Security kaizen   consumerization
Upcoming SlideShare
Loading in...5
×
 

Security kaizen consumerization

on

  • 1,047 views

 

Statistics

Views

Total Views
1,047
Views on SlideShare
1,047
Embed Views
0

Actions

Likes
0
Downloads
4
Comments
0

0 Embeds 0

No embeds

Accessibility

Categories

Upload Details

Uploaded via as Adobe PDF

Usage Rights

© All Rights Reserved

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Processing…
Post Comment
Edit your comment

Security kaizen   consumerization Security kaizen consumerization Document Transcript

  • Editor’s Note April/june 2011 . 2nd Issue After the release of our first issue, we Chairman & Editor-in-Chief received a lot of positive feedbacks, a lot Moataz Salah of improvement ideas and a lot of reviews. Editors people wanted to help making security kaizen magazine a better magazine, wanted it to be Egypt | The First Cyber Revolution 4 Fady Osman Brad Smith one of the top information security magazines Omar Sherin in the world. Osama Kamal To be honest, I didn’t expect that we will have Grey Hat Amr Thabet that success in such short period, nor did I Types of SQL Injection 10 Ahmed Saafan Vinoth Sivasubramanian expect that one day I’ll appear on the Egyptian Phone Owning 12 Paul de Souza TV to talk about our initiate and our Magazine. Mohamed Enab So I wanna attribute our success to all my Language editors readers, anyone contributed with an article or Stuxnet: and the truth shall set you free 16 Salma Hisham even a small comment, everyone criticized our 18 Salma Bakr A visit to RSA Conference work, all of you guys were a huge help to us Lobna Khaled Electronic Voting | Security Challenges 20 I still have a lot of people to thank for their Graphic Design help in the last couple of months but the An Interview with Clement Dupuis 22 Mohamed Fadly space won’t allow me to do that. so Thanks everyone, we wouldn’t have made it this far Web Site Design without you. Mariam Samy Rootkits: A Deeper Look 26 Security kaizen is issued As I said we are always kaizenning our Password Crack 30 every 3 months magazine and due to the tons of requests we received, a new version of the magazine willReproduction in whole or part without be released in Arabic to cover more readers Best Practicewritten permission is strictly prohibited on the Arabic countries. Also Security kaizen All copyrights are preserved to magazine was able to get special offers for our A Simplified Approach to Achieve Security in a 34 www.bluekaizen.org readers in various worldwide conferences; you Consumerized Environment can check more details about that through the Cyberspace as a War Fighting Domain 38 magazine or on our website. Finally, this was just a start and we are always eager to kaizen, improve and reach new horizons. We still need more volunteers from all countries. so Join us and be part of our For Advertisement in security kaizen. Security Kaizen magazine and www.bluekaizen.org website: Mail: Info@bluekiazen.org Phone: 010 267 5570 2 3
  • No one, not even Mark Zuckerberg the founder of Facebook, nor Jack Dorsey the founder of Twitter had imagined that one day their websites will help in a countrys revolution, take down a president or change a regime. Egypt’s well educated youth, whose through the streets, to regroup themselves sole dream is to see Egypt a better after being distracted by security agents country, lead peaceful demonstrations either by water, tear gas or real bullets. on the 25th of January 2011, which is the National Police Day, against injustice and freedom suppression. On the 11th of February 2011, Hosny Mubarak finally declared his resignation as the President of the Arab Republic of Egypt. Just to give you a few examples of people who joined the revolution: Wael Ghoneim (EMEA Marketing Manager of Google) who was arrested by the police on the third day of demonstrations; Dr. Ahmed Zewail (Egyptian Nobel Prize Winner in Chemistry), Dr. Mohamed By the end of the first day of the revolution, ElBaradei (former Director General of Tuesday 25th of January, Egyptian the International Atomic Energy Agency), Intelligence banned the access of Twitter and many Egyptian celebrities. from inside Egypt. They also banned some online opposition newspapers like What is unique about this El-Dostor. But that didn’t stop Egyptians revolution? from accessing Twitter and those websites using different proxies and in few minutesEGYPT It will be recorded in history that Egypt’s a series of proxies and ways to get around revolution was the first Cyber revolution the ban were shared among Egyptians. in the World. On the first three days, The Egyptian hackers quickly reacted to protesters used their smart phones, those actions by attacking the website Blackberries or iPhones to guide the of El-Ahram (one of the main Egyptian demonstrations. It all started with Government newspapers) and that of the Facebook. Then Twitter played a very Ministry of Interior Affairs using DDOS crucial role in guiding demonstrators (Distributed Denial of Service Attacks).The First Cyber Revolution We won’t continue talking about the revolution and its political development, you can get back to the news for more information. We will now concentrate about the technical part and our view regarding what happened later, withThe Full True Story on How Egypt respect to cutting all means of communications across Egypt.Shutdown the Internet for 5 whole days 6 5 April/june 2011 www.bluekaizen.org
  • By the second day, Wednesday 26th of (ADSL, dial-up, etc) The bandwidth of international lines is what is known as POP. The bandwidth isJanuary, Facebook usage was blocked To summarize the situation, all means of sold to ISPs and companies as requested, then distributed to the home end-usersin some areas, especially in El-Tahrir communication were down, except land and then distributed across Egypt using or companies. Check figure 2 for the line phones. Telecom Egypt cables, which are the only Internet hierarchy in Egypt.Square (Liberty Square) where most cables available! This is done throughprotesters gathered. Facebook wastotally banned on the third day (Thursday How was the Internet cut? International27th of January) of the protests. During ISP1 room ISP2 room Companiesthose three days, the situation was a real In order To know how the Internet waswar between the Government and the cut in Egypt, we first need to know theprotesters; on the streets and on the web. Telecom Egypt physical hierarchy of Internet in Egypt.On Friday 28th of January, in the early (switching & testing rooms) We will try to simplify the details as Telecom Egyptmorning - Friday is the weekend in much as possible so that readers with linesmost Islamic countries - the following no telecommunication background grasp International Cablescommunication services were down: how it works easily. In AlexandriaAll mobile phone communications SEA-ME-WEA4/Flag(voice calls, mobile internet, SMS, etc.) Different countries are connectedi.e. Egypt’s three operators were down together using a network of optical fibers, Core POP1 Core POP2 Core POP3completely with all their services with very high bandwidth, in seas andAll internet connections by all providers oceans. Check figure 1. Edge PoP1 Services to users in PoP1 Services to users in PoP1 Figure 2: Internet hierarchy in Egypt Therefore, in order to cut the Internet according to every ISP’s Network Design, across Egypt you have more than one but the easiest  way is to withdraw their option: Border Gateway Protocol routes (BGP ● Egyptian Government can disconnect protocol is a protocol used by border all the lines from the source (here the routers to transfer information between landing point of international cables is different autonomous systems), and most Alexandria). But this will disconnect all probably this is what happened with most the lines connecting Egypt to the outside ISPs world and that was not the case; only ● If the ISP refused to cut the service (like 88% of the Internet usage in Egypt was in NOUR CASE), the Government can down and nearly12 % was still working. cut the service by itself through Telecom So this option was not likely to have been Egypt POPs but in Nour Case which is used not a residential Provider and most of Figure 1: Submarine cable disruption map ● Authorities can intimidate the ISPs to its customers are big companies, Egypt For Egypt, all international lines have two landing points (Alexandria shut down the services to users. This was security agencies accepted or agreed not and Suez), for example the SEA-ME-WEA4 line is the line which clearly published by Vodafone, that some to cut the internet on Nour Customers, connects South East Asia-Middle East-Western Europe, and it Egyptian security agencies ordered them but that made TEdata and Linkdot net, carries telecommunications between Singapore, Malaysia, Thailand, to shutdown all mobile services. Shutting the biggest service providers in Egypt, Bangladesh, India, Sri Lanka, Pakistan, United Arab Emirates, Saudi- down the Internet from the ISP’s side complained that Nour is still working and Arabia, Sudan, Egypt, Italy, Algeria and France. can be made by many different ways that may affect their business , that’s 6 7 April/june 2011 www.bluekaizen.org
