Tales from the Web Scanning Front: Why is This Scan Taking So Long?

As CEO, I’m constantly emphasizing the importance of customer support and trying to attend several support calls each week to stay on top of our support quality and what customers are asking.

Surprisingly, application scan times are one of the most common issues raised by customers.  Occasionally, scans will take days or even weeks.

At this point, I would say that in almost all cases, there is an issue that lies within the application’s environment as opposed to a something within the software.

First some background on web application security scanners. Web scanners first crawl websites, enumerate attack points and then create custom attacks based on the site.  So, for example, if I have a small site with 200 attackable inputs and each one can be attacked 200 ways, with each attack requiring 2 requests, I have 200*200*2 or 80,000 requests to assess that site.

Now NTOSpider can be configured to use up to 64 simultaneous requests so depending on the response time from the server, you can run though requests very quickly.  Assuming, for example, 10 requests a second, that’s 600 per minute, 36,000 per hour and you can get through that site in 2.22 hours.

The problem is that quite often the target site is not able to handle 10 or even 1 request per second.  Some reasons can include:

  • Still in development – The site is in development and has limited processing power and/or memory.
  • Suboptimal optimization – The site is not built to handle a high level of traffic and this has not yet shown up in QA.  We were on the phone with a customer last month who allowed us to look at the server logs and we saw that one process involved in one of our requests was chewing up 100% of the CPU for 5 seconds.  Another application was re-adding every item to the database each time the shopping cart was updated (as opposed to just the changes) and our 5,000 item cart was severely stressing the database.
  • Middleware  Not to bash any particular vendor (Coldfusion) but some middleware is quite slow.

So let’s look at our 80,000 request example from above and assume that our site can only handle 1 request per second.  Our 2.2 hour scan time balloons to 22 hours.  For our 5 second response in bullet 2, we get to 4.6 days for our little site.  The good news is that NTOSpider can be configured to slow itself down so as to not DOS the site (this is our Auto-Throttle feature).  The bad news is that it will take some time.

So what’s a poor tester to do?

  • Beefier hardware  If you are budgeting for a web scanner,  consider spending a couple of extra thousand dollars on some decent hardware to test your apps. (Note – a modern laptop with optimal ram for the OS you are running – 32-bit OS = 4 Gigs of ram / 64-Bit OS = 8 Gigs of ram – will solve 90% of all performance issues.)
  • Scheduling  In some cases, you can schedule scans so that even if they are longer, you can still get things done in time.
  • Segmenting  In some cases, if you know that only a portion of the site has changed, you can target the scan to test only that subset and dramatically reduce scan time.
  • Code Augmentation  Not to put too fine a point on it, but if a single request is taking 5 seconds to process, a hacker can DOS your site by hand.  You might want the developers to look at adjusting the code.


A non-security geek way to question the Iran drone hack

So, over the past few days we’ve seen several articles about the recent/potential hacking of one of our military UNAV planes over Iran.  Naturally the security geek in me has been piqued to learn more details about how this was done.In the latest information, one of the Iranian engineers talks about jamming the command and control signals to the plane and forcing it to go into auto-pilot mode. Then hacking the plane at its weakest point, aka its GPS system. As a security minded person, I can make lots of arguments on the technical and security related challenges of these statements. However as a big radio frequency (RF) and remote control (RC) enthusiast, I  wanted to talk to a few points of this proposed attack and what may or may not be possible.
Command and Control Jamming- If  you are into RC planes and are big on electronics then finding out that there are kits out there already to build your own small scale UNAV system is nothing new. U-Nav.com (www.u-nav.com) has been in business for years and makes some of the best solutions for building solutions on the small scale.  Their latest kit includes using XBee based radios or modems to send command and control information to the UNAV system from the ground station.  As described in the Iranian attack, once this signal is jammed, the software goes into auto-pilot mode.  This auto-pilot mode usually instructs the aircraft to fly home or to a pre-determined GPS waypoint and hover (fly in circles) around the waypoint until the command and control connection are re-established or perform a controlled crash (typically a flat spin) once power has been depleted to the craft.

Reading up on the latest Info-warfare solutions that we theorize that Iran has at their disposal, it looks as if they have the proper surface-to-air platforms to use to perform this attack. Just keep in mind that jamming most RF signals is entirely possible, just by broadcasting “noise” on the same set of frequencies that the RF receiver is trying to listen in on.

GPS Jamming – GPS jamming is extremely easy.  Heck you can now find complete kits on the Internet to perform just about any jamming you need.  Worried about privacy issues, install a jammer. Worried that law enforcement has installed a GPS or Lo-jack tracker on your car, install a jammer. Yep, its that easy.

