Web appc pentesting_05_2012__teasers

  • 235 views
Uploaded on

 

  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Be the first to comment
    Be the first to like this
No Downloads

Views

Total Views
235
On Slideshare
0
From Embeds
0
Number of Embeds
0

Actions

Shares
Downloads
20
Comments
0
Likes
0

Embeds 0

No embeds

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
    No notes for slide

Transcript

  • 1. �������������������������������������������������� �������������������������� ������������������������� / ������������������������� / ����������������� / �������������������� / ������������������������� / �������������������������������� / ��������������������� / ������������������ / ��������������� / ���������������� �������������� / �������������������������������������������� ������������� / �������������������������������������������� ���������� �������������� / ��������������������������������������������� ���������������������������������������������� �������������������������� Visit digitalforensicsmagazine.com ��������������������������������������� ��������������������������������������� ������������������������������ NEXT ISSUE OUT SOON SUBSCRIBE NOW������������������������������������������������������������������������� �������������������������������
  • 2. EDITOR’S NOTEHello Everyone! CLOUD SOLUTIONSSpring has finally come and let’s hope that the warming will A walk in the clouds: Securingalso concern the science world. I don’t know if you haveheard, but the library of Harvard University, the wealthiestuniversity in the world can’t afford to buy all desirable 06 your Cloud Experience by Ian Moysepublication. What will be its impact on global society? Wedon’t know. But we do know that Harvard library is spending The benefits of cloud computing are resounding, buton this publications unimaginable $3.75M per year. Its council businesses are still wary of the security implications.claims that prestigious magazines suppliers are slowingdown the speed of global economy growth by winding prices How are you assured that your data is as safe onof the newspapers, which they call ‘products’. the cloud as it is in your own network? What are the security pros and cons of utilising the cloud? And Let’s hope it will be the beginning of judging book by itscontent and not cover. In this case, Pentest Magazine will be what steps should you be making to ensure yourblooming, as there are tons of information useful to everyone cloud experiences are not only beneficial to yourwho just wants make some effort and reach for them. users, but are secure for your business. We open this month edition with article on SecuringCloud by Ian Moyse, sales director at www.workbooks.com.He writes about threats that appear during cloud computing FOCUS How to Successfully Attack DNS?and he proves positively that you can utilize Cloud, privateand public, securely. It creates new security challenges butis still worth using. If we put advantages and disadvantages 12 by Aleksandar Braticof that to reasonable mathematical equation, the first DNS is a very attractive to attack as very often ITwill often outnumber the last. Research shows that most administrators forget to implement measures tocommon apprehensions are data security and privacy. Sohow should we secure our data? After reading the Walk in secure DNS service. DNS listens on port 53 where UDPthe Clouds you will have better understanding of how to is used to resolves domain names to IP addressesprevent cloud leeks. and vice versa. It can also enlist TCP on the same port Next article is devoted to attacking DNS, which may be for zone transfer of full name record databases. It isneuralgic point since many administrators do not secure it estimated that 20% of total Internet traffic amount isproperly. As UDP is a connectionless protocol, a denial ofservice attack is very difficult to trace and block as they DNS traffic.are highly spoofable. Aleksander Bratic describes in detailtechniques of request flooding, response flooding, recursiverequest flooding, exploiting the DNS trust model (domain BASICS Web Application Vulnerability:Hijacking), cache poisoning and DNS hijacking. We sacrifice some space to well-known MySQL attacks. 18 MySQL Attack on WebsiteIt is so popular that we encourage you to check if you are Databasefollowing countermeasures we recommend. Check if you by Mr. Ooppsscan make safer what you consider safe now. Firewall andwell-thought data storage might help the website. The article MySQL Attacks are an often used technique tomay be a brief review to experienced users and brilliant attack databases through a website. This is done bylesson for the beginners. In the Close Up section we take a closer look at webantiviruses. This is a disclosure on how to successfully trickthe web AV by the technique of cloaking, which has beenaround since the 90s. So maybe it’s time to take care of it.You cannot rely only on your AV. The article is very short butit makes it even more convincing and valid since it is enoughspace to present the issue of cloaking. And for everyone who wants to relax and have a bit ofhigh-quality fun this summer (no matter how it sounds) westrongly recommend Cyber Styletto chapter 6 as the actionenters the higher-level there. Enjoy reading! Wojciech Chrapka & PenTest Team 05/2012(7) Page 4 http://pentestmag.com
