
A different kind of spider

It’s always nice to discover a new tool or service that does things differently, even if only a little. I remember when someone first told me about hipmunk. Just when I thought all flight search websites were pretty much the same, here was an example of something different.

Arachni

Perhaps this wasn’t as obviously different as hipmunk is, but one of the tools I came across recently in the security testing world is Arachni. A number of things made it stand out a little. First of all, it is written in Ruby. That alone sparked some curiosity; I’m not entirely sure why, but I’m naturally more interested in programs and tools written in Ruby and Python. The next thing that set it apart from other web scanners was how pluggable and scriptable it is. Arachni appears to be geared towards interfacing with external scripts or programs through an API. One of its core features is its distributed architecture, which allows many modules to be launched independently and controlled programmatically.

After playing around with it, I came across some issues and couldn’t make it work as I expected. Most of them were down to my own lack of knowledge, or to being too lazy to read through the extensive documentation. Luckily, it took no more than a few minutes after I posted a question on GitHub to receive a response from Arachni’s creator, Tasos Laskos, aka Zapotek.
After chatting with Tasos a few times via email, I became even more intrigued by him and the project. I then decided it would be interesting to interview him for my blog. I have no experience interviewing people, but what the heck.

Tasos accepted my invitation for an interview, on the condition that it be text-based. So this interview was carried out via email alone. I personally suspect his voice is funny, but he (obviously) denied it :)
Tasos is certainly not an ordinary person. That becomes apparent when you read his blog, or even the documentation for Arachni. As you can see from the interview, Tasos has very strong and clear opinions. He doesn’t mince his words, and expresses what he thinks very directly. Tasos and Arachni are doing something a little different, and there’s definitely more to look forward to.


updating lighttpd on debian squeeze against the BEAST

If you’re updating your Debian stable (squeeze) system and using lighttpd as your web server, you might come across a security notice on how to protect your lighttpd against the BEAST attack.

lighttpd (1.4.28-2+squeeze1) stable-security; urgency=high

 This release includes an option to force Lighttpd to honor the cipher order
 in ssl.cipher-list. This mitigates the effects of a SSL CBC attack commonly
 referred to as "BEAST attack". See [1] and CVE-2011-3389 for more details.

 To minimize the risk of this attack it is recommended either to disable all CBC
 ciphers (beware: this will break older clients), or pursue clients to use safe
 ciphers where possible at least. To do so, set

 ssl.ciphers =  "ECDHE-RSA-AES256-SHA384:AES256-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH:!AESGCM"
 ssl.honor-cipher-order = "enable"

 in your /etc/lighttpd/conf-available/10-ssl.conf file or on any SSL enabled
 host you configured. If you did not change this file previously, this upgrade
 will update it automatically.

 [1] http://blog.ivanristic.com/2011/10/mitigating-the-beast-attack-on-tls.html

There’s a mistake in this note, however. Instead of