ITOnlinelearning offers cybersecurity courses ranging from beginner to professional levels, including CompTIA Security+, CISSP, CEH, CHFI, and ECSA/LPT. The document provides contact information for the company and recommends calling an advisor for tailored advice on courses. Zed Attack Proxy (ZAP) is an easy-to-use, open source tool for penetration testing web applications. It can be used to map an application, discover vulnerabilities, and aid in exploitation. The document provides instructions for setting up ZAP and using it to test the Damn Vulnerable Web Application (DVWA) for educational purposes.
This document discusses network security and Cisco's advanced services for network security. It provides an overview of security threats over time, the challenges faced by IT organizations in implementing security, and how an architectural approach to security is required. It describes Cisco's security services across the security lifecycle from assessment to design to implementation. Specific services covered include security posture assessment, network security design review and development. It also discusses best practices for perimeter security, authentication and authorization, and intrusion detection system design.
This document discusses virtual events and provides an overview of different types of virtual event platforms and technologies. It explores why virtual events are increasing in popularity now due to factors like the COVID-19 pandemic limiting in-person gatherings. The document outlines different experiential realms for virtual events, from passive and entertainment-focused to more active and educational. It also introduces the M.A.S.T.E.R. framework for planning virtual events, which involves assessing objectives, developing a strategy, mapping appropriate technologies, executing the plan, and reviewing/revising.
The Executive Protection Institute (EPI) is considered the world's top school for personal protection training. It was founded in 1978 by Dr. Richard Kobetz, who established personal protection as a respected profession. EPI offers intensive, hands-on training programs taught by highly experienced instructors to prepare students as Personal Protection Specialists. Its flagship 7-day "Providing Executive Protection" program is the most selective in the field and certifies graduates as PPS upon completion. EPI also provides networking opportunities through its exclusive alumni association, Nine Lives Associates.
This document provides an overview of implementing intrusion prevention systems. It describes the purpose and operations of network-based and host-based IPS, how IPS signatures are used to detect malicious traffic, and how to configure and monitor Cisco IOS IPS using the command line interface and Security Device Manager. The objectives are to describe IPS functions, signatures, alarms, actions, and monitoring, as well as configure and verify Cisco IOS IPS.
This document discusses building organizational competency for process safety. It defines competency as the state of being well-qualified to perform a task, which individuals and organizations gain through education, training, experience, and natural abilities. The document outlines key areas of competency for process safety, including understanding hazards and risk evaluation, and implementing strong management systems to control risk. It provides examples of career progressions in technical competencies like process hazard analysis. Finally, it emphasizes that human error is the root cause of most accidents, and that human factors and management systems play a key role in controlling human error.
This document discusses weaknesses in current computer security approaches and proposes a new "Secure Computing Infrastructure" (SCI) approach. It notes that operating systems and applications currently lack basic immune systems to defend against attacks. The SCI would integrate existing components like a separation kernel and Erlang virtual machine to create a more secure fault-tolerant environment. A phased approach is proposed beginning with a feasibility study and moving to proof of concept, field trials, and eventual full implementation. The goal is to develop a foundational security solution that is taught more widely in education.
The document discusses application security challenges and presents HP Fortify Software Security Center as a solution. It describes how the solution proactively identifies and eliminates risks in legacy applications and prevents risks during development. The solution protects applications across in-house, outsourced, commercial and open source development by embedding security into the entire software development lifecycle. It also provides comprehensive coverage across multiple vulnerability categories and programming languages.
This document discusses network security and Cisco's advanced services for network security. It provides an overview of security threats over time, the challenges faced by IT organizations in implementing security, and how an architectural approach to security is required. It describes Cisco's security services across the security lifecycle from assessment to design to implementation. Specific services covered include security posture assessment, network security design review and development. It also discusses best practices for perimeter security, authentication and authorization, and intrusion detection system design.
This document discusses virtual events and provides an overview of different types of virtual event platforms and technologies. It explores why virtual events are increasing in popularity now due to factors like the COVID-19 pandemic limiting in-person gatherings. The document outlines different experiential realms for virtual events, from passive and entertainment-focused to more active and educational. It also introduces the M.A.S.T.E.R. framework for planning virtual events, which involves assessing objectives, developing a strategy, mapping appropriate technologies, executing the plan, and reviewing/revising.
The Executive Protection Institute (EPI) is considered the world's top school for personal protection training. It was founded in 1978 by Dr. Richard Kobetz, who established personal protection as a respected profession. EPI offers intensive, hands-on training programs taught by highly experienced instructors to prepare students as Personal Protection Specialists. Its flagship 7-day "Providing Executive Protection" program is the most selective in the field and certifies graduates as PPS upon completion. EPI also provides networking opportunities through its exclusive alumni association, Nine Lives Associates.
This document provides an overview of implementing intrusion prevention systems. It describes the purpose and operations of network-based and host-based IPS, how IPS signatures are used to detect malicious traffic, and how to configure and monitor Cisco IOS IPS using the command line interface and Security Device Manager. The objectives are to describe IPS functions, signatures, alarms, actions, and monitoring, as well as configure and verify Cisco IOS IPS.
This document discusses building organizational competency for process safety. It defines competency as the state of being well-qualified to perform a task, which individuals and organizations gain through education, training, experience, and natural abilities. The document outlines key areas of competency for process safety, including understanding hazards and risk evaluation, and implementing strong management systems to control risk. It provides examples of career progressions in technical competencies like process hazard analysis. Finally, it emphasizes that human error is the root cause of most accidents, and that human factors and management systems play a key role in controlling human error.
This document discusses weaknesses in current computer security approaches and proposes a new "Secure Computing Infrastructure" (SCI) approach. It notes that operating systems and applications currently lack basic immune systems to defend against attacks. The SCI would integrate existing components like a separation kernel and Erlang virtual machine to create a more secure fault-tolerant environment. A phased approach is proposed beginning with a feasibility study and moving to proof of concept, field trials, and eventual full implementation. The goal is to develop a foundational security solution that is taught more widely in education.
