This document summarizes an issue of the IT Security Magazine. It discusses security threats facing mobile devices and explores how to defend against them. The issue contains several articles on topics like mobile malware trends, smartphone security and privacy, and defending cell phones and PDAs from threats. It aims to make readers more aware of security risks involving their mobile devices and information accessed through these devices.
Advanced Persistent Threats (APTs) are a serious concern as they represent a threat to an organization’s intellectual property, financial assets and reputation. In some cases, these threats target critical infrastructure and government institutions, thereby threatening the country’s national security itself.
Peter Wood has worked as an ethical hacker for the past 20 years, with clients in sectors as diverse as banking, insurance, retail and manufacturing. He will describe how advanced persistent threats operate from a security intelligence perspective, based on published case studies and analysis. He will highlight APT entry points and exploitation techniques and suggest practical prevention and detection strategies.
Advanced Persistent Threats (APTs) are a serious concern as they represent a threat to an organization’s intellectual property, financial assets and reputation. In some cases, these threats target critical infrastructure and government institutions, thereby threatening the country’s national security itself.
Peter Wood has worked as an ethical hacker for the past 20 years, with clients in sectors as diverse as banking, insurance, retail and manufacturing. He will describe how advanced persistent threats operate from a security intelligence perspective, based on published case studies and analysis. He will highlight APT entry points and exploitation techniques and suggest practical prevention and detection strategies.
Kaspersky North American Virus Analyst SummitPR Americas
Kaspersky Lab analysts are seeing over 50,000 new malware threats per day in the lab. The best defense against these threats is knowledge. Our Global Research and Analysis Team provided succinct presentations and discussion about the latest Internet threats that exist today, and offered tips to protect attendees from cybercriminals. These presentations provided a greater understanding of the threat landscape and what to expect throughout the rest of 2010.
We are delighted to have Gary Miliefsky on our second Hacker Hotshot of 2013! Gary is the Editor of Cyber Defense Magazine, which he recently founded after years of being a cover story author and regular contributor to Hakin9 Magazine. In partnership with UMASS, he started the Cyber Defense Test Labs to perform independent lab reviews of next generation information security products. Gary is also the founder of NetClarity, Inc., which is the world's first next generation agentless, non-inline network access control (NAC) and bring your own device (BYOD) management appliances vendor based on a patented technology which he invented.
The report focuses on three things that stood out in the second half of 2012: botnets (with special reference to ZeroAcess), exploits (particularly against the Java development platform) and banking trojans (Zeus). Also discussed are multi-platform attack in which a coordinated attack campaign is launched against both desktop and mobile platforms, state of today's web concerning malware hosting and malvertising, and an update on the mobile threat scene.
Cyber Warfare is now a reality. The game changer was Stuxnet, followed by Flame, Duqu and Gauss. And these weren’t created overnight. F-Secure Labs estimates that it took more than 10 man years to develop Stuxnet, and even more time and resources to create Duqu and Flame.
Mobile Penetration Testing: Episode III - Attack of the CodeNowSecure
In the final installment of our mobile penetration testing trilogy, we dive deep to find security flaws in mobile apps by dissecting the code with reverse-engineering and code analysis.
Staying Ahead of Internet Background Exploitation - Microsoft BlueHat Israel ...Andrew Morris
It’s not just you. The frequency of severe vulnerabilities in internet-facing enterprise software being massively exploited at scale has increased drastically. The amount of time between disclosure and exploitation of these vulnerabilities has been reduced to near-zero, leaving defenders with less time to react and respond. While combating internet-wide opportunistic exploitation is a sprawling and complex problem, there is both an art and a science to staying ahead of large exploitation events such as Log4J.
In this talk we will share insights and challenges from operating a huge, shifting, adaptive, distributed sensor network listening to internet background noise and opportunistic exploitation traffic over the past four years. We will give a blunt state of the universe on mass exploitation. We will share patterns and unexplainable phenomena we’ve experienced across billions of internet scans. And we will make recommendations to defenders for preparing for the next time the cyber hits the fan.
Editor speak,Devil facts,Programmers Area ,Career Guide,Know your hard disk,Learn Linux,Software of the month,Hardware/Software Problem,Customizable Web Pages,Algorithms As A Technology,Timeline : 53 Years of Hard Drives,Desktop go to die,Nikesh Arora President, Global Sales Operations and Business Development in Google,hdparm -c3 /dev/hdX ,hdparm,alias md="mkdir" ,An unexpected error (768) occurred at line 5118 in <drive>\xpclient\base\boot\setup\setup .c Press any key to con- tinue,Error Message: “Fatal System Error: 0x000000a0 (0x00000002,0x00070124, 0x00000000,0x00000000),First Look software,http://groups.yahoo.com/group/,infinitytechmagazine,infinitytechmagazine@yahoogroups.com ,http://www.orkut.co.in/Community.aspx?
UN session about modern ICT threat landscape.
The session was aimed to introduce recent threats targeting UN agencies and some potential recommendations to improve detection, investigation and understanding of these threats and their goals.
42 - Malware - Understand the Threat and How to RespondThomas Roccia
Malware are becoming more and more complex. In this talk presenting with Jean-Pierre Lesueur at the School 42, we explained the business model behind as well provided an understanding of the Malware Threat.
Kaspersky North American Virus Analyst SummitPR Americas
Kaspersky Lab analysts are seeing over 50,000 new malware threats per day in the lab. The best defense against these threats is knowledge. Our Global Research and Analysis Team provided succinct presentations and discussion about the latest Internet threats that exist today, and offered tips to protect attendees from cybercriminals. These presentations provided a greater understanding of the threat landscape and what to expect throughout the rest of 2010.
We are delighted to have Gary Miliefsky on our second Hacker Hotshot of 2013! Gary is the Editor of Cyber Defense Magazine, which he recently founded after years of being a cover story author and regular contributor to Hakin9 Magazine. In partnership with UMASS, he started the Cyber Defense Test Labs to perform independent lab reviews of next generation information security products. Gary is also the founder of NetClarity, Inc., which is the world's first next generation agentless, non-inline network access control (NAC) and bring your own device (BYOD) management appliances vendor based on a patented technology which he invented.
The report focuses on three things that stood out in the second half of 2012: botnets (with special reference to ZeroAcess), exploits (particularly against the Java development platform) and banking trojans (Zeus). Also discussed are multi-platform attack in which a coordinated attack campaign is launched against both desktop and mobile platforms, state of today's web concerning malware hosting and malvertising, and an update on the mobile threat scene.
Cyber Warfare is now a reality. The game changer was Stuxnet, followed by Flame, Duqu and Gauss. And these weren’t created overnight. F-Secure Labs estimates that it took more than 10 man years to develop Stuxnet, and even more time and resources to create Duqu and Flame.
Mobile Penetration Testing: Episode III - Attack of the CodeNowSecure
In the final installment of our mobile penetration testing trilogy, we dive deep to find security flaws in mobile apps by dissecting the code with reverse-engineering and code analysis.
Staying Ahead of Internet Background Exploitation - Microsoft BlueHat Israel ...Andrew Morris
It’s not just you. The frequency of severe vulnerabilities in internet-facing enterprise software being massively exploited at scale has increased drastically. The amount of time between disclosure and exploitation of these vulnerabilities has been reduced to near-zero, leaving defenders with less time to react and respond. While combating internet-wide opportunistic exploitation is a sprawling and complex problem, there is both an art and a science to staying ahead of large exploitation events such as Log4J.
In this talk we will share insights and challenges from operating a huge, shifting, adaptive, distributed sensor network listening to internet background noise and opportunistic exploitation traffic over the past four years. We will give a blunt state of the universe on mass exploitation. We will share patterns and unexplainable phenomena we’ve experienced across billions of internet scans. And we will make recommendations to defenders for preparing for the next time the cyber hits the fan.
Editor speak,Devil facts,Programmers Area ,Career Guide,Know your hard disk,Learn Linux,Software of the month,Hardware/Software Problem,Customizable Web Pages,Algorithms As A Technology,Timeline : 53 Years of Hard Drives,Desktop go to die,Nikesh Arora President, Global Sales Operations and Business Development in Google,hdparm -c3 /dev/hdX ,hdparm,alias md="mkdir" ,An unexpected error (768) occurred at line 5118 in <drive>\xpclient\base\boot\setup\setup .c Press any key to con- tinue,Error Message: “Fatal System Error: 0x000000a0 (0x00000002,0x00070124, 0x00000000,0x00000000),First Look software,http://groups.yahoo.com/group/,infinitytechmagazine,infinitytechmagazine@yahoogroups.com ,http://www.orkut.co.in/Community.aspx?
UN session about modern ICT threat landscape.
The session was aimed to introduce recent threats targeting UN agencies and some potential recommendations to improve detection, investigation and understanding of these threats and their goals.
42 - Malware - Understand the Threat and How to RespondThomas Roccia
Malware are becoming more and more complex. In this talk presenting with Jean-Pierre Lesueur at the School 42, we explained the business model behind as well provided an understanding of the Malware Threat.
Malware attacks and data thefts are on the rise as evident from the recent news headlines. The mere use of antivirus software wouldn’t serve the purpose. The reason being, antivirus programs block attacks by using patterns or signatures to identify malicious software code. This signature-based detection was successful when the threats were lesser and spread over a good time frame.