  • why Nour was also down on Monday by Twitter, Facebook and SMS services. AndTelecom Egypt not by Nour Engineers.So maybe they also knew more than that!Nour was down for a business reason not Whatever they knew, the decision was Conclusionfor a security reason. taken to cut all communications including all the Internet and mobile facilities. This story gave us some facts that don’t exist only in Egypt but in mostWhy were the Internet and countries that use the Internet: But unfortunately this was the most stupid Internet traffic is monitored, especially social media networks and thismobile communication cut? decision, because people who were can be checked in the customers part of www.narus.com where you will at home, waiting for brothers, sisters, find nearly 1/3 of their customers are countries governmentsWhat happened by the end of Friday relatives and friends to come back, Today, social media networks are not used only for connecting withexplains why Egyptian Intelligence cut couldn’t communicate with them. They friends or making business marketing, but they can be used in issues affectingall communications in the country. This couldn’t call their friends, couldn’t connect whole countries; revolutions, wars, etc.day was named: Friday of anger, where to the Internet to know their latest activities This story also gave us some questions, for which we hope to find answers:millions of people went out in the streets on social media, and couldn’t even send On which level do governments have the right to control essential life facilities,and the highest number of dead people a single SMS! So, more people went out like communications, electricity and others, to civilians even in cases ofwas reported on this day as well. in the streets, maybe not to protest but to emergency? merely show their anger at this decision. Will you support a law, if it doesn’t exist in your country, that considers theEgyptian Intelligence uses a solutioncalled NarusInsight. The NarusInsight Internet and telecommunication systems as main human needs like electricitySolution for Intercept, as narus.com says, Was the Internet 100% cut supply, water supply and others, which can’t be cut with such a way?!delivers unmatched flexibility to intercept across Egypt? Finally Egypt’s story was a real proof that Internet in general and socialIP communications content and identifying media networks in specific can really change the world. Virtual life can causeinformation, enabling law enforcement The answer is NO, according to most revolutions, wars, crimes and more. Egypt started the revolution on the virtualand government organizations around statistics nearly 88% of the Internet network and transferred it to a real story, a real TRUE STORY.the world to effectively gather evidence connection was down. What about theof illegal activity in the multifaceted world rest 12%. Well, we have different cases,of IP communications. for example: NOUR was the only service providerNarusinsight can monitor users’ traffic, that kept working for 3 days out of the 5including recollecting their mails, days (they were down only for 2 days –chats and other data. Built on the Monday and Tuesday – while the InternetNarusInsight Traffic Intelligence System, was back across Egypt on Wednesday)the NarusInsight Solution for Intercept All international MPLS Lines were workingpassively monitors multiple links on the fine, so companies who had MPLS Linesnetwork. It monitors each packet on the through any provider were working in thenetwork link and analyzes it against a whole 5 daystarget list input by the providers or directly One of the solutions was to use theby a law enforcement agent. If the packet international land line to dial up anmatches the target criteria, it is captured external service provider in France or anyfor formatting and delivery to storage, country using a dial up modem, but thislaw enforcement or directly to optional costs a lot of much of coursecontent rendering and analysis tools. Another solution was to have a satellite connection, this way you won’t passEgyptian Intelligence or National Security by Telecom Egypt lines but again this Referencesknew that a lot of people will gather on solution is so expensive and still not http://www.narus.comthis Friday, and they knew in the last 3 reliable for huge companies but it is better http://www.wikipedia.org/days how they collect themselves using than nothing 8 9 April/june 2011All images included in this article are copyrighted to their respected owners. www.bluekaizen.org
  • GREY HAT The database will simply display the results in the search query as you can see in the following image.Types of By Fady Osman SQL injection SQL injection is probably the most dangerous known web attack. Sometimes it could lead to remote code execution that gives the hacker a full control of the system. In this article we will talk about SQL injection types.1- Error based SQL injection : The exploitation of the errorIn this case the database simply the based SQL injection is fairly straight. For Another thing to notice here is that the database language can be this query:application sends back the database example the attacker can make an invalid the database version reveals also theerrors directly to the user. Sometimes comparison between an integer and the operating system information which is http://[site]/page.asp?id=1; IF (ASCIthis happens because the developer of data he needs to extract. To make things something that should be disabled by the I(lower(substring((USER),1,1)))>97)the website didn’t turn off debugging on clear lets see an example (Assuming MS database administrator. WAITFOR DELAY ‘00:00:10’the server. SQL database). 3- Blind SQL injection : the above query will wait for ten seconds Injection : or 1=user()-- This is the hacker’s last choice since it only if the first letter of the user name take a fairly long time. I worked once is not “a” then you have to do this with Response : Syntax error converting the nvarchar value ‘ahmed’ to a column of with blind SQL injection and to be all other letters of the user name. Then data type int. honest it wasn’t a pleasant experience you move to the password hashes and it took me all the night to successfully so on. This makes it obvious that using exploit this vulnerability. Even with some automated tools or scripts is fundamentalFrom this example you can see that the 2- Union based SQL injection : tools available like sqlmap, sometimes otherwise it will take you days to retrieveuser name ‘Ahmed’ which is the output of Union based SQL injection as the name you need to write your own scripts to only the basic information.the user function is sent back in the error suggests abuses the union operator. successfully exploit blind sql injection.message. The attacker can also retrieve The basic idea is to append the data Now let’s talk about how blind sql About the author: Fady Osman isother information from the database. that the attacker wants to a table that is injection works. In this case the database an information security professional, already displayed in the page. See this will not give you any output not even researcher, and author. He focusesTip : If you don’t have a good experience example from DVWA (A vulnerable web an error message so you need to find mainly in the areas of exploitationwith databases and what useful functions application created for training hackers another way to retrieve data. This can be ,reverse engineering ,web securityyou can go to this website which will give and to be used in educational classes). done by asking database questions like and c programming. His team wonyou a cheat-sheet for SQL injection : Inject this code inside the id parameter : “if the first letter of the user name is not the second place in the MIE 2010http://www.pentestmonkey.com null’ union select @@version,2# an a then wait for 10 seconds” which in competition organized by IEEE Egypt. GREY HAT 10 11 April/june 2011 www.bluekaizen.org
  • Let’s pretend we’re a phone Phone owning Notice in the above example that our Service / Device Class shows we’re a computer. Notice the Link mode is SLAVE ACCEPT. We want to change all of By Brad Smith this so we look like another cell phone. This article will show you how to get started in performing Type this at the command prompt: penetration testing on cell phones to see if it can be hciconfig -a hci0 class 0x500204 compromised by accessing their data via Bluetooth (BT). hciconfig -a hci0 lm accept, master; This is an important part of penetration testing as many hciconfig -a hci0 lp rswitch,hold,sniff,park; bad things can be done to someone’s phone without their hciconfig -a hci0 auth enable knowledge. If they own your Phone, they own your life. hciconfig -a hci0 encrypt enable hciconfig -a hci0 name Resume Now run hciconfig –a again and notice the differences. The last command to change the nameThis is an advanced article so you need Bluetooth was designed as a serial port is important because that’s what appearsthe following base knowledge: replacement. Just like serial ports of old, on the screen. Would you take a callYou need to be able to boot a Backtrack you need to set an IRQ and a Memory from “bt-0” or “Resume” or “ “?4r2 disk on a compute that has Bluetooth address to interact with other devices.device installed. You can use other Bluetooth needs a Channel and Memory Notice what the Service / Device Class is now. You’re a Phone!distros if you like but BackTrack has 32 addresses set to interact with othertools just for Bluetooth. phones. Let’s Start Who else is out there? With Backtrack booted up to the command line and the Bluetooth adapter There are several good tools for scanning on Backtrack, l2ping (that’s an installed type: hciconfig you should see all the “acceptable” devices. If no L not the number 1), hcitool device appears on the list and you have scan, sdptools browse and the device plugged in, well, your device this one BTscanner. won’t work. Sorry, you need to try a What we’re after is the Address different device. Not all BT adapters of the device, think MAC are created equal. address of a network card and the cannel each service is If a device appears (hci0) then bring it offered on. When you click on a up: hciconfig hci0 up, just like it was a device it gives you more information, specifically the cannel of each service wireless card. offered and memory addresses of the device. The hciconfig –a command should return a list of features for all the Bluetooth adapters on the computer. It should look like this: GREY HAT 12 13 April/june 2011 www.bluekaizen.org
  • What Now?Let’s start with a simple program that does lots. My favorite is bluebuggerbecause you can change Option parameters quickly till it works properly.Notice the different modes that bluebugger offers.You can do it all from the command line:~#./bluebugger –m Ron –c 7 –a xx:xx:xx:xx:xx:xx dial 1900badpeopleLets look at this command, simply add the channel andconnection name (here it’s a blank, I use Resume).Seems to simple yes? Very true, it doesn’t work onevery phone that has the Bluetooth on so you needto try lots of different.I look at a lot of Phones and some brands are easierto penetrate than others. Which ones? Depends onmodel, make and how it’s setup.With so many Bluetooth tools here are a few allpurpose basic tools to learn: Hciconfig, Bluescan,l2Ping, SDPTool, hcitool, BTScanner, Bluesnarfer,Bluebugger, Carwhisper.Bluetooth devices are growing number daily. Security is poor at best,coupled with the predicted increase in mobile threats, and NOW is the timeto secure yours and your businesses Bluetooth devices. Here’s help! NIST “Guide to Bluetooth Security” 800-121 www.Backtrack-Linux.org www.soldierx.com/bbs/201001/Bluetooth-hacking-wth-Backtrack-4 www.trifinite.org About the author: Brad started breaking his toys at a very early age. When he wrote his first computer buffer overload in 1972 which totally wrecked the University computer system, he realized the potential to break much larger things. Now he spends his time teaching other to break small things that have large importance, like cell phones. GREY HAT 14 17 jan/march 2011 www.bluekaizen.org