The document discusses application security challenges and presents HP Fortify Software Security Center as a solution. It describes how the solution proactively identifies and eliminates risks in legacy applications and prevents risks during development. The solution protects applications across in-house, outsourced, commercial and open source development by embedding security into the entire software development lifecycle. It also provides comprehensive coverage across multiple vulnerability categories and programming languages.
Joseph A. Stump is seeking a career in telecommunications or information technology after 10 years of service in the US Army Signal Corps. He has a broad range of expertise from IT, RF, satellite and microwave communications fields. He has extensive experience as an instructor in these fields and leadership experience overseeing teams and managing budgets.
Events Secured By PLN9
PLN9 Security Services
Total security solutions for Manned Guarding
Electronic Security with Tyco.
Manned Guarding,
Event Management,
Industrial Security,
Mall Security,
Hotel Security,
Building Management.
Security Audit
Security Training
Electronic Security- Distributor of Tyco Fire Products & Tyco Security Products
ATI Technical CONOPS and Concepts Technical Training Course SamplerJim Jenkins
This three-day course is designed for engineers, scientists, project managers and other professionals who design, build, test or sell complex systems. Each topic is illustrated by real-world case studies discussed by experienced CONOPS and requirements professionals. Key topics are reinforced with small-team exercises. Over 200 pages of sample CONOPS (six) and templates are provided. Students outline CONOPS and build OpCons in class.
Mena Fire Safety Conference Qatar April 2011harrissafety
Fire Safety MENA 2011 will provide a platform for government ministries and industry experts including developers, contractors, architects and consultants to share and gain knowledge in this increasingly critical market.
Discover how to achieve best-practice fire risk management and integrate cost-effective, state-of-the-art strategies that mitigate fire hazards.
Learn from the experience of regional experts on how to comply to regional fire safety codes, regulations and standards across the Middle East and North Africa region.
This document discusses various training methods including classroom, electronic computer-based training (CBT), electronic online training, and blended training. It provides advantages and disadvantages of each method. Classroom training allows instructors to present material to groups but may not be interactive. CBT is flexible and standardized but requires computer literacy. Electronic online training saves on travel but is impersonal. Blended training combines methods to create a more integrated approach. The document also discusses using a free online safety training platform that provides over 300 training modules to individuals and companies.
BCM Institute MTE Dr Thomas Phelan - Closing the Gap on Emergency Management ...BCM Institute
BCM Institute MTE Series: http://www.worldcontinuitycongress.com/wcc08/mte.html
Dr Thomas Phelan, Founding Member U.S. Department of Homeland Security and President of Strategic Teaching Associates, presents Closing the Gap on Emergency Management and First Responders during a Meet-The-Experts seminar organised by BCM Institute which aimt to Bridge Economic Defence and Civil Defence.
1. The document describes a lesson on cryptographic systems that includes objectives, concepts, and examples.
2. Some key concepts covered are encryption, hashes, digital signatures, and how they provide confidentiality, integrity, and authentication of data.
3. Examples of encryption techniques described include transposition ciphers, substitution ciphers like the Caesar cipher, and the Vigenère cipher table.
An overview of software compliance management and how it relates to software asset management. Also, our services to address these issues are discussed.
The CCIE certification offered by Cisco certifies network engineers with expert-level skills in planning, operating, and troubleshooting complex network infrastructures. There are two requirements to obtain CCIE certification - passing a written exam and an intensive 8-hour hands-on lab exam. The CCIE certification is divided into several tracks including Routing and Switching, Security, Service Provider, and Voice, with each track focusing on different specializations within networking.
Investigation Course into a single, consolidated
course. This new course, titled "Personnel Security
The Center for Development of Security Excellence Adjudication and Investigation," provides a more
(CDSE) continued its efforts to professionalize the streamlined learning experience for students.
DoD security workforce during FY11. Key successes
included launching the Security Fundamentals CDSE instructors conducted mobile training at
Professional Certification, the first certification numerous DoD and federal agency locations in
under the new Security Professional Education the United States and overseas, including training
Development program. Over 700 security provided in Iraq in support of Operation New Dawn.
professionals earned this certification. CDSE
This session will arm you with all the key information you need to to figure out Open Source software licensing issues, understand legal situation, etc. The aim is to present your obligations in terms of OSS licences, patent and intellectual property, before launching a project.
Next, a method developed within QualiPSo project will be presented!
The document provides information about EC-Council and its Certified Ethical Hacker certification. EC-Council was founded in 2001 in response to the 9/11 attacks to provide cybersecurity education and training. It has since become a leading provider of cybersecurity certifications, including the popular CEH certification. The document outlines the history and mission of EC-Council, lists its certifications and training partners, and provides details about its Certified Ethical Hacker certification course modules and eligibility.
Walid Hamdy El Sisi is seeking a challenging position in data networking. He has over 10 years of experience working in network operations and support roles for internet service providers in Egypt. He holds numerous professional certifications including CCNA, CCNP Security, JNCIS-ENT, EC-Council C|EH, and specializations in Cisco security technologies.
The Ultimate Certification for Network Administrators
A vendor-neutral, hands-on, instructor-led, comprehensive network security certification training program.
The program prepares network administrators on network security technologies and operations to attain Defense-in-Depth Network security preparedness.
The document discusses different aspects of becoming an IT security expert, including various fields within IT security, common security certifications, and ways to gain expertise in specific areas. It outlines fields like security design/implementation, monitoring, management, prevention, and damage control. It also lists many security certifications offered by companies like CompTIA, Cisco, (ISC)2, GIAC, RSA, and EC-Council that can help professionals specialize and prove their expertise in different IT security domains.
Network security specialist Catherine Paquetl fills you in on advanced threat protection that integrates real-time contextual awareness, intelligent security automation and superior performance with industry-leading network intrusion prevention, Sourcefire.
