w3af web security assessment tool gets support from Rapid7

Rapid7, which purchased the Metasploit attack framework last year, has agreed to sponsor the open source w3af web assessment and exploit project. This is fantastic news for web application development teams, since it shows the open source (and hence more affordable) tools they can use to improve the security of their applications are maturing.

Websites like sectools.org maintain lists of various security tools and point to numerous open source web application fuzzing and testing tools, including BurpSuite, Nikto, WebScarab, Whisker and Wikto. Although each of the open source tools I use has various strengths, w3af is IMHO the first reasonable challenger to commercial web application testing tools like IBM’s AppScan.

Can we please get rid of bad input validation errors now??

For a commercial IT security professional that wants to help an internal web application development team improve the security of their applications, tools like IBM’s AppScan and Acunetix WVS can save valuable time by generating reports that include not only the vulnerable URI but also include vulnerability background information (CVSS, OWASP, WASC), the specific HTTP request/response strings and suggested code fixes. This is particularly valuable to a security architect or operations role that is pressed for time (an army of one anyone?).

The w3af support from Rapid7 will enable this excellent tool to mature more quickly and improves the capability for any web development team, regardless of funding, to improve their security. Can we please get rid of bad input validation errors now?? My recent thesis illustrated the downright depressing numbers of SQL injection flaws that continue to exist. With tools like w3af, there is no excuse left for web developers to press applications into production with these injection flaws that are trivial to avoid. At the very least a survey of the NIST National Vulnerability Database does show the number of SQL injection flaws starting to drop. Unfortunately they still substantially outnumber traditional memory corruption flaws such as buffer overflows.

Explosion of SQL buffer errors

As you can see, the story up to 2008 was pretty grim for web applications – SQL injection flaws increased by over 1,500% in the same time buffer overflow errors increased by just over 500%.

Although it looks like there has been a reversal of the shocking explosion of SQL injection flaws, the sheer volume of these web application flaws is astonishing .. especially since injection flaws have been around for about 10 years. Not exactly a problem that has recently snuck up on us.

Web developers that still turn out applications that contain SQL or command injection errors and most cross site request forgery errors are simply guilty of gross negligence.
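As an added illustration (not code from the original post), here is the pattern that produces a SQL injection flaw next to the parameterized form that avoids it. It uses Python's standard sqlite3 module and a constructed in-memory `users` table; the table name, columns and rows are assumptions made for this example.

```python
import sqlite3


def build_db():
    """Constructed sample data: an in-memory SQLite database standing in for
    a web application's user store (names and rows are made up)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.test"), ("bob", "bob@example.test")],
    )
    return conn


def lookup_email_vulnerable(conn, username):
    """The pattern that creates an injection flaw: the untrusted value is
    concatenated into the SQL text, so the value can change the query's
    structure rather than just supplying data."""
    query = "SELECT email FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(query)]


def lookup_email_safe(conn, username):
    """The fix: a parameterized query. The SQL text is fixed, and the driver
    passes the value separately, so it is only ever treated as data."""
    query = "SELECT email FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(query, (username,))]


if __name__ == "__main__":
    db = build_db()
    # A normal lookup behaves the same either way.
    print(lookup_email_vulnerable(db, "alice"), lookup_email_safe(db, "alice"))
    # A value that carries a quote shows the difference: the concatenated
    # query returns every row, the parameterized query finds no such user.
    odd_value = "' OR '1'='1"
    print(lookup_email_vulnerable(db, odd_value), lookup_email_safe(db, odd_value))
```

The parameterized version is no longer or harder to write than the concatenated one, which is the point of the paragraph above: avoiding the flaw costs nothing at coding time.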

Despite the web development industry knowing these errors exist and good developers designing and coding to avoid these issues, there is still a need to build sufficient forensics around externally facing (publicly accessible) applications to enable reconstruction of attacks. In my next post, I outline a summary of my thesis “Effective SQL injection attack reconstruction using network recording”.

How to secure your home PC

Whether you have a Mac or a Windows PC, there are some basic steps you can take to reduce the risk and personal impact of a malware infection.  This advice is especially impactful when you have just purchased a new Mac or Windows system. There are several steps that you can take to protect your new investment and more importantly your information. In the following detail, I mainly focus on Windows as that’s the main technology that my non-IT type friends ask about.

Basically what you should be doing is:

  1. Ensure that a hardware firewall/router is in between the internet and the PC (I’ll just call it a firewall from now on)
    • Use a recognized brand name like Linksys, avoid the no-name generics as they often have bad defaults and don’t implement the stateful-packet-inspection that you want to filter out most of the cruft on the Internet from reaching your PC
  2. Ensure all default passwords on the firewall and PC have been changed
    • When you initially turn on the power to your PC and to your firewall, do NOT have them connected to your cable or DSL modem initially.  Do the setup of your firewall and PC first in order to ensure malware doesn’t have a chance to get at your shiny new PC before you’ve turned on the needed protection
    • Point a browser to your firewall (likely 192.168.0.1 or 192.168.1.1) and change the default administrator password.  This is very important, as some malware will seek out your firewall and try to use the manufacturer default password to change things like your DNS server settings – inserting the bad guys in between you and the rest of the Internet (eg. forcing your traffic to them first before it goes to your bank)
  3. All normal accounts used for day-to-day business on the computer should NOT have administrator privilege (see my post on running without admin privileges)
    • On Windows XP, Vista (and I think 7), the default “user” that accesses the PC has full administrative privilege, that enables software  installation and configuration changes.  This is very dangerous, as malware that you come in contact with from infected emails or websites use this privilege to install their spyware, keyloggers, backdoors and other nasty stuff on your PC – without your explicit permission
    • Set a password for your Administrator account
    • Create a new user right away, before you setup your email, music, photos, documents, etc; ensure that new user is NOT a Computer Administrator
    • Always login with this non-Administrator username for your day-to-day use; only use the Computer Administrator username for software installation and configuration changes.
  4. Never surf the Internet with an account that has administrative privilege
  5. If this is a common PC for a business, ensure employees accounts are individually assigned (if practical). Ensure those employee accounts are not administrators (unless there is a need and a high degree of trust)
  6. Run a good commercial anti-virus program with annual software support (or a subscription)
    • There are some good free AV packages (AVG, Clamwin, Avast) .. Google them for the links
    • Sophos makes a good Mac AV package .. yes, Macs are vulnerable to malware as well; it’s just not as prevalent
  7. Finally ensure regular (daily) backups are being run to protect your business, financial, customer information from loss if there is a problem with the PC
  8. For setup of your wireless access point (if you have one .. sometimes it’s built into the router/firewall)
    • Choose wireless encryption of at least WPA or WPA2 .. never use WEP or no encryption
    • There is no significant increase in security by obscuring your network name (SSID)
    • Don’t use any personally identifiable information in your network name

If you are unsure of how to do any of these steps, get one of your computer knowledgeable friends to help you.  Of course if you are purchasing a new system right now, I’d strongly recommend you check out Apple’s Mac products.  They’re not immune to malware, but the architecture and core are by design much less vulnerable to the types of malware that plague Windows.

Building a web security lab (with VMware Fusion)

Problem: VMware virtual machines load the boot loader immediately with no BIOS banner, so you can’t get into the BIOS to alter boot settings.
Solution: Edit the vm’s .vmx file and add the line:

bios.bootDelay = "5000"

which adds a 5000 millisecond (5 second) delay to the boot, or add:

bios.forceSetupOnce = "TRUE"

to make the VM enter the BIOS setup at the next boot.

Problem: VMware Fusion 3.0 doesn’t give a way to edit the virtual network settings via the GUI.
Solution: To change the subnet used by the NAT or HostOnly networks, go root in Mac OS X and edit

/Library/Application Support/VMware Fusion/networking

and set the following lines to the subnets desired:

answer VNET_1_HOSTONLY_SUBNET 192.168.35.0
answer VNET_8_HOSTONLY_SUBNET 10.10.1.0

To add additional custom isolated host only VLANs, also edit the networking file and add additional VNET definitions. There can apparently only be 8 VLANs with VLAN 1 and 8 already pre-defined.

answer VNET_2_DHCP no
answer VNET_2_HOSTONLY_NETMASK 255.255.255.0
answer VNET_2_HOSTONLY_SUBNET 10.10.21.0
answer VNET_2_VIRTUAL_ADAPTER yes
answer VNET_3_DHCP no
answer VNET_3_HOSTONLY_NETMASK 255.255.255.0
answer VNET_3_HOSTONLY_SUBNET 10.10.22.0
answer VNET_3_VIRTUAL_ADAPTER yes
answer VNET_4_DHCP no
answer VNET_4_HOSTONLY_NETMASK 255.255.255.0
answer VNET_4_HOSTONLY_SUBNET 10.10.23.0
answer VNET_4_VIRTUAL_ADAPTER yes

Now create your vm with as many network interfaces as you have separate VLANs (vnet) then edit the node.vmx vm configuration file and change the interfacename.connectionType to custom, and define the VLAN (vnet) that interface will attach to:

#ethernet0.connectionType = "nat"
ethernet0.connectionType = "custom"
ethernet0.vnet = "vmnet3"

Also realize that VMware will take the .1 host address on each vmnet – so you cannot assign .1 to any of your VMs.
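The following is an added helper, not part of the original post or of VMware’s own tooling, that generates the `answer VNET_n_*` lines for an isolated host-only vnet and the matching `ethernetN.*` lines for a `.vmx` file, while enforcing the two constraints noted above: vnets 1 and 8 are pre-defined (so 2 to 7 are the free ones) and the .1 address on each vmnet belongs to VMware. The range limits and the sample addresses are taken from the text; the function names are assumptions made for this example.

```python
import ipaddress

# Assumption from the text: Fusion pre-defines vmnet1 (host-only) and vmnet8 (NAT)
# and supports at most 8 vnets, so custom isolated VLANs live on vmnet2..vmnet7.
RESERVED_VNETS = {1, 8}
MAX_VNET = 8


def _check_vnet(vnet):
    if vnet in RESERVED_VNETS or not 1 <= vnet <= MAX_VNET:
        raise ValueError(f"vnet {vnet} is pre-defined or outside 2..{MAX_VNET - 1}")


def networking_lines(vnet, subnet, netmask="255.255.255.0", dhcp=False):
    """Return the four `answer` lines that define one isolated host-only vnet
    in /Library/Application Support/VMware Fusion/networking."""
    _check_vnet(vnet)
    # strict=True (the default) raises if `subnet` has host bits set, e.g. 10.10.22.5
    ipaddress.ip_network(f"{subnet}/{netmask}")
    return [
        f"answer VNET_{vnet}_DHCP {'yes' if dhcp else 'no'}",
        f"answer VNET_{vnet}_HOSTONLY_NETMASK {netmask}",
        f"answer VNET_{vnet}_HOSTONLY_SUBNET {subnet}",
        f"answer VNET_{vnet}_VIRTUAL_ADAPTER yes",
    ]


def vmx_interface_lines(index, vnet):
    """Return the .vmx lines that attach ethernet<index> to a custom vnet."""
    _check_vnet(vnet)
    return [
        f'ethernet{index}.connectionType = "custom"',
        f'ethernet{index}.vnet = "vmnet{vnet}"',
    ]


def guest_address_ok(address, subnet, netmask="255.255.255.0"):
    """True if `address` can be given to a VM on this vnet: it lies inside the
    subnet, is not the network or broadcast address, and is not the .1 host
    address that VMware takes for itself."""
    net = ipaddress.ip_network(f"{subnet}/{netmask}")
    addr = ipaddress.ip_address(address)
    vmware_host = net.network_address + 1
    return (addr in net
            and addr not in (net.network_address, net.broadcast_address)
            and addr != vmware_host)


if __name__ == "__main__":
    # Build the vnet3 definition from the text and a VM interface attached to it.
    for line in networking_lines(3, "10.10.22.0"):
        print(line)
    for line in vmx_interface_lines(0, 3):
        print(line)
    print(guest_address_ok("10.10.22.1", "10.10.22.0"))   # False: VMware's address
    print(guest_address_ok("10.10.22.10", "10.10.22.0"))  # True
```

Run it once per vnet you want and append the output to the networking file; the `guest_address_ok` check is the one to run before handing out static addresses to lab VMs, since a collision with the .1 address shows up as intermittent connectivity rather than an obvious error.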

Problem: Ubuntu 9.10 uses persistent network configuration (it stores the MAC address of each network adapter), so if you copy a machine, by default Ubuntu will set up a new logical adapter (eth1) since the MAC address has changed (when you answer I Copied It in VMware).
Solution: Tell VMware you copied the machine, so it will choose a unique MAC address. Boot Ubuntu into single user mode (another article on that to follow) then edit the MAC address associated with eth0.

sudo vi /etc/udev/rules.d/70-persistent-net.rules

find the stanza of the network interface in question (NAME="eth0") and set the following ATTR tag to the new MAC address:

ATTR{address}=="new-mac-address-here"
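As an added example (not from the original post), a small Python helper that does the same edit to the rules file without hand-editing in vi: it finds the stanza whose `NAME` matches the interface, rewrites its `ATTR{address}` value, and refuses malformed MACs or files where the interface appears zero or several times. The sample rules text and the MAC addresses in it are constructed for this example; the function names are assumptions.

```python
import re

# Constructed sample of /etc/udev/rules.d/70-persistent-net.rules after a clone:
# the original adapter stanza (eth0) and the one udev added for the new MAC (eth1).
# All MAC addresses here are made up.
SAMPLE_RULES = """\
# PCI device 0x15ad:0x07b0 (vmxnet3)
SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{address}=="00:0c:29:aa:bb:cc", ATTR{dev_id}=="0x0", ATTR{type}=="1", KERNEL=="eth*", NAME="eth0"

# PCI device 0x15ad:0x07b0 (vmxnet3)
SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{address}=="00:0c:29:dd:ee:ff", ATTR{dev_id}=="0x0", ATTR{type}=="1", KERNEL=="eth*", NAME="eth1"
"""

MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")
ADDR_RE = re.compile(r'ATTR\{address\}=="([^"]*)"')


def _is_stanza_for(line, iface):
    # Rule lines are single lines; comments start with '#'.
    return not line.lstrip().startswith("#") and f'NAME="{iface}"' in line


def interface_mac(rules_text, iface):
    """Return the MAC currently bound to `iface` in the rules text, or None."""
    for line in rules_text.splitlines():
        if _is_stanza_for(line, iface):
            m = ADDR_RE.search(line)
            if m:
                return m.group(1)
    return None


def set_interface_mac(rules_text, iface, new_mac):
    """Return the rules text with the ATTR{address} of `iface`'s stanza set to
    new_mac (normalized to lowercase). Raises ValueError on a malformed MAC or
    if exactly one stanza for the interface is not found."""
    new_mac = new_mac.lower()
    if not MAC_RE.match(new_mac):
        raise ValueError(f"not a MAC address: {new_mac!r}")
    out, changed = [], 0
    for line in rules_text.splitlines():
        if _is_stanza_for(line, iface):
            line, n = ADDR_RE.subn(f'ATTR{{address}}=="{new_mac}"', line)
            changed += n
        out.append(line)
    if changed != 1:
        raise ValueError(f"expected one stanza for {iface}, found {changed}")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    # Point eth0 at the MAC VMware chose for the clone (a made-up value here).
    updated = set_interface_mac(SAMPLE_RULES, "eth0", "00:0C:29:11:22:33")
    print(updated)
    print("eth0 now bound to", interface_mac(updated, "eth0"))
```

On a real system you would read `/etc/udev/rules.d/70-persistent-net.rules`, pass its contents through `set_interface_mac`, write the result back as root, and then delete or renumber the now-duplicate eth1 stanza so udev does not keep two rules claiming the same device.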

Electronic Health Records in Alberta

Thinking of the challenges associated with creating electronic healthcare records for all healthcare users in Alberta. Typical government projects don’t have the best track record for maintaining proper security architecture, much less implementation. Starting to dig into this for my next paper, and I’m somewhat underwhelmed with what I see. Do we have a choice to opt out? Is there any way to ensure our health records don’t get compromised and exposed publicly? I guess I’ll be searching for some answers.

Info Sec and IT Sec books and articles of interest

Start of my InfoSec article journal and book list

Not really blog worthy, but I decided to start a journal of interesting information security articles or books that I’ve found to be particularly valuable. Not all of them are publicly available, but where I can, I’ll add some links. Really this is just a list of my dog-eared books in no particular order. (-:

Articles

Security Controls That Work; Information Systems Control Journal; Volume 4, 2007

Information Security Standards Focus on the Existence of Process, Not Its Content; Communications of the ACM; August 2006, Volume 49, Number 8

FrankenSOA; Network Computing; 06/25/07; Page 41

Books

Chris McNab, Network Security Assessment, Sebastopol, CA: O’Reilly Media, Inc., 2004 – Describes a technical assessment methodology which can be used to understand the “threats, vulnerabilities, and exposures modern public networks face.”

Andrew Jaquith, Security Metrics: Replacing Fear, Uncertainty, and Doubt, Upper Saddle River, NJ: Addison-Wesley, 2007 – Information security has been largely justified by fear over the last many years. This book is the single best book I have seen yet which provides a pragmatic guide to using effective metrics in infosec programs and communication with stakeholders. I think that organizations which adopt this type of approach will fare well when infosec spending starts to level off or dry up.

Stephen Northcutt, Lenny Zeltser, Scott Winters, Karen Kent & Ronald Ritchey, Inside Network Perimeter Security, Indianapolis, Indiana: Sams Publishing, 2005 – excellent multi-layer book which describes appropriate techniques to layer differing strategies together to provide stronger perimeter defense.  “Defense in depth is a primary focus of this book, and the concept is quite simple: Make it harder to attack at chokepoint after chokepoint.”

High availability firewalls with OpenBSD, pf and CARP

One can now inexpensively build a fault tolerant firewall cluster that removes any single point of failure in the security policy enforcement points at your security zone boundaries. Synchronous firewall state table updates and an open source version of virtual router redundancy protocol (CARP) gives the ability to seamlessly insert or remove firewalls from a cluster. No more patching firewalls at 2am hoping for the best (or not patching because it’s too hard).

PDF

Linux iptables notes

Add local redirection of low port to unpriv high port

Remove any existing entries:

iptables -t nat -D PREROUTING --src 0/0 -p tcp --dport 25 -j REDIRECT --to-ports 11025 2> /dev/null
iptables -t nat -D PREROUTING --src 0/0 -p tcp --dport 80 -j REDIRECT --to-ports 8080 2> /dev/null

Add new redirects:

iptables -t nat -I PREROUTING --src 0/0 -p tcp --dport 25 -j REDIRECT --to-ports 11025
iptables -t nat -I PREROUTING --src 0/0 -p tcp --dport 80 -j REDIRECT --to-ports 8080

Reducing malware risk by removing local Administrator privileges

Running day-to-day with a Windows account that has Administrator privileges is a recipe for disaster.  Casual browsing of a website that is infected or inadvertent opening of infected attachments can result in an infection through the user’s Administrator privileges.  Something like 92% of Microsoft critical vulnerabilities announced in 2008 could have been mitigated by operating day-to-day as a normal user.  Splitting your accounts into a normal account and admin account is a good idea, but it can lead to some headaches when the normal user needs to run temporarily as Administrator.

Fortunately there are some workarounds that can be used to temporarily elevate the user’s privileges to Administrator.  Most of these involve the RUNAS command:

File explorer
If you’re running IE7 under WinXP, in order to run Windows Explorer with the runas command, it must be run as a separate process. A quick way to do this, without having to change your Folder Options settings, would be to run an instance of Explorer with the undocumented parameter /separate, like this:

runas /user:domain\username "explorer /separate"

Command Line Prompt
You can add a shortcut on the task bar with the following syntax to get an Administrator cmd prompt:

%windir%\system32\runas.exe /user:yourdomain\a-someuser cmd

yourdomain is the name of your AD domain if you have one, if not, leave it out.  a-someuser is a suggested naming convention for the Administrator account associated with the user named someuser.