ENISA, the European Network and Information Security Agency together with the International Telecommunication Union, is launching a new portal for IT security standards, for the first time giving Europe one, single access point for IT security standards.

One of the objectives of this security standards portal named "ICT Security Standards Roadmap" is to provide a central tracking facility for NIS standards. It facilitates identification of standards and standardization activities, as well as coordination among standardization bodies, reduction of duplicate work and easier identification of existing gaps.

The Roadmap is in five parts:

• Part 1: ICT Standards Development Organizations and Their Work
• Part 2: Approved ICT Security Standards
• Part 3: Security standards under development
• Part 4: Future needs and proposed new security standards
• Part 5: Best practices

In order to use the Security Standards Database, a link is provided either to the standard itself or to the source of the standard because some organizations make their standards freely available while other organizations charge for their standards.

The security standards portal is hosted by ITU-T at
http://www.itu.int/ITU-T/studygroups/com17/ict

Share This

If you enjoyed this post, make sure you subscribe to my RSS feed!

I was wrong about BBpress not having a single vulnerability during May 2006 - May 2007. Now it has one.

As Ory Segal pointed out in his comment on the forum vulnerabilities post , the BBpress authentication page (bb-login.php) is home of a XSS vulnerability. A few days ago we’ve had an interesting conversation on this topic and I’ll post here the conclusions

Ory Segal: 

It’s rather simple, and seems to be working on the installation I have here in front of me:
 
GET /bb-login.php?re="><script>alert(1);</script> HTTP/1.0
Host: www.some.site
Referer: http://www.some.site/
 
The tricky part here is that the Referer header needs to point to http://www.some.site/ - or any other path which belongs to the host on which BBPress is installed on.
 
If there Referer is anything but this, it’ll disregard ths value of the "re" parameter - this can be seen in the code at:
 
if ( 0 !== strpos($re, bb_get_option( ‘uri’ )) )
$re = $ref . $re;
Now, one might argue if this is exploitable, since you can’t fully control the HTTP Referer header, but there are several ways around this:
 
1) You locate a script on BBPress which forces a redirection, and then use it as the launch pad for the attack - I haven’t validated if such a script exists
 
2) You use some other technique, which allows you to control the HTTP Referer header, for example: http://www.cgisecurity.com/lib/XmlHTTPRequest.shtml , or http://www.webappsec.org/lists/websecurity/archive/2006-07/msg00069.html

Indeed, the refferal parameter ($re) is not sanitized properly and it’s used to render the page template:

bb_load_template( ‘login.php’, array(’re’, ‘user_exists’, ‘user_login’, ‘redirect_to’, ‘ref’) );

The login.php template simply returns the value of $re as a hidden value : 

<td><input name="re" type="hidden" value="<?php echo $re; ?>" />

So basically Ory was right and I have updated the Top 10 Open Source Forums - 12 Months of Vulnerabilities post

 P.S: Read more about  memory cards

Share This

If you enjoyed this post, make sure you subscribe to my RSS feed!

Before running a security assessment or penetration test, most auditors and testers check their arsenal toolkit for the latest versions and updates. Easy if your toolbox is at least 10 tools. However, this quickly turns to a hard task when your arsenal exceeds a hundred piece of softwares. - www.security-database.com

This is where Security Database Tools Watch comes very handy. The guys at www.security-database.com keep a close eye on hundreds of security tools and they provide free access to the tracking database so that you know exactly which tools you need to update before starting your assessment projects.

All the tools are well organized in categories  and there is also a search function available.
Great resource!

Share This

If you enjoyed this post, make sure you subscribe to my RSS feed!

I was browsing the NIST Computer Security Resource Center and I’ve seen that some new drafts and final publications have been released on June 1st and June 4th.
June 4th, 2007:
Draft Special Publication 800-53A, Guide for Assessing the Security Controls in Federal Information Systems.
This draft publication provides guidelines for developing security assessment plans and a comprehensive catalog of assessment procedures that can be used to determine the effectiveness of security controls in federal information systems.