  • 3. CONTENTSincluding portions of SQL statements in a web form entry field inan attempt to get the website to pass a newly formed rogue SQLcommand to the database.WEB APP Bypassing web antiviruses22 by Eugene Dokukin aka MustLive Eugin Dokukin, pentester with 17 years experience, istesting systems for searching of viruses at web sites. He made ashort brief on how easy it is to develop effective cloaking method TEAMby integrating three elements: User-Agent, IP and DNS. Editor: Wojciech Chrapka wojciech.chrapka@software.com.plCLOSE-UP Conferences in 201224 Betatesters: Ankit Prateek, Robert Keeler, Aidan Carty, Kyle Kennedy, Daniel Wood, Johan Snyman by PenTest TeamProgrammer is a constantly undereducated person. Being up to Senior Consultant/Publisher: Paweł Marciniakdate with the latest trends and solutions often decides if you areseen as a top-shelf coder. We are presenting conferences where CEO: Ewa Dudzic ewa.dudzic@software.com.plall the new trends are mixed and exchanged between groups andindividuals in vivid and revitalizing atmosphere. And where you Art Director: Ireneusz Pogroszewskican shine with your knowledge. ireneusz.pogroszewski@software.com.pl DTP: Ireneusz PogroszewskiCYBER STYLETTO Cyber crime novella- Cyber Styletto Production Director: Andrzej Kuca30 – Chapter 6 andrzej.kuca@software.com.plby Mike Brennan and Richard Stiennon Marketing Director: Ewa DudzicCyber crime novella- Cyber Styletto – Chapter 6 ewa.dudzic@software.com.pl Publisher: Software Press Sp. z o.o. SK 02-682 Warszawa, ul. Bokserska 1 Phone: 1 917 338 3631 www.pentestmag.com Whilst every effort has been made to ensure the high quality of the magazine, the editors make no warranty, express or implied, concerning the results of content usage. All trade marks presented in the magazine were used only for informative purposes. All rights to trade marks presented in the magazine are reserved by the companies which own them. To create graphs and diagrams we used program by Mathematical formulas created by Design Science MathType™ DISCLAIMER! The techniques described in our articles may only be used in private, local networks. The editors hold no responsibility for misuse of the presented techniques or consequent data loss. 05/2012(7) Page 5 http://pentestmag.com
  • 4. CLOUD SOLUTIONSA walk in the CloudsSecuring your Cloud Experience The benefits of cloud computing are resounding, but businesses are still wary of the security implications. How are you assured that your data is as safe on the cloud as it is in your own network? What are the security pros and cons of utilising the cloud? And what steps should you be making to ensure your cloud experiences are not only beneficial to your users, but are secure for your business. What you will learn What you should know In this article you will learn about the security areas to This article is aimed at those with a fundamental consider when adopting cloud solutions and some of the understanding of cloud and security concepts, but is written questions to ensure you ask. to be informative for anyone in an IT or business role who is concerned or has read about cloud security issues.S ecurity is one of the most important factors (being availability and accessibility). A good reference point for companies who want to store data and for this being the Cloud Industry Forums 2011 Cloud operate using the cloud and it continues to Adoption and Trends Survey where 64% cited Security asbe highlighted as the greatest concern in end user their most significant cloud concern.studies. Implementing and utilizing a cloud solution Another study, carried out by network performancebrings great potential benefits, but also introduces monitoring company Network Instruments, addedchallenges around securing content and access confirmation that the top cloud challenge is the securitycontrol. The cloud offers the promise of large potential of corporate data, with 45% of respondents surveyedsavings in infrastructure costs and improved business reporting it as their key concern.agility, but concerns about security are a major As with other major technology transitions, cloudbarrier to implementing cloud initiatives for many computing has gained widespread attention andorganizations. Before transitioning to the cloud, you scrutiny in the media. We have seen stories aboundneed to figure out how to implement and enforce an around cloud, SaaS (Software as a Service), PaaSeffective security program. (Platform as a Service), etc, both in the consumer (eg. Cloud security refers to the computer, network and iCloud) and business worlds. Many of the stories haveinformation security of cloud computing providers and scare mongered, seeing cloud as a pure risk and citingincorporates data protection, infrastructure and governance exposures such as Sony and Blackberry as examplesissues. Security concerns surrounding cloud computing of security and reliability in the cloud, of which youare generally considered to be security and privacy (of the could hardly fail to notice. Sony is a good case in point,information stored), compliance (with legislation and user where the press reported in April 2011 “Two of Sony’scompany policy) and legal/contractual issues. In end user online gaming services, were hacked, compromisingsurvey, after survey, the top 2 issues that surface to the top confidential data of more than 100 million customers.”are security (data being the typical lead in this) and reliability under banner headings of being a cloud failure! This 05/2012(7) Page 6 http://pentestmag.com
