Pen test 06_2012__teasers (Document Transcript)

EDITOR'S NOTE 06/2012 (14)

Dear Readers!

Is there or is there not cyberwar? There are those who claim that the world we know is going to be torn apart by those who will seize and hold power through cyber attacks. For others, war rhetoric is not only an exaggeration but also a threat to security. We decided to take up those matters and devote this issue of PenTest to cyberwar and cybercrime topics.

The Cyberwar section is composed of two articles that present two contradictory views on cyberwar. Johan Snyman, arguing that There Is No Cyberwar, engages in polemics with Cecilia McGuire, who writes about Digital Apocalypse... Whose arguments are more convincing? Read and decide on which side of the barricade you are.

Four articles in the section Cybercrime portray the present situation and problems in the IT Security world and how they can influence a pen tester's life. Billy Stanley in his article The State of Information Security describes the present-day situation, defines the problem, describes the adversaries and proposes a solution. If you are not convinced yet, John Strand will try to prove that Penetration Testing Can Save Lives. This time Jon Ringler prepared for you a great article about cyber criminals using Defense in Depth. The author refers to cyberwar and proposes how pen testers can evolve and start winning it. David Cook's article may especially interest those who are curious about the law issues. We all in our countries have examples of invalid, paradoxical or imprecise laws. In the article entitled Uncertain Law Leaves Penetration Testers in Limbo David reveals the meanders of the hacking law.

This time we would like to present to you the 2nd International Conference on Cybercrime, Security and Digital Forensics. The fight between bad and good guys is always grueling and requires unification of forces. The conference chairman, Dr. Ameer Al-Nemrat, talks about co-operation between many players and other purposes of this big meeting in London.

Ironically, thanks to risk and attacks pen testers are needed on the market. To help you find better job opportunities we have for you two great interviews. The first one is with James Foster from Acumin, an international Information Security and Risk Management recruitment company. The second one is with, already known to you, Debbie Christofferson, International Board Director at ISSA, on seeking employment, working as a freelancer and introducing changes at your company.

PenTest Regular ends with the regular sections PainPill and Read. John B. Ottman presents the fourth chapter of his book Save the Database, Save the World. Dean Bushmiller in his article Pen Testing Scope Drift: Everyone gets excited; No one is getting paid convinces how important it is to focus on your tasks and not let yourself drift away.

I hope that you will find this issue worthwhile. If you have any suggestions for us concerning topics, problems you want to read about or people you would like to know better thanks to PenTest, please feel free to contact us at en@pentestmag.com.

Thank you all for your great support and invaluable help.

Enjoy reading!

Malgorzata Skora & PenTest Team

TEAM
Managing Editor: Malgorzata Skora, malgorzata.skora@software.com.pl
Associate Editor: Shane MacDougall, shane@tacticalintelligence.org
2nd Associate Editor: Aby Rao, abyrao@gmail.com
Betatesters / Proofreaders: Johan Snyman, Jeff Weaver, Dan Felts, William Whitney, Marcelo Zúniga Torres, Harish Chaudhary, Cleiton Alves, David Kosorok
Senior Consultant/Publisher: Paweł Marciniak
CEO: Ewa Dudzic, ewa.dudzic@software.com.pl
Art Director: Ireneusz Pogroszewski, ireneusz.pogroszewski@software.com.pl
DTP: Ireneusz Pogroszewski
Production Director: Andrzej Kuca, andrzej.kuca@software.com.pl
Publisher: Software Press Sp. z o.o. SK, 02-682 Warszawa, ul. Bokserska 1
Phone: 1 917 338 3631
www.pentestmag.com

Whilst every effort has been made to ensure the high quality of the magazine, the editors make no warranty, express or implied, concerning the results of content usage. All trade marks presented in the magazine were used only for informative purposes. All rights to trade marks presented in the magazine are reserved by the companies which own them.

To create graphs and diagrams we used program by
Mathematical formulas created by Design Science MathType™

DISCLAIMER! The techniques described in our articles may only be used in private, local networks. The editors hold no responsibility for misuse of the presented techniques or consequent data loss.

06/2012 (14) June Page 4 http://pentestmag.com
CONTENTS

CYBERWAR

• Digital Apocalypse: The Artillery of Cyber War, by Cecilia McGuire (page 6)
  Cyberspace is now the digital frontier of choice for executing many combat operations, by extending the medium in which greater levels of power can now be accessed by Machiavelli agents, militants and nation-states.

• There Is No Cyberwar, by Johan Snyman (page 12)
  With the growth in cyber-attacks and the large amounts quoted when estimating the costs of these attacks, it has become the norm for mainstream news agencies to carry news on security matters, data breaches and attacks. Unfortunately, what is reported in the media is rarely the full story and the image painted is often the one of imminent disaster, destruction and lawlessness.

CYBERCRIME

• Uncertain Law Leaves Penetration Testers in Limbo, by David Cook (page 16)
  A question that I am often asked is, "How can a penetration tester or ethical hacker be sure that his activities remain lawful?" The reality is that the law regarding cyber crime is fairly ambiguous and I do have sympathy with penetration testers and ethical hackers, given the potential minefield that surrounds them.

• How Cyber Attackers and Criminals Use Defense in Depth Against Us, by Jon Ringler (page 20)
  Cyber attackers are forcing IT Professionals and organizations into an unsustainable stance, exhausting available resources, and adapting advanced techniques to walk right in the front door and strut past the people, process, and technology utilized by Defense in Depth.

• Penetration Testing Can Save Lives, by John Strand (page 24)
  There are a number of ways that a cyber attack can destroy lives. Careers can end, finances can get ruined and companies can cease to be relevant. What is sad is when these tragic side effects of a cyber attack occur and a simple penetration test would have discovered some basic flaws in an organization's defenses.

• The State of Information Security, by Billy Stanley (page 28)
  Malware authors have figured out how to evade AV by continually tweaking their binaries. They can circumvent content filtering systems by hacking legitimate sites (banner ads, etc.) that users are allowed to access. They flow right by IDPS and Malware Detection Systems through the same type of techniques.

CONFERENCE

• 2nd International Conference on Cybercrime, Security and Digital Forensics, by Aby Rao (page 32)
  The threat from cybercrime and other security breaches continues unabated and the financial toll is mounting. This is an issue of global importance as new technology has provided a world of opportunity for criminals.

INTERVIEW

• Looking for a Job – Interview with James Foster from Acumin, by PenTest Team (page 34)
  PenTest Team received many questions concerning the situation on the job market. Many of our readers are in the process of looking for or changing jobs, or starting their own businesses. Since our main aim is to respond to the needs of our readers, PenTest features an interview with James Foster from a recruitment company with 14 years of experience.

• "You must create a plan..." – Interview with Debbie Christofferson, by Aby Rao (page 36)
  You must comprehend the core business and be able to understand and communicate security risk in terms of its impact to that business. While technology competence is key, it is not the deciding factor in success – an ability to create and execute to a longer term strategy determines your fate.

PAINPILL

• Pen Testing Scope Drift: Everyone gets excited; No one is getting paid, by Dean Bushmiller (page 42)
  You do love your job, right? You do want to pound a buffer overflow for hours or even days until the system yields. You do want to find that way in, right?

READ

• Save the Database, Save the World – Chapter 4, by John B. Ottman (page 46)
  "Virus-Like Attack Hits Web Traffic," was the BBC News World Edition headline. The article declared "An attack by fast-spreading malicious code targeting computer servers has dramatically slowed Internet traffic…"
CYBERWAR

Digital Apocalypse
The Artillery of Cyber War

Cyberspace is now the digital frontier of choice for executing many combat operations, by extending the medium in which greater levels of power can now be accessed by Machiavelli agents, militants and nation-states. Squads of cyber militants going under the banner of Anonymous and LulzSec, motivated by the ease with which they can now execute high impact operations whilst avoiding detection, are just a few of the much publicised names synonymous with cyber terrorism.

The multi-dimensional characteristics of cyber space have dissolved the boundaries between the digital landscape and physical security, facilitating cyber-attacks that produce devastating impacts on critical infrastructure, as well as Corporate and Government assets. Global security experts face the challenge of attempting to develop techniques to deter and prevent these global threats. This challenge is complicated further by the rate at which the digital paradigm continues to evolve, which is often considerably faster than the ability to keep up with these developments. This disparity has, unsurprisingly, created an impression, shared throughout the cyber community, that implementing strategies to control the digital domain has become unachievable. As a result of these challenges and many others, Cyber Warfare is set to be one of the greatest challenges posed to the 21st Century.

This article will examine the characteristics of Cyber War operations in order to clarify the ambiguities surrounding these concepts. Such an examination is necessary in order to ensure that the components of Cyber War are not confused with interrelated disciplines such as Information Warfare. Real world examples of Cyber Attacks will then be discussed in order to assess the "nuts and bolts" of cyber-attack operations and to examine whether the world is really prepared for the possibility of a "digital apocalypse". Throughout the analysis this paper aims to emphasise that deterring Cyber War is the key to addressing this challenge.

Cyber Warfare – A Definition

Over the past few decades experts and academics have explored whether the possibility of a Cyber War was in fact a plausible threat. Early pioneers navigating through this new landscape had conjured up post-apocalyptic visions of the impact of Cyber War, bearing resemblances to scenes from a science fiction film. Today, Cyber War is no longer being examined from a theoretical perspective, as these dynamic threats have emerged throughout global systems and networks. Experts are no longer debating the possibility of Cyber War but what can be done to stop these threats.

Despite the widespread acknowledgement of Cyber War, the definition of these threats remains under scrutiny. Experts such as Bruce Schneier have stated that many definitions of Cyber War in current circulation are flawed as they confuse a range of other computer security related concepts such as Information Warfare, Hacking and Network Centric Warfare. In order to clarify the ambiguities surrounding Cyber War, for the purpose of this discussion, Cyber War is defined as:

"Internet-based conflict involving politically motivated attacks on information and information systems. Cyber warfare attacks can disable official websites and networks, disrupt
or disable essential services, steal or alter classified data, and cripple financial systems – among many other possibilities." (Rouse, 2010)

For the purpose of this discussion, Cyber War conflicts will be examined in terms of their impact on the physical realm, particularly their impact on critical infrastructures.

The First Warning Shots

Recorded examples of the impact of cyber-attacks on critical infrastructures have been around for over a decade. One of the earliest cyber-attacks on critical infrastructure took place in January 2000, in Queensland, Australia, where a disgruntled former employee at a manufacturing company hacked into the organisation's computer, using privileged knowledge of the system, and took control of the Supervisory Control and Data Acquisition (SCADA) system. The protagonist was able to maliciously attack the system, causing physical pumps to release raw sewage and producing a considerable amount of damage. Although this attack is not constituted as cyber warfare, it demonstrated the possibility for a digital attack to create a detrimental financial impact and create havoc on critical infrastructures. Since this time, there have been a number of attacks classed as acts of cyber war, such as the 2007 attacks launched against the Government of Estonia. In this example, attackers utilised a variety of different attack methods such as Denial of Service (DoS), website defacement and other malware. This was one of the earliest examples demonstrating the increased level of sophistication of cyber-attacks to be launched against a nation-state.

The Digital Artillery

The arsenal of a Cyber War attack consists of the usual suspects, such as DoS, attacks on DNS infrastructure, anti-forensic techniques, and wide-scale use of Worms, Zombies, Trojans and clichéd methods of electronic attack. However Cyber War represents much more than a DoS attack. When assessing state-of-the-art Cyber War Artillery, one name comes to mind – Stuxnet.

State-of-the-Art: Stuxnet

The ultimate state-of-the-art weapon identified in the cyber warfare arsenal, so far, is the Stuxnet worm. First launched into the digital landscape in June 2009, Stuxnet has become one of the most heavily scrutinised real world examples of Cyber Warfare attacks, with global security and technology communities still struggling to fully comprehend the complexities of its design almost two years on since its initial release. Stuxnet's international attention has been achieved from the sheer sophistication
in design, which is composed of a comprehensive array of attack exploits and covert methods for avoiding detection. Stuxnet is the magnum opus in the malware hall of fame.

The Stuxnet worm infects computers running any Windows OS, and is initially distributed via USB drives, thereby enabling it to gain access to systems logically separated from the Internet. Once access has been gained it then orchestrates a variety of exploits from its toolkit, designed to specifically target vulnerabilities its intelligent design is able to identify in the target host. Stuxnet's artillery uses an array of exploit methods, meticulously designed to circumvent the logical sequence of security measures, one layer at a time. Exploits included Stolen Digital Certificates, Rootkits, Zero-Day Exploits, methods for evading Anti-Virus detection, hooking codes, complex process injections, network injection, to name a few. These exploits however do not affect just any old computer, aside from propagating further. The extraordinarily designed piece of malware has one solitary target in mind – Industrial Control Systems/Supervisory Control and Data Acquisition* (ICS/SCADA) and attached computer systems. With a specific ICS/SCADA being targeted in Iran, Stuxnet reprograms the Programmable Logic Controller (PLC), made by Siemens, to execute in the manner that the attack designers have planned for them to operate within.

* Bruce Schneier argues that Stuxnet only targets ICS, and that press releases which have referenced Stuxnet as also targeting SCADA are "technically incorrect". For further details refer to: http://www.schneier.com/blog/archives/2010/10/stuxnet.html

While experts are still dissecting Stuxnet, it is apparent that the creation is the work of a team of highly skilled professionals. Some estimates have stated that it would have taken a team of 8 – 10 security experts over the course of 6 months to write (Schneier). Many are referring to Stuxnet's creation as a "marksman's job" due to its targeted approach and expert precision.

Given Stuxnet is considered to be one of the greatest malware masterpieces, the temptation to examine its architecture in greater detail could not be resisted. Symantec's "W32.Stuxnet Dossier Version 1.4" provides a detailed analysis delineating the technical attributes composed within Stuxnet, and this 69 page document created by members of their Security Response Team is used as the basis for the following examination. The full array of technical features is outside of the scope of this article, so a brief overview of Stuxnet's architectural components will be summarised below.

Breaking Down Stuxnet

The Core – .DLL files

At the core of Stuxnet is a large .dll file containing an array of resources, diverse exports as well as encrypted configuration blocks. In order to load these .dll files, Stuxnet has the capability to evade detection by host intrusion protection programs which monitor any LoadLibrary calls. These .dlls and encrypted configuration blocks are stored in a wrapper referred to as the 'stub'. Two procedures are then employed to call the exported function. The extracted .dll is mapped into memory as a module and one of the exports from the mapped .dll is called, with a pointer to the stub passed as a parameter. Once the exports are called, Stuxnet then proceeds to inject the entire DLL into another process. Injection targets can include an existing or newly created arbitrary process or a preselected trusted process.

The Process of Injection

Targeted trusted processes are a number of standard Windows processes associated with a range of security products, including – McAfee (Mcshield.exe); Kaspersky KAV (avp.exe); Symantec (rtvscan.exe); Symantec Common Client (ccSvcHst.exe); Trend PC-cillin (tmpproxy.exe), to name a few. Stuxnet then searches the registry for any indication that McAfee, Trend PC-cillin or Kaspersky's KAV (v.6-9) software is in operation. If Stuxnet is able to identify any of these technologies it then extracts the version, which is used to decide how to perform process injection or whether it is unable to by-pass these security products.

Elevation of Administrative Access Rights

Another feature of Stuxnet is its ability to elevate access rights to run with the highest level of privileges possible. Stuxnet detects the level of privileges assigned to it and, if these are not Administrative Access Rights, it then executes zero-day privilege escalation attacks, such as MS10-073. The attack vector used is based on the operating system of the compromised computer. If the operating system is Windows Vista, Windows 7, or Windows Server 2008 R2, the currently undisclosed Task Scheduler Escalation of Privilege vulnerability is exploited. If the operating system is Windows XP or Windows 2000, the Windows Win32k.sys Local Privilege Escalation vulnerability (MS10-073) is exploited.

Load Points

Stuxnet loads the driver "MrxCls.sys", which is digitally signed with a compromised Realtek certificate (which Verisign previously revoked). Another version of this driver was also identified to be using a digital certificate from JMicron. The aim of Mrxcls.sys is to inject copies of Stuxnet into specific processes, therefore acting as the central load-point for exploits. Targeted processes include – Services.exe; S7tgtopx.exe; CCProjectMgr.exe.
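The injection targets and load points described above give a defender two concrete things to watch for: writes into the security-product and load-point processes the article names, and kernel drivers that load under a certificate the issuer has since revoked. The following is an added example, not from the article or from Symantec's dossier, of detection logic run over constructed endpoint events. The `Event` record layout, the `trusted_injectors` allowlist, the signer string and all sample events are assumptions made for the example; only the process names and the driver name come from the article.

```python
# Added example, not from the article or Symantec's dossier: detection logic
# over constructed endpoint events, keyed to the process names the article
# lists as Stuxnet's injection targets and load points.
from dataclasses import dataclass

# Security-product processes the article names as injection targets.
SECURITY_PRODUCT_PROCESSES = {
    "mcshield.exe", "avp.exe", "rtvscan.exe", "ccsvchst.exe", "tmpproxy.exe",
}
# Processes the article names as targets of the MrxCls.sys load point.
LOAD_POINT_TARGETS = {"services.exe", "s7tgtopx.exe", "ccprojectmgr.exe"}


@dataclass
class Event:
    """One endpoint telemetry record (assumed format, constructed for this example)."""
    kind: str                   # "inject" (cross-process write/thread) or "driver_load"
    source: str                 # image name of the acting process
    target: str = ""            # inject: the process written into
    driver: str = ""            # driver_load: driver file name
    signer: str = ""            # driver_load: subject of the signing certificate
    cert_status: str = "valid"  # driver_load: "valid" or "revoked", as reported by the cert check


def check_event(ev, trusted_injectors=frozenset()):
    """Return the list of (rule, subject, object) alerts raised by one event."""
    alerts = []
    if ev.kind == "inject":
        src, tgt = ev.source.lower(), ev.target.lower()
        if src in trusted_injectors:
            return alerts  # e.g. an EDR agent that legitimately instruments processes
        if tgt in SECURITY_PRODUCT_PROCESSES:
            alerts.append(("injection_into_security_product", src, tgt))
        elif tgt in LOAD_POINT_TARGETS:
            alerts.append(("injection_into_load_point_process", src, tgt))
    elif ev.kind == "driver_load":
        # A driver loading under a revoked certificate is the load-point
        # behaviour the article describes (Realtek / JMicron certificates).
        if ev.cert_status.lower() == "revoked":
            alerts.append(("driver_with_revoked_certificate", ev.driver.lower(), ev.signer))
    return alerts


def scan(events, trusted_injectors=frozenset()):
    """Run check_event over a sequence of events and return every alert in order."""
    found = []
    for ev in events:
        found.extend(check_event(ev, trusted_injectors))
    return found


# Constructed sample events; none of these are real telemetry.
SAMPLE_EVENTS = [
    Event("inject", source="csrss.exe", target="explorer.exe"),      # outside both watchlists
    Event("inject", source="updater.exe", target="services.exe"),    # hypothetical writer into a load point
    Event("inject", source="rundll32.exe", target="Mcshield.exe"),   # injection into a security product
    Event("driver_load", source="services.exe", driver="MrxCls.sys",
          signer="Realtek Semiconductor Corp", cert_status="revoked"),  # signer string is constructed
    Event("driver_load", source="services.exe", driver="tcpip.sys",
          signer="Microsoft Windows", cert_status="valid"),
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```

The certificate check relies on whatever revocation status the endpoint's own signature verifier reports; the rule does not fetch CRLs itself, and an allowlist of known-good injectors is needed in practice because security agents themselves instrument other processes.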
The Target: Programmable Logic Controllers

We now arrive at Stuxnet's ultimate goal – infecting Simatic's Programmable Logic Controller (PLC) devices. Stuxnet accomplishes this by loading blocks of code and data (written in the SCL or STL languages) which are then executed by the PLC in order to control industrial processes. In doing so, Stuxnet is able to orchestrate a range of functions such as:

• Monitoring reads/writes of PLC blocks
• Covertly masking that the PLC is compromised
• Compromising a PLC by implementing its own blocks or infecting original blocks.

The Grand Finale

Now that Stuxnet has finally exploited the PLC it has reached its final destination, where Stuxnet is then able to execute its final exploit, which is to slow down or speed up frequency motors. For example, when the frequency of a motor is running between 807Hz and 1210Hz, Stuxnet adjusts the output frequency for shorter periods of time to 1410Hz and subsequently to 2Hz and then back to 1064Hz. These frequencies are typically used by centrifuges in uranium enrichment plants. Ultimately Stuxnet is designed to destabilize ICS/SCADA by changing the speeds of uranium centrifuges to sabotage operations, with the potential for devastating consequences.

Little Brother – Duqu

In September 2011, researchers at the Budapest University's Laboratory for Cryptography and System Security (CrySyS) made the alarming discovery of a Trojan resembling Stuxnet. Their fears were confirmed after dissecting this new threat revealed components that were close to being identical to Stuxnet, indicating that the writers were indeed the same authors, or persons with access to the source code of Stuxnet. They labelled this new threat "Duqu" due to its design, in which it creates file names with the prefix ~DQ.

Duqu is a remote access Trojan designed to steal information from the victim machine and is designed to act as a precursor to a future malware attack, similar to the Stuxnet operation. Duqu is designed to act in much the same way as a reconnaissance agent gathering intelligence from a variety of targets, and like Stuxnet, Duqu's primary targets are industrial infrastructure. Data sources collected by this Trojan include design documents, keystroke records and other system information. Once this intelligence has been gathered by the Trojan, it is then returned to the command and control servers, over HTTP and HTTPS, positioned across global locations such as China, Germany, Vietnam, India and Belgium. This information can then be used by Duqu's creators to launch a premeditated cyber assault against the designated target. By default Duqu is designed to operate for a set period of time (either 30 or 36 days depending on the configuration), after which Duqu will automatically remove itself from the system. A comparison of Duqu and Stuxnet demonstrates:

• Duqu's executables were created using the same source code as Stuxnet.
• Duqu's payload bears no similarity to that of Stuxnet. Duqu's payload is written with the intention of providing remote access capabilities, whereas Stuxnet's payload is designed to sabotage an ICS/SCADA.
• Duqu's payload aims to capture keystrokes and system information rather than modify target systems.
• Duqu (being a Trojan) does not contain any self-propagation capabilities as found in worms like Stuxnet.
• Duqu in one example is distributed by attackers using a specially crafted email containing a Word document which exploits an unpatched 0-day vulnerability to
• Like Stuxnet, Duqu's utilities include stolen signing certificates for signing drivers, stolen from a company in Taiwan, with an expiry date of August 2nd 2011. These certificates were later revoked on October 14th 2011.

The resemblances in the design of Stuxnet and Duqu indicate that they were most likely developed by the same authors. Kaspersky Lab's analysts examining the source code of both programs state that – "We believe Duqu and Stuxnet were simultaneous projects supported by the same team of developers".

The Launch Pad – Tilded

How did Stuxnet and Duqu manage to launch some of the most effective cyber-attacks on record so far? The "launch pad" for this cyber artillery goes by the name of Tilded. The Tilded platform is modular in nature and is designed to conceal the activities of malicious software by employing techniques such as encryption, thereby evading detection by anti-virus solutions. By utilising the Tilded platform, developers of cyber weapons can simply change the payload, encryption techniques or configuration files in order to launch any number of exploits against a range of targets. File naming conventions used by Tilded's developers employed the Tilde symbol and the letter "d"; combining the two
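The frequency figures the article quotes for the PLC stage (a normal band of 807Hz to 1210Hz, excursions to 1410Hz and 2Hz, and a return to 1064Hz) are a concrete basis for a monitoring check on the process side, which is where the damage happens regardless of how the Windows stage was delivered. The following is an added example, not from the article, that runs three checks over a constructed drive-telemetry series: an out-of-band check and a rate-of-change check on an independently measured speed, and a comparison of the PLC/HMI-reported value against that independent sensor. The last check is the one that matters for the masking behaviour the article describes: a PLC that reports a steady 1064Hz while an independent tachometer records 1410Hz is exactly what "covertly masks that the PLC is compromised" looks like from outside. The sample format, the step threshold and the mismatch tolerance are assumptions.

```python
# Added example, not from the article: anomaly checks over constructed
# drive-frequency telemetry, using the figures the article quotes for Stuxnet.

NORMAL_BAND_HZ = (807.0, 1210.0)  # normal centrifuge drive band quoted in the article
MAX_STEP_HZ = 50.0                # assumed: largest plausible change between two samples
HMI_TOLERANCE_HZ = 5.0            # assumed: allowed gap between HMI value and independent sensor


def check_sample(t, hmi_hz, sensor_hz, prev_sensor_hz,
                 band=NORMAL_BAND_HZ, max_step=MAX_STEP_HZ, tol=HMI_TOLERANCE_HZ):
    """Return the list of (timestamp, reason, detail) alerts raised by one sample.

    hmi_hz is the speed the PLC/HMI reports; sensor_hz is measured by an
    instrument that does not depend on the PLC (assumed: a separate tachometer).
    """
    low, high = band
    alerts = []
    # 1. The independent sensor shows the drive outside its normal operating band.
    if not low <= sensor_hz <= high:
        alerts.append((t, "out_of_band", sensor_hz))
    # 2. The independent sensor changed faster than the process physically should.
    if prev_sensor_hz is not None and abs(sensor_hz - prev_sensor_hz) > max_step:
        alerts.append((t, "rate_of_change", sensor_hz - prev_sensor_hz))
    # 3. The PLC/HMI reports a value the independent sensor does not confirm:
    #    a masked (compromised) PLC looks like this from the outside.
    if abs(hmi_hz - sensor_hz) > tol:
        alerts.append((t, "hmi_sensor_mismatch", hmi_hz - sensor_hz))
    return alerts


def detect_anomalies(samples, **kwargs):
    """samples: iterable of (timestamp, hmi_hz, sensor_hz). Returns all alerts in order."""
    alerts = []
    prev = None
    for t, hmi_hz, sensor_hz in samples:
        alerts.extend(check_sample(t, hmi_hz, sensor_hz, prev, **kwargs))
        prev = sensor_hz
    return alerts


def count_by_reason(alerts):
    """Summarise a list of alerts as {reason: count}."""
    counts = {}
    for _, reason, _ in alerts:
        counts[reason] = counts.get(reason, 0) + 1
    return counts


# Constructed telemetry: the HMI keeps reporting a steady 1064 Hz while an
# independent tachometer records the excursions the article describes.
SAMPLE_TELEMETRY = [
    (0, 1064.0, 1064.0),
    (1, 1064.0, 1064.0),
    (2, 1064.0, 1410.0),  # driven above the band; HMI still shows 1064
    (3, 1064.0, 1410.0),
    (4, 1064.0, 2.0),     # driven almost to a stop; HMI still shows 1064
    (5, 1064.0, 1064.0),  # returned to the original speed
]

if __name__ == "__main__":
    found = detect_anomalies(SAMPLE_TELEMETRY)
    for alert in found:
        print(alert)
    print(count_by_reason(found))
```

The band and step thresholds are plant-specific and would be taken from the process engineers rather than hard-coded; the design point is that the sensor feeding this check must not be read through the PLC whose integrity is in question.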
resulted in adopting the name – Tilded. The Tilded team of developers however still remain unknown.

What we do know about Tilded is that it has undergone significant changes since its inception in 2007, with subsequent revisions created through to 2010. The researchers at Kaspersky have been able to confirm that a number of projects were undertaken in this period where programs based on the "Tilded" platform were circulated in cyberspace, Stuxnet and Duqu being two examples. Other researchers have indicated that another variant exists, the Stars worm (also targeting ICS/SCADA systems), which resembles Stuxnet. How many other programs have also been created but may not yet have been detected remains to be determined. What is clear is that as Tilded and similar programs continue to develop, we will see enhanced prototypes being catapulted into the digital limelight.

Are We Prepared for a Digital Apocalypse?

On May 6th 2012, the US Department of Homeland Security reported that a major Cyber Attack was being launched against computer systems used by a national gas pipeline company supplying a total of twenty five percent of the United States' energy. The cyber strike has been traced back to a single source and many experts believe that this is an early indicator of a highly organised Cyber Warfare operation. Early detection of the warning signs of such an attack has instilled reassurance throughout the wider global community that adequate mechanisms are now in place to ensure, at the minimum, that a wide-scale cyber-attack will be detected and deterred prior to it accomplishing any major impact.

As discussed, the dynamic and often unpredictable composition of emerging threats reveals the critical need for developing new strategies within the Cyber Security community, so that detection of these unconventional threats can be done with greater accuracy and prior to them developing the capability to orchestrate operations. The RAND Corporation has stated that as long as systems have flaws, Cyber-attacks will be possible and "…as long as nations rely on computer networks as a foundation for military and economic power and as long as such computer networks are accessible to the outside, they are at risk". Deterrence therefore is the key.

Despite these challenges, real progress is being made. As the nature of Cyber Warfare becomes better understood, in spite of its complexities, a foundation for understanding these multifaceted threats is now being established. The next challenge being faced is in developing strategies/frameworks to deter the motivational factors leading to the creation of these threats, whereby influencing the mindset of cyber militants will be the key defence mechanism available to preventing a digital apocalypse.

CECILIA MCGUIRE
Cecilia McGuire is a dynamic fresh thinker and quiet achiever. Like many Gen-Y's, she has spent the past decade living a somewhat nomadic existence having worked globally, expanding her awareness of international security requirements and foresight into upcoming trends. She attributes much of her influence to growing up in an unconventional family in rural Australia, amongst a blend of western and eastern philosophical paradigms. In 2010, she completed a Masters of Information Security and now lives in Sydney where she works as a Security Consultant.

References

• Clayton, M. (2012). Alerts say major cyber attack aimed at gas pipeline industry. Retrieved 12th of May 2012 from: http://www.msnbc.msn.com/id/47310697/ns/technology_and_science-christian_science_monitor/t/alerts-say-major-cyber-attack-aimed-gas-pipeline-industry/#.T65jgesti8D
• Kamluk, V. (2011). The Mystery of Duqu: Part Six (The Command and Control servers). Retrieved 12th of May 2012 from: http://www.securelist.com/en/blog/625/The_Mystery_of_Duqu_Part_Six_The_Command_and_Control_servers
• Kovacs, E. (2011). Stuxnet, Duqu and Others Created with 'Tilded' Platform by the Same Team. Retrieved 12th of May 2012 from: http://news.softpedia.com/news/Stuxnet-Duqu-and-Others-Created-with-Tilded-Platform-by-the-Same-Team-243874.shtml
• RAND (2009). Cyberdeterrence and Cyberwar. Retrieved 12th of May 2012 from: http://www.rand.org/pubs/monographs/2009/RAND_MG877.pdf
• Rouse, M. (2010). Cyberwarfare. Retrieved 12th of May 2012 from: http://searchsecurity.techtarget.com/definition/cyberwarfare
• Schneier, B. (2010). Stuxnet. Retrieved 12th of May 2012 from: http://www.schneier.com/blog/archives/2010/10/stuxnet.html
• Symantec (February 2011). W32.Stuxnet Dossier Version 1.4. Retrieved 12th of May 2012 from: http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_stuxnet_dossier.pdf
• Symantec (November 2011). W32.Duqu: The precursor to the next Stuxnet, Version 1.4. Retrieved 12th of May 2012 from: http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_duqu_the_precursor_to_the_next_stuxnet.pdf
• Teksouth Corporation (2010). Cyber Warfare in the 21st Century: Guiding Doctrine and an Initial Conceptual Framework. Retrieved 12th of May 2012 from: http://www.slideshare.net/slahanas/cyber-warfare-doctrine
• Westervelt, R. (2012). Tilded platform responsible for Stuxnet, Duqu evasiveness. Retrieved 12th of May 2012 from: http://searchsecurity.techtarget.com/news/2240113299/Tilded-platform-responsible-for-Stuxnet-Duqu-evasiveness
• CYBERWAR
There Is No Cyberwar

With the growth in cyber-attacks and the large amounts quoted when estimating the costs of these attacks, it has become the norm for mainstream news agencies to carry news on security matters, data breaches and attacks. Often this has led to info-sec professionals being quoted (and misquoted) and interviewed voicing their opinions and commenting on these issues.

Unfortunately, what is reported in the media is rarely the full story, and the image painted is more often the one of imminent disaster, destruction and lawlessness.

The Hype
Last year, in a speech to service members at US Strategic Command, US Defense Secretary Leon Panetta painted a very grim picture of the world we live in at the moment: “We’re now in a very different world, where we could face a cyber-attack that could be the equivalent of Pearl Harbor. I mean, cyber these days – someone using the Internet can take down our power grid system, take down our financial systems in this country, take down our government systems, taken down our banking systems. They could virtually paralyze this country” [1]. US Senate Commerce Committee Chairman Jay Rockefeller said recently during a senate hearing: “Today’s cyber criminals have the ability to interrupt life-sustaining services, cause catastrophic economic damage, or severely degrade the networks our defense and intelligence agencies rely on” [2]. According to the American chairman of the Joint Chiefs of Staff, Army General Martin E. Dempsey: “A cyber-attack could stop our society in its tracks” [3].

The belief that cyber-armageddon is upon us has been around for a good few years. In 1993 the world was warned that “Cyberwar is coming” in a paper authored by John Arquilla and David Ronfeldt. Since then many have joined the chorus of voices, warning of the impending doom. Sergey Novikov, head of Kaspersky Lab Global Research and Analysis Team, is recently quoted as saying: “The recent spate of targeted attacks on major corporations and state organizations all over the world, the use of malicious programs as weapons for waging cyber war and conducting espionage and the cutting edge technology of state-backed malware (Stuxnet, Duqu, etc), all herald the beginning of the new cyber era – the era of cyber warfare” [4].

With the growth in cyber-attacks and the large amounts quoted when estimating the costs of these attacks, it has become the norm for mainstream news agencies to carry news on security matters, data breaches and attacks. Often this has led to info-sec professionals being quoted (and misquoted) and interviewed voicing their opinions and commenting on these issues. Unfortunately, what is reported in the media is rarely the full story and the image painted is often the one of imminent disaster, destruction and lawlessness.

The Doubters
There are a few who do not agree with the war rhetoric, who believe that it is not helping security when the threats are exaggerated and fear governs our decisions. Thomas Rid and Peter McBurney published an article
• CYBERCRIME
Uncertain Law Leaves Penetration Testers in Limbo

A question that I am often asked is, “How can a penetration tester or ethical hacker be sure that his activities remain lawful?” The easy response is that the terms of engagement should be defined in advance. The law is concerned with unauthorised access to computer systems, so an IT security consultant should be well aware of what they are actually authorised to do.

The reality, however, is that the law regarding cyber crime is fairly ambiguous, and I do have sympathy with penetration testers and ethical hackers, given the potential minefield that surrounds them.

The term “ethical hacking” seems like an oxymoron at first glance, but is clearly the only effective method of ensuring that a company can be relatively certain that its system can withstand certain computer attacks. The Ethical Hacking Council defines the goal of the ethical hacker as to “help the organisation take pre-emptive measures against malicious attacks by attacking the system himself; all the while staying within the legal limits”.

Background to Hacking Law
It is easy to appreciate the difficulties faced by Parliament when drafting statute, but never more so than in respect of the laws relating to computer offences. The evolution of hardware technology is arguably now moving more swiftly than consumer demand, but it is in the progression of software systems that we are seeing an absolute sea-change.

The Internet has proven to be a societal equaliser – armed with only a computer and access to the Internet, there is the potential for us all to become hackers. We are now seeing 15-year-old hackers targeting large corporate bodies, causing them significant disruption and getting away with it in the majority of cases. The case that focused Parliament on the necessity for specific hacking laws dates back as far as 1988, to the Schifreen and Gold case.

British Telecom had introduced a simple computer communication system called Prestel, which worked by dialling the computer’s number and then having the telephone system connect the dialler to the appropriate Prestel centre. A subscriber to this system would then be asked to enter their password and identity number in order to access their respective section of the database.

A man called Robert Schifreen was attending a trade show and observed an engineer for Prestel enter his details in the system – a username of 22222222 and a password of 1234. Presumably, this was an administrator account, and Schifreen, along with his friend Stephen Gold, were then able to thoroughly explore the Prestel system. Once in the system, they changed some data and even managed to gain access to the personal message box of the Duke of Edinburgh, Prince Phillip, leaving the message, “Good afternoon HRH Duke of Edinburgh” in the process. After these exploits, Schifreen sold his story to the Daily Mail and even appeared on television to discuss what he had been a part of.

Unfortunately for Schifreen, the Prestel computer network was more successful and widely used than
• CYBERCRIME
How Cyber Attackers and Criminals Use Defense in Depth Against Us

The concept of Defense in Depth has actually been reverse engineered and used against IT Professionals, and is now utilized by attackers to provide them the attack vector they require to facilitate a successful attack. Cyber attackers are forcing IT Professionals and organizations into an unsustainable stance, exhausting available resources, and adapting advanced techniques to walk right in the front door and strut past the people, process, and technology utilized by Defense in Depth.

Cyber attackers are provoking organizations to implement a layered defensive stance that is complex, far-reaching, unmanageable, extremely costly, and requires a team of subject matter experts to run. As Information Technology (IT) professionals, we are familiar with the concept of Defense in Depth. For those unfamiliar with the concept, the adaptation for Cyber-security is to layer multiple defense mechanisms to delay (not prevent) a successful attack until appropriate preventative measures are deployed. As IT professionals, we are also familiar with the requirement for us to stay up to date on technologies, education, current events, etc. Now that defense in depth has been around for a while and is professed by all organizations, it is worth taking another look at the concept, how it is implemented, and whether it is still effective against Cyber Warfare and Cyber Crime.

Figure 1. Traditional Defense in Depth

Traditional military strategies and ideas can no longer be applied at the root of their intent when dealing with Cyber Security, as the tactical landscapes of both have changed. We need to learn to adapt or continue suffering the cyber-consequences.

Defense in Depth as Designed
Defense in Depth at its inception was a military strategy originally defined by the National Security Agency (NSA). The goal of this Defense in Depth strategy was to elongate and delay rather than prevent the success of an attacker, therefore exhausting their resources and causing them to diminish their forces while buying time and keeping attackers at bay. Instead of defeating an attacker and defending their territory with a single, strong defensive mechanism, Defense in Depth relied on the tendency
• CYBERCRIME
Penetration Testing Can Save Lives

There are a number of ways that a cyber attack can destroy lives. Careers can end, finances can get ruined and companies can cease to be relevant. What is sad is when these tragic side effects of a cyber attack occur and a simple penetration test would have discovered some basic flaws in an organization’s defenses.

In this article we will discuss some recent high-profile attacks and we will look at ways a penetration test should have discovered these vulnerabilities well before the attackers did. However, it is important for us to first try to understand exactly what a penetration test is. Currently there is a great debate in the back corners of various hacker and security conferences around the world on the topic. Many people have specific aspects they feel validate their view of what a penetration test is or is not. For the purposes of this article let’s say a penetration test would be crystal-box and could include scanning with automated tools. Granted, there are people who would argue that using any sort of automated scanning tool is not part of a penetration test. Let’s also assume those people are trolls and they will shortly be back under their various bridges.

A penetration test can be a number of things. For many organizations a penetration test will require automated tools for scanning existing vulnerabilities, which will lead to possible exploits. For some more advanced organizations a full black-box test may be required. This will be based on how mature an organization is in its security lifecycle. Some organizations will require simple scans to get them going in the right direction. Other companies, which are more mature, will require more rigorous testing. However, a common theme that should exist in any penetration test is a solid focus on business impact. Even more important is the necessity of all penetration tests to have a human analyze data and focus on business logic with a clear focus on business risk. This is something automated tools will never be able to do, but they can help the process. And the companies we will focus on clearly were impacted.

The following incidents will highlight why penetration testing is essential, and they will each highlight a key security weakness that a penetration test would have uncovered.

RSA – One Size Testing Does Not Fit All
The RSA attack appears to have been launched via a spear-phishing attempt to two different groups within RSA over a couple of days. The malicious emails contained an Excel spreadsheet that was entitled “2011 Recruitment Plan” and contained a Flash 0-day that triggered when the attachment was opened.

When news that RSA was compromised hit the Internet it sent shockwaves through the industry. It was not just an issue of a major company being compromised, it was that so many other organizations’ security support structures were based on SecurID. The very .asc and .xml files that seed the crypto in our secure key fobs were exposed.

There are a couple of lessons to be learned from this breach. The first is how intrinsically intertwined our security is with other companies. But there is
• CYBERCRIME
The State of Information Security

Malware authors have figured out how to evade AV by continually tweaking their binaries. They can circumvent content filtering systems by hacking legitimate sites (banner ads, etc.) that users are allowed to access. They flow right by IDPS and Malware Detection Systems through the same type of techniques.

Firewalls offer good protection for inbound connection attempts, though the threat vector now consists of an attacker riding back in on legitimate outbound connections.

While information security is much better today than it has ever been before, it is far from being in a position to adequately deal with modern-day threats. In order to address the gap, we must dive deeper into the problem and develop an embraceable strategy for success. It is only when we understand who our adversaries are and what their motivations and tactics are that we will be in a position to address the problem. Let’s have a closer look.

The Adversary
Enemies in this type of fight are some of the toughest to identify and virtually impossible to stop. Some are too young to drive a vehicle, while others are your quiet next door neighbor, a college student half-way around the world, an eco-terrorist upset with your company’s policies or a religious extremist defiant to be heard. While the motivation varies, the common themes tend to revolve around the following:

• Personal / Pride – Though more of a vintage motivation for launching an attack, this still happens to a lesser degree within the hacking communities.
• Geo-Political – A considerable force that is gaining more and more momentum. One of the more recent attacks to be publicized was the state-sponsored Stuxnet worm which targeted centrifuge equipment at Iran’s nuclear facilities.
• Terrorism – Over the years, hacking has been observed to both advance terrorist agendas in addition to launching full-fledged attacks.
• Financial – This is the largest motivating factor behind hacking activities today. The black market for selling unethical and/or illegal activities is very lucrative for those that have a marketable service.

Attack Vectors
Common attack vectors have certainly changed with time, indicating that we are dealing with a versatile enemy. As we have learned their techniques and deployed our defenses, they have been able to adapt their offensive strategy in relatively short order. A few examples are as follows:

• Network-based and noisy – Referring back to the slew of Microsoft RPC and SMB-related vulnerabilities, ultimately resulting in self-propagating malware.
• Web-based/Drive-by – This vector is one of the most popular in use today and one of the toughest to defend against. Attackers have learned how to bypass vendor validation processes when
• CONFERENCE
A voice to be added to the voices called to ... fight against cybercrime

Dr. Ameer Al-Nemrat, Chairman of the 2nd International Conference on Cybercrime, Security and Digital Forensics

The threat from cybercrime and other security breaches continues unabated and the financial toll is mounting. This is an issue of global importance as new technology has provided a world of opportunity for criminals. Therefore, reducing the opportunities for cybercrime is not a simple task but requires co-operation between many players, computer security specialists, legal professionals, academia, public citizens, and law enforcement agencies, and fundamental changes in common attitudes and practices.

Aby Rao: Please, tell us about the purpose of the Cyber Forensics conference.

Ameer Al-Nemrat: The threat from cybercrime and other security breaches continues unabated and the financial toll is mounting. This is an issue of global importance as new technology has provided a world of opportunity for criminals. Therefore, reducing the opportunities for cybercrime is not a simple task but requires co-operation between many players, computer security specialists, legal professionals, academia, public citizens, and law enforcement agencies, and fundamental changes in common attitudes and practices. Computer and network security are often key factors that determine the likelihood of cybercrime, while digital forensics focuses on the detection, evidence gathering and prosecution of offenders.

Dr. Ameer Al-Nemrat
Dr. Ameer Al-Nemrat is a Senior Lecturer at the School of Architecture, Computing and Engineering (ACE) at the University of East London (UEL). Dr Al-Nemrat is the programme leader for the MSc Information Security and Computer Forensics, and MSc Cyber Crime. Dr Al-Nemrat’s PhD was the first PhD in Cybercrime Victimisation in the UK in 2009, and he has published a number of journal and conference papers and book chapters, and is one of the editors of the book “Issues in Cybercrime, Security, and Digital Forensics”. Dr Al-Nemrat has worked closely on cybercrime-related projects with law enforcement agencies. A Cybercrime Programme project led by Dr Al-Nemrat won a Good Practice Award from The European Commission under the Leonardo da Vinci scheme, which focuses on the teaching and training needs of those involved in vocational education and training.
• INTERVIEW
Looking for a Job

Interview with James Foster from Acumin, an International Information Security and Risk Management Recruitment Company

The PenTest Team received many questions concerning the situation on the job market. Many of our readers are in the process of looking for or changing jobs, or are starting their own businesses. Since our main aim is to respond to the needs of our readers, PenTest features an interview with James Foster from a recruitment company with 14 years of experience. From this conversation you will learn, among other things, about demand for penetration testers, the expectations of employers and also of employees, and the pros and cons of being a freelancer.

PenTest: James, Acumin is an international Information Security and Risk Management recruitment company. Please, tell us which professions are the most desirable within the IT Security market?

James Foster: Acumin have a vast network within the IT Security space, having worked solely in this area for the last 14 years servicing Information Security Vendors, Consultancies, System Integrators, and End Users. Our extensive End User client base provides us access to Information Security Managers and CISOs in a variety of sectors, which in turn provides invaluable knowledge of the challenges they face within an ever evolving Information Security landscape. These End User challenges fundamentally feed the demand for innovative technology and services from Information Security Vendors and Consultancies, and these challenges are regularly surveyed by Acumin and have formed a current snapshot of in-demand professions:

• Penetration Tester (particularly CREST or CHECK certified)
• Application Security Consultant / Architect
• Data Loss Prevention Consultant
• Governance, Risk and Compliance (GRC) Consultant

PT: How is the current demand for pentesters?

JF: Pen Testers have grown in demand over the last 4-5 years due to the importance and increased awareness for organisations to understand potential vulnerabilities in their technical landscape, and as a result their value in the market has increased.

PT: In which country would a pentester most likely find a good job?

JF: Pen Testers are in demand globally.

PT: Could you describe the expectations of employers towards employees?

JF: The expectation of an employer towards a Penetration Tester depends on the employer. If the hiring manager works within an End User organization then the requirement of the Pen Testing employee is to ensure the ongoing testing of Infrastructures and/or Applications to highlight and report potential security vulnerabilities in order for remediation work to be conducted. As an employer running a team of Pen Testers within a Consultancy, a key expectation they will have aside from the obvious technical capabilities is a willingness to travel. It’s imperative that as a Penetration Tester you are prepared to travel a lot to different client sites. The
• INTERVIEW
“You must create a plan...”

Debbie Christofferson, International Board Director at ISSA, on seeking employment, working as a freelancer and introducing changes at your company.

You must comprehend the core business and be able to understand and communicate security risk in terms of its impact to that business. While technology competence is key, it is not the deciding factor in success – an ability to create and execute to a longer term strategy determines your fate. Communication skills are critical, orally and in writing, and an ability to build relationships and influence others across business units, and possibly across the globe if that’s where you operate. You must stay engaged in the business, and keep current on your skills in IT, and risks within your own structure.

Aby Rao: Can you tell us what convinced you to become a security specialist?

Debbie Christofferson: During my Intel position as an IT Operations Supervisor, the manager who originally hired me was chartered to start up a Corporate Information Security function. This supported the uprising of distributed computing, UNIX, firewalls, and a new breed of hacking experts. I knew then I wanted to be part of that team, for my previous manager and in this new field. It required you to create something out of nothing, to be comfortable with ambiguity, to be good at working across people and platforms, and to be a good advisor to the organization. I began sowing the seeds and plotting my course on how to get there.

AR: What was the most difficult for you at the beginning of your career?

DC: Lack of structure and support. Automated tools didn’t exist then – except unix scripts – and staffing was minimal. Security had no credibility initially. You were expected to know everything yet you were also universally ignored, and often seen by others as an opportunity to reroute or eliminate your headcount as unnecessary.

AR: What are some of the core competencies of a security consultant?

DC: You must comprehend the core business and be able to understand and communicate security risk in terms of its impact to that business. While technology competence is key, it is not the deciding factor in success – an ability to create and execute to a longer term strategy determines your fate. Communication

Debra Christofferson
Debra Christofferson, CISSP, CIPP/IT, CISM serves ISSA as an International Board Director and was recognized in 2011 as a Distinguished Fellow. She’s an experienced security manager and consultant with global Fortune 500 experience, who is seeking a permanent strategic role in a large progressive organization. For a no-fee copy of her 7-page Security Risk Management Plan, send email with a subject line of “PenTest Risk Plan” to: DebbieChristofferson at earthlink dot net.
• Get prepared.
We are Expanding Security, a Pen Testing and Training Company. We’ve been preventing the deer-in-headlights look since 2006. We offer Pen Testing services plus our Live On Line training classes for ISSMP, ISSAP, CISSP, and Certified Ethical Hacker. We give you online access to materials wherever you are.

You need to keep your job secure, your business strong, and your staff on top of the game. See how good and fun training can be. Our courses are current to changing technology, and our training is the fastest, easiest way to master the relevant data you need NOW.

Sign up for our free weekly PainPill and come to a free class. http://www.expandingsecurity.com/PainPill

…with Freedom, Responsibility, and Security for All ™
www.ExpandingSecurity.com
• PAINPILL
Pen Testing Scope Drift
Everyone gets excited; no one is getting paid

You do love your job, right? You do want to pound a buffer overflow for hours or even days until the system yields. You do want to find that way in, right? How long are you willing to spend? Last week I had someone ask me to “join their team.” That is a euphemism for taking a pay cut so they can make money off me. The question is out there: Would I do more work for less money? Would you? Would you do it if there was no pay? Would you do it for less pay?

People ask me what I do. I tell them I break into networks for a living. Oh, so you are a hacker? Please, tell me all the juicy details. Uh, no. The details would bore you to death. Do you really want to hear how cool an RPC DCOM exploit is when you get shell? Do you even remember Blaster or Nachi?

No one, I mean NO ONE but pen testers are thrilled by finding these flaws and exploiting them. You and I love it. You do love your job, right? You do want to pound a buffer overflow for hours or even days until the system yields. You do want to find that way in, right? How long are you willing to spend?

Last week I had someone ask me to “join their team”. That is a euphemism for taking a pay cut so they can make money off me. The question is out there: Would I do more work for less money? Would you? Would you do it if there was no pay? Would you do it for less pay?

I hope you love what you do, but wait just a minute here. Penetration testing is a job. The job comes with all the other baggage of a job like: paperwork, expense reports, legal issues, learning some weird one-off application that you will never see again.

Does this have anything to do with scope drift?
Yes, it has everything to do with scope drift. You are paid to do a job; when you are less efficient or waste time, you do not get paid for it. When the project scope dictates you do this, but then you do this and that, you do not get paid for that. If you are changing the scope you might cause problems. If the client is changing scope, you should be getting paid. We need to look at how we abuse the scope and how the client does the same. The combination of the two can lead to dissatisfaction on both sides. Let us explore the boundaries of scope drift.

The contract for pen testing by its very nature is vague. If the client is very specific, you are lucky. Each client has an expectation of dynamic interactions on the penetration testing project. Just like any customer or part-time boss, some prefer to micro-manage. Other clients set the expectations and wait for the outcome. You have your own preferences. Sometimes you end up pushing the client along so that you can get the current job done and move on to the next. You might need a day to collect more data. You might need to manage the scope itself to fill those hours you are billing, but I doubt it.

There is never enough time to do the job we really want to do. Learning an obscure implementation takes a few more hours than we thought. Just when it gets exciting, we are out of time or life gets in the way. For example: the wife has left my dinner in the oven for so long it has gone past dried out and moved on to dehydrated. I cannot tell you how many times I have said, I promise honey this will only take twenty minutes more. Just when we get into a rhythm of pivoting and exploiting, the kids come in and ask us to take them to school. Is it really the next day already?
READ: Save The Database, Save The World!
Chapter 4: Enemy Tactics

“Eighty-five percent of attacks [in 2009] were not considered highly difficult.”

Virus-Like Attack Hits Web Traffic, was the BBC News World Edition headline. The article declared “An attack by fast-spreading malicious code targeting computer servers has dramatically slowed Internet traffic… In South Korea Internet services were shut down nationwide for hours on Saturday… The nationwide Internet shutdown was triggered by ‘apparent cyber terror committed by hackers,’ the country’s Yonhap news agency reported.”

On January 25, 2003 the world experienced one of the largest Denial of Service (DoS) attacks in history as the SQL Slammer Worm was unleashed. The attack spread at light speed, and in as little as ten minutes infected as many as 75,000 database servers, slowing down Internet traffic worldwide.

While commonly known as the “SQL Slammer Worm,” this worm was not a SQL injection attack, and it did not even use the SQL language. Named after Microsoft SQL Server, the database platform against which it was targeted, the SQL Slammer Worm exploited a known bug in MS SQL Server for which a patch had been released six months earlier. While some companies surely had updated their MS SQL Server databases when the patch was released by Microsoft, many others had not. Regardless, the denial of service that followed impacted the entire Internet.

Like the tsunami following an earthquake, the ensuing denial of service impact was far more devastating than the original worm attack. The SQL Slammer Worm took advantage of a common software bug called a buffer overflow. When instructions are read into memory without the length of the string being checked by
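The excerpt stops mid-sentence, but the class of bug it names can be shown directly. The C below is an added example, not code from the book or from the worm: a request handler that copies an attacker-supplied name into a fixed stack buffer with strcpy, beside a version that bounds every read by the datagram length and every write by the destination size. The request-type byte 0x04, the 64-byte buffer, the handler names and the datagram layout are illustrative assumptions for this demo; they do not reproduce the SQL Server Resolution Service packet format that Slammer hit (the overrun Microsoft patched in MS02-039, reachable with a single UDP datagram to port 1434).

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not the book's or the worm's code. Both constants model
 * the shape of the bug, not the real Resolution Service packet layout;
 * they are assumptions for this demo. */
#define REQ_TYPE_NAME 0x04   /* hypothetical "look up instance by name" */
#define NAME_BUF      64     /* hypothetical fixed-size stack buffer     */

/* Negative results shared by both handlers; a non-negative result is the
 * accepted name length. */
enum { REQ_BAD_TYPE = -1, REQ_NO_TERMINATOR = -2, REQ_TOO_LONG = -3 };

/* Assumed datagram layout: [type byte][name bytes...][NUL]. */

/* VULNERABLE: the pattern behind Slammer. strcpy stops only at a NUL byte
 * and never consults NAME_BUF, so a datagram carrying more than
 * NAME_BUF - 1 name bytes writes past `name` and over whatever follows
 * it on the stack (saved registers, return address). Only call this with
 * a short, well-formed packet; with a long one it is undefined behaviour
 * by design. */
int handle_request_vulnerable(const uint8_t *pkt, size_t len)
{
    char name[NAME_BUF];
    if (len < 2 || pkt[0] != REQ_TYPE_NAME)
        return REQ_BAD_TYPE;
    strcpy(name, (const char *)pkt + 1);   /* no bound check: the bug */
    return (int)strlen(name);
}

/* HARDENED: every read is bounded by the datagram length and every write
 * by the destination capacity. On success `out` is NUL-terminated. */
int handle_request_hardened(const uint8_t *pkt, size_t len,
                            char *out, size_t out_cap)
{
    if (len < 2 || pkt[0] != REQ_TYPE_NAME)
        return REQ_BAD_TYPE;

    /* Locate the terminator without reading past the datagram. */
    const uint8_t *nul = memchr(pkt + 1, '\0', len - 1);
    if (nul == NULL)
        return REQ_NO_TERMINATOR;   /* unterminated: refuse, do not guess */

    size_t name_len = (size_t)(nul - (pkt + 1));
    if (name_len >= out_cap)
        return REQ_TOO_LONG;        /* would not fit together with its NUL */

    memcpy(out, pkt + 1, name_len);
    out[name_len] = '\0';
    return (int)name_len;
}

/* Constructed request: type byte + name + NUL. Returns the datagram
 * length, or 0 if it does not fit in buf. */
size_t build_request(uint8_t *buf, size_t cap, const char *name)
{
    size_t n = strlen(name);
    if (n + 2 > cap)
        return 0;
    buf[0] = REQ_TYPE_NAME;
    memcpy(buf + 1, name, n);
    buf[n + 1] = '\0';
    return n + 2;
}

/* Constructed worm-style request whose name is name_len bytes of 'A'. */
size_t make_long_request(uint8_t *buf, size_t cap, size_t name_len)
{
    if (name_len + 2 > cap)
        return 0;
    buf[0] = REQ_TYPE_NAME;
    memset(buf + 1, 'A', name_len);
    buf[name_len + 1] = '\0';
    return name_len + 2;
}

int main(void)
{
    uint8_t pkt[512];
    char out[NAME_BUF];
    size_t len;

    /* Short, well-formed: both handlers accept 10 bytes. */
    len = build_request(pkt, sizeof pkt, "SQLEXPRESS");
    printf("short name   vulnerable=%d hardened=%d\n",
           handle_request_vulnerable(pkt, len),
           handle_request_hardened(pkt, len, out, sizeof out));

    /* 300-byte name: the hardened handler refuses (-3). The vulnerable one
     * would smash its own stack here, so it is deliberately not called. */
    len = make_long_request(pkt, sizeof pkt, 300);
    printf("long name    hardened=%d\n",
           handle_request_hardened(pkt, len, out, sizeof out));

    /* Truncated datagram with no NUL inside it: refused (-2) rather than
     * read past the end of the packet. */
    printf("unterminated hardened=%d\n",
           handle_request_hardened(pkt, 10, out, sizeof out));
    return 0;
}
```

The two checks in the hardened handler are the ones the excerpt's unfinished sentence is about: memchr is told how many bytes the datagram actually holds, so a packet without a terminator cannot make the parser read past it, and the name length is compared against the destination capacity before a single byte is copied. Note the boundary at exactly NAME_BUF - 1 bytes: that length still fits with its NUL and is accepted, while NAME_BUF bytes is refused.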
In the Upcoming Issue: Physical Pentesting. Available to download on July 2nd.
If you would like to contact the PenTest team, just send an email to maciej.kozuszek@software.com.pl or ewa.dudzic@software.com.pl. We will reply a.s.a.p.
PenTest Magazine has the right to change the content of the next Magazine Edition.