June 1st, 2007:  
1. Draft SP 800-44 version 2, Guidelines on Securing Public Web Servers
SP 800-44 version 2 is intended to aid organizations in the installation, configuration, and maintenance of secure public Web servers. It presents recommendations for securing Web server operating systems, applications, and content; protecting Web servers through the supporting network infrastructure; and administering Web servers securely. SP 800-44 version 2 also provides guidance on using authentication and encryption technologies to protect information on Web servers.

2. Draft SP 800-46 version 2, User’s Guide to Securing External Devices for Telework and Remote Access
The publication is intended to help teleworkers secure the external devices they use for telework, such as personally owned desktop and laptop computers and consumer devices (e.g., cell phones, PDAs). SP 800-46 version 2 focuses on security for telework involving remote access to an organization’s nonpublic computing resources.
 

The three final publications released on June 1st:

1. SP 800-101, Guidelines on Cell Phone Forensics
This publication provides general principles and technical information to aid organizations in developing appropriate policies and procedures for preserving, acquiring, and examining digital evidence found on cell phones, and for reporting the results

2. NISTIR 7387, Cell Phone Forensics Tools : An Overview and Analysis Update
This publication provides an overview of current forensic software tools designed for the acquisition, examination, and reporting of data residing on cellular handheld devices

3. NISTIR 7275 revision 2, Specification for the Extensible Configuration Checklist Description Format (XCCDF) Version 1.1.3
This publication describes XCCDF, which is a standardized XML format that can be used to hold structured collections of security configuration rules for a set of target systems. The XCCDF specification is designed to provide automated testing and scoring that can support FISMA compliance and other efforts.

In order to get e-mail notifications whenever new publications are released, you can subscribe to NIST computer security publications e-mail list.

Share This

If you enjoyed this post, make sure you subscribe to my RSS feed!

Shedding light on who’s doing what with your private information.- etiolated.org

I’ve written before about massive data loss incidents which are more or less advertised in the mainstream media. All these security incidents which involve identity theft and compromise of personal data are archived by attrition.org since Jan 2000. 

There are over 690 incidents in the database and it’s not always easy to pinpoint a specific incident. This is where etiolated.org comes into place : a highly specialized search engine for identity theft  and personal data compromise incidents.

Besides trend graphs and top incidents. etiolated.org offers a complex search syntax which allows you to search by location, number of affected records, year, and many other search terms.

For instance :

(georgia OR california) AND records:[2000 TO *] AND org_type:"Uni" AND breach:"SSN"

will return incidents where the number of records is greater than 2000, occuring in organizations with georgia or california in their names, where the organization is a univeristy, and the type of information breached includes social security numbers.

So whenever you learn about a new identity theft incident, chances are that etiolated already has it indexed together with refferences and breach volume information.

Share This

If you enjoyed this post, make sure you subscribe to my RSS feed!

Configuring webserver security made easy - Well, not yet, but that’s the plan…

Christian Folini announced the public release of REMO, a project to build a graphical rule editor for ModSecurity with a positive/whitelist approach.

Short list of features:

• Ruby on rails application with ajax use
• Enter http requests, display them, edit them, delete them, rearrange them
• Edit the http headers of the requests
• Edit the query string parameters
• Edit the cookie parameters
• Edit the post payload arguments
• Every argument can be optional or mandatory
• The response to every argument failure can be configured specially including http status code and optional redirect location
• Argument names can contain regular expressions themselves
• Default value domains for all arguments. So you do not have to edit a regular expression for every parameter. Just select a predefined value.
• Generate positive ModSecurity2 ruleset
• Import ModSecurity audit-logs
• Check requests in the audit-log against the ruleset in development to find out wether it will work in practice

Share This

If you enjoyed this post, make sure you subscribe to my RSS feed!

