eForensics Free Magazine 01.12. teaser
    Document Transcript

    • FREE, VOL. 1 NO. 1
      ORACLE FORENSICS: Detection of Attacks Through Default Accounts and Passwords in Oracle
        • ADVANCED STEGANOGRAPHY: ADD SILENCE TO SOUND
        • LIVE CAPTURE PROCEDURES
        • MOBILE PHONE FORENSICS: HUGE CHALLENGE OF THE FUTURE
        • ISSUES IN MOBILE DEVICE FORENSICS
        • INVESTIGATING FRAUD IN WINDOWS-BASED DRIVING EXAMINATION THEORY SYSTEMS AND SOFTWARE
        • DRIVE AND PARTITION CARVING PROCEDURES
      Issue 1/2012 (1) July
      www.eForensicsMag.com
    • Improve your Firewall Auditing

      As a penetration tester you have to be an expert in multiple technologies. Typically you are auditing systems installed and maintained by experienced people, often protective of their own methods and technologies. On any particular assessment testers may have to perform an analysis of Windows systems, UNIX systems, web applications, databases, wireless networking and a variety of network protocols and firewall devices. Any security issues identified within those technologies will then have to be explained in a way that both management and system maintainers can understand.

      The network scanning phase of a penetration assessment will quickly identify a number of security weaknesses and services running on the scanned systems. This enables a tester to quickly focus on potentially vulnerable systems and services using a variety of tools that are designed to probe and examine them in more detail, e.g. web service query tools. However this is only part of the picture and a more thorough analysis of most systems will involve having administrative access in order to examine in detail how they have been configured. In the case of firewalls, switches, routers and other infrastructure devices this could mean manually reviewing the configuration files saved from a wide variety of devices.

      On Device Auditing (comparison of Scanners and Nipper Studio):
        Password Encryption Settings
        Physical Port Audit
        Network Address Translation
        Network Protocols
        Time Synchronization
        Warning Messages (Banners) *
        Network Administration Services *
        Network Service Analysis *
        Password Strength Assessment *
        Software Vulnerability Analysis *
        Network Filtering (ACL) Audit *
        Wireless Networking *
      * Limitations and constraints will prevent a detailed audit

      Although various tools exist that can examine some elements of a configuration, the assessment would typically end up being a largely manual process. Nipper Studio is a tool that enables penetration testers, and non-security professionals, to quickly perform a detailed analysis of network infrastructure devices. Nipper Studio does this by examining the actual configuration of the device, enabling a much more comprehensive and precise audit than a scanner could ever achieve.

      With Nipper Studio penetration testers can be experts in every device that the software supports, giving them the ability to identify device, version and configuration specific issues without having to manually reference multiple sources of information. With support for around 100 firewalls, routers, switches and other infrastructure devices, you can speed up the audit process without compromising the detail. You can customize the audit policy for your customer's specific requirements (e.g. password policy), audit the device to that policy and then create the report detailing the issues identified. The reports can include device specific mitigation actions and be customized with your own company's styling. Each report can then be saved in a variety of formats for management of the issues.

      Ian has been working with leading global organizations and government agencies to help improve computer security for more than a decade. He has been accredited by CESG for his security and team leading expertise for over 5 years. In 2009 Ian Whiting founded Titania with the aim of producing security auditing software products that can be used by non-security specialists and provide the detailed analysis that traditionally only an experienced penetration tester could achieve. Today Titania's products are used in over 40 countries by government and military agencies, financial institutions, telecommunications companies, national infrastructure organizations and auditing companies, to help them secure critical systems.

      enquiries@titania.com  T: +44 (0)845 652 0621  www.titania.com
    • Dear Readers!

      Digital forensics is a very young field of science but nowadays it's becoming more and more popular. Although it was originally designed for investigating crimes, soon it has become a big part of computer systems engineering and contributed to the development of mobile devices. To meet your professional interests we have created a new publication devoted to digital forensic issues. I present to you our first eForensics offspring - eForensics Free Magazine. It's a monthly compilation of the best articles from four titles: eForensics Mobile, eForensics Computer, eForensics Database and eForensics Network.

      Within the issue of eForensics Free you will find two positions concerning mobile forensics, an article about network forensics, three pieces focused on computer forensics and an article about database forensics.

      The article created by M-Tahar Kechadi and Lamine Aoud will discuss an increasingly important role of mobile forensics in criminal investigations, law disputes and in information security. Eamon Doherty will describe tools used to recover data from mobile devices. Craig S. Wright will introduce you to free tools which can be used to create a powerful network forensics and incident response toolkit. Arup Nanda will show you how to identify potential attacks by adversaries through default accounts. George Chlapoutakis guides you step by step through digital forensic investigation.

      Last but not least, I would like to announce the beginning of two article series. One of them, by Craig S. Wright, will take you through the process of carving files from a hard drive. The other, by Praveen Parihar, will take you on a journey through advanced Steganography.

      Thank you all for your great support and invaluable help. Enjoy reading!

      Aleksandra Bielska & eForensics Team

      TEAM
      Editor: Aleksandra Bielska, aleksandra.bielska@software.com.pl
      Associate Editors: Sudhanshu Chauhan (sudhanshu.chauhan@software.com.pl), Praveen Parihar (praveen.parihar@software.com.pl), Hussein Rajabali (hussein.rajabali@software.com.pl)
      Betatesters/Proofreaders: Nicolas Villatte, Jeff Weaver, Danilo Massa, Cor Massar, Jason Lange, Himanshu Anand, Dan Hill, Raymond Morsman, Alessandro Fiorenzi, Nima Majidi, Dave Mikesch, Brett Shavers, Cristian Bertoldi, Jacopo Lazzari, Juan Bidini, Olivier Caleff, Johan Snyman
      Senior Consultant/Publisher: Paweł Marciniak
      CEO: Ewa Dudzic, ewa.dudzic@software.com.pl
      Art Director: Mateusz Jagielski, mateuszjagielski@gmail.com
      DTP: Mateusz Jagielski
      Production Director: Andrzej Kuca, andrzej.kuca@software.com.pl
      Marketing Director: Ewa Dudzic
      Publisher: Software Media Sp. z o.o. SK, 02-682 Warszawa, ul. Bokserska 1
      Phone: 1 917 338 3631
      www.eforensicsmag.com

      DISCLAIMER!
      The techniques described in our articles may only be used in private, local networks. The editors hold no responsibility for misuse of the presented techniques or consequent data loss.
    • MOBILE

      ISSUES IN MOBILE DEVICE FORENSICS
      by Eamon Doherty
      This article discusses some of the mobile devices and accessories that one may encounter on a suspect during an investigation, examples of usage of these mobile devices and accessories and the tools that one can use to examine them. The article also starts off with some certifications that make one more marketable in this emerging field. In this article the author discusses using tools such as Access Data's FTK, Guidance Software's Encase, and RecoverMyFiles to recover evidence from a digital camera with a FAT file system.

      MOBILE PHONE FORENSICS: HUGE CHALLENGE OF THE FUTURE
      by M-Tahar Kechadi, Lamine Aouad
      While the processes and procedures are well established in traditional hard drive based computer forensics, their counterparts for the rapidly emerging mobile ecosystem have proven to be much more challenging. In this article the author shares some thoughts about the reasons leading to this, as well as the current state of mobile digital forensics, what is needed, and what to expect in the future.

      NETWORK

      LIVE CAPTURE PROCEDURES
      by Craig S. Wright
      As we move to a world of cloud based systems, we are increasingly finding that we are required to capture and analyse data over networks. Once, analysing a disk drive was a source of incident analysis and forensic material. Now we find that we cannot access the disk in an increasingly cloud based and remote world requiring the use of network captures. This is not a problem however. The tools that are freely available in both Windows and Linux offer a means to capture traffic and carve out the evidence we require. In this article the author introduces a few tools that, although free, can be used together to create a powerful network forensics and incident response toolkit.

      COMPUTER

      ADVANCED STEGANOGRAPHY: ADD SILENCE TO SOUND
      by Praveen Parihar
      Steganography is a very comprehensive topic for all techno-geeks because it involves such an interesting and comprehensive analysis to extract the truth, as we have heard this term many times in the context of terrorist activities and their communications. In this article the author discusses methods of Steganography.

      INVESTIGATING FRAUD IN WINDOWS-BASED DRIVING EXAMINATION THEORY SYSTEMS AND SOFTWARE
      by George Chlapoutakis
      Fraud can take many forms, can take place practically anywhere, any when and any how. Theoretical driving examinations are now computerized in most parts of the world and the overwhelming majority of such systems tend to have some to no security at all, relying instead on the invigilators of the exam to catch those suspected of fraud. But, what happens when the invigilators fail and you, the digital forensic investigator, are asked to look into the case? In this article the author shares his experience from the point of view of the digital forensics investigator.

      DRIVE AND PARTITION CARVING PROCEDURES
      by Craig S. Wright
      This article is the start of a series of papers that will take the reader through the process of carving files from a hard drive. We explore the various partition types and how to determine these (even on formatted disks), learn what the starting sector of each partition is and also work through identifying the sector length of each partition. In this, we cover the last two bytes of the MBR and why they are important to the forensic analyst. We start by learning about hard disk drive geometry. In this article the author takes the reader through the process of carving files from a hard drive.

      DETECTION OF ATTACKS THROUGH DEFAULT ACCOUNTS AND PASSWORDS IN ORACLE DATABASE
      by Arup Nanda
      An Oracle database comes with many default userids (and, worse, well known default passwords), which ideally shouldn't have a place in a typical production database but database administrators may have forgotten to remove the accounts or lock them after setting up production environment. This provides for one of the many ways an adversary attacks a database system – by attempting to guess the presence of a default userid and password, either by brute force or by social engineering techniques. In this article the author will show you how to identify such attacks and trace back to the source quickly and effectively. You will also learn how to set up a honey pot to lure such adversaries into attacking so as to disclose their identity.
    • MOBILE
    • MOBILE
      MOBILE PHONE FORENSICS: HUGE CHALLENGE OF THE FUTURE

      While the processes and procedures are well established in traditional hard drive based computer forensics, their counterparts for the rapidly emerging mobile ecosystem have proven to be much more challenging. This article shares some thoughts about the reasons leading to this, as well as the current state of mobile digital forensics, what is needed, and what to expect in the future.

      The information and data era is rapidly evolving. As a result, there has been an exponential growth of consumer electronics, and especially mobile devices over the past few years, with ever-increasing trends and forecasts for the coming years. Mobile devices have already overtaken PCs, and mobile data traffic is expected to increase 18-fold over the next five years to approach 11 exabytes per month, according to Cisco Systems [1]. Their computing power, storage, and functionality have tremendously increased. Phones have been transformed from simple handheld devices, essentially emitting and receiving calls or text messages, into highly effective devices capable of doing more or less everything a desktop or a laptop computer can do, and even more. A large range of Android-based smartphones, iPhones, BlackBerrys, and even tablet products, are all examples of these mobile devices. Their typical storage capacity today is higher than a powerful desktop back in the late 1990s! And the vast majority can also be fed with memory cards.

      This tremendous computational and storage capacity has turned mobile devices into data repositories capable of computing and storing a large amount of personal, organisational and also sensorial information. Indeed, although these devices can be input limited, they have remarkable context awareness because of all the sensors and various connectivity options. Unfortunately, criminals use this technology. They have not missed this proliferation of mobile systems and its data revolution, and these devices are being used as a support to criminal activities.

      For instance, earlier this year, a US officer found out that the suspect he was about to arrest was using his smartphone to listen to the police secure channels streaming via the Internet! [2]. All classes of crimes can involve some type of digital evidence (a photo, a video, a received or emitted call, messages, web pages, etc.). These devices are also commonly used in social networking nowadays, and in carrying out sensitive operations online, including online banking, shopping, electronic reservations, etc. Hacking becomes then a huge problem. In February 2011, hackers were remotely monitoring the calls made and received from about 150,000 infected mobile devices in China [3]. Another example is the Zeus man-in-the-mobile Trojan, discovered in September 2010, which was the first Trojan in the mobile devices environment to compromise the online banking's two-factor authentication mechanism [4] [5]. It is indeed quite easy for cyber criminals to build a Trojan application nowadays [6], because these mobile systems are at their early stages.

      Valuable information can then be obtained from a mobile device: text messages, e-mails, communication logs, contacts, multimedia files, geo-location information (GPS and Wi-Fi hotspots), etc. These can only help answering crucial questions in cybercrime investigations, and solve the related cases. However, there are still a huge number of challenges facing a forensics investigator in obtaining forensically sound evidence from these devices. In this article, we present the process of recovering digital evidence and its challenges, and then share some information about current methods and tools, and a few prospects for the future.
    • NETWORK
      LIVE CAPTURE PROCEDURES

      As we move to a world of cloud based systems, we are increasingly finding that we are required to capture and analyse data over networks. To do this, we need to become familiar with the various tools that are available for these purposes. In this article, we look at a few of the more common free tools that will enable you to capture traffic for analysis within your organisation.

      Once, analysing a disk drive was a source of incident analysis and forensic material. Now we find that we cannot access the disk in an increasingly cloud based and remote world requiring the use of network captures. This is not a problem however. The tools that are freely available in both Windows and Linux offer a means to capture traffic and carve out the evidence we require.

      For this reason alone we would require the ability to capture and analyse data over networks, but when we start to add all of the other benefits, we need to ask, why are you not already doing this?

      LIVE CAPTURE PROCEDURES
      In the event that a live network capture is warranted, we can easily run a network sniffer to capture communication flows to and from the compromised or otherwise suspect system. There are many tools that can be used (such as Wireshark, SNORT and others) to capture network traffic, but Tcpdump is generally the best capture program when set to capture raw traffic. The primary benefit is that this tool will minimize any performance issues while allowing the data to be captured in a format that can be loaded into more advanced protocol analysers for review.

      That stated, there are only minor differences between Tcpdump and Windump and most of what you can do in one is the same on the other (some flags do vary).

      Tcpdump
      Tcpdump uses the libpcap library. This can capture traffic from a file or an interface. This means that you can save a capture and analyse it later. This is a great aid in incident response and network forensics.

      With a file such as "capture.pcap", we can read and display the data using the "-r" flag. For instance:

        tcpdump -r capture.pcap

      will replay the data saved in the file "capture.pcap". By default, this will display the output to the screen. In reality, the data is sent to STDOut (Standard Out), but for most purposes the console and STDOut are one and the same thing.

      Using BPF (Berkeley Packet Filters), you can also restrict the output - both collected and saved. In this way, you can collect all data to and from a host and then strip selected ports (or services) from this saved file. Some of the options that apply to tcpdump include (quoted with alterations from the Redhat tcpdump MAN file):

        -A    Print each packet (minus its link level header) in ASCII.
        -c    Exit after receiving a set number of packets (defined after c).
        -C    Before writing a raw packet to a savefile, check whether the file is currently larger than a given file_size. Where this is the case, close the current savefile and open a new one.
        -d    Dump the compiled packet-matching code in a human readable form to standard output and stop.
        -dd   Dump packet-matching code as a C program fragment.
        -ddd  Dump packet-matching code as decimal numbers (preceded with a count).
        -D    Print the list of the network interfaces available on the system and on which tcpdump can capture packets.
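What reading a savefile back through a filter amounts to (for instance `tcpdump -r capture.pcap 'host 192.0.2.5 and not port 22'`), as an added Python example that is not part of the original article: it parses a classic libpcap savefile, keeps traffic to and from one host and strips a chosen port. The frames, the documentation-range addresses and all function names are constructed for illustration.

```python
import io
import struct

PCAP_MAGIC = 0xA1B2C3D4        # classic libpcap savefile, microsecond timestamps
LINKTYPE_ETHERNET = 1


def build_frame(src_ip, dst_ip, sport, dport):
    """Constructed sample data: minimal Ethernet/IPv4/TCP frame (checksums left 0)."""
    eth = bytes(6) + bytes(6) + struct.pack("!H", 0x0800)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes(map(int, src_ip.split("."))),
                     bytes(map(int, dst_ip.split("."))))
    return eth + ip + tcp


def write_pcap(frames):
    """Serialise frames into a little-endian pcap savefile held in memory."""
    out = io.BytesIO()
    # magic, version 2.4, thiszone, sigfigs, snaplen, link type
    out.write(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET))
    for n, frame in enumerate(frames):
        # ts_sec, ts_usec, captured length, original length
        out.write(struct.pack("<IIII", 1000 + n, 0, len(frame), len(frame)))
        out.write(frame)
    return out.getvalue()


def read_pcap(data):
    """Yield (ts_sec, frame) for each record; handles both byte orders."""
    magic = struct.unpack_from("<I", data, 0)[0]
    if magic == PCAP_MAGIC:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a classic pcap savefile")
    if struct.unpack_from(endian + "I", data, 20)[0] != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet captures are handled here")
    offset = 24
    while offset + 16 <= len(data):
        ts_sec, _usec, incl_len, _orig_len = struct.unpack_from(endian + "IIII", data, offset)
        offset += 16
        frame = data[offset:offset + incl_len]
        if len(frame) < incl_len:
            break                      # truncated final record, e.g. capture was cut off
        offset += incl_len
        yield ts_sec, frame


def flow_of(frame):
    """Return (src_ip, dst_ip, sport, dport) for unfragmented IPv4 TCP/UDP, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    if struct.unpack_from("!H", frame, 20)[0] & 0x1FFF:
        return None                    # later fragment: no transport header present
    l4 = 14 + (frame[14] & 0x0F) * 4   # Ethernet header + IP header length
    if frame[23] not in (6, 17) or len(frame) < l4 + 4:
        return None
    sport, dport = struct.unpack_from("!HH", frame, l4)
    src = ".".join(map(str, frame[26:30]))
    dst = ".".join(map(str, frame[30:34]))
    return src, dst, sport, dport


def filter_capture(data, host, drop_ports=()):
    """Keep packets to or from `host`, then strip any that use a port in `drop_ports`."""
    kept = []
    for ts_sec, frame in read_pcap(data):
        flow = flow_of(frame)
        if flow is None:
            continue
        src, dst, sport, dport = flow
        if host not in (src, dst):
            continue
        if sport in drop_ports or dport in drop_ports:
            continue
        kept.append((ts_sec, src, sport, dst, dport))
    return kept


# Constructed capture: 192.0.2.5 plays the suspect system.
SAMPLE = write_pcap([
    build_frame("192.0.2.5", "198.51.100.10", 40000, 80),
    build_frame("198.51.100.10", "192.0.2.5", 80, 40000),
    build_frame("192.0.2.5", "198.51.100.20", 40001, 22),
    build_frame("192.0.2.9", "198.51.100.10", 40002, 80),
    build_frame("192.0.2.5", "198.51.100.30", 40003, 443),
])

if __name__ == "__main__":
    for row in filter_capture(SAMPLE, "192.0.2.5", drop_ports={22}):
        print(row)
```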
    • COMPUTER
      ADVANCED STEGANOGRAPHY: ADD SILENCE TO SOUND

      Steganography is a very comprehensive topic for all techno-geeks because it involves such an interesting and comprehensive analysis to extract the truth, as we have heard this term many times in the context of terrorist activities and their communications.

      Steganography means covert writing: hiding confidential information into a cover file. This cover file can be in the form of pdf, xls, exe, jpeg, mp3 or mp4, etc.

      Least Significant Bit (LSB) Method is very famous & fascinating when Steganography is discussed because when we discuss the case study of hiding a secret text behind an image it actually sounds interesting. To understand this concept, first we need to understand how an image is classified and what happens when a small bit is altered in an image, which has been described below:

      Images are composed of small elements which are called pixels and we have basically three types of images. A pixel is the essential component of an image:
      1) Black and white – each pixel is composed of a single bit and is either a zero or a one.
      2) Grayscale – each pixel is composed of 8 bits (in rare cases, 16 bits) which defines the shade of grey of the pixel, from zero (black) to 255 (white).
      3) Full color – also called 24-bit color as there are 3 primary colors (red, green, blue), each of these are defined by 8 bits.

      Although we can have different types of images, we assume that a grayscale image has been used. 8-bit grayscale consists of pixels which have 2^8 = 256 possible levels of grey, and each component in an image contributes its different parts such as:
      1. LSB (Least Significant Bit) contributes 1/256th of the information
      2. MSB (Most Significant Bit) contributes ½ of the information

      So, changing that LSB only affects 1/256th of the intensity and humans simply cannot perceive a difference. In fact, it is difficult to perceive a difference in 1/16th of an intensity change, so we can easily alter the 4 LSBs with little or no perceptible difference.

      Here we have shown these two images which illustrate why Steganography has become famous and how an image does not get distorted even if we embed secret or confidential information.

      [Figure: Original Image]
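The LSB arithmetic above, worked through on an 8-bit grayscale buffer as an added Python example that is not part of the original article: it hides a short message in the 1 or 4 lowest bits of each pixel, recovers it, and measures how far any pixel moved, which is what an examiner comparing a file against a known original would see. The cover image, the 4-byte length prefix and all function names are assumptions made for this illustration.

```python
def _to_bits(data):
    """Bytes to a list of bits, most significant bit first."""
    return [(byte >> shift) & 1 for byte in data for shift in range(7, -1, -1)]


def _to_bytes(bits):
    """Inverse of _to_bits; any trailing partial byte is ignored."""
    out = bytearray()
    for i in range(0, len(bits) - len(bits) % 8, 8):
        value = 0
        for bit in bits[i:i + 8]:
            value = (value << 1) | bit
        out.append(value)
    return bytes(out)


def embed(pixels, message, n_lsb=1):
    """Overwrite the n_lsb lowest bits of successive pixels with the message bits."""
    if not 1 <= n_lsb <= 4:
        raise ValueError("the article considers altering at most the 4 LSBs")
    # Assumed framing: a 4-byte big-endian length, then the message itself.
    bits = _to_bits(len(message).to_bytes(4, "big") + message)
    bits += [0] * (-len(bits) % n_lsb)          # pad to a whole number of pixels
    needed = len(bits) // n_lsb
    if needed > len(pixels):
        raise ValueError("cover image too small for this message")
    keep_mask = 0xFF ^ ((1 << n_lsb) - 1)       # clears only the low n_lsb bits
    stego = bytearray(pixels)
    for i in range(needed):
        chunk = 0
        for bit in bits[i * n_lsb:(i + 1) * n_lsb]:
            chunk = (chunk << 1) | bit
        stego[i] = (stego[i] & keep_mask) | chunk
    return bytes(stego)


def extract(pixels, n_lsb=1):
    """Read the low bits back and decode the length-prefixed message."""
    bits = []
    for value in pixels:
        bits.extend((value >> shift) & 1 for shift in range(n_lsb - 1, -1, -1))
    length = int.from_bytes(_to_bytes(bits[:32]), "big")
    if 32 + 8 * length > len(bits):
        raise ValueError("length prefix exceeds capacity: no payload in this format")
    return _to_bytes(bits[32:32 + 8 * length])


def max_change(original, modified):
    """Largest per-pixel difference in grey level (out of 256 levels)."""
    return max(abs(a - b) for a, b in zip(original, modified))


def changed_pixels(original, modified):
    """Indexes of pixels whose value differs: invisible to the eye, trivial to diff."""
    return [i for i, (a, b) in enumerate(zip(original, modified)) if a != b]


# Constructed 32x32 grayscale cover (a simple gradient), one byte per pixel.
COVER = bytes((x * 7 + y * 3) % 256 for y in range(32) for x in range(32))
MESSAGE = b"eForensics"

if __name__ == "__main__":
    for n in (1, 4):
        stego = embed(COVER, MESSAGE, n)
        print(n, "LSB(s): recovered", extract(stego, n),
              "| max grey-level change", max_change(COVER, stego),
              "| pixels touched", len(changed_pixels(COVER, stego)))
```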
    • COMPUTER
      INVESTIGATING FRAUD IN WINDOWS-BASED DRIVING EXAMINATION THEORY SYSTEMS AND SOFTWARE

      Fraud can take many forms, can take place practically anywhere, any when and any how. Theoretical driving examinations are now computerized in most parts of the world and the overwhelming majority of such systems tend to have some to no security at all, relying instead on the invigilators of the exam to catch those suspected of fraud. But, what happens when the invigilators fail and you, the digital forensic investigator, are asked to look into the case? Where does one start, where does one go and where does one end up? What do we investigate, how do we go about it and what tools with?

      In this article, I will attempt to share my experiences investigating such systems from the point of view of the digital forensic investigator who first arrives in the scene of the crime, from the moment of arrival to the end report submitted to the client.

      Let us, then, start our journey from the moment we (the digital forensic investigators) get the fateful call, where we are told it's a case of fraud in the Driving Test Centre and we have been called to investigate it and present a report.

      To begin with, it should be stated that, as most driving test centres are part of a country's internal services, we are going to always be dealing with a mixture of government officials (of middle-management persuasion) and local law enforcement, and we are always going to be needing to deal with red-tape-style bureaucracy, where everything is moving much more slowly than when dealing with the private sector.

      This means we are going to be dealing with the nightmare scenario where our crime scene is possibly several months old and very seriously tainted (as non-essential government bodies tend to respond fairly slowly and after much red-tape to such cases), and where normal digital forensic processes and practices don't usually work. The nightmare comes from the fact that, in such a scenario, you cannot explicitly trust the data you collect or any information that you are given and cannot corroborate in a straightforward way.

      The data has been tainted, the exams are running 2-3 times a week and the test centre cannot be closed down for the duration of the investigation, so we are told we have to release the (many, plus servers) computers within a very specific and finite length of time (1-2 days at most).

      So, we arrive in the vicinity of the crime scene (the building).
    • COMPUTER
      DRIVE AND PARTITION CARVING PROCEDURES

      This article is the start of a series of papers that will take the reader through the process of carving files from a hard drive. We explore the various partition types and how to determine these (even on formatted disks), learn what the starting sector of each partition is and also work through identifying the sector length of each partition. In this, we cover the last two bytes of the MBR and why they are important to the forensic analyst. This process is one that will help the budding analyst or tester in gaining an understanding of drive partitions and hence how they can recover and carve these from a damaged or formatted drive. We start by learning about hard disk drive geometry.

      The format of this article is a step by step process that is designed to take the reader through the analysis of a hard drive. Although the process may vary somewhat for each drive, the fundamentals remain the same and following these steps will allow the analyst to recover drive partitions that have been damaged or formatted even when the automated tools fail.

      THE BEGINNING
      There are a number of commands we shall be using in this article that are fairly standard on most Linux distros. In this article, it is assumed that the analyst has already created a bitwise raw image of the hard disk drive to be examined using "dd" or a similar tool.

      The commands we will start with to copy our MBR (master boot record):

        • dd if=Image.dd of=MBR.img bs=512 count=1
        • ls -al *img
        • khexedit MBR.img &

      Here, we first extract the MBR from our image file (in this case IMG.dd) and extract the data to a file called MBR.img. Note that we have extracted only the first 512 bytes and we can validate the size of this image file using the command "ls -al *img".

      MASTER BOOT RECORD (MBR)
      In most drive formats (there are exceptions with some RISC systems etc.) that we will analyse, each Partition entry is always 16 bytes in length. More, the end of any MBR marker is 0x55AA (ALWAYS)! Many modern Linux, Macintosh and the most recent of Intel PCs have started using GPT instead of MBR. MBR limits the size of partitions to 2.19TB, this is why it starts to be replaced. We will look at other partition formats in later papers.

        Partition   Offset   Byte Place
        1st         0x01BE   446
        2nd         0x01CE   462
        3rd         0x01DE   478
        4th         0x01EE   492

      Table 1. The HDD table
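The MBR layout described above, read programmatically, as an added Python example that is not part of the original article: it checks the 0x55AA marker, walks the four 16-byte entries starting at 0x01BE (the fourth, 0x01EE, is byte 494 in decimal) and turns each entry's starting sector and length into a `dd` carving command. The sample sector, the output file names and the function names are constructed for illustration; the entry field layout is the standard MBR one.

```python
import struct

SECTOR_SIZE = 512
TABLE_OFFSET = 0x01BE            # first partition entry (decimal 446)
ENTRY_SIZE = 16                  # every entry is 16 bytes
SIGNATURE = b"\x55\xAA"          # last two bytes of the sector, offsets 510-511

# A few well-known partition type bytes (not an exhaustive list).
TYPE_NAMES = {
    0x05: "Extended",
    0x07: "NTFS/exFAT/HPFS",
    0x0B: "FAT32 (CHS)",
    0x0C: "FAT32 (LBA)",
    0x82: "Linux swap",
    0x83: "Linux",
    0xEE: "GPT protective",
}


def parse_mbr(sector):
    """Return the non-empty partition entries of a 512-byte MBR sector."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("an MBR is exactly one 512-byte sector")
    if sector[-2:] != SIGNATURE:
        raise ValueError("0x55AA marker missing: not an MBR, or the sector is damaged")
    partitions = []
    for index in range(4):
        # 0x01BE = 446, 0x01CE = 462, 0x01DE = 478, 0x01EE = 494
        offset = TABLE_OFFSET + index * ENTRY_SIZE
        entry = sector[offset:offset + ENTRY_SIZE]
        boot_flag, ptype = entry[0], entry[4]
        # Bytes 8-11: starting sector (LBA); bytes 12-15: length in sectors.
        # Both are 32-bit little-endian, so 2**32 sectors of 512 bytes is the
        # ceiling, which is where the article's 2.19TB limit comes from.
        start_lba, sector_count = struct.unpack_from("<II", entry, 8)
        if ptype == 0x00:
            continue                      # unused slot
        partitions.append({
            "number": index + 1,
            "table_offset": offset,
            "bootable": boot_flag == 0x80,
            "type": ptype,
            "type_name": TYPE_NAMES.get(ptype, "unknown"),
            "start_lba": start_lba,
            "sectors": sector_count,
            "bytes": sector_count * SECTOR_SIZE,
        })
    return partitions


def carve_command(part, image="Image.dd"):
    """dd command that copies one partition out of the raw disk image."""
    return "dd if={} of=partition{}.img bs={} skip={} count={}".format(
        image, part["number"], SECTOR_SIZE, part["start_lba"], part["sectors"])


def build_sample_mbr():
    """Constructed sample sector: a bootable Linux partition and an NTFS one."""
    sector = bytearray(SECTOR_SIZE)
    entries = [(0x80, 0x83, 2048, 204800), (0x00, 0x07, 206848, 409600)]
    for index, (flag, ptype, start, count) in enumerate(entries):
        offset = TABLE_OFFSET + index * ENTRY_SIZE
        sector[offset] = flag
        sector[offset + 4] = ptype
        struct.pack_into("<II", sector, offset + 8, start, count)
    sector[510:512] = SIGNATURE
    return bytes(sector)


SAMPLE_MBR = build_sample_mbr()

if __name__ == "__main__":
    for part in parse_mbr(SAMPLE_MBR):
        print(part["number"], hex(part["table_offset"]), part["type_name"],
              part["start_lba"], part["sectors"])
        print("   ", carve_command(part))
```

To run it against real evidence, read the 512 bytes of the `MBR.img` file produced by the `dd` command above and pass them to `parse_mbr`.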
    • DATABASE
      DETECTION OF ATTACKS THROUGH DEFAULT ACCOUNTS AND PASSWORDS IN ORACLE

      An Oracle database comes with many default userids (and, worse, well known default passwords), which ideally shouldn't have a place in a typical production database but database administrators may have forgotten to remove the accounts or lock them after setting up production environment. This provides for one of the many ways an adversary attacks a database system – by attempting to guess the presence of a default userid and password, either by brute force or by social engineering techniques. In this article you will learn how to identify such attacks and trace back to the source quickly and effectively. You will also learn how to set up a honeypot to lure such adversaries into attacking so as to disclose their identity. Besides, you will also be able to determine why a legitimate user account gets locked out that needs unlocking or a password reset.

      BACKGROUND
      An Oracle database typically comes with several default accounts. Some of them are necessary for database operations. Examples of such userids are SYS and SYSTEM which have the DBA privileges. Other default accounts such as SCOTT, SH, BI, etc. are for demonstration only and are never needed by an application using that database. These accounts should not have been created in the first place. The database creation assistant (DBCA) has a checkbox to install sample schemas (the SCOTT user), which should have been unchecked for a production database. Many DBAs, while creating the database, likely ignore it, resulting in the schema being present. In other cases, the production database may be an upgrade from its earlier incarnation as a development or QA database where these sample schemas were indeed necessary and created. With the upgrade, these schemas have lost significance; but in the spirit of changing as little as possible during the database upgrade, they are usually left untouched and continue to linger. Whatever the reason was, these default accounts leave a backdoor entry to the database.

      Another problem is the presence of default passwords.
    • In the Upcoming Issue of FREE: Smartphone Forensics & More...
      Available to download on August 13th.
      If you would like to contact the eForensics team, just send an email to en@eforensicsmag.com. We will reply a.s.a.p.
      eForensics Magazine has the right to change the content of the next Magazine Edition.