
Websites where I can ask hacker types for advice on something?

  • 22-02-2010 4:58pm
    Closed Accounts Posts: 12,382 ✭✭✭✭


    Hello

    As part of my job I want to do some security testing. In a nutshell, I am testing a web application which is run in an IIS application pool as "local system". This is supposedly a security risk, but I would like to be able to prove this. So, I basically want advice on what sort of things I can look for in our code (potential buffer overflows, etc.) which would enable me to do something bad using the local system privileges.

    This would all be as part of my job and is not just me acting the maggot!

    So, do any of you know any websites where hacker types might be able to advise me on this? Obviously I wouldn't be showing them any code but I am sure there are some common flaws I can look for...

    Cheers
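    The misconfiguration the question describes (a worker process running as Local System) can be checked for directly rather than proven by exploitation. The following PowerShell script is an added example and is not from this thread or from any poster; it assumes the IIS WebAdministration module (IIS 7 or later, run from an elevated prompt), and the pool name MyAppPool in the remediation line is a placeholder.

```powershell
# Added example (not from the thread): list every IIS application pool and flag
# the ones whose worker process runs as LocalSystem. A LocalSystem pool means any
# code-execution bug in the web application hands the attacker full control of
# the host, so the identity itself is the finding, independent of the code.
Import-Module WebAdministration

# Identities that give the worker process administrative control of the machine.
$risky = @('LocalSystem')

Get-ChildItem IIS:\AppPools | ForEach-Object {
    $identity = $_.processModel.identityType
    [pscustomobject]@{
        Name     = $_.Name
        Identity = $identity            # LocalSystem, LocalService, NetworkService,
                                        # ApplicationPoolIdentity or SpecificUser
        Risky    = ($risky -contains $identity)
    }
} | Format-Table -AutoSize

# Remediation for a flagged pool (pool name is a placeholder): move it to the
# per-pool virtual account, which holds no rights beyond those you grant it on
# the site's folders. On IIS 7.0, where ApplicationPoolIdentity does not exist,
# NetworkService is the least-privileged built-in choice.
# Set-ItemProperty IIS:\AppPools\MyAppPool -Name processModel.identityType -Value ApplicationPoolIdentity
```

    After changing the identity, grant the new account read access to the site content and write access only where the application genuinely needs it; anything that breaks at that point is a dependency on Local System rights that should be fixed in the application rather than by restoring the privileged identity.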


Comments

  • Registered Users, Registered Users 2 Posts: 10,339 ✭✭✭✭LoLth


    not being smart but have you tried googling for Ethical Hacking forums? (remember the ethical bit!). if it's web app hacking you are interested in discussing then you may do well to have a look at OWASP and their related discussions.

    If it's part of your job, you should really ask your company to send you on a course (I know, easier said than done) as, until you get some training you have a very good chance of overlooking something obvious - that's not to say trained personnel don't overlook things but the likelihood is lessened.

    SANS do a very good ethical hacking course, but it's quite expensive.
    The CEH from EC Council is quite good but doesn't really look at web applications in any great detail.
    Perhaps a secure programming course, assuming you have some programming experience, would be more useful?


  • Closed Accounts Posts: 2,055 ✭✭✭probe


    AARRRGH wrote: »
    Hello

    As part of my job I want to do some security testing. In a nutshell, I am testing a web application which is run in an IIS application pool as "local system". This is supposedly a security risk, but I would like to be able to prove this. So, I basically want advice on what sort of things I can look for in our code (potential buffer overflows, etc.) which would enable me to do something bad using the local system privileges.

    This would all be as part of my job and is not just me acting the maggot!

    So, do any of you know any websites where hacker types might be able to advise me on this? Obviously I wouldn't be showing them any code but I am sure there are some common flaws I can look for...

    Cheers

    Put a copy of your proposed system (with dummy data and dummy everything - other than it should look credible to hackers) on the net as a honeypot. See what happens! Don't firewall it - leave it open and exposed to get some fresh air....

    Send an email to Moxie Marlinspike, the playhacker, perhaps using a few choice words to ridicule his hacking prowess, to tell him about your 100% bulletproof system - if you are in a hurry and want to speed things up...

    http://www.thoughtcrime.org

    (The dummy data should be credible for search engines as well).

    Blackhat Europe hackers convention is on in Barcelona (2010-04-12 to 15) in a scruffy youth hostel at Ave Diagonal 661. You might consider reserving a dormitory bed there (bring your own sleeping bag), and run your IIS application on a laptop pc connected to the hostel's WiFi and Ethernet network. Pick up a 3G dongle or two for the Spanish mobile networks to give it maximum exposure in the vicinity - GSM/3G encryption has passed its sell-by date. It would be like throwing a baby into a rattlesnakes' nest. See if it has what it takes to survive....!

    http://www.blackhat.com/html/bh-eu-10/bh-eu-10-home.html


  • Registered Users, Registered Users 2 Posts: 10,339 ✭✭✭✭LoLth


    two problems immediately spring to mind:

    1. no guarantee that a hacker will actually hack the system in the timeframe you leave it sitting there

    2. if the box is compromised (and assuming that this is a completely separate box and completely devoid of any sensitive information from passwords to config files) are you going to have the ability to see exactly how it was done? what flaw was leveraged? Unless you have a monitor running on the box, or running pointed at the box in which case you put that monitor at risk as well. The point of pentests is that you get a controlled environment with known testing targets. It's not 100% perfect but at least you know what does, and almost as importantly doesn't, work.

    oh and, why on earth would you deliberately draw unwanted attention to your own company? By putting out a honeypot you are just putting yourself in the hackers' sights and increasing the risk of either a return visit when you don't want one or discovery of a link to your main site which will lead to inspection.

    bringing it to a conference: same issue as above as well as the fact that anything running on a laptop at a black hat convention is almost expected to be hacked. it's not a true test, it's more a law of averages. also, laptops won't properly emulate the web app environment and patch level/hardening.

    my advice: get your company to hire a pentest firm to test the web app and provide a pentest report until you get someone trained up, or are trained up yourself to do the job internally (external pentests are still a good idea though, a second set of lobes is never a bad thing)


  • Closed Accounts Posts: 2,055 ✭✭✭probe


    LoLth wrote: »
    two problems immediately spring to mind:

    1. no guarantee that a hacker will actually hack the system in the timeframe you leave it sitting there

    2. if the box is compromised (and assuming that this is a completely separate box and completely devoid of any sensitive information from passwords to config files) are you going to have the ability to see exactly how it was done? what flaw was leveraged? Unless you have a monitor running on the box, or running pointed at the box in which case you put that monitor at risk as well. The point of pentests is that you get a controlled environment with known testing targets. It's not 100% perfect but at least you know what does, and almost as importantly doesn't, work.

    oh and, why on earth would you deliberately draw unwanted attention to your own company? By putting out a honeypot you are just putting yourself in the hackers' sights and increasing the risk of either a return visit when you don't want one or discovery of a link to your main site which will lead to inspection.

    bringing it to a conference: same issue as above as well as the fact that anything running on a laptop at a black hat convention is almost expected to be hacked. it's not a true test, it's more a law of averages. also, laptops won't properly emulate the web app environment and patch level/hardening.

    my advice: get your company to hire a pentest firm to test the web app and provide a pentest report until you get someone trained up, or are trained up yourself to do the job internally (external pentests are still a good idea though, a second set of lobes is never a bad thing)

    There are no guarantees in life about anything - especially about security issues! Microsoft Windows has been out in various flavours for decades and still has security vulnerabilities coming to surface virtually every month.

    Many / most vulnerabilities are identified by hackers of one sort or another.

    He could set up his test box to send detailed log entries to another machine that is secured.

    He doesn't have to draw attention to his own organization. He is hardly going to put the company's logo or real information on the test platform. He could not run it from the corporate net connection (it has to be exposed) - e.g. he should get a DSL modem / account exclusively for any testing.

    There is nothing to stop him from using various penetration testing services and getting nice certificates to frame on his wall etc as well.

    But if he keeps an unprotected version of the system dangling out there in the wilderness, it will catch prey and if he keeps detailed logs he can see what route the attackers use before they get snared in the net.

    If someone manages to get root access they can delete their traces on the target system - but if it has been "squealing" on the attack, blow by blow, to a protected logging system, the latter will collect useful information on the modus operandi of the attacker so that the vulnerability that was exploited can be plugged.
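    The "squealing to a protected logging system" idea above amounts to shipping each log line off the exposed host the moment it is written. The script below is an added example, not code from this thread or any poster; it tails the IIS W3C access log and forwards every new line as a syslog message to a separate collector. The collector address (a TEST-NET placeholder), the port and the log directory are assumptions, and it needs PowerShell 3.0 or later for `-Tail`.

```powershell
# Added example (not from the thread): forward IIS access-log lines to a
# hardened collector as they appear, so an intruder who later wipes the local
# logs cannot remove the copy that already left the box.
$collector = '192.0.2.10'                       # placeholder: the protected log host
$port      = 514                                # standard syslog UDP port
$logDir    = 'C:\inetpub\logs\LogFiles\W3SVC1'  # default IIS log location for site 1
$hostname  = $env:COMPUTERNAME

# Syslog PRI for facility local0 (16) and severity informational (6): 16*8 + 6.
$pri = 134

$udp = New-Object System.Net.Sockets.UdpClient

# IIS rotates the W3C log daily by default; follow the newest file.
$logFile = Get-ChildItem -Path $logDir -Filter '*.log' |
           Sort-Object LastWriteTime -Descending |
           Select-Object -First 1

# -Wait keeps reading as IIS appends; -Tail 0 starts at the current end so only
# new requests are forwarded. Inside ForEach-Object, 'return' skips to the next line.
Get-Content -Path $logFile.FullName -Wait -Tail 0 | ForEach-Object {
    if ($_ -like '#*') { return }                   # W3C header/field lines, not requests
    $ts    = (Get-Date).ToString('MMM dd HH:mm:ss')  # RFC 3164-style timestamp
    $msg   = "<$pri>$ts $hostname iis: $_"
    $bytes = [System.Text.Encoding]::UTF8.GetBytes($msg)
    [void]$udp.Send($bytes, $bytes.Length, $collector, $port)
}
```

    Two caveats a practitioner would want: IIS buffers log writes (flushing on a size or time threshold) so the forwarded copy lags the request by up to a minute, and plain UDP syslog is unauthenticated and lossy, so the collector should accept only inbound 514 from the test box, initiate no connections back to it, and, where the collector supports it, TCP with TLS is the better transport. This keeps the monitor LoLth worried about from becoming a second target.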


  • Registered Users, Registered Users 2 Posts: 6,265 ✭✭✭MiCr0


    There are companies that do security and penetration testing. I'd go and hire one of them rather than find some l33+ h4x0rz from the net


  • Registered Users, Registered Users 2 Posts: 10,339 ✭✭✭✭LoLth


    probe wrote: »

    There is nothing to stop him from using various penetration testing services and getting nice certificates to frame on his wall etc as well.

    But if he keeps an unprotected version of the system dangling out there in the wilderness, it will catch prey and if he keeps detailed logs he can see what route the attackers use before they get snared in the net.

    If someone manages to get root access they can delete their traces on the target system - but if it has been "squealing" on the attack, blow by blow, to a protected logging system, the latter will collect useful information on the modus operandi of the attacker so that the vulnerability that was exploited can be plugged.

    or

    you could get the nice certificate to frame on the wall and KNOW what to do to harden the box himself, or, hire a company that knows how to harden the box and test it for vulnerabilities who will work, under contract, within the scope provided to them to stop others from getting root access. Yes, more exploits will turn up, they always do. It's the risk of exposure and as with any risk you analyze it, you do your best to mitigate it and in the end agree whether the net risk is acceptable. (and that doesn't just apply to security). Dangling a box for black hat hackers to disembowel so you can see what commands were run or ports were accessed is not the job of a non-security company.

    @OP: in all honesty, it's not fair of your employer to ask you to assess the security of the box if you haven't received the training or had the resources you require made available to you. If you say it's ok, what happens if it gets hacked straight off and a forensic analysis report shows that it wasn't a fault in IIS but a patch that wasn't applied to stop privilege escalation? Are you still held responsible for missing that bit of hardening?


  • Closed Accounts Posts: 301 ✭✭pieface_ie


    I agree with LoLth on this.
    You'll be advertising yourself.
    The internet forums are full of delboys asking how to break into this and that so I think it'd be fair to say that it'll be hard to find someone to help you, and sure, you shouldn't be handing code over to people you don't know.

    There's a book called Software Exploitation, maybe that might be of help to you?

    If it's not really your job to be doing this it's best/safest to leave it up to a prof pentester, if you told the boss the code was good to go and then someone gained access to the system by bad coding that you had overlooked or didn't fully understand I'm sure you'd get in trouble, not worth the hassle, methinks :)

