PerezBox

Tony Perez On Security, Business, And Life


OSSEC – Detecting New Files – Understanding How it Works

Published in Security on July 27, 2013

I recently saw some discussion on the OSSEC distribution list from someone having trouble getting OSSEC syscheck to work correctly in real-time. It reminded me of a similar issue I had with my own configuration, and of others I have read about, so I figured I’d write something to shed light on how OSSEC’s syscheck works in real-time. Thanks of course to Dani for the assist.

Syscheck – Integrity Checking Daemon

If you’re familiar with OSSEC, then you know syscheck; if you’re not, this section will get you caught up – I hope.

Syscheck is the integrity checking daemon within OSSEC. Its purpose is simple: identify and report on changes to system files. The way it works is equally simple. When you first install OSSEC it runs an initial syscheck scan, which captures the checksum of every file on the system (every file you have identified in your configuration file, /var/ossec/etc/ossec.conf). Once that baseline is set, syscheck performs change detection by comparing all the checksums on each subsequent scan. If a checksum is not a one-for-one match, it reports a change. If new files are added, it identifies them as new and reports them.

Simple, right? Right…


Crazy April for the WordPress Platform

Published in Security on April 25, 2013

In case you haven’t been following, the month of April has been a bit of a whirlwind for website owners, specifically those using the WordPress platform. The good news is it’s motivated me to start writing again, not so much here but on our company blog. That being said, let me get you caught up on what’s been going on.

Fortunately, it all started off with my presentation at WordCamp Miami, which was pretty awesome I might add.

It really kicked off with the big challenges presented by the apparent abuse of trust that came from the Social Media Widget plugin.

If you didn’t hear, the original developer of the plugin sold the rights to a marketing firm, who then outsourced it to a freelancer. That freelancer then took it upon himself to inject code into the core of the plugin, so when it was pushed to the repository and everyone was notified of an update, the update delivered the payload to everyone who installed it. Nasty, I know. Talk about taking all the fun out of hacking; boo for laziness, yay for ingenuity. The obvious downside here is the abuse of trust I just described, which makes you wonder what is being done to address that very apparent vulnerability. What do you think?


WordPress Website Security: WordSesh 2013

Published in Security on April 15, 2013

Here is an online presentation I gave at WordSesh 2013. It’s always weird when you give an online presentation, unable to gauge the crowd and respond accordingly. I look forward to your feedback.


WordCamp Miami 2013: WordPress Website Security

Published in Security on April 3, 2013

I’ll be in Miami this weekend, for WordCamp Miami 2013, giving a new, updated talk on Website Security. Come by and say hi if you’re around — If you’re not, no problem, I’ve included my slides below in this post for your reference.

My talk is titled Staying of the Website Threats and Becoming One with Malware. In it, I talk about the latest threats and the things you can do to help yourself and your site stay secure. The idea is to educate and, in the process, help you gain a deeper appreciation for the underbelly of the web and the realities of web-based malware.


OSSEC For Website Security: Part I

Published in Security on March 13, 2013

OSSEC HIDS is my preferred host-based intrusion detection system (HIDS). I have to admit I am a bit partial to it because my good friend Daniel Cid built it and sold it to Trend Micro / Third Brigade back in 2008. I have what many don’t have: the ability to pester Daniel until he tells me what I need to know and guides me through all my issues. In the process I have learned a number of things and made some very interesting observations about the product, and this is where I will be sharing them.

Since my focus is website security, my deployment and use of the product will reflect that. I won’t talk much about the configuration and monitoring of large-scale enterprises, but I will likely get into large n-tier implementations of web enterprises. This could include load balancers, web servers, database servers, and possibly some storage devices. Pretty straightforward stuff.


Protect Your Website Vulnerabilities With a WAF: New Comparison Report: CloudFlare vs Incapsula vs ModSecurity

Published in Security on March 9, 2013

A new report came out in February, put together by Zero Science Lab, in which they compare the effectiveness of CloudFlare and Incapsula. In it they did the same thing Philip Tibom of Sweden did last year in his comparative report, in which he concluded that Incapsula was the superior product. In this new report they also included Trustwave’s ModSecurity solution. What website owners have to understand, however, is that comparing the three is a bit misleading.

Incapsula and CloudFlare are the two leading WAF solutions offered as software as a service (SaaS) and designed to help everyday website owners. CloudFlare actually probably trumps Incapsula in marketing prowess. ModSecurity, although powerful, is the opposite: it’s something you have to configure and maintain on your own web servers.