  • 5. could be better named as an internet issue. Sony $20 a share. However today only a year on how manywasn’t delivering a service hosting on behalf of of the 24 million affected Sony users have desertedcustomers, more delivering a service accesed over the provider, relatively few, but in the scheme of thingsthe ‘cloud’ such as Instant Messenger, Amazon or any there was moral outrage, but consumer apathy bore outother online seller or provider of wares. The core issue and the news has passed!was that they held customers identities and payment As an increasing number of legacy IT Vendors movedetails! This breach could have rung true if hacked for to offer cloud computing as part of their portfolio,any online E-tailor such as Ebay, Paypal, Amazon or they have played down the concerns around security.others you may use and yourself trust. The “Cloud’s” However, even with industry heavyweights nowgeneric branding is utilised quickly in such instances, committing heavily to the cloud, customers are far fromas a useful hyped term and one that covers anything blindly trusting the cloud model.internet based. It is a wide sweeping brush that Sony While IT teams may embrace cloud services as abecame the poster child for. way to achieve cost savings and increased business The Sony leak was followed on with a report later flexibility, these technologies are introducing newby an independent security expert that found 67% of components and environments which change thethe users whose passwords were published on the security challenge once more. Security challenges inSony leak, were still using the same password that the cloud should be familiar to any IT manager – losswas leaked a year prior in the Gawker 2010 breach. of data, threats to the infrastructure, and complianceMeaning users who knew their password had been risks, with focus varying depending on the size ofleaked previously and knew they used the same organisation you represent. Cloud security is a complexpassword on Sony Online had not believed a need topic with many considerations ranging from protectionor taken the action to change it! Users responsibility of hardware and platform technologies in the datafor their part in security remains an issue whether on centre through to regulatory compliance and defendingnetwork or in the cloud of course! cloud access through different end-point devices. Sony of course started paying a its toll however with Whether you are implementing a private or publica flow of share price drops in the weeks following the cloud or a hybrid model that includes both, securityissue going public, taking it from above $30 down to must be a strong component of your solution.Figure 1. Concerns about adoption of cloud 05/2012(7) Page 7 http://pentestmag.com
  • 6. CLOUD SOLUTIONS IT Security in itself, bar cloud, already beholds a great of delivery, updating, configuring and responding todeal of responsibility. It must protect corporate assets threats. With a public cloud and carefully chosenfrom an ever increasing volume and sophistication vendor the security of the cloud component is doneof attacks, ensure any regulatory compliance is met, for you, typically with you retaining control over accessmonitor and protect the business against internal management and policies through your managementthreats and keep information from leaking through an portal. There are pro’s and cons of each aproach andever increasing number of mediums including email, do not assume vendors are all equal, doing diligencethe web and social networks. Over the past decade and asking pertinent questions is key. Also understandthe IT security market has expanded rapidly as vendor that utiliskng a public cloud vendor does not mitigatesolutions to thwart all the attack types have come into your security responsibilities as there remains abeing and IT security has become more complex with a need to secure your endpoints,user access and userneed not only to understand basic point solutions, but security.to correlate together a range of vendor offerings in a Private cloud security has similarities to that ofcoherent manner and ensure they are also configured security in the traditional datacentre. Worries remainand updated accurately. Attackers have become more around network security, authentication, auditing andadept at penetrating systems, often still using the user identity management. However you are no longer areas the weak link, and whereas they used to only care in complete control of the workloads, or even of theabout high-profile or larger targets, they are also now operating systems that are running in your datacenter.setting their sights on smaller companies to achieve With private cloud, the consumers of your servicestheir goals. can spin up new operating systems and create new To this end existing on-site security solutions and applications depending on the service model you makeinfrastructure may not be sufficient or cost effective available to your users. Therefore you need to addressto protect against the dynamic growing and changing new areas such as the following:attack landscape. This is not a reason alone to considera move to the cloud, but cloud security approaches are • Deciding who has the rights access and consumenow recognised as highly effective (in reducing cost and your cloud services?complexity) defence mechanisms, when approached • Do you have controls for the behaviors of thediligently. services and operating systems that your private A 2012 survey commissioned by Microsoft indicated cloud customers will be able to run up?for example that SMBs are gaining significant IT security • Are you able to identity self service users that mayadvantages from cloud computing, with 35% surveyed represent potential threats, such as anyone usingexperiencing “noticeably higher” levels of security since stolen credentials?moving to the cloud and 32% spending less time each • Do you have mechanisms to ensure that usersweek managing security than companies not using the cannot migrate their user role into an administrationcloud. Security, rather than acting as a barrier to cloud