A presentation made during the international Youth Exchange called Digital Danger and financed Erasmus+ Programme through Dům zahraniční spolupráce and the European Union
MasGlobal is a one-stop shop for cyber security consulting services in the USA. We provide cyber security services to protect systems, networks, programs, devices, and data from cyberattacks.
For more information: https://www.masglobalservices.com/services/
IBM MobileFrist Protect - Guerir la Mobilephobie des RSSIAGILLY
La Mobilephobie : Un ensemble de craintes qui touche généralement les RSSI et d'autres professionnels de la sécurité, relativement à l'adoption et au déploiement d'une stratégie de sécurité Mobile qui favorise l'accès à travers l'entreprise, le partage des données de l'entreprise ou des interactions avec les partenaires, clients et autres tiers via des appareils mobiles et les applications.
Application Security not only consists in the use of software, hardware, and procedural methods to protect applications from external threats, it is more than technology, is a path not a destination, it is about risk management and implementing effective countermeasures to identify potential threats and understand that each threat presents a degree of risk.
Once an afterthought in software design, security is becoming an increasingly important concern during development as applications become more frequently accessible over networks and are, as a result, vulnerable to a wide variety of threats. Security measures built into applications and a sound application security routine minimize the likelihood that unauthorized code will be able to manipulate applications to access, steal, modify, or delete sensitive data.
Join up in a tour of various scenarios identifying the basic concepts about Application Security, learning about some of the most recent vulnerabilities and data breaches, as well as examples of how easy it can be to hack you.
eScan, one of the leading Anti-Virus and Content Security Solution providers, has studied on a recent poll that says 32% of the top IT professionals agreed that data breaches and malware are the top threats that any organization faces.
A Multi-Layer Real Time Remote Monitoring & Corporate Network System For Viru...ijccsa
Corporations face a dangerous threat that existing security technologies do not adequately address, which includes malware, track ware and adware, describes any program that may track online and/or offline PC activity and locally saves or transmits those findings to third parties without user’s knowledge or consent. The same activities that make our employees efficient and productive doing research over the internet, sharing files, sending instant messages to customers and coworkers, and emailing status information while travelling are making our IT infrastructures vulnerable to mobile malicious code, Spyware, viruses, Trojan horses, phishing, and pharming. Gateway firewalls and antivirus software is no match for these new, virulent threats. To ensure the needed protection, organizations need to incorporate content level protection into their overall security strategies. As web-borne threats become more complex and virulent, companies must face the need to supplement their existing, traditional security measures. So, in this paper, we will highlight about our work which attempts to keep a real time track of each events of the client’s behavior inside a network.
International Journal on Cloud Computing: Services and Architecture (IJCCSA)ijccsa
As web-borne threats become more complex and virulent, companies must face the need to supplement their existing, traditional security measures. So, in this paper, we will highlight about our work which attempts to keep a real time track of each events of the client’s behavior inside a network.
Elevating Tactical DDD Patterns Through Object CalisthenicsDorra BARTAGUIZ
After immersing yourself in the blue book and its red counterpart, attending DDD-focused conferences, and applying tactical patterns, you're left with a crucial question: How do I ensure my design is effective? Tactical patterns within Domain-Driven Design (DDD) serve as guiding principles for creating clear and manageable domain models. However, achieving success with these patterns requires additional guidance. Interestingly, we've observed that a set of constraints initially designed for training purposes remarkably aligns with effective pattern implementation, offering a more ‘mechanical’ approach. Let's explore together how Object Calisthenics can elevate the design of your tactical DDD patterns, offering concrete help for those venturing into DDD for the first time!
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...UiPathCommunity
💥 Speed, accuracy, and scaling – discover the superpowers of GenAI in action with UiPath Document Understanding and Communications Mining™:
See how to accelerate model training and optimize model performance with active learning
Learn about the latest enhancements to out-of-the-box document processing – with little to no training required
Get an exclusive demo of the new family of UiPath LLMs – GenAI models specialized for processing different types of documents and messages
This is a hands-on session specifically designed for automation developers and AI enthusiasts seeking to enhance their knowledge in leveraging the latest intelligent document processing capabilities offered by UiPath.
Speakers:
👨🏫 Andras Palfi, Senior Product Manager, UiPath
👩🏫 Lenka Dulovicova, Product Program Manager, UiPath
Essentials of Automations: Optimizing FME Workflows with ParametersSafe Software
Are you looking to streamline your workflows and boost your projects’ efficiency? Do you find yourself searching for ways to add flexibility and control over your FME workflows? If so, you’re in the right place.
Join us for an insightful dive into the world of FME parameters, a critical element in optimizing workflow efficiency. This webinar marks the beginning of our three-part “Essentials of Automation” series. This first webinar is designed to equip you with the knowledge and skills to utilize parameters effectively: enhancing the flexibility, maintainability, and user control of your FME projects.
Here’s what you’ll gain:
- Essentials of FME Parameters: Understand the pivotal role of parameters, including Reader/Writer, Transformer, User, and FME Flow categories. Discover how they are the key to unlocking automation and optimization within your workflows.
- Practical Applications in FME Form: Delve into key user parameter types including choice, connections, and file URLs. Allow users to control how a workflow runs, making your workflows more reusable. Learn to import values and deliver the best user experience for your workflows while enhancing accuracy.
- Optimization Strategies in FME Flow: Explore the creation and strategic deployment of parameters in FME Flow, including the use of deployment and geometry parameters, to maximize workflow efficiency.
- Pro Tips for Success: Gain insights on parameterizing connections and leveraging new features like Conditional Visibility for clarity and simplicity.
We’ll wrap up with a glimpse into future webinars, followed by a Q&A session to address your specific questions surrounding this topic.
Don’t miss this opportunity to elevate your FME expertise and drive your projects to new heights of efficiency.
Securing your Kubernetes cluster_ a step-by-step guide to success !KatiaHIMEUR1
Today, after several years of existence, an extremely active community and an ultra-dynamic ecosystem, Kubernetes has established itself as the de facto standard in container orchestration. Thanks to a wide range of managed services, it has never been so easy to set up a ready-to-use Kubernetes cluster.
However, this ease of use means that the subject of security in Kubernetes is often left for later, or even neglected. This exposes companies to significant risks.
In this talk, I'll show you step-by-step how to secure your Kubernetes cluster for greater peace of mind and reliability.
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...DanBrown980551
Do you want to learn how to model and simulate an electrical network from scratch in under an hour?
Then welcome to this PowSyBl workshop, hosted by Rte, the French Transmission System Operator (TSO)!
During the webinar, you will discover the PowSyBl ecosystem as well as handle and study an electrical network through an interactive Python notebook.
PowSyBl is an open source project hosted by LF Energy, which offers a comprehensive set of features for electrical grid modelling and simulation. Among other advanced features, PowSyBl provides:
- A fully editable and extendable library for grid component modelling;
- Visualization tools to display your network;
- Grid simulation tools, such as power flows, security analyses (with or without remedial actions) and sensitivity analyses;
The framework is mostly written in Java, with a Python binding so that Python developers can access PowSyBl functionalities as well.
What you will learn during the webinar:
- For beginners: discover PowSyBl's functionalities through a quick general presentation and the notebook, without needing any expert coding skills;
- For advanced developers: master the skills to efficiently apply PowSyBl functionalities to your real-world scenarios.
State of ICS and IoT Cyber Threat Landscape Report 2024 previewPrayukth K V
The IoT and OT threat landscape report has been prepared by the Threat Research Team at Sectrio using data from Sectrio, cyber threat intelligence farming facilities spread across over 85 cities around the world. In addition, Sectrio also runs AI-based advanced threat and payload engagement facilities that serve as sinks to attract and engage sophisticated threat actors, and newer malware including new variants and latent threats that are at an earlier stage of development.
The latest edition of the OT/ICS and IoT security Threat Landscape Report 2024 also covers:
State of global ICS asset and network exposure
Sectoral targets and attacks as well as the cost of ransom
Global APT activity, AI usage, actor and tactic profiles, and implications
Rise in volumes of AI-powered cyberattacks
Major cyber events in 2024
Malware and malicious payload trends
Cyberattack types and targets
Vulnerability exploit attempts on CVEs
Attacks on counties – USA
Expansion of bot farms – how, where, and why
In-depth analysis of the cyber threat landscape across North America, South America, Europe, APAC, and the Middle East
Why are attacks on smart factories rising?
Cyber risk predictions
Axis of attacks – Europe
Systemic attacks in the Middle East
Download the full report from here:
https://sectrio.com/resources/ot-threat-landscape-reports/sectrio-releases-ot-ics-and-iot-security-threat-landscape-report-2024/
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024Albert Hoitingh
In this session I delve into the encryption technology used in Microsoft 365 and Microsoft Purview. Including the concepts of Customer Key and Double Key Encryption.
JMeter webinar - integration with InfluxDB and GrafanaRTTS
Watch this recorded webinar about real-time monitoring of application performance. See how to integrate Apache JMeter, the open-source leader in performance testing, with InfluxDB, the open-source time-series database, and Grafana, the open-source analytics and visualization application.
In this webinar, we will review the benefits of leveraging InfluxDB and Grafana when executing load tests and demonstrate how these tools are used to visualize performance metrics.
Length: 30 minutes
Session Overview
-------------------------------------------
During this webinar, we will cover the following topics while demonstrating the integrations of JMeter, InfluxDB and Grafana:
- What out-of-the-box solutions are available for real-time monitoring JMeter tests?
