
How to disable XSS filter on Internet Explorer 11 July 24, 2014

Posted by alexoldman in Burp, Information security, Security.

I was just doing some training on the Cross-site Scripting (XSS) vulnerability for our development team. My demo didn’t work because both IE v11 and Chrome v36 have clever filters that protect against XSS attacks. So the first lesson is: check your demos before you try them! I was using the excellent Burp proxy.

Anyway, here is how to turn off XSS filters in IE v11.

  1. Tools > Internet Options > Security
  2. Select the Custom Level button
  3. Scroll down and set Enable XSS filter to Disable

You can do the same in Chrome releases v35 or earlier, by starting it with the switch --disable-web-security

"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --args --disable-web-security

I have not found out how to disable the XSS filter in Chrome v36 yet.

I hope this helps someone.
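Here is an added example, not code from the post: a minimal Python training page that can be switched between the deliberately vulnerable state used for a demo and the fixed state. It also shows the X-XSS-Protection response header, which IE8 and later (and the Chrome/WebKit XSS Auditor) honour: a value of 0 turns the filter off for that one response only, so the demo works without lowering browser security settings for every site. The /hello route, the name parameter and the port are assumptions.

```python
import html
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlparse, parse_qs


def render_greeting(name: str, escape_output: bool = True) -> str:
    """Build the page body for the demo.

    With escape_output=True the reflected parameter is HTML-encoded, which is
    the fix the training session teaches. With False the page reflects the
    parameter verbatim, i.e. the deliberately vulnerable state of the demo.
    """
    shown = html.escape(name, quote=True) if escape_output else name
    return f"<html><body><p>Hello, {shown}</p></body></html>"


def xss_protection_header(training_mode: bool) -> str:
    """Value for the X-XSS-Protection response header.

    '0' asks IE8+ (and Chrome/WebKit builds that shipped the XSS Auditor) to
    leave the reflected-XSS filter off for this one response, so the demo runs
    without changing browser settings globally. Outside the training page,
    send '1; mode=block'.
    """
    return "0" if training_mode else "1; mode=block"


class DemoHandler(BaseHTTPRequestHandler):
    # Assumption: the lab page is served at /hello?name=... (illustrative route).
    training_mode = True

    def do_GET(self):
        url = urlparse(self.path)
        name = parse_qs(url.query).get("name", ["world"])[0]
        body = render_greeting(name, escape_output=not self.training_mode).encode()
        self.send_response(200)
        self.send_header("Content-Type", "text/html; charset=utf-8")
        self.send_header("X-XSS-Protection", xss_protection_header(self.training_mode))
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


if __name__ == "__main__":
    # Bind to loopback only: a vulnerable training page must not be reachable remotely.
    HTTPServer(("127.0.0.1", 8000), DemoHandler).serve_forever()
```

Flip `training_mode` to False to show the class the fixed behaviour: the same input comes back encoded and the header asks the browser to keep its filter on.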

How to extract a list of cookies from Burp May 16, 2012

Posted by alexoldman in Burp, Information security, Penetration testing, Security.

Download your copy of Burp from www.portswigger.net/burp

  1. Spider your application (in Target, right click the host and select “spider this site”)
  2. When spidering has completed [this can take a seriously long time], select Options, Sessions
  3. Select View Cookie Jar
  4. Select the cookies you want to export and then copy/paste. You can use the keyboard shortcut CTRL+A to select all.

Enjoy!

InfoSec 2012 Conference review May 3, 2012

Posted by alexoldman in Advanced Persistent Threat, Information security, Malware, Security, Splunk.

Last week I attended the Information Security 2012 conference at London’s Earls Court. The biggest event of its type in Europe, the InfoSec event brings together security suppliers and customers, providing a traditional sales opportunity, while giving delegates the opportunity to see other potential suppliers or participate in a programme of high-level presentations in four ‘theatres’ on a variety of topics. It’s also a good chance to meet up with other security professionals. The areas that seemed to have the highest attention were: Mobile Security (BYOD and MDM); “Big Data”; Advanced Persistent Threats; Advanced Evasion Techniques; and Security Information and Event Management (SIEM). My particular interests for this show were in Mobile Security (Bring Your Own Device policy development / Mobile Device Management), and Advanced Persistent Threat detection, avoidance and handling.

Mobile Security

iPads are taking off at a phenomenal rate in our working lives. There is a huge move in the way people expect to work. Last year the sales guys had to have iPad 2s, just now the “new iPad” is the must-have executive toy, and really soon it’ll be the workers demanding them in the workplace. This cultural revolution has come as a result of a blurring of boundaries between what is traditionally ‘work’ and what is ‘play’. The technology we want to use supports this lifestyle. Many of the people I communicate with on Facebook are important to me professionally. But not every workplace realises this. Organisational policies need to keep up, while ensuring the protection of client and company interests. Where technology leads, security policy must follow.

Having conceded the inevitability of a BYOD (Bring Your Own Device) policy in my own workplace, I need to understand what the technology capabilities of mobile device management are. I had a demo of the new McAfee Enterprise Mobility Management Platform, which integrates with Exchange ActiveSync (part of Microsoft Exchange) and McAfee’s own ePolicy Orchestrator, to support Apple iOS, Google Android, Microsoft Windows Phone and BlackBerry. The impression I was left with is that the policy enforcement capabilities vary with the platforms (iOS is weak compared with, say, BlackBerry), potentially leaving gaps between policy and enforcement capability. However, MMP is the most rounded product I’ve seen to date (I’ve not seen many!). One feature I particularly like is the idea of a secure container on each device, for storing company data. This can be remotely wiped, which is much more discreet than whole-device wiping. There was also the suggestion that individual emails could be labelled as ‘corporate’ or ‘other’. Although this feature was not demonstrated, it shows how companies are thinking about how to classify corporate data on the move.

Deloitte gave an interesting presentation on Mobile Security trends. They identified that the trend for mobile computing is moving from data consumption to data creation. Deloitte suggested that there were difficulties related to regulation, such as the Financial Services Authority requirement on the auditing of every communication that results in a transaction. They also identified that expertise in secure mobile application development is limited. These are all areas that, as an industry, we need to tackle if we want to enable a secure, mobile workforce.

Deloitte highlighted a case study of a major English utility provider. The study identified in a total user base of 120,000, a population of 30,000 mobile devices, including non-Blackberry devices. There were 25,000 users – indicating that many people have more than one device. The interesting statistic is that 20% of staff used mobile devices for work.

Advanced Persistent Threats

Advanced Persistent Threats are exactly as the name suggests. They are an on-going type of attack that is highly motivated and resourced and typically goes for high-value assets. The best publicised attacks are on Iran’s nuclear weapons development programme (Stuxnet), and the hack of security company RSA, which ultimately led to the compromise of the defence contractor Lockheed Martin. The problem with APT is that even if you do detect and prevent one attack, ‘they’ will come again in another wave. ‘They’ are… persistent.

I was therefore interested in developing my own knowledge of APT prevention, detection and response, which is already quite well researched.

Lee Lawson from Dell SecureWorks gave an entertaining overview of APT in the InfoSec Technical Theatre. I had a light-bulb moment at the suggestion of cutting communication with the command and control servers, as a way to defeat an infection. This session didn’t answer my main question, which is how to defend against APT as a general threat, but as a response plan it’s a no-brainer. This ‘severing the head’ approach is already written into my botnet and malware outbreak response plans.

Other stuff

I had a quick demo of Nexpose by Rapid7, the same people who provide the Metasploit security testing framework. Nexpose is a vulnerability scanner, but looks to be nothing more than a Nessus clone. Disappointing.

I saw a more detailed demo of Splunk’s Enterprise Security module, which will form part of a security posture initiative I am implementing at work. I hope to make Information Security Risk easier to comprehend, and therefore manage.

In general, InfoSec was an excellent conference, with a great balance between learning new stuff and exploring what I already understood.

How to import McAfee data into Splunk May 3, 2012

Posted by alexoldman in Malware, Security.

I am a huge fan of Splunk. I still think it’s the most innovative system I’ve seen in the last 15 years.

Splunk Enterprise Security 2.0 (formerly called ESS – Enterprise Security Suite) is a pay-to-play add-on to Splunk. It includes McAfee ePO anti-virus as an out-of-the-box data source. For a list of supported data sources see http://docs.splunk.com/Documentation/ES/latest/CreateTA/Out-of-the-boxsourcetypes

There are many advantages to ESS, including really cool correlation technology, which would allow for better APT (Advanced Persistent Threat) detection, for example by building rules that look at infections and AV service halts together with firewall and IDS/IPS activity.
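To make the kind of correlation rule described above concrete, here is an added illustration in Python. It is not Splunk code or an ES correlation search, and the event records are constructed in an already-normalised form, not real McAfee ePO, firewall or IDS output. The rule flags a host where an infection detection is followed within a short window by an AV service stop, outbound firewall activity and an IDS alert, which is a far stronger signal than any one of those events alone.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (timestamp, host, event type, message), shaped as a
# technology add-on would present them after field extraction. Illustrative only.
SAMPLE_EVENTS = [
    ("2012-05-03 09:00:12", "ws-042", "av_infection", "Trojan.Generic detected, cleaned"),
    ("2012-05-03 09:03:40", "ws-042", "av_service_stop", "McShield service stopped"),
    ("2012-05-03 09:05:02", "ws-042", "fw_outbound", "allow tcp/443 to 203.0.113.10"),
    ("2012-05-03 09:06:30", "ws-042", "ids_alert", "periodic beacon pattern"),
    ("2012-05-03 10:15:00", "ws-007", "av_infection", "Adware detected, cleaned"),
    ("2012-05-03 14:40:00", "ws-007", "fw_outbound", "allow tcp/80 to 198.51.100.5"),
    ("2012-05-03 11:00:00", "ws-099", "av_service_stop", "service stopped for patching"),
]


def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")


def correlate(events, window=timedelta(minutes=15), min_sources=3):
    """Flag hosts where an infection event is followed, within `window`, by
    enough distinct event types to reach `min_sources`.

    Returns {host: sorted list of the event types seen in the window}. A lone
    cleaned infection (ws-007) or a lone service stop (ws-099) is not enough;
    the combination on ws-042 is what a SIEM correlation rule is for.
    """
    by_host = defaultdict(list)
    for ts, host, etype, _msg in events:
        by_host[host].append((parse_ts(ts), etype))

    flagged = {}
    for host, evs in by_host.items():
        evs.sort()
        for anchor_ts, anchor_type in evs:
            if anchor_type != "av_infection":
                continue
            kinds = {etype for ts, etype in evs if anchor_ts <= ts <= anchor_ts + window}
            if len(kinds) >= min_sources:
                flagged[host] = sorted(kinds)
                break  # one hit per host is enough to raise a notable event
    return flagged


if __name__ == "__main__":
    for host, kinds in correlate(SAMPLE_EVENTS).items():
        print(f"{host}: {', '.join(kinds)}")
```

Tuning the window and the number of sources is the real work: too wide and every cleaned adware hit becomes an incident, too narrow and a slow-moving intrusion slips through.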

The other anti-virus add-ins provided with ES 2.0 are TA-sep, which supports Symantec AntiVirus version 10 and earlier and Symantec AntiVirus 11 and later, and TA-trendmicro for Trend Micro.

I would hope that Splunk would see good sense in making the TA-McAfee more generally available, since their licensing is built on data volumes and not on features. But for the moment this is a niche requirement, with some really innovative technology that goes beyond “normal Splunk”. I understand why early adopters have to pay for this.

You can also create custom add-ons to ES for other anti-virus data sources. For information about creating technology add-ons for ES 2.0 see http://docs.splunk.com/Documentation/ES/latest/CreateTA/CreatingaTechnologyAdd-on

Hyena Access is denied in Windows 7 January 12, 2012

Posted by alexoldman in Computer, Security.

I use Hyena from SystemTools.com for extracting various reports on Active Directory.

I’ve just installed it on Windows 7 64-bit and I hit the following error message when running the Exporter Pro module:

Unable to open Hyena configuration file ‘C:\Program Files\Hyena\HYENA_EXPORTER_PRO.DAT’. Verify configuration and/or installation. Access is denied.

The solution was to run Hyena as Administrator, which is simply a case of right-clicking the Hyena icon and selecting Run As.

Four attributes to secure cookies January 12, 2012

Posted by alexoldman in Computer, Information security, Security.

These days, not a single penetration test report or vulnerability scan report goes past my desk without a mention of a cookie vulnerability. In fact, it’s becoming a bit boring, so I thought I’d write about it here, so that future web applications are more ‘secure by design’.

For the uninitiated, “cookies” are files that are written to computers to record important information about the web applications you are using. They are often used to store session token data, or as a temporary data repository, such as the contents of your shopping cart. Because cookies are used by applications like on-line banks, they are good fodder for hackers and the criminally inclined.

This blog is about securing cookies. Cookies are a basic requirement of any web application because the HTTP protocol was not designed to support sessions. If you consider the use of these four attributes when creating cookies, you may be able to avoid filling my desk up with your cookie problems.

  1. Secure attribute – whenever a cookie contains sensitive information or is a session token, it should be passed using an encrypted tunnel. Setting the Secure attribute on a cookie is one way to ensure this.
  2. HttpOnly attribute – this attribute prevents the cookie from being accessed by client-side script, such as JavaScript, which may protect against the very common Cross-Site Scripting attacks.
  3. Domain attribute – the Domain attribute should be set for the specific application, such as “; domain=app.mydomain.com” and NOT “; domain=.mydomain.com”, as the latter would allow other potentially vulnerable servers to receive the cookie.
  4. Path attribute – the Path attribute should also be set as tightly as possible. Even if the Domain attribute is set, a loose Path attribute may create a vulnerability to less secure applications on the same server. So if the application resides at /myapp/ then set the cookie path to “; path=/myapp/” and NOT “; path=/” or “; path=/myapp”. The trailing slash must be used after myapp, else the cookie can be sent to any path that matches “myapp”, such as “myapp-hacked”.

For more information on developing secure web applications see www.owasp.org

Happy developing!
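The following Python is an added example, not the author’s code or any library’s API. It assembles a Set-Cookie header carrying the four attributes, audits an existing header against them the way a scanner would, and compares the plain prefix path matching the post warns about with the stricter RFC 6265 path-match rule. Cookie names, domains and paths are illustrative.

```python
def build_set_cookie(name, value, domain, path, secure=True, http_only=True):
    """Assemble a Set-Cookie header value carrying the four attributes."""
    parts = [f"{name}={value}", f"Domain={domain}", f"Path={path}"]
    if secure:
        parts.append("Secure")      # only ever sent over HTTPS
    if http_only:
        parts.append("HttpOnly")    # not readable by client-side script
    return "; ".join(parts)


def parse_set_cookie(header):
    """Split a Set-Cookie header into (name, value, {attribute_lowercase: value})."""
    first, *rest = [p.strip() for p in header.split(";")]
    name, _, value = first.partition("=")
    attrs = {}
    for part in rest:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name, value, attrs


def audit_set_cookie(header):
    """Return the findings a pentest report would raise against the four attributes."""
    _, _, attrs = parse_set_cookie(header)
    findings = []
    if "secure" not in attrs:
        findings.append("missing Secure")
    if "httponly" not in attrs:
        findings.append("missing HttpOnly")
    # An absent Domain makes the cookie host-only (the browser default), which is
    # at least as tight as naming the host; a leading dot shares it with every
    # subdomain, which is the case the post warns about.
    if attrs.get("domain", "").startswith("."):
        findings.append("Domain is too broad")
    path = attrs.get("path", "")
    if path in ("", "/"):
        findings.append("Path is too broad")
    elif not path.endswith("/"):
        findings.append("Path lacks trailing slash")
    return findings


def legacy_path_match(cookie_path, request_path):
    """Plain prefix match, the behaviour the post warns about: /myapp also
    covers /myapp-hacked."""
    return request_path.startswith(cookie_path)


def rfc6265_path_match(cookie_path, request_path):
    """RFC 6265 section 5.1.4 path-match: the cookie path must either end in '/'
    or stop at a '/' boundary in the request path."""
    if request_path == cookie_path:
        return True
    if not request_path.startswith(cookie_path):
        return False
    return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"


if __name__ == "__main__":
    weak = "SESSIONID=abc123; domain=.mydomain.com; path=/"
    strong = build_set_cookie("SESSIONID", "abc123", "app.mydomain.com", "/myapp/")
    print("weak:  ", audit_set_cookie(weak))
    print("strong:", audit_set_cookie(strong))
```

Under RFC 6265 matching, “/myapp” does not cover “/myapp-hacked” because the prefix must end at a “/” boundary, but the trailing slash costs nothing and removes any reliance on which rule a given browser implements, which is why the audit still flags its absence.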

NMAP Service version switch November 7, 2011

Posted by alexoldman in Information security, Security.

Nmap is an incredibly flexible tool for analysing network vulnerabilities. It has some god-like capabilities.

One useful switch is -sV which enables service version detection.

For example:

nmap server1 -sV -p5900

will examine host server1 for the version of the service on port 5900 (default port for VNC).
You can download the nmap tool from http://www.nmap.org/download.html
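As an added example that is not from the post or the Nmap project, here is a Python parser for the XML that nmap writes with its -oX option, pulling out the service, product and version that -sV reported for each open port and separating out the ports it could only guess from the port table. The XML is a constructed sample in that format, not a real scan, and the host name and address are illustrative.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the format nmap writes with -oX (trimmed to the
# elements used here); not the output of a real scan.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap server1 -sV -p22,3306,5900,8080 -oX -">
  <host>
    <status state="up" reason="echo-reply"/>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <hostnames><hostname name="server1" type="user"/></hostnames>
    <ports>
      <port protocol="tcp" portid="22">
        <state state="open" reason="syn-ack"/>
        <service name="ssh" product="OpenSSH" version="5.3p1" method="probed" conf="10"/>
      </port>
      <port protocol="tcp" portid="3306">
        <state state="open" reason="syn-ack"/>
        <service name="mysql" method="table" conf="3"/>
      </port>
      <port protocol="tcp" portid="5900">
        <state state="open" reason="syn-ack"/>
        <service name="vnc" product="RealVNC" version="4.1.3" method="probed" conf="10"/>
      </port>
      <port protocol="tcp" portid="8080">
        <state state="closed" reason="reset"/>
        <service name="http-proxy" method="table" conf="3"/>
      </port>
    </ports>
  </host>
</nmaprun>
"""


def parse_services(xml_text):
    """Return one dict per open port: host, ip, port, proto, service, product, version, conf."""
    results = []
    for host in ET.fromstring(xml_text).iter("host"):
        addr = host.find("address[@addrtype='ipv4']")
        hostname = host.find("hostnames/hostname")
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # closed/filtered ports carry no service version
            svc = port.find("service")
            results.append({
                "host": hostname.get("name") if hostname is not None else None,
                "ip": addr.get("addr") if addr is not None else None,
                "port": int(port.get("portid")),
                "proto": port.get("protocol"),
                "service": svc.get("name") if svc is not None else None,
                "product": svc.get("product") if svc is not None else None,
                "version": svc.get("version") if svc is not None else None,
                "conf": int(svc.get("conf", "0")) if svc is not None else 0,
            })
    return results


def needs_manual_check(results, min_conf=5):
    """Open ports whose service was only guessed from the port table (no version,
    low confidence): -sV could not fingerprint them, so verify by hand."""
    return [r for r in results if r["version"] is None or r["conf"] < min_conf]


def service_on_port(results, port):
    """Look up one port, e.g. the VNC version on 5900 from the post's example."""
    for r in results:
        if r["port"] == port:
            return r
    return None


if __name__ == "__main__":
    found = parse_services(SAMPLE_NMAP_XML)
    for r in found:
        print(f"{r['host']} {r['port']}/{r['proto']} {r['service']} {r['product']} {r['version']}")
    print("verify manually:", [r["port"] for r in needs_manual_check(found)])
```

The conf attribute is nmap’s own 1 to 10 confidence score; services identified by probing carry a high value, while a bare port-table guess sits low, which is what the manual-check filter keys on.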

Updating Malwarebytes offline June 15, 2011

Posted by alexoldman in Computer, Information security, Malware, Security.

I am a big fan of the Malwarebytes system, as it seems more effective for detecting and cleaning malware than other much more expensive tools aimed at the Enterprise. Sadly it’s not as developed as more expensive tools such as McAfee, so centralised deployment and updates are difficult to manage.

Here is a hint for updating Malwarebytes offline.

After you install Malwarebytes it wants to connect to the internet to update. You may be unwilling or unable to connect to the internet.

Assuming you have a computer with Malwarebytes installed and updated, you can copy RULES.REF from C:\Documents and Settings\All Users\Malwarebytes\Malwarebytes' Anti-Malware to the infected computer, and that in effect updates your install of Malwarebytes.

Download via http://www.malwarebytes.org

Enjoy!

Humour: Clown Computing versus Cloud Computing May 20, 2011

Posted by alexoldman in Computer, Humour.

[Image: Clown Computing versus Cloud Computing]

It’s been a while since I last blogged, but I thought I would share some cloud humour with you. This is original, all my own work!

Disable HacmeBank localhost only access March 18, 2011

Posted by alexoldman in Security.

HacmeBank is a vulnerable web application produced a few years back by Foundstone, now part of McAfee. It’s useful for teaching (learning) attack and defence techniques in web application security.

I run a VMware (Win XP) virtual machine on my Windows 7 machine, to deal with some of the Windows 7 incompatibility problems, such as the .NET Framework version. However, I run my penetration test tools in my Windows 7 host, so I have to make the HacmeBank web application available to my host. By design, the HacmeBank web application is configured to only allow local access (127.0.0.1). You can comment out a line in C:\Inetpub\wwwroot\HacmeBank_v2_Website\Web.config as follows to allow remote access.

<!-- <add name="HttpModule_onlyAllowLocalAccess" type="HacmeBank_v2_Website.httpModules.HttpModule_onlyAllowLocalAccess,HacmeBank_v2_Website"/> -->

Please be aware that removing this restriction makes your computer vulnerable to remote exploit via the HacmeBank web application. In my case, that’s a VM, so it’s okay to do.