1. Why choose Nethemba s.r.o.
(company introduction)
Ing. Pavol Lupták, CISSP, CEH
www.nethemba.com
2. Who are we?
a group of computer security experts from the Czech and Slovak republics with more than 10 years of experience
holders of world-renowned security certifications – CISSP (Certified Information Systems Security Professional), CEH (Certified Ethical Hacker), SCSecA (Sun Certified Security Administrator), LPIC-3 (Linux Professional Institute Certification)
3. Our core business
penetration tests
comprehensive web application security audits
design and implementation of ultra-secure and high-availability systems
security training & courses
design and development of secure VoIP solutions
highly skilled Unix/Linux outsourcing
4. Penetration tests
a method of evaluating the security of a computer system or network by simulating an attack by a malicious hacker
involves an active analysis of the system for any weaknesses, technical flaws or vulnerabilities, and their exploitation
experience with almost all OSes, smartphones and PDAs
the OSSTMM methodology is used
5. Penetration test approaches
Black box – a zero-knowledge attack: no relevant information about the target environment is provided; the most realistic external penetration test
White box – a full-knowledge attack: all the security information related to the environment and infrastructure is considered
Grey box – a partial-knowledge attack
6. Penetration test phases
Discovery – information about the target system is identified and documented (WHOIS service, public search engines, domain registrars, etc.)
Enumeration – using intrusive methods and techniques to gain more information about the target system (port scanning, fingerprinting)
Vulnerability mapping – mapping the findings from the enumeration to known and potential vulnerabilities
Exploitation – attempting to gain access through the vulnerabilities identified in the vulnerability-mapping phase. The goal is to gain user-level and privileged (administrator) access to the system (custom exploit scripts or exploit frameworks are used)
7. Comprehensive web application audits
the most comprehensive and deepest web application audit on the Czech/Slovak market
strictly follows the OWASP Testing Guide
practical hacking demonstration (writing exploit code, database dump, XSS/CSRF demonstration, etc.)
one-day meeting with the application's developers
comprehensive report in English/Czech/Slovak
8. OWASP involvement
OWASP (Open Web Application Security Project) – the biggest and most respected free and open application security community
our employees are OWASP chapter leaders for the Czech and Slovak republics, attending OWASP security conferences / trainings
we are contributors to the OWASP Testing Guide (the best web application security testing guide)
10. Ultra-secure OSes
experts in the design and implementation of ultra-secure OSes (NSA SELinux, TrustedBSD, Trusted Solaris)
a suitable solution for high-risk critical environments (banks, insurance companies)
providing full support and outsourcing of these systems
11. Customized security solutions
LAMP security hardening
configuration and implementation of:
WAF (Web Application Firewalls)
IDS (Intrusion Detection System) and IPS (Intrusion Prevention System)
Honeypot & Honeynet
we are vendor independent and unbiased!
12. Load-balanced and high-availability clusters
design and implementation of big multi-server redundant load-balancer and high-availability clusters
based on Linux or any Unix system
an ideal solution for the most visited web portals, database clusters or redundant mail servers that require high availability and security
13. Anti-DDoS hardening
suitable for customers threatened by strong Distributed Denial of Service attacks (online casinos, banks, popular e-shops)
we provide anti-DDoS server housing
design and implementation of geographical clusters
development of our own anti-DDoS plugin for HAProxy (load balancer)
14. VoIP design and implementation
design and implementation of complex VoIP call centers based on Asterisk and OpenSER
focused on VoIP security (secure encrypted calls, secure authentication)
we are Asterisk contributors (responsible for T.38 fax gateway development)
ideal for companies that do not trust their PSTN lines or mobile phones
15. Security training & courses
we offer security training and courses in many security areas including:
web application security
secure programming
wireless network security
ultra-secure NSA SELinux
penetration tests & web application hacking
16. Highly skilled Unix/Linux outsourcing
highly skilled and certified administrators
support of all UNIX systems
permanent monitoring of availability, security patches, etc.
good SLA conditions, 24x7 web / email / telephone support
always on top of “bleeding-edge” technologies
17. Security research I
we have cracked the most used Czech and Slovak Mifare Classic smartcards
we are the first in the world to have implemented and publicly released our own Mifare Classic Offline Cracker, which can recover all keys to all sectors of 1 billion smartcards (!!!) in a few minutes
see https://www.nethemba.com/research
18. Security research II
we have revealed a serious inherent vulnerability in public transport SMS tickets, which is described in our paper “Public transport SMS ticket hacking”
public transport companies in Prague, Bratislava, Vienna, Kosice and Usti nad Labem are still vulnerable
we are open to any security research
19. Presentations at security conferences
our employees are frequent presenters at many world-renowned security conferences (Confidence, Hacking At Random, SASIB, Network Security Congress, OpenWeekend, Barcamp, CVTSS, ...)
do not miss our upcoming presentation about “Mifare Classic Attacks in Practice” at Confidence 2.0 in Warsaw
20. References
T-Mobile Czech Republic a.s.
NBS (National Bank of Slovakia)
ICZ, a.s.
ITEG, a.s.
IPEX a.s.
Limba s.r.o.
Profesia, AUTOVIA, ui42, Ringier Slovakia, KROS, Pantheon Technologies, Avion Postproduction, Faculty of Philosophy / Comenius University, etc.
21. Any questions?
Thank you for listening
Ing. Pavol Lupták, CISSP, CEH