  • new & NEWSnew & NEWS “white papers, cleaning tools, contacting customers, working with top AV vendors, even magazine interviews”. Isn’t this what Another statement that also reflects severe undermining of the terms “due diligence, and responsibility” is a they are paid to do? question they highlighted in yellow: “Has the customer done all he can?“.Stuxnet: What is really strange is their genius Imagine a car manufacturing company conclusion that future infections are that sold you a very expensive car “unlikely”, and this is due to the fact that equipped with an advanced airbag the malware pattern is now detected by up system, then someone smashes into to date anti-virus programs. Eureka !! your car and the airbag doesn’t work,and the truth shall set you free Yes, future “Stuxnet” infections might while in hospital the car company lawyer By Omar Sherin be unlikely, but this is certainly not the asks you why didn’t you bring an airbag end of this type of attacks as long as top from home just in case! vendors like Siemens still use “hard coded & publicly available” passwords on critical What is Stuxnet: it’s the most complicated piece of malware ever systems in the year 2010 and don’t even written. Up till now there has been wide speculations that it was admit that this is the REAL problem. written by a specific country to attack the Siemens computer control systems used in the nuclear program of Iran. Security experts I was able to locate the hard coded (built- heavily criticized Siemens because the worm exploited, among in) user names and passwords in Siemens many things, a “hard coded password” in the Siemens system. The technical online forums: Stuxnet worm infected critical energy companies in 125 countries. login=’WinCCConnect’ password=’2WSXcder’ login=’WinCCAdmin’ password=’2WSXcdeLast month Siemens Internal CERT The slides confirmed that the malware(Computer Emergency Response Team) is capable of transferring data outside ofreleased some slides about Stuxnet as a the infected system back to the commandform of “Official Communication” within and control servers, yet nothing has beentheir constituents. The slides were taken proven specially that the two C&C serversoffline few hours later. ( • www[.]mypremierfutbol[.]com • www[.] About the author: My name is Omar Sherin and I am the OWASP Egypt chapter chair todaysfutbol[.]com ) and a member of the OWASP Leaders Board.I have more than 8 years of professionalBut as I was reading through the slides I were brought down by Symantec. “I corporate and national level Information security experience plus more years as a securitydecided to take a copy just in case they would like to add that both servers where and online privacy advocate. I also hold a diploma from Carnegie Mellon’s Tepperdo just that. In the official slides (Here), located in Germany”. School of Business in entrepreneurship and corporate innovation.I’ve worked for severalSiemens confirmed that Stuxnet was multinational firms in the oil and gas sector, communication, government and professional services sector, in my spare time I’m an active Information Security blogger and Speaker.a “targeted” attack by using terms like Then the Siemens slides claim that all Specialties“targeting a very specific configuration, known infections are now clean and zero • SCADA Securitycertain PLC blocks and specific processes enterprise damages reported. Yet they • Critical Infrastructure Information Protection (CIIP)or (project)“. These bold statements didn’t specify their definition of “damage”, • Business Continuity and Disaster Recoverysimply means that Stuxnet makers had is it seeing the enterprise up in flames or • Information Security and IT Audit(one target) in mind, and this should few bytes of data going out? The slides • Risk Assessment , GAP Analysis, Security policieseliminate any theory out there denying go on listing the great deeds of Siemens • Digital Forensics and web application pen testingthat its a state sponsored malware. since the discovery of the malware: new & NEWS 16 17 April/june 2011 www.bluekaizen.org
  • A visit to By Osama Kamal He showed some videos of the show, with 800 nodes. They have 46K records scamming people in cafe shops or even daily handled by 5 information security in casinos that have very tight security analysts. In 2007, they had 4000 nodes, mechanisms to prevent fraud, and the message was to highlight the importance and danger of social engineering attacks. The video is available on RSA Conference website; a highly recommended one. One of the interesting presentations was about Mature SIEM implementation, by Bradford Nelson and Ben. It discussed a real implementation in one of the US Government entities, where they divided the SIEM evolution into 3 phases: Infancy, Growth, and Maturity. In Infancy 2M records/day, and 14 analysts. In 2010, mode, you need to focus on collection they had 30K nodes, 326M records and and aggregation. In Growth mode, you 32 analysts. These are pretty insightful need to focus on real-time monitoring, numbers if you are planning for a SOC. unsupported sources, and environmental They started with logs like failed logins, modeling. In mature phase, you start port scans, and AD changes. Later developing processes, adding external they added IPS, packet capture, and threat feeds, putting alerts into business packet drops, then apps, users, social context, aggressive normalization and media, auto ticketing handlers, honeynet correlation, and adding application/user sensors, and all connections. That is a lot behaviour analysis. to handle!RSA conference is by far the biggest by giving an example of an unusual According to the presenters, you shouldcommercial event I have attended. It definition. He then asked people to use start defining your requirements first, then The conference is an excellent chance tois not just an expo with more than 400 their mobile phones and computers to do procurement, design, deployment, and get updated with new technologies frominformation security companies, but it search for that term on the Internet and then content delivery. The requirements vendors. It is all about the defence side,is also a place where you get to meet showed that google search revealed a definition is very important and should not the offence side such as Blackhat.information security rock-stars and the top totally wrong definition as he was able use vendors literature combined with If you in are in security business, thismanagement officials of big companies. to poison the search results by creating your own technical and business needs. conference should be your target.In addition, the event also has a lot of a Wikipedia page and a YouTube video, You can simply look for use cases tosessions, mostly panel discussions, with some link building techniques to give understand more. Things to consider About the author:where you listen to the people who the wrong definition on top of the search are: start slowly, you can use NIST 800- An independent security analystare shaping the security industry or results. 53, and 800-92 as a start; go for quick with over 13 years of experienceare heavily involved in it in one way or wins; and do not try to spend lots of time in security operation, design,another. Hugh Thompson also hosted Alexix in unsupported logs. Also check your architecture, and incident Cornan, who runs a show in BBC; the data collection rates, and build your key handling. Running his own blogMy favourite keynote was the one of Real Hustle. He showed how easy it is to performance indicators and metrics. www.okamalo.com for almost 2Hugh Thompson gave about social scam people using “misdirection”, which years, currently focusing on openengineering, entitled “People Security”. is one part of a good scam. It does not They gave some numbers from their source information gathering,He showed how easy you can mislead matter how smart you are, even security environment, when they started in 2004 and threat intelligence”.people through search engine poisoning conscious people can be scammed. new & NEWS 18 19 April/june 2011 www.bluekaizen.org
  • Electronic Voting votes. Electronic Voting can be used in presidential elections, parliament members’ elections and also inside the backup so as to maintain confidentiality and integrity of data. And by having the backup, availability is guaranteed. Security Challenges parliament while voting for legislations and policies. We need to forget about the previous “funny” way by which votes These DRE machines should be hardened and certified through audits, so as to ensure security. For sure machines By Mohamed Enab inside the parliament were handled and“Cyber Revolution”… a catchy expression lot of factors. If you simply play in the move to E-Voting; the Speaker of thewe use these days! This type of “revolution” voting software by a virus or a bug then People’s Assembly of Egypt used tois conducted over the Internet using social you might have an undesirable president just check the votes for legislations andnetworks, such as Facebook and Twitter, or parliament member for example. policies only by the eye!and this is the first time in history that Therefore, due to its critical risks and that Let us see how we can implement thepeople start a revolution against unfair some countries already had voting fraud Electronic Voting system; usually theand oppressive government systems by incidents, Electronic Voting needs to be system will machines all over the countrya Cyber Revolution. assessed and analyzed well to check to collect the votes. These machines areTo help maintain the principles of this whether it is can be applied safely in our connected in a secure way to a centralrevolution and sustain it to use it anytime country. Basically a voting system has point for analysis and monitoring. So ifwe are again confronted by governments four main characteristics;1 we spread our devices over 700 sitesthat lack freedom of speech, we should 1. Accuracy: The goal of any voting for example, and then the central point Figure 1 DRE Machine used in Brazilput some “controls” into our lives to system is to establish the intent of each notices that some suspicious activitiesguarantee as much as we do not reinvent individual voter, and translate those then investigations may start and track may differ from one type of election tothe wheel, especially while no political intents into a final tally. To the extent any distrustful activity. But