Web And Information Security Archives | Page 3 of 3

Web Application Vulnerability Scanners: W3AF – 12.10 xUbuntu Installation

Published in Security on January 28, 2013

I have been interested in the Web Application Attack and Audit Framework (W3AF) since I first heard about it last summer, 2012. It was unfortunately not the most straight forward installation, it contains a number of dependencies and not something I was willing to invest into. I was also a bit more novice than I am today and didn’t completely understand what I was doing or needed to do. Today things are a bit different and this evening I decided to take another stab at it.

Note: If you run BackTrack 3.0 you’ll find it prepackaged, not sure about earlier versions, so just skip this entire post.

My biggest challenge was that I was trying to install it on a xUbuntu NIX distribution. If you’re not familiar with it, it’s a child of the Ubuntu family as implied by the name, but it’s light weight. By light weight I mean that it comes with the bare necessities only, if you want something on the box you have to install it and that includes all its dependencies. That’s perhaps where I ran into the most issues. Most of the documentation you find, to include what w3af says once installed, states that python 2.6 is required. That, fortunately is not the case. You can definitely get it running with 2.7 and that’s what I’ll provide here.

Responsible Disclosure

Published in Security on November 14, 2012

As of late I seem to get into more and more discussions around this subject. I am fortunate enough to own a web security company which has grown in brand reputation to the point where when we disclose we often get a response, but that is not always the case. We go through the same struggles many do around disclosure.

When is it appropriate to disclose?
What time-frame should you give?
What do you do if you don’t receive a response?
What do you do if you get a response that blows you off?

Protecting Your Website: CloudFlare or Incapsula?

Published in Security on November 13, 2012

I get this question a lot whenever I talk with clients or give presentations, “How do I prevent my website from being hacked?”. Many actually confuse the service we offer at Sucuri as a preventive service. Good thing we don’t advertise preventive services.

That’s right, our service sits in the detection and remediation realm. By the nature of what we do there are preventive components that we implement, but our service has always been about detection, and more importantly remediating the mess. For any InfoSec professional working in the security domain you can understand this approach; you have long learned that prevention is ideal but detection is key and that’s based around the understanding that prevention, like detection, will never be a 100% solution.

That being said, I came across a recent report by Philip Tibom of Sweden titled Incapsula vs. CloudFlare (PDF Download). It was published October 15th, 2012 and in it he chronicles his experiences with both platforms over the last 6 months. If you’re not familiar with either then you’re really not that concerned with your security posture, and that’s ok of course but unfortunate none the less.

Spoofing an Admin’s Cookies Using Burp

Published in Security on November 5, 2012

Here is a quick little video I put together to show you how spoofing a users cookies works. This is not a real example, in most instances an application like Burp suite would be used in conjunction with a XSS attack or some equivalent attack. The objective is to get someone with higher privileges to log in with the desired credentials.

In this example, I intercept the administrators account cookie then use that same cookie to modify my own request, from a lower privileged user. This in turn grants me full access as the administrator, the application being none the wiser. Even after I logged out.

2012 NCSA / Symantec: National Small Business Cyber Security Study

Published in Security on October 16, 2012

The National Cyber Security Alliance (NCSA) partnered with Symantec to conduct an online safety survey study of Small to Medium businesses. It was just released October of 2012 and as surprising as some of the data points are, they really shouldn’t be. The total representative sample group was 1,015 US based SMB’s (250 employees or less) and its margin of error is +/- 3.1 percent for the sampling error.

The report actually covers a wide range of Information Security concepts, from: internet usage, device management (obviously getting more insight into the growing bring your own device (BYOD) dilemma plaguing companies) and other concepts like intrusion detection and mitigation. I will obviously focus on those areas that best pertain to the domain I’m interested in, web security.

OSSEC Agent to Server Connection Issues

Published in Security on October 9, 2012

So naturally, as of late, I have found myself doing more than I probably need to on my servers and in the process causing more headaches then required. One of those issues has been with the communication between my agents and the mother-ship (command control) server with my OSSEC installs. For more details information, be sure to check out the OSSEC Host-Based Intrusion Detection Guide by Daniel.

