20080927 Saturday September 27, 2008

Custom Tests for Appscan

I knew this day would come. :) A reason to write your own tests: you want to test for parameter tampering... :)

Using the Tools >> User Defined Tests menu.

Create a new test and specify:

    •  Test name
    •  Test advisory (impact, description, fix recommendation, etc)
    •  Test severity level
    •  Test validation criteria (when is this test considered successful)

Posted by Gusius Gus in Security at 20080927 Comments[0]

Appscan's sources of information

It seems Appscan has a Live Update facility to get the latest in vulnerabilities. It appears from my research that Appscan updates contain information collected from:

    •  Web application security resources like security/hacking newsgroups, mailing lists, etc.

    •  Hacker websites, usually for 0-day / new attacks.

    •  Research performed by Appscan's Security Team. This would involve either CERT-style exercises and/or on-site client testing.


Posted by Gusius Gus in Politics at 20080927 Comments[1]

Appscan Functions

Not only does AppScan run security scans on Web applications, it also does so on Web Services applications. I've been evaluating the quality of testing on applications containing Flash and/or JavaScript. AppScan seems to be able to parse them to navigate the application properly. AppScan can also act as a SOAP client to test applications with custom values / data sets. This is an invaluable tool in itself.

The general operation of Appscan is that it applies 3 basic steps to generate its reports:

    •  Surfing / Exploration - It acts as a front-end user traversing pages. It can send SOAP / RMI XML requests to emulate a web-service subscriber. During this part of its operation it logs any potential vulnerabilities it would want to test for. From what I can see it's primarily based upon sending invalid requests and then logging the error / warning responses from the application being tested.

    •  Analysis / Testing - The data collected from the Surfing / Exploration stage is used to conduct a series of tests via requests, and then validation rules are applied to the responses. It's not easy to work out what these validation rules are as yet. However, it is at this point that security risks are identified.

    •  Iterative Scanning - This step can be configured to repeat, reusing the data from the first two steps, because the second step generates extra application tests which in turn require further exploration.

The concept of templates in Appscan is effectively configuration data for the web application being tested. For example, this usually involves specifying where the WSDL is, etc.

Posted by Gusius Gus in Security at 20080927 Comments[0]

20080925 Thursday September 25, 2008

Rational Appscan does what others can't...

Interesting product. IBM acquired it from Watchfire Corporation, a security and compliance testing software company based in Waltham, Massachusetts. It appears that Appscan provides Web application security testing and compliance management software and services that help clients evaluate, understand and resolve issues impacting their online businesses.

The product is very comprehensive in what it can provide:

    •  Established attacks and string-based manipulation of URLs to detect vulnerabilities with regard to session hijacking, login avoidance, and stray pages that don't have any security on them. This includes static AND dynamic testing.

    •  Port scanning for security holes like SQL injection

    •  A comprehensive report on all the exploits it found to work

    •  A recommendation on how to repair / patch these exploits.

Most products / suites of products on the market do not have a reporting tool that includes recommendations. I am usually skeptical of all-in-one products that claim to provide recommendations. Appscan seems to deliver what it promises.

Posted by Gusius Gus in Security at 20080925 Comments[0]

20080810 Sunday August 10, 2008

PS3 remains unhacked or so it may seem

Well I bet the PS3 engineers at Sony are feeling pretty good about their latest achievement: a so far un-hacked PS3 console. It seems the PS3 has yet to be chipped or have its firmware buggered with. A few like "Dragula96" have managed to edit the V2.20 firmware with some profound results but nothing to call home about. It seems the following reasons dictate the security of the PS3:

*  The firmware is updated automatically from Sony, online, which allows security flaws to be patched. Each firmware release unlocks/creates new features that make the console more exciting to use. So blocking firmware upgrades with your firewall will result in an outdated console, and some games might not even run in the future.

* Not much info on how to copy the Bluray Disc games. This is a function of time and persistence.

* So far not a lot has been leaked about the firmware or some debug mode perhaps. Again, this is a function of time and persistence.

The following features will allow the PS3 to be subverted:

* You can run Linux (ppc64) on the PS3

* You can boot off the Linux installation by default

* You have access to the hardware devices on the system through this installation

As an aside to this task of making the PS3 homebrew friendly, it also has some desirables that make it a great tool for hackers. It has the famed IBM Cell Processor with 7 (+1 redundant) cores or "synergistic processing elements" (SPE). Only 6 SPEs are available to the developer as 1 is reserved for the OS. It has 256Mb of XDR Main Memory and a further 256Mb of GDDR3 memory for the GPU. This equates to one hell of a device capable of "password retrieval".

Past PS console hacks have been done in the form of a "mod chip". However, having access to the hardware by running a Linux installation would imply that one may not even have to modify/subvert any of the hardware. Rather, one would need:

* A custom firmware,

* A version of Linux that has drivers for all the hardware components (GPU, USB, Wifi, GLan and Bluray), wrapped with a window manager built around a Gtk or Gnome base and made to look like the existing PS3 operating system.

This would then mean that the base OS of the PS3 is subverted by not being used at all. Firmware upgrades would be moot as now all the visual / functional changes are customisable in the Linux OS. Backed-up Bluray games would perhaps run natively in the Linux OS, or might require a reboot where the game runs in another cut-down Linux kernel with no GUI loaded, etc.

We'll see what the future holds for PS3.



Posted by Gusius Gus in Politics at 20080810 Comments[0]

20080809 Saturday August 09, 2008

Enabling HDCP Compliance to existing devices

It seems HDCP is the new gatekeeper stopping the display of HD content on non-HDCP compliant devices. This means that even though my fairly new monitor has a DVI input and can display at least 720 pixels in height, it cannot display HDCP protected content.

Enter the Silicon Image SiI 1169 chip. It is a DVI Receiver chip that has the HDCP key and decoding built into the chip. The brochure is available here: http://www.sci-worx.com/products/product.aspx?id=50

It would then mean that theoretically, one could build a circuit that incorporates this chip to allow HDCP protected content to be decoded by this circuit and passed to a non HDCP compliant device like a PC LCD monitor with VGA/DVI.

One would also suspect that devices like HDFury utilise this method of HDCP "compliance" to avoid being accused of "stripping HDCP".


Posted by Gusius Gus in Politics at 20080809 Comments[0]

Remote Shutdown of Windows

With today's buzz being Green Technology, it seems that powering down machines while they are not being used is a great way to conserve power. Most workstation users keep their machines running overnight for the following reasons:

* Torrent-ing

* Helping SETI@Home with their search for extra-terrestrial life from data collected from some patches in the sky.

* Not interested in waiting 5 minutes for the machine to settle down after power-up

I'm not sure I want to meet the aliens just as yet when humanity is represented by our contemporaries. Besides, if you were an alien would you want to 'hook up' with a species of life that ignores the vast quantities of quantum energy and still burns ancient tree remains for energy? The only reason would be to exploit us perhaps...too dire.

There are a few ways to force shutdown on these machines from your Linux server:

* Using SMB: net rpc shutdown -r -f -I <ip_address> -U <admin_user_name> OR net rpc shutdown -r -f -S <system_name> -U <admin_username>. Both require passwords to be entered.

* Using the BeyondExec tool from www.beyondlogic.org (BeyondExec V2.05: Spawn Remote Processes on Windows NT/2000/XP Workstations).

The net rpc method calls require remoting to be activated on the client machines on the network. The BeyondExec tool requires a driver to be installed on the machines.

There is another tool worth considering called NeoSploit. However this tool is rather difficult to obtain due to what "else" it can do.

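For the net rpc route above, here is a small power-down script for a fleet of workstations you administer (an added example, not from the original post). It assumes Samba's net binary is installed, that the credentials live in a Samba authentication file read with -A instead of being typed at a prompt, and that remote administration is enabled on each target, as the post notes; unlike the post's command it omits -r, so the machines power off rather than reboot.

```shell
#!/bin/sh
# Scheduled power-down of Windows workstations from a Linux host using Samba's
# "net rpc shutdown" (added example, not from the original post).
# Assumptions: Samba's "net" is installed; the account in the auth file is a
# local administrator on every target; the RPC service is reachable on each box.

AUTH_FILE="${AUTH_FILE:-$HOME/.smb_shutdown_auth}" # "username = ...", "password = ...", "domain = ..."
DELAY="${DELAY:-120}"      # seconds of warning before the box goes down
MESSAGE="Scheduled overnight power-down; please save your work."
DRY_RUN="${DRY_RUN:-1}"    # 1 = print the commands instead of running them

# Constructed host list: one IP per line; '#' starts a comment.
HOSTS='
192.0.2.10
192.0.2.11
# 192.0.2.12   build server: never power this one down
'

# Emit the usable hosts, one per line, with comments and blank lines stripped.
list_hosts() {
    printf '%s\n' "$HOSTS" | sed -e 's/#.*//' -e 's/[[:space:]]*$//' -e '/^$/d'
}

# Build the command line for one target. -r is left out so the machine powers
# off instead of rebooting; -t gives users a warning period and -C the reason;
# -A reads the password from a file, keeping it off argv and out of history.
shutdown_cmd() {
    printf 'net rpc shutdown -f -t %s -C "%s" -I %s -A %s' \
        "$DELAY" "$MESSAGE" "$1" "$AUTH_FILE"
}

# Walk the list, logging each attempt. A failure is reported but does not stop
# the run, so one unreachable workstation does not leave the rest powered on.
run_all() {
    failed=0
    for host in $(list_hosts); do
        cmd=$(shutdown_cmd "$host")
        if [ "$DRY_RUN" = 1 ]; then
            printf 'DRY-RUN: %s\n' "$cmd"
        elif ! eval "$cmd"; then
            printf 'WARN: shutdown of %s failed\n' "$host" >&2
            failed=$((failed + 1))
        fi
    done
    return "$failed"
}

run_all
```

Run it once with the default DRY_RUN=1 to review the exact commands, then DRY_RUN=0 from cron at the chosen hour.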

Posted by Gusius Gus in Politics at 20080809 Comments[0]

20080806 Wednesday August 06, 2008

NAS for the home

Been working on a homemade NAS using the following components:

- Via C3 Processor 800Mhz with 9W TDP

- Mercury Flex ATX motherboard

- 512Mb DDR RAM

- SATA Raid PCI Card

- Gigabit LAN NIC

- Compact Flash Card & IDE adapter

- 4 x 750Gb Samsung F1 HDDs

The result is a machine that uses 52W at idle and 60W at full tilt. The operating system consists of:

- Ubuntu LTS Server Edition 8.04

- Webmin 1.429

The OS was set up such that the swap is on a 1Gb partition on one of the drives. The remainder of the space is set up as XFS and managed by LVM.

The result? A 2.75Tb machine geared for media serving and file storage.

Posted by Gusius Gus in Politics at 20080806 Comments[0]

20080805 Tuesday August 05, 2008

It came from Uranus...I mean Ubuntu

About a year ago I was tempted by some Linux purists to abandon my dual boot setup and stick to Ubuntu only on my laptop...something stopped me. I pictured a scene from "It came from Uranus" where my laptop gets eaten up somehow. How right I was to trust that instinct. A quick Google search will reveal numerous forum posts about "Ubuntu is killing your laptop". Seems an earlier version of Ubuntu had a bug where the hard drive does not shut down properly and initiates an "emergency unload". This sounds like a pop. Do this often enough and you reduce the life of the hard drive (apparently). The bug has been addressed and is fixed. So don't be feisty, be gutsy or hardy instead.

Posted by Gusius Gus in Politics at 20080805 Comments[0]

Offline NT Password & Registry Editor

You know it's not very often you come across a tool that allows you to exploit the design flaws of the NT Kernel. Hang on, what am I saying...Well, this little program (mind you, which fits on a USB stick; size 3Mb) will boot into a cut-down Linux kernel and allows you to "recover" the NT administrator password and un-ban and / or promote existing accounts.

Site: http://home.eunet.no/pnordahl/ntpasswd/

So if you ever get a machine from a government auction and find it has a 'locked' copy of Windows on it....

Posted by Gusius Gus in Politics at 20080805 Comments[0]

Securing Obscurity