- What are the benefits of integrating InfluxDB and Grafana into the load testing stack?
- Which features are provided by Grafana?
- Demonstration of InfluxDB and Grafana using a practice web application
To view the webinar recording, go to:
https://www.rttsweb.com/jmeter-integration-webinar
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024Tobias Schneck
As AI technology is pushing into IT I was wondering myself, as an “infrastructure container kubernetes guy”, how get this fancy AI technology get managed from an infrastructure operational view? Is it possible to apply our lovely cloud native principals as well? What benefit’s both technologies could bring to each other?
Let me take this questions and provide you a short journey through existing deployment models and use cases for AI software. On practical examples, we discuss what cloud/on-premise strategy we may need for applying it to our own infrastructure to get it to work from an enterprise perspective. I want to give an overview about infrastructure requirements and technologies, what could be beneficial or limiting your AI use cases in an enterprise environment. An interactive Demo will give you some insides, what approaches I got already working for real.
Generating a custom Ruby SDK for your web service or Rails API using Smithyg2nightmarescribd
Have you ever wanted a Ruby client API to communicate with your web service? Smithy is a protocol-agnostic language for defining services and SDKs. Smithy Ruby is an implementation of Smithy that generates a Ruby SDK using a Smithy model. In this talk, we will explore Smithy and Smithy Ruby to learn how to generate custom feature-rich SDKs that can communicate with any web service, such as a Rails JSON API.
The Art of the Pitch: WordPress Relationships and SalesLaura Byrne
Clients don’t know what they don’t know. What web solutions are right for them? How does WordPress come into the picture? How do you make sure you understand scope and timeline? What do you do if sometime changes?
All these questions and more will be explored as we talk about matching clients’ needs with what your agency offers without pulling teeth or pulling your hair out. Practical tips, and strategies for successful relationship building that leads to closing the deal.
The Art of the Pitch: WordPress Relationships and Sales
Mobile Security - Hakin9 Magazine
1.
2.
3.
4. 04/2011 (40)
PRACTICAL PROTECTION IT SECURITY MAGAZINE
Dear Readers,
The incredible technology progress allows us to use our
mobile devices for almost every aspect of our lifes. We
use cell phones to buy tickets, to make wire transfers, visit
team
facebook and much more. Practically speaking, our devices
are full of personal information that can be accessed by a
Editor in Chief: Karolina Lesińska hacker with little effort.
karolina.lesinska@hakin9.org
How to defend against emerging threats that target mobile
devices, mobile services, and mobile content? Should we be
Editorial Advisory Board: Matt Jonkman, Rebecca Wynn,
Steve Lape, Shyaam Sundhar, Donald Iverson, Michael Munt concerned with the security of cell phones, smartphones, and
other mobile devices?
DTP: Ireneusz Pogroszewski
Art Director: Ireneusz Pogroszewski In this issue we are exploring the field of mobile
ireneusz.pogroszewski@software.com.pl security. Our experts share their knowledge on cell phone /
Proofreaders: Justin Farmer, Michael Munt smartphone threats and security.
Our ID fraud expert talks about mobile malware trends
Top Betatesters: Rebecca Wynn, Bob Folden, Shayne Cardwell, and analyses the threats it brings. Rebecca Wynn prepared
Simon Carollo, Graham Hili.
a great article on smartphones security and privacy in
Special Thanks to the Beta testers and Proofreaders who helped terms of being a part of Personal Area Network. Our regular
us with this issue. Without their assistance there would not be a contributor, Gary Miliefsky give us an overview on defending
Hakin9 magazine.
cell phones and PDA’s ans explains why it is risky to allow
Senior Consultant/Publisher: Paweł Marciniak
mobile devices access corporate networks with sensitive
CEO: Ewa Dudzic information.
ewa.dudzic@software.com.pl
I am sure this issue will make you to take a closer look at
your mobile device security.
Production Director: Andrzej Kuca
andrzej.kuca@hakin9.org
As always, we look forward to hear from you!
Marketing Director: Karolina Lesińska
Enjoy your reading
karolina.lesinska@hakin9.org Karolina Lesińska
Subscription: Iwona Brzezik
Email: iwona.brzezik@software.com.pl
Publisher: Software Press Sp. z o.o. SK
02-682 Warszawa, ul. Bokserska 1
Phone: 1 917 338 3631
REGULARS
www.hakin9.org/en
6 in Brief
Whilst every effort has been made to ensure the high quality of
Latest News From the IT Security World
the magazine, the editors make no warranty, express or implied, Armando Romeo, eLearnSecurity
concerning the results of content usage.
All trade marks presented in the magazine were used only for
ID Theft Protect
informative purposes.
8 Tools
All rights to trade marks presented in the magazine are Passware Forensic Kit 10.3
reserved by the companies which own them.
To create graphs and diagrams we used program by Michael Munt
by
Spyshelter
The editors use automatic system by Graham Hili
Mathematical formulas created by Design Science MathType™
42 ID fraud expert says...
DISCLAIMER! Mobile Malware Trends and Analysis
The techniques described in our articles may only by Julian Evans
be used in private, local networks. The editors
hold no responsibility for misuse of the presented
techniques or consequent data loss. 46 Emerging Threats
Why are Zero-Days Such a Big Deal?
by Matthew Jonkman
4 04/2011
5. CONTENTS
BASICS
10 How to use Netcat
by Mohsen Mostafa Jokar
Netcat is a network utillity for reading and writing network connections that
support TCP and UDP protocol. Netcat is a Trojan that opens TCP or UDP
ports on a target system and hackers use it with telnet to gain shell access
to the target system.
14 Security – Objectives, Process and Tips
by Rahul Kumar Gupta
In a world where business is moving towards e-commerce and happening
over the Internet, B2B, B2C, and C2C applications have always been an
area of major security concern due to the pitfalls of HTTP security and the
number of integration points.
ATTACK
22 The Backroom Message That’s Stolen Your Deal
by Yury Chemerkin
Do you want to learn more about bigwig? Is someone keeping secrets from
you? Need to silently record text messages, GPS locations and call info
of your child or employee? Catch everybody at whatever you like with our
unique service.
DEFENSE
28 Smart phones Security and Privacy
by Rebecca Wynn
All the threats that attack your enterprise computer centers and personal
computer systems are quickly encompassing mobile devices. Smart
phones are part of your Personal Area Network (PAN) and the user needs
to remember that everything that is done on them, data saved in them,
communications that touch them in anyway (voice, SMS, email) should be
viewed as public and not private.
32 Defending Cell Phones and PDA’s
by Gary S. Miliefsky
We’re at the very early stages of Cell Phone and PDA exploitation through
‘trusted’ application downloads, Bluetooth attacks and social engineering.
With so many corporations allowing these devices on their networks or not
knowing how to block their gaining access to corporate and government
network resources, it’s a very high risk situation.
SPECIAL REPORT
36 My RSA Conference 2011 Trip Report
by Gary S. Miliefsky
Annual Trek to the Greatest INFOSEC Show on Earth. What’s New and
Exciting Under the Big Top of Network Security.
www.hakin9.org/en 5
6. In brief
agencies, there is one project that is yet to be uncovered.
Security �rm RSA Security Breached This project is about creating personas management
RSA Security is one of the biggest players in the software to be used on social networks.
enterprise security landscape, featuring advanced Personas, according to a June 2010 USAF, project
authentication, access control and data loss prevention have to be replete with background, history, supporting
products. The hype about the breach occurred to the details, and cyber presences that are technically,
company spread to almost every security news website. culturally and geographically consistent. Although the
Company’s CEO announced, in a urgent message, intelligence project is not new, the leaked emails reveal
that the breach is to be considered an APT – advanced that Aaron Barr and other government contractors bid on
persistent threat. a USAF, U.S. Air force, project to build such software.
The last time we heard about this term was during the The final goal of the software is not revealed in the
days of Aurora exploit where Fortune 50 US companies, emails. Nor is possible to determine whether HBGary
including Google, suffered data loss due to a targeted actually won the contract.
attack from chinese IP addresses. Regardless the use According to USCENTCOM, the project is used to
and abuse of the term, this is a targeted breach for counter extremist ideology and propaganda, and to
which there’s still not much information. ensure that credible voices in the region are heard.