role?adoption in smaller businesses, is in fact one of the • Do you have a way to automate security responseskey benefits that they can experience by moving to the to incidents, such as possible denial of servicecloud. situations? The economies of scale and flexibility the cloudbrings can be a friend and a foe from a security aspect. Public cloud is going to require that you do yourThe concentration of data presents an attractive target diligence on the cloud provider. For example askingto attackers, but cloud defences can be more robust, where they host, who with, where your data is located,scalable and cost-effective than a self-build and who has access to it, what security policies do theymanage approach! You must face the reality though operate, what access do you have to apply your ownthat many employees will be using cloud services security policies (access control for example). Is yourregardless if this is offered up by the business and IT data striped across multi-location datacentre’s? Doas official policy. they apply data mingling where your data is in the How does security differ with private vs. public same host and database as other customers’ or areclouds? Businesses directly control the security of you allocated a separate and discrete data store in theprivate clouds whereas with a public cloud rely on service?the standardised delivery and security of the cloud Very few, if any, companies will move completelyprovider. Doing it yourself can give you control but to the cloud in the short term, there are too manyit also gives you the responsiblity and overheads legacy systems to maintain that are cloud unfriendly. 05/2012(7) Page 8 http://pentestmag.com
  • 7. Regulation will also play a part in areas which Off the back of cloud and mobile devices comesdelay or restrict cloud being a viable solution authentication. How does a user authenticate(for now). securely to the cloud service (private or public)? Do Cloud brings great advantage to mobile users and they login via a browser on the mobile device or havewith estimates from Gartner that by 2014 around a mobile client that pre-authenticates that device?80% of professionals will use at least two personal If a client login how will the user remember an everdevices to access corporate systems and data, the increasing number of passwords? (which in most usertwo are likely to become more entwined. The growth domains is already an issue despite the promises ofof mobile access and BYOD (Bring Your Own Device) Single Sign On and Directory Systems). Also cloudcultures is moving the security perimeter out past the services like web sites tend to use different user IDorganisations infrastructure to bold new areas. The and password formats, some being email address,cloud has delivered an expectation of applications some first name surname and some employeethat are free from the constraints of legacy desktop number and with varying password lengths and rulestied clients and that can be accessed anywhere from around characters to be utilised. All of this is a securitypretty much any device. Cloud combined with mobile/ aspect that needs to be considered. How will youBYOD can deliver major benefits to productivity and secure users outside your directory and with systemsflexibility of an organisations workforce, but introduces accessible from any device? With cloud applicationsa new range of security concerns. IDC recently stated the user credentials become even more valuable as“Mobility will present the greatest security challenge in the login is often no longer tied to a VPN connectionthe next five years.” or device, so ensuring that the user (person) side of Security experts have highlighted how BYOD password protection doesn’t slip up is essential in thecan put an organization’s network at risk because cloud world, as if it wasn’t already! (sic).workers could inadvertently transfer a virus-infected Data governance and security has headline visibilityfile into the network or gain access and ownership whenever cloud is mentioned and is a top concernover restricted organisational data by downloading for adoption. Under new guidance from the Nationalit on to a non-work owned and secured device. With Institute of Standards and Technology, users andCloud of course the user is increasingly likely to want not providers have ultimate responsibility for theto use a mobile device and with a mobile device the security and privacy of data stored on the public cloud.user is likely to demand more access to cloud like Guidance co-author and NIST Computer Scientistapplications. The fact is that Perimeterless Security Tim Grance commented “accountability for securityis harder. and privacy in public cloud deployments cannot be delegated to a cloud provider and remains an obligation for the organization to fulfil.” This is a good thing and to be expected. Utilising cloud does not and should not totally devolve you of security responsibility for your users behaviour. In pursuing public cloud services, the guidelines recommend that organisations: • Carefully plan the security and privacy aspects of cloud computing solutions before implementing them. • Understand the public cloud computing environment offered by the cloud provider. • Ensure that a cloud computing solution of cloud resources and cloud applications satisfies organisational security and privacy requirements. • Maintain accountability over the privacy and security of data and applications implemented and deployed in public cloud computing environments.Figure 2. Which of these was the primary reason for adopting A simple question that often gets asked of a cloudcloud-based services? vendor “is where is your datacentre located?”. 05/2012(7) Page 9 http://pentestmag.com
