Author: Bill Ricardi
Reviewer: uTest
When you are doing your research on bugs, security, or networking tools, you will most likely use a search engine at some point. I tend to use Google (http://www.google.com) more often than not. They tend to have the most relevant results, with excellent integrated tools (such as GMail, Google Documents, and Google Maps), and their search engine implements Boolean expressions (http://www.google.com/support/websearch/bin/answer.py?hl=en&answer=136861).
Boolean search is the key to efficient, highly targeted web research. It allows you to use special symbols to broaden, narrow, or restrict your results. The main functions of Boolean search are:
Exact phrase using " "
If you put a phrase within double quotes and search for it, the results will be restricted to pages that match the entire, exact phrase. It also requires that the word or words appear on the page, no matter how many other words you include in your search. For example if you search for:
from each sun to each moon
You'll get a bunch of astronomy sites, because they mention these words so often. But that isn't what you were looking for, most likely, if you typed that exact phrase. Now try it again, in quotes:
"from each sun to each moon"
And presto, you get the musical West Side Story, which uses that exact phrase! Similarly, you can put some phrases or words within quotes, and leave some out. The portion of your search inside the quotes must appear in that exact order, and the portion outside will weight the results towards pages that contain those additional keywords, if available. For example, search for:
fashion wood whistles
Depending on your country, you may get different results of course. But in the U.K. you'll certainly get the fashion store, Whistles, on Saint John's Wood Street in London. However, if you wanted to learn how to fashion (make) whistles made of wood, you might want to try this instead:
fashion "wood whistles"
As you can see the results are much more appropriate, talking about wooden whistles, how to fashion them, where to find them, etc. Exact phrase matching is a powerful way to limit and prioritize your search results.
Required word using +
The plus symbol is a shortcut for the AND function. You can use it to require that specific words be included in the search results, in no particular order. It also disables synonyms and spelling corrections, so that the word is matched exactly as you typed it. (Google has since dropped the + operator; in current Google search, putting the single word in quotes, as in "convictions", has the same effect.) For example:
unwarranted santa claus convictions
The results for this are all over the map. And really, with such a broad array of words, it's no surprise. However, simply requiring the search engine to treat one word as mandatory, and not to 'correct' it in any way, produces startling results:
unwarranted santa claus +convictions
Suddenly the primary results are all about the life of Nelson Goodman. If you know an author uses a certain word a lot, and you can't remember the name of the author, searching for the subject matter that they like to write about and putting a + next to their favorite word is a great way to find them. For example:
poker rake unwittingly chips loser
The top result is an article about Facebook poker. But you remember that the author likes to use the word 'unwittingly' a lot, so you force the search engine to look for it, exactly as written:
poker rake +unwittingly chips loser
And the author that you're looking for jumps right to the top of the results! In this case, it happens to be me, but it would work for anyone who has a pet word in their vocabulary that they tend to use more than others.
Exclude words using -
If you need to weed out results from genres that don't apply to what you're searching for, you can put a minus sign in front of a word that you want to exclude from the results. The classic example of this comes from a simple search:
jaguar
You'll get results for the car, the sports teams, and all manner of computer related stuff. If you want to weed out the results that you aren't interested in, try:
jaguar -sport -cars -computer
And suddenly you have facts about the big cats, right at the top of the search. In this way you can slowly refine your search, without having to brainstorm for new keywords that you can add.
There are other functions that are supported by some search engines, including wildcard use. But these are the three main Boolean functions that you can use to dramatically improve your search results, and thus your research. You'll be able to include exactly what you're looking for, and exclude results that don't apply to your situation. With practice, your increased search efficiency will save you a lot of time, and hopefully help you to find more bugs and make you more money!
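To make the three operators concrete, here is a small matcher that applies them to a handful of documents. It is an added example, not code from the original article or from any search engine: the documents, the synonym table and the scoring rule are constructed for illustration, and the scoring (count of optional-word hits, synonyms included) is a deliberate simplification of real ranking. It reproduces the behaviour described above: a quoted phrase must appear contiguously and in order, a +word must be present as spelled (no synonym expansion), a -word must be absent, and everything else only affects ordering.

```python
"""Toy matcher for the exact-phrase, + and - operators described above.

Added example, not from the original article. DOCS, SYNONYMS and the
scoring rule are constructed for illustration.
"""
import re

# Constructed synonym table: an unprefixed query word also matches its
# synonyms; a +word is matched literally, which is the behaviour the
# article describes for the plus operator.
SYNONYMS = {
    "convictions": {"beliefs", "sentences"},
    "cars": {"automobiles", "vehicles"},
}

# Constructed corpus standing in for search results.
DOCS = {
    "Astronomy 101": "Each sun has planets and each moon orbits a planet. "
                     "From the sun to the moon, light takes about one second.",
    "West Side Story lyrics": "Lyrics: from each sun to each moon. "
                              "A song from the musical West Side Story.",
    "Jaguar XJ review": "The Jaguar XJ is a luxury car; cars from Jaguar are built in Coventry.",
    "Jaguar (animal)": "The jaguar is a big cat native to the Americas and hunts at night.",
    "Jacksonville Jaguars": "The Jacksonville Jaguars are a sport team in the NFL.",
    "Nelson Goodman": "Nelson Goodman wrote about unwarranted projections and the convictions behind them.",
    "Santa FAQ": "Santa Claus holds unwarranted beliefs about chimneys.",
}


def tokenize(text):
    """Lower-case alphanumeric tokens, in document order."""
    return re.findall(r"[a-z0-9]+", text.lower())


def parse_query(query):
    """Split a query into exact phrases, +required, -excluded and plain words."""
    phrases, required, excluded, optional = [], [], [], []
    for m in re.finditer(r'"([^"]*)"|(\S+)', query):
        if m.group(1) is not None:
            phrase = tokenize(m.group(1))
            if phrase:
                phrases.append(phrase)
            continue
        word = m.group(2)
        if word.startswith("+") and len(word) > 1:
            required.append(word[1:].lower())
        elif word.startswith("-") and len(word) > 1:
            excluded.append(word[1:].lower())
        else:
            optional.append(word.lower())
    return phrases, required, excluded, optional


def contains_phrase(tokens, phrase):
    """True if the phrase occurs as a contiguous, in-order run of tokens."""
    n = len(phrase)
    return any(tokens[i:i + n] == phrase for i in range(len(tokens) - n + 1))


def expand(word):
    """A plain word plus its synonyms (constructed table above)."""
    return {word} | SYNONYMS.get(word, set())


def score(text, query):
    """None if the document is filtered out, otherwise its relevance score."""
    phrases, required, excluded, optional = parse_query(query)
    tokens = tokenize(text)
    bag = set(tokens)
    if not all(contains_phrase(tokens, p) for p in phrases):
        return None  # "..." must match in that exact order
    if not all(w in bag for w in required):
        return None  # +word must be present, spelled exactly, no synonyms
    if any(w in bag for w in excluded):
        return None  # -word must be absent
    # Plain words only weight the result; synonyms count towards the score.
    hits = sum(tokens.count(t) for w in optional for t in expand(w))
    if not phrases and not required and hits == 0:
        return None  # nothing in common with the query at all
    return hits


def search(docs, query):
    """Titles of the matching documents, best score first."""
    ranked = []
    for title, text in docs.items():
        s = score(text, query)
        if s is not None:
            ranked.append((s, title))
    ranked.sort(key=lambda pair: -pair[0])
    return [title for _, title in ranked]


if __name__ == "__main__":
    for q in ['from each sun to each moon', '"from each sun to each moon"',
              'jaguar -sport -cars -computer',
              'unwarranted santa claus convictions',
              'unwarranted santa claus +convictions']:
        print(f"{q!r:45} -> {search(DOCS, q)}")
```

Run it and the five queries behave as the article says: the unquoted sun/moon query puts the astronomy page first, the quoted one returns only the lyrics page, the -words leave only the big cat, and adding +convictions drops the page that only contains a synonym.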
Standard Security Resources
There are certain security resources that you will always be using. Standard security related websites include:
http://httpd.apache.org/security/ - Known Apache HTTP Server vulnerabilities, listed by version, in one place.
http://nvd.nist.gov/ - The National Vulnerability Database (NVD), run by NIST.
http://cve.mitre.org/ - The CVE list of publicly known vulnerabilities and exposures, maintained by MITRE.
http://www.us-cert.gov/cas/alldocs.html - United States Computer Emergency Readiness Team (US-CERT) alerts and bulletins.
http://technet.microsoft.com/en-us/library/bb625087.aspx - Microsoft TechNet Library entry on IIS security.
http://secunia.com/ - Secunia vulnerability advisories and research archives.
A Word on False Positives
Good security often means generating false data that automated scanners will mistake for vulnerabilities that just aren't there. It might be as simple as changing a website's 404 error message, or as complex as changing the banners and challenge-and-response behaviour that your brand of UNIX normally presents. Either way, generating false positives is an excellent way to waste a hacker's time and effort. In addition, it can waste a security tester's time and effort.
You're going to run into false positives in security testing, no doubt. The most common one that you'll come across is the false detection of 'indicator' web pages, such as those that might indicate an installation of Lotus Domino or database software. A scanner usually decides that such a page exists because a request for a known path (for example a Domino .nsf file) comes back with a 200 status. If the web server is configured to send you to the home page instead of generating a 404 error, every such path comes back with a 200, and the scanner will give you all manner of false positives.
My advice is to use common sense, and manually confirm the presence of detected operating systems, services, and web pages before reporting any bugs that involve their existence. When your research seems to be leading in a direction that does not make sense, you should immediately attempt some kind of manual confirmation of your 'evidence'. Otherwise, you might find yourself wasting an hour of your time and coming up with nothing at all.
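The manual confirmation step for 'indicator' pages can be scripted. The check below is an added example, not code from the original article or from any scanner: it first requests a random path that cannot exist, records what this server says for "not found", and then only accepts a scanner hit if its response is a 200 that differs from that baseline. The two canned sites, the scanner hit list and the 0.9 similarity threshold are constructed assumptions; the fetch() stand-in would be replaced with a real HTTP client, and only run against systems you are authorised to test.

```python
"""Confirm scanner 'indicator' hits against a soft-404 web server.

Added example, not from the original article. The canned responses,
the scanner hit list and the 0.9 threshold are constructed assumptions.
"""
import difflib
import secrets

HOME = "<html><title>Acme Corp</title><body>Welcome to Acme Corp.</body></html>"
LOGIN = "<html><title>Login</title><body><form>user / password</form></body></html>"
DOMINO = "<html><title>Domino Directory</title><body>names.nsf - Lotus Domino</body></html>"

# Constructed site A: every unknown path is served as the home page with a 200
# (modelled as the final response after any redirect to / has been followed).
SOFT_404_SITE = {
    "/": (200, HOME),
    "/admin/": (200, LOGIN),
}

# Constructed site B: unknown paths get a real 404, and names.nsf really exists.
STRICT_SITE = {
    "/": (200, HOME),
    "/names.nsf": (200, DOMINO),
}


def make_fetch(site, soft=False):
    """Return a fetch(path) -> (status, body) stand-in for an HTTP GET."""
    def fetch(path):
        if path in site:
            return site[path]
        return (200, HOME) if soft else (404, "<html>Not Found</html>")
    return fetch


def baseline(fetch):
    """What this server says about a path that cannot possibly exist."""
    probe = "/" + secrets.token_hex(8) + ".nothere"
    return fetch(probe)


def looks_like(a, b, threshold=0.9):
    """Body similarity; 1.0 means identical. Threshold is an assumption."""
    return difflib.SequenceMatcher(None, a, b).ratio() >= threshold


def really_exists(candidate, base, threshold=0.9):
    """True only for a 200 whose body differs from the not-found baseline."""
    status, body = candidate
    base_status, base_body = base
    if status != 200:
        return False
    if base_status == 200 and looks_like(body, base_body, threshold):
        return False  # soft 404: the same page the server serves for junk paths
    return True


def confirm(fetch, paths):
    """Map each scanner hit to True (confirmed) or False (not there)."""
    base = baseline(fetch)
    return {p: really_exists(fetch(p), base) for p in paths}


# Constructed scanner output: paths a scanner might report as "found".
HITS = ["/names.nsf", "/phpmyadmin/", "/admin/"]

if __name__ == "__main__":
    print("soft-404 site:", confirm(make_fetch(SOFT_404_SITE, soft=True), HITS))
    print("strict site:  ", confirm(make_fetch(STRICT_SITE), HITS))
```

Against the soft-404 site the Domino and phpMyAdmin hits are rejected because they are just the home page, while the distinct /admin/ login page survives; against the strict site only the genuinely present /names.nsf is confirmed. A client that does not follow redirects would see a 301 or 302 to / instead of the home page body, which is the same signal and can be treated as not-found in really_exists.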