ABOUT THE PRESENTER
Catherine Paquet, CCSI, CCNP Security, CCNP Routing and Switching, is a network security specialist. She began her internetworking career as a LAN manager, then MAN manager, and eventually became a nationwide WAN manager with the Department of National Defence. Paquet lectures around the world on security topics, including firewalls, VPNs, intrusion prevention, identity systems, email and Web security, and router and switch security. During her spare time, she authors Cisco Press books, and she volunteers as a network security analyst to nonprofit organizations. Paquet attended the Royal Military College Saint-Jean (Canada) and holds an MBA in Management Information Systems (MIS) from York University.
This document summarizes James McKinlay's presentation on "Cyber Hygiene at speed and scale - How to Clean a Datacenter". The presentation discusses the benefits of implementing vulnerability assessment and management (VMaaS) in managed datacenters to improve security. It recommends starting with quick wins like installing VMaaS agents, building a knowledgebase of patches, and linking VMaaS to configuration management databases. Long-term, security automation could be expanded to correlate software assets, maintain baselines, query systems, and collect security details. The takeaway is that datacenter operators should prioritize basic security hygiene and work with managed service providers to integrate more proactive security measures.
This document summarizes Cisco's physical security solutions including converged networking platforms, IP video surveillance cameras, access control systems, and emergency response technologies. It outlines the benefits of convergence for reducing total cost of ownership. Traditional separate systems for data, voice, video and physical security are consolidated onto a single IP network. Cisco provides an open platform to deliver the right security information to the right person at the right time through detection, analysis and response. Product lines include IP cameras, access control gateways, video management software and emergency notification systems.
SCYBER addresses an urgent need in cybersecurity training by developing the skills needed to proactively detect and combat cyber threats. The course spends 60% of time in hands-on labs where students monitor, analyze, and respond to actual cyber attacks. It teaches 4 major competencies - monitoring security events, configuring detection/alarming, analyzing traffic for threats, and appropriately responding to incidents. Key differentiators include being system agnostic, lab-heavy, teaching an inside-out approach, ease of entry for security professionals, and helping students understand why things are threats.
Joseph A. Stump is seeking a career in telecommunications or information technology after 10 years of service in the US Army Signal Corps. He has a broad range of expertise from IT, RF, satellite and microwave communications fields. He has extensive experience as an instructor in these fields and leadership experience overseeing teams and managing budgets.
Events Secured By PLN9
PLN9 Security Services
Total security solutions for Manned Guarding
Electronic Security with Tyco.
Manned Guarding,
Event Management,
Industrial Security,
Mall Security,
Hotel Security,
Building Management.
Security Audit
Security Training
Electronic Security- Distributor of Tyco Fire Products & Tyco Security Products
ATI Technical CONOPS and Concepts Technical Training Course SamplerJim Jenkins
This three-day course is designed for engineers, scientists, project managers and other professionals who design, build, test or sell complex systems. Each topic is illustrated by real-world case studies discussed by experienced CONOPS and requirements professionals. Key topics are reinforced with small-team exercises. Over 200 pages of sample CONOPS (six) and templates are provided. Students outline CONOPS and build OpCons in class.
Mena Fire Safety Conference Qatar April 2011harrissafety
Fire Safety MENA 2011 will provide a platform for government ministries and industry experts including developers, contractors, architects and consultants to share and gain knowledge in this increasingly critical market.
Discover how to achieve best-practice fire risk management and integrate cost-effective, state-of-the-art strategies that mitigate fire hazards.
Learn from the experience of regional experts on how to comply to regional fire safety codes, regulations and standards across the Middle East and North Africa region.
This document discusses various training methods including classroom, electronic computer-based training (CBT), electronic online training, and blended training. It provides advantages and disadvantages of each method. Classroom training allows instructors to present material to groups but may not be interactive. CBT is flexible and standardized but requires computer literacy. Electronic online training saves on travel but is impersonal. Blended training combines methods to create a more integrated approach. The document also discusses using a free online safety training platform that provides over 300 training modules to individuals and companies.
BCM Institute MTE Dr Thomas Phelan - Closing the Gap on Emergency Management ...BCM Institute
BCM Institute MTE Series: http://www.worldcontinuitycongress.com/wcc08/mte.html
Dr Thomas Phelan, Founding Member U.S. Department of Homeland Security and President of Strategic Teaching Associates, presents Closing the Gap on Emergency Management and First Responders during a Meet-The-Experts seminar organised by BCM Institute which aimt to Bridge Economic Defence and Civil Defence.
1. The document describes a lesson on cryptographic systems that includes objectives, concepts, and examples.
2. Some key concepts covered are encryption, hashes, digital signatures, and how they provide confidentiality, integrity, and authentication of data.
3. Examples of encryption techniques described include transposition ciphers, substitution ciphers like the Caesar cipher, and the Vigenère cipher table.
An overview of software compliance management and how it relates to software asset management. Also, our services to address these issues are discussed.
The CCIE certification offered by Cisco certifies network engineers with expert-level skills in planning, operating, and troubleshooting complex network infrastructures. There are two requirements to obtain CCIE certification - passing a written exam and an intensive 8-hour hands-on lab exam. The CCIE certification is divided into several tracks including Routing and Switching, Security, Service Provider, and Voice, with each track focusing on different specializations within networking.
Investigation Course into a single, consolidated
course. This new course, titled "Personnel Security
The Center for Development of Security Excellence Adjudication and Investigation," provides a more
(CDSE) continued its efforts to professionalize the streamlined learning experience for students.
DoD security workforce during FY11. Key successes
included launching the Security Fundamentals CDSE instructors conducted mobile training at
Professional Certification, the first certification numerous DoD and federal agency locations in
under the new Security Professional Education the United States and overseas, including training
Development program. Over 700 security provided in Iraq in support of Operation New Dawn.
professionals earned this certification. CDSE
This session will arm you with all the key information you need to to figure out Open Source software licensing issues, understand legal situation, etc. The aim is to present your obligations in terms of OSS licences, patent and intellectual property, before launching a project.