The fact that this term is being used again, might refer Regions being areas of the world where the highest
to similarities in the way the breach has been conducted: concentration of violent extremists and enemies are
a long term infiltration through custom malware built to present.
steal specific internal projects documents. According to Anonymous group it is also possible to
As for now, there’s no information available in regards to use this type of software to shift public opinion or bring
the type of technique used. Nor is known the threat posed good or bad reputation to companies/government.
to the customer of the SecurID two-factor authentication Basically a way to create multiple zombies with a
technology. Customers are financial institutions, banks consistent and proved background, to influence actual
and enterprises from all over the world. humans through social networks. Anonymous group
SecurID is a tehcnology used by 40 million people has promised to dive into this topic to find out who is
worldwide, to generate one time passwords by means involved and for which goals.
of tokens. These passwords are tied to common login
credentials assigned to the person, making it a two- Source: Armando Romeo,
factor authentication. SecurID is the project that seems www.elearnsecurity.com
to have suffered the most leaked documentation. RSA
is still working with authorities to trace back the attack Rustock Botnet Taken Offline by Microsoft
and is already in contact with main and most affected Rustock is one of the oldest and most annoying botnets
customers, namely banks, to mitigate the exposure. living on the internet. It is accounted for billions of spam
emails sent every day from roughly a million of infected
Source: Armando Romeo, PC’s worldwide. Or actually we should say It was.
www.elearnsecurity.com Wednesday March 16th, a federal judge gave green
light to law enforcement agents to seize computers
Social Media Zombies: Hbgary, Usaf And being part of the command and control for the botnet,
The Government thus decapitating the entire botnet all at once. The same
HBGary ownage has probably been the most prominent day, graphical stats of the Rustock throughput shown
example of complete take over carried out by hackers in the death of the botnet at around 2pm, with the total flow
the internet history. Not just for the data leakage in itself, of spam email falling from 70% to 0%.
but for the type of highly confidential and embarrassing In fact, with Rustock accounted for 50 to 70% of the
data uncovered that caused the resignation of the CEO, overall spam on the Internet, we are in front of the
Aaron Barr and an unrecoverable bad reputation for the most giant effort against a botnet ever. Microsoft had
whole company. launched a civil lawsuit against the John Does behind
Unless you have been in North pole without internet in the botnet, because spam email affected Hotmail
the past couple of months, you’ve already heard of how servers and impacted the user experience of their client
the Anonymous group, the group of hacker defending software, including Office and Windows. Botnet indeed
the Wiki Leaks cause, had infiltrated HBGary’s CEO exploited vulnerabilities into Microsoft products to
email and posted most of his conversation on the grow. Moreover, Microsoft claimed that the botnet was
internet (among the other things). violating the corporation trademarks through phishing
In the number of embarrassing relationships and emails fraudulently inviting users in lotteries being
secret projects between HBGary and US government sponsored by Microsoft.
6 04/2011
7. In brief
Thanks to this, Microsoft lawsuit and the cooperation The security flaw could cause a crash or allow a
between companies such as FireEye and the authorities, hacker to take control of an infected system. It appears
hard drives, network equipment and computers have that the attack is limited to some organizations rather
been seized: this was critical for the overall success than a universal threat. The Flash, Reader and Acrobat
since the million bots spread all over the internet were updates will be released next week. Reader X will be
coded to accept commands from specific PC’s only, the patched on the scheduled update on June 14th. Note:
C&C PC’s, and not from specific IP addresses. Due to Reader X for Windows contains a sandbox which should
this, Microsoft executives claimed that the operation go some way to stopping malicious files from writing/
was 100% successful and that they are monitoring any spreading to an operating system.
counter move of the creators.
Source: ID Theft Protect
Source: Armando Romeo,
www.elearnsecurity.com Social network malvertising on the rise
A recent security report has highlighted a significant rise
Microsoft MPE Privilege Flaw Identi�ed in the number of malware and malvertising attacks on
Microsoft’s Malware Protection Engine has been social networks. After three months of browsing on social
patched as Argeniss security expert identifies an networks it is claimed that a user has a 95% chance of
elevation of privilege vulnerability in which an attacker landing on an infected page. Dasient recorded that more
who already had administrative access to a Windows than one million websites were infected with malware in
operated system. Websites that allow users to upload Q4, 2010.
web pages are more at risk of this threat. Malicious advertising (otherwise known as malvertising)
Microsoft was worried enough by this flaw to actually on search engines and websites has more than doubled
develop and release a patch as part of its Windows from 1.5 million to 3 million from Q3 to Q4 2010. Ad
Update. Microsoft did say it hasn’t seen anyone take networks are major culprits for delivering this malicious
advantage of the bug yet, the flaw was reported to the payload. Social networks though will continue to be
company by security researcher Cesar Cerrudo, but targeted by malvertising ads as hackers look to test drive
Microsoft thinks that hackers could develop code that their techniques to push users to infected web pages.
reliably exploits the issue.
Source: ID Theft Protect
Source: ID Theft Protect
Identity theft is top concern for US citizens
Virus Hits London Stock Exchange (LSE) The latest US Federal Trade Commission (FTC) consumer
The London Stock Exchange website was attacked by complaints report shows that identity theft is a top concern
malware hidden inside an advert on February 28th. The for US consumers. Identity theft has been the number
Stock Exchange also had a technology problem on the one concern for US consumers for the last 11 years with
same day, which meant it was unable to trade and had the agency receiving more than one million complaints
to deal with an unexpected security problem. The advert in 2010 of which 19% were related to complaints about
was infected with hidden malicious code which when a identity theft.
user clicked on it would have installed malware onto
their computers. Source: ID Theft Protect
Google Safe Browsing showed a warning when
visiting the londonstockexchange.com website. Google South Korean websites hacked
did remove the warning once the malicious content had Hackers have attacked around 40 South Korean
been removed. government and private websites. Targets include
websites at the presidential office, the foreign ministry,
Source: ID Theft Protect the national intelligence services and some major
financial institutions, according to US reports.
Adobe Flash Zero-Day Flaw Identi�ed Government officials have warned of a substantial
March 14th, Adobe confirmed that there is an un- threat to the country’s computers, with the National Cyber
patched bug in Adobe Flash Player using Microsoft Security Centre reporting signs of a denial-of-service
Excel documents. Hackers are embedding malicious attack. During a computer system check on Thursday,
Flash files within Microsoft Excel documents and then South Korean IT security firm AhnLab found malicious
sending the document as an attachment on an email. software which was designed to attack websites.
Adobe though, has confirmed that these attacks are not
targeting reader or Acrobat users. Source: ID Theft Protect
www.hakin9.org/en 7
8. REVIEW
Passware Forensic Kit 10.3
H
aving reviewed Passware products in the
URL: http://www.lostpassword.com/kit-forensic.htm
past, I was rather pleased to be offered the
Cost: $795
opportunity to test their latest release of the Annual Subscription after first year $295
Forensic Kit. 10 Passware Kit Agents $295
Now one of the most important update that they have 20 Passware Kit Agents $495
made to the Forensic Kit (in my opinion) is the option 100 Passware Kit Agents $1,195
to use distributed password recovery. Included with 500 Passware Kit Agents $2,395
the Forensic Kit are 5 extra Agents, this means that
you can install the Agent onto 5 machines and then
utilise these extra machines to aid you in the recovery Even hard drives protected by Bitlocker and external
of the password and your not just limited to these 5, as drives with Bitlocker to go can be decrypted and
you can see from the list above you can have upto 500 recovered, and now Passware have also included this
agents running. facility for Truecrypt. You are able to decrypt mounted
Each Agent that is running has full support for multiple containers and find the passwords for unmounted
CPUs, GPUs, and TACC accelerators simultaneously. drives.
But Passware have really excelled themselves in the With all these new features you would expect that
area of password recovery, now you are able to add in something else would have been removed but Passware
the power of Amazon Cloud computing whenever you have left nothing out at all, you can still scan the whole
need to. Passware are the first commercial application of your hard drive to identify all the files that have some
to offer this facility to its users and boy do you see the sort of protection on them and be given the details on
difference when your using it. From the moment it what sort of decryption routine would be required (many
connects you can see the amount of passwords that of them are instant).
are being tried rapidly start to increase, and from my You still have the facility to create a bootable cd
calculation it is roughly 10 times faster than if you were which will allow you to reset Administrators passwords
trying to recovery a password without it. on Windows systems. You still have the USB version
With over 180 different file types, not to mention available to you so you wont need to install the
being able to reset Windows 7 Administrator passwords application to your machines, just run it from a USB
many of which can be recovered or reset instantly there stick.
should never be an instance where you are unable to Finally and no means least there is a new option to
find the password in question. take an image of a machines memory via the Firewire
Memory Imager which you can then work on “offline”.
For the last 12 years Passware has constantly pushed
the envelope in password recovery and now having
over 30 tools incorporated within one easy solution, the
Forensic Kit will cover all your needs. It’s simple and
easy to use layout makes using this tool an absolute
breeze and a pleasure to use.
This is one tool that will always remain in my toolbox
and something I am more than happy to recommend to
others.
MICHAEL MUNT
8 04/2011
9. review
SpyShelter Application Review
S
pyShelter is an anit-keylogger application
on steroids. The software is very easy to
download from the website. After downloading,
installation is also fast and easy. During installation
SpyShelter provides the user with a choice regarding
what type of security level they want the software to
be installed. There are two choices a high and a lower
security level. Apart from this the installation requires
minimum user interaction and is fast to install the
application.
Once the software is installed on the machine a reboot
a reboot will be required. After reboot the software will
start up immediately. The first time the application starts
it asks the users for a valid username and registration
code. Once this information is entered the software will
be registered and full use is available. There is also a
time limited version which non registered users can use
to try the software.
Once the software is correctly installed on the local
machine, it starts monitoring the applications for any
malicious activity and for any key logger in particular.
