How To Protect your Linux Server Against the GHOST Vulnerability

Introduction

On January 27, 2015, a GNU C Library (glibc) vulnerability, referred to as the GHOST vulnerability, was announced to the general public. In summary, the vulnerability allows remote attackers to take complete control of a system by exploiting a buffer overflow bug in glibc’s GetHOST functions (hence the name). Like Shellshock and Heartbleed, this vulnerability is serious and affects many servers.

The GHOST vulnerability can be exploited on Linux systems that use versions of the GNU C Library prior to glibc-2.18. That is, systems that use glibc-2.2 to glibc-2.17 are at risk. Many Linux distributions including, but not limited to, the following are potentially vulnerable to GHOST and should be patched:

  • CentOS 6 & 7
  • Debian 7
  • Red Hat Enterprise Linux 6 & 7
  • Ubuntu 10.04 & 12.04
  • End of Life Linux Distributions

It is highly recommended that you update and reboot all of your affected Linux servers. We will show you how to test if your systems are vulnerable and, if they are, how to update glibc to fix the vulnerability.

Check System Vulnerability

The easiest way to test if your servers are vulnerable to GHOST is to check the version of glibc that is in use. We will cover how to do this in Ubuntu, Debian, CentOS, and RHEL.

Ubuntu & Debian

Check the version of glibc by looking up the version of ldd (which uses glibc) like this:

ldd --version

The first line of the output will contain the version of eglibc, the variant of glibc that Ubuntu and Debian use. It might look like this, for example (the package version to compare is the string inside the parentheses, 2.15-0ubuntu10.7 in this example):

ldd (Ubuntu EGLIBC 2.15-0ubuntu10.7) 2.15
Copyright (C) 2012 Free Software Foundation, Inc.
This is free software; see the source for copying conditions.  There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
Written by Roland McGrath and Ulrich Drepper.

If the version of eglibc matches, or is more recent than, the ones listed here, you are safe from the GHOST vulnerability:

  • Ubuntu 12.04 LTS: 2.15-0ubuntu10.10
  • Ubuntu 10.04 LTS: 2.11.1-0ubuntu7.20
  • Debian 7 LTS: 2.13-38+deb7u7

If the version of eglibc is older than the ones listed here, your system is vulnerable to GHOST and should be updated.

CentOS & RHEL

Check the version of glibc by looking up the version of ldd (which uses glibc) like this:

ldd --version

The first line of the output will contain the version of glibc. It might look like this, for example (the version is the number at the end of the first line, 2.17 in this example):

ldd (GNU libc) 2.17
Copyright (C) 2012 Free Software Foundation, Inc.
This is free software; see the source for copying conditions.  There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
Written by Roland McGrath and Ulrich Drepper.

If the version of glibc is older than 2.18, your system is vulnerable to GHOST and should be updated. If you are using 2.18 or later, you are safe from the vulnerability.
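The two checks above can be scripted. The following is an added example, not part of the original tutorial: it parses the first line of `ldd --version`, applies the package-version comparison for Ubuntu/Debian (using the fixed versions listed above) and the upstream 2.2 to 2.17 range otherwise. The version ordering is a simplified approximation of dpkg's algorithm (digit runs compare numerically, separators lexically); the `~` and epoch rules are not handled, which is enough for the version strings on this page. The function names and the 600-second-free `check_local_system` helper are this example's own.

```python
import re
import subprocess

# Distribution package versions that carry the backported fix, as listed in the text above.
FIXED_PACKAGE_VERSIONS = {
    "Ubuntu 12.04 LTS": "2.15-0ubuntu10.10",
    "Ubuntu 10.04 LTS": "2.11.1-0ubuntu7.20",
    "Debian 7 LTS": "2.13-38+deb7u7",
}
FIRST_VULNERABLE_UPSTREAM = "2.2"   # glibc-2.2 introduced the bug
FIRST_FIXED_UPSTREAM = "2.18"       # fixed between 2.17 and 2.18


def parse_ldd_first_line(line):
    """Split the first line of `ldd --version` into (package_version, upstream_version).

    "ldd (Ubuntu EGLIBC 2.15-0ubuntu10.7) 2.15" -> ("2.15-0ubuntu10.7", "2.15")
    "ldd (GNU libc) 2.17"                        -> (None, "2.17")
    """
    match = re.match(r"ldd \((.*)\) (\S+)", line.strip())
    if match is None:
        raise ValueError("not an ldd --version banner: %r" % line)
    inside, upstream = match.group(1), match.group(2)
    # Debian-style builds put the full package version inside the parentheses;
    # a plain "GNU libc" banner carries no package version at all.
    package = inside.split()[-1] if re.search(r"\d", inside) else None
    return package, upstream


def version_key(version):
    """Sort key approximating Debian version ordering: digit runs compare numerically,
    the separators between them lexically, so 10.7 < 10.10 and deb7u6 < deb7u7.
    Simplification (assumption of this example): no '~' or epoch handling."""
    return [(sep, int(num)) for sep, num in re.findall(r"([^0-9]*)([0-9]+)", version)]


def is_vulnerable(ldd_first_line, fixed_package_version=None):
    """True when the banner indicates a glibc still exposed to GHOST.

    Pass the distribution's fixed package version (see FIXED_PACKAGE_VERSIONS) when the
    banner carries a package version; otherwise the upstream 2.2 .. 2.17 range decides.
    """
    package, upstream = parse_ldd_first_line(ldd_first_line)
    if package is not None and fixed_package_version is not None:
        return version_key(package) < version_key(fixed_package_version)
    key = version_key(upstream)
    return version_key(FIRST_VULNERABLE_UPSTREAM) <= key < version_key(FIRST_FIXED_UPSTREAM)


def check_local_system(fixed_package_version=None):
    """Run `ldd --version` on this machine and return (first_line, vulnerable?)."""
    banner = subprocess.run(["ldd", "--version"], capture_output=True, text=True, check=True).stdout
    first_line = banner.splitlines()[0]
    return first_line, is_vulnerable(first_line, fixed_package_version)


if __name__ == "__main__":
    line, exposed = check_local_system()
    print(line)
    print("vulnerable" if exposed else "not vulnerable by this check")
```

Because distributions backport fixes, the upstream number alone can mislead once you have patched: CentOS and RHEL keep the same upstream glibc version after applying the RHSA-2015-0090 errata, so after a yum update compare the package version from `rpm -q glibc` with the vendor errata rather than expecting the banner to read 2.18.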

Fix Vulnerability

The easiest way to fix the GHOST vulnerability is to use your default package manager to update the version of glibc. The following subsections cover updating glibc on various Linux distributions, including Ubuntu, Debian, CentOS, and Red Hat.

APT-GET: Ubuntu / Debian

For currently supported versions of Ubuntu or Debian, update all of your packages to the latest versions available via apt-get (dist-upgrade is only needed if you also want to upgrade the kernel):

sudo apt-get update && sudo apt-get upgrade
## only run dist-upgrade on Ubuntu if you want to upgrade the kernel too
## sudo apt-get dist-upgrade

Then respond to the confirmation prompt with y.

When the update is complete, reboot the server with this command:

sudo reboot

A reboot is necessary since the GNU C Library is used by many applications that must be restarted to use the updated library.

Now verify that your system is no longer vulnerable by following the instructions in the previous section (Check System Vulnerability).

YUM: CentOS / RHEL

Note: The updated version of glibc for CentOS is not available via yum, at the time of this writing (Jan 27, 2015, 10:00pm EST). Check back later for an update.

Update glibc to the latest version available via yum:

sudo yum update glibc

Then respond to the confirmation prompt with y.

When the update is complete, reboot the server with this command:

sudo reboot

A reboot is necessary since the GNU C Library is used by many applications that must be restarted to use the updated library.

Now verify that your system is no longer vulnerable by following the instructions in the previous section (Check System Vulnerability).

Conclusion

Be sure to update glibc on all of your affected Linux servers. Also, be sure to keep your servers up to date with the latest security updates!

Original Post: https://www.digitalocean.com/community/tutorials/how-to-protect-your-linux-server-against-the-ghost-vulnerability

The Laws of Vulnerabilities – The GHOST Vulnerability

The GHOST vulnerability is a serious weakness in the Linux glibc library. It allows attackers to remotely take complete control of the victim system without having any prior knowledge of system credentials. CVE-2015-0235 has been assigned to this issue.

Qualys security researchers discovered this bug and worked closely with Linux distribution vendors. As a result, we are releasing this advisory today as a coordinated effort, and patches for all distributions are available as of January 27, 2015.

What is glibc?

The GNU C Library or glibc is an implementation of the standard C library and a core part of the Linux operating system. Without this library a Linux system will not function.

What is the vulnerability?

During a code audit Qualys researchers discovered a buffer overflow in the __nss_hostname_digits_dots() function of glibc. This bug can be triggered both locally and remotely via all the gethostbyname*() functions. Applications have access to the DNS resolver primarily through the gethostbyname*() set of functions. These functions convert a hostname into an IP address.

More details can be found in this advisory or in the YouTube interview below.


Amol Sarwate discusses the GHOST Vulnerability.

What is the risk?

There is a remote code execution risk due to this vulnerability. An attacker who exploits this issue can gain complete control of the compromised system.

Is the risk real?

During our testing, we developed a proof-of-concept in which we send a specially created e-mail to a mail server and can get a remote shell to the Linux machine. This bypasses all existing protections (like ASLR, PIE and NX) on both 32-bit and 64-bit systems.

What can be done to mitigate the risk?

The best way to mitigate the risk is to apply a patch from your Linux vendor. Qualys has worked closely with Linux distribution vendors and patches are available as of today January 27, 2015.

Why is it called the GHOST vulnerability?

It is called the GHOST vulnerability because it can be triggered by the GetHOST functions.

Is this a design flaw?

No. This is an implementation problem in the affected versions of the software.

What versions and operating systems are affected?

The first vulnerable version of the GNU C Library affected by this is glibc-2.2, released on November 10, 2000. We identified a number of factors that mitigate the impact of this bug. In particular, we discovered that it was fixed on May 21, 2013 (between the releases of glibc-2.17 and glibc-2.18). Unfortunately, it was not recognized as a security threat; as a result, most stable and long-term-support distributions were left exposed including Debian 7 (wheezy), Red Hat Enterprise Linux 6 & 7, CentOS 6 & 7, Ubuntu 12.04, for example.

Where can I download the exploit?

We want to give everyone enough time to patch. According to our data, once the vulnerability has reached its half-life we will release the exploit. Half-life is the time interval measuring a reduction of a vulnerability’s occurrence by half. Over time, this metric shows how successful efforts have been to eradicate a vulnerability. A shorter half-life indicates faster remediation. Half-life was originally coined by Qualys in the Laws of Vulnerabilities.

Qualys customers can detect GHOST by scanning with the Qualys Vulnerability Management (VM) cloud solution as QID 123191. This means that Qualys customers can get reports detailing their enterprise-wide exposure during their next scanning cycle, which allows them to get visibility into the impact within their organization and efficiently track the remediation progress of this serious vulnerability.

References:

Qualys Advisory: https://www.qualys.com/research/security-advisories/GHOST-CVE-2015-0235.txt

RedHat: https://rhn.redhat.com/errata/RHSA-2015-0090.html

Ubuntu: https://launchpad.net/ubuntu/+source/eglibc

Debian: https://security-tracker.debian.org/tracker/CVE-2015-0235

GNU C Library: http://www.gnu.org/software/libc/

Mitre: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0235

Original Post: https://community.qualys.com/blogs/laws-of-vulnerabilities/2015/01/27/the-ghost-vulnerability

Overview of Automated Malware Analysis in the Cloud

Malicious attackers are constantly on the lookout for new and advanced attacks, which they use to spread malware around the world. There are a vast number of malware samples spreading around the Internet by using different attack vectors: malware can spread as email attachments, drive-by download attacks, watering hole attacks, etc. Because of the vast number of malicious samples being distributed by attacks, automated malware analysis techniques are a necessity. In this article, we’ll take a look at different automated malware analysis tools provided online and evaluate how malware can detect that it is being executed in such an environment.

There are millions of malware samples being distributed around the world on a daily basis, which makes malware very widespread today. Despite so many malware samples constantly targeting different sectors of business, only a handful of them are actually new malware samples that do things differently. The majority of malware samples are simple derivations of known malware samples, which have already been analyzed. Therefore, they can almost always be thoroughly analyzed by using one of the cloud automated malware analysis platforms; we can choose from many such services, which will be presented later in the article and are mostly free to use. The problem with new malware samples is that they can be too complex for cloud automated malware services to analyze, since they can use different techniques to detect an automated malware analysis environment and execute a benign program instead.

Malware samples can use the following techniques to detect whether they are being executed in an automated malware analysis environment:

  • Detecting a sandbox: a sandbox provides a virtual environment where a malware sample can be executed to determine whether the sample is malicious or not.
  • Detecting a debugger: when malware is analyzed in a debugger, it can use different functions and techniques to detect if it’s being analyzed. The debugger is usually used when analyzing malware samples manually and not by automated cloud malware analysis services, but can still provide different barriers a malware analyst must overcome to be able to analyze malicious samples.
  • Detecting a virtual environment: almost all of the cloud automated malware services analyze malware samples in a virtualized environment. This is because virtual machines provide many advantages that are quite useful when doing malware analysis. An especially useful feature is snapshots, which can be used to revert the virtual machine to its state prior to malware infection. So we can set up a virtual machine, usually running the Windows operating system, install all the required tools that we need for malware analysis, and create a snapshot of that virtual machine. Then we can run the malware inside that virtual machine, obtaining all the interesting pieces of information we can get in order to determine whether the sample is malicious and what it does. After the analysis is complete, we can revert to the snapshot we created earlier and start with a clean system ready to analyze another malware sample.

1. Cloud malware analysis services

There are plenty of automated malware analysis services on the Internet, most of which are free and can be used by anyone. Despite the services automating most parts of malware analysis, the analyst still requires deep understanding of what he’s looking for in order to understand the service’s output. In this article, we’ll take a look at the output provided by services supporting analysis of PE file formats or Windows executables, which are the following:

2. Determine if binary sample is malicious

Prior to using any of the services above, we might want to analyze a binary sample on VirusTotal, which will give us an indication of whether the sample is malicious or not. If the binary sample is quite new, there’s a good chance that the binary won’t be detected as malicious, because the anti-virus companies have not yet had time to update their signatures. Since anti-virus solutions don’t check only signatures, the sample must be advanced enough to subvert the other detection mechanisms anti-virus solutions use to detect malicious samples.

Let’s take a look at the malware known as “CRDF.Malware-Generic.1124918328″, which was first analyzed at VirusTotal on 17.1.2015, which is the current date. The analysis results are present at the following link. Right on the top of the page, we can see that on the current date only 5 out of 57 antivirus solutions detected the file as malicious. We can see the results on the picture below, where different information regarding this malware sample can be obtained. The SHA256 can be seen on the top of the page, which is normally used when identifying malware samples. Also all five antivirus solutions that detected the binary sample as malicious are presented on the bottom of the page, together with the name of the malware and the last time the signatures have been updated.

On the picture above, we can also see that there are different tabs we can look at to obtain more information about the analyzed sample. So far we have determined that the file is probably malicious, but getting more information from the malware sample is useful, so we can eliminate false positives and determine what the malware does. We want to obtain the necessary knowledge to determine whether the malware sample writes some files to the filesystem, whether it connects back to the C&C server to fetch and execute commands, whether it modifies certain registry keys to achieve persistence on the infected machine, etc.

On the “File Detail” tab, the compilation timestamp can be seen, which provides information about when the malware sample was compiled by the attacker. The PE Windows executable file contains 5 different PE sections: .text, .rdata, .data, .rsrc, .reloc, which can be seen on the picture below. For each of the sections, their virtual address inside the file as well as their virtual size are given together with the MD5 of the entire contents of the section. This information can help us determine whether certain malicious samples share the same sections, because it’s often the case that malware authors won’t change the section containing the malware resources (the .rsrc section), but will only change the actual code that will be executed on the system (the .text section).

On the same tab we can also see all the DLLs used by the malware sample, which can give us an insight into what the sample is doing. Each of the imported DLLs can also be expanded to display the functions belonging to that DLL and used by the malware sample. If the malware is trying to detect whether it’s being debugged, it most often uses the IsDebuggerPresent function, which is part of kernel32.dll. If we expand the KERNEL32.DLL module, we can see that this sample actually uses this function, which gives us a clear indication that the malware sample doesn’t want to be debugged. Therefore we can be fairly certain that this sample is malicious, because legitimate programs rarely have a reason to use the IsDebuggerPresent function.

In the “Additional information” tab there is some additional information regarding the malicious sample as MD5/SHA1/SHA256 hashes, the ssdeep signatures, the size of the file, the file type, the TrID statistics, etc. The “Behavioural information” tab contains some useful information, like a note that the sample is using the IsDebuggerPresent API function, but other than that, there isn’t any other information.
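The “File Detail” data described above (compile timestamp, section names, virtual addresses, virtual sizes, per-section MD5) and the file-level hashes from the “Additional information” tab come straight from the PE headers. The following added example, which is not from the article or from VirusTotal, parses those headers with the standard library and compares two constructed samples to show the point made above: when only the code changes, the .rsrc section hash stays identical across variants. The sample builder, the PE images it emits and the function names are this example's own constructions, not real malware.

```python
import hashlib
import struct

# Header layouts read below (little-endian, as laid out in the PE/COFF format).
COFF_HEADER = struct.Struct("<HHIIIHH")         # Machine, NumberOfSections, TimeDateStamp, ..., SizeOfOptionalHeader, Characteristics
SECTION_HEADER = struct.Struct("<8sIIIIIIHHI")  # Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, ...


def build_sample(sections, timestamp):
    """Construct a minimal PE image (constructed demo data, not a real malware sample):
    DOS stub, "PE\\0\\0" signature, COFF header with an empty optional header, the section
    table, then each section's raw bytes starting at a 0x200-aligned file offset."""
    e_lfanew = 0x40
    dos_stub = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    headers_end = e_lfanew + 4 + COFF_HEADER.size + SECTION_HEADER.size * len(sections)
    raw_pointer = first_raw_pointer = (headers_end + 0x1FF) & ~0x1FF
    virtual_address = 0x1000
    table, raw_data = b"", b""
    for name, content in sections:
        table += SECTION_HEADER.pack(name.encode("ascii").ljust(8, b"\0"), len(content), virtual_address,
                                     len(content), raw_pointer, 0, 0, 0, 0, 0x60000020)
        raw_data += content
        raw_pointer += len(content)
        virtual_address += (len(content) + 0xFFF) & ~0xFFF   # next section on a page boundary
    coff = COFF_HEADER.pack(0x14C, len(sections), timestamp, 0, 0, 0, 0x0102)  # i386, no optional header
    headers = (dos_stub + b"PE\0\0" + coff + table).ljust(first_raw_pointer, b"\0")
    return headers + raw_data


def parse_pe(image):
    """Return (compile_timestamp, [section dicts]) the way a "File Detail" view lists them."""
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[:2] != b"MZ" or image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    coff_offset = e_lfanew + 4
    _, section_count, timestamp, _, _, optional_size, _ = COFF_HEADER.unpack_from(image, coff_offset)
    table_offset = coff_offset + COFF_HEADER.size + optional_size
    sections = []
    for index in range(section_count):
        fields = SECTION_HEADER.unpack_from(image, table_offset + index * SECTION_HEADER.size)
        name, virtual_size, virtual_address, raw_size, raw_pointer = fields[:5]
        raw = image[raw_pointer:raw_pointer + raw_size]
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii"),
            "virtual_address": virtual_address,
            "virtual_size": virtual_size,
            "md5": hashlib.md5(raw).hexdigest(),   # per-section hash, as shown on the File Detail tab
        })
    return timestamp, sections


def file_hashes(image):
    """MD5/SHA1/SHA256 of the whole file, the identifiers used across analysis services."""
    return {algo: hashlib.new(algo, image).hexdigest() for algo in ("md5", "sha1", "sha256")}


def shared_sections(image_a, image_b):
    """Names of sections whose raw contents hash identically in both samples."""
    hashes_a = {s["name"]: s["md5"] for s in parse_pe(image_a)[1]}
    hashes_b = {s["name"]: s["md5"] for s in parse_pe(image_b)[1]}
    return sorted(name for name in hashes_a if hashes_b.get(name) == hashes_a[name])


# Two constructed variants: same resources, different code, different build times.
RESOURCES = b"STRINGTABLE: This is a test.\0"
SAMPLE_A = build_sample([(".text", b"\x55\x8b\xec" * 16), (".rsrc", RESOURCES)], 1421452800)
SAMPLE_B = build_sample([(".text", b"\x90" * 48), (".rsrc", RESOURCES)], 1421539200)

if __name__ == "__main__":
    for label, image in (("sample A", SAMPLE_A), ("sample B", SAMPLE_B)):
        timestamp, sections = parse_pe(image)
        print(label, "compiled at", timestamp, "sha256", file_hashes(image)["sha256"])
        for section in sections:
            print("  %-6s va=0x%04x vsize=%d md5=%s" % (section["name"], section["virtual_address"],
                                                       section["virtual_size"], section["md5"]))
    print("sections shared between the variants:", shared_sections(SAMPLE_A, SAMPLE_B))
```

The file-level hashes differ between the two variants (a signature keyed on the whole file would miss the second one), while the per-section hash of .rsrc is identical, which is exactly the kind of overlap the paragraph above suggests looking for when clustering variants.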

3. Determine what the malware does

So far we’ve looked at VirusTotal, whose goal is to give us information about whether the binary sample is malicious or not, but doesn’t present much additional information regarding what the malware does. So in order to determine the true purpose of malware, we can turn to cloud automated malware analysis solutions we’ve already presented.

Let’s first take a look at Anubis. The submission of the file can be seen below, where it’s evident that besides choosing a file from our local disk, we also have to solve a simple CAPTCHA to prove that we’re human. This is required so that scripts cannot be written to submit files automatically; the authors of the analysis engine are clearly trying to prevent spam or invalid entries from being submitted to their service.

After pressing the “Submit for Analysis” button, the malware will get analyzed and a pretty status bar will be shown presenting the time needed to complete the analysis. An alert reader might have observed that the MD5 is shown on the picture below, which identifies each malware – if we go back to our VirusTotal analysis the same MD5 must be shown under the “Additional information” tab. That provides enough information for us to be confident that we’re working on the same file.

After the analysis has completed, the results of the analysis will be available in HTML, XML, PDF or TXT form as presented below. I usually use the HTML version of the report, since it’s the easiest to use, but other formats might come in handy depending on what you’re doing. If you want to save the details of the report for later inspection, you might open the report in a PDF, which allows you to save it to the hard drive and inspect it at any later time. The XML version of the report would certainly be best when writing a program that is able to automatically parse the results of analyzed malware.

An interesting thing about Anubis analysis is that it will show you a screenshot of a popup window if such a popup is detected. In the picture below, we can see that Anubis presented a dialog box showing the text “This is a test.”

The Anubis report also shows additional load-time DLLs that are used by the malware sample, like ws2_32.dll, which contains network-related functions that can be used to call back to the C&C server. The report also contains a list of run-time DLLs that were loaded after the executable has already been run. The picture below presents that the MSCTF.dll DLL was loaded at runtime. Currently, we can’t say for sure why the library was loaded, but by Googling we can determine that it can record keyboard and mouse inputs.

The ViCheck cloud analysis service doesn’t provide many details that we haven’t yet gathered. All of the information gathered from the uploaded binary is presented below.

Malwr is based on Cuckoo Sandbox and provides considerably more information than other analysis services. The “Quick overview” tab contains basic information that we already have, but also a screenshot of the entire desktop at the time of malware analysis. The picture below presents the popup box opened by the submitted binary.

The summary of files presents the files and directories accessed by the binary sample. There are standard temporary files created when the binary is run, so they are of no importance to us. The interesting part is msctftime.ime, which after Googling a bit appears to be a legitimate Microsoft file.

The interaction of the malware sample with the Windows registry is presented below. The interesting part is the second entry, the AutoIt registry key, which gives us an idea that the AutoIt scripting language for automating the Windows GUI is being used in the binary.

If we look at the “Static analysis” tab, we can see a list of all strings in a binary. An interesting part of the script is shown below, where it clearly states that this is a third-party compiled AutoIt script.

If we scroll to the bottom of the list, we can also see what’s presented on the picture below, which appears to be strings displayed to the user when something goes wrong in an AutoIt script.

4. Conclusion

The analyzed program appears to be an AutoIt script, which displays a text message in a popup box. Despite a few antivirus solutions saying that the file is malicious, it might not be, and those might be false positives. We can’t claim that with 100% accuracy since we’d probably have to manually analyze the file to determine what the binary does. It might just have been a simple AutoIt script created by some programmer trying to learn AutoIt language, but on the other hand, the answer might not be so obvious. Therefore, cloud malware analysis tools are developing new and improved features, which might be able to solve such uncertainties.

5. References

[1] Choosing the best Sandbox for malware analysis,
http://kromer.pl/malware-analysis/choosing-th-best-sandbox-for-malware-analysis/.

[2] 5 Steps to Building a Malware Analysis Toolkit Using Free Tools,
http://zeltser.com/malware-analysis-toolkit/.

Original Post: http://resources.infosecinstitute.com/overview-automated-malware-analysis-cloud/

Security & Privacy Best Practices


See 2015 Data Breach Readiness Guide

OTA recommends that all organizations implement the following best practices:

  1. Enforce effective password management policies.  Attacks against user credentials, including brute force, sniffing, host-based access and theft of password databases, remain very strong attack vectors warranting the use of effective password management controls.  Best practices for password management include:
    1. Use multi-factor authentication (e.g. one-time PINs) for access to administratively privileged accounts. Administrative privileges should be unique accounts and monitored for anomalous activity and should be used only for administrative activities;
    2. Require users to have a unique password for external vendor systems and refrain from reusing the same password for internal system and personal website logins;
    3. Require strong passwords comprised of an 8-character minimum including a combination of alphanumeric characters, and force password changes every 90 days with limited reuse permitted;
    4. Deploy a log-in abuse detection system monitoring connections, login counts, cookies, machine IDs, and other related data;
    5. Avoid storing passwords unless absolutely necessary and only store passwords (and files) that are hashed with salt or are otherwise encrypted;
    6. Remove or disable all default accounts from all devices and conduct regular audits to ensure that inactive accounts can no longer access your infrastructure;
    7. Remove access immediately for any terminated employees or any third parties or vendors that no longer require access to your infrastructure.
  2. Least privilege user access (LUA) is a core security strategy component, and all accounts should run with as few privileges and access levels as possible. LUA is widely recognized as an important design consideration in enhancing data security. It also provides protections against malicious behavior and system faults. For example, a user might have privileges to edit a specific document or email campaign, but lack permissions to download payroll data or access customer lists.  Also, LUA controls help to minimize damages from exposed passwords or rogue employees.
  3. Harden client devices by deploying multilayered firewall protections (both client and WAN-based hardware firewalls), using up-to-date anti-virus software, disabling by default locally shared folders and removing default accounts.  Enable automatic patch management for operating systems, applications (including mobile and web apps) and add-ons. All ports should be blocked to incoming traffic by default. Disable auto-running of removable media (e.g. USB drives, external drives, etc.). Whole disk encryption should be deployed on all laptops, mobile devices and systems hosting sensitive data.
  4. Conduct regular penetration tests and vulnerability scans of your infrastructure in order to identify and mitigate vulnerabilities and thwart potential attack vectors.  Regularly scan your cloud providers and look for potential vulnerability points and risks of data loss or theft.  Deploy solutions to detect anomalous flows of data which will to help detect attackers staging data for exfiltration.
  5. Require email authentication on all inbound and outbound mail streams to help detect malicious and deceptive emails including spear phishing and spoofed email.  All organizations should:
    1. Authenticate outbound mail with SPF and DKIM, including parked and delegated sub-domains;
    2. Adopt a DMARC reject or quarantine policy once you have validated that you are authenticating all outbound mail streams;
    3. Implement inbound email authentication check for SPF, DKIM, and DMARC;
    4. Encourage business partners to authenticate all email sent to your organization to help minimize the risk of receiving spear-phishing and spoofed emails;
    5. Require end-to-end email authentication using SPF and DKIM with a DMARC reject or quarantine policy for all mail streams managed or hosted by third parties.
  6. Implement a mobile device management program, requiring authentication to unlock a device, locking out a device after five failed attempts, using encrypted data communications/storage, and enabling the remote wiping of devices if a mobile device is lost or stolen.
  7. Continuously monitor in real-time the security of your organization’s infrastructure including collecting and analyzing all network traffic in real time, and analyzing centralized logs (including firewall, IDS/IPS, VPN and AV) using log management tools, as well as reviewing network statistics.  Identify anomalous activity, investigate, and revise your view of anomalous activity accordingly.
  8. Deploy web application firewalls to detect/prevent common web attacks, such as cross-site scripting, SQL injection and directory traversal attacks.  Review and mitigate the top 10 list of web application security risks identified by the Open Web Application Security Project (OWASP).  If relying on third-party hosting services, require deployment of firewalls.
  9. Permit only authorized wireless devices to connect to your network, including point of sale terminals and credit card devices, and encrypt communications with wireless devices such as routers and printers. Keep all “guest” network access on separate servers and access devices with strong encryption such as WPA2 with AES encryption or use of an IPSec VPN.
  10. Implement Always On Secure Socket Layer (AOSSL) for all servers requiring log in authentication and data collection.  AOSSL helps prevent sniffing data from being transmitted between client devices, wireless access points and intermediaries.
  11. Review server certificates for vulnerabilities and risks of your domains being hijacked.  Attackers often use “Domain Validated” (DV) SSL certificates to impersonate e-commerce websites and defraud consumers.  Sites are recommended to upgrade from DV certificates to “Organizationally Validated” (OV) or “Extended Validation” (EVSSL) SSL certificates.  OV and EV SSL certificates are validated by the Certificate Authority to ensure the identity of the applicant.  EV SSL certificates offer the highest level of authentication and verification of a website.  EVSSL provides users a higher level of assurance that the site owner is who they purport to be, presenting the user a green trust indicator in a browser’s address bar.
  12. Develop, test and continually refine a data breach response plan. Regularly review and improve the plan based upon changes in your organization’s information technology, data collection and security posture. Take the time after an incident to conduct a post-mortem and make improvements to your plan. Conduct regular tabletop exercises testing your plan and personnel.
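Two of the items above are concrete enough to show in code: storing only salted password hashes (item 1, sub-item 5) and locking an account after five failed attempts (item 6). The following is an added example, not OTA's code: a small in-memory credential store that keeps a per-user random salt and a PBKDF2-HMAC-SHA256 digest, verifies with a constant-time comparison, and locks the account on the fifth failure. The class, its method names and the iteration count are this example's assumptions; the list only says "hashed with salt" and "five failed attempts".

```python
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 600_000   # assumption: tune to your hardware; the text does not set a number
MAX_FAILED_ATTEMPTS = 5       # item 6 above: lock out after five failed attempts


class CredentialStore:
    """Holds salted PBKDF2-HMAC-SHA256 digests, never plaintext passwords (hypothetical helper)."""

    def __init__(self, iterations=PBKDF2_ITERATIONS):
        self.iterations = iterations
        self._records = {}   # username -> {"salt", "digest", "failures", "locked"}

    def _derive(self, password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, self.iterations)

    def add_user(self, username, password):
        salt = os.urandom(16)   # per-user random salt: identical passwords get different digests
        self._records[username] = {
            "salt": salt,
            "digest": self._derive(password, salt),
            "failures": 0,
            "locked": False,
        }

    def verify(self, username, password):
        """Return 'ok', 'bad_password', 'locked' or 'unknown_user'."""
        record = self._records.get(username)
        if record is None:
            # Do the same amount of work so response time does not reveal which usernames exist.
            self._derive(password, b"\0" * 16)
            return "unknown_user"
        if record["locked"]:
            return "locked"
        candidate = self._derive(password, record["salt"])
        if hmac.compare_digest(candidate, record["digest"]):   # constant-time comparison
            record["failures"] = 0
            return "ok"
        record["failures"] += 1
        if record["failures"] >= MAX_FAILED_ATTEMPTS:
            record["locked"] = True   # stays locked until an administrator calls unlock()
            return "locked"
        return "bad_password"

    def is_locked(self, username):
        return self._records[username]["locked"]

    def unlock(self, username):
        record = self._records[username]
        record["failures"] = 0
        record["locked"] = False
```

The lockout counter is reset on a successful login and only an explicit `unlock` clears a locked account, so the state machine matches item 6 rather than silently expiring; pair it with the login-abuse monitoring from item 1 so that a burst of lockouts across many accounts is itself visible as an event.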

Reference: https://www.otalliance.org/resources/security-privacy-best-practices

OTA Determines Over 90% of Data Breaches in 2014 Could Have Been Prevented

Seattle – The Online Trust Alliance (OTA), the non-profit with the mission to enhance online trust, today released its 2015 Data Protection Best Practices and Risk Assessment Guides, revealing that over 90 percent of data breaches that occurred in the first half of 2014 could have easily been prevented.

OTA also announced that it has analyzed over a thousand breaches involving the loss of personally identifiable information (PII) in 2014, as reported by the Open Security Foundation (OSF) and the Privacy Rights Clearinghouse. OTA found that only 40 percent were the result of external intrusions, while 29 percent were caused by employees—accidentally or maliciously—due to a lack of internal controls. The balance of incidents were primarily attributed to lost or stolen devices or documents (18 percent) and social engineering/fraud (11 percent).

In response to the growing breach threat, OTA identified through a multi-stakeholder effort the top 12 most critical yet achievable security practices that all companies should follow. In its Risk Assessment Guide, OTA introduced a framework detailing how to complete an assessment of both one’s own security practices and that of third-party vendors upon which businesses are increasingly reliant. These practices complement those recently outlined by President Obama to enhance data and consumer protection.

The best practices correlate to some of the most infamous data breaches of the last two years. For instance:

  • Following OTA’s guidelines for enforcing effective password management and also assessing the security protocols of cloud-based partners would have prevented the 2014 hacking of private celebrity photos.
  • OTA’s recommendations for assessing third-party vendor partners for vulnerabilities and also segregating internal systems would have helped prevent and contain breaches impacting major retailers including Target and Home Depot.

“Businesses are overwhelmed with the increasing risks and threats, yet all too often fail to adopt security basics,” said Craig Spiezle, Executive Director and President of OTA. “Releasing the Guides and best practices in advance of Data Privacy and Protection Day will provide businesses with actionable advice. When combined with other controls, these can help prevent, detect, contain and remediate data breaches.”

As a companion to the Data Protection Best Practices Guide, the OTA Risk Assessment Guide instructs readers about how to help evaluate the vulnerabilities of not only their own organizations, but also their third-party cloud service providers and vendor partners. Such business relationships are an often overlooked and increasingly exploited liability.

Data Privacy & Protection Day Workshops
OTA will address the content of its Guides and the state of the current data breach epidemic—including the Sony and Home Depot hacks—at three upcoming OTA Town Halls in Silicon Valley (Jan. 28), New York (Feb. 3) and Washington DC (Feb. 5). These interactive events will include sessions featuring leaders from the FBI, FCC, FTC, Secret Service, the New York and California Attorney General’s office, American Greetings, PayPal, Publishers Clearing House, Twitter and more.

The Town Halls are designed to provide businesses with prescriptive advice about how to navigate complex cybersecurity and data privacy issues, while enhancing brand trust and product innovation. The events are underwritten in part by leading companies including Act-On Software, Brunswick Group, Bryan Cave, Epsilon, Holland & Knight, Identity Guard, Sailthru, SiteLock, Symantec and TRUSTe. Reflecting industry-wide support of the program, over a dozen consumer and industry groups have joined OTA in support of this program including the Anti-Phishing Working Group, Better Business Bureau, Center for Democracy & Technology, ConnectSafely.org, Digital Content Next, ESPC, Future of Privacy Forum, Identity Theft Council, local InfraGard Chapters, StopBadware, Smart Card Alliance and others.

About OTA:

The Online Trust Alliance (OTA) is a non-profit with the mission to enhance online trust and user empowerment while promoting innovation and the vitality of the Internet. Its goal is to help educate businesses, policy makers and stakeholders while developing and advancing best practices and tools to enhance the protection of users’ security, privacy and identity. OTA supports collaborative public-private partnerships, benchmark reporting, and meaningful self-regulation and data stewardship. Its members and supporters include leaders spanning the public policy, technology, ecommerce, social networking, mobile, email and interactive marketing, financial, service provider, government agency and industry organization sectors.

Original Post: https://www.otalliance.org/news-events/press-releases/ota-determines-over-90-data-breaches-2014-could-have-been-prevented

2014 Top Security Tools as Voted by ToolsWatch.org Readers


Results by Year

01 – Unhide (NEW)
02 – OWASP ZAP – Zed Attack Proxy Project (-1↓)
03 – Lynis (+3↑)
04 – BeEF – The Browser Exploitation Framework (-2↓)
05 – OWASP Xenotix XSS Exploit Framework (0→)
06 – PeStudio (-2↓)
07 – OWASP Offensive (Web) Testing Framework (NEW)
08 – Brakeman (NEW)
09 – WPScan (0→)
10 – Nmap (NEW)

01 – Unhide


Unhide is a forensic tool that finds processes and TCP/UDP ports hidden by rootkits, LKMs or other hiding techniques. Unhide runs on Unix/Linux and Windows systems. It implements six main techniques.

Features

  • Compare /proc vs /bin/ps output
  • Compare info gathered from /bin/ps with info gathered by walking through the procfs. ONLY for unhide-linux version
  • Compare info gathered from /bin/ps with info gathered from syscalls (syscall scanning).
  • Full PID space occupation (PID bruteforcing). ONLY for unhide-linux version
  • Compare /bin/ps output vs /proc, procfs walking and syscalls. ONLY for unhide-linux version. Reverse search: verify that all threads seen by ps are also seen in the kernel.
  • Quick compare of /proc, procfs walking and syscalls vs /bin/ps output. ONLY for unhide-linux version. It’s about 20 times faster than tests 1+2+3 but may give more false positives.

URL: http://www.unhide-forensics.info
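As an added illustration of the /proc-vs-syscall comparison and PID bruteforcing techniques described above (this is example code, not Unhide’s own), the following script probes every PID with kill(pid, 0), compares the result with a directory read of /proc, and filters out thread IDs, which legitimately answer the syscall without appearing in the listing. It assumes a Linux host with /proc mounted.

```python
import os

PROC = "/proc"  # assumption: a standard Linux procfs mount

def proc_pids():
    """PIDs that a directory read of /proc reports (the view ps relies on)."""
    return {int(name) for name in os.listdir(PROC) if name.isdigit()}

def pid_alive(pid):
    """Ask the kernel directly: kill(pid, 0) sends no signal, but ESRCH means
    no such process, while success or EPERM both mean the PID exists."""
    try:
        os.kill(pid, 0)
    except ProcessLookupError:
        return False
    except PermissionError:
        return True
    return True

def syscall_pids(max_pid):
    """Brute-force the PID space 1..max_pid through the syscall view."""
    return {pid for pid in range(1, max_pid + 1) if pid_alive(pid)}

def is_thread(pid):
    """Thread IDs are alive to kill() yet omitted from the /proc listing;
    /proc/<tid>/status is still reachable by path and carries the owning Tgid."""
    try:
        with open(f"{PROC}/{pid}/status") as fh:
            for line in fh:
                if line.startswith("Tgid:"):
                    return int(line.split()[1]) != pid
    except OSError:
        pass
    return False

def diff_hidden(listed, alive, thread_check=is_thread):
    """Core comparison: alive in the syscall view, absent from the listing, not a thread."""
    return sorted(pid for pid in alive - listed if not thread_check(pid))

def find_hidden(max_pid=None):
    """Return PIDs that look hidden, re-checking each to rule out exit races."""
    if max_pid is None:
        with open(f"{PROC}/sys/kernel/pid_max") as fh:
            max_pid = int(fh.read())
    alive = syscall_pids(max_pid)
    listed = proc_pids()        # read after the probe, so new processes are not flagged
    candidates = diff_hidden(listed, alive)
    still_listed = proc_pids()  # a candidate must still be alive and still unlisted
    return [pid for pid in candidates if pid_alive(pid) and pid not in still_listed]

def self_check():
    """Sanity check: the current process is visible to both views and never flagged."""
    me = os.getpid()
    return me in proc_pids() and me in syscall_pids(me) and me not in find_hidden(me)
```

Calling find_hidden() with no argument walks the full PID space up to pid_max, which is slow in Python; Unhide performs the same sweep in C.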

Testimonials

“It is a very complete and very useful security tool. You can easily find any hidden files, ports, etc.”

“Good tool for detecting malware in Linux systems!!”

“A good command-line tool, essential nowadays to detect rootkits in Unix-based systems.”

02 – OWASP ZAP – Zed Attack Proxy Project


The Zed Attack Proxy (ZAP) is an easy to use integrated penetration testing tool for finding vulnerabilities in web applications.

It is designed to be used by people with a wide range of security experience and as such is ideal for developers and functional testers who are new to penetration testing.

ZAP provides automated scanners as well as a set of tools that allow you to find security vulnerabilities manually.

Features

  • Open source
  • Cross platform (it even runs on a Raspberry Pi!)
  • Easy to install (just requires Java 1.7)
  • Completely free (no paid for ‘Pro’ version)
  • Ease of use a priority
  • Comprehensive help pages
  • Fully internationalized
  • Translated into over 20 languages
  • Community based, with involvement actively encouraged
  • Under active development by an international team of volunteers

URL: https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project

Testimonials

“It is open source and easy to use which covers all issues.”

“Loads of features (weekly releases). Easy to use. Active community. Scripting. Runs on all platforms with Java. Extensive documentation.”

“Stable, maintained and improved, well-documented, and supports WebSockets!”

03 – Lynis


Lynis is an auditing tool which tests and gathers (security) information from Unix-based systems. The audience for this tool is security and system auditors, network specialists and system maintainers.

Lynis performs an in-depth local scan on the system and is therefore much more thorough than network-based vulnerability scanners. It starts with the bootloader and goes up to installed software packages. After the analysis it provides the administrator with the discovered findings, including hints to further secure the system.

Features

  • System and security audit checks
  • File Integrity Assessment
  • System and file forensics
  • Usage of templates/baselines (reporting and monitoring)
  • Extended debugging features

URL: https://cisofy.com/download/lynis/

Testimonials

“Helped me several times to harden my systems, love it.”

“Really great auditing tool! It’s easy to use plus it’s free.”

“It helps to quickly satisfy compliance requirements in a jiffy…”

04 – BeEF – The Browser Exploitation Framework


BeEF is short for The Browser Exploitation Framework. It is a penetration testing tool that focuses on the web browser.

Amid growing concerns about web-borne attacks against clients, including mobile clients, BeEF allows the professional penetration tester to assess the actual security posture of a target environment by using client-side attack vectors. Unlike other security frameworks, BeEF looks past the hardened network perimeter and client system, and examines exploitability within the context of the one open door: the web browser. BeEF will hook one or more web browsers and use them as beachheads for launching directed command modules and further attacks against the system from within the browser context.

Features

  • Key Logger.
  • Bind Shells.
  • Port Scanner.
  • Clipboard Theft.
  • Tor Detection.
  • Integration with Metasploit Framework.
  • Many Browser Exploitation Modules.
  • Browser Functionality Detection.
  • Mozilla Extension Exploitation Support.

URL: http://beefproject.com

Testimonials

“Because there’s only one tool like it. No other tool serves the same purpose.”

“Nothing demonstrates the internal threat and vulnerability of a browser better than the browser exploitation framework.”

“BeEF, besides the integrated attacks, provides clients with a clear picture of what could happen just by visiting a poisoned site.”

05 – OWASP Xenotix XSS Exploit Framework


OWASP Xenotix XSS Exploit Framework is an advanced Cross Site Scripting (XSS) vulnerability detection and exploitation framework. Xenotix provides zero-false-positive XSS detection by performing the scan within the browser engines where, in the real world, payloads get reflected. The Xenotix Scanner Module incorporates 3 intelligent fuzzers to reduce the scan time and produce better results.

Features

  • Scanner Modules
  • Information Gathering Modules
  • Exploitation Modules
  • Auxiliary Modules
  • Xenotix Scripting Engine

URL: https://www.owasp.org/index.php/OWASP_Xenotix_XSS_Exploit_Framework

Testimonials

“It helps me to make interesting proof of concepts for all the XSS vulnerabilities which I found during web-app vulnerability assessments.”

“XSS is a menace and this scanner allows one to scan for advanced XSS attacks from a mobile device. Moreover it eases the whole scanning effort with an amazing interface.”

“Its UI is easy to use. It has more payloads than you can ever imagine. Overall, I would recommend it as the best tool for XSS testing.”

06 – PeStudio


PeStudio is a unique tool that performs static investigation of 32-bit and 64-bit executables. PEStudio is free for private non-commercial use only.

Malicious executables often attempt to hide their malicious behavior and to evade detection. In doing so, they generally present anomalies and suspicious patterns. The goal of PEStudio is to detect these anomalies, provide Indicators and score the Trust for the executable being analyzed. Since the executable file being analyzed is never started, you can inspect any unknown or malicious executable with no risk.

Features

  • References
  • Indicators
  • Virus Detection
  • Imports
  • Resources
  • Report
  • Prompt
  • Interface

URL: http://www.winitor.com

Testimonials

“Great tool, easy to use, efficient for early evaluation of malware potential and intents.”

“Best tool for static PE analysis”

“Easily the best and quickest malware analysis/triage tool. Amazing support from the author, who updates the software almost every other day. Spectacularly useful in my day-to-day analysis.”

07 – OWASP Offensive (Web) Testing Framework


OWASP OWTF, the Offensive (Web) Testing Framework, is an OWASP- and PTES-focused attempt to unite great tools and make pen testing more efficient; it is written mostly in Python. The purpose of this tool is to automate the manual, uncreative part of pen testing: for example, spending time trying to remember how to call “tool X”, parsing results of “tool X” manually to feed “tool Y”, etc.

Features

  • OWASP Testing Guide-oriented.
  • Report updated on the fly.
  • “Scumbag spidering”.
  • Resilience.
  • Easy to configure.
  • Easy to run.
  • Full control of what tests to run.
  • Easy to review transaction logs and plain text files with URLs.
  • Basic Google Hacking without (annoying) API Key requirements via “blanket searches”.
  • Easy to extract data from the database to parse or pass to other tools.

URL: https://www.owasp.org/index.php/OWASP_OWTF

Testimonials

“Helped in automating and managing multiple tools with ease.”

“Because it rocks!!! It is combining all of the OWASP vulnerability checks in one framework.”

“It saves me lot of time with repetitive tasks.”

08 – Brakeman


Brakeman is a security scanner for Ruby on Rails applications. Unlike many web security scanners, Brakeman looks at the source code of your application. This means you do not need to set up your whole application stack to use it.

Once Brakeman scans the application code, it produces a report of all security issues it has found.

Features

  • No Configuration Necessary
  • Run It Anytime
  • Better Coverage
  • Best Practices
  • Flexible Testing
  • Speed

URL: http://brakemanscanner.org

Testimonials

“Free, high quality, actively developed. Significantly better than many expensive commercial products in our testing. Justin is really nice as well.”

“One of the best open source tools available for security vulnerability scanning.”

“Great Ruby gem that helps you see what possible security risks you have included in your application.”

09 – WPScan


WPScan is a black box WordPress vulnerability scanner.

Features

  • Username enumeration (from author querystring and location header)
  • Weak password cracking (multithreaded)
  • Version enumeration (from generator meta tag and from client side files)
  • Vulnerability enumeration (based on version)
  • Plugin enumeration (2220 most popular by default)
  • Plugin vulnerability enumeration (based on plugin name)
  • Plugin enumeration list generation
  • Other misc WordPress checks (theme name, dir listing, …)

URL: http://wpscan.org

Testimonials

“There are a lot of websites developed using WordPress and still vulnerable; using WPScan, which specializes in detecting WordPress security issues, can save a lot of time for any security tester. No need to configure any payload or something similar, just let WPScan do it automatically.”

“The team made a new WPScan vulnerability database (wpvulndb.com). Everyone can populate (after approval) the database with new found vulnerabilities. Now the core program is better separated from the data.”

“Constantly updated. Best tool for WordPress security.”

10 – Nmap


Nmap (“Network Mapper”) is a free and open source (license) utility for network discovery and security auditing. Many systems and network administrators also find it useful for network inventory, managing service upgrade schedules, monitoring host or service uptime, and many other tasks. Nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics.

Features

  • Host Discovery.
  • Port Scanning.
  • Version Detection.
  • OS Detection.
  • Nmap Scripting Engine (NSE).

URL: http://nmap.org

Testimonials

“Everyone’s favourite port scanner.”

“Enumerate ports, find the ‘open door’.”

“The best tool that every pen tester must have.”

Other tools listed, voted by users:

  • Arachni: Arachni is an Open Source, feature-full, modular, high-performance Ruby framework aimed towards helping penetration testers and administrators evaluate the security of web applications. [http://www.arachni-scanner.com]
  • ArchAssault: The ArchAssault Project is an Arch Linux derivative for penetration testers, security professionals and all-around Linux enthusiasts. [https://archassault.org]
  • FBHT: Facebook Hacking Tool is an open-source tool written in Python that exploits multiple vulnerabilities on the Facebook platform. [https://github.com/chinoogawa/fbht]
  • GoLismero: Free software framework for security testing. It’s currently geared towards web security, but it can easily be expanded to other kinds of scans. [http://www.golismero.com]
  • Iron OWASP: IronWASP (Iron Web application Advanced Security testing Platform) is an open source system for web application vulnerability testing. It is designed to be customizable to the extent where users can create their own custom security scanners using it. [http://ironwasp.org]
  • Metasploit: It is the de-facto standard for penetration testing with more than one million unique downloads per year and the world’s largest, public database of quality assured exploits. [http://www.metasploit.com]
  • OWASP O-Saft: Tool to show information about SSL certificates and test the SSL connection against a given list of ciphers and various SSL configurations. [https://www.owasp.org/index.php/O-Saft]
  • ThreadFix: Software vulnerability aggregation and management system that helps organizations aggregate vulnerability data, generate virtual patches, and interact with software defect tracking systems. [http://www.denimgroup.com/resources-threadfix]
  • Volatility: The Volatility Framework is a completely open collection of tools, implemented in Python under the GNU General Public License, for the extraction of digital artifacts from volatile memory (RAM) samples. [https://github.com/volatilityfoundation/volatility]
  • w3af: Web Application Attack and Audit Framework. The project’s goal is to create a framework to help you secure your web applications by finding and exploiting all web application vulnerabilities. [http://w3af.org]
  • YASAT: YASAT (Yet Another Stupid Audit Tool) is a simple stupid audit tool. Its goal is to be as simple as possible with minimum binary dependencies (only sed, grep and cut). Second goal is to document each test with maximum information and links to official documentation. [http://yasat.sourceforge.net]
