Slashdot Mirror
Ask Slashdot: Do-It-Yourself Security Auditing Tools?
An anonymous reader writes "I'm a 'prosumer' website builder, have a few sites that are mainly hobbies, but I would like to know that they're at least fairly robust. I'm thinking of the equivalent of a 'dental clinic' — where someone interested in the white hat security field might be willing to take on an audit for the experience and to build a resume. Or, tools such as websites that let you put in a password and see how long it takes to crack it. Or sites where you can put in a URL and it gets poked and prodded by a number of different cracker tools and a 'score' is given. Ideally with suggestions on how to improve. Does anything like that exist? I'm not talking FBI/CIA level security, but just common-sense basics. I've tried to use techniques that improve security, but I don't know how well they work. And I've realized that in the ever growing, fast changing field of computers I'm not going to ever get the knowledge I need to do this myself. I know there are software suites that allow you to sniff and test things on your own, but I'm afraid it's overwhelmingly foreign to me and I just feel like I can't reliably do this myself. Any ideas?"
This is a nifty suite of programs made for a lot of what you want that runs on a Raspberry Pi. If you don;t want to get a Pi you can look at the list of software and download then into your favorite Linux distro. Most (if not all) of these are open source.
http://pwnpi.sourceforge.net/
You say things that offend me and I can deal with it. Can you?
What's the point of "basic" security check?
But a quick search for metasploit should get you going, perhaps add a Nessus scan and go watch some Def Con presentations on SQL injection and penetration testing http://www.youtube.com/user/ChRiStIaAn008 is a good place to start.
If you have a decent hosting company, they'll do this for you. Mine will send out alerts if a popular CMS install has a known hole in it, and require people to upgrade the software.
Some people die at 25 and aren't buried until 75. -Benjamin Franklin
There are plenty of web (vulnerability scanners) that you could use, some requiring no experience and point and click, otherwise will require prior knowledge.
http://sectools.org/tag/web-scanners/
From the way you describe your goal, you are building mostly one-off websites. For small companies and the like? You'll be best off just using popular open source products like Drupal, WordPress, or ModX and keeping up to date with security updates. Many of these will automatically notify you of security updates and you can apply them right away. Don't try to host the websites on your own server either. Get a hosting product from a company that will keep the underlying OS, Apache, and PHP up to date and secure. This will reduce your exposure quite a bit. You still need to make sure to choose good passwords. Nessus or OpenVAS are also an option.
Ceci n'est pas un post
Two articles on arstechnica recently covered booters (paid services to attack your sites using a large set of vectors), and password cracking for script kiddies.
Here they are :
http://arstechnica.com/security/2013/03/details-on-the-denial-of-service-attack-that-targeted-ars-technica/
http://arstechnica.com/security/2013/03/how-i-became-a-password-cracker/
That should give you a first hint...
Posting as AC because for some annoying reason Slashdot won't let me log ion right now...
https://www.owasp.org/index.php/Web_Application_Penetration_Testing
Whether you wanted to or not, just by having a site, you've already asked the whole Internet to check it out. One way to find out if you've done things right, is to look for evidence that you've done things wrong. And there's a little tip I learned...
Grep your logs for your table names.
If you have an injection hole, for example, then automated spiders have already found it and exploited it, and (so far) they don't obfuscate or even escape/character-encode their requests, so you'll plainly see their injected queries in your logs.
Preferably, look for site-unique table names, so that you'll know they could have only gotten the name by successfully querying the schema. You're going to see lots of scary-looking things in your logs, but some of those are just unsuccessful attempts. A unique table name (hint: use tables names with the word "user" or "password" in them) will be a dead giveaway they succeeded.
Don't ask me how I know what that looks like. Hey, it wasn't my fault. Mostly. Ok, partly but mostly not. Look, it's complicated, and involves an inherited legacy, OKAY?! Everybody just back off. ;-)
Anyway, when you see that, then it means you screwed up, so you'll learn something and know you need to fix something. If you don't see it .. sadly, you won't really know much more than you did before.
No.You'd be able open my luggage if I gave you that.
Sectools.org has a comprehensive list of tools with explanations of what each one does. Look at the web tools and the vulnerability scanners and you will find something you feel comfortable using. Most of the other tools mentioned so far can be found there. Also, the Open Web Applicaiton Security project (owasp.org) has some good information on secure app development.
good luck.
Average Intelligence is a Scary Thing
If yours isn't a mass-market, mass-profit, hugely-popular site, you don't need to secure it. You just need to be different enough that the standard chinese attack vectors looking for standard run-of-the-mill popular web-site building packages don't find any.