what kind of another, but the concept is the same.party is in control and there is some sort that a voting system fails to do this, it machines should be used?! Maybe a I believe that in order to have “Cyberof chaos around a certain country. That is undesirable. This characteristic also PC, but it can be infected by a virus or a Revolution”, we need to implementis the time to put neutral controls over includes security: it should be impossible worm. Maybe a hardened machine! How systems in our countries which bringCyber Revolution. to change someone else’s vote, ballot can these machines be connected to the technology into our daily lives. And sinceI said “controls”, right?! Yes, I did. Does stuff, destroy votes, or otherwise affect sites. secure voting is a crucial step in bringingnot this remind us, Security Professionals, the accuracy of the final tally. Usually machines used in E-Voting, in trustworthy entities for the sake of servingof something we used to use in our daily 2. Anonymity: Secret ballots are countries like Brazil, India, USA, are our people, then special attention shouldlife when referring to Firewalls, IPS, IDS, fundamental to democracy, and voting Direct-Recording Electronic (DRE)2 voting be paid to deploying “Electronic Voting” inetc. But what type of controls am I talking systems must be designed to facilitate machines. A DRE machine records votes our countries.about?! voter anonymity. This also means by means of a ballot display providedAs we all know, the main objectives of confidentiality, in one way or another. with mechanical or electro-optical About the author:Information Security is to protect the 3. Scalability: Voting systems need to components which can be activated by Five Years of Experience inconfidentiality, integrity and availability be able to handle very large elections. the voter (typically through buttons or a Information Security Consultation touchscreen). Then data is processed Field & possess deep knowledge andof our company, our organization and With the increase of population, we need understanding for security threats &our country. What I see right now is that to invest on something that could sustain by means of a computer program. Then voting data and ballot images countermeasure, security productspeople believe in this revolution and along enough. & technologies, Information securityto help them trust it more and more is 4. Speed: Voting systems should produce are recorded in memory components. management systems, networksto have a system that makes them feel results quickly. This is particularly After the elections, the DRE machine & operating systems. Having beensecure and safe when they give their important where people expect to learn produces a tabulation of the voting data in Banking Field for 2 years wherevotes during elections or referendums. the results of their voting on the same day as a soft copy stored on a removable Money talks and Security is a greatWe are talking here about “Electronic it took place, before bedtime or early the memory component and as a hard copy concern there and also in InformationVoting”. day after, and monitor the progress of the as well. The system may also provide a Security Consultation Field givingI know that the idea is not new, and that it voting process. means for transmitting individual ballots consultation and advisory actions tohas been implemented in lots of countries So, these are the four main features or vote totals to a central location for customers to get the best of the breedsuch as the USA, Spain, Australia, and that should characterize Electronic consolidating and reporting the results from security solutions and secure by precincts at the central point. So data the organizations which have differentthe Netherlands - just to name a few - Voting, and if we have a system that concerns & Business Objectives. Ieither by Remote E-Voting or Polling can do that electronically then this will can be transferred securely through encrypted links or flash memories with have right now Security CertificationsPlace E-Voting. However, these systems guarantee neutral and falsification free like CISSP, CCSP, SSCP and have aare not easy as you might think; they good networking/Telecommunication 2 Definition as per Wikipediaare complex systems that depend on a 1 Adopted from Bruce Scheier Blog - Schneier on Security background. new & NEWS 20 21 April/june 2011 www.bluekaizen.org
  • An Interview with • What made you take the Free Information Sharing Route instead Clement Dupuis of selling your knowledge? As you get past 50 years of age you realize that you do have quite of bit of wisdom and knowledge that you have acquired over the years. At one point you need to get someone ready to take over from you and finally retired. By Moataz Salah I am from a small lumberjack village in the deep woods of Quebec, Canada. In my Clement Dupuis is a man that you village people always help each others, skills and knowledge are passed from father can’t prevent yourself from respecting to son for generations, I taught doing the same on the Information Security side his thoughts and his principles. could be a very interesting project. His principles and beliefs were one It started as a hobby and today the Family of Portals reaches over 150,000 security of the main reasons to launch our professionals in more than 120 countries around the world. It does make me feel magazine, Security Kaizen Magazine. proud when someone sends me a message to thank me and my team for the work Two years ago, I started quoting we are doing in helping the community. one of his famous sayings in my lectures ”Don’t be a leacher, Don’t I was asked many times WHY I do not charge a fee on some of my portals. With the suck people blood till you get all the number of members we have we could be millionaire if I would have charged $10 per information you need , share your person. We all need money, however we never have enough, it is a never ending knowledge even with just a comment“ story. Above money there are people, when I am able to contribute to someone career and help them progress and reach higher, I feel a lot better than getting $10 Clement Dupuis as a fee. People should always be priority number one. Founder and Maintainer of the CCCure Family of Portals • Can you give us more ideas about your free information sharing web sites and the free Services you deliver?• Can you introduce yourself to Security Kaizen Readers? Our portals contains large collection of Documents, links, forums, mailing lists, cramGood day to all, study guides, quizzes, and a whole lot more.My name is Clement Dupuis, I am the founder and maintainer of the CCCure Family The portals are large containers of knowledge that constantly get updated and betterof Portals. Twelve years ago I started to dedicate all of my free time to “Giving Back as more and more people are contributing.to the community” which has been a way of life since then.I had the privilege to work for 20 years for the Canadian Department of Defense and • What problems did you face when you started your freewas exposed to radio communication, satellite communication, and finally I got into information sharing web sites?the computer world. The first 4 years were very lonely, you spend all of your free time building content,I was one of the very early pioneer who was attempting to use the Personal Computer answering queries, and you do not see anything being returned to you. Then all of(PC) in places and in ways it was never, ever attempted before. I had to combine a sudden my site was listed in books and magazines which drove a lot of traffic to it.modern equipment with outdated radio communication. Often time we had to talkwith the engineer that wrote the software to make things work. There was no better I felt like quitting the whole project many times. There were days when I would getway to learn the details behind the interfaces that we were using. negative feedback that made me feel like pulling the plug. However, my wife who is the calm and moderate person behind me would always remind me that for everyNetworking, Personal Computers, Server, and making them work together has been negative message I have most likely received 100 positive message. After a whilea hobby of mine for more than 20 years. It is always a privilege to have your hobby you learn to concentrate on the positive and accept that you cannot please 100% ofas your full time job. your visitors. new & NEWS 22 23 April/june 2011 www.bluekaizen.org
  • - HITB MagazineTime has always been my biggest challenge over the past 10 years. Maintaining - (IN)SECUREportals is VERY time consuming. - MISC Magazine - Professional Tester• Which Security Conferences Clement Dupuis must attend every - SecurityActsyear? - Security Kaizen - The Hackademy JournalThere are a few that I always attempt to attend such as BlackHat, Defcon, - UninformedCanSecWest, and Hacker Halted. They are some of the largest and also some ofthe best conference that exists out there. • What is your Comment about Security Kaizen Magazine ? and what is needed to rank it as one of the best magazines in• You are a big fan of CISSP, why is that ? Information Security field in the world?There are a lot of misconceptions related to the CISSP certification. It is NOT a Security Kaizen is a very interesting magazine and once I read through the firsttechnical certification, however it forces a Security Professionals to learn more about edition I know that it is a magazine that will only get better with time. The magazinedomains that he would not get exposed to in his daily tasks. is very young compare to other magazine that exists out there.The CISSP shows that a Black Box approach to security will not work. You can The success will depend on a few things: Content, Content, and Contentstack 10 security appliances and they will still be ineffective is there is no policies,procedures, or processes in place. If your provide great content the readers will come to read it. From what I have seen so far you are on the right path to do so.People have to realize that only hardware or software is not the answer to security.You have to have a good mix of policies, people, and process, the 3 P’s. Last but not least, ask for feedback and listen to your readers. Ask them what they wish to get and provide it to them. All of this will make it a great success.I was one of the first person to become a CISSP in Canada. I saw that it was a greatpackage but there was no resource to prepare for it. This is when I decided to createthe CCCure.Org web site. I wanted to help other in becoming certified and by the • From