When I installed the application for the first time I to be acting as some king of key logger. Here also
installed it in high level security mode. In this mode you will have the ability to add new rules for genuine
although it is the most safe to capture any malicious applications. The next tab is a Log view, this gives all
activity it also produces a lot of false positives when the events in a log format. The settings tab is further
profiling the applications. At this stage it depends really sub divided into 3 tabs. The General and Security tabs
what type of user you are. If you are a power user and offer the user to change language, and other features
you know exactly what your computer should be doing that can be found in security software such as right to
I would leave it on a high security setting. If you are deactivate application. The 3rd tab is very interesting
installing this for a user which is not very computer it provides a list of monitored system calls, and
literate I would level it on the lower level of security as basically we can specify the system level calls to look
this produces lower false positives. in applications. This is a very interesting feature in the
Once SpyShelter is installed on a system it will start software. The last tab is a general about screen.
automatically with every boot up. The application User Apart from key logging the application also can
Interface is clean and very simplistic. The application is protect from automatic screen captures and other
very gentle on the system resources and it uses limited intrusive mechanisms such as clipboard Capturing.
memory and processing power. As a comment i say the software does what it says on
The application can be accessed directly from the the box. It is a handy application to have on a machine
windows tool bar. Open the application windows as some extra layer of security. Compared to other
provide the user with a simple interface to setup the anti key loggers that come with other application it is
application. The graphical user interface consists of compare pretty was and even exceed them due to the
five screens which are divided out in Tab Panels. add functionality.
The General tab gives an overview of the software
information such as current processes scanned,
protection status and also the total of blocked
application. The second tab Is the protection tab here
the user can select or deselect what features of the
application. The third tab is a Black/White List here
you will have a list of applications that were found GRAHAM HILI
www.hakin9.org/en 9
10. BASICS
How to use Netcat
Netcat is a network utillity for reading and writing network
connections that support TCP and UDP protocol. Netcat is
a Trojan that opens TCP or UDP ports on a target system
and hackers use it with telnet to gain shell access to the
target system.
What you will learn… What you should know…
• You can use netcat for scan IP address • basic knowledge about TCP/IP and UDP protocol
• You can use Netcat for simple banner grabbing
• You can use netcat for an IRC messanger
N
etcat was originally released in 1996 and is • Full DNS forward/reverse checking, with ap-
often referred to as a Swiss Army knife utility, propriate warnings
and I must say for good reason. Netcat can • Ability to use any local source port
be used for port scanning, transferring files, grabbing • Ability to use any locally-configured network source
banners, port listening and redirection, and a backdoor. address
Netcat is a version of cat program, just as cat reads • Built-in port-scanning capabilities, with randomizer
and writes information to files, Netcat reads and writes • Built-in loose source-routing capability
information across network connections. Netcat was • Can read command line arguments from standard
originally coded for UNIX, but can be run on many input
operation systems. In 2006, www.insecure.org (Nmap • Slow-send mode, one line every N seconds
hacker) detected Netcat as the second strongest • Hex dump of transmitted and received data
network utillity and in 2003 and 2006 it gained fourth • Optional ability to let another program service
place. Some of Netcat features are: established connections
• Optional telnet-options responder
• Outbound or inbound connections, TCP or UDP, to
or from any ports
Figure 1. Application Management Figure 2. Set application’s permission
10 04/2011
11. How to use Netcat
To download Netcat go to Netcat.sourceforge.net or http:// name and address lookup for the specified host (see
nc110.sourceforge.net/. After downloading Netcat, to Figure 6 and 7). To specify a special port use -p port as
confirm that Netcat installed correctly, type nc –h or Netcat you can see below:
–h to display the help screen.
There are some differences between GNU/Linux and nc –l –p 12345
Windows versions. For example, the Lin- Windows version
show a persistent listening mode and in Linux version this In the above example Netcat is running in server
parameter is used for tunneling mode. Also, the Linux mode and listening to connections on port 12345. To
version includes –V that displays version information and specify more than one port for Netcat you can use a
in Windows this parameter does not exist. comma for seperate or even use range of port and
In this article we will explore a very useful useful common port names. Netcat can also scan ports in
command that you will need most. These options for client mode that the –p option is not necessary. If you
GNULinux version and Windows are the same. specify a range of ports, Netcat starts at the top and
For putting Netcat into server or listening mode use nc goes to the bottom. For example, if you ask Netcat to
–l command and nc Alone run Netcat in client mode. For scan ports 10–30, it will start at 30 and go backwards
close at end of file (EOF) from standard input (stdin) use to10.
-c option and this option is only available in Linux. To run To scan random ports use the –r option. For spoofing
Netcat at the background use -d option. the location you can use –s option to change the source
One of the most powerful commands is –e prog.This address of a packet. You can use Netcat as a telnet
option, available only in server mode, helps you to run server. In order to configure Netcat to answer Telnet
the specific program when a client connects to it. Please use the server-specific –t command. By defult Netcat
see flowing commands: use TCP, for UDP configured use the –u switch. Since
UDP is a connectionless protocol, it is recommended
nc –l –p 12345 –e cmd.exe (Windows) that you use timeouts with this option.
nc –l –p 12345 –e /bin/bash (Linux)
Both commands are similar,but on different systems. The
first command executes Netcat in server mode on port
12345 and execute cmd.exe, the second command works
similarly to the first command, but executes a bash shell in
Linux. To test this option start Netcat in server mode (see Figure 3. Firewall Management
Figure 3). Then open a second window and run Netcat in
client mode (see Figure 4). Now press enter. You will see
Microsoft banner information and a new command prompt.
It may seem a bit obscure but don’t worry, you’re running
a command prompt through Netcat. Ok, type Exit and you
will see that the Netcat server closes in the first window. Figure 4. Exception’s of black list
To start Netcat in server mode on a Linux box type nc –
l –p 12345 –e /bin/bash. Now open a command prompt in
Windows and start Netcat in client mode (see Figure 5).
To configure Netcat to use source routing, use -g or -
G option, but note that most routers block source-routed
packets, so this option is slightly obsolete. As I said Figure 5. Adding new exception
earlier, for display help use -h switch. Use the –i option
to set a delay, this option may be useful for scanning
ports with rate limiting. To place Netcat in listening
mode or server mode use the –l option. By defult Netcat
is a single-use program and when connection is closed
– Netcat closes. –l option reopens Netcat with the same Figure 6. Adding new exception
command line after the original connection is closed:
nc –l –p 12345 –e cmd.exe -L
Use the –n option to allow numeric-only IP addresses,
without –n, Netcat will display forward and reverse Figure 7. Adding new exception
www.hakin9.org/en 11
12. BASICS
Using Netcat as Simple Chat Interface nc –l –p 12345 < textfile
As I have mentioned before, Netcat is a networking program
designed to read and write data across connections. The In the above example, Netcat is started in server mode
easiest way to understand how Netcat works is to set up a on local port 12345 and is offering textfile. A client
server and client. In one terminal window, start the server: who connects to this server is pulling the file from the
server, and will receive textfile:
nc –l –p 12345
nc 192.168.1.4 12345 > textfile
In a second window, connect to the server with the
client: Netcat can also be used to push files. Please see the
example below:
nc localhost 12345
start Netcat in server mode: nc –l –p 12345 > textfile
when you enter a text in one of the windows and press push the file by starting Netcat in client mode:
enter, your text is sent to another window (see Figure 8). nc 192.168.1.4 12345 < textfile
Port Scanning with Netcat Banner Grabbing
For port scanning with Netcat use the following syntax: Finally, one of the main Netcat features is banner
grabbing. Banner grabbing is a technique to determine
nc –[options] hostname [ports] the brand, version, operating system and service or
application. Use the syntax below:
As we said, you scan use range, commas and name of
port for scanning. Below we show you some examples: nc -v IP port
nc –v 192.168.1.4 21, 80, 443 Listing 1. Message Syntax
nc –v 192.168.1.4 1-200
nc –v 192.168.1.4 http HELO host.example.com
MAIL FROM:<test@host.example.com>
Transferring Files with Netcat RCPT TO:<bob@example.com>
One application of Netcat is transferring files. Netcat DATA
can pull and push files. See the below example for From: [Alice] <alice@geek.com>
better understanding: To: <bob@example.com>
Date: Mon, 12 Apr 2010 14:21:26 -0400
Subject: Test Message
Hi there! This is supposed to be a real email...
Have a good day!
Alice
.
QUIT
Listing 2. Feed message to Netcat
Figure 8. Adding new exception
nc smtp.domain.com 25 < /tmp/message
220 myrelay.domain.com ESMTP
250 myrelay.domain.com
250 sender <alice@hacker.com> ok
250 recipient <bob@secure.net> ok
354 go ahead
250 ok: Message 222220902 accepted
221 myrelay.domain.com
#
Figure 9. Adding new exception
12 04/2011
13. Table 1. Netcat option for port scanning
Option Description
–i secs Delay interval for each port scanned
–r Randomize source and destination ports
–u UDP mode
–v Verbose
–z Zero-I/O mode (doesn’t make a full connection)
Target Target IP/Host
Port-range Port number or range to scan
References:
Netcat Power Tools
Hackers Beware – Defending Your Network From The Wiley
Hacker
Netcat Hacker Manual A Handy Pocket Guide for Your Cat
en.wikipedia.org/wiki/Netcat
http://nc110.sourceforge.net/
when you press enter, after few seconds you will see
some information about your IP address and port
number, then write HEAD / HTTP/1.0 and hit enter. Now
you can see some information about your victim.
Send an email with Netcat
Please make a text file and write your message like
this: see Listing 1. Now feed this text file to the Netcat
program as follows: see Listing 2. Your email has been
sent.
Using Netcat as a Port Scanner
We can say that Netcat is not the most powerful port-
scanning tool and Nmap can be better for this, but
Netcat can handle the task. In the table below you can
see port scanning: see Table 1.
