SLUG Mailing List Archives

Re: [SLUG] Penetration testing tools?


Ben,

Bear in mind:

> Versions
>
> The ISM is available in two UNCLASSIFIED versions. One version has been authorised for release into the public domain and covers information and systems classified up to RESTRICTED and PROTECTED whilst another UNCLASSIFIED version covers all classifications of information and systems but has not been authorised for release into the public domain.
<http://www.dsd.gov.au/library/infosec/ism.html>

Also, security is broader than IT Security. For example, network and password security can be undermined by a lack of physical and behavioral/cultural (including social engineering, sticking passwords on terminals, chatting to mates at the pub) security. Leaving copies of data/information in Airport Lounges etc.

You might also like to have a look at OECD Guidelines for the Security of Information Systems and Networks: Towards a Culture of Security, 2002. <http://www.oecd.org/document/42/0,2340,en_2649_34255_15582250_1_1_1_1,00.html>

Marghanita

Ben wrote:
3.7.2.4. User authentication can be achieved by various means, including:
• biometrics
• cryptographic tokens
• pass phrases
• passwords
• smartcards.


as well as knowing a few basic details about the person for password
reset - the Sarah Palin email hack.


"3.8.1.26. Where practical, cryptographic products must provide a means of data recovery to allow for recovery of data in circumstances where the encryption key is unavailable due to loss, damage or failure."

That was not comforting.
---

"3.8.1.46. The requirement for an encryption product to provide a key escrow function, where practical, was issued under a Cabinet directive in July 1998."

So who is the keymaster?
---

3.8.2.7. The approved hashing algorithms are:
• Message Digest v5 (MD5)
• Secure Hashing Algorithms (SHA-1, SHA-224, SHA-256, SHA-384 and SHA-512).

MD5 and SHA-1 have known weaknesses and should be phased out:
http://www.schneier.com/blog/archives/2005/02/sha1_broken.html
http://groups.google.com/group/comp.security.pgp.discuss/msg/8357547aa75d0bcd?pli=1
---

3.3.1.6. An attacker socially engineers an agency staff member into unwittingly assisting to compromise a system. (R#175)

Finally found a mention under training, which is encouraging :-)
---

The notes about testing are good, but should probably include
something about getting independent penetration testing done.
---

Content filtering doesn't seem to address the DNS poisoning + Man in
the Middle technique that many companies use to filter HTTPS content.
(not that I think these are a good thing).

Also doesn't mention the issues surrounding encrypted content or
anonymising proxies.
---

Keyboards,

Mention of infra red, but not wireless in general
---

There are mentions of cabling security issues, but nothing that seems
to address:
* Monday: cleaner comes in and connects USB or PS/2 keyboard logging device.
* Tuesday: cleaner collects device.

Having daily or hourly checks of cables is not something users would
be likely to adhere to, so you'd probably need something like those
crypto key chain things instead. Of course, there are many passwords
people might use in the system, so they'd be better off putting them
in some kind of wallet, with the master key protected by multiple
techniques.

On Sat, Oct 25, 2008 at 5:43 PM, Marghanita da Cruz
<marghanita@xxxxxxxxxxxx> wrote:
Ben wrote:
No search hits for:
 * social engineering
 * impersonate

Am I missing something or does this document miss half of IT security,
from the word go?
It might just be that the language is unfamiliar - try authentication and
access control.

On Mon, Oct 20, 2008 at 12:04 PM, Marghanita da Cruz
<marghanita@xxxxxxxxxxxx> wrote:
Amos,

You might like to check the Australian Government ICT Security Manual (ISM)
it tends to talk at a higher conceptual level than specific applications. But
provides useful contextual information...I would be interested in your
comments about its relevance/comprehensiveness.
<http://www.dsd.gov.au/library/infosec/ism.html>

Marghanita

Morgan Storey wrote:
Hi Amos,

That isn't a bad list, I tend to direct people to
http://sectools.org/vuln-scanners.html even though it is a little
dated, and doesn't mention OpenVAS (Nessus forked and OpenVAS is truly
OSS), I also use Webscarab, Xenu (just a link checker but gives you a
good list of the site), W3af, as it is open source and does some nice
fuzzing through its proxy, Nikto/Wikto and Nmap if it is more than
just web.
These are all just auto tests, they won't find everything and there
are some false finds too, so you also have to have a look at
techniques like sql injection (you can get sql injection tools like
the Acunetix, but it is not cheap), and imho you are better learning
the techniques yourself, cause if you know how a tool works you are so
much better off.

Regards

On 10/16/08, Amos Shapira <amos.shapira@xxxxxxxxx> wrote:
Hello,

I need to find tools to run penetration testing on our external web
interfaces (a web application and an HTTP-based data interface).

The idea is to be able to run automatic tests on new releases before
deployment. Stress is on "automatic".

Has anyone here got good experience with such tools?  I'm digging through
the net and found lots of lists (e.g.
http://www.samurainet.org/blog/2008/05/12/web-application-penetration-testing-my-tools-of-the-trade/)
but if someone can give some input from their personal experience on what's
worth pursuing and what's a waste of time it'll, well..., might save us some
time.

Thanks,

--Amos
--
SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/
Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html

--
Marghanita da Cruz
http://www.ramin.com.au
Phone: (+61)0414 869202