  • 8. CLOUD SOLUTIONSAdvised questions would also include “and is that of influencing your strategy, start educating now onwhere my data will be held?” and “Where is your the various forms of cloud and how to secure thembackup data center?”. Further questions have in you environment. Resistance and ignorance willarisen from recent reports highlighting that simply deliver only a short term strategy to cloud in the everlooking to keep data in the EU is not enough for competitive business world.European firms. In June 2011, the managing director Can you utilise Cloud, private and public securely?of Microsoft UK admitted that it would comply with Yes. Does it pose new security challenges? Anotherthe Patriot Act as its headquarters are based in the Yes. Do Cloud Security questions give you a reasonUS and that it would try to inform its customers of to ignore cloud and maintain the status quo of onany data request as it happened, but that it would network deployments? In places of course you willnot guarantee this! Meaning that if you do business decide that a specific application or requirement iswith a UK subsidiary of a US-based cloud operator, best served on network, but it is not an encompassingyou can choose to specify that English law applies no for sure! Cloud offers a lot of benefits, varying byand ensure they offer you a EU based data center organisation and application and the security aspectsoperating under EU data protection laws, but your can be overcome as others have been in the past.data is till open to US access if your vendor is US Educate, learn, adapt and adopt, as cloud is here toowned. If this is of concern, you need to ensure that stay in its varying form factors, there are too manyyour provider is European owned and legislated. Of success stories and businesses doing well utilizingcourse this would limit you from many mainstream cloud for security to be a pure play excuse anyproviders such as Amazon, Google and Microsoft so longer.there are always balances and measures to apply inyour decisions. Worth seeing Gartner believes all cloud customers should have Those wishing to learn more and participate in the cloudsome basic rights to protect their interests and defined can also find some great vendor independent resourcessix of these as being: such as:• The right to retain ownership, use and control one’s • http://www.cloudindustryforum.org/ own data, • https://cloudsecurityalliance.org/• The right to SLAs that address liabilities, • http://www.eurocloud.org/ u remediation and business outcomes,• The right to notification and choice about changes that affect the service consumer’s business processes,• The right to understand the technical limitations or requirements of the service up front, IAN MOYSE• The right to know what security processes the Ian Moyse has over 25 years provider follows, of experience in the IT Sector,• The responsibility to understand and adhere to with nine of these specialising software license requirements. in security For the last 8 years he has been focused in CloudIn addition to security approaches, more education Computing and has become ais also needed in cloud across all sectors to enable thought leader in this arena.businesses to understand and utilize this important He now holds the role of Salesnew technology option to its advantage in a secure Director at Cloud CRM providermanner and this need for understanding stretches past Workbooks.com. He also sits onsimply the border of the IT department. CompTIA’s the board of Eurocloud UK and the Governance Board of theCloud Essentials certification is an example option Cloud Industry Forum (CIF) and in early 2012 was appointed tothat enables employees of varying roles to validate the advisory board of SaaSMax. He was named by TalkinCloudtheir cloud knowledge, take online training and exam as one of the global top 200 cloud channel experts in 2011 andcondition testing. Expect to see more cloud courses in early 2012 Ian was the �rst in the UK to pass the CompTIAand exams providing the market with the required Cloud Essentials specialty certi�cation exam.validations in this new cloudy world. Lack of knowledge Sales Director www.workbooks.com, Eurocloud UK Boardbreeds concern and risk. If you are in IT or a position Member & Cloud Industry Forum Governance Board Member. 05/2012(7) Page 10 http://pentestmag.com
  • 9. Global I.T. Security Training & Consulting www.mile2.com IS YOUR NETWORK SECURE? ������������������������������������������������������������ �� ���������������������������������������������������������������� ����������������������������������������������������������� ������������������������������������������������������ mile2 Boot Camps A Network breach... Could cost your Job! Available Training Formats �� ���� ������������������������ � � ������������������������� ��� ���� �������������� ������� � ����������������� ��� ���� �������������������� �������� � ������������������������������������������� ��������� ������������������ ������ � ���������������������������������� ��� ���� ���������������������������� ������ � ���������������������������������������������� ������������������� � � ����������������������������������������� Other New Courses!! �������� � ������������������������������������� ���� ��������������������� ��������� � ��������������������������������������� �������� ������������������� ���� ����������� � � ���������������������� �������� � ������������������������������� ���������� ��������������������������� ��������� ��������������������������� � � �������������������������� ���������� �������������������������� ������� ����������������������������������� ��������� �������������������������������������������������� ����������������� ��������������� ������������� INFORMATION ASSURANCE ������� � ������������������������������������������������ SERVICES ���������������������������������������� ��� ������������������� ������������������������������ ��� ������������������������� ��������� � ���������������������������������������� ��� ������������������������������������� ��� �������������� � � ����������������� �������������������������������������������� �������� � �����������������������������������(ISC)2 & CISSP are service marks of the IISSCC. Inc. Security+ is a trade mark of ��������������CompTIA. ITIL is a trade mark of OGC.GSLC & GCIH are trademarks of GIAC. ��������������� 11928 Sheldon Rd Tampa, FL 33626