your experience, What is mostly needed in the Middlesome token better understand what security is all about. east and arab countries to help them be an added value in the information security field instead of just importing technology• What is your Plan for the next coming years ? There is already an amazing number of software and hardware company comingI am now at the point where my portals needs to move to a better platform that will from the Middle east and Arab countries. Unfortunately some are nice players or areintegrate with the viral world of Social Media. This is one of the major project to come. not recognized in their own country.I also need to categorize content by geographical location. People loves to know Information Security and it’s associated technologies are still something that is upwhat is in their backyard and what resources they have locally. and coming in those regions. Leadership must start at the top at the government level. Cyber Security should no longer be seen as a luxury but as a necessity toAdding a few more certifications is also on the menu. Cloud Security and Risk security conduct business in a connected world.Management comes to mind. For the first time in history companies have suffered more losses and fraud online• Can you rate the top 5 magazines in the Security World? than the physical world in 2010. Where there is financial transaction and money involved there is also crime. The online world is no different than the physical world,This is a tough one. Some magazines cater to management, some others cater to in fact it is a lot easier to commit crime online than risking being caught in the actSecurity Testing, some will be for programmers, as you might have guessed I read a doing a physical crime.lot of security oriented magazines. On my short list I do have:- 2600 Quarterly Sharing information, Educating more people about these issues, and create a climate- Club Hack Magazine favorable to endless learning is one of the most effective tool one can use against- Hakin9 criminal activities over our networks and systems. new & NEWS 24 25 April/june 2011 www.bluekaizen.org
  • Step By Step 4. Types of Rootkits: 1. User-mode Rootkits: modify the system functions or hook I/O request packets (IRPs), which are sent Rootkits: This type of rootkits is simply working in the to the device drivers for the purpose of user mode and it hooks some functions in modifying the inputs and outputs to this a specific process, sometimes it loops on device driver. all processes except the system process- Kernel-mode rootkits can hook all es. It is done by injecting a code inside processes, including system processes A Deeper Look the virtual memory of this process, and then it patches the first instructions of at once; however, they are harder to detect and remove. By Amr Thabet the hooked function to force it to call the The problems of kernel-mode are mainly injected code. due to it being hard to program and very1. What is rootkit? of security called rings. Rings are simply Hence, the injected code modifies the sensitive to the changes of the operatingThe rootkit is simply a programme that a set of privileges or restrictions, whichgives you a permanent access to the enable hackers to work on them. input of this function, and then resumes system, and sometimes sensitive to the“root”, which is the highest privileged user There are four rings and they begin with the hooked function to modify the output changes of devices too.in UNIX system. ring-0, which is the highest privilege and of the very same function, and at lastThe rootkit can easily control the system it is called kernel-mode. Ring-3, that is, returns again to the process. 5. How Rootkits Work?or modify it on the fly to force it to hide the the lowest privilege and is called user- 2. Kernel-mode Rootkits: First of all, how Windows works shouldpresence of a specific virus or spyware. mode. All applications run in user-mode On the other hand, kernel-mode, the be understood. Windows is an operating and have specific privileges which they, second type of rootkits, works inside the system created to become a layer2. Why rootkits? by all means, cannot exceed. When system. These rootkits are installed as between the hardware devices and theIt gives you a permanent access to the operating system runs in the kernel- device drivers and they have the ability to software applications and users.the infected machine. For as much as mode, which has the highest privilege, ithackers’ belief, it is not only enough to can do everything ranging from modifyingpenetrate a system or compromise its the memory of the system, modifying thesecurity defenses, but also the ability to setting of the processor, to sending and Users And Applicationsstay hidden in the system to spy or control receiving signals from computer devices.it for your desired needs is a must. There is a single way to jump from ring-3Therefore, rootkits are mainly created to to ring-0, which is done by a processorhide the hacker inside the system from instruction named “Sysenter” - System Operating Systemadministrators, file monitors and firewalls. Enter, to call a specific function in theSome of the hiding techniques are hiding operating system.files in the hard disk, a connection port, 2. Patching and Hooking: Hardware Devicessome registry keys or a running process Hooking is a term given to the processin the machine. of intercepting or interrupting a call to aFurthermore, some other rootkits are system function like zwQueryDirectory It is created to be non-sensitive of the that do everything like managing filesespecially created for other needs, like File. Some examples are query files,keystroke monitor (keyboard spy), or which either function as modifiers to the hardware changes, to support multiple and directories, internet, connectivitypacket sniffer, which is a program that input (the path to a certain folder whose users and processes (applications), and so on.monitors all the data that is sent or files need to be queried), or modifiers to and to support system security from In order to understand the tricks of thereceived in the computer in order to steal the output (deleting the name of a specific malformed processes and from users to rootkits, the way the interface workspasswords or credit cards. file in order to hide it). users. should be first understood. Thus, Patching, in like manner, is very similar It supports a static interface between the life cycle of executing an API like3. Some Definitions: to hooking. Patching means modifying; applications and hardware devices called “FindFirstFileA()” from user-mode to1. User-mode Vs. Kernel-mode: modifying the first instructions of a specific Application Programming Interface (API). kernel-mode, to the device itself is shownThe computer processor has some type function to hook the inputs or the outputs This interface includes many functions below in this figure. of this function. Step By Step 26 27 April/june 2011 www.bluekaizen.org
  • to change the inputs, as the IRPs were or Packet Sniffers, could communicate to Execute SYSENTER FindFirstFile() Calls to Call To Function instruction with Function first received, and have the ability to set a the device directly to receive the pressed ZwQueryDirectoryFile FindFirstFile() Number (0x91) function named “IOCompletionRoutine”. keys or send an internet packet by User Mode The IoCompletionRoutine is executed passing with this way and software filters Kernel Mode after completing the request and before or any hooker. returning to user or the user-mode This part is very sensitive to the changes Search For Function Send an IRP Request to Execute fastfat.sys (and All application. of the hardware, which is a very hard task (0x91) in The System Service Dispatch Table ntQueryDirectoryFile() Device drivers attached IoCompletionRoutine has the ability to to work on, and (SSDT) to it) change the outputs of this request in actually it is only used by the elite hackers order to hide files, for example, or make as most people say. any other changes. sending signal to the Attached Devices Drivers Attached Devices could In a like manner, the rootkits have the Conclusion: device and gets the could set IoCompletion change the inputs of the ability to filter the inputs and the outputs The rootkit is considered a programme output /execute the Routine to change The IRP request of any request. or a tool that gives the root privileges IoCompletion Routines outputs (Preoperation Mode) and return to user (postoperation mode) Regarding the last example, the rootkit to be used for the purpose of hiding the could change the results of this query to presence of a specific virus or spyware. Each step is explained, in addition to the hooking mechanism that is used by rootkits. hide a file or change its This tool uses the hooking mechanism to1.User-Mode Part: a pointer to another function (for name in the results of QueryDirectory filter the inputs or outputs of the systemAt the user-mode, the applications have the last example NtQueryDirectoryFile()) IRP. functions, either in a user-mode or kernel-the ability to call a function of hundreds of and then calls to this function and the 4. Communicating With Devices: mode, to hide the malware process. Byfunctions in the Windows’ interface (APIs), execution in the kernelmode After the device driver gets the IRP, the same token, it can hide files fromand as it is seen in the last example, continues. the device driver communicates with the outputs of any query as if there is nothe application calls to FindFirstFileA(), At this part, the kernel-mode rootkits, the related device, the Hard Desk for malware in the computer.which calls to another API named as explained above, have the ability to instance, by sending signals to this device Some other rootkits use these privilegesZwQueryDirectoryFile(), which calls to change the pointer to a function in the or receiving signals from it. to log the key presses or sniff the internetKiFastSystemCall(), which executes a SSDT array with another function inside After getting the reply from the device, the packets to steal passwords or intrude onprocessor instruction “Sysenter” that the kernel-mode rootkit. device driver changes the output to the someone’s privates.converts you from user-mode to kernel- Additionally, other rootkits prefer to standard shape for windows or converts It is also described above in this articlemode and executes another function in hook these functions by patching its first the output into a more higher level and the life system cycle to execute a systemthe system in the kernel-mode named instructions