Next, a method developed within QualiPSo project will be presented!
The document provides information about EC-Council and its Certified Ethical Hacker certification. EC-Council was founded in 2001 in response to the 9/11 attacks to provide cybersecurity education and training. It has since become a leading provider of cybersecurity certifications, including the popular CEH certification. The document outlines the history and mission of EC-Council, lists its certifications and training partners, and provides details about its Certified Ethical Hacker certification course modules and eligibility.
Walid Hamdy El Sisi is seeking a challenging position in data networking. He has over 10 years of experience working in network operations and support roles for internet service providers in Egypt. He holds numerous professional certifications including CCNA, CCNP Security, JNCIS-ENT, EC-Council C|EH, and specializations in Cisco security technologies.
The Ultimate Certification for Network Administrators
A vendor-neutral, hands-on, instructor-led, comprehensive network security certification training program.
The program prepares network administrators on network security technologies and operations to attain Defense-in-Depth Network security preparedness.
The document discusses different aspects of becoming an IT security expert, including various fields within IT security, common security certifications, and ways to gain expertise in specific areas. It outlines fields like security design/implementation, monitoring, management, prevention, and damage control. It also lists many security certifications offered by companies like CompTIA, Cisco, (ISC)2, GIAC, RSA, and EC-Council that can help professionals specialize and prove their expertise in different IT security domains.
Network security specialist Catherine Paquetl fills you in on advanced threat protection that integrates real-time contextual awareness, intelligent security automation and superior performance with industry-leading network intrusion prevention, Sourcefire.
ABOUT THE PRESENTER
Catherine Paquet, CCSI, CCNP Security, CCNP Routing and Switching, is a network security specialist. She began her internetworking career as a LAN manager, then MAN manager, and eventually became a nationwide WAN manager with the Department of National Defence. Paquet lectures around the world on security topics, including firewalls, VPNs, intrusion prevention, identity systems, email and Web security, and router and switch security. During her spare time, she authors Cisco Press books, and she volunteers as a network security analyst to nonprofit organizations. Paquet attended the Royal Military College Saint-Jean (Canada) and holds an MBA in Management Information Systems (MIS) from York University.
This document summarizes James McKinlay's presentation on "Cyber Hygiene at speed and scale - How to Clean a Datacenter". The presentation discusses the benefits of implementing vulnerability assessment and management (VMaaS) in managed datacenters to improve security. It recommends starting with quick wins like installing VMaaS agents, building a knowledgebase of patches, and linking VMaaS to configuration management databases. Long-term, security automation could be expanded to correlate software assets, maintain baselines, query systems, and collect security details. The takeaway is that datacenter operators should prioritize basic security hygiene and work with managed service providers to integrate more proactive security measures.
This document summarizes Cisco's physical security solutions including converged networking platforms, IP video surveillance cameras, access control systems, and emergency response technologies. It outlines the benefits of convergence for reducing total cost of ownership. Traditional separate systems for data, voice, video and physical security are consolidated onto a single IP network. Cisco provides an open platform to deliver the right security information to the right person at the right time through detection, analysis and response. Product lines include IP cameras, access control gateways, video management software and emergency notification systems.
SCYBER addresses an urgent need in cybersecurity training by developing the skills needed to proactively detect and combat cyber threats. The course spends 60% of time in hands-on labs where students monitor, analyze, and respond to actual cyber attacks. It teaches 4 major competencies - monitoring security events, configuring detection/alarming, analyzing traffic for threats, and appropriately responding to incidents. Key differentiators include being system agnostic, lab-heavy, teaching an inside-out approach, ease of entry for security professionals, and helping students understand why things are threats.
This curriculum vitae is for Varsharani K, an Information Security Analyst with 2 years of experience in SIEM, vulnerability management, and Symantec. She has worked with tools like IBM Q-Radar, AlienVault SIEM, Qualys Guard, and Symantec Endpoint Protection. Her current role is with Capgemini India where she monitors Q-Radar health, analyzes logs for vulnerabilities, and notifies teams to remediate issues. She also has experience managing vulnerabilities for Warner Brothers through Qualys Guard and providing recommendations based on scan reports.
During the Next Generation Network and Data Centre – Now and into the Future ...Cisco Canada
Rapid changes in the world around us, driven by cloud, mobility and the Internet of Everything, are creating significant opportunities for global organizations. With these environmental changes, the sophistication with which cyber threats and attacks are carried out continues to grow rapidly, and attackers are increasingly able to circumvent traditional security systems. To learn more, please visit our website here: http://www.cisco.com/web/CA/index.html
2021 01-27 reducing risk of ransomware webinarAlgoSec
Micro-segmentation protects your network by limiting the lateral movement of ransomware and other threats in your network. Yet successfully implementing a defense-in-depth strategy using micro-segmentation may be complicated.
In this second webinar in a series of two webinars about ransomware, Yitzy Tannenbaum, Product Marketing Manager from AlgoSec and Jan Heijdra, Cisco Security Specialist, will provide a blueprint to implementing micro-segmentation using Cisco Secure Workload (formerly Cisco Tetration) and AlgoSec Network Security Policy Management.
Join our live webinar to learn:
• Why micro-segmentation is critical to fighting ransomware
• Understand your business applications to create your micro-segmentation policy
• Validate your micro-segmentation policy is accurate
• Enforce these granular policies on workloads and summarized policies across your infrastructure
• Use risk and vulnerability analysis to tighten your workload and network security
• Identify and manage security risk and compliance in your micro-segmented environment
As you move your IT Infrastructure into the cloud, how secure can you expect your applications to be? Join Alert Logic and Internap on this webcast for an enlightening discussion on the state of cloud security and how it impacts security management decisions, especially in the context of deploying infrastructure to hosted and cloud environments.
