Tuesday, 20 October 2009

PCI DSS and wireless networks

Once again PCI DSS and wireless networks are being discussed: http://www.securityfocus.com/archive/137/507096

But how can we determine whether this rogue AP, and especially rogue wireless clients (a WLAN card in a back-office server), are inside the CDE? By signal level? But Kismet shows this information only for APs (not for clients) :(

I have already answered this question on the Informzaschita web site, but let's repeat it here.

>How can I know whether a wireless access point with encryption enabled is part of our local network?

The location of an access point can be determined in several ways. The easiest is by the traffic "in the air". Even if the AP uses strong encryption (not WEP), enough data to identify the segment is sent in clear text, for example the sender's MAC address: WPA/WPA2 encrypt the payload, but the 802.11 MAC header with its address fields stays unencrypted. As an access point is a link-layer device, it relays every broadcast on its segment "into the air". Since there are plenty of such requests in any network (ARP, NetBIOS, IPv6, etc.), comparing the MAC addresses of the senders whose packets pass through the AP with the list of known MAC addresses of your network makes it easy to determine where the access point sits. Additionally, you can generate a large number of broadcast packets with utilities that implement ARP ping, such as Cain or nmap.

Triangulation... Running after every beacon with an antenna is not an easy task.

>Where can I find information about locating access points by the triangulation method, and what kind of antenna is best?

Parabolic and Yagi antennas for the 2.4 GHz band are rather bulky, so panel antennas are more convenient to use, despite their worse directivity and greater sensitivity to reflected signals.

>But what if it is a really properly configured access point: WPA2 + hidden SSID + MAC filter? It takes a long time to find it while there is no activity.

Any AP connected to the network "signals" anyway:
- it sends beacons (even if the ESSID is empty)
- it relays broadcasts and multicasts with the source MAC addresses in clear text

It is difficult to imagine a network without broadcast requests, and I described above how to locate the access point by them.
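The correlation described above (an AP relays the segment's broadcasts, and the wired sender's MAC stays in the clear in the 802.11 header even under WPA2), as an added example that is not part of the original post. It assumes raw 802.11 frames without a radiotap header, as a monitor-mode capture gives once the radio header is stripped; the BSSIDs, the wired MAC inventory and the frames are constructed samples:

```python
"""Locate an AP by the wired MACs it relays into the air (added example).

Even under WPA2 the 802.11 MAC header is unencrypted, so the wired source
address of every broadcast an AP relays (Address 3 in From-DS frames) can be
matched against a MAC inventory of the network segments. Frames and inventory
below are constructed samples, not captured data.
"""
from collections import defaultdict

FLAG_TO_DS = 0x01       # frame control byte 1, bit 0
FLAG_FROM_DS = 0x02     # frame control byte 1, bit 1
FLAG_PROTECTED = 0x40   # payload encrypted (WEP/WPA/WPA2); header still clear
BROADCAST = "ff:ff:ff:ff:ff:ff"


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def mac_bytes(text: str) -> bytes:
    return bytes(int(x, 16) for x in text.split(":"))


def parse_data_frame(frame: bytes):
    """Return (bssid, sa, da, from_ds) for a data frame, None otherwise.

    Address meaning depends on the To-DS/From-DS bits (IEEE 802.11, Table 7-6):
      ToDS=0 FromDS=0: addr1=DA,    addr2=SA,    addr3=BSSID  (ad hoc)
      ToDS=0 FromDS=1: addr1=DA,    addr2=BSSID, addr3=SA     (AP -> station)
      ToDS=1 FromDS=0: addr1=BSSID, addr2=SA,    addr3=DA     (station -> AP)
      ToDS=1 FromDS=1: addr1=RA,    addr2=TA,    addr3=DA, addr4=SA (WDS)
    """
    if len(frame) < 24:
        return None
    fc0, fc1 = frame[0], frame[1]
    if (fc0 >> 2) & 0x03 != 2:        # type 2 = data (0 = management, 1 = control)
        return None
    addr1, addr2, addr3 = frame[4:10], frame[10:16], frame[16:22]
    to_ds, from_ds = bool(fc1 & FLAG_TO_DS), bool(fc1 & FLAG_FROM_DS)
    if from_ds and not to_ds:
        bssid, sa, da = addr2, addr3, addr1
    elif to_ds and not from_ds:
        bssid, sa, da = addr1, addr2, addr3
    elif not to_ds and not from_ds:
        bssid, sa, da = addr3, addr2, addr1
    else:
        if len(frame) < 30:
            return None
        bssid, sa, da = addr2, frame[24:30], addr3
    return mac_str(bssid), mac_str(sa), mac_str(da), from_ds


def locate_aps(frames, inventory):
    """Per BSSID: relayed-frame count per wired segment, unknown wired senders,
    and the wireless stations that talked to the AP."""
    result = defaultdict(lambda: {"segments": defaultdict(int),
                                  "unknown_wired": set(), "clients": set()})
    for frame in frames:
        parsed = parse_data_frame(frame)
        if parsed is None:
            continue
        bssid, sa, _da, from_ds = parsed
        entry = result[bssid]
        if from_ds:                        # traffic coming from the wire
            segment = inventory.get(sa)
            if segment:
                entry["segments"][segment] += 1
            else:
                entry["unknown_wired"].add(sa)
        else:                              # a station sending towards the AP
            entry["clients"].add(sa)
    return {b: {"segments": dict(e["segments"]), "unknown_wired": e["unknown_wired"],
                "clients": e["clients"]} for b, e in result.items()}


def aps_in_segment(located, segment, min_frames=2):
    """BSSIDs that relayed at least min_frames broadcasts from hosts of `segment`."""
    return {b for b, e in located.items() if e["segments"].get(segment, 0) >= min_frames}


def mk_frame(flags, addr1, addr2, addr3, payload=b"\x00" * 16):
    """Build a minimal 802.11 data frame: FC, duration, addr1-3, seq, payload."""
    return (bytes([0x08, flags]) + b"\x00\x00" + mac_bytes(addr1) + mac_bytes(addr2)
            + mac_bytes(addr3) + b"\x00\x00" + payload)


# Constructed inventory: wired MAC -> segment (e.g. taken from switch MAC tables).
WIRED_INVENTORY = {
    "00:1a:4b:10:00:01": "CDE",
    "00:1a:4b:10:00:02": "CDE",
    "00:24:e8:20:00:0a": "Office",
}
ROGUE_AP, NEIGHBOUR_AP = "00:11:22:aa:bb:01", "00:11:22:cc:dd:02"

# Constructed capture: WPA2-encrypted payloads, headers in the clear.
SAMPLE_FRAMES = [
    mk_frame(FLAG_FROM_DS | FLAG_PROTECTED, BROADCAST, ROGUE_AP, "00:1a:4b:10:00:01"),
    mk_frame(FLAG_FROM_DS | FLAG_PROTECTED, BROADCAST, ROGUE_AP, "00:1a:4b:10:00:02"),
    mk_frame(FLAG_FROM_DS | FLAG_PROTECTED, BROADCAST, ROGUE_AP, "00:1a:4b:10:00:01"),
    mk_frame(FLAG_FROM_DS | FLAG_PROTECTED, BROADCAST, NEIGHBOUR_AP, "00:50:56:ff:00:01"),
    mk_frame(FLAG_TO_DS | FLAG_PROTECTED, ROGUE_AP, "00:16:6f:33:44:55", BROADCAST),
    bytes([0x80, 0x00]) + b"\x00" * 22,   # beacon (management frame): ignored here
]

if __name__ == "__main__":
    located = locate_aps(SAMPLE_FRAMES, WIRED_INVENTORY)
    for bssid, entry in located.items():
        print(bssid, entry)
    print("APs inside CDE:", aps_in_segment(located, "CDE"))
```

The `min_frames` threshold exists because a single matching frame can be a coincidence (a multicast forwarded across segments, for instance); several different CDE hosts seen behind the same BSSID are what make the location convincing. The ToDS branch also gives, for free, the list of station MACs associated with each AP, which is the starting point for the client question below.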

>How to detect clients that connect to external access points?

Clients that are allowed to connect to "external" access points can be detected by active security assessment mechanisms. For example, there are three mechanisms in MaxPatrol that help solve the problem:
- inventory, which analyzes the wireless settings of Windows clients,
- security assessment, which analyzes insecure configurations (e.g. multihomed hosts, no encryption, WEP usage),
- compliance management, which defines black and white lists of the access points allowed in the network.

Or by monitoring the wireless network, but then you need to list "your" MAC addresses beforehand. This can be done by active (see above) or passive (see below) mechanisms.

>How can I tell whether these are my users?

Something about this is written here (Russian).

But in any case, a workstation (especially under Windows) sends a lot of interesting traffic that allows its network membership to be determined: NetBIOS broadcasts, WPAD requests, and DHCP requests that carry the host name and domain name...
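An added example, not from the original post or from any of the tools named on this page, of what that traffic gives away: it pulls the host name (option 12), client FQDN (option 81) and vendor class (option 60) out of a DHCP Discover and decodes the first-level-encoded name that NetBIOS name service packets carry. The packets, MAC addresses and the `corp.example` domain are constructed, and deciding membership by domain suffix is an assumed policy:

```python
"""Identify a workstation from what it broadcasts (added example).

Parses DHCP identity options (RFC 2132, RFC 4702) and NetBIOS name service
names (RFC 1001). Every packet and name below is a constructed sample.
"""
import struct

DHCP_MAGIC = b"\x63\x82\x53\x63"


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_dhcp_options(pkt: bytes) -> dict:
    """Return {code: value} for the TLV options after the 236-byte BOOTP header."""
    opts, i = {}, 240
    while i < len(pkt):
        code = pkt[i]
        if code == 0:            # pad
            i += 1
            continue
        if code == 255:          # end
            break
        length = pkt[i + 1]
        opts[code] = pkt[i + 2:i + 2 + length]
        i += 2 + length
    return opts


def decode_fqdn_option(value: bytes) -> str:
    """Client FQDN option (RFC 4702): flags, rcode1, rcode2, then the name,
    in DNS label format if the E flag (0x04) is set, otherwise as ASCII."""
    if len(value) < 3:
        return ""
    flags, name = value[0], value[3:]
    if flags & 0x04:
        labels, i = [], 0
        while i < len(name) and name[i]:
            labels.append(name[i + 1:i + 1 + name[i]].decode("ascii", "replace"))
            i += 1 + name[i]
        return ".".join(labels)
    return name.decode("ascii", "replace")


def identify_dhcp_client(pkt: bytes, our_domains):
    """Identity hints from a DHCP packet plus a membership verdict based on the
    FQDN suffix (assumed policy; our_domains is a constructed list)."""
    if len(pkt) < 240 or pkt[236:240] != DHCP_MAGIC:
        return None
    hlen = pkt[2]                                   # hardware address length
    opts = parse_dhcp_options(pkt)
    fqdn = decode_fqdn_option(opts.get(81, b""))
    info = {
        "mac": mac_str(pkt[28:28 + hlen]),          # chaddr field
        "msg_type": opts.get(53, b"\x00")[0],       # 1 = Discover, 3 = Request
        "hostname": opts.get(12, b"").decode("ascii", "replace"),
        "fqdn": fqdn,
        "vendor_class": opts.get(60, b"").decode("ascii", "replace"),
    }
    info["ours"] = any(fqdn.lower().endswith("." + d.lower()) for d in our_domains)
    return info


def decode_nbns_name(encoded: bytes):
    """First-level decoding (RFC 1001, 14.1): 32 letters, each pair giving one
    byte as ((c1-'A') << 4) | (c2-'A'). Returns (name, suffix byte)."""
    if len(encoded) != 32:
        raise ValueError("NetBIOS encoded name must be 32 characters")
    raw = bytes(((encoded[i] - 0x41) << 4) | (encoded[i + 1] - 0x41) for i in range(0, 32, 2))
    return raw[:15].decode("ascii", "replace").rstrip(" \x00"), raw[15]


def encode_nbns_name(name: str, suffix: int) -> bytes:
    """Inverse of decode_nbns_name, used to build the sample below."""
    raw = name.upper().ljust(15).encode("ascii") + bytes([suffix])
    return bytes(b for x in raw for b in ((x >> 4) + 0x41, (x & 0x0F) + 0x41))


def build_dhcp_discover(mac: bytes, hostname: bytes, fqdn: bytes, vendor: bytes) -> bytes:
    """Constructed DHCP Discover (BOOTP header + options) for the demo."""
    header = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", 1, 1, 6, 0, 0x3903F326, 0, 0x8000,
                         b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,
                         mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    options = (DHCP_MAGIC + bytes([53, 1, 1])
               + bytes([12, len(hostname)]) + hostname
               + bytes([81, len(fqdn) + 3]) + b"\x00\x00\x00" + fqdn   # ASCII form, E=0
               + bytes([60, len(vendor)]) + vendor + b"\xff")
    return header + options


OUR_DOMAINS = ["corp.example"]                       # constructed
SAMPLE_DISCOVER = build_dhcp_discover(               # constructed
    b"\x00\x16\x6f\x33\x44\x55", b"POS-TERMINAL-07",
    b"pos-terminal-07.corp.example", b"MSFT 5.0")

if __name__ == "__main__":
    print(identify_dhcp_client(SAMPLE_DISCOVER, OUR_DOMAINS))
    print(decode_nbns_name(encode_nbns_name("POS-TERMINAL-07", 0x00)))
```

The DHCP and NBNS payloads come out of the encrypted WPA2 frames only after the decryption key is known, so this check runs on the wired side (a SPAN port or the DHCP server's own logs), where these broadcasts arrive in the clear; on the air side the same broadcasts are only visible as the relayed frames of the previous example.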

But one question is still open: how to elicit this kind of traffic from the clients? Here Gnivirdraw can help us.

>Active scanners don't help us!!!

Of course, sometimes running around with a laptop is useful :). But scanners can help with the following:
- fingerprinting of network devices (including APs) in pentest mode
- inventory of wireless client configuration (MAC addresses, lists of networks)
- analysis of access point configuration
- analysis of wireless device logs in order to find "bad" events

Thus, some wireless problems are on the wire :)

Monday, 19 October 2009

WASC Announcement: 2008 Web Application Security Statistics Published

The Web Application Security Consortium (WASC) is pleased to announce the WASC Web Application Security Statistics Project 2008. This initiative is a collaborative, industry-wide effort to pool sanitized website vulnerability data and to gain a better understanding of the web application vulnerability landscape. We ascertain which classes of attacks are the most prevalent regardless of the methodology used to identify them. Industry statistics such as those compiled by the MITRE CVE project provide valuable insight into the types of vulnerabilities discovered in open source and commercial applications; this project tries to be the equivalent for custom web applications.

This article contains web application vulnerability statistics that were collected during penetration testing, security audits and other activities performed by companies that were members of WASC in 2008. The statistics include data on 12,186 sites with 97,554 detected vulnerabilities.

WASC Web Application Security Statistics 2008


Thursday, 15 October 2009

A small plug for Bitrix

Recently we audited the new security functions of "1C-Bitrix: Site Management" to assess their compliance with the Web Application Firewall Evaluation Criteria of the Web Application Security Consortium.

The story continued at the Chaos Constructions CC9 festival, which took place on 29-30 August 2009 in Saint Petersburg, Russia.

"More than six hundred Russian hackers tried to break into a server-installed content management system in an attempt to get past its sophisticated Proactive Protection system. More than 25,000 attacks were recorded and effectively repulsed during the software crash test competition hours. The competition was organized by the Bitrix, Inc. team and Positive Technologies IT experts."

Bitrix Real-Time Hack Competition in Russia

25.000 Russian Hack Attacks Repulsed by Bitrix in Two Days

A WAF-protected, "tested by Russian hackers", PCI-compliant site out of the box. Not bad, isn't it?

Wednesday, 3 June 2009

Adding protection means adding "a hole"

Funny news:

New D-Link protection for Wi-Fi routers is a hole in security!

D-Link had barely announced updated firmware for its wireless routers with protection against automated registration (a CAPTCHA) when several enthusiasts found that this new protection measure makes the routers more vulnerable to password theft.




There are some comments on the SecurityLab forum saying:

Is it again an attack with a default password?

The situation is actually much more amusing. The problem is that D-Link uses the CAPTCHA to protect against Cross-Site Request Forgery (CSRF), or, to be more precise, against its application to routers, which Symantec grandly named Drive-by Pharming. But an implementation error (requests with a valid hash are accepted without the CAPTCHA) turns this protection into a vulnerability.

If the passwords are the default ones, there is a method to bypass Basic authentication via JavaScript (see "Breaking through the perimeter", http://www.securitylab.ru/analytics/292473.php).

But if the password (or a derivative of it, such as a hash) is sent in a GET request (as a duplicate of Basic), the situation is more interesting: an attacker can not only use the hash of the default password but also brute-force the user's password with JavaScript via CSRF, the very thing the CAPTCHA was supposed to prevent.

This means that the vulnerability concerns not only default passwords: it also makes brute-force attacks on user passwords via CSRF more effective, and the standard password protections (timeout, temporary lockout, etc.) do not work, because the router does not see a brute-force attack as such; it sees connection attempts with different "normal" hashes used in place of a session identifier. A simple script that calls the address

GET /post_login.xml?hash=

and checks whether the action succeeded is enough. All that remains is to trick a user into opening the site :)

In general, a rather interesting design error in the authentication mechanism of a web application.
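A model of the design error described above, as an added example: it is not D-Link's code, and the hash derivation (MD5 of the password, computed by the browser), the shape of the `post_login` handler, the CAPTCHA value and the lockout threshold are assumptions used to illustrate the two-code-path flaw next to a hardened variant.

```python
"""Model of a login with a CAPTCHA-free "hash" shortcut (added example).

Not vendor code. Assumptions: the login page derives hash = MD5(password) in
the browser, the router accepts /post_login.xml?hash=... and applies CAPTCHA
and lockout only to the ordinary form path. The hardened variant shows the
properties that close the hole; MD5 is kept there only to mirror the model.
"""
import hashlib
import secrets

LOCKOUT_AFTER = 3          # assumed lockout threshold


def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode()).hexdigest()


class WeakRouter:
    """Two code paths: the form checks the CAPTCHA and counts failures; the
    hash shortcut does neither, so every hash attempt is a free password guess."""

    def __init__(self, password: str, captcha_answer: str = "7f3kq"):
        self._hash = md5_hex(password)
        self._captcha = captcha_answer
        self.failures = 0

    def post_login(self, params: dict) -> bool:
        if "hash" in params:                     # the bug: bare hash accepted
            return params["hash"] == self._hash  # no CAPTCHA, no failure counted
        if self.failures >= LOCKOUT_AFTER:
            return False
        if params.get("captcha") != self._captcha:
            return False
        ok = md5_hex(params.get("password", "")) == self._hash
        if not ok:
            self.failures += 1
        return ok


class HardenedRouter:
    """One path only: a per-session anti-CSRF token, a CAPTCHA bound to that
    session, a random per-session salt so no reusable password derivative ever
    travels in a URL, and a failure counter applied to every attempt."""

    def __init__(self, password: str):
        self._password = password
        self.failures = 0

    def new_session(self, captcha_answer: str = "7f3kq") -> dict:
        return {"csrf": secrets.token_hex(16), "salt": secrets.token_hex(8),
                "captcha": captcha_answer}

    def post_login(self, session: dict, params: dict) -> bool:
        if self.failures >= LOCKOUT_AFTER:
            return False
        expected = md5_hex(session["salt"] + self._password)
        ok = (secrets.compare_digest(params.get("csrf", ""), session["csrf"])
              and params.get("captcha") == session["captcha"]
              and secrets.compare_digest(params.get("proof", ""), expected))
        if not ok:
            self.failures += 1
        return ok


def csrf_brute_force_weak(router: WeakRouter, candidates):
    """What a page opened in the victim's browser can do against WeakRouter:
    one GET /post_login.xml?hash=MD5(candidate) per guess (e.g. via <img src>),
    no CAPTCHA in the way, no failure counted. Returns (password, attempts)."""
    for attempts, candidate in enumerate(candidates, 1):
        if router.post_login({"hash": md5_hex(candidate)}):
            return candidate, attempts
    return None, len(candidates)


def csrf_brute_force_hardened(router: HardenedRouter, candidates):
    """Same attacker against HardenedRouter: it cannot read the victim's session
    (csrf token, salt, captcha) cross-origin, so every guess is blind and counted."""
    victim_session = router.new_session()
    for attempts, candidate in enumerate(candidates, 1):
        # attacker-controlled params only: no token, no captcha, proof without the salt
        if router.post_login(victim_session, {"proof": md5_hex(candidate)}):
            return candidate, attempts
    return None, len(candidates)


CANDIDATES = ["admin", "password", "1234", "letmein", "dlink"]   # constructed wordlist

if __name__ == "__main__":
    print(csrf_brute_force_weak(WeakRouter("letmein"), CANDIDATES))          # ('letmein', 4)
    print(csrf_brute_force_hardened(HardenedRouter("letmein"), CANDIDATES))  # (None, 5)
```

The point of the model is the `failures` counter: against `WeakRouter` it never moves, because the hash branch returns before it, which is exactly why timeouts and lockouts are no defence here; against `HardenedRouter` the same wordlist locks the account after three blind guesses. Whether a cross-origin page can observe success is a separate question (the post only says the script "checks whether the action succeeded"); the model reports it directly.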

Monday, 18 May 2009

Tool for WINS and DNS (MS09-008)

The utility detects potentially dangerous entries in DNS and WINS databases (the WPAD and ISATAP names addressed by MS09-008). It can also scan the local network for hosts with dangerous NetBIOS names. If system and security administrators run the utility regularly, it lets them keep track of potentially dangerous entries in the name servers and of hosts with dangerous NetBIOS names on the local network.

Detailed information can be found in the article by Sergey Rublev and on SecurityLab:



Download here:

Wednesday, 13 May 2009

Compliance management vs Risk management

If we look at regulatory compliance in terms of risk analysis, i.e. assume that:

- threat: the consequences of a violation as defined by the compliance enforcement agency (CEA :)
- vulnerability: non-compliance with the requirements
- attack: checks carried out by the CEA
- countermeasure: compliance with the requirements

then we have a practically unprecedented situation: all the basic data needed for quantitative risk analysis using the classic formula ARO x SLE = ALE.


We have:

- ARO: the expected annual frequency of CEA checks
- SLE: the consequences of a violation as described by the law or by the CEA

This interesting situation not only shows that textbook rules still sometimes work, but also the great benefit of compliance as a driver of information security.

Let's consider two examples that are now widely known: Russian Federal Law 152 (On Personal Data) and PCI DSS.


PCI DSS

This is quite simple, since Visa and the other payment systems decided not to torment business and allowed the action plan to be postponed because of the current state of the world economy. This is a delay of the attack by several years. An unprecedented situation in which you know for certain that this particular attack will not take place during the year. Or a couple of years. Just imagine a year's immunity from virus attacks or hardware theft... A great thing!


- threat: fines (N x K$) or a prohibition of operations (let it also be N x K$ for simplicity); this is the SLE;
- vulnerability: non-compliance with the requirements (PCI DSS);
- attack: the response of the CEA (Visa, MasterCard, etc.) to a deviation from the action plan; the probability that it takes place, the ARO, is 0 times a year.

In total we have:

Risk = (N x K$) x 0 = 0

That is, you can do nothing!!!

But! The key condition is that you have an action plan. So you should create one, by yourself or with a QSA, as you wish. Unfortunately I have no information about the regulator's response when there is no PCI DSS action plan at all, but I think in that case the SLE is roughly the cost of the countermeasure (an audit).

Federal Law 152

In this case everything is also easy.

threat: several variants

1. Administrative liability: fines.
2. Suspension or termination of personal data processing in the company: the period of idle time/degradation of the affected business processes until the deficiencies are eliminated. I think you can take a minimum of 1/6 of a year.
3. The company and/or its head is held criminally (civilly, disciplinarily, etc.) liable: a catastrophe.
4. Suspension or revocation of the licenses for the company's core activity: close to a catastrophe in the current situation.

attack: a check by the CEA

Given the novelty of the subject, the regulator's interest in it, and the possibility of a check being initiated from outside (by a complaint), the probability that the attack will be carried out in 2010 can be taken as 1.
For more detailed calculations by region and line of business, the following statistics can be used:


In total we have (worst-case scenario):

Risk = (the value of the business) x 1 = (the value of the business)

That is: there is a problem, and you have to solve it.

PS. There is no need to draw far-reaching conclusions. It's just a funny story. We didn't sell FL-152 consulting :)