New Free Database scanner... a Windows only Java program!

There's a new freeware database security scanner available called scuba from Imperva.
The front page looks quite interesting so I'll be sure to have a look at it. However not today, as I'm not in front of a Windows machine.
And here's the really weird bit. When I heard about it I noted that it's a Java program... "great" I thought, it'll run nicely on Linux (which I use almost exclusively at home, apart from the odd game) but... it's a Java program that requires Windows!!
What the heck is the point of that!
"No problem" I thought "I'll just download the archive and there'll be a JAR file there that I can run manually"....
No.
When you download the program it extracts one .exe file!
Why bother programming something in Java if you're going to tie it to Windows!!

The wonders of modern (open source) technology...

I was just thinking that there's lots of little advances in technology that you don't really think about but that add up to make a real difference to what you can do..
This time it's a combo of SSL VPNs and free broadband Internet in hotels that's letting me sit here and listen to any music from my home music collection without having to tote around a player with me (that I always forget to charge!)
And the great thing is... it's all free.
The SSL VPN is courtesy of the excellent sslexplorer. The community edition is stored on my CentOS server at home, which has a port forward from my little ipcop firewall.
The next piece of the puzzle is slimserver, which is designed to support Slim Devices' Squeezeboxes, but which they release as a free download whether you use their product or not... This lets me set up a stream over HTTP of any music I like, that I can connect to with any media player (Windows Media etc.)
Actually what occurs to me is that the common piece of all this is open source software. Without that all this would cost me a fortune and very likely I wouldn't have it at all...! Yay open source.

Cool netstat and wmic stuff

SANS - Internet Storm Center - Cooperative Cyber Threat Monitor And Alert System
This post on the SANS handlers log has some really useful information about the use of netstat to detect connection information on Windows boxes, with some features that I wasn't aware of.
It also put me on to something else that I've been woefully ignorant of: wmic.
This looks like a really handy command-line tool for getting information out of Windows boxes. From what I can see so far, there's a load of interesting information that you can get from it. To get started just type "wmic" from a command prompt, then type /? for a list of "aliases" that wmic uses for information retrieval.
Some of the commands I've found so far which seem handy are "process list brief" and "nicconfig list brief", but you can use the /? switch after anything to get some useful help about options...
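One way to put the two tools together for triage, as an added example (not code from the SANS post or from this blog): it joins the PID column of `netstat -ano` with the process list from `wmic process get Name,ProcessId,ExecutablePath /format:csv` so each listening socket is shown with the executable that owns it. Those specific switches, the function names and the sample output are assumptions constructed for illustration.

```python
import csv

# Constructed sample of `netstat -ano` output (not from a real host).
NETSTAT_SAMPLE = """
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  TCP    0.0.0.0:4444           0.0.0.0:0              LISTENING       3120
  TCP    192.168.1.10:49712     203.0.113.5:443        ESTABLISHED     2208
  UDP    0.0.0.0:500            *:*                                    612
"""

# Constructed sample of
# `wmic process get Name,ProcessId,ExecutablePath /format:csv` output.
WMIC_SAMPLE = r"""
Node,ExecutablePath,Name,ProcessId
WS01,C:\Windows\System32\svchost.exe,svchost.exe,884
WS01,C:\Users\bob\AppData\Local\Temp\helper.exe,helper.exe,3120
WS01,C:\Program Files\Mozilla Firefox\firefox.exe,firefox.exe,2208
"""

def parse_netstat(text):
    """Parse TCP/UDP rows; UDP rows carry no State column."""
    rows = []
    for line in text.splitlines():
        f = line.split()
        if len(f) == 5 and f[0] == "TCP":
            rows.append((f[0], f[1], f[3], int(f[4])))
        elif len(f) == 4 and f[0] == "UDP":
            rows.append((f[0], f[1], "", int(f[3])))
    return rows  # (proto, local address, state, pid)


def parse_wmic_csv(text):
    """Map PID -> (name, path); wmic pads its CSV with blank lines."""
    lines = [l for l in text.splitlines() if l.strip()]
    return {int(r["ProcessId"]): (r["Name"], r["ExecutablePath"])
            for r in csv.DictReader(lines)}


def listeners_with_owner(netstat_text, wmic_text):
    """Return (local, pid, name, path) for TCP listeners and UDP sockets."""
    procs = parse_wmic_csv(wmic_text)
    out = []
    for proto, local, state, pid in parse_netstat(netstat_text):
        if state == "LISTENING" or proto == "UDP":
            # A PID missing from the process list is itself worth a look.
            name, path = procs.get(pid, ("<unknown>", ""))
            out.append((local, pid, name, path))
    return out
```

On the constructed data this surfaces a listener on port 4444 owned by an executable under a user's Temp directory, and a UDP socket whose PID has no matching process entry.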

The cats alluded to in my blog title

It occurs to me that I promised the odd cat when I set up this blog, and I've not really had any... so without further ado, here are some pictures of our two that Marion captioned...








Finally! A sensible view on AJAX Security

A post over on White Hat Security makes a great run at bursting the bubble of all the people saying that AJAX is some kind of terrible security risk.
I won't reiterate the arguments in the article, 'cause they do a pretty good job of laying out what the problems and non-problems of AJAX security are. I'd just say that I agree this has been a really overhyped area of security.

More on windows cached password recovery


Hmm, looks like it's not quite as bad as I thought it was. After a bit more reading on the subject, the Windows cached password is not just an NTLM hash, it's actually a salted hash, with the salt being the username.
So rainbow tables aren't really a practical attack for this, although it's interesting to note that there's a John the Ripper plug-in for cachedump now which enables you to do dictionary-based/brute-force attacks on retrieved credentials.

PWDumpX

Reed Arvin # Security Tools
A listing of some cool looking security tools. In particular, I think that PWDumpX could be an interesting one.
I've not had a chance to play with it yet, but it seems to me that the implication of it is that in an enterprise environment, if you have access to a local admin set of credentials (which depending on how your company manages local admin accounts may be pretty easy) or if your domain account has local admin, you could use this tool to dump the domain credentials of any user by running this against the machine that they're logged in to. Of course, once you've got the credentials you need to decrypt them, but then, that's what rainbow tables are for!
If it works like that it's actually a pretty sneaky attack, definitely one to test.

Using google to hack for you

SecuriTeam Blogs

New UK Computer Misuse Act... Yeuch

There are some amendments in the new Police and Justice Act to the Computer Misuse Act and some of them do not sound like good news for the UK penetration testing & security research community.
Looking at Section 37 of the Act you get this:

(1) A person is guilty of an offence if he makes, adapts, supplies or offers
to supply any article intending it to be used to commit, or to assist in
the commission of, an offence under section 1 or 3.
(2) A person is guilty of an offence if he supplies or offers to supply any
article believing that it is likely to be used to commit, or to assist in the
commission of, an offence under section 1 or 3.
(3) A person is guilty of an offence if he obtains any article with a view to
its being supplied for use to commit, or to assist in the commission of,
an offence under section 1 or 3.

(Offences in section 1 or 3 are basically unauthorised access to computer resources).
To my mind that leaves people publishing exploit code in the UK in serious trouble, along with anyone selling or making open source penetration testing software. It would be pretty hard to argue that you didn't believe it was likely that a tool that could be used for pen testing could also be used by someone to break into a system, as the only thing that's really different is the intent!
The act also covers DoS (or reckless impairment of the operation of a computer, as the act calls it) so would it follow that software which stress tests systems would also fall foul of the act?
I expect that what'll happen is that we'll get some chat from government officials that "legitimate security professionals won't be targeted" but I for one really don't like the idea that I could be committing an offence and I'm relying on someone's definition of "legitimate" to avoid being prosecuted!

More on Database vulnerability numbers

There's some more data on comparing Oracle and MS SQL Server vulnerability levels over at Michael Howard's blog.
There's a link to a study by David Litchfield on the numbers here which pretty much comes to a similar conclusion to looking at the secunia numbers, but does a more accurate job of analysing the findings by looking at a number of sources.
The clear point to be made is that Microsoft have done a very good job on the security of MS SQL server 2005 and if someone were to ask me about a choice between these two "enterprise database" vendors in terms of security, it would be a bit of a no-brainer!
One thing you can see is that this study, whilst still coming to the same conclusion (that MS SQL Server is more secure than Oracle), actually has quite different numbers from the ESG study that was quoted in Michael's earlier blog posting here.
At a rough count the NGS paper lists ~58 MS SQL vulnerabilities whilst the ESG one lists less than 10 (there's no background data so it's kinda hard to tell), and a similar story for the Oracle one, with well over a hundred in the NGS paper and only 70 in the ESG one.
IMO a good reason to actually dig a bit deeper on these things rather than go with something like CVE which isn't really designed for the purpose. The same result has come out but by being able to see what's being counted it becomes more believable and less likely to have people be able to argue the stats....