You can use the following syntax:
nc -v -z target port-range
Connect to an IRC server with Netcat
You can use Netcat to connect to IRC network. It is very
easy and you only need to create a batch file. Create a
batch file and write the following command in it:
@echo off
echo Connecting you to IRC irc.2600.net
nc -v 208.111.35.75 6667
USER Nc
Nick YourNickHere
MOHSEN MOSTAFA JOKAR
www.hakin9.org/en
14. BASICS
Security – Objectives,
Process and Tips
In a world where business is moving towards e-commerce
and happening over the Internet, B2B, B2C, and C2C
applications have always been an area of major security
concern due to the pitfalls of HTTP security and the
number of integration points.
What you will learn… What you should know…
• Importance of security • Basic understanding of project development Life Cycle.
• Mapping of Security with SDLC. • Basic understanding of web application development.
• Do’s and Don’ts for improving and implementing Security
Requirements.
S
ecurity is a problem not just for business over there are other security threats which need to be taken
the web; it primarily covers applications that care of. Before we start discussing further, we should
are hosted on Internet, Extranet, Intranet and understand what is SECURITY?
Desktop applications. By definition Security is the ability to avoid being harmed
There are a few standard techniques, like using by any risk, danger or threat
the HTTPS protocol, RSA security, etc., that we can
use. However, security is not just limited to encrypting Therefore the question is: is it really possible to
data, providing a secure login process, or putting web develop a system which is foolproof and will remain so
applications behind a firewall. In addition to these, in the future? The answer is IMPOSSIBLE. Actually, a
100% secure system is unusable, and the requirement
�� here is contradictory in nature. Therefore what should
� ��
����� ��
��� �� we do? What approach should we follow?
��� ���
• Should we let the system be as it is and
���
vulnerable.
�
�����
���
• OR make our system at least secured against
�����
known risks and threats and on regular basis keep
���
monitoring the system and upgrading it to make it
��������
secured against newly indentified threats or risks.
���
��
Undoubtedly, the second approach is better and
��
����
��
more feasible. Security is a domain and there are
�
�����
many areas within the security domain itself and it is
��
��
��
practically impossible to cover everything in just a few
�� pages. This article identifies the security objectives,
�� �
�� ��
�� ��� process, useful tips, and a set of strategies that could
��� ��
�� �� be used to make web applications more secured.
Figure 1. Security’s relationship with other Architectural The primary audiences for this article are developers
Parameters and architects, hence the objective of this article is
14 04/2011
15. Security – Objectives, Process and Tips
to provide a head start for the security process and breakdown of system consequent to security issues
techniques. Subsequently, professionals can later may directly or indirectly lead to:
explore in more detail other approaches.
• Loss of business data.
Security Objectives – The known facts • Loss of customer’s personal data.
• Loss of financial data
• The cost of recovering from even a single data • Loss of employee’s data
breach now averages $6.3 million up 31 percent • Loss of intellectual properties etc.
since 2006 and nearly 90 percent since 2005. • Monetary losses.
(Source: Assessing Application Vulnerabilities. A • Loss in existing Business.
360 Degree Approach Dr. Brian Chess Founder • Loss of new business opportunity
and Chief Scientist Fortify) • Loss of credibility.
• 92 percent of exploitable vulnerabilities are • Losing competitive edge over the competitor.
in software (Source The National Institute for
Standards and Technology (NIST)) The success of e-commerce/m-commerce solely depends
• The Web 2.0 characteristics that enable creativity, on support for secure financial transactions. Therefore the
productivity and collaboration also make the Web objectives of security should have EFFECTIVE security
2.0 ecosystem prone to successful attacks and implementation for systems so that business can be
theft. (Source: John Pescatore, Joseph Feiman, done more freely which directly or indirectly results in
Security Features Should Be Built Into Web 2.0 more business and improved credibility. There is an nice
Applications, March 5, 2008, The Gartner Group.) article written on Estimating Benefits from Investing in
Secure Software Development and it’s an good read
Business applications contain lot of confidential at the following – https://buildsecurityin.us-cert.gov/bsi/
data and processes, which include personal and articles/knowledge/business/267-BSI.html. To achieve
confidential data provided by customers and business this in today’s scenarios, the security should be a non
houses. Business applications perform numerous negotiable NFR and mandatory to implement. Security
transactions 24*7 and any kind of security breach or implementation results in an impact in the following terms:
������ ��������
������ �������� �������� ������
����� ������������ � ������ ���������
������������ ������
������
������� �������� ���������
������ �������� �������� �������� �������� �������� ��������
������� ���� ������������ �� ���� ���� ����������
�������� � ����
���
�� ����� ������� ���� �� ����� ������� ��������
�� ��
����� � ������ ����� � �������
�� ����� ����� �������� �� ������
�������� ���������� ������ ��
� ���������� ����� �
���������
�������� ��� ��������
���� ����
�������� ������� ������� ����� ����
Figure 2. Security Process
www.hakin9.org/en 15
16. BASICS
Table 1.
Phases Activities Tools or procedure Stakeholders (suggested)
Requirement Security Requirements Requirement Reviews, Identify Critical CIO, CTO, CISO, Solution Architect,
Gathering(Objectives ) and modules and con�guration identi�ed. Security Architect, Business
including User, Deployment Architect, QA
1. Compliance Requirements Manager, IT Manager, BA, Auditors
2. Risk Analysis.
3. Data and Application Archival &
retention policy
Architecture 1. Threat Modeling 1. Design Reviews Solution Architect, Security
& Design 2. De�ning Security Guidelines for 2. Prototyping – develop prototype to Architect, Deployment Architect,
Applications, Servers and network validate design QA Manager, IT Manager, BA,
which includes adoption of Industry Security Testers
Standard Compliance, Procedure for
Server hardening, Incident Handling
Policy, Wireless Policy, De�ning
Administrative entry points to
secure servers
3. De�ning Security benchmark for
Applications, Servers and network
De�ning Security Architecture
which includes, �rewall, VPN
Technology, Antivirus
4. De�ne Security Test Plan – Type
of test, their frequency and tools to
be used
Development 1. Threat Modeling 1. Identify Critical module, Security Architect, Development
2. Implementing Security Code con�guration and code. Manager, QA Manager, BA,
3. Implementing Security Guidelines 2. Integrating Static Analysis Testing Developer, Release Engineer,
4. Build Analysis Tools with CI and IDE” . Some of Security Testers
the static analysis tools are Fortify,
�ndbugs, Jdepend, classcycle,
Checkstyle, JCSC, JPro�ler
3. Code Reviews for Security Threats
Virus Scanning, Log reviews.
QA 1. Security test case creation 1. Execute the Security Test cases and Security Architect, Development
2. Security Testing – testing Security scripts Manager, Deployment Architect, IT
functionality with standard 2. Use Dynamic Analysis Tools like Manager, QA Manager, BA, Release
functional testing technique and SecurityQA Toolbar, Watcher, WebSecurify, Engineer, Security testers.
security tools. skip�sh, Spike Proxy, WebScan, Rational
3. Risk Analysis – Security testing AppScan, QualysGuard Web Application
based on attack patterns and threat Scanning, NeXpose,Cenzic’s Hailstorm,
models. ParosProxy, etc
Deployment Some of the activities are listed 1. Security Deployment Review, CTO, CISO, Solution Architect,
below which includes Security & compliance Security Architect, Business User,
1. Network Hardening Auditing, Implementing platform Deployment Architect, IT Manager,
2. Hardware hardening hardening strategies though platform QA Manager, Development
3. DB Hardening level checklist. Manager, Auditors, Developer,
4. Server and OS hardening (Web 2. Network device con�gurations Security tester
Server, Email Servers, DNS and like Usage of Firewalls, Log reviews
application's Service) . Use appropriate Tools, changing
5. Con�gure auditing for server. Administrative user and credentials,
6. Perform Security Test in etc.
production environment. Some of 3. Execute the Security Test cases and use
few Suggestion like Virus Scanning, Dynamic Security Testing tools specially
Network Scanning, Vulnerability port scanning, �rewall testing, VPN
Scanning war dialing, war driving, testing,, Scan and Access testing testing
integrity checks, etc. for Platform, OS, Web server & DB.
Maintenance 1. Security Deployment Review 1. Security Auditing, Log Review Security Architect, QA, Manager, IT
2. Updating Security Policies 2. Security Test case executions Manager, Development Manager,
3. Identifying New Security Threats, etc. BA, Developer, Security testers,
Release Engineer. On need basis –
CTO, CISO, Business User, Solution
Architect, Auditors
16 04/2011
17. Security – Objectives, Process and Tips
• Project Timelines and Costs – due to extended scope, for handling known threats is also known as Secure
new process & tools, increase in team size and software lifecycle professional (SSLP).
stakeholders.
• Architecture – security is inversely related to almost Table 1 summarizes the list of activities, procedure
all the architectural parameters like scalability, and stakeholders across the different phases of SDLC
performance, availability, flexibility, portability, perfor- with respect to security implementation. Security is a
mance, maintainability, usability and manageability continuous process (Figure 2). Just like other processes
(see Figure 1) it has a starting point and an end points, however it ends
only when the system is moved out of business.
Here the KEY is EFFECTIVE security implementation,
as there is cost associated with security imple-mentation, Risk Management versus Security
so we have to strike a right balance among them: Usually people interchangeably use risk management
and security words and think that they are same. Risk
• The level of security and type of Security that needs management deals with uncertain events and the
to be implemented (obviously without compromising modality to control them for smooth execution of the
security requirements and business) and cost project. Whereas security is an aspect where we make
required for the same. the system (which is result of Project mgmt) secured.
