Back in March 2009 I wrote a blog post about using web bugs in information gathering, found here. For those unfamiliar with web bugs;
“A web bug is an object that is embedded in a web page or e-mail and is usually invisible to the user but allows checking that a user has viewed the page or e-mail. One common use is in e-mail tracking. Alternative names are web beacon, tracking bug, tracking pixel, pixel tag, 1×1 gif, and clear gif.”
At the time I thought I had stumbled across something unique and that no one had really understood the implications of allowing the posting of remote images in web applications. The idea originally came to me when playing around with Adrian Crenshaw’s (IronGeek) logo. I wasn’t aware of the term ‘web bug’ so I explained to Adrian my concept, he knew what a web bug was and seemed to be well aware of their consequences.
DevBUG is an idea that came to me while conducting a Vulnerability Assessment for University a few months back. We did a service scan on a web server and found that way too many ports and services were running! But that wasn’t the problem, well, not for us anyway. The problem was, is that we had 20 different software services and versions to google and write about.
So what is the process? We needed to find the software package’s homepage, find what the latest version of the package is for the development tree that was used, find out how old the version the web server was running was and then try to find any known vulnerabilities associated with that version. This is not too much hassle when you have to do it one to three times however when you have to do it twenty to fifty times it starts to become time consuming.
So in comes DevBUG. DevBUG is a web application which will be free for any one to use, no subscriptions or anything. It will be a search engine for software packages and their versions. Three times a day (every 8 hours) starting at 8AM GMT a backed spider will visit every software package’s homepage looking for new versions, if it finds a new version this will be added to a database. So the idea is, to keep a record of software, their released versions, release dates and any vulnerabilities which may affect each version. So this is great to solve our original problem! We have a one stop shop for all the information we need! But what other uses does it have?
In the Information Security industry it is said that if you have security clearance you can earn significantly more income and work on exiting secret projects for government agencies. So what is security clearance and how do I get it?
Security clearance is a way to prove your trustworthiness at a particular point in time so that you can work with sensitive information on government projects. Your trustworthiness is assessed by a thorough background check. There are a number of different security clearance levels depending on the sensitivity of the information which you are required to work with. These levels were changed in the UK during WWII to reflect those of the US so that sensitive information could be shared and the sensitivity of the information not be confused.
National Security Clearances:
Developed Vetting (DV)
This is the highest level of Security Clearance and is required for people with substantial unsupervised access to TOP SECRET assets, or for working in the intelligence or security agencies. This level of clearance involves Security Check (SC) and, in addition, completion of a (DV) questionnaire, financial checks, checking of references and a detailed interview with a vetting officer. To gain (DV) clearance you will normally have had to have been a resident in the UK for a minimum of 10 years.
Security Check (SC) is for people who have substantial access to SECRET, or occasional access to TOP SECRET assets and information. This level of clearance involves a (BPSS) check plus UK criminal and security checks and a credit check. To gain (SC) clearance you will normally have had to have been a resident in the UK for a minimum of 5 years.
Counter Terrorist Check (CTC) is required for personnel whose work involves close proximity to public figures, gives access to information or material vulnerable to terrorist attack or involves unrestricted access to certain government or commercial establishments. A (CTC) does not allow access, or knowledge, or custody, of protectively marked assets and information. The check includes a Baseline Personnel Security Standard Check (BPSS) and also a check against national security records. To gain (CTC) clearance you will normally have had to have been a resident in the UK for a minimum of 3 years.
Baseline Personnel Security Standard (BPSS) (formally Basic Check)and Enhanced Baseline Standard (EBS) (formerly Enhanced Basic Check or Basic Check +): These are not formal security clearances; they are a package of pre-employment checks that represent good recruitment and employment practice.
A BPSS or EBS aims to provide an appropriate level of assurance as to the trustworthiness, integrity, and probable reliability of prospective employees. The check is carried out by screening identity documents and references.