Thursday, April 30, 2009

Using AppDetective to audit a MySQL database

I'm still in the middle of a big project testing web applications. Most of the databases have been SQL Server or Oracle. Believe it or not, we've run into some Access databases as well. And I'll admit, I did not know that Access could be used as a back-end to a web application. Yesterday, I had to test a MySQL database. The DoD has not put out a specific checklist for MySQL, and there are not SRR Scripts for MySQL either.

We did have AppDetective, though. We've run into many issues with getting AppDetective to audit Lotus Notes databases, so I was a little worried. But, I'm happy to say that it was pretty straightforward and I got good results back.

To do this:

Fire up AppDetective.
Add an application:
  • Fill out the DNS Name / IP Address.
  • On the Port tab, pick MySQL (and the correct version). For my test I was able to leave the default port, but you could add the port if it is not on the default.
  • On the Platform tab, select the platform that the application is running on.
  • On the Miscellaneous tab, I added the version of MySQL.
Once the application is added to the right pane in AppDetective:
Expand the + signs until you reach your application.
Right-mouse click on the app, and pick Audit with...
Then choose your audit policy.

(Of course, you could run a Pen Test, or pick any number of audit policies.)

I chose Strict.

The AppDetectivePro - Run Audit window will pop up.
Right-mouse click in the username/password frame.
At this point, you can fill in the username and password combination that will grant you the access you need. I always test the DB connection, just to make sure everything connects and works.
Click OK.
Then, click the Run Audit button to start the test.

If I've left anything out, leave it for me in the comments, and I'll update the post.

Wednesday, April 22, 2009

Information Security Magazine - update

Well, I got an email the other day, to download the latest issue of Information Security magazine. I didn't know it went digital. So, at least I've caught up with the magazine. However, it would have been nice to know that the magazine was moving to a digital format. I never saw anything in print or an email.

Sunday, April 19, 2009

2009 Verizon Data Breach Report

I forgot to write about this. I saw that the 2009 Verizon Data Breach report was out. This is a report I almost always read because it is interesting, concise, and full of validated data. Mainly, the fact that there are hard numbers to back up the real-world claims gives the paper credence. This is not just media spin doctoring. Or biased claims by any one company. Sure, any point could be countered, but with the amount of data collected and the source, there has to be some validity.

I have the paper downloaded, I just need time to spend reading and digesting.

To do, to do....

I haven't written much lately. Partly, I haven't had the time. As I've alluded to, I've been busy on a huge project; working to help certify applications that are moving from the local fort to wherever they are going. It is very time consuming because there just are not enough resources to run the project smoothly. My manager decided to hire a bunch of employees to help with the workload. Not a bad idea, except they are all new to the security field. (One guy has his CISSP, yet has never worked in a security domain, and has ZERO security experience.) I believe it is just a case of the company bidding on a contract that would bring in much revenue without really thinking about how we would accomplish it. (And, one of the tools that is central to our testing is not the best; I almost say it's not ready for prime time; and it is not one of ours.)

So, we're continuously behind the proverbial eight-ball. Working long hours. And dealing with clients that are less than enthusiastic to have us there.

But then, I've been thinking of going in a different direction. Forensics has been the siren song in my head for a very long time. It's part of the reason that I left the old company; I wanted to work in computer forensics on my own. (To say nothing of the LACK of security at my old job.) Where I'm at now does not have a forensics group. They don't have an incident response group. Besides the IA we perform, there is a small group that does commercial testing, more of a pen-testing group.

What to do? What to do?

If I move towards forensics I could attempt to push forensics into the company. But, are there DoD engagements where they would need CF? Or, do I push to create a forensics group that would be internal to the company and only serve the company? Is there even a need? (I suspect "yes", but would it get funded? The ultimate question.) Or, do I start casting an eye elsewhere?

And, further at issue, I should really make a push for the CISSP. I'm not really a huge fan of it. Not that it is a bad certification. If I stay in the company I'm at, I'll probably need it sooner or later as the DoD somewhat worships it. But does it align with MY goals? I'm not sure. It certainly wouldn't hurt.

You could say I'm Lost In The Flood. At least Bruce has been putting on some great shows.

Writing is therapeutic. I might scribble some more in order to clearly think about my options, goals, and ambitions.

Cool gadget bag

I saw this post on Gadget Lab. This bag would make an awesome jump bag. The only thing I can't figure out is if a laptop would fit in it. But, boy, you could probably pack a lot of gear in there.

(granted, I don't carry bullets, but still.)

Friday, April 3, 2009

Shhh, Don't tell anyone....

I finally signed up for Facebook. I spent a good hour and a half figuring out the privacy and security settings. I may have been a bit paranoid, and I may have to start relaxing the settings. We'll see.

Conficker Eye Chart

I found a great link to the Conficker Eye Chart, with instructions on how to use it. I would say that it is accurate as of this writing. As we know, Conficker has a new method to update itself, and may mutate to make the Eye Chart worthless. However, for the time being, this seems to work.

Link here.