Archive for July 2006

Web Application Scanning

Web application scanning is a subject that I know little about. In a recent audit, I was asked if we used any tools for that, but it's not something we have addressed. It looks like this topic is going to get broader press coverage due to a presentation at this summer's Black Hat conference on using JavaScript and XSS to compromise intranets.
The presenter is the founder of Whitehat Security. I found it kind of funny that they sell a website scanning service along with an appliance for scanning your intranet, yet the same website hosts a copy of a Black Hat presentation they gave in 2004 that seems to argue that humans are needed to properly evaluate web application vulnerabilities. I'll have to keep reading the site to find out what has changed.

Norton Personal Firewall 2006 DoS

There is a denial of service vulnerability in Norton Personal Firewall 2006, and potentially earlier versions. The system may crash due to the exploitation of this vulnerability. Exploit code is available.
Source

Disabling the LAN Manager Hash Value

We finally got around to disabling the LAN Man Hash value on our domain controller.
As Jesper Johansson and Steve Riley say in Protect your Windows Network,

Ideally this setting will never have any direct impact on security because if it does it means your domain controller has been hacked; but just in case, we recommend disabling storage of LM hashes. In most cases, the primary benefit of this setting is that it breaks compatibility with Windows 9x

We've had it disabled in the test domain since I posted in March. I'm still nervous about whether or not this will break anything. Anything that does break won't be discovered until the next time the user changes their password, because enabling this setting does not remove the LM hashes already stored in the directory; each account's LM hash is only dropped when that account's password is next changed.
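Because the policy only takes effect per account at the next password change, the practical check is to dump the hashes after enabling it and see which accounts still carry an LM hash. The script below is an added example, not code from the original post or from Microsoft: it reads a pwdump-style dump (the `user:rid:lmhash:nthash:::` format tools like SAMInside can export; the sample lines are constructed for this example, and the hash values are placeholders, not real credentials) and flags every account whose LM field is not the well-known empty-LM value. It also uses the fact that an LM hash is two independent DES halves, so a second half equal to the empty-half constant means the password is seven characters or shorter.

```python
"""Check a pwdump-style hash dump for accounts that still carry an LM hash.

Disabling LM hash storage (NoLMHash) only affects passwords set after the
policy is enabled, so a dump taken afterwards shows which accounts have not
yet changed their password. The sample lines below are constructed for this
example; the user names and hash values are placeholders, not from any real system.
"""

# LM hash of an empty (or absent) password: DES("KGS!@#$%") under two all-zero keys.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
# Each 16-byte LM hash is two independent 8-byte halves; a half equal to this
# value means that 7-character half of the password was empty.
EMPTY_LM_HALF = "aad3b435b51404ee"
# NT hash of the empty password, for the "no password at all" case.
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"


def parse_pwdump_line(line):
    """Parse 'user:rid:lmhash:nthash:::' into a dict, or return None for junk."""
    parts = line.strip().split(":")
    if len(parts) < 4:
        return None
    user, rid, lm, nt = parts[0], parts[1], parts[2].lower(), parts[3].lower()
    if len(lm) != 32 or len(nt) != 32:
        return None
    return {"user": user, "rid": rid, "lm": lm, "nt": nt}


def classify(entry):
    """Return a short status for one parsed entry."""
    lm, nt = entry["lm"], entry["nt"]
    if nt == EMPTY_NT:
        return "empty password"
    if lm == EMPTY_LM:
        return "no LM hash"  # NoLMHash has taken effect, or password > 14 chars
    if lm[16:] == EMPTY_LM_HALF:
        return "LM hash, password <= 7 chars"  # only one DES half to crack
    return "LM hash, password 8-14 chars"


def accounts_still_with_lm(dump_text):
    """Return [(user, status)] for every account whose LM hash is still stored."""
    findings = []
    for line in dump_text.splitlines():
        entry = parse_pwdump_line(line)
        if entry is None:
            continue  # blank line, comment, or malformed record
        status = classify(entry)
        if status.startswith("LM hash"):
            findings.append((entry["user"], status))
    return findings


# Constructed sample dump (hash values are placeholders, not real credentials).
SAMPLE_DUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
alice:1001:0123456789abcdefaad3b435b51404ee:fedcba9876543210fedcba9876543210:::
bob:1002:0123456789abcdef0123456789abcdef:fedcba9876543210fedcba9876543210:::
# comment line that should be ignored
"""

if __name__ == "__main__":
    for user, status in accounts_still_with_lm(SAMPLE_DUMP):
        print(f"{user}: {status}")
```

Run against a real dump, every account this reports still has a crackable LM hash; forcing a password change for those accounts (or waiting for the normal expiry cycle) is what actually finishes the job the policy setting starts.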

AusCERT: Eighty percent of new malware defeats antivirus

ZDNet reports on a security breakfast hosted by email hygiene firm Message Labs. Graham Ingram, General Manager of the Australian CERT, said that the most popular brands of antivirus miss about 80% of new malware.
It's the same thing I've been saying for years: signature-based antivirus will let you down. It is very good at dealing with old viruses, but not so good with new ones.

Trackbacks

Since a server migration, I've had nothing but trouble with trackbacks. The webhost support team resolved a problem with the CGI, but now I get so many spam trackbacks that Movable Type is throttling further trackbacks once it reaches a certain number per hour or per day.
All of the junk trackbacks are correctly tagged by the spam filter, but they still count against the throttle quota. The spammers are wasting their time, since in addition to an effective spam filter I am also moderating.
It's not as if people are beating down the door to send me a trackback ping, but I'd kind of like to actually receive it instead of having legitimate pings (including my own pings to older articles) throttled. Movable Type currently assigns a predictable numeric trackback address to each post, which lets a spammer send me a ping without ever visiting the site. I hope this has been resolved in the new version of the software. I'm thinking about implementing a plugin that renames the trackback links and puts the spammers in a tar pit, but I'm worried about the consequences.

Somewhere over the rainbow

My rainbow tables for alphanumeric plus 32 symbols and a space are not working right with SAMInside. I'm not sure if the problem is with SAMInside or with the files. My original file source is not available right now, so I can't download a new copy and compare hashes. I feel like my powers have been diminished, like Superman with kryptonite.

Vulnerability Scanners

Rod asks,

What are you all using for security vulnerability remediation and tracking? Posts in the security community over the last few weeks have highlighted that eEye's Retina product may not be as automated as larger companies need.
What’s your experience?

I haven't used eEye's vulnerability scanner, so I can't really comment on that.
I use Qualys as my vulnerability scanner. An appliance is used to scan internal systems; external systems are scanned from the Qualys servers. I like the customizable reports and the remediation ticketing system. As I've mentioned, I've had some issues with false positives, and they aren't always the fastest at getting those worked out.
We have an auditor on site verifying our Site Security Plan, and they are using Harris STAT. I had a week to scan machines using their account. STAT also had its share of false positives. I did not work with STAT support to resolve those, so I don't know how good their support is. The reporting was not as flexible as Qualys. It's not a bad software package, but I don't see why the government is so in love with it.
One of the key things I like about Qualys is the ability to schedule and forget: it will always have the current signatures. Ease of use is very important. Automatic updates, scheduled scans, and flexible reporting are key. Vulnerability scanners are designed to tell you about known vulnerabilities, typically ones for which a patch or configuration fix is already available. If no one is responding to the reports, it's just a waste of money.

More Invision Power Board Vulnerabilities

Six Apart's free support bulletin board for Movable Type has been offline for maintenance since this past weekend. I just saw why on Bugtraq. It looks like there is another SQL injection exploit in Invision Power Board that grants an attacker admin access; the vulnerability affects versions prior to 2.1.7. Hopefully they'll get patched and back online soon.
Back in May, I wrote about that forum being exploited and modified to serve up WMF exploits. At that time I let the SANS ISC know about it. So it was pretty funny in June when a Circuit City IPB forum was hacked and it made the tech news. According to MSN search there are still a lot of boards running Invision Power Board 2.1.6. A lot of them are hobby websites that will likely learn the hard way about keeping up with security patches.

Microsoft Purchases Winternals/Sysinternals

I see in Mark’s Sysinternals blog that they’ve been bought by Microsoft.
Congratulations to Mark and thanks for the great tools. Best of luck at Microsoft.

Websense RSS Feeds

I added two Websense RSS feeds into my RSS Reader today. One feed is for alerts. It contains alerts about new phishing attacks or interesting dangerous sites. The other feed is their blog.
http://www.websense.com/securitylabs/RSSFeed.php