DevBUG – Keeping track so you don’t have to

DevBUG is an idea that came to me while conducting a Vulnerability Assessment for University a few months back. We did a service scan on a web server and found that way too many ports and services were running! But that wasn’t the problem, well, not for us anyway. The problem was that we had 20 different software services and versions to google and write about.


So what is the process? We needed to find the software package’s homepage, find the latest version of the package for the development tree that was used, find out how old the version running on the web server was, and then try to find any known vulnerabilities associated with that version. This is not too much hassle when you have to do it one to three times; however, when you have to do it twenty to fifty times it starts to become time-consuming.


So in comes DevBUG. DevBUG is a web application which will be free for anyone to use, no subscriptions or anything. It will be a search engine for software packages and their versions. Three times a day (every 8 hours), starting at 8AM GMT, a back-end spider will visit every software package’s homepage looking for new versions; if it finds a new version, it will be added to a database. So the idea is to keep a record of software, their released versions, release dates and any vulnerabilities which may affect each version. So this is great to solve our original problem! We have a one-stop shop for all the information we need! But what other uses does it have?



Posted on 21 May, 2010 by admin


UK Security Clearance 101

In the Information Security industry it is said that if you have security clearance you can earn significantly more income and work on exciting secret projects for government agencies. So what is security clearance and how do I get it?


Security clearance is a way to prove your trustworthiness at a particular point in time so that you can work with sensitive information on government projects. Your trustworthiness is assessed by a thorough background check. There are a number of different security clearance levels depending on the sensitivity of the information which you are required to work with. These levels were changed in the UK during WWII to reflect those of the US so that sensitive information could be shared and the sensitivity of the information not be confused.


National Security Clearances:


Developed Vetting (DV)
This is the highest level of Security Clearance and is required for people with substantial unsupervised access to TOP SECRET assets, or for working in the intelligence or security agencies. This level of clearance involves Security Check (SC) and, in addition, completion of a (DV) questionnaire, financial checks, checking of references and a detailed interview with a vetting officer. To gain (DV) clearance you will normally have had to have been a resident in the UK for a minimum of 10 years.

Security Check (SC) is for people who have substantial access to SECRET, or occasional access to TOP SECRET assets and information. This level of clearance involves a (BPSS) check plus UK criminal and security checks and a credit check. To gain (SC) clearance you will normally have had to have been a resident in the UK for a minimum of 5 years.

Counter Terrorist Check (CTC) is required for personnel whose work involves close proximity to public figures, gives access to information or material vulnerable to terrorist attack or involves unrestricted access to certain government or commercial establishments. A (CTC) does not allow access, or knowledge, or custody, of protectively marked assets and information. The check includes a Baseline Personnel Security Standard Check (BPSS) and also a check against national security records. To gain (CTC) clearance you will normally have had to have been a resident in the UK for a minimum of 3 years.

Baseline Personnel Security Standard (BPSS) (formerly Basic Check) and Enhanced Baseline Standard (EBS) (formerly Enhanced Basic Check or Basic Check +): These are not formal security clearances; they are a package of pre-employment checks that represent good recruitment and employment practice.
A BPSS or EBS aims to provide an appropriate level of assurance as to the trustworthiness, integrity, and probable reliability of prospective employees. The check is carried out by screening identity documents and references.


Reference: http://www.securityclearedjobs.com/HowToBeSecurityCleared.aspx


Posted on 16 May, 2010 by admin


Month of PHP Security

In 2007 the Hardened-PHP Project, set up by three German Security Researchers, organised the Month of PHP Bugs (MOPB). The ‘Month of Bugs’ concept was started by none other than HD Moore back in 2006 with his Month of Browser Bugs (MoBB), which found security holes within most of the popular browsers. Since then there have been many ‘Months of Bugs’, including Month of Kernel Bugs (MoKB), Month of Apple Bugs, Month of Twitter Bugs and the Month of Facebook Bugs.


So why a Month of Bugs?
“The intention of the Month of PHP Security is to gather the best research and articles about PHP security topics from the security community and share them with the rest of the world. This time the goal is not only to improve the security of PHP itself and applications directly by fixing security bugs, but also to help PHP developers around the world to write better and more secure PHP applications.”



Posted on 28 April, 2010 by admin


Skipfish – Automated web security scanner

A couple of days ago (March 19th) Michal Zalewski, famous for tools such as p0f and his excellent book ‘Silence on the Wire’, announced the release of an open source automated web security scanner called Skipfish on the Google Online Security Blog.



Key features:

High speed: pure C code, highly optimized HTTP handling, minimal CPU footprint – easily achieving 2000 requests per second with responsive targets.

Ease of use: heuristics to support a variety of quirky web frameworks and mixed-technology sites, with automatic learning capabilities, on-the-fly wordlist creation, and form autocompletion.

Cutting-edge security logic: high quality, low false positive, differential security checks, capable of spotting a range of subtle flaws, including blind injection vectors.


Posted on 21 March, 2010 by admin


OWASP Testing Methodology

It is very easy for someone to find an XSS vulnerability within a web application and write a report about it. According to WhiteHat Security (2007) there is a 73% chance that you will find an XSS vulnerability within a web application. Does finding one of these mean you have assessed the security of the web application? Let’s take a web application vulnerability that is ‘seen’ to be more critical. Again, according to WhiteHat Security you have an 18% likelihood of finding an SQL Injection vulnerability within a web application. So during the web application security assessment you have found an SQL injection vulnerability; the back-end DBMS is a version of Microsoft SQL Server which has ‘xp_cmdshell’ enabled by default. You manage to get a reverse shell and acquire a copy of the database. Great! By gaining shell access to the server, does that mean you have properly assessed the security of the web application? No!



Posted on 8 March, 2010 by admin