like the usermode then returns to the user-mode application query from the usermode to the kernel-KiSystemService() rootkits. after calling to IoCompletionRoutine. mode to the hardware devices to reply toAt this part, the user-mode rootkits, as 3. Device Drivers: In this stage, the rootkits cannot hook the someone’s request in a high level replypreviously explained, have the ability to After executing ntQueryDirectoryFile() signals to the devices, but some rootkits with the transparency of the hardwarehook one of these functions by patching function, this function sends to the with another tasks, such as Key Loggers changes.its first instructions by another which related device driver a request named About the author: I’m Amr Thabet. I’m a Freelancer Malware Researcher and a student atallows the rootkit to change the inputs or “I/O Request Packet (IRP)” to query on Alexandria University faculty of engineering in the last year.the outputs of these functions. a specific directory. This packet will be I’m the Author of Pokas x86 Emulator, a speaker in Cairo Security Camp 2010 and invited to2. SSDT: received by the appreciate device driver become a speaker in Athcon Security Conference 2011 in Athens, Greece.While executing “Sysenter” instructions, I begin programming in 14. I read many books and researches in the malware, reversing and and all device drivers attached to it. antivirus fields and a I’m a reverser from nearby 4 years.the processor converts you into the Windows allows device drivers to bekernel-mode (ring-0), and executes attached to any device driver to filter References:KiSystemService() function which search its input, change its output or complete 1. Addison Wesley Professional Rootkits - Subverting the Windows Kernelin an array named “System Service the request without the need of the real 2. The Rootkit Arsenal : Escape and Evasion in the Dark Corners of the System, by ReverendDispatch Table (SSDT)” with the function device driver itself. Bill Blundennumber as an index in the array and gets These device driver filters have the ability 3. Rootkit - Wikipedia, the free encyclopedia, at this link: http://en.wikipedia.org/wiki/Rootkit Step By Step 28 29 April/june 2011 www.bluekaizen.org
  • is a common human nature to choose dictionary words. However, a relationship understandable words for the password. exists between those passwords and This, unfortunately, eliminates a big dictionary words. There are several search space of the non-readable hybrid optimisations that take advantage character combinations, and simplifies the of this human vulnerability in order to mission for crackers. A dictionary attacks produce a better password guessing against a password exploits this human schema. Xieve technology is devised By Ahmed Saafan vulnerability by using dictionary words as by Passware to predict possible human the main source of the key space. This readable alterations of dictionary words Since a long time, passwords have been the most popular way for attack can be done on either the original [5]. It uses an algorithm that mutates and authentication and proving identity. Some new biometric techniques have hash or the authentication mechanism, in combines dictionary words to produce a evolved recently and have proven great accuracy and security. However, case the hash is not available. slightly bigger enhanced key space which they are not used except in very sensitive places due to their high cost. are still orders of magnitude smaller than Hence, passwords are the main method of authentication used in networks. Thanks to electronic social media; the the original full key space, but way more This article is about password cracking techniques, optimisations, and tools. overall security awareness is in a state capable of finding the correct password.A the hash, the process will try all different of continuous improvement. It is getting ccording to the information base possibilities and combinations of the harder for crackers to guess passwords, GPU Optimizations: Another orthogonal that the cracker has, password password until the hash of the attempted because people are starting to use more aspect for password cracking optimisation cracking may be classified trial matches the original hash value. complex words. Despite being complex, is the hardware dimension. Moderninto two types: informed cracking and Otherwise, in an uninformed cracking, the the words are still readable. Hence, a few Graphical Processing Unites (GPUs) canuninformed cracking. In informed regular authentication procedure has to optimisations are devised by crackers to be used to optimise password crackingcracking methods, the cracker has prior be used in trying all different possibilities improve dictionary attacks: methods due to its vectorisation. Theyknowledge about the password. Thisknowledge could be the password key along with a way to identify the successful support complex vector processors that log in attempt. Customized Dictionaries: are capable of bulk vector computations.space (i.e. the possible combinations of Typically, people choose passwords Typically, this is used for graphicalthe password), the password structure The obvious time limitation is what relevant to their context. A slew of tools processing. However, it is also very(for example, the fist character must be makes this attack almost unfeasible in are out that analyse human profiles handy in password cracking due to itsa number and the following characters its original form, given that the password (Facebook accounts, blogs, Websites high parallelism. Crackers use GPUmust be at least 6 alpha-numeric), or the is cryptographically secure enough. ...etc) to generate a word list of password frameworks to boost password crackingcryptographic hash (i.e. The output of However, there are several variations candidates. This word list is later used by arranging password key space valuesa non-revisable mathematical function to this attack discussed later that might as the key space for brute forcing. This into vectors with the maximum size thatapplied on the password). On the other be feasible to use in cracking complex technique has been proven to be one of the GPU processor can handle at once,hand, in uninformed cracking, the cracker passwords. the most effective methods in penetration and process those combinations in bulkshas ultimately no information about the testing. Common password list generator as a single trial. Obviously, the morepassword. It is noteworthy to mention that A very common programme for multi- tools include (CUPP, CeWL, and Crunch). powerful the GPU is, the more speed-uppassword cracking in this context meanspassing through the authentication threaded (parallel) password brute gain is achieved; one GPU processing forcing is THC Hydra, which has been Hybrid Optimisations: cycle trial could include more than 10challenge successfully regardless of updated recently to support advanced Another password choosing habit that key trials. According to Elcomesoft, aknowing the original password. CPU optimisation techniques [1]. can be abused is when a user slightly security research company specialised modifies a dictionary word to be a non- in password cracking; the speedup canBrute Force Dictionaries dictionary, and uses it as a password. reach 50000% [8]. The chart below (byBrute forcing is the most basic method A natural enhancement to the brute Words such as (pa$$w0rd, koolB0y, ElcomeSoft) shows the possible speed-for cracking a password. It can be used force approach is trying to narrow down applepie ...etc) are technically not up gain for different GPUs.regardless of the cracker possession ofthe original hash value. If the cracker has the possible password key space. It Step By Step 30 31 April/june 2011 www.bluekaizen.org
  • challenges such as the windows net-bios which is able to crack any WPA password file sharing protocol. A common tool used in less than 20 minutes [9]. for pass-the-hash attack is Pass-The- Hash Toolkit from security-database [7]. Conclusion Also, the notorious Metasploit Framework It is very clear that black hats are moving has pass-the-hash capabilities. towards more convoluted techniques to crack passwords. A highly technical The Cloud cracker now would try to pass the hash, Cloud computing is “the trend” nowadays. create a profile for the target user to Unless you have been hiding under a infer a password key space, optimize rock for the last two years, you must have and enhance the key space using heard about cloud computing. Amazon mutation algorithms, and at the end,Rainbow Tables a secure password, can be cracked in Elastic Cloud Computing (EC2), and buy some rainbow tables online, orIn informed cracking, when the cracker 160 seconds [4]. You can get the pre- Microsoft Azure are popular examples. rent an on-demand cluster from a cloudhas a hold of the password hash, the computed rainbow tables for most known With such gigantic infrastructure available infrastructure service, and that’s it…original password cannot be inferred algorithms from a number of commercial on-demand, crackers are leaning your password is cracked! Even worse,due to the inherent non-reversibility websites, such as rainbowcrack [2] and towards using it for evil. Distributed a bot-master who controls a herd ofof password hashes. So, it is a matter ophcrack [3]. computing systems can be used to divide zombies (botnet) through Trojan horsesof trial and error. Password cracking the password trials among the working can use the botnet capabilities to crackusing rainbow tables is typical in such Pass-the-hash cluster, since the password cracking passwords pretty much the same way itscenarios. It is an example of the classic If the cracker already has the password process is naturally divisible where each would be done using cloud computing,time-memory trade-off. In the original hash, and the server uses the password node in the cluster would try a subset of only for free!. Therefore, one should bebrute force method, the cracker must hash only to prove the users identity (e.g. the key space. very vigilant when choosing a password,try to hash all possible passwords to windows network authentication), the because no one knows what is lurking incompare it with the original hash each cracker then can create a custom script You can start a 100 node high computing the dark hallway.time a cracking procedure is in place. that just sends the saved hash to the cluster with high end GPU capabilities and About the author: Ahmed Saafan isRainbow tables, on the other hand, server when requested without knowing use it in parallel to crack Ultra complex