Security Implications of WordPress in The Enterprise

Published in Security on January 30, 2013

My Chileno brother from another mother, Chris Lema, put out a great guest post on WP Engine yesterday talking about WordPress and the Enterprise. He talks to the how and why of its emergence in the enterprise scene, but in the process makes a number of statements that very clearly explain the challenges we face as information security professionals. That, however, does not take away from the great points he makes around why it is a good enterprise platform.

Quick side note:

If you’re not familiar with Chris Lema, he’s perhaps one of the most engaging and insightful people you’ll meet, and he loves to write. WP Engine, on the other hand, is one of the premier managed WordPress hosting providers in today’s market, specializing in the ability to make your website grow wings, yes, like Red Bull.

The Discussion

Of the various things I do at Sucuri, the one I am fondest of is leading our incident / intrusion handling team. This is an unadvertised service that we provide to enterprises. At a high level we perform forensic analysis of the incident, outline the impacts of the compromise, and perform offensive countermeasures to attacks if so required. It’s in this capacity that I have gained a unique perspective on this subject. I can attest to WordPress’s arrival in the enterprise, and I’d argue that it’s no longer sneaking in – that was perhaps 2 years ago.


Web Application Vulnerability Scanners: W3AF – 12.10 xUbuntu Installation

Published in Security on January 28, 2013

I have been interested in the Web Application Attack and Audit Framework (W3AF) since I first heard about it last summer, 2012. Unfortunately it was not the most straightforward installation; it has a number of dependencies and was not something I was willing to invest time in. I was also a bit more of a novice than I am today and didn’t completely understand what I was doing or needed to do. Today things are a bit different, and this evening I decided to take another stab at it.

Note: If you run BackTrack 3.0 you’ll find it prepackaged (not sure about earlier versions), so you can skip this entire post.

My biggest challenge was that I was trying to install it on a xUbuntu *nix distribution. If you’re not familiar with it, it’s a child of the Ubuntu family, as the name implies, but it’s lightweight. By lightweight I mean that it comes with the bare necessities only; if you want something on the box you have to install it, and that includes all its dependencies. That’s perhaps where I ran into the most issues. Most of the documentation you find, including what w3af itself says once installed, states that Python 2.6 is required. That, fortunately, is not the case. You can definitely get it running with 2.7, and that’s what I’ll provide here.


Responsible Disclosure

Published in Security on November 14, 2012

As of late I seem to get into more and more discussions around this subject. I am fortunate enough to own a web security company whose brand reputation has grown to the point where, when we disclose, we often get a response, but that is not always the case. We go through the same struggles many do around disclosure.

  • When is it appropriate to disclose?
  • What time-frame should you give?
  • What do you do if you don’t receive a response?
  • What do you do if you get a response that blows you off?


Protecting Your Website: CloudFlare or Incapsula?

Published in Security on November 13, 2012

I get this question a lot whenever I talk with clients or give presentations: “How do I prevent my website from being hacked?”. Many actually confuse the service we offer at Sucuri for a preventive service. Good thing we don’t advertise preventive services.

That’s right, our service sits in the detection and remediation realm. By the nature of what we do there are preventive components that we implement, but our service has always been about detection and, more importantly, remediating the mess. Any InfoSec professional working in the security domain can understand this approach; you have long since learned that prevention is ideal but detection is key, and that’s based on the understanding that prevention, like detection, will never be a 100% solution.

That being said, I came across a recent report by Philip Tibom of Sweden titled Incapsula vs. CloudFlare (PDF Download). It was published October 15th, 2012, and in it he chronicles his experiences with both platforms over the last 6 months. If you’re not familiar with either, then you’re really not that concerned with your security posture, and that’s ok of course, but unfortunate nonetheless.


Spoofing an Admin’s Cookies Using Burp

Published in Security on November 5, 2012

Here is a quick little video I put together to show you how spoofing a user’s cookies works. This is not a real example; in most instances an application like Burp Suite would be used in conjunction with an XSS attack or some equivalent attack. The objective is to get someone with higher privileges to log in with the desired credentials.

In this example, I intercept the administrator’s account cookie, then use that same cookie to modify my own request from a lower-privileged user. This in turn grants me full access as the administrator, the application being none the wiser. Even after I logged out.


2012 NCSA / Symantec: National Small Business Cyber Security Study

Published in Security on October 16, 2012

The National Cyber Security Alliance (NCSA) partnered with Symantec to conduct an online safety survey of small to medium businesses. It was just released in October of 2012, and as surprising as some of the data points are, they really shouldn’t be. The total representative sample group was 1,015 US-based SMBs (250 employees or less), and its margin of error is +/- 3.1 percent for the sampling error.