  • 10. FOCUSHow to SuccessfullyAttack DNS? DNS is a very attractive to attack as very often IT administrators forget to implement measures to secure DNS service. DNS listens on port 53 where UDP is used to resolves domain names to IP addresses and vice versa. It can also enlist TCP on the same port for zone transfer of full name record databases. It is estimated that 20% of total Internet traffic amount is DNS traffic.D NS was proposed by Paul Mockapetris in 1983 QR – A one bit field that specifies whether this (in RFC’s 882 and 883), as a distributed and message is a query (0), or a response (1). dynamic database – as opposed to the single OPCODE – A four bit field that specifies kind of querytable on a single host that was used by the earlier version in this message.of the internet, ARPAnet. Together with Jon Postel, he is AA Authoritative Answer – this bit is only meaningfulconsidered the inventor of DNS. in responses, and specifies that the responding name server is an authority for the domain name in question.Structure of a DNS packet This bit is used to report whether or not the responseID – A 16 bit identifier assigned by the program you receive is authoritative.that generates any kind of query. This identifier is TC TrunCation – specifies that this message wascopied to the corresponding reply and can be used truncated.by the requester to match up replies to outstanding RD Recursion Desired – this bit directs the namequeries. server to pursue the query recursively. Use 1 to demand recursion. RA Recursion Available – this be is set or cleared in a response, and denotes whether recursive query support is available in the name server. Recursive query support is optional. Z – Reserved for future use. RCODE Response code – this 4 bit field is set as part of responses. The values have the following interpretation: 0 – No error condition 1 – Format error – The name server was unable to interpret the query. 2 – Server failure – The name server was unable to process this query due to a problem with the nameFigure 1. Domain name system server. 05/2012(7) Page 12 http://pentestmag.com
  • 11. smart security interface©the multiplatform security connector integrated with all major PKIapplications and TMS platforms; it fully supports all wide spread smart cardsand architectures for government, corporate and bank projects; it alsointerfaces with smart phones, pre-boot systems and TPMiEnigma®the software application that turns your smart phone into a PKI smart card;unparalleled convenience for digital identity management; unbeatable securitythanks to the support of NFC chips and micro SD cardsplug´n´crypt®the product line for logical and physical access control covering different formfactors: USB token, smart card, micro SD card, soft token, also in combination����������������������������������������������������������������CSTC®PKI made simple and accessible to SMB: card initialization, management of������������������������������������������������������������������������������TMS infrastructurecontact:team@charismathics.com www.charismathics.com
  • 12. BASICSWebApplication Vulnerability: MySQL Attack on WebsiteDatabase MySQL Attacks are an often used technique to attack databases through a website. This is done by including portions of SQL statements in a web form entry field in an attempt to get the website to pass a newly formed rogue SQL command to the database.S QL stands for Structured Query Language. SQL are usually only used on their system. The standard is used to communicate with a database. It is SQL commands such as Select, Insert, Update, Delete, the standard language for relational database Create, and Drop can be used to accomplish almostmanagement systems. SQL statements are used to everything that one needs to do with a database.perform tasks such as update data on a database, orretrieve data from a database. Some common relational What are tables?database management systems that use SQL are: Within a SQL database there are tables which storeOracle, Sybase, Microsoft SQL Server, Access, etc. information. Tables can store any information on aMost database systems use SQL, most of them also website, ranging from usernames, passwords, andhave their own additional proprietary extensions that addresses, to text displayed on a web page, such as aFigure 1. SQL tables view 05/2012(7) Page 18 http://pentestmag.com