Note – Just remember that it is illegal for you to build or use one in the US (as well as many other countries).

Waypoint Hacking – This is the most interesting point of the Iranian hack. According to some of the articles, Iran claims to have altered the GPS signal going to the UNAV system and giving the plane enough information to land safely at a location in Iran.  What is impressive here are the technical challenges to perform this hack:

  • Pushing updated data to the craft – The part I struggle with the most, is the claim that a ground-based tracking station/platform was used to performed this attack.  As I stated, jamming is rather easy.  But jamming while also updating coordinates is complex… especially when doing this to a craft that is above your elevation, fling at 200+ MPH, and you are overriding a signal coming from a satellite that is located above both you and the target. I’d love to hear from any military types on this capability.  But as stated, its one heck of a hurdle to overcome.
  • Knowing the Waypoint to Spoof/Alter – To have the plane land at a location of your choosing assumes you know where its original destination was located at to begin with.  Since Iran stated they analyzed several previously crashed aircraft, I’ll have to assume they were able to gather this information through these or more traditional information gathering efforts..aka – everyone in the region knows all the planes come from 1 or 2 bases.
  • Overriding The Waypoint – The other part I struggle with in the articles is the statement that Iran chose where to land the plane. This basically assumes that they tricked the plane into thinking it was over Afghanistan instead of Iran and was to land at its pre-determined waypoint.  All jokes aside about both places being mostly desert, still the locations are not identical.  To do this part of the attack, you have to overide not only the physical location but also important factors such as the topology of the landing site… aka altitude, approach angle, and wind direction.

It is these last three challenges that make me question the validity of the “hack” that took place, at least as described so far.  But since I know the challenges, I’m also eager to hear on the techniques and solutions to overcome these hurdles. As always, I’ll wait to hear more before giving a final verdict, but just wanted to open up a discussion on the basic hurdles that needed to be overcome for this attack to work.

An Information Security Place Podcast – Episode 01 for 2012 – Breach Report

Wow! Six Months…and two job changes later, we are finally back to recording! YEAH!….Here the latest show from our intrepid hosts.

Show Notes:

InfoSec News Update –

Discussion Topic – 2012 Breach Report

  1. Care2 Discloses Breach; Company Has Nearly 18 Million Members
  2. AntiSec hit California and NY Law Enforcement Sites
  3. Anonymous Nabs 50,000 Credit Card Numbers From Security Think Tank

Music Notes: Special Thanks to the guys at RivetHead for use of their tracks

  • Intro – RivetHead – The 13th Step”
  • News Bed – RivetHead – “Beautiful Disaster”
  • Discussion Bed – RivetHead – “Difference”
  • Outro – RivetHead – “Zero Gravity”
  • Tour Dates:
    1. Jan 6 – Dallas – Curtain Club
    2. Jan 27 – Dallas – Trees
    3. Jan 28 – Dallas – Trees
    4. Mar 2 – Dallas – Curtain Club – 7th Album CD Release Party
    5. Mar 3 – Houston – BFE Rock Club
    6. Mar 24 – Fort Worth – The Rail Club
    7. May 5 – Dallas – Renos Chop Shop


Assessing risk before you buy software: Is company risk inversely related to company size

Software purchase risk assessment
I recently stumbled across this article which got me thinking about the risks organizations take when they buy technology products and what kind of risk assessment process is conducted. Our company sells application security assessment software to people who are experts at managing IT security risk, so I’m curious to hear what others think.
11 Companies On the Edge in 2012
#8 on the list.
Hewlett-Packard. Stock decline: 38 percent.
“HP is on its third CEO in less than two years, with the turnover reflecting strategic confusion that has impaired earnings, enraged shareholders and raised concerns that HP is too unwieldy to be run effectively. With operations in many business and consumer markets, HP has numerous competitors that have been nibbling market share, leading to disappointing results likely to continue into 2012. Some analysts worry that a heavy focus on acquisitions in recent years has left holes in HP’s new-product pipeline. New CEO Meg Whitman may enjoy a bit of a honeymoon, but she’ll need to prove herself by the second half of 2012.”

First, I’d like to clear the air in the spirit of full disclosure.

  1. I have nothing against technology conglomerates and believe that they fill an essential role in our economy.
  2. At various times in my own company’s history, HP and its subsidiaries have been customers, partners and vendors.
  3. I have personally purchased and used many HP products over the years and am a fan of Meg Whitman for her work at eBay.
  4. My company directly competes with HP in the application security space as I mentioned.
  5. I am co-CEO of a privately held company that has been profitable for over six years.  Now on with the post.

