When running web application security assessments it is
mandatory to evaluate the security stance of the SSL/TLS (HTTPS)
implementation and configuration. OWASP has a couple of references the
author strongly recommends taking a look at, the “OWASP-CM-001: Testing
for SSL-TLS” checks, part of the OWASP Testing Guide v3, and the
Transport Layer Protection Cheat Sheet.
There have been several tools to test for SSL and TLS security misconfiguration along the years, but still today, lots of people get the output from all these tools and are not very sure what they need to look at. Apart from the SSL/TLS web application best practices, it is important to also check the security of SSL/TLS at the web platform layer. One such tool is:
SSLyze v0.4 Released – Scan & Analyze SSL Server Configuration
The purpose of the TLSSLed tool (named from the idea of your website being TLS/SSL-ed, that is, using “https;//”) is to simplify the output of a couple of commonly used tools, and highlight the most relevant security findings of any target SSL/TLS implementation. It is based on sslscan, a thorough SSL/TLS scanner that is based on the openssl library, and on the “openssl s_client” command line tool.
TLSSLed is a Linux shell script inspired on ssl_test.sh by Aung Khant, where a few optimizations have been made to reduce the stress on the target web server (sslscan is run only once and the results are stored on a local file), and some tests have been added and tuned.
The current tests include checking if the target supports the SSLv2 protocol, the NULL cipher, weak ciphers based on their key length (40 or 56 bits), the availability of strong ciphers (like AES), if the digital certificate is MD5 signed, and the current SSL/TLS renegotiation capabilities.
New in version 1.2: Mac OS X support, an initial check to verify if the target service speaks SSL/TLS, a few optimizations, and new tests for TLS v1.1 & v1.2 (CVE-2011-3389 aka BEAST).
New in version 1.1: Certificate public key length, the certificate subject and issuer (CA), as well as the validity period. It also checks the existence of HTTP secure headers, such as Strict-Transport-Security and cookies with and without the “secure” flag set.
You can download TLSSLed v1.2 here:
TLSSLed_v1.2.sh
Or read more here.
There have been several tools to test for SSL and TLS security misconfiguration along the years, but still today, lots of people get the output from all these tools and are not very sure what they need to look at. Apart from the SSL/TLS web application best practices, it is important to also check the security of SSL/TLS at the web platform layer. One such tool is:
SSLyze v0.4 Released – Scan & Analyze SSL Server Configuration
The purpose of the TLSSLed tool (named from the idea of your website being TLS/SSL-ed, that is, using “https;//”) is to simplify the output of a couple of commonly used tools, and highlight the most relevant security findings of any target SSL/TLS implementation. It is based on sslscan, a thorough SSL/TLS scanner that is based on the openssl library, and on the “openssl s_client” command line tool.
TLSSLed is a Linux shell script inspired on ssl_test.sh by Aung Khant, where a few optimizations have been made to reduce the stress on the target web server (sslscan is run only once and the results are stored on a local file), and some tests have been added and tuned.
The current tests include checking if the target supports the SSLv2 protocol, the NULL cipher, weak ciphers based on their key length (40 or 56 bits), the availability of strong ciphers (like AES), if the digital certificate is MD5 signed, and the current SSL/TLS renegotiation capabilities.
New in version 1.2: Mac OS X support, an initial check to verify if the target service speaks SSL/TLS, a few optimizations, and new tests for TLS v1.1 & v1.2 (CVE-2011-3389 aka BEAST).
New in version 1.1: Certificate public key length, the certificate subject and issuer (CA), as well as the validity period. It also checks the existence of HTTP secure headers, such as Strict-Transport-Security and cookies with and without the “secure” flag set.
You can download TLSSLed v1.2 here:
TLSSLed_v1.2.sh
Or read more here.
Posted in: 
Noted Chinese Hacker Wicked Rose Heading Antivirus Company Anvisoft
The latest scandal on the block, it seems like a noted Chinese
hacker known as Wicked Rose or Withered Rose is involved with the
Antivirus startup Anvisoft. The hackers real name is Tan Dailin and he
was previously involved in the hacking of some US defence contractors.
Anvisoft even posted on their official Facebook group a simple response to the original article “Yes it’s true”.
Even so, the evidence that has been turned up so far is far from conclusive and as well know just because this chap was mixed up in some dubious activity a few years back – doesn’t mean he isn’t ethically sound now. Some of the best ‘whitehat’ security folks have some distinctly grey stains on their hats.
Infamous Hacker Heading Chinese Antivirus Firm?
Most Western Antivirus companies and providers have a standing ban on hiring people that have been mixed up in blackhat activities or malware creation, more from Sophos here:
Did anti-virus company hire convicted Chinese malware author?
Source: The Register
Anvisoft even posted on their official Facebook group a simple response to the original article “Yes it’s true”.
Antivirus startup Anvisoft was founded by an infamous Chinese hacker who allegedly cut his teeth exploiting Microsoft Office security holes to hack US defence contractors, it has emerged.From Kreb’s research is seems like it could have been Dailin that actually registered the domain for Anvisoft, which would indicate he is a key player in the operation and perhaps even the founder or co-founder.
Investigative journalist Brian Krebs uncovered evidence – largely based on historic domain records for Anvisoft and reports compiled by VeriSign on Chinese hacking activities – to allege that black-hat Tan Dailin established the antivirus startup.
