[Interview] Chris John Riley – ‘The Änal Security Guy’

For our second ever interviewee we have Chris John Riley, the ‘Änal Security Guy’. Chris was born in the UK and is now living in Austria. He has been in the IT industry for over 13 years and now works as an IT Security Analyst doing penetration testing internally and for external clients.


Questions:


How did you get started in information security?


Well, I’ve always been interested in security I guess. Although I always used to think of it as an unhealthy interest in how things really worked under the hood. I’ve broken my fair share of systems by being too curious what would happen if I just changed or deleted this or that file. Then again, who hasn’t done that once in a while.


I guess the real turning point was while I was working in Munich, Germany. An interesting project came across my desk that really seemed interesting to me. The project was a simple one: install and configure an Intrusion Detection System to protect an external server farm, and schedule regular vulnerability scans. But to tell you the truth, the project wasn’t really what made me want to do security, it was the response from the management after the project was finished. I sat down with one of the bosses and started to go through one of the vulnerability reports I’d run. Lots of red and yellow alerts, and things to change. His response was that the IDS and scans were simply a contract requirement to win a customer bid, and nobody had the time or interest in changing things. We’d ticked the box that said we have IDS and run regular scans, project done, please move on.


As you can imagine this didn’t sit too well, but there wasn’t much I could do at the time. I was still learning German and could rock the boat. So, moving on, I tried to work security into the next couple of projects and found it increasingly hard to get the point across that security should be built in at the ground level and not just ignored. Well, to cut a long story short, I asked for 4 weeks’ leave to attend some training (self-funded naturally) and it was turned down. At that point I decided I’d be better off moving on and finding a position that supported security and didn’t punish it. So I handed in my notice, did my training and made the move to Austria to be with my girlfriend.

read more…

Posted on 20 October, 2009 by admin


[BONSAI] XSS and SQL Injection in Achievo <= 1.3.4

Today Andres Riancho, owner of Bonsai Information Security (Argentina) and lead developer of w3af, has released a couple of advisories on vulnerabilities in Achievo <= 1.3.4 which we found a few months ago during our vulnerability research into common web applications.


The affected web application is Achievo <= 1.3.4. Achievo suffered from multiple simple persistent XSS vulnerabilities within its scheduler module and an SQL injection vulnerability within its dispatch.php file.


Achievo is a flexible web-based resource management tool for business environments. Achievo’s resource management capabilities will enable organisations to support their business processes in a simple, but effective manner.


Andres and I worked on quite a novel (to me) payload for the persistent XSS vulnerability which we found. Essentially the payload we worked on was an AJAX script which sent POST requests to the vulnerable application in order to escalate a user’s privileges. A write-up by Andres on the payload can be found here: http://www.bonsai-sec.com/blog/index.php/cross-site-scripting-payloads/


For the original advisories:

Multiple XSS in Achievo

SQL injection in Achievo


All vulnerabilities found were disclosed in an ethical manner. We worked alongside the affected application’s developers in order to fix the vulnerabilities found. The advisories were not published until the developers had fixed and updated their software.

Posted on 17 October, 2009 by admin


Netsparker – The next gen web app scanner



I was lucky enough to get my greasy hands on a copy of ‘Netsparker Final BETA’ from Mavituna Security’s project leader Ferruh Mavituna.

Netsparker can crawl, attack and identify vulnerabilities in all custom web applications regardless of the platform and the technology it’s built on, just like an actual attacker. It can identify web application vulnerabilities like SQL Injection, Cross-site Scripting (XSS), Remote Code Execution and many more.


I tested Netsparker v0.9.9.9935 (FINAL BETA) against DVWA v1.0.6. Setting up a new scan was as easy as putting in the DVWA URL, adding the security/PHPSESSID cookies and then selecting the different vulnerabilities to scan for. Netsparker picked up on almost all of DVWA’s vulnerabilities, even the SQL Injection vulnerability which a lot of web application scanners have problems picking up for some reason. The vulnerabilities that it did not pick up on I sent in an email to Ferruh; he has already added scans for some of these and will implement others in future.

read more…

Posted on 11 October, 2009 by admin


[Interview] Rob Loos – ‘Students in Security’

We have decided to start interviewing people in infosec to talk about various security topics. Our first ever interviewee is Rob Loos!


Rob Loos is a Belgian Applied Computer Science student at KHK Geel Belgium University who has a massive interest in the security world and loves to get other students involved too.


Questions:


What started you out in information security?

I’ve always had an interest in computers, playing games, writing a few small programs and helping other people out. Like many security people I enjoyed the forums a lot and got in contact with people whose hats were pretty far from white. I got a lot of blackhat knowledge that way, even though most was pretty script-kiddy. I got experienced with malware, remote administration and some webapp exploiting. It’s a lot of fun but not something that can get you a good future.

read more…

Posted on 6 October, 2009 by admin


Defcon too far? Blackhat too expensive? No problem!

Have no fear SecurityTubeCon is here! (well… soon!)


SecurityTubeCon is the first hacker conference to be held completely in cyberspace.


SecurityTubeCon is aimed at democratizing hacker conferences by allowing any researcher, regardless of his physical location, to share his work with the community. Unlike other Cons we will not *accept / reject* speakers. If you have something interesting to share, you WILL be heard. The idea behind SecurityTubeCon is not to pass judgments on your work, instead, it aims at providing a platform for knowledge exchange.


I’ve always wanted to attend a hacker conference, however for a poor student like me it’s not easy. If you don’t live in a big city you have to get to the conference by plane or train (£100 to £500), buy a ticket to attend (£50 to £1000), pay for a hotel (£100 – £300) and then pay for food/beer (£50 – £150), not to mention the time off work. All in all it can be an expensive trip!


SecurityTubeCon will be held on the 6th, 7th and 8th of November. Location: cyberspace


For more information on SecurityTubeCon, or if you’re interested in giving a talk:

http://securitytubecon.org/

Posted on 12 September, 2009 by admin