a senior information security analystutilise pre-computed look-up tables for the original password. Since the server passwords in a matter of minutes! A and the technical team lead of Rayaall the key space required to brute force. does not know if this hash is generated on German hacker recently cracked a SHA- IT Security Services Team (RISST).And when a given hash is required to be the fly or cached, it will authenticate the 1 hash for 2$ according to the register Saafan, the founder of RISST’scracked, the problem is transformed to a cracker as a benign user [6]. The figure security magazine [9]. Also, a security application security division, issearch problem where the cracker is only below shows a typical authentication white hat, Moxie Marlinspike, created a specialized in software security andgoing to look up the correct hash value in scenario for a user trying to access a cloud WPA cracker for 17$/password, advanced penetration testing.the pre-computed tables. resource on a file server. Now, what if someone tapped the line, captured ReferencesRainbow tables cracking typically reduce the sent password hash in step 6, and http://freeworld.thc.org/thc-hydra/the complexity of finding the correct replayed it later on without knowing the http://project-rainbowcrack.compassword to orders of magnitude of its password? He will be granted access http://ophcrack.sourceforge.netrival brute force methods. According (under certain conditions). http://www.codinghorror.com/blog/2007/09/rainbow-hash-cracking.htmlto a security researcher at “the coding http://www.lostpassword.com/attacks.htm#xievehorror” security blog, the password Pass-the-hash is very effective in cases http://www.sans.org/reading_room/whitepapers/testing/crack-pass-hash_33219 http://www.security-database.com/toolswatch/Pass-The-Hash-Toolkit-v-1-4.html“Fgpyyih804423”, which is considered of repeated or static server authentication http://www.elcomsoft.com/eprb.html#gpu http://www.theregister.co.uk/2010/11/18/amazon_cloud_sha_password_hack/ Step By Step 32 33 April/june 2011 www.bluekaizen.org
  • Social Social networks serve as fertile grounds for    Networks information leakage, malware and crime ware. Personally Personal laptops/mobiles may lead to malware/virus/ owned A Simplified Approach to    information leakage. Devices Newly introduced devices in the marketplace may Achieve Security in a New Devices    have potential threats; malware/virus/information leakage. Consumerized Environment New tools introduced into the environment by users, New Tools    such as a new mail client. Their potential threat is malware/virus/information leakage. By Vinoth Sivasubramanian Classify Data: 3. Mandatory health checks of laptops Abstract: This paper looks at simple ways that can be Information security professionals should connecting to the corporate network adopted by anyone into their IT environment. Without a doubt, be highly aware of which kind of data via network access protection to be those ways greatly help Information Security personnel to needs to be secured. They must assess performed to ensure that the laptops strike the right chord between security and consumerism. which information is valuable and which adhere to the security standards of the is not, and be able to strike the balance companyIntroduction: Consumerization is the on it. Capitalising the movement means between protecting custodial data, secret 4. Mandatory encryption of commu-latest catch phrase in the workplace. With boosting productivity by facilitating it with data and usual business data. According nications in transit between employeesthe growing penetration of broadband new ways of connecting and sharing, to a 2010 Forrester research study, owned devices and the companyand mobile technologies, the tools used staying competitive as an innovative security teams need to focus more on network via VPNin the workplace are changing rapidly. company and a workplace, and of course protecting secret data that provides long- 5. Enforce sync parsing to controlEarlier equipments and technologies delivering IT flexibly while managing term competitive advantages such as which data types can be synchronizedused to be released in enterprises and security. mergers and acquisitions product plans, between mobiles and the computer ofthen in marketplaces, but this trend is These are various methods on how earning forecasts and trade secrets, and the organisationhighly reversing nowadays. They are the security personnel can go about to other data that damage their reputation 6. Enable the biometric technology onintroduced first in the marketplace, and achieve the right balance between IT rather than protecting usual business data. company owned mobilesthen, they make their own way into security and consumerization. Example earning reports of many publicenterprises. Facebook, iPhone andGoogle Android are typical examples. Know your Threats: listed companies are posted into their White List Consumer Software:A recent Unisys study, conducted by Knowing and documenting the source websites which need not be protected at Consumer software are those thatIDC[1], exposes a troubling gap between of threats is the first basic step. A simple all. can be used on the computers of thethe activities and expectations of new documentation template is shown below. organisation, such as Skype, iTunes,generations of iworkers, and their The purpose of this template is to serve Establish Sound Security Policies: etc, and then they are easily publishedemployer’s readiness to manage secure as an example and it is intended for it not At the minimum, an information security on the organisational portal. In addition,rand support this movement and capitalise to be complete. policy revolving around consumerisation this list is circulated through other must contain the following. internal communication mechanisms of Threat Source C I A Description of source and their potential threats. 1. Mandatory encryption of any company the organization. Any other consumer Web 2.0 Applications, such as Wikis, and RSS feed owned secret/custodial data on their software that needs to be used will be can embed malicious links, which can induce the personally owned mobiles/devices incorporated into this white list only Web 2.0    user to enter into malicious sites/download malware/ 2. Mobile devices that are used for after getting the go ahead from the “IT Applications zero day threats to their computers that destroy the business must have the potential to have Security Team”. CIA of the organization. their data remotely wiped 34 35 April/june 2011 www.bluekaizen.org
  • Information Security Awareness personnel can monitor in real-time very well happen in a consumerised IT CMDB:Campaigns: the location of employees and limit or environment; so having a mature incident Benchmarking all consumer software,Reigning in a comprehensive information disable their ability to access sensitive management system in place is vital to tools, devices and equipment as persecurity awareness campaign will information, and they can go on isolate the incident and to ensure the good security practices, and having ameasure the awareness level through conducting sensitive transactions in availability of systems, which will both configuration management database forfrequent and infrequent quizzes and areas, such as coffee pubs, etc. The use lead to the continuity of the business. all tools/devices will ensure that any newtests. Thinking of various methodologies of advanced technologies such as these Change Management Methodology: devices, that fall under this category, willon how best to reach out to all employees will also enable security professionals to Employing robust change management match to these new standards. Creatingwithin the organization, and involving track employee’s activity when he/she is methodologies is important to ensure awareness to everyone using internalall employees of the organization right deploying overseas. that all new tools/devices which are to be communication mechanisms is a must.from senior management to contract used in accessing data from the corporateemployees are two things to be taken into Deploy Virtualized Desktops: network will need to go through a change Deploy Integrated End Point Solutions:consideration. When virtualised desktops are deployed, management process. This helps to make Deploying integrated end point manage- employees can access information on sure that all consumer items are evaluated ment solutions with a centralised man-Enforce Policy Monitoring Tools: their personal devices; but the core properly before they are released into the agement console is required to easeOnce policies are understood and infrastructure and data remain on corporate environment. the administration effort required fromaccepted, then comes the need to corporate servers behind the firewall. security administrators.enforce policies and monitoring tools justto ensure compliance to the same. This is Separate Networks Based on Datawhere technology comes to our rescue. Access:The usage of technological tools, such Creating separate VLANs for data Conclusion: While consumerisation is a healthy phenomenon, the security threatas VigilEnt Policy Center, will ensure the accessed from home and other locations brought about is real. Security administrators can take simple proactive steps suchlevels to which policies are being followed will ensure that the core corporate network as these to address threats brought about by consumerisation. By using the right mixin addition to reporting deviations on a is available in the event of an incident of processes, procedures, awareness and tools, they can always ensure security andreal time basis. occurring due to malware/spyware, etc. consumerisation which are in sync with each other. Moreover, creating separate VLANsRestrict Mobiles in Designated Areas: for accessing corporate data using References:The usage of mobile equipment in personally owned devices ensures that [1]: http://www.unisys.com/unisys/ri/topic/researchtopicdetail.jsp?id=700004.sensitive areas such as the data center rogue equipment do not get directlyshould be restricted, and monitoring connected to the corporate networkthe data center 24/7 through a CCTV without the help of an insider.camera is essential. Certain steps like About the Author: I am currently working with UAEmaintaining the records of the CCTV Deploy NAC/NAP: Exchange Center LLC as Manager – IT Audit. I havecamera for at least a period of 3 months Implementing Network Access Control/ around 7+ years of experience in information securityis recommended. This can be securely Network Access Protection ensures that in various domains such as finance, telecommunicationdisposed off or archived with necessary personally owned devices and mobiles and consulting. My great passion towards information security is the secret of my success. I am also a memberapprovals. that connect to the corporate network of International Cyber Ethics, and an ISSA educational have met the security standards of the advisory committee member. You can contact me on theEmploy Location Based Technology: company in reference to antivirus/latest following email-address:This is a new trend in technology which patches and so on. vinoth.sivasubramanian@gmail.comuses Global Positioning Systems. Incident Management System: In spiteInformation security managers and of best efforts, a security incident can 36 37 April/june 2011 www.bluekaizen.org
