Drupal and WordPress Denial of Service

Drupal and WordPress frameworks are vulnerable to a denial of service condition within the XML-RPC service.

Details of the issue can be found here on the official sites for Drupal and WordPress. In short, the attack sends an XML-RPC call to the remote site carrying an initially small XML document. One element of that document is then repeated many times, so the document expands to a far larger size when the server parses it.

How does this work? A small initial file of 200 KB can expand to 2.5 GB on the remote server because of a weakness known as an XML Quadratic Blowup Attack. Attempting to parse several such requests consumes all available resources, which causes the application, and potentially the whole system, to fall over.

Using a simple proof of concept script it was possible to kill an entire site and underlying operating system within a few moments:

“System running out of memory. Availability of the system is in risk.”

Unless you have previously disabled XML-RPC, or have patched your Drupal or WordPress framework in the last few days, you are currently exposed to this denial of service attack. We recommend that you update to the latest version of your framework as soon as possible.
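As an added illustration of the defensive side, the Python guard below is example code written for this post; it is not from the original article and is not part of Drupal or WordPress. It applies two cheap checks to an XML-RPC request body before any XML parser touches it: a size cap (XML-RPC calls are small, so a multi-megabyte body is suspect in itself) and rejection of any DOCTYPE or ENTITY declaration, which a legitimate XML-RPC call never needs but which a blowup document depends on to define the entity it repeats. The limit, the function names and both sample documents are constructed for the example.

```python
import re
import xml.etree.ElementTree as ET

# Constructed limit for the example: XML-RPC calls are small, so a
# generous cap still stops a large document before it is parsed.
MAX_BODY_BYTES = 64 * 1024

# Legitimate XML-RPC never needs a DTD; a DOCTYPE or ENTITY declaration is
# the only way to define the entity that a blowup document repeats.
DTD_RE = re.compile(rb"<!(DOCTYPE|ENTITY)\b", re.IGNORECASE)


def screen_xmlrpc_body(body: bytes, max_bytes: int = MAX_BODY_BYTES):
    """Cheap checks that run before any XML parser sees the request.

    Returns (accepted, reason); reason is empty when accepted.
    """
    if len(body) > max_bytes:
        return False, "body of %d bytes exceeds limit of %d" % (len(body), max_bytes)
    if DTD_RE.search(body):
        return False, "DOCTYPE/ENTITY declaration not permitted in XML-RPC"
    return True, ""


def handle_xmlrpc(body: bytes, max_bytes: int = MAX_BODY_BYTES) -> dict:
    """Screen, then parse, then extract the method name of a methodCall."""
    accepted, reason = screen_xmlrpc_body(body, max_bytes)
    if not accepted:
        return {"accepted": False, "reason": reason}
    try:
        root = ET.fromstring(body)
    except ET.ParseError as exc:
        return {"accepted": False, "reason": "malformed XML: %s" % exc}
    if root.tag != "methodCall":
        return {"accepted": False, "reason": "root element is not methodCall"}
    return {"accepted": True, "method": root.findtext("methodName")}


# Constructed sample requests (not captured traffic).
GOOD_CALL = b"""<?xml version="1.0"?>
<methodCall>
  <methodName>demo.sayHello</methodName>
  <params><param><value><string>hi</string></value></param></params>
</methodCall>"""

# Same shape as a blowup document (one entity declared, then referenced),
# cut down to a handful of references so it is a test fixture that the
# guard rejects, not a document that expands to anything.
BLOWUP_SHAPE = b"""<?xml version="1.0"?>
<!DOCTYPE methodCall [<!ENTITY x "xxxxxxxxxxxxxxxx">]>
<methodCall><methodName>&x;&x;&x;&x;</methodName></methodCall>"""

if __name__ == "__main__":
    for label, body in (("good", GOOD_CALL), ("blowup-shape", BLOWUP_SHAPE)):
        print(label, handle_xmlrpc(body))
```

Running the block prints an accepted result with the method name for the first document and a rejection naming the DOCTYPE for the second. A guard like this sits in front of the parser as defence in depth; it complements patching the framework or disabling XML-RPC rather than replacing either.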

GCHQ certifies Master’s Degrees in Cyber Security

Our CEO, David Stubley, has been quoted in a recent Information Security Magazine article regarding the launch of the GCHQ programme to certify Cyber Security University Master’s Degrees:

“As a highly technical security consultancy we are acutely aware of the skills gap that exists between academia and the commercial sector,” he told Infosecurity. “GCHQ looking to address this can only be a positive step and one we hope will lead to providing graduates with the skills that will enable them to become valued security professionals.”

The full article can be found here, with the full announcement from GCHQ here.

7 Elements scopes international expansion at OWASP AppSec EU

7 Elements reports a successful year as sponsor of OWASP AppSec EU, scoping growth opportunities across Europe.

The not-for-profit event is key for the sector, attracting information security professionals from across Europe to a four day event which includes a quality conference and training workshops. The event is renowned for widening business networks internationally as well as providing the opportunity for collaboration and gaining valuable insight into current market trends.

David Stubley, CEO at 7 Elements, said: ‘There are few events in the annual calendar that add as much value to the information security network as OWASP. This year provided us with an unparalleled opportunity to grow our business internationally, with a great representation of visitors from across Europe.’

OWASP ran from the 23rd to the 26th of June at Anglia Ruskin University’s Cambridge campus, attracting visitors from across the EU. This year’s discussion centred on the need for further education of developers with regard to security flaws and the impact of poor coding.

Security Testing – A Buyer’s Guide

Know what you’re asking for and what to expect

People often ask for penetration testing without knowing what it really means or does. The word has become ubiquitous within the field of information security and means very different things to individuals and organisations.

Even security professionals are at fault here, interchanging terms such as pen test, vulnerability assessment and other related security words to fit the current situation. In some cases the same term is used differently within the same conversation! Unfortunately this can lead to an organisation failing to gain the right level of assurance.

To help organisations understand what it is they require and assist them in provisioning the right security test we have laid out the different types of tests that come under the security testing banner and what you can expect from that test.

An Overview of Security Testing

There are four key types of testing that come under the banner of Security Testing, the most commonly referred to being a pen test or penetration test. The following diagram lays out the different types of security testing and highlights the extent to which automated testing tools are used compared to manual testing. As we move up the pyramid, the level of skill required of the tester increases.

[Diagram: Security Testing Levels]

We will now take a look at each of the types of security testing, detailing what it is and what you get from each.

Vulnerability Scan

What is it?

The scan uses automated tools to identify known security issues through matching conditions with known vulnerabilities.

What do you get?

The tool automatically sets the risk level for the results of the scan and no manual verification or interpretation of the results takes place prior to issue. This is great for identifying technical vulnerabilities at a low financial cost. However, it also generates a high level of false positives while missing certain types of issues. This limits the overall level of assurance gained.

Vulnerability Assessment

What is it?

A vulnerability assessment takes a vulnerability scan a step further by using a security tester’s knowledge to drive an appropriate use of automated tools and test scripts.

What do you get?

The report should be manually created, placing the findings into the context of the environment under test. Examples include removing common false positives from the report and deciding the risk level that should apply to each finding, to improve business understanding and the overall context of a finding. It is great for increasing the level of assurance gained through automated testing, whilst still helping to keep costs low.

Security Assessment

What is it?

A security assessment builds upon a vulnerability assessment by adding manual verification of the results to confirm the level of exposure. It does not, however, include the use of exploitation code to gain further access to systems.

What do you get?

A security assessment looks to gain broad coverage of the systems under test but does not consider the depth of exposure to which a specific vulnerability could lead. False positives should be excluded through analysis of the results. Security assessments are great for exposing business logic flaws and identifying security vulnerabilities that automated tools are unable to find. This leads to a higher level of assurance. However, the time and effort required to complete a security assessment are higher than for vulnerability scans and assessments, and a higher level of technical skill is required to deliver it. This increases the cost of an engagement.

Penetration Test

What is it?

Penetration testing simulates an attack by a malicious party, using tools and manual investigation to identify weaknesses. Testing involves the exploitation of found vulnerabilities to gain further access. This approach gives an understanding of an attacker’s ability to gain access to confidential information or to affect the integrity of data or the availability of a service, together with the respective impact.

What do you get?

This approach looks at the depth and impact of a potential attack, as compared to the security assessment approach that looks at broader coverage. It is great for understanding the depth of exposure from a vulnerability, but it can result in a narrow focus that potentially misses other vulnerabilities that would have been identified through a security assessment. The level of assurance gained is directly associated with the ability of the tester, the scope of the engagement and the time and effort allocated.

Finding the right level – some considerations

All levels of security testing are valid assurance activities, but it is important that you choose the level that is right for your needs. Organisations need to balance risk appetite, cost, the level of assurance required, the threat landscape and any regulatory requirements (if applicable). In our next blog post we will consider how to align security testing with the threat landscape.

OWASP AppSec EU 2014

OWASP AppSec Europe is returning to the United Kingdom in 2014 and 7 Elements are proud to announce that we will be sponsoring this event.

Hosted this year in Cambridge, the event will take place from the 23rd to the 26th of June and will include:

  • Two days of training and a two day conference
  • Three tracks, focusing on the core OWASP mission (Builder, Breaker, Defender), with an added Research track
  • Keynote addresses by highly respected Industry experts

For those still looking to book tickets, we have a discount code for full conference passes that you can use:

1. Just visit: http://sl.owasp.org/appseceuregister
2. Select the “Member – Event Only” option if you are a current OWASP member, or the “Non Member – Event Only” option if you are not.
3. Enter discount code: EU10_7LMTS

Don’t forget to visit the 7E team while you are there.

Security Tester Roles

Due to further growth we are looking for a Senior Security Tester and an experienced Security Tester to join the team. We pride ourselves on our expertise in technical information assurance, so the candidate must have a high level of technical ability and share our passion for information security.

If this sounds like you then visit our careers page to find out more.

Guest Lecture at RGU

Our CEO David Stubley will be delivering a guest lecture to the School of Computing Science and Digital Media at Robert Gordon University on Tuesday 25th March 2014.

His talk will be on ‘Penetration Testing’ and will cover the technical capability of attackers and the different levels of security testing used to gain assurance.

Digital Forensic Student Conference

On the 26th March, Glasgow Caledonian University (GCU) will host their first Digital Forensic Student Conference, aimed at addressing the challenges faced by the next generation of forensic professionals and inspiring them. 7 Elements are proud to announce that we will be sponsoring this event and that our CEO, David Stubley, will also be speaking. More information on the event can be found here.

Digital Forensic Student Conference

Our CEO David Stubley will be presenting at the GCU Digital Forensic Student Conference on Wednesday 26th March 2014.

His talk will be on ‘Tactical Incident Response’.

There is often a perceived need to provide a forensically sound approach to data acquisition and interrogation during an incident. However, the term ‘forensically sound’ is often misunderstood and incorrectly applied to incidents, limiting the overall response available. In this talk, and through the use of real life examples, David will explore how a tactical response can add value to an organisation’s response to incidents.

More information on the event can be found here.

7E supports Scottish talent

One of the key motivations in establishing 7 Elements was a drive to deliver customer focussed security testing that provides clients with the service they need, and to proactively support and develop the wider security community for the benefit of everyone.

As part of this commitment, 7 Elements recently offered two students from Glasgow Caledonian University (GCU) the opportunity to write a blog post on the recent changes to PCI DSS, providing vital hands-on experience for these undergraduates. Both are studying Digital Security, Forensics & Ethical Hacking at GCU and share our passion for information security. Their post, PCI DSS v3 in a Nutshell, can be found here.

In addition to guest blog spots, 7 Elements are also taking on two interns over the summer of 2014. As well as providing them with the opportunity to gain industry experience in the field, the interns will be assisting 7 Elements with the development of customer focussed projects and bespoke security research.