• Security and Architectural parameters e.g. we Few points worth mentioning about risk management
cannot have a system which is highly secure but its and security are given in following paragraph.
usability is low or vice-versa.
• Risk Management is a knowledge area which
Security process describes the process for risk identification, planning,
Security is largely an afterthought, normally we monitoring and controlling whereas security is a
think about the security in pre-deployment and post- domain and is a non functional requirement of the
development stage. This largely ignores the security project.
related issue that may be the part of the developed • Risk Management is for handling all types of Project
application. Enterprise Security primarily covers: Risk, which can be categorized as Organization
Physical, Network, Information, Application. Security risks (HR), Project Management, Risk (requirement,
implementation requirements can-not be achieved schedule, time, cost and quality), external risk
just by making application, as it also requires security (Political, weather) and technical risk (which covers
policies for: technological change risk, unrealistic requirements).
During RISK Mgmt we also plan and control for
• Client, server and network security. what happens if security requirements are not met.
• Physical security like installing tracking system, Security implementation denotes plugging all the
restricted access to server rooms, activity moni- open holes in the system either because of
toring systems, locking devices, etc technology or implementation or standards.
• Risk Management process spans across Planning,
As per CERT The number of vulnerabilities reported in Monitoring and controlling process excluding
major applications has increased at an average rate of execution. Whereas, the security execution phase
43% over the last 10 years. Application level security is one of the required phases as there are quite a
attacks are the primary technique used. Therefore, lot development related activities.
this article will be focusing on application security and
not the network, physical or information security. For In a nutshell, Risk Management is a process of plan-
effective security implementation: ning and controlling uncertain events or conditions that
can impact project and handling for smooth execution,
• We should treat security as the part of the application even after the project goes live; whereas security is
SDLC for successfully identifying and resolving all an aspect where we make applications secured. Risk
the security issues within an application. Mgmt plans and controls the security implementation
• We have to identify Security objectives, develop as one of the activity or tasks.
security guidelines, define security architecture,
identify all types of security threats, and perform Security Tips
security reviews and testing regularly. List of security tips described in this section should be
• All the stakeholders have to provide required followed to make secure web application. Although this
support at relevant time. Any stakeholder who is list is not comprehensive enough, but definitely a good
responsible for building software which is capable to start.
www.hakin9.org/en 17
18. BASICS
Web Application Security • Avoid using unsecured protocols, if not possible
to avoid, provide secured communication.
• Avoid or minimize the use of hidden form fields • Don’t used HTTP header information for making
especially for storing sensitive data like encrypted security decisions.
user- id or passwords, roles, payment information etc. • Restricted Access
• Do not use user input as it is to construct directory • Make sure that only required URL and Services
or file names and SQL queries. Also avoid passing are exposed with proper level of security.
this information as it is over the wire. • Ensure to provide only authorized access to the
• Always use fully qualified absolute path and system and application resources.
filename instead of relative paths. Given below is • Avoid putting everything in the web directory. By
one of the example this we, we restrict visitors to access our web
Wrong method resources (like data, files, configurations setting,
../../../<filename> etc) directly from browsers.
Suggested method • Remove sharing of files and folders from production
/examples/code/<filename> machines.
• Make sure the execution of files or programs which • Only required ports are opened. For example, if
have the capability to change the permission or FTP is not required on the Web Server, it should be
mode for other files should be restricted. closed.
• Do server side validations and do not rely only on • Make sure that directory listing is off. For example,
client side validation as it is very easy to bypass if somebody visits http://www.myexample.com/
client side validations. Make sure we remove examples/, in case default page is not available
unwanted characters, invisible characters and then directory listing should not be displayed.
HTML tags from user input and if required throw • Do not perform encryption logic on client side or in
back error(s) to the user. executables code (like applets, ActiveX controls,
• It is advisable to separate out the presentation etc) which gets downloaded at client side as it is
layer from business layer as this will provide quite possible that logic will get exposed to the
greater flexibility and allows better deployment of outer world.
security. • Avoid storing vital sensitive data like passwords,
• Do not write user credentials in code. roles etc in cookies or in file which are accessible
• Use the proper commenting mechanism. For to use for e.g. web directory.
example JSP developers put comment in HTML • Use POST instead of GET method and if possible
format rather than JSP format. before processing the request, always check
• Only validated request for URL redirect or forward at server side that if request method is not as
should be allowed. expected then we should throw error for e.g. we
• Proper Exception handling needs to be implemented created a form where a POST method request is
• It is advisable not to display application expected, but we are getting a GET request then
exceptions or error as it is. They should be we should throw an error.
wrapped within some user friendly messages. • Make sure we should not have MIXED-CONTENT
• Make sure that exceptions and errors are in HTML page i.e. we should not access any internal
properly handled, caught (for e.g. Nullpointer, resources with HTTP protocol if page is accessed
ArrayOutOfBound, DivideByError, etc.) and thrown or through HTTPS protocol as it will show Mixed
re-thrown as per the requirements. Again given Content Popup Window and also allows Active
below is a wrong example: hackers a chance. Given below is an example:
try { Wrong method
stmt1 <… src=http://www……>
stmt2 Suggested method
} catch (Exception t) { <…. src=//www…>.
} With this what will happen is that the protocol is
Stmt4 automatically attached to the URL based on the
• Secure Communication page protocol. i.e., if page is accessed with HTTP
• Make sure that the important and sensitive data protocol then internal resources will be accesed
is always in encrypted form. For example, make with HTTP protocol, similarly if page is accessed
use of SSL or IPSEC wherever necessary. Also, with HTTPS protocol then internal resources will be
it not advisable to transfer sensitive data using accessed with HTTPS protocol.
GET Protocol. • Proper Session Management Policies
18 04/2011
19. Security – Objectives, Process and Tips
• System should invalidate user session at logout solutions please refer to the following URL http://
and when time expires www.cert.org/advisories/CA-2000-02.html and http://
• We have to ensure that generate new session www.owasp.org/index.php/Cross-site_Scripting _
ID when users transitions from unauthenticated %28XSS%29
to authenticated. • Avoiding CSRF Attacks – stands for Cross Site
• Session ID should have enough randomness for Request Forgery. It compels a logged-on user’s
a period and it’s session life should be limited browser to send a request to a vulnerable web
• We should encrypt the cookie data and also application, which then performs the chosen action
unauthorized access to session data be avoided. assuming that the request is coming from a trusted
• Appropriate Logging and Auditing should be and authenticated user. It is also known as one
implemented and it should be secured. Also, make click attack or session riding. Read following URL
sure that sensitive data is not logged. Some of the for information http://www.owasp.org/index.php/
major things that we should log are: Cross-Site_Request_Forgery%28%29_Prevention_
• Startup and shutdown Cheat_Sheet
• Unsuccessful access attempt for resources (for • Avoiding Injection flaws – It allow attackers to
e.g. Denial of access resulting from excessive relay malicious code through a web application to
number of login attempts) another system by sending data to an interpreter
• Unauthorised access attempts. as part of a command or query. There are many
• User authentication. types of injection flows like SQL, OS commands,
• User role assignments. LDAP, XPath, XSLT, etc. Read following http://
• Permissions granted to users or groups. www.owasp.org/index.php/Injection_Flaws
• Actions by trusted users. • Support for P3P Headers – stands for Platform for
• Configuration changes. Privacy Preferences Project. It enables Web sites to
• Modifications to data (Sensitive, Public, Classified) express their privacy practices in a standard format
that can be retrieved automatically and interpreted
Also, ensure we log the date and time of each event, easily by user agent (a.k.a. browser). Policy
as well as the success or failure of major events. is delivered to the web page allowing the P3P
• Avoid using database administrator credentials enabled browser to make decisions by comparing
for connecting a Web application to database. this policy with the user’s stored preferences
Configure specific users and roles in the database before the page is displayed. The privacy policy
with required privileges and use them from web can be retrieved as an XML file or can be included,
application to connect to database. in compact form, in the HTTP header. Compact
• Make sure we encrypt all sensitive data in all types of policies are summarized P3P policies delivered
configuration files like xml, properties, csv files.Also we in the HTTP header that provide hints to user
have to ensure that the files are not in web directory. agents to enable the user agent to make quick,
• Make sure, if the application uses third party synchronous decisions about applying policy. For
products API’s, it should also be scanned from more information please read following links http://
security perspective. www.p3pwriter.com/, http://www.w3.org/P3P/
• Make sure only required and tested code goes in • We should follow government, industry and domain
production. For example, we should not push dynamic guidelines for e.g.
pages which were developed during development • PCI – credit card related guidelines.
time and subsequently they were no longer in use. • HIPPA – health care domain related guidelines.
• Make sure our system should be robust enough • GLBA – Financial Institution guidelines OWASP
against unwanted bots and crawlers. For this we (The Open Web Application Security Project)
should use robot.txt, captcha, Meta tags appropriately had releases their version of top security threats
• Avoiding XSS Attacks – stands for Cross Site in web application at http://www.owasp.org/
Scripting and it occurs when a web application index.php/Category:OWASP_Top _Ten_Project
gathers malicious data from a user. Here user and it is worth reading it.
does code injection into a vulnerable application in
order to gather data from them. It is a real threat for Database Security
authentication process, stealing user information, As no database product comes configured securely
changes setting and cookie values, etc. There are out of the box it is necessary to follow these steps to
three distinct types of XSS vulnerability (type 0, type prevent attacks from exploiting known vulnerabilities.
