Monday, April 30, 2007

Security Feeds


Recently several people have inquired about easy and efficient ways to stay on top of what is going on in the security community. The answer of course is by aggregating all of your security news "inputs" into a RSS reader.

For Mac OSX platforms, I highly recommend Vienna. This is what I use 90% of the time.

For Win32 platforms, I am currently using Feedreader, however, I am still not completely sold on it. If anyone knows of a better free RSS Client please let me know.

Another amazing resource is the Security Blogger's Network created by Alan Shimel and of which www.monkey-house.org is a proud member. This is essentially a large collection of top-notch IT Security related blogs, aggregated and served out as a Feedburner Feed. To take advantage of this, simply subscribe your RSS client to:

http://networks.feedburner.com/Security-Bloggers-Network/feed


Addtionally for anyone that is interested, I have exported my current list of Security/IT related feeds to an opml file. To use this, simply download my security.opml file and import this into your RSS reader.

***Please note that because my current job duties include performing web application security tests against Ruby on Rails platforms, I have alot of feeds specific to these two areas.

Labels: , ,

Google Calendar Session Auth.

While reviewing IDS logs at work today, I noticed that the Snort Bleeding-Edge rule "BLEEDING-EDGE CURRENT EVENTS Google Calendar in Use" (Snort SID 1:2003597) had fired.. Looking at the logged request, I noticed that it logged a URL similar to:

http://www.google.com/calendar/feeds/COWORKER%40gmail.com/private-98d32c472
5baf853a1c50c4485c9XXXX/full?start-min=2007-04-30T00:00:00&start-max=2007-05
-05T00:00:00


(note, actual calendar name and Session-ID have been changed to protect the innocent, so link will not work)


But the URL basically includes: /username/auth-token

Upon clicking on the initial unmodified link, it allowed me to view my coworker's private Google calendar..

It appears that Google is ignoring a fundamental rule of web application security. "Thall shall not expose any credentials in URLs"


Referencing item A3 Broken Authentication and Session Management of the OWASP Top 10

From the Session ID Protection section: First, they should never be included in the URL as they can be cached by the browser, sent in the referrer header, or accidentally forwarded to a ‘friend’.

This also includes web proxy logs and IDS logs.


Quote from a friend of mine: " but it's Google.. you don't have to be secure, you just have to be easy "

Friday, April 06, 2007

Hotel Wireless IDS (Oppsie!)

I was recently out in Las Vegas for some compliance training. After a long night of honing my Blackjack skills, I returned to the hotel to catch up on e-mail. The hotel had free wireless, and since 24 hours had expired from when I initially connected, I was redirected to the captive web portal to agree to terms of service, see their marketing stuff, etc. Well, when I clicked accept, I noticed that the captive portal was utilizing a series of CGI scripts to authorize clients. Definitely piqued my interest.

So, first step in any good "investigation" is to do some fingerprinting. I fired up nmap -sT -A to identify listening services and make an OS guess. Being the impatient person that I am, I also fired up nikto in parallel. But of course, that wasn't enough to immediately satisfy my curiosity, so I started conduction some web tests by hand. And then something happened that I completely did not expect. I got this web message:

Opps!

Has anyone else experienced something like this before? The interesting thing is the URL. I wonder if I sniffed the IP / MAC address combinations off my local segment and did HTTP POST's to that URL if I could blacklist everybody else.

Labels: ,

Revolution On Rails

As I've previously noted, Revolution Health is currently the largest Ruby on Rails site on the internet. There has been alot of discussion in the industry that Rails could not scale well in a full blown enterprise environment. So, in an effort to dispel this myth and help others who may follow in our footsteps, my coworkers are attempting to document the trials and tribulations of Ruby On Rails from an Enterprise level in their Revolution On Rails Blog

My Kudos to them for also releasing alot of the custom written tools, plug-ins, Gems, and scripts they have developed along the way. I think its fantastic when corporations that heavily leverage open-source tools and platforms in their business environments can find a way to give back to the open-source community.

Labels: , , ,

Pantera WAS Documentation

It looks like all of the Pantera on OSX Documentation I did here on Monkey-House has been officially incorporated in the OSX Install guide bundled in Pantera:

Pantera_Release_0.1.3/doc/en/install-osx.html

Labels: ,

Metasploit Frame on Gentoo

Today I discovered a bug while installing the new Metasploit3 Framework on Gentoo, according to the provided instructions. The essence of the problem is a mixing of a new version of rails (1.2.2) with an old version (< 0.9.0) of RubyGems. This is a problem for anybody that is running Gentoo Stable, as Gentoo is currently shipping RubyGems version 0.8.11-r6. The work around is to install the testing branch of RubyGems. To do this in Gentoo, simply appending: dev-ruby/rubygems ~x86 to the file: /etc/portage/package.keywords and rerunning emerge rubygems.

I've also opened up a defect ticket with metasploit so the documentation can be updated.

Labels: , ,