The first thing to understand is how to check the status of your agents and easiest way to do that is running the following on the server install (my mothership):

# /var/ossec/bin/agent_control -lc

This will list out all your agents and if they are active it’ll read Active. If they are inactive, they don’t read inactive unfortunately, they just don’t show up.

Update WPSCAN using GIT on BackTrack 5R2

Published in Security on October 3, 2012

So I have been playing with a number of tools lately and this was perhaps one of the easiest things I couldn’t figure out. Talk about having a “WTF” moment.

If you’re curious, wpscan is a vulnerability scanner designed to pentest WordPress applications. It has a number of features that allow you to enumerate usernames, plugins, and TimThumb files. I’ll actually be demonstrating the tool this weekend at WordCamp Las Vegas. As for BackTrack its a Linux distribution also designed for pentesters. If you’re interested more in malware reverse engineering then you might want to look at the REMnux linux distribution. In any event, that’s a subject for another day…

WPSCAN came pre-configured with BackTrack but as you might expect, it was out of date. So naturally I tried their update option:

#ruby ./wpscan.rb --update

When you do, on a clean install, you’re likely greeted with the following:

Black Hole Exploit Kit 2.0 Released

Published in Security on September 13, 2012

If you’re not aware, there are number of kits available to crackers intent on causing your website harm. And NO, not all crackers are created equal.

There are those that are developing and creating their own infections and then there are those that leverage the infections being developed.

Today, one of the most prevalent kits out there has been updated – BlackHole Exploit Kit 2.0. This is never a fun period as they have made a number of updates designed to improve and better avoid detection across various AV engines. If you’re interested in better understanding this kit NakedSecurity put together a great document that I would recommend reading.

Basic Access Authentication: Protection Against Automation

Published in Security on September 6, 2012

I wrote an article recently talking to the use of Basic Access Authentication to help harden your administrator panel.

I have been monitoring my logs to see how it protects and this is what I found:

WordCamp Baltimore 2012: WordPress Security Panel

Published in Security on September 4, 2012

This weekend I’ll be jumping on a jet plane again — this time to WordCamp Baltimore 2012 happening September 8 at the Maryland Science Center.

I’ll be joining my business partner Dre Armeda and development partner Brad Williams for a WordPress Security panel, where we’ll be answering YOUR questions about security, WordPress, and keeping your site safe.

This panel will be similar to the one Mark Jaquith provided at WordCamp San Francisco 2011, but different as you might imagine with Dre, Brand, and I at the helm.

Java Zero Day: Two Vulnerabilities

Published in Security on August 28, 2012

Yesterday was an interesting one for the security world, it was a buzz over the new Java 0-Day and today is no different.

It turns out however that it’s not just one (1) zero-day, it’s two and they were introduced back in July of 2011. We shared our initial thoughts on the vulnerability yesterday.

Today though Esteban Guillardoy put out a more in-depth analysis of the vulnerability. Thought you too would enjoy the read. It’s good to note that I’m by no means well-versed on desktop based malware but I still enjoyed the read, my focus is web-based malware.

My New OSSEC HIDS Book

Published in Security on August 8, 2012

Pretty excited, today I got my very own copy of the OSSEC Host-Based Intrusion Detection (HIDS) Guide in the mail.

If you haven’t heard about it, it was developed a few years back and was founded by our founder at Sucuri, Daniel Cid.

Its core features include:

Uninstall ModSecurity & WordPress Challenges

Published in Security on August 7, 2012

Ok, as simple as a post as this might appear I recently undertook an effort to install and configure ModSecurity on my little server. In the process I quickly learned a number of things, specifically that I needed to uninstall from my production box and push it over to a staging box.

I’m not a system administrator and quickly learned that sometimes its good to follow your own advise, don’t get crazy with changes on a production box without testing on a staging box.

Recent Security Related Posts

Published in Security on July 14, 2012

Sometimes I wonder why I did this to myself, start a blog that has to be maintained, but don’t worry I will maintain it, I hope.

That being said, the past few weeks have been busy. While I have posted here, there have been a number of things going on. The most notable, notable in the sense of popularity, was Yahoo’s security breach. We, Sucuri, wrote more about it here: http://blog.sucuri.net/2012/07/analysis-of-yahoo-voice-password-leak-453441-passwords-exposed.html, we even put out a nice little tool that allows you to check your email to see if it was compromised.

