Richard Brain, technical director at ProCheckUp, explains how the
results of his company's report on e-commerce security were
compiled
In the interest of consumer safety, CW360.com commissioned
ProCheckUp to look at 20 popular Web sites. The flaws and
weaknesses discovered were found using ProCheckNet, a tool
developed by security firm ProCheckUp. This gathers publicly
accessible information disclosed by servers, which it uses to attempt
targeted attacks, akin to a real-life intelligent hacking attempt.
However, no attacks were performed on these Web sites, as this would
have required prior written authorisation from the site
owners.
The ProCheckNet system was run at Level 1, its lowest level of
vulnerability discovery, providing banner grabbing and application
response fingerprinting. Internet servers publicly disclose this
information.
When client software and server software communicate, each side
sends identification information. This is called the
banner, and it identifies the server to the client and vice versa.
ProCheckNet uses a set of standard clients, designed to ensure
that communications are legal and do not disrupt the servers.
Application response fingerprinting by ProCheckNet's clients
allows ProCheckNet to identify the exact application running
(precisely, in some circumstances), irrespective of whether the banner
has been modified. The other unique technology utilised by
ProCheckNet within this test is encryption algorithm
identification, which advises on the strength and suitability of
the encryption algorithm used.
When a client connects to a server over an encrypted link, they
agree on an encryption algorithm to use. The ProCheckNet clients
use a database of all the common encryption algorithms to
cross-reference the agreed encryption algorithm and advise on its
strength.
Sometimes banner grabbing of certain applications will give no
indication of the version, or of whether patches have been applied.
This is common to the majority of Microsoft-based Web sites. One
way to verify the security of these and to determine if patches
have been applied is to run exploits attacking the site. As this
legally requires permission from the site owner, this was not done.
However, evidence of how they are configured can be found from
other information publicly obtainable from the sites: poor
encryption; unnecessary firewall ports open; or obscure
Microsoft services running with no patches (against the advice of
Microsoft).
Sites running on Unix servers generally give more predictable
results with banner grabbing, due to most Unix application vendors
disclosing full version and patch information within the banner.
This allows us to be more accurate in determining the security and
patch level of a Unix site using simple banner grabbing.
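The two Level 1 checks described above, banner grabbing and encryption algorithm identification, can be illustrated together. The following is an added example, not ProCheckNet code: it extracts product/version pairs from an HTTP Server banner, and splits an IANA-style TLS cipher suite name into its key exchange, cipher and MAC parts, cross-referencing each against a small reference table (the table and the rating thresholds are assumptions for illustration, not ProCheckUp's database).

```python
import re
from typing import NamedTuple

# Constructed reference table: algorithm -> (strength, default key bits).
# Assumption for illustration; a real tool carries a far larger database.
CIPHER_DB = {
    "NULL": ("none", 0), "RC2": ("weak", 40), "RC4": ("weak", 128),
    "DES40": ("weak", 40), "DES": ("weak", 56), "3DES": ("moderate", 112),
    "IDEA": ("strong", 128), "AES": ("strong", 128), "CAMELLIA": ("strong", 128),
}
LEVELS = ["none", "weak", "moderate", "strong"]

# 'Apache/1.3.26 (Unix) mod_ssl/2.8.10' -> product/version pairs.
_PRODUCT = re.compile(r"([A-Za-z][\w.-]*?)/(\d[\w.+-]*)")
# 'TLS_RSA_EXPORT_WITH_RC4_40_MD5' -> key exchange, cipher, MAC.
_SUITE = re.compile(r"^(?:SSL|TLS)_(?P<kx>.+?)_WITH_(?P<enc>.+?)_(?P<mac>MD5|SHA(?:256|384)?)$")


def parse_banner(server_header: str) -> list:
    """Return (product, version) pairs disclosed in a Server banner."""
    return _PRODUCT.findall(server_header)


class CipherAssessment(NamedTuple):
    key_exchange: str
    cipher: str
    key_bits: int
    mac: str
    rating: str
    reasons: tuple


def assess_cipher_suite(name: str) -> CipherAssessment:
    """Rate a negotiated suite by its weakest component."""
    m = _SUITE.match(name)
    if not m:
        raise ValueError(f"unrecognised cipher suite name: {name}")
    kx, enc, mac = m.group("kx", "enc", "mac")
    parts = enc.split("_")          # e.g. ['AES', '128', 'CBC'], ['3DES', 'EDE', 'CBC']
    algo = parts[0]
    if algo not in CIPHER_DB:
        raise ValueError(f"unknown cipher algorithm: {algo}")
    strength, default_bits = CIPHER_DB[algo]
    bits = next((int(p) for p in parts[1:] if p.isdigit()), default_bits)
    caps = [(strength, f"{algo} is rated {strength}")]
    if "EXPORT" in kx:
        caps.append(("weak", "export-grade key exchange"))
    if algo != "NULL" and bits < 112:
        caps.append(("weak", f"{bits}-bit key"))
    if mac == "MD5":
        caps.append(("moderate", "MD5 message authentication"))
    rating = min((c for c, _ in caps), key=LEVELS.index)
    reasons = tuple(r for c, r in caps if c == rating)
    return CipherAssessment(kx, algo, bits, mac, rating, reasons)
```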
After identifying applications, the ProCheckNet system then
determines the configuration of the system, identifying any flaws
that may exist due to misconfiguration errors. Irrespective of any
firewalls and protective measures, ProCheckNet can find
configuration details, applications and operating systems. All of
this highly detailed and specific information is used by
ProCheckNet attack systems to target any possible weaknesses or
flaws within the targeted system. The attacks used are not fixed
exploits, but are instead held as patterns that are modified to
precisely match the system under test.