The report actually covers a wide range of information security concepts: internet usage, device management (obviously getting more insight into the growing bring your own device (BYOD) dilemma plaguing companies), and other concepts like intrusion detection and mitigation. I will obviously focus on those areas that best pertain to the domain I’m interested in, web security.


OSSEC Agent to Server Connection Issues

Published in Security on October 9, 2012

So naturally, as of late, I have found myself doing more than I probably need to on my servers and in the process causing more headaches than required. One of those issues has been with the communication between my agents and the mother-ship (command and control) server in my OSSEC installs. For more detailed information, be sure to check out the OSSEC Host-Based Intrusion Detection Guide by Daniel.

The first thing to understand is how to check the status of your agents, and the easiest way to do that is to run the following on the server install (my mothership):

# /var/ossec/bin/agent_control -lc

This will list all your agents, and if they are active it’ll read Active. If they are inactive, unfortunately they don’t read Inactive; they just don’t show up.


Update WPSCAN using GIT on BackTrack 5R2

Published in Security on October 3, 2012

So I have been playing with a number of tools lately and this was perhaps one of the easiest things I couldn’t figure out. Talk about having a “WTF” moment.

If you’re curious, wpscan is a vulnerability scanner designed to pentest WordPress applications. It has a number of features that allow you to enumerate usernames, plugins, and TimThumb files. I’ll actually be demonstrating the tool this weekend at WordCamp Las Vegas. As for BackTrack, it’s a Linux distribution also designed for pentesters. If you’re more interested in malware reverse engineering then you might want to look at the REMnux Linux distribution. In any event, that’s a subject for another day…

WPSCAN came pre-configured with BackTrack but as you might expect, it was out of date. So naturally I tried their update option:

# ruby ./wpscan.rb --update

When you do, on a clean install, you’re likely greeted with the following:


Black Hole Exploit Kit 2.0 Released

Published in Security on September 13, 2012

If you’re not aware, there are a number of kits available to crackers intent on causing your website harm. And NO, not all crackers are created equal.

There are those that are developing and creating their own infections and then there are those that leverage the infections being developed.

Today, one of the most prevalent kits out there has been updated – BlackHole Exploit Kit 2.0. This is never a fun period, as they have made a number of updates designed to improve the kit and better evade detection across various AV engines. If you’re interested in better understanding this kit, NakedSecurity put together a great document that I would recommend reading.


Basic Access Authentication: Protection Against Automation

Published in Security on September 6, 2012

I wrote an article recently about using Basic Access Authentication to help harden your administrator panel.

I have been monitoring my logs to see how well it protects, and this is what I found:


WordCamp Baltimore 2012: WordPress Security Panel

Published in Security on September 4, 2012

This weekend I’ll be jumping on a jet plane again — this time to WordCamp Baltimore 2012 happening September 8 at the Maryland Science Center.

I’ll be joining my business partner Dre Armeda and development partner Brad Williams for a WordPress Security panel, where we’ll be answering YOUR questions about security, WordPress, and keeping your site safe.

This panel will be similar to the one Mark Jaquith provided at WordCamp San Francisco 2011, but different, as you might imagine, with Dre, Brad, and I at the helm.


Java Zero Day: Two Vulnerabilities

Published in Security on August 28, 2012

Yesterday was an interesting one for the security world; it was abuzz over the new Java 0-day, and today is no different.

It turns out, however, that it’s not just one (1) zero-day, it’s two, and they were introduced back in July of 2011. We shared our initial thoughts on the vulnerability yesterday.

Today, though, Esteban Guillardoy put out a more in-depth analysis of the vulnerability. I thought you too would enjoy the read. It’s worth noting that I’m by no means well-versed in desktop-based malware, my focus being web-based malware, but I still enjoyed the read.


My New OSSEC HIDS Book

Published in Security on August 8, 2012

Pretty excited: today I got my very own copy of the OSSEC Host-Based Intrusion Detection (HIDS) Guide in the mail.

If you haven’t heard about it, it was written a few years back by Daniel Cid, our founder at Sucuri.

Its core features include:


Uninstall ModSecurity & WordPress Challenges

Published in Security on August 7, 2012

Ok, as simple a post as this might appear, I recently undertook an effort to install and configure ModSecurity on my little server. In the process I quickly learned a number of things, specifically that I needed to uninstall it from my production box and push it over to a staging box.

I’m not a system administrator, and I quickly learned that sometimes it’s good to follow your own advice: don’t get crazy with changes on a production box without testing on a staging box first.

Copyright © 2021 Tony Perez, PerezBox. All Rights Reserved