Cybersecurity Training Seminars, 44 Courses : Tonex TrainingBryan Len
Cybersecurity used to be thought of as a specialized, niche occupation. But with the advance of cybercrimes over the past few years, just about everyone with access to a laptop, desktop or mobile device has had to do something to protect their electronic data.
Who Should Attend?
All IT professionals security scientists and government personnel who want to learn the foundation of
cybersecurity in detail as well as keep up on trends in the cybersecurity field.
The truth is, hackers still lean heavily on human error for launching a cyberattack – especially in the work arena. Research shows that around 90 percent of all cybercrimes stemmed from some type of human error or behavior. A data compromise is much more likely to come from an employee leaving a laptop on the bus than from a preplanned, malicious cyberattack.
Other common employee IT mistakes that can lead to disastrous scenarios for a company:
Opening email attachments from strangers
Forwarding email attachments from strangers
Using unimaginative passwords
Using the same password for years
Leaving sticky notes on your desk with passwords
Clicking on advertisements
Using work computers for personal use.
Cybersecurity training 4 major parts are :
Cybersecurity foundation: 28 Courses
Iot security: 1 Course
Risk management framework training: 6 Courses
Wireless security training : 9 Courses
Tonex has been documenting the cybercrime evolution for 25 years when it first began training organizations on how to better deflect contemporary cyberattack.The experts from Tonex are Different because they take into account your workforce’s special learning requirements. In other words, Tonex personalize their training – Tonex has never been and will never be a “one size fits all” learning program.
Participants are introduced to a wide variety of topics including cutting edge ways of mitigating cybersecurity vulnerabilities and protecting information systems of cyber-resilient environments, mobile devices, networks or cloud computing systems.
Learn more.
Cybersecurity Training Seminars : Tonex Training
https://www.tonex.com/cybersecurity-training-seminars/
The document provides information on various certification and training options for penetration testing and ethical hacking. It discusses several vendors that provide both online and bootcamp training programs, and lists the costs associated with each. It provides details on certifications from vendors like CompTIA, EC-Council, GIAC, Mile2, and Offensive Security. These certifications range in focus from foundational security skills to advanced penetration testing. The document also notes some free online resources available for additional preparation.
The document provides an overview of the CompTIA Security+ certification exam objectives. It describes the purpose of the exam as validating foundational security skills and knowledge for IT security professionals with 2 years of experience. It outlines the 6 domains covered in the exam, including network security, compliance and operational security, threats and vulnerabilities, application/data/host security, access control and identity management, and cryptography. For each domain, it lists the objectives and example topics that may be included on the exam.
The document outlines the Cyberoam Certified Network & Security Professional (CCNSP) certification course. The CCNSP certification prepares security professionals to recognize insider and external threats while gaining expertise in networking, security fundamentals, and deploying Cyberoam's identity-based unified threat management solution. The training course is divided into 12 modules covering topics such as Cyberoam product overview, firewalls, user authentication, web filtering, application firewalls, VPNs, logging, and more.
The document outlines the Cyberoam Certified Network & Security Professional (CCNSP) certification course. The CCNSP certification prepares security professionals to recognize insider and external threats while gaining expertise in networking, security fundamentals, and deploying Cyberoam's identity-based unified threat management technology. The training course is divided into 12 modules covering topics such as Cyberoam product overview, firewalls, user authentication, web filtering, application firewalls, VPNs, logging, and more.
Automotive Cybersecurity: Test Like a HackerForAllSecure
Learn the techniques used by award-winning hacking teams (as well as in some real-world attacks) to identify and exploit vulnerabilities in OEM components and other automotive software. This presentation covers fundamental principles, as well as how to easily incorporate these techniques into unit or functional test stages - bringing an extra layer of protection to connected automobiles. We'll cover both how to best fit this type of testing into your pipeline to maximize speed and coverage, as well as discuss how to fit this offensive cyber security approach alongside your existing vulnerability scanning programs. Whether you're a vehicle manufacturer, integrator, or OEM - we'll discuss how to leverage hacking-based security techniques to improve protection across the supply chain and keep vehicles and drivers safer. What we'll cover:
- Successful exploits of components and vehicles - what these attacks had in common
- Layering offensive techniques atop existing security programs - what to do and what to avoid
- How to test integrated systems with multiple components from different OEMs working in tandem
- Integrating offensive testing into different stages in software development and component integration
Originally presented at https://www.automotive-iq.com/events-automotive-cybersecurity
The document contains the resume of Mohamed Fathy Mahmoud Fathallah seeking a position as an Information Security Specialist. It outlines his education including graduating with a 73.4% grade point average in Communication and Electronics from Tanta University in 2014. It also details his technical skills in network security, information security, system security, system administration, programming languages, and mobile networks. His experiences include working as a Security Engineer since 2015 implementing various security tools and conducting vulnerability assessments and penetration tests.
Tesis ini membahas pengembangan sistem aplikasi point of sale berbasis web menggunakan bahasa pemrograman PHP untuk perusahaan parfum bernama Perfume House di Banda Aceh. Metode yang digunakan adalah waterfall untuk menganalisis kebutuhan bisnis dan pengguna, merancang sistem berorientasi objek, dan menguji sistem sesuai standar kualitas ISO 9126.
The article discusses using the Sulley fuzzing framework to test a vulnerable FTP server. Sulley allows users to describe a network protocol using a simple object-oriented grammar, and then generates test cases to fuzz the protocol. The article will demonstrate how to use Sulley to fuzz an FTP server by describing the protocol and having Sulley generate test inputs.
This interview discusses Pavol Luptak's career in IT security. Some of the key points discussed include:
- Pavol obtained his BSc and MSc degrees focused on computer science and ultra-secure systems. He holds prestigious security certifications like CISSP and CEH.
- He is the leader of the Slovak OWASP chapter and co-founder of security organizations. He is responsible for IT security.
- In the past, Pavol demonstrated vulnerabilities in public transport ticketing systems across Europe.
- He has over 12 years of experience in penetration testing, security auditing, social engineering and digital forensics.
