Very nice, but do you work the East Coast as well or just the West Coast? I am asking as my office is just about to jump into the type of non-static, pay-for-use, remote access, without-a-clue-as-to-security services. They are at the moment just talking to the vendor and excluding all IT support from the interviews as "you ask too many questions and are always so negative" when dealing with this type of service.
Jon

On Feb 8, 2008 9:07 PM, Marc Maiffret <[EMAIL PROTECTED]> wrote:
> I am very familiar with these tools and most of the guys who write them. For
> what you are looking to do Metasploit is going to give you everything you
> need and it is free. The real advantages of Core Impact and Canvas are more
> geared towards consulting penetration testers who need functionality like
> the ability to load "tunneling agents" so that after they compromise one
> system they can use it to attack another. Those types of things are not
> going to be as important in the situation you are in. What you really need
> to care about is the completeness of their exploit database and the variety of
> types of testing they can perform beyond simply seeing if an exploit works
> or not.
>
> In reality though these tools should not hopefully tell you too much about a
> system that you are building because most are simply attempting to exploit
> known vulnerabilities and as long as you run Windows Update and double check
> third party vendor patches you shouldn't have much of a problem, unless of
> course you're going out of your way to make yourself vulnerable by opening FTP
> with anonymous write access or something. In general though for performing
> system health checks you should look more into vulnerability
> scanning/management software (Foundstone/eEye/Qualys/etc).
>
> Now your second question is definitely a much more complicated field and I
> am so happy to see you talking and thinking about it. Because I promise you
> that right now you could probably compromise 80-90% of the companies on
> NTSYSADMIN using Web Application vulnerabilities. Unless of course your
> website is completely boring and static HTML, but I doubt the big cheeses are
> letting you get away with not living in the web deuce world!
>
> When it comes to web application security Metasploit/Canvas/Core do not
> really help a whole lot. Although you should definitely keep an eye on Core
> Impact as they are adding more web app sec testing stuff and if you have to
> buy a commercial exploit tool, they are the one to get. That being said
> though all 3 of those tools are very weak (for web application scanning)
> compared to Watchfire, SPI, NTObjectives, or even Acunetix (ex-GFI guys).
> Beyond web application security products there are also managed services
> such as what WhiteHat does where they basically have their own code that
> they are constantly running against your website and they process the
> results and help fine tune false positives, like having a constant security
> consultant.
>
> When it comes to the web application scanning tools they honestly are a lot
> alike in that they all have major advantages and weaknesses in their ability
> to correctly identify web application security flaws. I like NTO from an
> engine perspective, but the UI is terrible. Others like WhiteHat are good
> because they kind of do it all, but then you also are going to pay more than
> an off the shelf product. Watchfire and SPI are considered the two product
> market leaders and you're probably good either way.
>
> The main thing is your company will be far better off using any one of these
> web products than none. Also a lot of companies opt to hire consultants to
> do manual and automated scans of their web infrastructure and a lot of times
> that costs about the same as the product you would have bought and you get
> much higher quality, depending on which consultants you hire of course.
>
> And as if I have not rambled enough I want to tell you a quick story that
> hopefully makes everyone on this list really realize that web application
> vulnerabilities are the biggest threat they potentially face, second to
> stupid users opening attachments or going to the wrong website.
>
> Not long ago I was consulting with the FBI and a well known University that
> suffered a major data breach. The University lost hundreds of thousands of
> identities due to the data breach and while it was a terrible thing for
> students the school was more worried about all of the famous/rich donors who
> also had their identities compromised and were threatening to pull funding.
> For my part I was helping the school not only fix their gaping security
> problems but also to be an overall security stopgap to determine the extent
> of the leak and future risks it might pose. The server that had been
> compromised was a very simple server running a student registration
> application of not much interest. However that registration application had
> access to backend databases that stored a lot of extra information. The
> website itself had a vulnerability that allowed for SQL injection. For those
> that are not familiar with how simple of an attack SQL injection can be let
> me paint a picture. The attacker[s] were able to steal all of these
> identities by simply crafting a 40+ character string (ASCII no less) and
> putting that into something like a Search form that you find on most any
> website. Because the web code behind it was not properly sanitizing
> information the code happily took that string, translated it into a database
> query and then returned whatever data from the database the attacker wanted.
> Now some people might be thinking, how stupid of a mistake! But again I bet
> that 80-90% of the companies on NTSYSADMIN (with more than static HTML) are
> all vulnerable to this or similar attacks. Back to the story… So first
> things first I got a copy of the last year's worth of server logs for IIS.
> This was a high traffic server and the year's worth of log files were *many*
> gigabytes worth so I put together some custom forensic log analysis tools to
> speed things up a bit. I started at the beginning of the year searching for
> traces of an attack and oddly enough the program found an attack within a
> few seconds which means attacks were happening since the beginning of the
> year. I then called my friend at the FBI and got the previous year's logs,
> ran my code, and the same thing: I found attack traces at the beginning of
> the second year. This went on until I finally found the beginning of the
> attacks which had taken place over the course of 4 YEARS!!! Now people again
> might be thinking wow their IT team must have been just completely stupid to
> have been having data stolen for 4 years. The IT team is actually a smart IT
> team but they are similar to most in that they are undertrained (ask for
> training, then products) when it comes to security. They had about the same
> security that most NTSYSADMIN'ers had, firewalls, anti-virus on the desktop,
> some gateway filter. There was nothing however that was detecting these
> specifically targeted web attacks (no network IPS would have seen it either)
> and the IT team only accidentally discovered the attacks because after 4 years
> one of the attacker[s] was stupid and tried to upload a 1 year old Trojan
> which Symantec ended up catching and therefore tipped them off that
> something was wrong. However, had that one newbie attacker not done that who
> knows how long the attack would have gone on for. Being that the attack had
> taken place over 4 years and there were over 200+ unique source addresses
> (from China, good luck working with them) performing the attack there was
> not a whole lot I could do to be a stopgap as they were as they say
> "completely f***ed." And if that story was semi-interesting then maybe next
> Friday I will tell you about a famous Hollywood actor, and his "New York
> girlfriend" who kept every dirty SMS and camera phone photo, how a hacker
> stole it all, and how I helped make their problem go away.
>
> Anyways my point, if not just to be a semi-entertaining Friday email, is to
> hopefully paint a picture of what is happening right now out there in
> cyberspace, and has been for a while. And hopefully to spawn a few of you to
> start thinking about your business and your web presence (like my man Edward
> is) and how secure it really is or is not.
>
> Signed,
> Marc Maiffret
> Freelance Security/Technology Consultant
>
>
> From: Ziots, Edward [mailto:[EMAIL PROTECTED]
> Sent: Monday, February 04, 2008 10:42 AM
> To: NT System Admin Issues
> Subject: Anyone using Pen-testing tools from Canvas or Core-impact in their
> system deployments?
>
> Folks,
>
> Looking for some reviews on Metasploit vs Canvas vs Core Impact from people
> who use the products to pen-test their application/server builds, before
> putting them into production as a part of system security and risk
> management of their information systems.
>
> Also if you are using Watchfire, or SPI Dynamics or other web-application
> vulnerability testing tools, please let me know what you think about them
> (good and bad)
>
> Z
>
> Edward E. Ziots
> Network Engineer
> Lifespan Organization
> MCSE,MCSA,MCP,Security+,Network+,CCA
> Phone: 401-639-3505
>
> ~ Upgrade to Next Generation Antispam/Antivirus with Ninja! ~
> ~ <http://www.sunbelt-software.com/SunbeltMessagingNinja.cfm> ~
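The two technical points in Marc's story, the search form that splices user input into a SQL statement and the forensic pass over years of IIS logs looking for the traces, are shown together in the added example below. This is illustrative code written for this page, not Marc's tooling and not the university's application: the schema, the rows, the attack string and the W3C log lines are all constructed, and SQLite stands in for the backend database. The same defect exists with any driver that builds statement text by concatenation.

```python
import re
import sqlite3
from urllib.parse import unquote_plus

# ---------------------------------------------------------------------------
# 1. The search form: concatenated SQL next to the parameterised version.
#    Constructed schema: a harmless public table and a sensitive one that the
#    same database account can read (the "backend databases" in the story).
# ---------------------------------------------------------------------------

def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE courses(id INTEGER, title TEXT);
        CREATE TABLE students(id INTEGER, name TEXT, ssn TEXT);
        INSERT INTO courses VALUES (1, 'Intro to Security'), (2, 'Databases');
        INSERT INTO students VALUES (100, 'A. Student', '123-45-6789'),
                                    (101, 'B. Donor',   '987-65-4321');
    """)
    return conn

def search_vulnerable(conn, term):
    # The user's string becomes part of the statement text, so a quote closes
    # the literal and everything after it is executed as SQL.
    sql = "SELECT title FROM courses WHERE title LIKE '%" + term + "%'"
    return sorted(r[0] for r in conn.execute(sql))

def search_safe(conn, term):
    # Bound parameter: the driver passes the term as data, never as SQL text,
    # so the same string simply matches no course title.
    sql = "SELECT title FROM courses WHERE title LIKE ?"
    return sorted(r[0] for r in conn.execute(sql, ("%" + term + "%",)))

# A 45-character ASCII string of the kind typed into a search box (constructed).
ATTACK = "' UNION SELECT name||':'||ssn FROM students--"

# ---------------------------------------------------------------------------
# 2. Forensic pass over IIS W3C extended logs: decode cs-uri-query and flag
#    injection patterns, then summarise sources and the earliest trace.
# ---------------------------------------------------------------------------

INJECTION_PATTERNS = [
    r"union\s+select",                                  # appended SELECT
    r"'\s*(or|and)\s+\S+\s*=\s*\S+",                    # ' OR 1=1 tautology
    r"--\s*$",                                          # comment out the rest
    r";\s*(drop|exec|insert|update|delete|shutdown)\b", # stacked statement
    r"xp_cmdshell|@@version|information_schema|sysobjects",  # MSSQL recon
]
INJECTION_RE = re.compile("|".join(f"({p})" for p in INJECTION_PATTERNS), re.I)

def scan_iis_log(text):
    """One hit per request whose URL-decoded query string matches a pattern."""
    fields, hits = [], []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]        # the header names the columns
            continue
        if not line or line.startswith("#"):
            continue
        rec = dict(zip(fields, line.split(" ")))
        query = unquote_plus(rec.get("cs-uri-query", "-"))
        m = INJECTION_RE.search(query)
        if m:
            hits.append({"when": rec["date"] + " " + rec["time"],
                         "source": rec["c-ip"], "uri": rec["cs-uri-stem"],
                         "query": query, "matched": m.group(0)})
    return hits

def unique_sources(hits):
    return sorted({h["source"] for h in hits})

def first_seen(hits):
    return min(h["when"] for h in hits) if hits else None

# Constructed IIS 6 log excerpt: two normal searches (one with a legitimate
# apostrophe), then two injection attempts from different addresses.
SAMPLE_LOG = """
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2008-01-05 03:14:22 10.0.0.5 GET /register/search.asp q=databases 80 - 198.51.100.4 Mozilla/4.0 200 0 0
2008-01-05 03:14:25 10.0.0.5 GET /register/search.asp q=O%27Brien 80 - 198.51.100.4 Mozilla/4.0 200 0 0
2008-01-05 03:15:01 10.0.0.5 GET /register/search.asp q=%27+UNION+SELECT+name%7C%7C%27%3A%27%7C%7Cssn+FROM+students-- 80 - 203.0.113.7 Mozilla/4.0 200 0 0
2008-01-05 03:15:09 10.0.0.5 GET /register/search.asp q=x%27+OR+1%3D1-- 80 - 203.0.113.9 Mozilla/4.0 500 0 0
"""

if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", search_vulnerable(db, ATTACK))  # student rows leak
    print("safe:      ", search_safe(db, ATTACK))        # nothing
    found = scan_iis_log(SAMPLE_LOG)
    print("hits:", len(found), "sources:", unique_sources(found),
          "first seen:", first_seen(found))
```

Two caveats a practitioner would want. First, the scanner only sees what IIS writes to the log: GET query strings and status codes. A search form submitted by POST leaves nothing but the URI stem in the default W3C fields, so the absence of hits is not the absence of attacks. Second, the patterns are deliberately narrow so that an apostrophe in a real name does not fire, which means double-encoded, CHAR()-built or whitespace-substituted payloads slip past; treat a pass like this as a fast first cut over gigabytes of logs, then review the flagged sources and time windows by hand.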