1 and type 2). CERT® Advisory had highlighted The checklist given in the subsequent paragraph is
threats with Malicious code and suggested some not comprehensive; the actual steps for hardening
www.hakin9.org/en 19
20. BASICS
a specific database platform may be more in-depth. Identifiable Information (PII), or otherwise sensitive
Please check the vendor specific security checklist for data should be protected from the Internet by a
more details and product specific security tips. These network firewall.
steps should be followed to secure a typical database • Administrative/DBA access should be limited to
server, but may not be appropriate in all cases. It is the fewer individuals as far as possible.
responsibility of the DBA associated with each platform • The data base for the web application should not
to ensure they understand the detailed tasks. be directly accessible from the public network from
where external user customer traffic arrives on.
• Make sure we do not save sensitive data like • Use complex names for database users. Use
Passwords, credit cards numbers in clear text complex passwords for these users.
format. All sensitive data should be encrypted. • Use IPSec or SSL to protect access to databases
• If possible, use the latest generation of database from other network servers.
server. • Auditing and logging is implemented, working and
• Install the latest vendor-provided patches for the also access to log file is secured. Also make sure
database. Be sure to include patches for database that sensitive information like passwords are not
support software that is not directly bundled with logged.
the database.
• Every server should be configured to only allow Other Security measures
trusted IP addresses and only those ports which
are required should be opened. • Virus scanning has to be performed on a regular
• Remove sample databases and database users. basis
• Create alternative administrative users for each • Implement Firewall effectively.
DBA, rather than allowing multiple individual users • Make sure unused ports in all servers are not
to regularly use the default administrative account. opened and regular auditing has to be done.
• Configure specific users and roles in the database • It is advisable to use industry standard cryptography
only with the privileges required and ensure that algorithm over homegrown algorithm.
access to the database is limited to the minimal • Security keys should be changed on regular basis
access necessary (at the level of Database, and also security keys have to be stored at a
tables, rows and columns). For example, reporting restricted location.
applications that just require read-only access • Regular backup should be taken.
should be appropriately limited. • Apply firmware and software patches or upgrades
• It is advisable that the database should require on regular basis.
authentication before returning any type of data. • When system migrates to production. Please do the
• Remove unwanted database stored procedures, following things
triggers. • Make sure we change all the credentials for
• Appropriate guidelines (HIPAA, Privacy Act, financial, users, roles
personnel, etc.) must be used for safeguarding the • Implementation of New IP Scheme(s), if required
sensitive data. • Creation/modification of DMZ(s), if required
• Whereever possible, isolate sensitive databases to • Router Configuration Changes,
their own servers. Databases containing Personally • Firewall Configuration Changes
������������
�������� ������
��
������������ �����
������ ��������
��
��
��
���
���
�
�������� ����� �����
��
��������
���
��
��
���������� ����������� �����
��
��
�
��
��
��
��
������
��������
��
��
����
�������
�� �� ����
������ ����
� �
Figure 3. Association of security across SDLC phases and span of security implementation across application layers
20 04/2011
21. Security – Objectives, Process and Tips
On the ‘Net
• http://www.w3.org/Security/Faq/www-security-faq.html
• http://advosys.ca/papers/printable/web-security.html
• http://www.cert.org/advisories/CA-2000-02.html
• http://www.webcredible.co.uk/user-friendly-resources/web-accessibility/wcag-guidelines-20.shtml
• http://msdn2.microsoft.com/en-us/library/aa302332.aspx
• http://msdn.microsoft.com/en-us/library/aa302433.aspx
• http://technet.microsoft.com/en-us/library/cc512638.aspx
• http://msdn.microsoft.com/en-us/library/aa480484.aspx
• http://msdn.microsoft.com/en-us/library/ms998258
• http://www.fortify.com/servlet/downloads/public/Fortify_360_Whitepaper.pdf
• http://java.sun.com/security/seccodeguide.html
• http://advosys.ca/papers/printable/web-security.pdf
• https://www.pcisecuritystandards.org/
• Implement additional or upgrade Technology/Tools, Threat Modeling and Security auditing should be
if required. given focus along with security reviews for successful
implementation. As threat landscape and requirements
Summary for applications keeps changing frequently there is a
Security is one of the greatest concerns as today most of need to perform regular security auditing and update
the applications that are build, have numerous integration security policies in order to make the system safer and
points. This is especially true for Web and Web Services compliant with current industry standards.
applications. Now a day’s security capabilities of delivered
application are one of the major criteria to evaluate Various forums/agencies/companies/researchers usually
deliverables as security is mapped directly with the publish list of top 10 security threats every year and
business. Therefore we should take security requirements it is advisable that we should keep track on these
very seriously vis-a-vis functional requirements. It’s time threats. OWSAP (The Open Web Application Security
we seriously focus on building secured web application Project) had releases their version of top 10 security
that does not jeopardize business at any stage, so that threats in web application at http://www.owasp.org/
business can be done without any hassle. index.php/Category:OWASP_Top_Ten_Project and it is
Software Security is all about making resources worth reading it. In addition to this there are few more
available through defined channel only to authenticated publication which has published top 10 security threats
resources based on their roles. For this we should for the year 2011.
• Thoroughly understands the business and it’s • http://www.itpro.co.uk/613333/top-10-threats-for-it-
ecosystem. security-in-2011
• Thoroughly understand technologies involved in • https://infosecisland.com/blogview/10546-Top-
developing the applications. Eight-Security-Threats-for-2011.html
• Thoroughly understands the Government, Legal, • http://www.itnewsafrica.com/?p=10072
industry and domain policies and guidelines.
• Thoroughly understand all types of users and their
roles & rights. RAHUL KUMAR GUPTA
Rahul Kumar Gupta is a postgraduate in Computer Applications,
Securing web applications requires: graduate in Business management and having around 8
certi�cations including SCEJA, ATG Commerce, PMP and JCP. He
• a combined effort across all phases of SDLC i.e. is having an experience of around 13 years (2010) in IT industry
requirement gathering, design, development, QA. and is working as Associate General Manager (Technology and
Deployment and maintenance. Architecture) for Product Engineering and Commerce and Service
• Requires security implementation across all layers i.e. applications with Indian IT giant HCL Technologies, NOIDA
client, server management, network mana-gement. (INDIA). He was also a co-technical reviewer for Professional
Java Ecommerce, Professional EJB and Professional JSP Site
Credits Design books of Wrox publication. He is actively involved in
The author wishes to thank his colleague Sunil Anand (Security
technical writings and published numerous technical articles
Architect) as domain expert, Vikas Wadehra and Ashish Saxena
for their valuable contribution as reviewer for this article. and whitepaper. You can catch him at rahgup@mailcity.com. For
more info visit http://rahgup.blogspot.com/
www.hakin9.org/en 21
22. ATTACK
The Backroom Message
That’s Stolen Your Deal
Do you want to learn more about bigwig? Is someone
keeping secrets from you? Need to silently record text
messages, GPS locations and call info of your child or
employee? Catch everybody at whatever you like with our
unique service.
What you will learn… What you should know…
• Each email-message (or sms-message) as part term of busi- • Basic knowledge about BlackBerry security
ness correspondence could be intercept
• Message can activate spyware
I
t lets you to intercept SMS or Email messages via the might just be that your partner is planning a surprise
Internet, catch cheating wives or cheating husbands, for you and has enlisted their help, so check the
stop employee espionage, protect children, etc. number carefully, particularly if it seems familiar to
Well, you’ve just read yet another advertising that you.
summarized several spyware products for every mobile
OS. To be beyond exception that Windows Mobile, Nothing personal...
Symbian, iOS (iPhone) are the most popular with Everyone knows that reading other people’s letters
consumer. All of kind has never had a distinct security or diaries, without the permission of the author isn’t
policy. But the BlackBerry devices are one of world’s ethical. All personal correspondence, or even just
top devices! It’s entirely explicable, though. There’s information such as SMS messages, address book,
unique thing is defensible. It has a proof-of-security email, ICQ history, indeed are called for fashionable
flow channel to transmit data from each to other. And word Privacy, or a Private, Data Privacy. Any attempt to
up to now, there’s no successful decoder for ciphered cheat with it behind author back is a direct violation of
technology. the individual privacy.
These days a lot of people are in use of a mobile One day, everyone has thought about what men
phone, it has made our lives easier and increased write to each other, or what was written by his friend or
communication, in spite of opportunity for a cheating. colleagues. It’s no necessarily malicious intent. Do they
You suppose your lover isn’t being faithful to you and have something to hide, to hatch a plot? Omnivorous
you ought to grant your suspicions or allay your fears. curiosity is one of the most popular human vice helps
So, the main of evidence can be new lover is linked with to fraudster to earn considerable sums of money every
your partner. day. They always ready to help to get into somebody
Telltale signs will be sms to the same number, late address phone book, email message or social
at night or early in the morning or both, if the same networking pages for all comers. After all do you can
number is appearing as a call at unsocial hours get access to cherished friend’s (lover’s, boss, foes)
then you really have something to be concerned chats?
about. However there can be a perfectly innocent The victim’s mobile phone is coveted human’s goal.
explanation for activity like this and its worth pausing This storage place may shed light on wrapped in
before jumping to conclusions. If the number that is mystery things. There’s no way to read others emails
appearing is that of a family member or good friend it or sms. You can take phone and read all you interested
22 04/2011