- Pavol discussed some of the challenges he faced
The article discusses two opposing views on cyberwar. On one side, Cecilia McGuire argues that cyberspace has become a new digital frontier for combat operations by nation-states, militants, and other actors. She believes cyber attacks could lead to a "digital apocalypse." On the other side, Johan Snyman argues that reports of cyberwar are exaggerated and that the impacts of cyber attacks are often overstated. The issue presents differing perspectives on the threat of cyberwar without making a clear conclusion.
PenTest Magazine is a monthly publication focused on penetration testing. It features articles from penetration testing specialists and experts in vulnerability assessment. Each issue covers aspects of pen testing from methodologies and tools to real-life solutions. In addition to the monthly issues, there are additional publications on the 15th and 7th of each month focused on specific topics and the latest in pen testing. The target readership includes penetration testing specialists, security professionals, and IT security enthusiasts.
This document provides information about PenTest Magazine, a weekly downloadable IT security magazine focused on penetration testing. It features articles from penetration testing specialists and experts covering all aspects of pen testing. Each issue also includes news, tools reviews, technical articles, and interviews. The magazine aims to create a community around evolving and improving IT security. Advertising opportunities are also outlined, including rates for various ad sizes in the magazine and on the website.
The document provides a review of SecPoint Cloud Penetrator, an online vulnerability assessment tool. The summary is:
1) The reviewer was impressed with the thoroughness of SecPoint's reports, which provided impact information and references for each vulnerability beyond just the CVE identifier.
2) SecPoint correctly identified a high-risk issue related to one server being blacklisted that could impact email availability.
3) While the interface was not evaluated, the reviewer believes the tool would be valuable for security teams and that the cost is reasonable compared to alternatives.
4) Some enhancements around timestamps and source/target identifiers on each report page were suggested, but overall the assessment of the tool was
Ce hv6 module 42 hacking database serversAmiga Utomo
This document discusses hacking of database servers. It covers attacking Oracle databases by finding Oracle servers on a network, exploiting default accounts and passwords. It also discusses the Oracle Worm Voyager Beta. The document then discusses hacking SQL Server by exploring 10 hacker tricks including vulnerability scanning and SQL injection. It describes how hackers use tools like Query Analyzer and odbcping to hack SQL Servers. The document concludes with an overview of security tools that can be used to detect vulnerabilities and protect databases.
This document provides a summary of the contents of an issue of a digital forensics magazine.
The issue includes articles on securing cloud computing experiences, successfully attacking DNS, MySQL attacks on websites, bypassing web antiviruses, and upcoming security conferences. It also continues a cyber crime novella series.
2. ITOnlinelearning offers Network Security courses for the beginner through to the professional.
From the CompTIA Security+ through to CISSP, Certified Ethical Hacker (CEH),
Certified Hacking Forensic Investigator (CHFI) and Security Analyst/Licensed Penetration tester (ECSA/LPT).
Tailored Advice and Discounts
0800-160-1161 or
Please Call one of our Course Advisors for help and Tailored Advice -during office hours
(Mon-Fri 9am-5.30pm)
Telephone: 0800-160-1161
International: +44 1795 436969
Email: sales@itonlinelearning.co.uk
support@itonlinelearning.co.uk
Registered Office: 16 Rose Walk, Sittingbourne, Kent, ME10 4EW
3. Global I.T. Security Training & Consulting
www.mile2.com
IS YOUR NETWORK SECURE?
In February 2002, Mile2 was established in response to the
TM
critical need for an international team of IT security training
experts to mitigate threats to national and corporate secu-
rity far beyond USA borders in the aftermath of 9/11. mile2 Boot Camps
A Network breach...
Could cost your Job!
Available Training Formats
1. F2F Classroom Based Training
GENERAL SECURITY TRAINING 2. CBT Self Paced CBT
CISSPTM CISSP & Exam Prep 3. LOT Live Online Training
C)ISSO Certified Information Systems Security Officer 4. KIT Study Kits & Exams
C)SLO Certified Security Leadership Officer 5. LHE Live Hacking Labs (War-Room)
ISCAP Info. Sys. Certification & Accred. Professional
Worldwide Locations
PENETRATION TESTING (AKA ETHICAL HACKING) Other New Courses!!
C)PTETM Certified Penetration Testing Engineer ITIL Foundations v.3 & v.4
C)PTCTM Certified Penetration Testing Consultant CompTIA Security+, Network+
ISC2 CISSP & CAP
SECURE CODING TRAINING
C)SCETM Certified Secure Coding Engineer SANS GSLC GIAC Sec. Leadership Course
SANS 440 Top 20 Security Controls
WIRELESS SECURITY TRAINING SANS GCIH GIAC Cert Incident Handler
C)WSETM Certified Wireless Security Engineer
C)WNA/PTM Certified Wireless Network Associate / Professional
We practice what
DR&BCP TRAINING we teach.....
INFORMATION ASSURANCE
DR/BCP Disaster Recovery & Business Continuity Planning SERVICES
Other Mile2 services available Globally:
1. Penetration Testing
VIRTUALIZATION BEST PRACTICES
2. Vulnerability Assessments
C)SVMETM Certified Secure Virtual Machine Engineer 3. Forensics Analysis & Expert Witnesses
4. PCI Compliance
DIGITAL FORENSICS 5. Disaster Recovery & Business Continuity
C)DFETM Certified Digital Forensics Examiner
(ISC)2 & CISSP are service marks of the IISSCC. Inc. Security+ is a trade mark of 1-800-81-MILE2
CompTIA. ITIL is a trade mark of OGC.GSLC & GCIH are trademarks of GIAC. +1-813-920-6799
11928 Sheldon Rd Tampa, FL 33626
4. F
R
E
E Editors note
Dear Readers! Attacks
Get it on with ZAP
06by Gareth Watters
To thank you for your support with creating PenTest
community we decided to publish PenTest Free.