WP Late Night #15: My First Podcast

Published in Life on June 28, 2012

Following up on my post this morning, talking to my experience on WPLate Night, WPCandy released last nights live recording this afternoon, so go check it out.

Oh and special thanks to the guys at WP LateNight for getting my good side in the banner:

Look forward to feedback. I always feel funny listening to myself, but don’t think it came out too bad.

Check It Out

Review of the WordPress AntiVirus Plugin – Effective or Not?

Published in Security on June 21, 2012

After my most recent Review of the WordPress WordFence Plugin post I felt it was only fair that I take time to review the effectiveness of other similar security focused plugins in the WordPress.org repository.

It’s important to understand that while I work for an InfoSec company my focus is not on whether its a competitive product, but rather how useful it is to end-users and how effective it is at detecting malware. The goal is to establish an unbiased review, leveraging the large repository of web-based malware variants I have at my disposal.

I stumbled on the AntiVirus plugin while crawling the repository and was naturally curious. The plugin repository description is not very exhaustive, but appears to succinctly articulate what it was designed to do.

Review of the WordFence Plugin – Effective or Not?

Published in Security on June 19, 2012

As of late I have been seeing a lot of traffic on various mediums, WordPress.org, Twitter, and Facebook about this new plugin – WordFence. It hasn’t been around for too long I don’t think, maybe 6 months or so, and I have been getting a lot of questions around its effectiveness, etc…

I get this a lot and more often than not my answer is usually pretty neutral, “You know, I’m not sure I have not personally tried them, but I encourage you to and let me know how it works” or “Nope, no thoughts on it, but I hear good things.” Well today, for whatever reason I decided to give them a whirl. If you know what I do then you know web security is a bit of my life these days. Like many others I often obsess over would be competitors and its good to understand what might be chomping at the heels.

With that being said, this post will hopefully serve as an unbiased, hopefully, review of a plugin that is getting a lot of positive remarks from end-users. The focus will be to measure its effectiveness in detecting web-malware on a basic WordPress website.

Selecting a MAC Anti-Virus Solution

Published in Security on June 15, 2012

I am what most would consider to be a new adopter of Apple machines, less than 6 months, other than the obvious iPhone that is. It’s important to note though that this hasn’t been my first try, I attempted the conversion about 14 months ago and failed miserably. I found myself secretly getting my Windows fix without letting my colleagues know and that eventually led me into withdrawals and finally back on a Windows box, but I digress…

Then came the day I went full-time as an entrepreneur and my partners, being the security freaks that they are, banned me from using Window’s products on our network. My option was a distro of Linux, and as fun of an experience as that was, cough, I found the need for what I would consider a more robust UNIX based products – in enters Apple again.

It just so happens that I made the conversion just as the Flashback / Flashfake outbreak hit the streets. Oh you know, that little outbreak that got every one up in arms over Apple’s security policies and rumored to have over 600,000 MAC’s infected world-wide.

So naturally, my obvious reaction was, “WTF!!!!”

Is LastPass Secure?

Published in Security on June 11, 2012

Back in February I put out a post talking about Web Security: Managing Your Passwords, with the recent compromises on sites like LinkedIn, eHarmony and Last.fm I felt it was appropriate to go back and look at some of the technical aspects of the LastPass solution. Specifically on whether it is secure.

This week I was sent a podcast, Security Now with Steve Gibson, that supposedly talked to whether LastPass is secure so I figured why not give it a go. I learned a few things from it and thought I’d share it in a quick post, especially being how relevant a topic it is right now. Password management that is…

Web Security: Managing Your Passwords

Published in Security on February 11, 2012

This post is for friends and colleagues and any one who cares to listen. It focuses on the very real issue of managing all our password!!!!

Everyday I deal with websites, and their owners, in varying degrees of distress. I want to help avoid crossing paths with any of you. There are a number of preventive tips you can take and you can watch them here or read about it here. The one I want to spend a few minutes on specifically is password management.

I, like most of you, as of a week ago, would have been classified as a culprit of poor password management. I mean lets face it, in this day and age we have, probably, no less than 50 different sites we go to that require us to enter credentials to authenticate (e.g., Facebook? Bank? School? Work? Email?).