  • 13. WEB APPBypassing WebAntiviruses At beginning of April 2010 I’ve made the testing of systems for searching of viruses at web sites [1]. In my research I have examined different systems for searching of viruses at web sites, as standalone, as built-in the search engines – these systems can be called as web antiviruses. And later I have presented my results of testing of web antiviruses on conference UISG and ISACA Kiev Chapter #6 [2].I ’ve examined the next web antiviruses: Web Virus with built-in antivirus systems, because they are using Detection System, Google, Yahoo, Yandex, Norton bots of search engines with known user agents. Safe Web, McAfee SiteAdvisor, StopBadware. And I saw the using of cloaking method in maliciousevery web antivirus can face with malware’s attempts scripts many times during my researches since 2008.to hide from it (so malware will left undetected and Particularly I saw checking of Referer (and similarcontinue to infect visitors of web sites). In this article approach can be used for User-Agent). And theseI’ll describe methods of bypassing of web antiviruses, method of protection of malicious code from systemswhich developers of such system need to take into for searching of viruses create serious challenge foraccount to prevent possibilities of malware to hide from these systems.them. Antivirus companies and other security researchers are also sometimes finding cases of using cloakingBypassing of systems for searching viruses against search engines with built-in antiviruses.at web sites Example: in May 2010 many web sites on shared-In May 2010 I’ve published the article to The Web hosting at DreamHost and other hosting providers wereSecurity Mailing List Archives [3] about bypassing hacked and infected with malicious code, and the codesystems for searching of viruses at web sites. This for distributing of malware was using a cloaking forconcerns all systems for searching of viruses at web hiding itself from built-in antiviruses in search enginessites, including search engines with built-in antiviruses, Google and Yahoo.which have no counter-measures against it. Bypassing systems for searching of viruses at web Effective use of cloaking against websites is possible with using of cloaking (which is known antivirusesfrom 90s and is used for hiding from search engines In the end of August 2011 I’ve found that Google startedbots for SEO purposes). When User Agent is analyzing using User-Agent spoofing for its bots. Which can beand if it’s a search engine, then malicious code is not concerned with the desire to improve their system forshown, if it’s a browser – then shown. So the same searching viruses at web sites – so with using of cloakingcloaking which used for SEO, can be used for malware (UA spoofing is type of it) to decloak viruses at web sites.spreading and hiding from systems for searching of But it uses spoofing ineffectively and with consideredviruses at web sites. Particularly from search engines use of cloaking the malware can effectively hide from 05/2012(7) Page 22 http://pentestmag.com
  • 14. CLOSE-UPConferences in 2012 Programmer is a constantly undereducated person. Being up to date with the latest trends and solutions often decides if you are seen as a top-shelf coder. We are presenting conferences where all the new trends are mixed and exchanged between groups and individuals in vivid and revitalizing atmosphere. And where you can shine with your knowledge.June 3 – 6, 2012, Techno Security 2012 data: June 3 – 6, 2012& Mobile Forensics 2012 VIP Invitationfor PenTest Magazine readers [FREE VIP title: Techno Security & Mobile Forensic (two events)registration] organizer: TheTrainingCo. keywords: mobile devices forensic, digital investigations, multiple trainings place: Myrtle Beach, SC, USA description: This will be the 14th year for Techno Security and the 5th year for Mobile Forensics. Frequent attendees are some of the top practitioners in the world in the fields of Information Security, eDiscovery, Mobile Forensics, Digital Forensics and Technical Business Continuity Planning. Last year, there were over 1,000 people registered. Techno Security 2012 will include several sessions as well as pre- conference and post-conference events. You may choose between courses concentrated inter alia on Smart Devices, issues of Flasher Box and JTAG, Python Scripting with UFED Physical Analyzer and other trainings addressed to both advanced and inexperianced users. For full range you mast visit website. official page: www.techsec.comFigure 1. Golf tournament at this golf course is an additional if from pentest: free VIP registrationoption wojciech.chrapka@software.com.pl 05/2012(7) Page 24 http://pentestmag.com
  • 15. �������������������������� ���������������������� CloudPassage Halo is the award-winning cloud server security platform with all the security functions you need to safely deploy servers in public and hybrid clouds. Halo is FREE for up to 25 servers. cloudpassage.com/pen
  • 16. CYBER STYLETTOCyber Styletto 7 a.m., Sunday, San Francisco International AirportS �� tokes turned right, down a cramped aisle into the coach section of Air Asia charter flight 711, ���������� ��������� �������� ������� ��� �� �������� a non-stop to ������� ��� ����������� ������� ���� ������� ��� ����������� Macau packed with people eagerto try their luck at the MGM. Yvonne smirked as he ����������������������������������������������������������������shook his ������� ���� �������� ��� �� ����������� ���� �� �����������the head over the seat he’d been assigned, in �����������������������������������������������������middle of the last row. He wouldn’t even be able to lean ���� �������� ���� ������� ������� ������ �������� ����back during the ten-hour ��� �������� ��������� ���� ����������� ����������� flight with the bulkhead behindhim. He turned to������������������������������������������������ make sure she was following him, andsaw she was not. �������������������������������������������� ������������� ��� ������������ ��� ���� ����� ������ ��������� �������� ����� ����� �������������� “Where are you going?” he asked. ����� ���� ���� ����� �� ��������� ��� ������� ���������������������������������������������� �������� �� ����� ��������� ���� ��������� She smiled. “First class, of������ ������������ ����Woody ������ ���� course.”Buck, �����and the others all headed ������������� ������� their������� �� ���� left, holding in ����� laughter.