Every month you will get five great articles that will Let’s take a look around Zed Attack Proxy and see what
teach and keep you up to date with IT security is- it’s all about, but before we go on let’s emphasize some of
sues. the greatest ZAP’s attributes. It’s easy, it’s free and open
In the first issue you will find articles devoted to source, ZAP in fully internationalized, has extensive user
attacks. We have chosen the most popular titles and guides and unlike some similar tools, has the ability to
here you can read the best articles devoted to Zed save sessions to go back to later for reports, which is an
Attack Proxy, internationalized, free and of great imperative requirement for pen testers as report writing
help as far as report writing is concerned. Probe Re- tends sometimes not to be our strongest area.
quest Based Attack article is a great technical tuto-
Wireless Eurynomus: A Wireless
14(802.11) Probe Request Based Attack
rial for anyone interested in wireless attacks. Can we
train a computer user to be sufficiently security liter-
ate? What's the best way to defend one from phish- by Hitesh Choudhary and Pankaj Moolrajani
ing attacks? You can read about this in the article of In the recent years, the proliferation of laptop computers
Ian Moyse. and smart phones has caused an increase in the range of
In the section Cyberwar you can read about digi- places people perform computing. At the same time, net-
tal frontier and the impact of cyber attacks on our work connectivity is becoming an increasingly integral
lives. Are we living in the times of an ongoing cy- part of computing environments.
berwar? See what our author has to say about this
Securing Users from Phishing,
18Smishing & Social Media Attacks
problem. Last but not least, we would like you to
read article about pentesting SCADA written by our
regular author Stefano Maccaglia. by Ian Moyse
I hope that you will find this issue a valuable com- Some experts believe one of the best solutions
pilation and encouragement to stay with us for good. to thwart phishing attacks is end-user training,
If you have any suggestions for us concerning top- but can we really train every computer user
ics, problems you want to read about or people you to be sufficiently security literate? Will it
would like to know better thanks to PenTest please, ever be the case that anyone can distin-
feel free to contact us at en@pentestmag.com. guish a phishing message from a genu-
ine bank email?
Thank you all for your great support and invalu-
able help.
Enjoy reading!
Malgorzata Skora
& PenTest Team
01/2012
5. F
R
E
CONTENTS E
Cyberwar
Digital Apocalypse: The Artillery of Cyber
22War
by Cecilia McGuire
Cyberspace is now the digital frontier of choice for executing
many combat operations, by extending the medium in which
greater levels of power can now be accessed by Machiavelli
agents, militants and nation-states. Squads of cyber militants
going under the banner of Anonymous and LulzSecare, moti-
vated by the ease in which they can now execute high impact TEAM
operations whilst avoiding detection, are just a few of the much
Supportive Editor: Ewa Dudzic
publicized names synonymous with cyber terrorism. The multi- ewa.dudzic@software.com.pl
dimensional characteristics of cyber space have dissolved the
Product Manager: Małgorzata Skóra
boundaries between digital landscape and physical security, fa- malgorzata.skora@pentestmag.com
cilitating cyber-attacks that produce devastating impacts to criti-
Betatesters / Proofreaders: Robert Keeler, Daniel Wood,
cal infrastructure, as well as Corporate and Government assets. Scott Christie, Massimo Buso, Hussein Rajabali, Aidan Carty,
Jonathan Ringler, Thomas Butler, Dan Felts, Gareth Watters,
SCADA Stefanus Natahusada, Francesco Consiglio, Harish Chaudhary,
Wilson Tineo Moronta, Scott Stewart, Richard Harold,
The Box holes. Pen Testing a SCADA plat- Ryan Oberto, William R. Whitney III, Marcelo Zúñiga Torres
28 form Senior Consultant/Publisher: Paweł Marciniak
by Stefano Maccaglia
In the last decade SCADA systems have moved from propri- CEO: Ewa Dudzic
ewa.dudzic@software.com.pl
etary, closed, networks to open source solutions and TCP/
IP enabled networks. Their original “security through ob-
Art Director: Ireneusz Pogroszewski
scurity” approach, in terms of protection against un- ireneusz.pogroszewski@software.com.pl
authorized access, has fallen, together with their in- DTP: Ireneusz Pogroszewski
terconnection limits. This has made them open to
Production Director: Andrzej Kuca
communicate with the rest of the world, but vul-
andrzej.kuca@software.com.pl
nerable, as our traditional computer networks.
Publisher: Software Press Sp. z o.o. SK
02-682 Warszawa, ul. Bokserska 1
Phone: 1 917 338 3631
www.pentestmag.com
Whilst every effort has been made to ensure the high quality of
the magazine, the editors make no warranty, express or implied,
concerning the results of content usage.
All trade marks presented in the magazine were used only for
informative purposes.
All rights to trade marks presented in the magazine are
reserved by the companies which own them.
To create graphs and diagrams we used program
by
Mathematical formulas created by Design Science MathType™
DISCLAIMER!
The techniques described in our articles may only
be used in private, local networks. The editors
hold no responsibility for misuse of the presented
techniques or consequent data loss.
6. F
R
E
E attack
Get it on with Zed
Attack Proxy
Let’s take a look around Zed Attack Proxy and see what it’s all
about, but before we go on Iet’s emphasize some of the greatest
ZAP’s attributes. It's easy, it’s free and open source, ZAP is fully
internationalized, has extensive user guides and unlike some
similar tools, has the ability to save sessions – a great help as far as
writing reports is concerned.
Y
ou can download Zed Attack Proxy from code.google.com/p/zaproxy/wiki/HelpStartProx-
http://code.google.com/p/zaproxy/. Note: If ies.
you don’t already have it installed, you need When you open ZAP for the first time you will be
to download and install java http://www.java.com. prompted to create an SSL Root CA Certificate as
ZAP is at it’s heart an interception proxy and has in Figure 2. In the context of this article, we will be
to be configured in-line between your browser and working with the secure login to a vulnerable web
your application. For instructions to configure ZAP application. Therefore we shall create a SSL Root
as a proxy for all the major browsers go to http:// CA certificate.
