Wednesday, August 25, 2010

Can Security be harmful?

This week's SANS NewsBites (Vol. 12, Num 67) has a story on the possible role of security (or lack thereof) in the Spanair air crash that killed 154 people.  According to the post, the official cause of the crash was pilot error.  The investigation also discovered that a warning indicator did not activate.  These events would have been logged in the company's maintenance system.  It has been alleged that the maintenance system was riddled with malware.  Could this be a case where not patching a system indirectly led to deaths?

Recently, I've audited systems and applications that reside in medical treatment facilities.  One system was responsible for the delivery of radiation to patients.  The vendor stated that they are the only authority allowed to administer patches to the system, as they need to test each and every patch before it can be released live into production so as not to endanger a patient.  They talked about one particular case where the pushing of patches by a medical treatment facility enabled a system to administer too much radiation.  And, if it were not for the diligence of an alert technician, fatal conditions would have been met.

Granted, the day-to-day security decisions and risk analyses we make are not going to be that critical.  Heck, just driving to work each day we go through a risk analysis.  Sure, there's a risk that we could get in an accident, but it's not that high and we accept it.  But when it comes to mission-critical systems, or systems that are deemed of high importance, a well thought-out risk analysis could be what causes or averts a dire situation.

Friday, August 13, 2010

Vulnerable Web Applications for testing and practice

I'm working on a small presentation for web application testing.  In order to get the bullet points across, I want to have an application where the students can actually try the attacks and see the results, as I find that this gets the points across more effectively than PowerPoint slides.  Knowing only a handful of the more popular applications, I started searching.  Google gave me more than I could imagine, and I'm listing a bunch of them here.

This first group is actual applications to be installed:
Vicnum
OWASP WebGoat
OWASP Insecure Web App Project
Damn Vulnerable Web App
Hacme Travel
Hacme Bank
Hacme Shipping
Hacme Casino
Hacme Books
Mutillidae
The Butterfly Project
Stanford SecuriBench
BadStore
Gruyere
WackoPicko
BodgeIt Store

Live sites (hosted on the internet):
SPI Dynamics
Cenzic
Watchfire
Acunetix (php)
Acunetix (asp)
NT Objectives

If I have missed a good one, please let me know.  I haven't picked one yet, I'm still evaluating.  But I'll add to the list as I hear of and try more applications.

edit: 4-19-2011 added BodgeIt Store

Tuesday, August 10, 2010

Free Monitoring Tools for Systems and Networks

The SANS Internet Storm Center has a great post today that I'm linking to here so I can come back to it, as it lists some great monitoring tools (free or inexpensive) for various operating systems.

Monitoring Tools

As there are a lot of posts at the Storm Center, I'm sure I'll lose this one if I don't create a link to it.  Hopefully it will help out someone else.