Comments Posted By dre
Displaying 1 To 30 Of 31 Comments
SSA Version 1.5.2 – OVAL Vulnerability Assessment Software
There is a ton of information about OVAL on these forums.
I’m reconsidering what I said earlier about OVAL after looking at the MITRE integration overall. I’m also reconsidering AVDL because it turns out that WebInspect hasn’t even supported it themselves all year.
For example, check out this presentation by Bob Martin on CWE. On slide 15 (second to last slide), he shows how XCCDF and OVAL can be used as knowledge repositories to bring data to/from operations security management processes.
» Posted By dre On October 31, 2007 @ 5:46 am
qualys has integrated oval support into their product.
i find that the avdl support in webinspect is much more mature, and i wish that other products would support this… although oval support isn’t that bad of an idea either
» Posted By dre On October 25, 2007 @ 1:31 am
Storm Worm Descends on Blogspot
according to Brandon Enright, who spoke about the storm worm at toorcon 9 in san diego this past weekend – the storm worm is actually shrinking in size. i don’t have his slides, but as soon as i find them – i’ll post them here
» Posted By dre On October 25, 2007 @ 11:22 pm
Official release of SQL Power Injector 1.2 – Download Now!
i’m going to start using this FF extension instead of a lot of the command line tools I use. Thanks for the pointer!
in the past, i’ve mostly used SQLiX from owasp, as well as a few manual methods (mostly using Burp). if you want the latest on Overlooked SQL Injection techniques, look no further than Paul Battista, who i recently saw give this talk at toorcon 9 in san diego.
dave aitel and jms also put together a sort of proxy fuzzer/monitor (basically an RDBMS spy) called SQL Hooker, which is certainly worth a look at. i think bestorm does something similar in their products. immunitysec is also working on a similar tool that would help with file monitoring to increase the intelligence behind manual or automated web application black-box security testing
» Posted By dre On October 25, 2007 @ 11:14 pm
New German Hacking Law 202(c) – Sites Close & Possible Backfire
i talked with jerome athias about these laws, and he says that france has similar laws in place right now. it appears the whole EU will likely implement something like this
» Posted By dre On October 25, 2007 @ 1:27 am
unmask.py – Statistical E-mail & Blog Profiling
watch as christopher abad explains how behavioral analysis can be applied to user fingerprinting in his slides from Toorcon 2004. the winner of a selected set of words can be predicted based on their use of the command line (bash shell in this case).
i just saw chris abad speak again at toorcon 9 this past weekend. he is an excellent speaker, and usually “you have to be there” to understand – his work can’t really be explained.
i imagine that with abad’s techniques (and dave aitel’s techniques in umask.py) – along with hdm’s decloak… and a little Google Analytics cookie saving and search query stealing – you can gather tons of information on random bloggers or other website users.
» Posted By dre On October 25, 2007 @ 11:07 pm
Common Criteria Web Application Security Scoring (CCWAPSS) Released
for similar work look at the fortifysoftware metricon 2.0 talk by fred lee, Security Metrics in Practice: Development of a Security Metric System to Rate Enterprise Software. i wasn’t able to see it at metricon 2.0, but he gave the talk along with me at the owasp msp event last week.
mark curphey and the owasp team (including chris wysopal and myself) have also been working on another set of metrics. darkreading did an article on it called OWASP Preps Framework for Website Security Certification. wysopal is also working on a more generic vulnerability rating system using CVSS from CWE data as described in Software Security Weakness Scoring.
» Posted By dre On October 25, 2007 @ 1:20 am
bookmarklets are a great resource. the gnucitizen technika firefox add-on has support for saving/modifying bookmarklets, and the new version (1.3) also has support for command-line scripting, sharing scripts, and paths.
you’ll also want to check out rsnake’s security bookmarklets, bmlets, blummy, bookmarklets every blogger should have and these firefox add-ons: flat bookmark editing and openbook / update bookmark
» Posted By dre On October 25, 2007 @ 1:37 am
WSBang – Python Based SOAP Services Testing Tool
WSBang and the iSecPartners’ tools are nice.
Most recently, I have been using SOAPSonar Enterprise from Crosscheck Networks because of its inclusion of a very nice vulnerability assessment engine, as well as support for almost everything related to web services. The Personal Edition is also downloadable for free.
For general XML fuzzing – check out untidy. Another tool worth mentioning is wsScanner from BlueInfy, whose creator – Shreeraj Shah – wrote the book on Hacking Web Services
» Posted By dre On November 6, 2007 @ 5:21 pm
Police to Monitor Indian Cyber-Cafes
do you guys have GSM modems (e.g. GPRS, EDGE, HSDPA) in India?
in the US, I often use a tethered phone and use the Verizon or Sprint EVDO service… EVDO is AES encrypted and difficult to monitor in comparison to WiFi
» Posted By dre On October 28, 2007 @ 1:51 am
Cyber Crime Toolkits Go On Sale
@Sandeep Army and govt agencies MUST have THE BEST security professionals and programmers who can make rootkits and what not rather than buying off a 3rd party rootkit and anti-root kit
How many armies and government agencies are there in the world? There is no way that they can hire the best, as much as they would like to or need to. Even the top 15 most powerful governments can’t afford much at all in terms of security professional talent – although they may still have advanced spy, assassin, or propaganda / mass-manipulation organizations and devices.
Nuclear Grabber and other kits, which cost anywhere from US$25 to US$3k – have been used to steal money from many European banks on several occasions. How many elite government spies are capable of doing that for a similar cost and risk equation? How many elite government security professionals are capable of doing that for the same cost and risk equation?
» Posted By dre On October 31, 2007 @ 6:04 am
@Sandeep: nononono… Sony didn’t get owned by a rootkit… they tried to build one… you missed the whole point of my argument
» Posted By dre On October 28, 2007 @ 4:27 am
Well look at Sony. They are as large as many governments and military outfits – yet they failed to “roll their own” rootkit. In some cases, Sony would have been better off buying Haxdoor or equivalents at the time. So I think this does hold true for those who need offensive computing but can’t afford the expertise at varying levels. Of course, they could hire experts to modify these tools.
Who else do they turn to? ImmunitySec, CORE, and modifying Metasploit? My guess is that many intelligence agencies are also getting their hands on these cybercrime toolkits to be used in cyberwarfare. I wouldn’t say it’s a stretch to call such a tactic Science Fiction.
» Posted By dre On October 28, 2007 @ 1:58 am
well in some cases you have governments and military who need to purchase these tools as weapons for offensive computing efforts. these are people who almost certainly need rootkits to protect themselves but also need their hands held when deploying them.
fortunately for those in the know – anti-rootkit technology has stepped up again. i saw gabe lawrence speak at the toorcon 9 seminars in san diego this past weekend. his talk mostly centered around linux rootkit technology, but he also covered Windows and virtualization rootkits. his current project, 99lb, looks very promising.
» Posted By dre On October 25, 2007 @ 11:48 pm
Metagoofil 1.2 – Metadata Extractor Tool
well now they have that facial recognition software stuff…
» Posted By dre On October 31, 2007 @ 7:07 am
when i took my picture on orkut, there was no metadata left to find me because i used the physical properties of the camera to prevent my eyes and above from showing
» Posted By dre On October 31, 2007 @ 6:28 am
There is a hilarious story about a Firefox developer’s business card from this past BlackHat USA 2007. RSnake posted a picture of the card, but failed to remove the underlying EXIF metadata. Thus, any skilled person could glean the struck-out phone number on the card. I’m surprised I didn’t hear too many people talking about this blunder, but it was covered in detail on Giorgio Maone’s blog post, Two faces of the same card. Very funny!
» Posted By dre On October 28, 2007 @ 2:07 am
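The business-card story above is the classic EXIF leak: the image was edited, but the APP1 segment carrying the camera's metadata (and, for some cameras, an embedded thumbnail of the unedited frame) was left in the file. The following is an added example, not code from the thread or from Metagoofil, showing the defensive side: a pure-Python walk of the JPEG marker structure that drops every Exif APP1 segment before an image is published. The sample JPEG and the "phone number" inside its metadata are constructed for the demonstration.

```python
"""Strip Exif (APP1) segments from a JPEG before publishing it.

Added example, not part of the original thread. The sample image below is a
constructed, minimal JPEG, not a real photo.
"""

SOI = b"\xff\xd8"          # start of image
EOI = b"\xff\xd9"          # end of image
APP0, APP1, SOS = 0xE0, 0xE1, 0xDA
EXIF_SIG = b"Exif\x00\x00"  # payload prefix that marks an Exif APP1 block


def segment(marker: int, payload: bytes) -> bytes:
    """Build one marker segment: 0xFF, marker, 2-byte length (incl. itself), payload."""
    return b"\xff" + bytes([marker]) + (len(payload) + 2).to_bytes(2, "big") + payload


def iter_segments(data: bytes):
    """Yield (marker, raw_segment) for each length-prefixed segment up to SOS.

    Everything after the SOS segment (entropy-coded scan data plus EOI) is
    yielded once as a trailing chunk with marker None, untouched.
    """
    if not data.startswith(SOI):
        raise ValueError("not a JPEG: missing SOI marker")
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = data[pos + 1]
        length = int.from_bytes(data[pos + 2:pos + 4], "big")
        seg_end = pos + 2 + length
        if seg_end > len(data):
            raise ValueError("truncated segment")
        yield marker, data[pos:seg_end]
        pos = seg_end
        if marker == SOS:
            break
    yield None, data[pos:]


def is_exif_segment(marker, seg: bytes) -> bool:
    return marker == APP1 and seg[4:4 + len(EXIF_SIG)] == EXIF_SIG


def has_exif(data: bytes) -> bool:
    return any(is_exif_segment(m, s) for m, s in iter_segments(data))


def strip_exif(data: bytes) -> bytes:
    """Return a copy of the JPEG with every Exif APP1 segment removed."""
    out = bytearray(SOI)
    for marker, seg in iter_segments(data):
        if is_exif_segment(marker, seg):
            continue  # drop the metadata block, keep everything else byte-for-byte
        out += seg
    return bytes(out)


# Constructed sample: JFIF header, an Exif block carrying a made-up phone
# number (standing in for a leaked thumbnail or comment), a scan header,
# two bytes of "image data" and the EOI marker.
SAMPLE_JPEG = (
    SOI
    + segment(APP0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
    + segment(APP1, EXIF_SIG + b"MM\x00*" + b"tel:555-0100")
    + segment(SOS, b"\x01\x01\x00\x00\x3f\x00")
    + b"\x12\x34"
    + EOI
)

if __name__ == "__main__":
    cleaned = strip_exif(SAMPLE_JPEG)
    print(f"exif before: {has_exif(SAMPLE_JPEG)}, after: {has_exif(cleaned)}, "
          f"{len(SAMPLE_JPEG) - len(cleaned)} bytes removed")
```

The walk stops at the SOS marker on purpose: the scan data that follows is not length-prefixed and contains stuffed 0xFF bytes, so it is copied through as-is. Only APP1 segments whose payload starts with the Exif signature are dropped; an XMP APP1 block, IPTC in APP13 or a JPEG COM segment would need the same treatment and are left in place here.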
@Sandeep: do you have more information about that tool? Location?
I’m also familiar with an earlier tool called The Revisionist, which only works for Word – but it has many hooks that I’d like to see make it into another revision of Metagoofil.
The tool was written by Michal Zalewski and he demonstrates how to use it here on his website.
» Posted By dre On October 28, 2007 @ 1:41 am
CORE GRASP – PHP Web Application Protection Software
@fazed: hence why i was recommending fortifysoftware defender or imperva securesphere over mod_security – they go a little further by hooking into your application.
of course, no WAF will ever stop many complex business logic flaws, session management issues – e.g. CSRF
» Posted By dre On October 31, 2007 @ 6:18 am
@fak3r: read the last link i provided to “web security gateway” or just go to the mod_security website.
there’s also tons of other resources such as http://www.apachesecurity.net, this PDF on APIDS with ModSecurity by Ivan Ristic. Ryan Barnett also wrote a great book that covered mod_security well, Preventing Web Attacks with Apache, which included some custom mod_security rules as well as linked to the now popular gotroot ruleset.
» Posted By dre On October 31, 2007 @ 6:17 am
@fak3r: there are multiple ways of running mod_security – the only way it wouldn’t work with lighttpd is the apache loaded module that only works with a local installation of apache.
probably the most common way deployed in your scenario (without apache) is in reverse-proxy mode
» Posted By dre On October 26, 2007 @ 9:25 pm
another nice feature of commercial web application firewalls is support for web application security scanners to create rules for the vulnerabilities it finds directly to the waf’s. i suppose that mod_security / breach count – but smaller projects like grasp might not get included…
personally, i like the web application security scanner feature that submits findings as bugs to the development team’s issue tracking system.
» Posted By dre On October 25, 2007 @ 11:36 pm
when you’re a financial institution already paying $200k for every 100 developers to use fortifysoftware sca… and you’re still losing $30M a year or more due to internet-related fraud… i’m not sure that cost matters much when fortify will likely let you try defender for free until it’s optimally working. surely you understand that defender has application hooks that mod_security can’t compete with. i would say the same is true for imperva.
for mom and pop or everyday websites – sure – mod_security is free and fine to use
» Posted By dre On October 25, 2007 @ 11:27 pm
hot off the press: someone on the webappsec mailing-list also posted a link to jwall.org which adds a few java tools to mod_security.
the secure java framework at hdiv.org remains one of my current favorites (especially its support of struts2 and spring), especially along with the cookie revolver security framework
a bit dated, but the web security gateway project is also very interesting
» Posted By dre On October 25, 2007 @ 1:25 am
i would say that mod_security would solve most of these problems, but if you want to get even closer to the application – you might want to look at fortifysoftware defender or imperva securesphere web application firewall (or whatever happened to the determina memory firewall after vmware killed all their products).
most of the appliance based web application firewalls are total crap. a few open-source projects are out there besides mod_security and core grasp – such as aqtronix webknight, dotnetids, which is based on php-ids and mod_anti_tamper, just to name a few
» Posted By dre On October 25, 2007 @ 1:08 am
HttpBee – Web Application Hacking Toolkit
i wonder how this compares to w3af or wfuzz. with the release of technika 1.3, the portswigger book (and new burp features) – i am really going back to my roots with these types of webapp vulnerability assessment tools. now i can remove greasemonkey and start using technika for everything internal to the browser… and use burp for anything that should be external
i also really like how cenzic hailstorm supports modification of its internals with javascript, as well as supporting xpath for configuration of custom crawls (like squish, selenium, and pmd do). combined with fortifysoftware tracer and immunitysec’s sql hooker (plus possibly jdbc spy, filemon, and similar tools) – you can really do web application full-knowledge assessments almost better than doing code review
» Posted By dre On October 25, 2007 @ 1:04 am
Web Integrity Checker – ISPs Inserting Ads Into Web Content
I think it’s great and more power to them. If Google can monopolize on everything Javascript, I don’t see why your ISP shouldn’t also be able to do so. It’s your own damn fault for allowing cookies and/or Javascript (or Java applets, Flash, Actionscript, VBScript, ActiveX, PDF, Quicktime, or whatever else browser plugin support)…
Of course, I also think the UW Web Integrity Checker is a wonderful idea. People should learn about who is influencing them and why.
People should also start using inbound WAF’s that remove potentially malicious iframes or Javascript, but then allow them to be whitelisted on a case-by-case basis. I’ve heard of Palo Alto Networks, but there is also their open-source project, Whitetrash. Using (or forwarding) OpenDNS is also a plus, as would be null routing or firewalling various sensitive IP prefixes, maybe ones pulled via a DNS or BGP RBL.
Point of this: don’t trust the web, but help your ISP monetize itself. They are going to need the help, what with the problems the secret working group is attempting to address – let alone the stupid threat of net-neutrality.
» Posted By dre On October 31, 2007 @ 6:45 am
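The comment above suggests an inbound filter that strips injected iframes and script but lets known-good sources through on a per-host allowlist. As an added example (not code from the thread, the UW Web Integrity Checker or Whitetrash), here is that logic in Python's standard-library HTML parser: `<script>` and `<iframe>` elements are removed together with their contents unless their `src` points at an allowlisted host, and inline script (no `src`) is always removed. The sample page and the host names in it are constructed.

```python
"""Allowlist-based removal of script/iframe elements from HTML.

Added example, not part of the original thread. Everything else in the
document (tags, text, entities, comments) is re-emitted unchanged.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

BLOCKED_TAGS = {"script", "iframe"}


class AllowlistFilter(HTMLParser):
    def __init__(self, allowed_hosts):
        # convert_charrefs=False so entities are re-emitted as written
        super().__init__(convert_charrefs=False)
        self.allowed_hosts = {h.lower() for h in allowed_hosts}
        self.out = []        # pieces of the cleaned document
        self.removed = []    # raw start tags that were dropped, for logging
        self.skip_depth = 0  # >0 while inside a dropped element
        self.skip_tag = None

    def _permitted(self, attrs) -> bool:
        src = dict(attrs).get("src")
        if not src:
            return False  # inline script / src-less iframe: never allowed
        host = urlparse(src).hostname
        return host is not None and host.lower() in self.allowed_hosts

    def handle_starttag(self, tag, attrs):
        if self.skip_depth:
            if tag == self.skip_tag:
                self.skip_depth += 1  # nested same-tag element inside a dropped one
            return
        if tag in BLOCKED_TAGS and not self._permitted(attrs):
            self.removed.append(self.get_starttag_text())
            self.skip_depth, self.skip_tag = 1, tag
            return
        self.out.append(self.get_starttag_text())

    def handle_startendtag(self, tag, attrs):
        if self.skip_depth:
            return
        if tag in BLOCKED_TAGS and not self._permitted(attrs):
            self.removed.append(self.get_starttag_text())
            return
        self.out.append(self.get_starttag_text())

    def handle_endtag(self, tag):
        if self.skip_depth:
            if tag == self.skip_tag:
                self.skip_depth -= 1
            return
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(data)

    def handle_entityref(self, name):
        if not self.skip_depth:
            self.out.append(f"&{name};")

    def handle_charref(self, name):
        if not self.skip_depth:
            self.out.append(f"&#{name};")

    def handle_comment(self, data):
        if not self.skip_depth:
            self.out.append(f"<!--{data}-->")

    def handle_decl(self, decl):
        self.out.append(f"<!{decl}>")


def filter_html(html: str, allowed_hosts):
    """Return (cleaned_html, removed_start_tags)."""
    f = AllowlistFilter(allowed_hosts)
    f.feed(html)
    f.close()
    return "".join(f.out), f.removed


# Constructed sample: the site's own script and widget come from one CDN
# host; the other two elements stand in for ISP- or attacker-injected content.
ALLOWED_HOSTS = {"cdn.example-app.test"}
SAMPLE_PAGE = (
    '<html><body><p>Hello &amp; welcome</p>'
    '<script src="https://cdn.example-app.test/app.js"></script>'
    '<script>document.write("injected ad")</script>'
    '<iframe src="http://ads.injector.test/x"></iframe>'
    '<iframe src="https://cdn.example-app.test/widget"></iframe>'
    '</body></html>'
)

if __name__ == "__main__":
    cleaned, removed = filter_html(SAMPLE_PAGE, ALLOWED_HOSTS)
    print(cleaned)
    print("removed:", removed)
```

The filter decides on the `src` host only; it does not inspect the script body, so allowlisting a CDN means trusting everything served from it. Because HTMLParser treats `<script>` content as CDATA, the inline script body is dropped as one piece rather than re-parsed, which is what you want for a strip-and-log gateway.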
Commenter of the Month Competition
how does one submit?
this turned up nothing:
http://www.scroogle.org/cgi-bin/nbbw.cgi?Gw=site%3Adarknet.org.uk+submit+or+submission&n=5
do you have to be in the UK to submit/win?
» Posted By dre On May 29, 2007 @ 7:20 pm
you guys don’t post often enough; the quality of your posts is not good enough to post anything about since most are already well known URLs that you can find on del.icio.us, reddit, or digg. at least most of the time this may hold to be true, and that may change what with this contest.
i thought i was the only person who commented on here is any consistent way. it will be good to see if others rise to the occasion.
» Posted By dre On May 29, 2007 @ 1:29 pm
ProxyFuzz – MITM Network Fuzzer in Python
interesting. proxy fuzzing is a heuristic-based dissection technique used to automate or improve the performance of fuzz testing. it is not widely known or talked about, but is probably one of the best ways to improve fuzz testing results, especially in a pure black-box scenario (iow: lacking the capability to go gray box via reverse engineering through static binary or bytecode analysis).
when i first saw this post, i was thinking that proxyfuzzer, a tool by cody pierce of dvlabs (tippingpoint) was released. this tool goes further than ProxyFuzz because it does automatic mutation of plain-text fields. the internal tippingpoint version probably also does binary data, thus being able to change TLV and static values which could mess with parsers on either end of the connection.
proxy fuzzer (and tons of other new tools) will be available on the fuzzing.org website once it goes live. there were a few things up there the other day, but now it’s password protected for some reason.
» Posted By dre On June 27, 2007 @ 10:39 pm
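The "heuristic-based dissection" described above is the part of a proxy fuzzer that turns a captured plain-text message into fields without a protocol grammar. As an added example (not ProxyFuzz's or TippingPoint's code), the following Python splits a message on the delimiters common to line-oriented text protocols, keeps the separators so the message reassembles losslessly, and generates one test case per field and mutation, picking the mutation set from the field's apparent type. The sample request and host name are constructed; binary TLV fields, which the comment notes the internal tool handles, are out of scope here.

```python
"""Heuristic field dissection and mutation for plain-text protocol messages.

Added example for testing your own service; not code from the thread or from
ProxyFuzz. The request below is constructed.
"""
import re

# Delimiters that separate fields in HTTP-, SMTP- and FTP-style messages.
# The capturing group makes re.split keep the separators between fields.
SEPARATOR = re.compile(r"([ \t:=&?/\r\n]+)")


def dissect(message: str):
    """Split into [field, sep, field, sep, ...]; even indices are fields."""
    return SEPARATOR.split(message)


def reassemble(parts) -> str:
    return "".join(parts)


def field_count(message: str) -> int:
    """Number of non-empty fields the heuristic found."""
    return sum(1 for i, p in enumerate(dissect(message)) if i % 2 == 0 and p)


def mutations_for(value: str):
    """Mutation set chosen from the field's apparent type; skips no-ops."""
    if value == "":
        return []
    if value.isdigit():
        candidates = ["0", "-1", str(2**31 - 1), str(2**32), "9" * 40]
    else:
        candidates = [
            "A" * 2048,    # oversized token: length handling
            value * 2,     # duplicated token: parser state / ambiguity
            value[:1],     # truncated token: short-input paths
            "",            # missing token: empty-field handling
        ]
    return [c for c in candidates if c != value]


def generate_cases(message: str):
    """Yield (field_index, original_value, mutated_value, mutated_message)."""
    parts = dissect(message)
    cases = []
    for i in range(0, len(parts), 2):
        for m in mutations_for(parts[i]):
            mutated = list(parts)
            mutated[i] = m                    # change exactly one field per case
            cases.append((i, parts[i], m, reassemble(mutated)))
    return cases


# Constructed sample request to dissect.
SAMPLE_REQUEST = (
    "GET /api/items?id=42&sort=name HTTP/1.1\r\n"
    "Host: app.example.test\r\n"
    "Content-Length: 0\r\n\r\n"
)

if __name__ == "__main__":
    print(f"{field_count(SAMPLE_REQUEST)} fields, "
          f"{len(generate_cases(SAMPLE_REQUEST))} test cases")
    for idx, old, new, msg in generate_cases(SAMPLE_REQUEST)[:3]:
        print(f"field {idx}: {old!r} -> {new[:16]!r}")
```

In a real proxy the mutated message replaces the original on its way to the server and the server's response (or lack of one) is recorded per case, which is what lets the technique work without a protocol specification. The type guess is deliberately crude; a production dissector would also recognize lengths that must stay consistent with a body, checksums and base64 blobs so it does not waste cases on fields the parser rejects before the interesting code runs.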