The common wisdom seems to be that when purchasing technology products there is little or no risk with large firms and significant risk with smaller firms.

In my experience, this isn’t really true.

Let’s look at the varying types of risk in purchasing technology (this is not specific to application security technology)

  • Technology and Support Team Risk – With any technology, particularly complex technologies, there is a huge risk that the team responsible for creating that technology will change for the worse, and later versions of the product will get worse over time after the customer has spent a significant amount of money for a perpetual license where the product is supposed to last 3-5 years or more.  Customers expect to be able to get ongoing support for the product that they have purchased. This is particularly important with more complex products.
In building application security software, for example, building and maintaining a team of top developers is crucial because the industry-specific knowledge requried to create a leading product requires years of coding and domain expertise as is the case in many industries.
  • Bankruptcy Risk – Obviously, if a company goes bankrupt and is dissolved, there will be no further upgrades or support.
  • Strategic Risk – Companies can decide that the product purchased by the customer does not meet its overall strategy and end-of-life the product. Upgrades will be limited and support will likely wither during the last years of the product’s life.
  • Layoff Risk -When companies effect layoffs, products can suffer, which impacts both the technology on an ongoing basis as well as the support.
  • Risk of Sale – When private companies sell to larger companies, there is always the risk that technology and support teams will leave. This can even be the case if their shares vest over time if there are significant cultural or power conflicts or if the incentives are insufficient.

Let’s look at these risk factors by firm size, profitability and recency of technology acquisition:

Unprofitable Private Companies

  • Technology and Support Team Risk – Generally this risk is less because the core team has a significant equity stake in the company and will stay so long as the company has funding.
  • Bankruptcy Risk – This is the most significant risk. Pre-profitable companies rely on investors to fund losses and investors can be fickle. If funding dries up, the company can be forced to sell (in which case the team may leave) or liquidate.
  • Strategic Risk – Smaller companies typically have few products so this is a minimal risk.
  • Layoff Risk –  Smaller companies can cut back on growth if they cannot raise funds, harming development and support.
  • Risk of Sale – This is a significant risk.

Profitable Private Companies

  • Technology and Support Team Risk – Generally low because of equity incentives. Support can suffer with rapid growth.
  • Bankruptcy Risk – Less than for unprofitable private companies for obvious reasons.
  • Strategic Risk – Again, generally a minimal risk.
  • Layoff Risk – This can be a risk, although less than for unprofitable private companies.
  • Risk of Sale – This is the most significant risk. Most private companies do not go public and there is always the risk that the founders of a profitable private company of sufficient size will cash in and move to an island, harming the technical and support capabilities behind the product.

Large Company with Newly Acquired Technology

  • Technology and Support Team Risk – This is a significant risk.  Technology companies suffer significant attrition in their technical staffs post-acquisition.  Some founders leave because it is more lucrative to be an entrepreneur and some leave because they no longer have to work. For others, the work at large companies is not challenging enough and the entrepreneur in them feels stifled.
  • Bankruptcy Risk – Generally minimal.
  • Strategic Risk -This is a small risk short term.  See below for the longer term risks.
  • Layoff Risk – This is potentially a significant risk depending on the financial profile of the company.
  • Risk of Sale – Less of a risk than for smaller companies.

Large Company with Longstanding Technology

  • Technology and Support Team Risk – After a while, the creators of the technology leave and are replaced by a team that wants to work at a larger company.  This can be good or bad but is generally somewhat stable.
  • Bankruptcy Risk – Generally minimal.
  • Strategic Risk – This is a huge risk.  Large companies go through strategic review constantly.  Many products exist as parcels in larger groups controlled by a single executive or executive team.  When turnover occurs, priorities change and centi-million dollar acquisitions can be written off like week old bananas.  We were partnered with a company that wrote off a $150 million acquisition after 3 years because it didn’t make strategic sense.
  • Layoff Risk – When large companies are in financial trouble, they tend to cut across the Board which can significantly impact product quality and support both from a pure numbers as well as a morale standpoint.
  • Risk of Sale – Less of a risk than for smaller companies.

To sum up, the issue of company risk in technology purchases is far more complex than is ordinarily assumed.  The saying, “no one ever got fired for buying IBM” may not necessarily be true.  Conversely, I’m not arguing that buying from small companies because they are small makes any more sense than buying from large companies because they are large. IT professionals must evaluate the risks of the companies with whom they are doing business on a case by case basis.