Ounce Labs released a valuable resource for everybody involved in the Software Security business. "Software Security Assurance: A Framework for Software Vulnerability Management and Audit" is more than a framework, it’s a call to action driven by the need for better understanding of roles and responsibilities in software security assurance.
 

The paper starts by presenting the main components of software risk management processes which must address the issues and consequences of vulnerable software.

The core of the solution offered by OunceLabs  for managing software security assurance is based on 4 critical cyclic actions:

• Perform Risk Assessment : Determine the extent of vulnerabilities and their potential impact
• Provide Vulnerability Management and Remediation: Identify and fix the flaws
• Set Security Standards for Development and Deployment: Prevent the introduction of vulnerabilities
• Ensure Ongoing Assessment and Assurance: Provide monitoring and auditing

The Appendixes provide a consistent starting point for implementing the framework :

• Appendix A : Audit Program and Internal Control Questionnaire for Source Code Vulnerability Management
• Appendix B: Roles and Responsibilities for Software Security Assurance
• Appendix C: Control Objectives and Practices (related Control Frameworks, Requirements, Standards and Guidance : COSO, SOX, COBIT, ISO/IEC 17799 )
• Appendix D : Web Application Vulnerabilities : Top 10 Sources of Exposure to Locate and Remediate

I see this guide fitting very well in a general PDCA security management framework

Download (free registration required)  : Software Security Assurance: A Framework for Software Vulnerability Management and Audit

Share This

If you enjoyed this post, make sure you subscribe to my RSS feed!

Security Hacks assembled a list of Top 15 free SQL Injection Scanners which include some of the most popular SQL injection tools such as : SQLibf, Absinthe, NGSS SQL Injector, etc.

Great resource of tools!
I’ve had my experiences with some of these scanners and although some of them have very intuitive GUI console, unfortunately many times the SQL injection vulnerability is not visible (the error messages are filtered) and one has to relay on manual blind SQL injection. Painfull but rewarding . I will test some of these tools on one future assessment and I will post the results.

Share This

If you enjoyed this post, make sure you subscribe to my RSS feed!

A friend of mine asked me to recommend a secure open source PHP bulletin board (forum) . Having worked with PHPbb in the past, I remembered the large number of PHPbb security vulnerabilities which were reported every few months. I decided to take a look at today’s top 10 bulletin boards and see how many security vulnerabilities have been published in the last 12 months by Secunia.

For my test I chose

• phpBB
• YaBB
• bbPress
• Beehive
• deluxeBB
• iceBB
• MyBB
• Phorum
• PunBB

The results show that PhPBB and MyBB still rule in the game of security vulnerabilities with 13 each (averaging one each month!) whilst BBPress and Beehive had no public vulnerability disclosure.

Vulnerabilities disclosed during May 2006 - May 2007

I know that  more attention it gets, the more an application is prone to being picked on for vulnerabilities.  I will watch the comments on this top 10, but right now I would go for BBpress or Beehive :) 

Here are the complete results:

BBPress : BBpress XSS Vulnerability
Beehive :  Beehive Zero Vulnerabilities - Myth BUSTED

IceBB: 1

QuickSilver : 1

YaBB : 2

PunBB : 3

Phorum : 4

DeluxeBB : 7

PHPbb :13

MyBB: 13

 What open source forum would you recommend ? Are these numbers relevant ?

Share This

If you enjoyed this post, make sure you subscribe to my RSS feed!

Today I gave a presentation on Web Application Security to a banking audience. Too bad the meeting room had lousy acoustic and it was way too much ambient light :( 

Anyway, this was my first "emotional built" presentation as I used images extensively and I think it was well received by the powerpoint-minded crowd

Without further ado, here is the flash version of my presentation : E-Banking Web Application Security.

Do you like it ?

Share This

If you enjoyed this post, make sure you subscribe to my RSS feed!