Wednesday, February 28, 2007

Open Source Web App Security

I read a blog posting by Ed Finkler "Do Open Source Devs Get Web App Security? Does Anybody?".

In it he describes disturbing statements found in the documentation of an open source content management system :

A colleague of mine who is dealing with Plone, a CMS system built atop Zope, pointed me to some rather disturbing documents in the Plone Documentation system, one that I feel is indicative of a much larger problem in the web app dev community.

The first describes a hole (subsequently patched) in Plone that allowed users to upload arbitrary Javascript. Apparently no input or output filtering was being done. Certainly anyone familiar with XSS attacks can see the potential for stealing cookie data, but the article seems to think this is simply a spam issue.

In closing, Ed Finkler puts it bluntly :

A web developer is not qualified to do the job if he or she does not have a good understanding of web application security concepts and techniques. Leaders of development teams must stop allowing developers who are weak on security techniques to contribute to their products, and managers need to stop hiring candidates who do not demonstrate a solid secure programming background. If they continue to do so, they demonstrate a lack of concern for the safety of their customers.

Friday, February 23, 2007

The OWASP Testing Guide v2 is now published

I just found out that OWASP has released "The OWASP Testing Guide v2" on February 10, 2007.

You can read the guide online at Testing Guide v2 Wiki or you can download it in PDF format.

Nessus 3.2 beta available for testing

Tenable has released Nessus 3.1.2 for Linux, FreeBSD and Solaris, which is a beta version of the upcoming Nessus 3.2.

Nessus 3.2 contains the following new features :

- Experimental IPv6 support
- Improved bandwidth throttling
- Extended nessusd.rules to add support for ports and plugins
- New command 'nessuscmd' which lets you do a quick command-line scan
- Improved NASL engine
- Easy-update : Nessus can now update its own engine by doing /opt/nessus/sbin/nessus-update

Tenable explains more about these new features in its blog entry.

Thursday, February 22, 2007

NIST Publication on IDS and IPS technology

NIST has released a new publication (SP800-94) that covers just about everything you can think of when it comes to IDS and IPS. The report is titled "Guide to Intrusion Detection and Prevention Systems (IDPS)".

Why blurring sensitive information is a bad idea

Dheera Venkatraman has published an article describing how blurring, when used to conceal information in an image, can be attacked.

In the article, he writes :

Undoubtedly you have all seen photographs of people on TV and online who have been blurred to hide faces.

For the most part this is all fine with people's faces as there isn't a convenient way to reverse the blur back into a photo so detailed that you can recognise the photo. So that's good if that is what you intended. However, many people also resort to blurring sensitive numbers and text. I'll illustrate why that is a BAD idea.

His suggestion for concealing information in images is simply to paint a solid colour over it instead of blurring.

Malicious JS Could Alter DNS Settings on Routers

I just came across the following news :

Malicious JavaScript placed on web sites could be used to change DNS settings on home routers that are still using default passwords. Once the change has been made, the next time the router is rebooted, the user would be redirected to spoofed, possibly malicious web sites. Research indicates that about half of router owners have not changed the password from the default.

You can find the technical details at Symantec's site.

NIST Releases New Information Security Documents

The National Institute of Standards and Technology (NIST) has released two new information security documents.

  • NISTIR 7359, "Information Security Guide for Government Executives," is designed to "assist senior leaders in understanding how to oversee and support the development and implementation of information security programs."
  • NISTIR 7358, "Program Review for Information Security Management Assistance (PRISMA)" describes "a methodology developed by NIST for reviewing complex requirements and posture of a federal information security program."

Tuesday, February 20, 2007

Vulnerability in Snort DCE/RPC Preprocessor

I just found out about the vulnerability in the Snort DCE/RPC preprocessor. This preprocessor is vulnerable to a stack-based buffer overflow that could potentially allow attackers to execute code with the same privileges as the Snort binary.

The following versions are affected :

  • Snort 2.6.1, 2.6.1.1, and 2.6.1.2
  • Snort 2.7.0 beta 1

Recommended actions :
  • Open-source Snort 2.6.1.x users are advised to upgrade to Snort 2.6.1.3 (or later) immediately.
  • Open-source Snort 2.7 beta users are advised to mitigate this issue by disabling the DCE/RPC preprocessor in the snort.conf file. This issue will be resolved in Snort 2.7 beta 2.

Thursday, February 15, 2007

Using Snort as a simple IDS

In my previous blog post (Testing Snort 2.7.0 Beta 1), I described my endeavour to install Snort 2.7.0 Beta 1. After successfully installing Snort, I wanted to create a simple IDS rule and use Snort as a simple IDS.

To test Snort as an IDS, I first created a simple rule like the following :


Then I started Snort using the following command :



I opened another Konsole and pinged localhost :


In the Snort window, I pressed Ctrl-C. Snort appears not to respond to Ctrl-C, but in fact it is waiting for the first packet.

In the other Konsole, I pinged localhost again :


In the Snort window, the display looks like the following :


You can see that Snort actually responds to our Ctrl-C only after it has received the first packet matching its rules.

From the figure above, we can see that Snort received 10 packets and it analyzed 2 (two) ICMP packets. Those packets generated 5 alerts and 5 log entries.

In the tests/ directory we can see that Snort has created two files :


And here is the alert file contents :


Snort has analysed the ICMP packets according to the rule we created.
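As an added example (not code from the original post, whose rule and output are not reproduced on the page), here is a small Python helper that parses a Snort 2.x rule of the kind used above and the fast-format alert lines Snort writes, so you can check which alerts a given rule produced in a test run. The rule and the alert lines are constructed for illustration.

```python
import re

# Constructed example rule in Snort 2.x syntax; the post's own rule is not
# reproduced on the page, so this one is an assumption.
ICMP_RULE = 'alert icmp any any -> any any (msg:"ICMP test"; sid:1000001; rev:1;)'

# Constructed sample lines in Snort's "fast" alert format (-A fast), not output
# copied from the post: four hits for the rule above plus one unrelated alert.
SAMPLE_ALERTS = """\
02/15-21:05:17.123456  [**] [1:1000001:1] ICMP test [**] [Priority: 0] {ICMP} 127.0.0.1 -> 127.0.0.1
02/15-21:05:17.123512  [**] [1:1000001:1] ICMP test [**] [Priority: 0] {ICMP} 127.0.0.1 -> 127.0.0.1
02/15-21:05:18.125001  [**] [1:1000001:1] ICMP test [**] [Priority: 0] {ICMP} 127.0.0.1 -> 127.0.0.1
02/15-21:05:18.125060  [**] [1:1000001:1] ICMP test [**] [Priority: 0] {ICMP} 127.0.0.1 -> 127.0.0.1
02/15-21:05:19.130000  [**] [1:1000002:1] TCP test [**] [Priority: 2] {TCP} 10.0.0.5:40321 -> 127.0.0.1:22
"""

# Rule header: action proto src sport direction dst dport (options)
RULE_RE = re.compile(
    r"^(?P<action>alert|log|pass)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$")

# Fast alert line: ts [**] [gid:sid:rev] msg [**] [Classification] [Priority] {proto} src -> dst
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]\s+(?:\[Classification: (?P<cls>[^\]]*)\]\s+)?"
    r"\[Priority: (?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s*$")

def parse_rule(text):
    """Split one Snort rule into its header fields plus an options dict."""
    m = RULE_RE.match(text.strip())
    if not m:
        raise ValueError("not a Snort rule: %r" % text)
    rule = m.groupdict()
    opts = {}
    # Options are ';'-separated key:value pairs; fine for simple rules, a ';' inside a quoted msg needs a real tokenizer.
    for opt in rule.pop("opts").split(";"):
        if opt.strip():
            key, _, val = opt.partition(":")
            opts[key.strip()] = val.strip().strip('"')
    rule["options"] = opts
    return rule

def parse_alerts(text):
    """Parse fast-format alert lines; lines that do not match are skipped."""
    return [m.groupdict() for m in map(ALERT_RE.match, text.splitlines()) if m]

def alerts_for_rule(rule, alerts):
    """Keep only alerts raised by this rule (generator id 1 = rules engine)."""
    sid = rule["options"].get("sid")
    return [a for a in alerts if a["gid"] == "1" and a["sid"] == sid]
```

Point the parser at your own alert file (written by `snort -A fast`) to get the same per-rule breakdown for a real test run.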

Monday, February 12, 2007

Secunia Releases Software Inspector

Feature Overview :

  • Detects insecure versions of applications installed
  • Verifies that all Microsoft patches are applied
  • Assists you in updating your system and applications
  • Runs through your browser. No installation or download is required.

The Secunia Software Inspector covers the most common/popular end user applications:

  • Internet browsers
  • Internet browser plugins
  • Instant messaging clients
  • Email clients
  • Media players
  • Operating systems

You can find it here.

Back from A Disaster

Several days ago, I experienced a flood disaster that lasted for days. It ruined my schedule. But thank God I am still alive and kicking.

Now I try to recover from the disaster.

Here are several things I learned from this disaster :

  • You need to be prepared for the unexpected
  • Do not depend too much on the government
  • Develop your disaster recovery plan suitable for your needs

Thursday, February 01, 2007

Information Security Awareness Day

Information Security Awareness Day (Hari Kesadaran Keamanan Informasi) will be declared on:

Date: 07 March 2007
Time: 18:30 - 21:30
Venue: Main Commission Room (Ruang Komisi Utama), BPPT Building II, 3rd floor
Jl. MH. Thamrin no.8, Jakarta

Programme
18.30 – 19.00 Registration
19.00 – 19.10 Welcome address from BPPT
19.10 – 19.20 Welcome address from DepKomInfo
19.20 – 19.30 Welcome address from DeTIKNas
19.30 – 19.40 Welcome address from Lemsaneg
19.40 – 19.50 Welcome address from Polri
19.50 – 20.10 Reading and signing of the Declaration
20.20 – 20.30 Press conference
20.30 – 21.30 Dinner and closing

For further information contact Dimas 98929053 or send an email to awarenessday@security-1st.net

Get NAT'ed IP Address Using JS in Firefox

I just read Jeremiah's posting on how to get a NAT'ed IP address using JavaScript in Firefox versions 1.5-2.0.

This works because in Firefox, JavaScript can access Java classes directly (java.net.Socket). You can try it here (copied from Jeremiah's posting) :



When I think about how this could be used by the bad guys, I feel very scared. One solution is to block JavaScript from untrusted websites. In Firefox, you can use NoScript.