“Them too?” Stokes said. ������������������������������������ ������ ��� �������� ���������� ��� ���������� “We always fly up front.” He took the crumpled boarding pass and waved it ather. “Then what am I doing with this?” “Rohan, darling. I tried. But by the time I knew you �����������������were coming it������ ��������� �������� ������ you a first class seat,” �������� ���������� was too late to ��� ��� ��������� ��� �� ������ ��������� ������� ��� getshe said. ��������������������������������������������� ����������� ����������������������������������������������� ����� ���� �������� ������ ��������� ���� ����� ����� �� �������� He turned to go back to the gulag of the last row, then �������������������������������������������������stopped. ���� ��������� ������� ������ ����� ���� �������� ������� ������������������������������������������������� “Wait a minute,” he said. “When I showed up, youhadn’t even made your plans for this trip. You just didthis to spite me.” Yvonne had considered leaving for the hotel without him, but he’d only track her down through her cochlear The queue of passengers loading up behind Stokes as implant, and she was getting tired of that. He camehe blocked the aisle began to get restless. An old woman up the tunnel looking as though he’d been flying in apushed her carryon into his leg. She blurted something laundry hamper – his jacket and shirt were wrinkled,in Chinese. He didn’t know the words, but Yvonne could and one pant leg had risen high enough to show asee he understood her meaning as he dropped his head stretch of bare shin above his sock, and was held inand started walking back. In Macao the group had to wait place by static cling.almost a half hour for Stokes to disembark, since literallyeveryone else on board was in front of him. 05/2012(7) Page 30 http://pentestmag.com
  • 17. In the upcomingissue of the Web Application Devices Available to download on June 22thIf you would like to contact PenTest team, just send an email tomaciej.kozuszek@software.com.pl orewa.dudzic@software.com.pl . We will reply a.s.a.p.PenTest Magazine has a rights to change the content of the next Magazine Edition.
  • 18. Security Services :$50,000 Firewall ruined by a lack of cents! SERVICES AVAILABLE • $250,000 Intrusion Detection System • $50,000 Redundant Firewalls A UDI T S U P P O R T • $300,000 Salaries for IT Security Personnel Strategic and Technical • $400,000 Gee Whiz Computer Defense Shield assessments for audit firms, audit, and IT departments: Hacked because someone used password123 as a “temporary” password……. • Penetration Testing • Security Assessments • Disaster Recovery Apologies for the above marketing gimmick, but it was necessary to • Special Projects grab your attention. We could tell you that we offer superior information security services followed by a highly biased list of reasons, quotes of PE E R B A SE D E VA L U A TI O N industry sources, and facts to support our assertions. However, we both know that you know that game, so let’s change the rules and let Ongoing comparison against the truth in our advertisement speak for our work, and maybe you’ll peers of key IT security give us the opportunity to let our work speak instead. For the same metrics and controls. Periodic reasons that clever marketing can sell an inferior product; your entire reporting of key metrics. network can be hacked, starting with one little email. Interested, or S TA TI S TI C A L shall you skip to the next page? PE N E TR A TI O N Periodic rotation of As a proof in concept, the soft copy version of this document contains professional penetration custom embedded software control codes designed to gain control testers against your network over your computer, then masquerading as you, manipulate stock via a custom portal complete prices using information contained on your system. Buy buy! Sell Sell!. with the ability to limit the Sound farfetched? Maybe 5 years ago, but that is today’s new scope and depth of testing paradigm. Forgive the fear tactics, but the point is that skillful social according to client needs. manipulation in conjunction with “embedded software control codes” are the methods used by malicious parties to compromise (gain control U SE R E D UC A TI O N of) modern networks. This challenge can only be met with intelligence. Custom security training We combine software engineering, security know how, and data exercises for your organization analysis to offer real world peer based metrics of your security issues including use of penetration as well as deep dive technical assessments ranging from penetration / tests as a way of providing technical assessments to strategic reviews. users an unforgettable experience. Sleep better with our D3tangler™ technology! Our new patent pending D3tangler technology helps you win the evolving Contact: game of IT security. The technology solves all your security problems by Shohn Trojacek - trojacek@p2sol.com pressing a button! Don’t be fooled 120 N.cheap competitor’s products! by MAIN BRYAN, TX 77803 Tel 939.393.9081 www.p2sol.com securityservices @ p2sol dot com
  • 19. ���������������� “We help protect critical infrastructure one byte at a time”• ���� Checklists, tools & guidance•���� Local chapters• ������ builders, breakers and defenders• ���������� ������������������������������������������������� and more.. ��������������������������������