In response to inquiries from The Reg, Anvisoft confirmed via a message from its official Facebook account that the report is accurate. “Yes, it is true,” it simply stated.
Dailin, AKA Wicked Rose or sometime Withered Rose, allegedly led a state-sponsored four-man crew called NCPH – Network Crack Program Hacker. According to VeriSign’s iDefense, NCPH developed a rootkit [PDF] that was used to infiltrate the US defence establishment in 2006. The group is accused of launching Microsoft Office-based attacks for two years before it disbanded in 2008.
Krebs followed various online clues to piece together his tentative conclusion that Dailin, a 28-year-old graduate of Sichuan University of Science and Engineering in Zigong, registered Anvisoft’s domain in 2011, and may still be a key player at the startup.
One of Dailin’s cohorts in NCPH, a hacker nicknamed Rodag, wrote a blog post describing Anvisoft’s Smart Defender as a “security aid from abroad” and praised the technology, Krebs noted.
Even so, the evidence that has been turned up so far is far from conclusive and as well know just because this chap was mixed up in some dubious activity a few years back – doesn’t mean he isn’t ethically sound now. Some of the best ‘whitehat’ security folks have some distinctly grey stains on their hats.
Trademark registration records pinpoint Anvisoft’s genesis in the Chinese city of Chengdu although the company states it is based in Toronto, Canada.You can read more by Brian Krebs here:
Kreb’s digital detective work, though persuasive, was far from conclusive, which he admits. There is no suggestion of any wrongdoing by Anvisoft.
“Anvisoft may in fact be a legitimate company, with a legitimate product; and for all I know, it is. But until it starts to answer some basic questions about who’s running the company, this firm is going to have a tough time gaining any kind of credibility or market share,” Krebs noted.
Anvisoft’s technology has not been widely reviewed, but that’s not to say it is ineffective or untrustworthy. Against this Trend Micro, alone among mainstream antivirus software, flags up Anvisoft’s Anvi Smart Defender Free setup utility as malign, according to results from VirusTotal.
Western antivirus firms, at least, generally have a policy of not employing former malware writers. Aside for presenting a negative image to potential customers, and sustaining the myth that antivirus firms employ an underground army of virus programmers to ramp up demand for their products, VXers are thought to be ill-suited to life in an antivirus firm.
Not only have they shown themselves to have dubious morals but from a purely practical view the skills required to write a decent antivirus program are not the same as those necessary to construct modern malware.
Infamous Hacker Heading Chinese Antivirus Firm?
Most Western Antivirus companies and providers have a standing ban on hiring people that have been mixed up in blackhat activities or malware creation, more from Sophos here:
Did anti-virus company hire convicted Chinese malware author?
Source: The Register
HoneyDrive – Honeypots In A Box
HoneyDrive is a pre-configured honeypot
system in virtual hard disk drive (VMDK format) with Ubuntu Server
11.10 32-bit edition installed. It currently contains Kippo SSH
honeypot. Additionally it includes useful scripts and utilities to
analyze and visualize the data it captures. Lastly, other helpful tools
like tshark (command-line Wireshark), pdftools, etc. are also present.
In the future more software will be added such as Dionaea malware honeypot and Honeyd.
You can get the latest version (0.1) of HoneyDrive which contains Kippo SSH honeypot and related scripts (kippo-graph, kippo-stats, kippo-sessions, etc). Everything is pre-configured to work.
After downloading the file, you must uncompress it and then you simply have to create a new virtual machine (suggested software: Oracle VM VirtualBox) and select the VMDK drive as its hard disk.
You can download HoneyDrive here:
HoneyBox.7z
Or read more here.
In the future more software will be added such as Dionaea malware honeypot and Honeyd.
You can get the latest version (0.1) of HoneyDrive which contains Kippo SSH honeypot and related scripts (kippo-graph, kippo-stats, kippo-sessions, etc). Everything is pre-configured to work.
After downloading the file, you must uncompress it and then you simply have to create a new virtual machine (suggested software: Oracle VM VirtualBox) and select the VMDK drive as its hard disk.
You can download HoneyDrive here:
HoneyBox.7z
Or read more here.
Hack.me – Build, Host & Share Vulnerable Web Application Code
Hack.me is a FREE, community based project powered by eLearnSecurity. The community allows you to build, host and share vulnerable web application code for educational and research purposes.It aims to be the largest collection of “runnable” vulnerable web applications, code samples and CMS’s online. The platform is available without any restriction to any party interested in Web Application Security: students, universities, researchers, penetration testers and web developers.
- Upload your own code
- Online IDE for PHP & MySQL
- Your code hosted in the cloud
- FREE!!
- Practice webapp security
- Isolated enviroment
- Online: nothing to download!
Every time you run a new Hackme the site will initiate a new sandbox for you. You will get isolated access to it so that you will always know that the application is safe for you to use. No other students can add malware or exploits in your sandbox. This ensures 99% safety.
What about the 1%? While the team makes the best effort to moderate every and each new web app uploaded on Hack.me, chances are that something can and will slip through. If you are not 100% comfortable to trust us or the Hackme developer, please just run new Hackmes from a virtual machine or from a non production OS.
We have written about a variety of web apps where you can practice your hack-fu such as:
0 komentar:
Posting Komentar