Ratproxy

Posted in Tools and Utilities by Dragan Pleskonjic @ Jul 3, 2008

Google has released Ratproxy, a passive web application security assessment tool. It is released under the terms and conditions of the Apache License, version 2.0.

Here is Google’s description of the tool:

Ratproxy is a semi-automated, largely passive web application security audit tool. It is meant to complement active crawlers and manual proxies more commonly used for this task, and is optimized specifically for an accurate and sensitive detection, and automatic annotation, of potential problems and security-relevant design patterns based on the observation of existing, user-initiated traffic in complex web 2.0 environments.


Microsoft IPsec Diagnostic Tool

Posted in Tools and Utilities by Dragan Pleskonjic @ Feb 2, 2008

Microsoft IPsec Diagnostic Tool assists network administrators with troubleshooting network-related failures, focusing primarily on IPsec. It is applicable on Windows XP, Windows Server 2003, Windows Vista and Windows Server 2008. The download is available to customers running genuine Microsoft Windows. Also check the interesting Network Access Protection (NAP) case study. It is a quick and interesting read about the use of IPsec-based enforcement.


Top 100 Network Security Tools

Posted in Software Security, Tools and Utilities by Dragan Pleskonjic @ Dec 19, 2007

Insecure.org has a Top 100 Network Security Tools list. The author says:

Anyone in the security field would be well advised to go over the list and investigate tools they are unfamiliar with. I discovered several powerful new tools this way. I also point newbies to this site whenever they write me saying “I don’t know where to start”.


Ophcrack - Rainbow Tables Based Password Cracker

If you think your passwords are strong enough, think twice. They are probably not. Ophcrack is a Windows password cracker based on rainbow tables. It is a very efficient implementation of rainbow tables, done by the inventors of the method. It comes with a GTK+ graphical user interface and runs on Windows, Mac OS X (Intel CPU) as well as on Linux. The multi-platform password cracker Ophcrack is incredibly fast. How fast? It can crack the password “Fgpyyih804423” in 160 seconds. Most people would consider that password fairly secure. The Microsoft password strength checker rates it “strong”. The Geekwisdom password strength meter rates it “mediocre”.

See more here and here.

Thanks to Dejan for bringing this to my attention.


Application Verifier

Posted in Software Security, Tools and Utilities by Dragan Pleskonjic @ Sep 6, 2007

Application Verifier is a nice tool, designed by Microsoft specifically to detect and help debug memory corruption and critical security vulnerabilities. It makes it easier to create reliable applications by monitoring an application’s interaction with the Windows operating system, profiling its use of objects, the registry, the file system, and Win32 APIs (including heaps, handles, locks, and more). It also includes checks to predict how well the application will perform under Least-privileged User Account operation, compatibility tests used in logo testing, and print tests to verify your usage of the print subsystem.

You can download the new version here.


Encryption: Security Considerations for Portable Media Devices

Posted in Cryptography, Hardware Security, Tools and Utilities by Dragan Pleskonjic @ Aug 8, 2007

IEEE Security and Privacy, issue July/August 2007 (Vol. 5, No. 4), has an interesting article, Encryption: Security Considerations for Portable Media Devices (subscription required).

Abstract

With the proliferation of removable media devices, such as iPods and USB drives, large amounts of an organization’s sensitive data can easily be removed. The author explores the complexities of protecting networks against removable media, including guidelines for purchasing encryption software.


SDL Crypto Code Review Macro

Posted in Cryptography, Secure Programming, Tools and Utilities by Dragan Pleskonjic @ Jun 17, 2007

Michael Howard talks about SDL Crypto Code Review on his blog. He says:

When I review code for security bugs I basically do the following:

1) Run static analysis tools and compile with /W4 to see which source code files appear to have more warnings or errors. This may indicate more bugs.
2) Look for known issues, such as banned APIs and banned functionality. I hand review anything I spot in this pass, but the noise can be very high.
3) Drill down into the riskiest code (i.e., line-by-line review) based on the threat models.

Michael decided to create a simple macro to help with (2) when reviewing code for potential crypto issues. You can read about it and download the code at his Web log (here).
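As an added illustration of step (2), here is a small Python scanner written for this post; it is not Michael Howard’s macro, whose pattern list is not reproduced here. The banned/weak patterns and the C fragment it scans are constructed assumptions; the output is the list of lines a reviewer should hand-check, with a comment line left out to show the noise filter.

```python
import re

# Illustrative patterns (assumption: NOT the macro's own list). Each regex maps
# to the reason a reviewer should hand-check the matching line.
BANNED_PATTERNS = {
    r"\bCALG_(MD2|MD4|MD5|RC2|RC4|DES)\b": "weak CryptoAPI algorithm identifier",
    r"\b(MD4|MD5|SHA1?)_(Init|Update|Final)\b": "weak hash primitive",
    r"\bRC4\b|\bDES_\w+\b": "weak cipher",
    r"\b(s?rand)\s*\(": "rand()/srand() is not a cryptographic RNG",
    r"\b(strcpy|strcat|sprintf)\s*\(": "banned unsafe string API",
    r'\b(key|iv|password|secret)\w*\s*=\s*"': "hard-coded key or secret literal",
}

# Constructed C fragment standing in for a file under review.
SAMPLE_C = """\
#include <wincrypt.h>
// constructed sample fragment for the scanner, not real project code
static const char *key = "hunter2";
int hash_pw(HCRYPTPROV p, const char *pw, BYTE *out) {
    HCRYPTHASH h;
    if (!CryptCreateHash(p, CALG_MD5, 0, 0, &h)) return 0;
    char buf[16];
    strcpy(buf, pw);
    srand(42);
    CryptGenRandom(p, sizeof buf, buf);
    return 1;
}
"""

def scan_source(text, patterns=BANNED_PATTERNS):
    """Return (line_no, line, reason) for every line hitting a banned pattern."""
    hits = []
    for no, line in enumerate(text.splitlines(), start=1):
        stripped = line.strip()
        if stripped.startswith("//"):
            continue  # skip line comments to keep the noise down
        for pat, reason in patterns.items():
            if re.search(pat, line):
                hits.append((no, stripped, reason))
                break  # one finding per line is enough for triage
    return hits

if __name__ == "__main__":
    for no, line, reason in scan_source(SAMPLE_C):
        print(f"line {no}: {reason}\n    {line}")
```

CryptGenRandom is deliberately left unflagged: the point of the pass is to surface only the lines that need a human eye.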


ASA: Cisco and Privacyware

Posted in Security, Tools and Utilities by Dragan Pleskonjic @ Jun 4, 2007

What is ASA in the computer security area? Two products share the same acronym:

  • Cisco: ASA - Adaptive Security Appliances
  • Privacyware: ASA - Adaptive Security Analyzer

Details about Cisco ASA are available at their Web site (here).

A short story about Privacyware ASA. Privacyware is pre-announcing the general availability of Adaptive Security Analyzer 2.0 (“ASA”). Adaptive Security Analyzer (“ASA”) can identify suspicious events and trends in a wide range of activities such as inbound/outbound firewall traffic, database transactions, HTTP traffic, logon/logoff activity, Web server and application use, changes to Group Policies, and much more. Custom analysis can be easily configured to focus on almost any event class, enabling an ASA implementation to be as dynamic as your unique and evolving requirements.

Adaptive Security Analyzer key features/benefits, according to the Privacyware announcement, are:
- Advanced Anomaly Intelligence reveals previously undetected security events and policy violations.
- Robust analytic engine rapidly processes high-volume security data to increase IT staff capacity.
- Pre-configured analytics help deliver immediate value.
- Custom analytics provide flexible and adaptive implementation.
- Intricate filter and rules designer enables the input of expert or specialized knowledge.
- Machine and mentored learning ensures progressively accurate and meaningful output.
- Scheduled reporting automates workflow.

ASA provides IT administrators with the ability to develop fresh perspectives and make more accurate determinations about suspicious activity, even in situations where definitive threat characteristics are not available. With ASA, elusive security and compliance threats that go unnoticed by conventional tools can now be identified and better understood.

Custom analysis can be performed using data stored in most standard sources (e.g., syslog, .csv, .txt, MS SQL, MySQL, Oracle, etc.), including those formatted in leading SIM/SIEM solutions from vendors such as Cisco, LogLogic, netForensics, Sensage, Quest Software, and others.

ASA also includes pre-built models designed to analyze logs from the following devices/applications:
- Check Point Firewall-1
- Cisco PIX Firewall
- Microsoft ISA Server
- Juniper/NetScreen Firewall

If intelligence regarding atypical behavior among your logs or data is valuable, ASA may be an ideal solution.

You may download the software and support materials from the Privacyware website by registering here:
http://www.privacyware.com/ASAP_Registration.html and the User Guide here: http://www.privacyware.com/ASA_Pro_Support.html


Cracking Passwords

Posted in Security, Tools and Utilities by Dragan Pleskonjic @ May 23, 2007

Here is a small list of tools for cracking passwords. It is listed in the order: tool, URL, and short description.

Note: some of the domains have expired and some of the companies have been acquired by bigger ones. :)


BioPassword Authentication Scheme

Identity theft is a growing problem and the fight against it is very important. One possible idea, and question, is: can the speed at which a user types be used to determine whether he or she is allowed to view bank account details or use other online services?

This is a mechanism that, if it proves correct with acceptable accuracy, can help in the anti-phishing battle as an additional authentication layer, since it is unlikely that an attacker will be able to properly reproduce the typing style and timings of the original user.

My graduate student did some work in this area and developed an application which hasn’t been proven highly reliable, but was able to perform an additional level of authentication coupled with other methods. It helped to increase the level of protection for password-based systems.

BioPassword is a new security company and software product based on the idea of keystroke recognition. According to the company, they already have solutions for banking and finance, eCommerce, healthcare, digital rights, etc. They have also received awards for this.

There are still open issues with this method: what if you are a trained typist? Also, do you type the same way as others who learned the same way? Can we assume that the same user will type the same way every time? Mood, the circumstances in which one types, and other conditions that are not under control can affect this a lot. Also, the system would need to be recalibrated every time you changed your password. With a fingerprint, for example, that only happens once.

If you ask me, I wouldn’t want to automatically block users. From the experiments my graduate student has done with this method up to now, the false-positive/false-negative ratio would have to be jiggered properly, and it is still not a method that we can use with high confidence. But if they (the BioPassword company) can get it working right, it’s an extra layer of authentication.
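An added example of how such a keystroke-timing check can be built and tuned; this is written for this post and is neither BioPassword’s product nor my student’s application. The inter-key intervals, the simple mean/standard-deviation profile and the z-score distance are constructed assumptions; it shows why the profile must be rebuilt on a password change and how moving the threshold trades false rejects against false accepts.

```python
import statistics

# Constructed enrollment data (assumption): inter-key intervals in milliseconds
# for one password typed several times by the legitimate user.
ENROLL = [
    [180, 220, 150, 300, 170, 210],
    [200, 240, 170, 320, 190, 230],
    [160, 200, 130, 280, 150, 190],
    [180, 220, 150, 300, 170, 210],
]
# Constructed later attempts: the same user on other days, and other people.
GENUINE = [[190, 210, 160, 310, 160, 220],
           [170, 230, 140, 290, 180, 200],
           [200, 240, 170, 320, 190, 230]]
IMPOSTOR = [[100, 100, 100, 100, 100, 100],
            [250, 250, 250, 250, 250, 250],
            [200, 200, 200, 300, 200, 170]]

def build_profile(samples):
    """Per-interval mean and std dev; rebuilt from scratch on a password change."""
    cols = list(zip(*samples))
    means = [statistics.mean(c) for c in cols]
    stds = [max(statistics.pstdev(c), 5.0) for c in cols]  # floor avoids /0
    return means, stds

def score(profile, sample):
    """Mean absolute z-score: 0 means identical rhythm, larger means less alike."""
    means, stds = profile
    if len(sample) != len(means):
        raise ValueError("attempt has a different number of keystrokes")
    return sum(abs(s - m) / sd for s, m, sd in zip(sample, means, stds)) / len(means)

def verify(profile, sample, threshold):
    """True = rhythm accepted; a False is better used for step-up auth than a block."""
    return score(profile, sample) <= threshold

def error_rates(profile, genuine, impostor, threshold):
    """False-reject rate over genuine attempts, false-accept rate over impostor ones."""
    frr = sum(not verify(profile, s, threshold) for s in genuine) / len(genuine)
    far = sum(verify(profile, s, threshold) for s in impostor) / len(impostor)
    return frr, far

if __name__ == "__main__":
    profile = build_profile(ENROLL)
    for t in (1.0, 1.5, 2.0):  # tightening t lowers FAR but raises FRR
        frr, far = error_rates(profile, GENUINE, IMPOSTOR, t)
        print(f"threshold {t}: false-reject {frr:.2f}, false-accept {far:.2f}")
```

With these constructed samples a threshold of 1.0 rejects one genuine attempt, 2.0 lets one impostor through, and 1.5 separates them; real data will not be this clean, which is exactly the tuning problem the post describes.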
