Excellent email, Marc. This is stuff I've been thinking about myself, and your email will be forwarded to my management team to get them thinking about this kind of thing too.
Your voice carries more than the usual amount of weight with management, since you helped found a successful company, which is more impressive to some folks than your actual technical knowledge.

Kurt

On 2/8/08, Marc Maiffret <[EMAIL PROTECTED]> wrote:
> I am very familiar with these tools and most of the guys who write them. For what you are looking to do Metasploit is going to give you everything you need and it is free. The real advantages of Core Impact and Canvas are more geared towards consulting penetration testers who need functionality like the ability to load "tunneling agents" so that after they compromise one system they can use it to attack another. Those types of things are not going to be as important in the situation you are in. What you really need to care about is the completeness of their exploit database and the variety of types of testing they can perform beyond simply seeing if an exploit works or not.
>
> In reality though these tools should hopefully not tell you too much about a system that you are building, because most are simply attempting to exploit known vulnerabilities, and as long as you run Windows Update and double check third party vendor patches you shouldn't have much of a problem, unless of course you're going out of your way to make yourself vulnerable by opening FTP with anonymous write access or something. In general though for performing system health checks you should look more into vulnerability scanning/management software (Foundstone/eEye/Qualys/etc).
>
> Now your second question is definitely a much more complicated field and I am so happy to see you talking and thinking about it. Because I promise you that right now you could probably compromise 80-90% of the companies on NTSYSADMIN using Web Application vulnerabilities. Unless of course your website is completely boring and static HTML, but I doubt the big cheeses are letting you get away with not living in the web deuce world!
>
> When it comes to web application security metasploit/canvas/core do not really help a whole lot. Although you should definitely keep an eye on Core Impact as they are adding more web app sec testing stuff, and if you have to buy a commercial exploit tool, they are the one to get. That being said though all 3 of those tools are very weak (for web application scanning) compared to Watchfire, SPI, NTObjectives, or even Acunetix (ex-GFI guys). Beyond web application security products there are also managed services such as what WhiteHat does, where they basically have their own code that they are constantly running against your website and they process the results and help fine tune false positives, like having a constant security consultant.
>
> When it comes to the web application scanning tools they honestly are a lot alike in that they all have major advantages and weaknesses in their ability to correctly identify web application security flaws. I like NTO from an engine perspective, but the UI is terrible. Others like WhiteHat are good because they kind of do it all, but then you also are going to pay more than for an off the shelf product. Watchfire and SPI are considered the two product market leaders and you're probably good either way.
>
> The main thing is your company will be far better off using any one of these web products than none. Also a lot of companies opt to hire consultants to do manual and automated scans of their web infrastructure, and a lot of times that costs about the same as the product you would have bought and you get much higher quality, depending on which consultants you hire of course.
>
> And as if I have not rambled enough I want to tell you a quick story that hopefully makes everyone on this list really realize that web application vulnerabilities are the biggest threat they potentially face, second to stupid users opening attachments or going to the wrong website.
>
> Not long ago I was consulting with the FBI and a well known University that suffered a major data breach. The University lost hundreds of thousands of identities due to the data breach, and while it was a terrible thing for students, the school was more worried about all of the famous/rich donors who also had their identities compromised and were threatening to pull funding. For my part I was helping the school not only fix their gaping security problems but also to be an overall security stopgap to determine the extent of the leak and future risks it might pose. The server that had been compromised was a very simple server running a student registration application of not much interest. However that registration application had access to backend databases that stored a lot of extra information. The website itself had a vulnerability that allowed for SQL injection. For those that are not familiar with how simple of an attack SQL injection can be, let me paint a picture. The attacker[s] were able to steal all of these identities by simply crafting a 40+ character string (ASCII no less) and putting that into something like a Search form that you find on most any website. Because the web code behind it was not properly sanitizing information, the code happily took that string, translated it into a database query and then returned whatever data from the database the attacker wanted. Now some people might be thinking, how stupid of a mistake! But again I bet that 80-90% of the companies on NTSYSADMIN (with more than static HTML) are all vulnerable to this or similar attacks.
>
> Back to the story... So first things first I got a copy of the last year's worth of server logs for IIS. This was a high traffic server and the year's worth of log files were *many* gigabytes' worth, so I put together some custom forensic log analysis tools to speed things up a bit. I started at the beginning of the year searching for traces of an attack and oddly enough the program found an attack within a few seconds, which means attacks were happening since the beginning of the year. I then called my friend at the FBI and got the previous year's logs, ran my code, and the same thing: I found attack traces at the beginning of the second year. This went on until I finally found the beginning of the attacks, which had taken place over the course of 4 YEARS!!! Now people again might be thinking wow, their IT team must have been just completely stupid to have been having data stolen for 4 years. The IT team is actually a smart IT team but they are similar to most in that they are undertrained (ask for training, then products) when it comes to security. They had about the same security that most NTSYSADMIN'ers have: firewalls, anti-virus on the desktop, some gateway filter. There was nothing however that was detecting these specifically targeted web attacks (no network IPS would have seen it either) and the IT team only accidentally discovered the attacks because after 4 years one of the attacker[s] was stupid and tried to upload a 1 year old Trojan which Symantec ended up catching and therefore tipped them off that something was wrong. However, had that one newbie attacker not done that, who knows how long the attack would have gone on for. Being that the attack had taken place over 4 years and there were over 200+ unique source addresses (from China, good luck working with them) performing the attack, there was not a whole lot I could do to be a stopgap as they were, as they say, "completely f***ed." And if that story was semi-interesting then maybe next Friday I will tell you about a famous Hollywood actor and his "new york girlfriend" who kept every dirty SMS and camera phone photo, how a hacker stole it all, and how I helped make their problem go away.
>
> Anyways my point, if not just to be a semi-entertaining Friday email, is to hopefully paint a picture of what is happening right now out there in cyberspace, and has been for a while. And hopefully to spawn a few of you to start thinking about your business and your web presence (like my man Edward is) and how secure it really is or is not.
>
> Signed,
> Marc Maiffret
> Freelance Security/Technology Consultant
>
>
> From: Ziots, Edward [mailto:[EMAIL PROTECTED]]
> Sent: Monday, February 04, 2008 10:42 AM
> To: NT System Admin Issues
> Subject: Anyone using Pen-testing tools from Canvas or Core-impact in their system deployments?
>
> Folks,
>
> Looking for some reviews on Metasploit vs Canvas vs Core Impact from people who use the products to pen-test their application/server builds, before putting them into production as a part of system security and risk management of their information systems.
>
> Also if you are using Watchfire, or SPI Dynamics or other web-application vulnerability testing tools, please let me know what you think about them (good and bad).
>
> Z
>
> Edward E. Ziots
> Network Engineer
> Lifespan Organization
> MCSE,MCSA,MCP,Security+,Network+,CCA
> Phone: 401-639-3505
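The search-form SQL injection Marc describes, shown as an added example that is not code from the thread or from the university's application: a registration-style course search whose backend database also holds a sensitive donor table. The table names, columns, sample rows and the 40-character payload are all constructed for illustration; the vulnerable and fixed functions differ only in whether the search term is spliced into the SQL text or bound as a parameter.

```python
"""Search-form SQL injection: vulnerable string concatenation beside the
parameterized fix. Added example with a constructed in-memory SQLite
database; names, rows and payload are illustrative only."""
import sqlite3


def build_db():
    """Stand-in for the registration app's backend: a harmless course
    catalogue sharing a database with a sensitive donor table."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE courses (title TEXT, dept TEXT);
        CREATE TABLE donors  (name  TEXT, ssn  TEXT);
        INSERT INTO courses VALUES ('Intro to Chemistry', 'CHEM'),
                                   ('Linear Algebra',     'MATH');
        INSERT INTO donors  VALUES ('Alice Example', '123-45-6789'),
                                   ('Bob Example',   '987-65-4321');
    """)
    return conn


def search_vulnerable(conn, term):
    """The bug: the user's term becomes part of the SQL text, so a quote in
    the term closes the string literal and the remainder is parsed as SQL.
    The page's search form only ever meant to query the courses table."""
    sql = "SELECT title, dept FROM courses WHERE title LIKE '%" + term + "%'"
    return sorted(conn.execute(sql).fetchall())


def search_safe(conn, term):
    """The fix: bind the term as a parameter. The driver sends it as data,
    so it can never change the structure of the query; the same payload
    is just a literal that matches no course title."""
    sql = "SELECT title, dept FROM courses WHERE title LIKE ?"
    return sorted(conn.execute(sql, ("%" + term + "%",)).fetchall())


# A 40-character ASCII payload of the kind any search box accepts: it closes
# the LIKE pattern, UNIONs the donor table onto the result set, and comments
# out the trailing quote the application appends.
PAYLOAD = "%' UNION SELECT name, ssn FROM donors --"

if __name__ == "__main__":
    db = build_db()
    print("vulnerable:", search_vulnerable(db, PAYLOAD))  # courses + donors
    print("safe:      ", search_safe(db, PAYLOAD))        # []
```

The vulnerable query that actually reaches the database is `SELECT title, dept FROM courses WHERE title LIKE '%%' UNION SELECT name, ssn FROM donors --%'`, which is why the donor rows come back through a course search. Parameter binding is the fix; input "sanitizing" with a blocklist of characters is not, because the grammar of SQL offers too many ways around it. Note that the safe version still lets a user supply `%` and `_` wildcards inside the LIKE pattern, which is a matching-semantics issue rather than an injection.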
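The forensic log pass Marc describes, walking IIS logs back year by year until the first attack trace appears, is the kind of thing a short script can do. What follows is an added example, not Marc's tool and not the university's logs: it parses IIS W3C extended log lines using the `#Fields:` header, URL-decodes `cs-uri-query`, matches a small set of SQL injection patterns, and summarizes first/last sighting, hits per year and the number of unique source addresses. The sample log, its field layout and the attack query strings are constructed for the example.

```python
"""Scan IIS W3C extended logs for SQL injection traces and summarize when
the attacks started and how many sources took part. Added example; the
sample log below is constructed, not real data."""
import re
from collections import Counter
from urllib.parse import unquote_plus

# Constructed sample. The field list mirrors a common IIS 6 W3C layout; the
# injected query strings are illustrative and URL-encoded as a browser would.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2004-09-14 03:12:55 10.0.0.5 GET /register/search.asp q=math+101 80 - 203.0.113.7 Mozilla/4.0 200
2004-09-14 03:13:02 10.0.0.5 GET /register/search.asp q=%27+UNION+SELECT+name%2Cssn+FROM+donors-- 80 - 203.0.113.7 Mozilla/4.0 200
2005-02-01 22:40:10 10.0.0.5 GET /register/search.asp q=%25%27+or+1%3D1-- 80 - 198.51.100.23 Mozilla/4.0 200
2006-11-30 11:05:44 10.0.0.5 GET /register/course.asp id=42 80 - 192.0.2.9 Mozilla/4.0 200
2007-08-08 09:00:01 10.0.0.5 GET /register/search.asp q=x%27%3Bexec+xp_cmdshell+%27dir%27-- 80 - 198.51.100.23 Mozilla/4.0 500
2008-01-20 17:17:17 10.0.0.5 GET /register/search.asp q=chemistry 80 - 192.0.2.9 Mozilla/4.0 200
"""

# Signatures applied to the *decoded* query string. Deliberately small; a
# real engine would also decode nested/double encoding and inspect POST bodies.
SQLI_PATTERNS = [re.compile(p, re.IGNORECASE) for p in (
    r"\bunion\b[\s/*]+(all[\s/*]+)?select\b",          # UNION SELECT
    r"'\s*(or|and)\s+[\w']+\s*=\s*[\w']+",             # ' or 1=1 tautologies
    r"\bxp_cmdshell\b",                                # MSSQL command exec
    r";\s*(exec|declare|drop|insert|update|delete)\b", # stacked statements
    r"\bwaitfor\s+delay\b",                            # time-based blind
)]


def parse_iis_log(text):
    """Yield one dict per request line, keyed by the names in the most recent
    #Fields: header (IIS writes a new header when the field set changes)."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        parts = line.split()  # IIS encodes spaces inside fields, so this is safe
        if fields is None or len(parts) != len(fields):
            continue  # malformed or truncated line: skip rather than abort
        yield dict(zip(fields, parts))


def classify_query(raw_query):
    """Return the pattern that fires on the decoded query string, else None."""
    if raw_query == "-":  # IIS logs '-' for an empty field
        return None
    decoded = unquote_plus(raw_query)
    for pat in SQLI_PATTERNS:
        if pat.search(decoded):
            return pat.pattern
    return None


def find_sqli(text):
    """Return one hit record per request whose query string looks injected."""
    hits = []
    for rec in parse_iis_log(text):
        pat = classify_query(rec.get("cs-uri-query", "-"))
        if pat:
            hits.append({"date": rec["date"], "source": rec["c-ip"],
                         "uri": rec["cs-uri-stem"],
                         "query": unquote_plus(rec["cs-uri-query"]),
                         "pattern": pat})
    return hits


def summarize(hits):
    """Timeline and source count: the numbers that answer 'how long' and
    'how many attackers' once the logs for earlier years are pulled in."""
    if not hits:
        return {"total": 0}
    dates = sorted(h["date"] for h in hits)
    return {"total": len(hits),
            "first_seen": dates[0],
            "last_seen": dates[-1],
            "unique_sources": len({h["source"] for h in hits}),
            "per_year": dict(Counter(d[:4] for d in dates))}


if __name__ == "__main__":
    found = find_sqli(SAMPLE_LOG)
    for h in found:
        print(h["date"], h["source"], h["uri"], repr(h["query"]))
    print(summarize(found))
```

Because `parse_iis_log` is a generator over lines, the same code streams multi-gigabyte log files without loading them into memory; point it at each year's files in turn and stop when a year produces no hits, which is the walk-backwards procedure in the story. Treat the pattern list as a starting point: it will miss encodings it does not decode and can false-positive on legitimate text containing those words, so review the matched `query` field rather than trusting counts alone.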
