August 8th, 2007
Today I came across The Standard of Good Practice for Information Security, which has been produced by the Information Security Forum (ISF), an international association of over 260 leading organisations which fund and co-operate in the development of a practical research programme in information security.
The ISF's work probably represents the most comprehensive and integrated set of material anywhere in the world in the area of information risk management.
The main aspects of security covered by the standard are:
- Security Management - Security management at enterprise level.
- Critical Business Applications - A business application that is critical to the success of the enterprise.
- Computer Installations - A computer installation that supports one or more business applications.
- Networks - A network that supports one or more business applications.
- Systems Development - A systems development unit/department or a particular systems development project.
An examination of the main sections of The Standard of Good Practice will show that it covers the entire spectrum of arrangements that need to be made to keep the business risks associated with information systems within acceptable limits. It is a major tool in improving the quality and efficiency of security controls applied by an organisation.
You can get it for free (registration required) from the ISF.
Share This
If you enjoyed this post, make sure you subscribe to my RSS feed!
Leave Comment » | Posted in Framework, Guidelines
August 7th, 2007
Today I saw the release of a new tool collection for auditing SIP devices: SIPVicious. Apart from the great name, this suite consists of three applications used to map, scan and crack SIP devices:
- svmap
This is a SIP scanner. When launched against ranges of IP address space, it will identify any SIP servers it finds on the way. It also has the option to scan hosts on ranges of ports.
- svwar
Traditionally a war dialer used to call up numbers on the phone network to identify ones that are interesting from ones that are not. With SIP, you can do something similar to identify active users.
- svcrack
This is a password cracker making use of digest authentication. It is able to crack passwords on both registrar servers and proxy servers. It can make use of ranges of numbers or a dictionary file full of possible passwords.
The project is released under the GPL license and you can download it from its Google Code homepage.
[June 09 2008 Update]
SIPVicious 0.2.3 released
Fingerprinting support was added for svmap. fphelper.py and three databases used for fingerprinting were included. svlearnfp.py was added, which allows one to add new signatures to a database and send them to the author.
A DNS SRV check was added to svmap. The ability for svreport to count results when doing a list was added. A bug related to resuming a scan which does not have an extension was fixed.
Posted in Voip, Tools
August 6th, 2007
Today I discovered an impressive collection of security tools developed and offered for free by iSEC Partners, and because I really appreciate any open source effort, I thought the least I could do is present them.
There are four categories:
Since the topic of this blog is mostly application security, I will detail the Application Tools:
- Forensic Fuzzing Tools
This is a collection of scripts that can be used to generate fuzzed files, fuzzed file systems, and file systems containing fuzzed files. These can be used to test the robustness of forensics tools and examination systems.
- SAMLPummel
SAML Pummel is a BeanShell plug-in for WebScarab. It automates eight different injection attacks to assist in auditing the implementation of SAML 2.0 single sign-on systems.
- Jailbreak
Jailbreak is a tool for exporting certificates marked as non-exportable from the Windows certificate store. This can help when you need to extract certificates for backup or testing. You must have full access to the private key on the filesystem in order for jailbreak to work.
- ProxMon
ProxMon is an extensible Python based framework that reduces testing effort, improves consistency and reduces errors. Its use requires limited additional effort as it processes the proxy logs that you’re already generating and reports discovered issues. In addition to penetration testing, ProxMon is useful in QA, developer testing and regression testing scenarios.
- CyberVillainsCA
The CyberVillainsCA is a small Java library for on-the-fly generation, duplication and substitution of X.509 certificates. It is intended for use in building or extending security testing tools, for example, WebScarab (example included).
- File Fuzzers
These tools are useful for testing any program which processes binary file inputs such as archivers and image file viewers.
- Windows IPC Fuzzing Tools
This is a collection of tools used to attack applications that use Windows Interprocess Communication mechanisms. This package includes tools to intercept and fuzz named pipes, as well as a shared memory section fuzzer.
- WSMap
WSMap is a Python-based tool that helps penetration testers find web service endpoints and discovery files.
- Parses WebScarab logs to find testing targets
- Tests URLs and implies URLs found in log
- Tests for WSDL and DISCO web service discovery formats
- WSBang
WSBang is a Python-based tool used to perform automated security testing of SOAP based web services.
- Takes URL of WSDL as input
- Fuzzes all methods and parameters in the service
- Identifies all methods and parameters, including complex parameters
- Fuzzes parameters based on type specified in WSDL
- Reports SOAP responses and faults
- SecureCookies
SecureCookies is a tool to evaluate whether a given URL is utilizing the security options in the cookie.
- Event Log Zap (Elzap)
Event Log Zap (Elzap) is a tool that deletes individual events in the Windows Event Log. It can list records of the three default logs, including the Security, System, and Application logs, and then remove records without any interruption to the system.
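The kind of check SecureCookies performs, written out as an added example (this is not iSEC's code): each Set-Cookie header a URL returns is parsed and reported when it lacks the Secure or HttpOnly attribute. The headers and URL below are constructed sample data so it runs offline; fetch_set_cookie() is the assumed way to collect real ones.

```python
"""Check whether the cookies a URL sets carry the Secure and HttpOnly attributes.

Added example in the spirit of the SecureCookies check; not iSEC's code. The
Set-Cookie headers below are constructed sample data so the check runs offline.
"""
from urllib.parse import urlparse
from urllib.request import Request, urlopen

# Constructed sample: what a login page might return (not captured from a real site).
SAMPLE_URL = "https://app.example.test/login"
SAMPLE_HEADERS = [
    "JSESSIONID=abc123; Path=/; Secure; HttpOnly",
    "prefs=dark; Path=/; Expires=Wed, 21 Oct 2026 07:28:00 GMT",
    "token=xyz789; Path=/; Secure",
]


def parse_set_cookie(header):
    """Split one Set-Cookie header into (cookie name, attributes).

    Attribute names are lower-cased; flag attributes (Secure, HttpOnly) map to True.
    The cookie value itself is dropped because only the attributes matter here.
    """
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, sep, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip() if sep else True
    return name, attrs


def evaluate_cookies(url, set_cookie_headers):
    """Return (cookie name, finding) pairs for cookies that lack protection.

    Secure is only demanded on HTTPS URLs: without it the browser will also send
    the cookie over plain HTTP. HttpOnly is demanded everywhere: without it the
    cookie is readable from page script, so an XSS bug leaks it.
    """
    is_https = urlparse(url).scheme.lower() == "https"
    findings = []
    for header in set_cookie_headers:
        name, attrs = parse_set_cookie(header)
        if not is_https:
            findings.append((name, "set over plain HTTP; it travels in clear text"))
        elif "secure" not in attrs:
            findings.append((name, "missing Secure; browser may send it over HTTP"))
        if "httponly" not in attrs:
            findings.append((name, "missing HttpOnly; readable by page script"))
    return findings


def fetch_set_cookie(url):
    """Fetch the URL with a plain GET and return its Set-Cookie headers (live network)."""
    with urlopen(Request(url, headers={"User-Agent": "cookie-check/0.1"})) as resp:
        return resp.headers.get_all("Set-Cookie") or []


if __name__ == "__main__":
    for name, finding in evaluate_cookies(SAMPLE_URL, SAMPLE_HEADERS):
        print(f"{name}: {finding}")
```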
As said, these tools are released for free and I'm sure that iSEC Partners will be more than happy with any feedback you could provide.
BONUS: I'm very eager to test the "soon to be released" SecurityQA Toolbar, a great testing product for web application security presented as a browser toolbar!
Posted in Web Applications, Tools
July 26th, 2007
The Secunia Personal Software Inspector is an invaluable tool for assessing the security patch state of the software installed on your system. It constantly monitors your system for insecure software installations, notifies you when an insecure application is installed, and even provides you with detailed instructions for updating the application when an update is available.
It is NOT the purpose of the Secunia PSI to detect whether your system has already been compromised or if local changes, settings, or missing requirements could cause the Secunia PSI to report incorrect results. The Secunia PSI relies on the meta-data of executables and library files.
The Secunia PSI works by examining files on your computer (primarily .exe, .dll, and .ocx files). These files contain non-specific meta information provided by the software vendor only. This data is the same for all users, and originates from the installed programs on your computer - never from their configuration.
The Secunia PSI does NOT conduct an integrity check of the individual files, rather, it checks whether a specific program is vulnerable according to the reported version numbers and not whether the files have been compromised or replaced by other users or programs.
Free download for Private/Home Users available.
Posted in Vuln. Scanner, Tools
July 20th, 2007
"Watir" (pronounced water) stands for "Web Application Testing in Ruby". Watir is an automated test tool which uses the Ruby scripting language to drive the Internet Explorer web browser. Watir is a toolkit for automated tests to be developed and run against a web browser.
Plan what you need Watir to do before you begin scripting. Open your web browser with the application under test in front of you, and pay close attention to the objects on that page. What text fields require entries? What buttons need to be pushed? What links need to be clicked? It sometimes helps to write out the steps it will take to exercise a test first, and then fill in the Watir scripting code to satisfy each of those steps.
It is a good idea to view the source of the page (in Internet Explorer, right click and select View Source) and get an idea of what the attributes of the objects you need to interact with are.
To start developing a test:
- Open your text editor.
- Name your test file with a .rb (Ruby) extension.
- Provide your new test file with access to the Watir tool by entering this statement at the beginning of your test script: require 'watir'
- Open Internet Explorer and navigate to the application you wish to test
- Interact with it to design your test case
- Using the Watir methods below, type the corresponding Watir methods into your test script
- Verify the result
It's interesting to see that you can interact with all the elements of a webpage, such as buttons, URLs, checkboxes, radio buttons, IDs, frames and others.
So once the script is done, you just load it and run it. I didn’t have time to check it inside out, but I think it’s a great web application testing framework which deserves more coverage and exposure.
Find out more about Watir on the project’s website.
Posted in Web Applications, Brute Force, Tools
July 19th, 2007
Srinath Anantharaju, a member of Google's Security Team, announced on Google's Security Blog the availability of "Lemon", a new web application security fuzzer developed by Google.
The tool has not been made public, nor will it be in the near future, Srinath says. It's just too custom-built for Google's applications.
This whole story makes me think about two questions:
- Is Google interested in offering web security services to its customers? It's like "We already have all your URLs harvested by our Googlebot, and we also have this great black box fuzzing technology, so we can find any vulnerable parameter in seconds."
- Is there a new Google product on its way which requires a careful web application assessment? (Something which requires PCI compliance, perhaps?)
I guess we'll wait and see; anyway, it's good to see the giant G getting involved in application security.
Posted in Web Applications, Brute Force, Tools
July 18th, 2007
Today I had a chance to read the "PCI DSS Made Easy" whitepaper released by GFI. Being a QSAP auditor myself, I was curious to see how GFI plays the game of PCI compliance. It was a good read!
I found the structure of the paper to be very helpful for the reader, even though it's a vendor-supplied article and the marketing lion must take its share.
There are four essential sections which raise awareness and try to answer the most important questions about PCI compliance:
- What is the Payment Card Industry (PCI) directive?
- Why is it important for your business to comply?
- What are the consequences of not complying?
- What solutions does GFI provide to help you meet PCI requirements?
Companies are constantly at risk of losing sensitive cardholder data. Such a loss will result in fines, legal action and bad publicity. This will in turn lead to loss in business. Achieving compliance to the PCI Data Security Standard should be high on the agenda of organizations who carry out business transactions involving the use of credit cards.
I would recommend the article to anyone who's interested in getting a solid overview of the PCI DSS; it's also interesting to see how GFI can help you address multiple sections in 9 of the 12 PCI requirements.
Download the free PDF: PCI DSS Made Easy
Posted in Articles
July 17th, 2007
If you are looking for a way to silently run information gathering tools from a U3 compatible USB thumb drive, look no further. The Hak5 USB Switchblade is a great tool to turn a harmless USB pen drive into a dangerous hacking tool.
While the USB Switchblade does require a system running Windows 2000, XP, or 2003, logged in with Administrative privileges, and physical access, the beauty lies in the fact that the payload can run silently and without modifying the system or sending network traffic, making it near invisible.
For example, the USB Switchblade can be used to retrieve information from a target system at a LAN party by lending the key to an unsuspecting individual with the intent to distribute a game patch or other such warez.
The system presents a modular architecture which enables you to install different packages such as:
- Dump SAM
- Internet Explorer Password Grabber
- Windows Update Lister
- Netstat
- Messenger password Dumper
- FireFox Password Stealer
- Silent VNC installer (with external IP send)
- Username adder
I would definitely recommend using these devices as part of a larger social engineering attack: just use a catchy label and drop them in the customer’s parking lot
(I know it’s been done already)
Posted in internal threats, Penetration Testing, Tools
July 16th, 2007
Francois Larouche announced today the availability of a new version of Sql Power Injector, an excellent application created in .Net 1.1 that helps the penetration tester find and exploit SQL injections in a web application.
This time, like the last version, I emphasized maturity, stability and reliability. I also emphasized usability, documentation and innovation.
One of the major improvements is an innovative way to optimize and accelerate the dichotomy in the Blind SQL injection, saving time/number of requests up to 25%.
Added to this it’s now possible to define a range list that will replace a variable (<<@>>) inside a blind SQL injection string and automatically play them for you. That means you can get all the database names from the sysdatabases table in MS SQL without having to input the dbid each time for example.
Another great time saver is a new Firefox plugin that will launch SQL Power Injector with all the information of the current webpage with its session context. No more time wasted copy-pasting the session cookies after you have logged in… And of course you can make the easy SQL tests in your browser and use the plugin once you want to search more thoroughly.
To make your life easier there is now a new feature that will search the diff between a positive condition (1=1) response and a negative condition (1=2) response and display the list for you.
The last major addition is the extensive database Help file (CHM) that contains most of the information you need when you SQL inject. It covers the 5 DBMS supported by SQL Power Injector. You can find in it the system tables and views with their columns, environment variables, the useful functions and stored procedures. All this with some notes on how to use them and why it's useful for SQL injection.
But of course, it’s more than that… As you will see in the list of the new features.
Released under the Clarified Artistic License, Sql Power Injector is freely available for download.
Posted in Sql Injection, Penetration Testing, Tools
July 9th, 2007
Paterva Evolution is, in my opinion, the tool to demonstrate the butterfly effect or the six degrees of separation theory. It is all about information gathering and intelligence graphs, and now it's even easier to use thanks to its new GUI.
- Evolution is a program that can be used to determine the relationships and real-world links between:
  - People
  - Groups of people (social networks)
  - Companies
  - Organizations
  - Web sites
  - Internet infrastructure such as
    - Domains
    - DNS names
    - Netblocks
    - IP addresses
  - Phrases
  - Affiliations
  - Documents and files
- These entities are linked using open source intelligence.
- Evolution is easy and quick to install - it uses Java, so it runs on Windows, Mac and Linux.
- Evolution provides you with a graphical interface that makes seeing these relationships instant and accurate - making it possible to see hidden connections.
- Using the graphical user interface (GUI) you can see relationships easily - even if they are three or four degrees of separation away.
- Evolution is unique because it uses a powerful, flexible framework that makes customizing possible. As such, Evolution can be adapted to your own, unique requirements.
Although the program is not GPL, you can try the free Web interface or you can download the free GUI for Windows / Mac / Unix. Give it a try and suddenly you will see that you know somebody who knows somebody who knows…
Posted in Penetration Testing, Fingerprinting, Tools