  • Cyberspace as a than the other domains. One of the globally operated classic shared components is the human Unclear boundaries interface with the domain and how the Fairly deregulated private sector can influence and shape Friend and foe traversing the same virtual the cyber battlefield much like the role of space non-combatants in the terrestrial domain. Many unsupervised points of entry Much like the US, many nations are Lacks attribution War Fighting viewing cyberspace as a war fighting Interdependent (domino effect) domain, and thus, many countries have Not resilient or secure enough been working around the clock to create Some of the shared physical domain cyber commands in the hopes of being components are: able to carry out both defensive and Human interaction offensive cyber operations. While this Political influence Domain seems to be the natural course of action, Similar command and control the lack of doctrinal substance, proper Similar mission sets strategy and operational know-how by Areas of effect some nations could destabilize the cyber By Paul de Souza domain and create economic, political As the Internet innovates and our world and military tension. Proper education moves into a more dependent cyber CSFI mission: and training in the area of cyber warfare reality, we must also defend our cyber “To provide Cyber Warfare awareness, guidance, and is one of the key elements to help nations freedoms and the ability to exist as security solutions through collaboration, education, volunteer properly develop their defenses businesses and as sovereign nations in work, and training to assist the US Government, US Military, responsibly and be able to fully cyberspace. Every cyber citizen should Commercial Interests, and International Partners.” comprehend cyberspace as a war fighting have the right to operate responsibly in domain without compromising the cyberspace and maintain the integrity of freedoms of other state actors. his or her activities in the virtual world.One of the big challenges that most cyber however, much of the warfare strategies, Some of the unique characteristics of the The militarization of some elements of thecommanders have, or for that matter tactics, doctrines and policies used in the cyber war fighting domain are: internet along with collaboration effortsanyone who is responsible for protecting physical domain can be applied to the between the private and public sectorscyber systems, is to make the connection cyber domain without the need to reinvent Decentralized become a necessity for one’s survival.between cyber operations and kinetic the wheel. Our cyber community should Privately owned (85% of the Internet) andwarfare. The virtual battlefield has many leverage these analogies more often.of the elements found in the physical One of the major changes in thinkingdomains of land, air, space, and sea. coming from the USAF is theDeputy Defense Secretary William J. acknowledgment that unplugging the About the author: Paul de Souza is the Founder/President/Director of CSFI (CyberLynn, III said, “Information technology Internet due to cyber-attacks is NOT an Security Forum Initiative) and its divisions CSFI-provides us with critical advantages in all option and that our cyber commanders CWD (Cyber Warfare Division) and CSFI-LPDof our warfighting domains, so we need must fight through the attacks and (Law and Policy Division). CSFI is a non-profitto protect cyberspace to enable those continue to be operational regardless organization with headquarters in Omaha, NEadvantages.” One of the discussions of the intensity and sophistication of with an office in ashington DC. Paul has overtaking place around the world revolves cyberattacks. 11 years of cyber security experience and hasaround the fact that the cyber domain is worked as a Chief Security Engineer for AT&T Mission assurance became a key where he designed and approved securea unique one. There is wisdom is this component of any cyber operation. networks for MSS. Paul has also consultedthought process as cyber demands However, in the cyber domain, it remains for several governments, military and privateunique skills sets and capabilities; true that the reaction time is much faster institutions on best network security practices. 38 39 April/june 2011 www.bluekaizen.org
  • HANDS ON TECHNICAL TRAINING SESSIONS17TH - 18TH MAY TECH TRAINING 1 - HUNTING WEB ATTACKERS The goal of this innovative training is to help white-hats improve their skills in the on-going cyber war against web attackers. Attendees will learn how to detect web intruders, and then how to strike-back so that they can better identify the assailants or neutralize their actions. This technical hunt will be based on hands-on exercises launched with the help of the instructor on a dedicated LAN. Students will have the opportunity to apply those special techniques in a real world environment. TECH TRAINING 2 - THE EXPLOIT LABORATORY: BLACK BELT The Exploit Laboratory Black Belt is a new and advanced class continuing from where The Exploit Laboratory left off. This class is for those curious to dig deeper into the art and craft of software exploitation and begins with a quick overview of concepts covered in The Exploit Laboratory, namely stack overflows, abusing exception handlers, heap overflows, memory overwrites, and other core concepts. We shall then focus on topics which involve breaking exploit prevention techniques like non executable stack, DEP, ASLR, etc. TECH TRAINING 3 - WINDOWS PHYSICAL MEMORY ACQUISITION & ANALYSIS The aim this intensive two-day course is to convert computer science and forensics professionals into fully operational live memory analysts for the Corporate, Law enforcement and Government environments. In this technical course, attendees will learn how to use software-based acquisition methods (with MoonSols utilities such as win32dd and win64dd, and even Windows itself) and the clockwork of different full memory dump file format. The audience will also learn the difference between hardware and software acquisition methods and how to do advanced analysis on these dumps. TECH TRAINING 4 - WEB HACKING 2.0 The course is designed by the author of “Web Hacking: Attacks and Defense”, “Hacking Web Services” and “Web 2.0 Security – Defending Ajax, RIA and SOA” bringing his experience in application security and research as part of curriculum to address new challenges for pen-testers, consultants, auditors and QA teams. Web Hacking 2.0 is extensively hands-on class with real life challenges and lab exercises. Participants would be methodically exposed to various different attack vectors and exploits. The learning sessions feature real life cases, hands one exercises, new scanning tools and exploits.OTHER CONFERENCE HIGHLIGHTS19TH - 20TH MAYHITB LABS & HITB SIGINTFirst introduced in 2008, the HITB Labs form the third track in our quad-track line up. Catering for only 60 attendees,these sessions are intensive, hands-on presentations that require audience interaction so please bring your ownlaptops if you intend to attend. Seats are given out on a first come first serve basis so be sure to be at the room at least10 minutes before the session commences.The HITB SIGINT (Signal Intelligence/Interrupt) sessions are designed to provide a quick 15 minute overview formaterial and research that’s up and coming – stuff that isn’t quite ready for the mainstream tracks of the conference butdeserve a mention nonetheless. These session are not only for seasoned security professionals but is also open to allfinal year students based in The Netherlands or around Europe who want to present their projects to industry expertsand the security community.Lock Picking Village by TOOOL.nlSet up and run by members from the The Open Organization of Lockpickers (TOOOL Netherlands), attendees to thisyear’s event will get a chance to try their hand at picking, shimming, bumping, safecracking, and other physical securityattacks. It has always been customary for TOOOL-sponsored physical security sessions to offer some degree ofaudience interaction and hands-on training. Sometimes this has taken the form of publicly-submitted locks being givenon the spot security analysis, other times members of the general public with no lock-picking experience have beeninvited to attempt a bypass in order to demonstrate its ease.Capture The Flag - World DominationCapture The Flag – World Domination is an attack only competition set up and run for the very first time by the HITB.nlCTF Crew! The game mimics real world scenarios and events, bringing the technical attack fun of hacking into thecompetition. For the first time ever, the CTF introduces a new section, hardware hacking and lock picking! Whether it isto lock pick a simple lock to get a flag, to exploit a certain binary or a need to bypass the encryption on a embeddedsystem, this game will make even the most elite “hackers” sweat. There are over 30+ flags to capture and flag pointsdecrease after each submission. Fastest player to submit a flag gets more points compared to the next player. Thewinner is determined by who ever has the most points.Hackerspaces Village & Technology ShowcaseFree and open to public, attendees to the Hackerspaces Village will get an inside look at hackerspaces, their community,projects and even get their hardware hack-on! In the village you will find representatives from the various .EU andNetherlands based hackerspaces who will be on site showcasing their projects. Each hackerspace will also present inthe HITB SIGINT session highlighting the details of their current projects or developments. Alongside the hackerspaces,CTF and Lock Picking Village, there will also be a technology showcase of next generation network security technology,products and solutions.