Interested in using my services? Contact Me
I will happily conduct a FREE basic web audit for any genuine organization that is interested in my services. Please contact me. Alternatively if you are looking for an on site arrangement please again, do contact me.
A website or web application is generally built with a layered approach. From the ground up, a simple stack might consist of an OS and physical server, a network stack, database server software, database classes (i.e. connection, query and data select), controller code to drive the database and other classes, and a view (which is the site that you see). It is important that each layer is considered and scanned, as a vulnerability in one will usually cause a system-wide vulnerability.
The majority (about 70%) of the websites and web applications that I scan have critical vulnerabilities. By critical, I mean the ability to download and modify your entire database, or download and modify your website and code. This can obviously cause massive site and customer devastation.
Security starts with the server itself. The list of things to check for here is endless: unnecessary user accounts, unnecessary services, misconfigured services, easily guessable passwords, poor resource limits, weak permissions, unpatched software, etc. A direct server compromise will usually result in full disclosure of all sensitive data. An exploit through poor web code, though, could be further escalated by elevating privileges from the web user to the root user on an unpatched system.
Consulting is a critical part of the service. I’m always available to discuss a report or provide advice. I can either provide a report and recommendations for you to pass on to your own hosting company and developers, or alternatively, I can usually provide an estimate to make fixes to your existing platform, and then retest and support at a discounted rate.
Contact me now – I can often perform a basic initial audit absolutely FREE. A full audit can range anywhere from a scan and report, to a full-blown internal and external audit and report.
It is important that a security consultant who has been engaged to perform a pen test;
Once the test has been concluded, the consultant needs to decide how best to present the results. As a security consultant, I personally present the results and explain the implications of such results as well as what can be done to address issues found.
No system can ever be 100% secure, however the art of security consultancy is finding an acceptable risk level, based on required functionality and usability of the system in question.
As a London based security consultant, I scan both web applications and physical networks. I prefer to scan web applications and have substantially more experience in pen testing web applications although pen testing physical networks can definitely be more challenging in a lot of cases.
Both web application auditing and networking require the same base skills, logic, understanding of protocols, specifically TCP and IP, standards, good practice and common sense. Web applications can require more programming and syntax knowledge and experience, although network auditing can require just as much syntax knowledge.
As of writing today, I have documented PHP website security tests of 145 independent web applications that I have audited, of which 104 were found to have ‘major’ vulnerabilities. That’s about 70%! By ‘major’ vulnerabilities, I mean that data could be retrieved from the database, passwords could be stolen, or content could be changed. 70% is a really worrying figure. To those non-technically minded individuals reading this article, the padlock you see in your browser DOES NOT mean the site you are accessing is secure, certified secure or guaranteed by anyone in any way. In fact, it categorically means nothing about the security of the site, or of the data that you send to it. It simply means that the connection between your own PC and that site is encrypted at the time when you submit it.
19th January 10 – Website Security Scan
Websites get hacked every day, customers details taken, and it’s usually REALLY EASY to do. As a security consultant, I often get a call after a Google search turns up with my details as the guy to contact when this happens.
Shameless plug: Why not contact me BEFORE this happens for a FREE basic web scan.
Shameless plug over, why not consider some of the things that can be done to help prevent a website breach..
25th December 09 – SSHing from a compromised machine
Often, when working with compromised machines, as a security consultant, I find a malicious SSH binary. The malicious SSH binary generally logs all usernames, passwords and hosts connected to from the compromised machine, and usually in /tmp/. The attacker can then log back into the machine and collect this file at a later date.
11th October 09 – Linux Consultant – How to recover a compromised server
As a security consultant I often have to deal with machines that are already compromised. The ‘official’ standpoint is always to wipe the machine altogether, reinstall your OS, and restore your data and configurations from the backups that you obviously have.
When that is not possible, the second-best alternative is to recover the machine in place.
The first thing to do is compare each command line utility to that of a known good identical system before using it, so you can rely on the results that it returns. A hacker will often drop a modified ‘ls’, ‘lsmod’, ‘ps’ and various other tools onto your system to hide the various other things that he may have installed.
You’ll need to use md5sum and ls to check the size and checksum of each utility before you use it, although of course md5sum and ls themselves could be hardcoded with predefined responses. You could also use ‘strings’ to check the ASCII contents of those tools, although ‘strings’ could just as easily be rigged. If you’re that paranoid, you’ve got no choice but to wipe the machine altogether.
So firstly, check the integrity of each of your core utilities. If your compromised system was Debian 5.0 with the latest updates installed, you’ll need to check against another Debian 5.0 system with the same updates and tools installed. Or, if you can find a listing online somewhere of what binaries should be what sizes and have what MD5s, then you should be fine.
Once you have confirmed your ‘md5sum’ utility, you should be able to just start comparing MD5s and stop worrying about file sizes and strings. Check your package management utilities and make sure that you’re happy with them, then apt-get install rkhunter; this will check for a number of issues. There are other ‘root kit hunters’ that you can use as well if you wish. Once this has been run, check your ps utility and ensure that it is as you expect. Then run ps auxw and check each running process in the same way. Assuming that all of that is done and has not shown up anything, all is good so far. If something has been found and one of your binaries is compromised, and assuming your package manager is in good order, dpkg -P <package> and reinstall. If it is a core package that cannot be removed/purged without affecting the rest of the system, then just scp over a new binary. Check again that the libc6 version and package version are IDENTICAL, and check of course that scp itself is in good order.
At this point, we can assume that your binaries themselves are in good order. Check for any new SUID utilities with find / -perm +4000 and once done, firstly make sure that everything on that list is as expected, and secondly, double check the md5sums of each and every one of those.
This all being OK, continue to check by looking at your /etc/passwd, /etc/group and /etc/shadow files checking for user accounts that you don’t recognise. Then check syslog, wtmp, lastlog, etc, and check the IPs and last logins of each account. Also check directories such as /tmp/ especially with ls -al to check for directories beginning with a ‘.’ which would otherwise be hidden.
If everything above returns success, then it’s unlikely that your system was directly compromised. There is always the chance that your web application or database was compromised, but that’s outside the scope of this article. In short though, check your webserver log files, as those should give you the information on what was compromised and how it was done. Obviously ensure that any 3rd party software that you may be using, such as WordPress, vBulletin, etc., is always at the latest version.
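As an added example (my own code, not from the original post), here are the checks above as shell functions, exercised on a constructed miniature "system" under a temp directory so nothing touches the real host. It assumes md5sum, awk and GNU find are present; note that current GNU find rejects the article's -perm +4000, so the portable -perm -4000 is used.

```shell
#!/bin/sh
# Added example: the recovery checks as functions, exercised on a constructed
# sample "system" under a temp directory. Nothing here touches the real host.

# verify_manifest MANIFEST ROOT: MANIFEST holds "md5  relative/path" lines
# taken from a known-good, identically patched system. Prints one line per
# file that is missing or whose MD5 no longer matches.
verify_manifest() {
    while read -r expected path; do
        [ -n "$path" ] || continue
        if [ ! -f "$2/$path" ]; then
            echo "MISSING $path"
        elif [ "$(md5sum < "$2/$path" | cut -d' ' -f1)" != "$expected" ]; then
            echo "MODIFIED $path"
        fi
    done < "$1"
}

# list_suid ROOT: every set-uid file below ROOT. The article's "-perm +4000"
# is rejected by current GNU find; "-perm -4000" is the portable spelling.
list_suid() { find "$1" -type f -perm -4000 | sort; }

# extra_uid0 PASSWD: accounts other than root whose UID is 0.
extra_uid0() { awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"; }

# hidden_dirs DIR: dot-directories that a plain ls would not show.
hidden_dirs() { find "$1" -mindepth 1 -maxdepth 1 -type d -name '.*' | sort; }

# --- constructed sample: three "binaries", a manifest, /tmp and a passwd file ---
ROOT=$(mktemp -d)
mkdir -p "$ROOT/bin" "$ROOT/tmp/.x" "$ROOT/tmp/cache"
for b in ls ps md5sum; do printf 'good %s\n' "$b" > "$ROOT/bin/$b"; done
for b in ls ps md5sum; do
    printf '%s  bin/%s\n' "$(md5sum < "$ROOT/bin/$b" | cut -d' ' -f1)" "$b"
done > "$ROOT/manifest"
printf '%s  bin/lsmod\n' "$(printf 'good lsmod\n' | md5sum | cut -d' ' -f1)" >> "$ROOT/manifest"
# Simulated intrusion: ps replaced and made set-uid, lsmod deleted (never
# created here), a second UID-0 account added, a dot-directory dropped in /tmp.
printf 'trojaned ps\n' > "$ROOT/bin/ps"
chmod 4755 "$ROOT/bin/ps"
printf 'root:x:0:0:root:/root:/bin/sh\nbackdoor:x:0:0::/:/bin/sh\nwww-data:x:33:33::/var/www:/bin/false\n' > "$ROOT/passwd"

echo "== manifest mismatches ==";   verify_manifest "$ROOT/manifest" "$ROOT"
echo "== set-uid files ==";         list_suid "$ROOT"
echo "== extra UID 0 accounts =="; extra_uid0 "$ROOT/passwd"
echo "== hidden dirs in tmp ==";    hidden_dirs "$ROOT/tmp"
```

On a real box, point the manifest at checksums recorded from a clean, identically patched install and run list_suid against / as the article describes.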
03rd October 09 – Linux Security Freelancer – Securing a node – Where to start?
As a Linux Security Freelancer, I’m often asked where best to start when securing a single linux host. Whereas most would suggest configuring iptables or similar, the most effective first step in my opinion is to remove unnecessary services.
There are a number of methods that you can use to show open sockets at least:
lsof -U will list open sockets
nmap -sT -sU localhost will scan your local machine for open TCP or UDP ports
netstat -a | grep LISTEN will show all listening sockets.
Forgive me for stating the obvious, but the first thing to do is disable any open sockets or services that aren’t required. On a default install, this could include the likes of the portmapper service, identd and an smtpd.
Next, you want to suitably lock down user accounts, check passwords, and perhaps consider enforcing a secure password policy. At minimum I generally prefer at least 8 characters, with at least one uppercase letter, one lowercase letter and one digit. Obviously this shouldn’t be easily guessable, nor should it just end in a ‘1’.
Once done, the next thing that you want to do is to suitably firewall the services that you do require open, and perhaps also restrict the rate of ICMPs, etc, with iptables.
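As an added example (my own code, not from the original post), the two checks above in shell: an audit of listening sockets against an allowlist of the services you actually require, fed a constructed netstat -tuln sample of a default install, and the password policy just described as a function. The allowlist of only tcp/22 is an assumption for the sample.

```shell
#!/bin/sh
# Added example: "remove what is not required" and the password policy as
# checks. The netstat output below is constructed; real use would be
#   netstat -tuln | unexpected_listeners "tcp/22 tcp/443"

# unexpected_listeners ALLOWLIST: reads netstat -tuln style output on stdin
# and prints every listening socket whose "proto/port" is not in the
# space-separated ALLOWLIST. UDP lines carry no LISTEN state, so a line counts
# as listening when it is tcp with state LISTEN, or udp at all.
unexpected_listeners() {
    awk -v allow="$1" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 ~ /^(tcp|udp)6?$/ {
            if ($1 ~ /^tcp/ && $6 != "LISTEN") next
            k = split($4, f, ":"); port = f[k]         # last field after ":"
            key = substr($1, 1, 3) "/" port            # tcp6 -> tcp
            if (!(key in ok)) print key " on " $4
        }'
}

# password_ok PASSWORD: the post's minimum policy: at least 8 characters, one
# upper-case, one lower-case and one digit, and not simply ending in "1".
password_ok() {
    p=$1
    [ ${#p} -ge 8 ] || return 1
    case $p in *[[:upper:]]*) ;; *) return 1;; esac
    case $p in *[[:lower:]]*) ;; *) return 1;; esac
    case $p in *[[:digit:]]*) ;; *) return 1;; esac
    case $p in *1) return 1;; esac
    return 0
}

# Constructed sample of a default install: sshd, portmapper, a local smtpd
# and identd, matching the services the post says to look for.
NETSTAT_SAMPLE='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:113             0.0.0.0:*               LISTEN
tcp6       0      0 :::22                   :::*                    LISTEN
udp        0      0 0.0.0.0:111             0.0.0.0:*'

REQUIRED="tcp/22"     # assumption: only ssh is meant to be reachable
echo "$NETSTAT_SAMPLE" | unexpected_listeners "$REQUIRED"
for pw in 'Summer2023' 'summer2023' 'Passw0rd1' 'Sh0rt'; do
    if password_ok "$pw"; then echo "OK   $pw"; else echo "WEAK $pw"; fi
done
```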
02nd October 09 – Security Consultant – Man In The Middle Attacks (MITM)
A Man In The Middle (MITM) attack is a popular network-based attack used to hijack a connection or to sniff traffic. The term actually covers a variety of different methods: a MITM attack is literally positioning yourself, as the attacker, between the two communicating parties. Whether you do that via an ARP attack, some type of cryptographic attack, or a physical attack depends on the requirements and scenario. As a security consultant it is important to ensure that the network and its communications are as secure as possible against this type of attack. I will cover a simple physical MITM attack, then an ARP attack, and then prevention techniques.
30th September 09 – Security Consultant – London Site Visits
The majority of my onsite visits, as far as security consulting goes, are in the City of London. The time budgeted for an onsite visit by a Client is almost never enough, and trying to squeeze two and a half days’ worth of testing into a single day has its challenges. Due to the sensitive nature of a lot of the material, more often than not I’m also not able to take notes offsite. This means that I either need an incredibly good memory or, more practically, I need to be able to complete the majority of the report whilst onsite as well. Being a London Security Consultant can be very challenging at times; the rushed nature of the average engagement means that more often than not I don’t get to go into some of the detail I would have liked.
Speaking to colleagues in the field, more often than not it is perfectly acceptable to assess the network and simply point out potential flaws. I personally thought that there was more to being a penetration tester than spending a day running nmap against various devices. When under time pressure, it’s particularly important to be able to multitask, although ensuring that one test, and perhaps its bandwidth consumption, will not interfere with other tests being run is also important to keep in mind. It should be obvious by now that I test in too much depth as opposed to too little, and if time doesn’t permit, certain areas will have to remain untested until we can get a time extension.
28th September 09 – Security Consultant – Scope of work
As a Security Consultant, I’ve always had a difficult time with the scope of work and just how much detail to go into during the test. What to pen test is more often than not strictly defined, however what detail to go in to, is often not. In some cases the time constraints dictate the detail of the penetration test itself, however often with pen testing, more time is allowed than is necessary.
I have a specific example in mind, whereby I identified a possible DoS (Denial of Service) attack against a service running on a particular vendor’s hardware. The attack was only vaguely theoretically possible; however, given the spare time, I did spend a number of hours writing an actual implementation of the Denial of Service attack, and then demonstrating proof of its functionality. At that point, the Client changed various configuration options which prevented this DoS, whilst technically mildly limiting functionality.
18th September 09 – Web Application Security Consultant Methodology
I wanted to share some thoughts on my general methodology when approaching web application pen testing. Depending on size, scope of work, complexity and a number of factors, there are two separate angles, usually both or a hybrid of both that I will take.
The first angle has to be the network security itself, all the way down to the physical security. As a penetration tester, I’ll test the web, database, storage and any other related networked devices inside and out: port scanning their interfaces, spoofing IPs and MACs, asking myself questions such as “Does the database accept direct connections from any IP? Does Apache keep too many spare threads waiting?” We need to work our way from the bottom to the top of the OSI Model, a lot of which can be done using nc (Netcat) and a combination of scripts, as well as nmap.
Secondly, as the security consultant, I would then test the application itself and dependent or otherwise related applications. Crawl the site and its file hierarchy using wget or similar, and then run automated test tools, such as Burp Suite, Acunetix and a combination of curl/wget and shell scripts, before manually drilling down into anything suspicious. Unfortunately for the user, the majority of web applications are insecure. A web crawl using a recursive wget, followed by some blind SQL injection checks, will more often than not turn up the opportunity for SQL injection. Once this is done, the next question is how far I can go with the SQL injection. Do I have root access now to the database? Does the database user have unnecessary permissions? I should be able to SELECT and possibly INSERT/UPDATE data. It’s unlikely that I should be able to actually alter, or even drop, the database from the web user. Having table update privilege on all tables is just as good as being able to drop the database itself, though, in terms of potential damage. This combination of security issues could lead to even further damage once the initial compromise has been made.
The next question is how far to proceed once an opportunity has been identified. Is demonstrating an opportunity for SQL injection sufficient, or does the opportunity need to be exploited? Once done, does data actually need reading or writing to the database or code changed? This generally depends on the scope of the work and purpose/setting of the systems under test. More will be discussed on this in later articles.
Once complete, I will generally report and rate the issues found from 1 to 5: 1 being informational, 2 low severity, 3 medium severity, 4 high severity and 5 critical severity. The database user having additional privileges may fall into categories 3 or 4. An outdated but currently secure version of the webserver running may fall into category 1, whilst an SQL injection opportunity will for sure fall into category 5.
Scope depending, I can either discuss the issues and advise on strategies to resolve, or alternatively provide the report ready for the Client to pass on to his own IT consultant.
10th September 09 – Security Consultant – Ports & Port Knocking
Port Knocking is a clever and interesting method of allowing remote firewall manipulation whilst leaving all ports closed to all IPs. When I attempt to initiate a TCP connection to a remote host I send a packet with a ‘SYN’ flag, indicating my intention, along with other information such as a source port, destination port, source IP and destination IP. The target machine has the option of responding by accepting, responding by rejecting, or simply ignoring the packet altogether, known under iptables and most other firewalls as ACCEPT, REJECT or DROP.
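As an added example (my own code, not from the original post), the user-space half of a port-knocking setup: the firewall DROPs and logs every inbound SYN, so every port looks closed, and this evaluator reads those logged "src_ip dst_port" records and reports which sources sent the secret sequence in order. The sequence 7000 8000 9000 and the SYN log are constructed; wiring the result into a rule that then ACCEPTs that source is left to the firewall.

```shell
#!/bin/sh
# Added example: evaluating knock sequences from a log of DROPped SYNs.
# A SYN on the wrong port resets that source, which is what defeats a port
# scanner sweeping through the ports in numeric order: it hits other ports
# in between and never presents the sequence cleanly.

KNOCK_SEQUENCE="7000 8000 9000"   # assumption: a three-port sequence

# completed_knocks: stdin = "src_ip dst_port" per logged SYN, in arrival order.
# Prints each source IP at the moment it completes the full sequence, then
# re-arms so the same source can knock again later.
completed_knocks() {
    awk -v seq="$KNOCK_SEQUENCE" '
        BEGIN { n = split(seq, want, " ") }
        NF == 2 {
            ip = $1; port = $2
            next_idx = stage[ip] + 1          # uninitialised stage[] is 0
            if (port == want[next_idx]) {
                stage[ip] = next_idx
                if (next_idx == n) { print ip; stage[ip] = 0 }
            } else {
                # wrong port resets; a stray knock on the first port re-starts
                stage[ip] = (port == want[1]) ? 1 : 0
            }
        }'
}

# Constructed SYN log: 10.0.0.5 knocks correctly (interleaved with others);
# 10.0.0.9 scans upward and touches 7500 between knocks; 10.0.0.7 gets the
# order wrong.
SYN_LOG='10.0.0.5 7000
10.0.0.9 7000
10.0.0.9 7500
10.0.0.5 8000
10.0.0.9 8000
10.0.0.7 8000
10.0.0.7 7000
10.0.0.5 9000
10.0.0.9 9000
10.0.0.7 9000'

echo "$SYN_LOG" | completed_knocks
```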
06th September 09 – Security Consultant – PHP Developer – SQL Injection Attacks
One of the most common forms of attack against web applications is SQL Injection. For the most part, the language that the web application is written in is irrelevant, be that PHP, ASP, Python, Perl, C, etc. As long as the back end database uses something SQL-based, be that MySQL, MSSQL, etc., again, we’re in business. This probably covers over 99% of web applications out there. Both the security consultant and the PHP developer, or web application developer in general, have to be aware of the implications of SQL Injection. Here’s how it works:
04th September 09 – Security Consultant – PHP Developer – Exploiting Common PHP Code Flaws
There are a number of PHP and in fact programming errors in general that PHP Programmers and Security Consultants need to be aware of. Specifically, how can a malicious user use the code to gain access above what he is supposed to.
Cross Site Scripting (XSS), Shell Execution and SQL Injection are all issues that programmers need to be aware of. Luckily, buffer overflows in their traditional sense are not something that PHP developers need to concern themselves with.
Here, in its most basic sense, is an example of how we can read arbitrary files on the filesystem that we should not have access to.
02nd September 09 – Security Consultant – Basic NMAP Usage
nmap is one of the most useful tools for a security consultant in a penetration testing environment. It has a massive range of options, and only the most basic will be considered in this tutorial.
It goes without saying that nmap should only be run against IPs and ports that you yourself have gained authorization to test. Here goes: