In a report put out a few days ago by Larry Suto, an application security consultant, various web app vulnerability scanners (Acunetix, IBM’s AppScan, Portswigger.net BurpSuitePro, Cenzic’s Hailstorm, HP’s WebInspect, NT Objectives’ NTOSpider, and Qualys’ managed scanning service) were run against a test site and almost universally fared very poorly (except NTOSpider). As a whole, the tools missed nearly half of the existing vulnerabilities. We do use one of the tools on the list (not saying which), which makes such news a bit of a drag to hear. The interesting thing to think on with these sorts of tools is, even if they are so terrible, can you afford to switch away from them? The tool that we use is the corporately “blessed” choice, and I know that it would be like pulling teeth from a statue to even propose getting it on the chopping block. These tools, in general, are hideously expensive, and the vendors for them are not likely to mail you back a check for any of the licensing fees if you become unhappy with the product. Will some of them clean up their act a bit as a result of this? Maybe, at best.
http://ha.ckers.org/files/Accuracy_and_Time_Costs_of_Web_App_Scanners.pdf
Edit: Responses from HP and Acunetix
http://www.acunetix.com/blog/news/latest-comparison-report-from-larry-suto/
Both basically say that Larry is full of something brown and smelly and doesn’t know how to use their products properly. Also pointed out is that NTOSpider did so well because it was tested against the NTO test site.
My replacement for the vulnerable Kingston DTBB came in yesterday afternoon. My first comment would be that it is noticeably heavier than the old drive, I would imagine on account of being filled with epoxy as an anti-tampering mechanism. The other thing that I found interesting is that it says “secured by spyrus” on the side of the case. After a bit of digging, I found this:
http://www.spyrus.com/news/2010_1_28.asp
It would appear that, after failing miserably at their own hardware encryption design, Kingston has decided to farm this out to someone else. Looking over some of the specs, the 5000 also begins to look very similar to a certain ferrous unlocking device…
I finally was able to talk to someone at Kingston this morning. They’ll be swapping me out to a DataTraveler 5000 and theoretically upgrading me from a 2GB to a 4GB. I’ll send the old one off in the mail today and should theoretically have the new one sometime later this week. I’ll bet we see the new ones getting picked on fairly shortly.
Things are back up and going again. It will take a bit to get all of the entries imported from the other site, but I hope to have them done in the next few days.
The new Nmap is now released
The OS detection DB is supposed to be new and spiffified; can’t wait to try it out.
The folks at SySS have discovered a vulnerability in hardware-encrypting flash drives produced by Kingston, SanDisk, and Verbatim (link to their papers on the topic is here). It appears that all three are using generally the same vulnerable architecture. The problem lies in the use of a fixed unlock key that tells the flash drive to open the encrypted storage. The authentication that produces the unlock key all happens in software on the machine that the drive is plugged into. If you can tweak the software to indicate that all passwords are the correct password (a very common software license cracking technique), then away you go to the encrypted storage area.
It so happens that I have a DataTraveler BlackBox from Kingston rolling around, so I thought I’d see what they were going to do about the issue. I called Kingston tech support, as recommended on their page about the vulnerability (http://www.kingston.com/driveupdate/), to see about the update. According to the tech, it’s going to be a software patch, and won’t be available for a couple of weeks yet. He said that they do have one that they’re testing now, but don’t want to release it without testing it thoroughly.
From reading over the vulnerability, I’m not confident that a software patch will really fix things. I imagine that with all the attention that this has gotten, there will be some enterprising folks beating on the patched version as soon as it comes out.
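To make the architectural point concrete (both why the flawed design above falls to a host-side patch and why a host-only software fix cannot close it), here is an added toy model in Python. It is not SySS’s or any vendor’s code; the drive classes, the fixed key and the passwords are constructed, and the XOR “wrap” stands in for a real key-wrap primitive.

```python
import hashlib
import hmac
import os

# Constructed value: in the flawed design every drive accepts the same constant.
FIXED_UNLOCK_KEY = b"constructed-fixed-unlock-key"


class FlawedDrive:
    """Password is checked by host software, which then sends a fixed key."""

    def __init__(self, password: str) -> None:
        self.pw_hash = hashlib.sha256(password.encode()).digest()
        self.dek = os.urandom(32)  # data-encryption key held by the device

    def host_unlock(self, password: str, patched_host: bool = False):
        # The only check lives on the host; a modified host simply skips it.
        if not patched_host:
            if hashlib.sha256(password.encode()).digest() != self.pw_hash:
                return None
        return self.device_unlock(FIXED_UNLOCK_KEY)

    def device_unlock(self, unlock_key: bytes):
        ok = hmac.compare_digest(unlock_key, FIXED_UNLOCK_KEY)
        return self.dek if ok else None


class HardenedDrive:
    """DEK is wrapped under a password-derived key; the device does the check."""

    def __init__(self, password: str) -> None:
        self.salt = os.urandom(16)
        self.dek = os.urandom(32)
        kek = self.derive_kek(password)
        # Toy wrap: XOR with a full-length KEK. A real device would use AES key wrap.
        self.wrapped_dek = bytes(a ^ b for a, b in zip(self.dek, kek))
        self.verifier = hmac.new(kek, b"verify", hashlib.sha256).digest()

    def derive_kek(self, password: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 100_000)

    def host_unlock(self, password: str, patched_host: bool = False):
        # Nothing for a patched host to skip: only the right password yields the KEK.
        return self.device_unlock(self.derive_kek(password))

    def device_unlock(self, kek: bytes):
        tag = hmac.new(kek, b"verify", hashlib.sha256).digest()
        if not hmac.compare_digest(tag, self.verifier):
            return None
        return bytes(a ^ b for a, b in zip(self.wrapped_dek, kek))
```

The check worth taking away is the last one: with the DEK bound to the password inside the device, a host that accepts every password still recovers nothing.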
For those of you that were under a rock yesterday and did not notice, Twitter was down for a bit last night, a bit over an hour all told. It turns out that their DNS settings were hijacked, redirecting the majority of their traffic to other sites. A group calling itself “The Iranian Cyber Army” took credit for the attack.
My order from ciscokits came in a bit ago and appears to be mostly intact. The network hardware shipped in one big box, weighing in at 85 pounds. The box had a big “heavy” sticker on it and had actually split down the side and been taped back together at some point in its journey. It looks like a couple of the switches have broken faceplates, so I’ll have to see what can be done about that. Also, the hardware for the rack seems to not be present. Presumably it will be coming in a separate shipment. I’ve gone through and powered everything up and it all seems to be working. The only hitch was one device whose RAM module had crept out of its socket a bit, easily resolved by re-seating it.
Edit: Rack arrived, pic of everything put together added