Trust me, no one's going to your tiny site and trying to find the holes -- no matter how big they are.
We secure bank vaults with big heavy locks. Your house with a tiny mediocre lock. Your car door with a tinnier very crappy lock. Your car trunk with a down-right shitty lock.
Just be different. It'll get you through the 99% that you care about.
This suite of tools used to go under the name of "BackTrack", most recently BackTrack 5. It has now been named Kali Linux.
This is a full-blown Linux distro with all the security tools you are ever likely to need. Metasploit? It's there. Nessus? It's there. The actual list of tools is huge.
Kali won't teach you everything about using the tools (though there are good instructions available online). But it does offer all you could want in one package.
Hate to tell you, but security auditing is mostly about documentation. Checking that the right documents are in place and have been updated, verifying office procedures, physical security, etc. Technical tests are mostly about checking for the status and presence of files or configurations, not about probing networks or white hat hacking. There is a vaild business opportunity in pen testing, which is just one component of auditing, and is not even needed for every type of audit.
This. While it would seem logical to put a round of known vulnerabilities into a scanner (like a Virus Scanner works) in the real world this is extremely tricky. Vulnerabilities that come about from combinations of different packages and different configurations interacting are very hard to systematically detect, and even if you do detect them they are just one piece in the huge puzzle that is information security.
Case in point, I often get audit reports from "creditable" security professionals that there are a set of vulnerabilities in XYZ product, specific to "somesoft operating system 9.0", when in fact the product in question uses no such operating system (or even one similar to it) so the "audit" was obviously just a set of false-positives from a scanner tool. Scanner tools are just that, a TOOL, they are not even close to a true security solution that would produce a meaningful audit; that can only come (at least in this day and age) from a combination of tools and a *lot* of expertise.
hunter2
The known vectors are finite.
Yes, the number equals 1: human.
Fix that attack vector and you won't have anything to worry about.
We will bankrupt ourselves in the vain search for absolute security. -- Dwight D. Eisenhower
No matter what an intruder tries, if you put your operating system on read-only media, intrusion becomes limited.
Of course, installation and changes become more difficult because you must reboot with your media set to read-write, then reboot again to read-only. SDHC memory works well for this, since it has a read-write switch like the old floppy drives. Put the memory in a
USB "card reader" for SD
(microSD doesn't appear to have a read-write switch).
You can insert the SDHC in something that looks like a flash drive, then insert the whole in a USB slot.
Or, you can use something like the Adonics eSATA/USB Digidrive
http://www.addonics.com/products/aepddesu.php
to connect to your computer's eSATA port (if you have such a port on the back of your computer),
which is probably more efficient (fewer waits) than a USB 3.0 connection.
In Linux, you might choose to put most of your operating system on SDHC switched to read-only,
then put a variable area on a regular disk drive for logs, although you can put logs into a memory area that disappears on reboot.
Or you might put your webpages on a separate SDHC,
so your webpages get no intrusion changes.
You could then unmount your webpage SDHC, switch to read-write, make changes, unmount, switch to read-only.
In Debian Linux, the foundation for most Linuxes (eg, Ubuntu), you can look at the "Securing Debian Manual",
http://www.debian.org/doc/manuals/securing-debian-howto/securing-debian-howto.en.pdf
Debian has a highly tailored Aide (like tripwire) that uses checksums to detect any file changes.
In Debian, "dar" Disk Archiver (like tar) makes backups on external disk drives, but dar probably requires some tailoring (I use dar).
For a firewall, you could use Debian's easily used Guarddog.
In some sense, Debian is the administrator's operating system -- for the serious.
I'd recommend you proxy your web site through CloudFlare -- www.cloudflare.com -- by having them handle your DNS. You can read more about them at their web site -- I'm not affiliated with them in any way. They offer a free proxy service that acts as a web application firewall and will do a good job at blocking hack attempts.
From there, you should restrict your webserver's firewall to only allow traffic from CloudFlare's known IPs, so people cannot directly hit your webserver.
If Linux, install fail2ban on the SSH daemon + require SSH-key based access (no passwords!)
Finally, get a copy of the home version of Nessus from Tenable and use that to scan your server. It's interface is relatively easy to use, and if you hit your webserver IPs every couple months with this, in addition to using CloudFlare and hardening your SSH daemon, you should be in good shape and not have to worry about silly hacks.
Not true at all.
While humans are the biggest attack surface, they are far from the only one.
My suggestions are Backtrack Linux & a copy of The Art of Deception by Kevin Mitnick.
Backtrack has some great security auditing tools, however you will still need to understand exploits to test for them. The Art of Deception gives real world examples of social engineering & suggestions on how to plug those gaping holes called humans.