Figure 1. Setup of ZAP for use in a Penetration Test
01/2012 Page 6 http://pentestmag.com
7. F
R
E
E
Option Dynamic SSL Certificates tem (browser). In other words when you’re not
OWASP ZAP allows you to transparently decrypt testing in a safe environment, but on productive
SSL connections. For doing so, ZAP has to encrypt machines, be aware that you could be opening an
each request before sending to the server and de- additional attack vector to your system if your cer-
crypt each response, which comes back. But, this tificate was in the wrong hands. ZAP generates a
is already done by the browser. That’s why, the on- certificate that is unique to you, so keep this cer-
ly way to decrypt or intercept the transmission, is tificate safe.
to do a ‘man in the middle’ approach. Next you configure ZAP’s Local Proxy port: Go
To Tools -> Options -> Local Proxy -> localport Set-
Overview tings: Localhost 8090.
In other words, all data sent to and received from Then configure your browser to use ZAP as a
the server is encrypted/decrypted by using the proxy. In this example we are using Firefox run-
original server’s certificate inside ZAP. This way, ning Foxyproxy: Go To Edit ->- Preferences -> Net-
ZAP knows the plain text. To establish a SSL pro- works – > Settings -> Choose to Use ZAP for all
tected session from you (your browser), ZAP is URLs.
using it’s own certificate. This is the one you can Now you’re ready to go. All you need is your tar-
create. Every certificate created by ZAP will be get application (Pentester) or your own Web Appli-
signed for the same server name. This way, your cation that’s under development (Developer). for
browser will do regular SSL encryption. the context of this article we will use DVWA (Damn
Import Certificate in to Mozilla Firefox – Firefox Vulnerable Web Application)
is using it’s own certificate store. Installation and
late on validation is done in the same preferences DVWA – Damn Vulnerable Web App
dialog: (User: admin Password: password)
Damn Vulnerable Web App (DVWA) is a PHP/
• Go to Preferences MySQL web application that is damn vulnerable.
• Tab Advanced It’s main goals are to be an aid for security profes-
• Tab Cryptography/Certificates sionals to test their skills and tools in a legal envi-
• Click View certificates ronment, help web developers better understand
• Click tab Trusted root certificates the processes of securing web applications and
• Click Import and choose the saved owasp_ aid teachers/students to teach/learn web applica-
zap_root_ca.cer file tion security in a class room environment.
• In the wizard choose to trust this certificate to
identify web sites (check on the boxes) WARNING!
• Finalize the wizard Damn Vulnerable Web App is damn vulnerable!
Do not upload it to your hosting provider’s pub-
Attention Risks lic html folder or any working web server as it will
When adding self generated Root CA certificates be hacked. I recommend downloading and install-
to your list of trusted root certificates, anyone with ing XAMPP onto a local machine inside your LAN
the root certificate can smuggle data into your sys- which is used solely for testing. http://code.google.
com/p/dvwa/
Tip
If you fancy skipping past the installation and setup
of dvwa, I suggest downloading SamuraiWTF, you
will find that this great distro already has DVWA al-
ready installed setup and ready to go.
The next thing to do for a beginner new to de-
velopment or pentesting is explain how ZAP’s ad-
vanced components can be useful as a tools in a
basic web application penetration test.
Basic Web Application Penetration Test: Recon
-> Mapping -> Discovery/Enumeration -> Exploi-
Figure 2. SSL Root CA Certificate tation.
01/2012 Page 7 http://pentestmag.com
8. F
R
E
E attack
ZAP is useful in the Mapping context using the • Sites tab – A Hierarchical representation of
proxy and spider. ZAP is useful in the Discovery con- your application
text with the active vulnerability scanner and fuzzer, • History Tab – Lists all the requests (GET/
brute forcing web directories and files with DirBuster. POST) and the order they are made
ZAP is useful in the Exploitation phases when • Search tab – Search ZAP gathered information
you combine it’s findings with exploitation tools • Port Scan – a basic port scanner allows you to
such as like SQLMap,BeEf and Metasploit. scan and shows which ports are open on the
target sites.
Basic Web Application Penetration Test • Output tab – This shows various informational
– Mapping messages.These can include the stack traces
To do comprehensive mapping, you must navigate of unexpected exceptions
through your web application. Ensure to follow and • Alerts tab – Shows you any potential issues
explore through all of the functionality of the appli- and vulnerabilities ZAP has found. (See Ex-
cation. Click each link, traverse through all tabs and ploitation for more info.)
areas of your application. Press all buttons, fill in
and submit all forms. If your application supports Click on entries in Sites or History – correspond-
multiple roles then do this for each of the roles e.g. ing requests and responses will be visible in the
User, Admin. Note: In order to use multiple roles, it’s Request and Response Tabs If you right-click on
best to save each role as a separate ZAP sessions. any item – A whole load of extra options and func-
Zap maps out the web application in a hierarchi- tionality becomes available.
cal manner as in the sites tab displayed in Figure 3. Zap passively scans the Requests and Re-
The lower pane brings together all the tabs for web sponses and reports any potential problems,
application pen. testing in a universal status bar. but does not submit any responses on your
behalf.
Tip
In Zap – Double click on a tab and it the tab for a Spider
better view – Double click and it will revert back to Can be activated by the play button on the Spider
the lower status bar. tab or Right-Click Attack on the sites tree.
Figure 3. A completed mapping of DVWA
01/2012 Page 8 http://pentestmag.com
9. F
R
E
E
The spider looks for pages that weren’t found in those hidden files and directories. And if that was
the manual recon/mapping. Running the spider, not enough DirBuster also has the option to per-
will crawl the website and find URLs that you may form a pure brute force, which leaves the hidden
have missed are hidden. It places them in the directories and files nowhere to hide!
Sites page with a spider icon. It is recommend to
manually explore and map the web application Tip
first and then use spider. If the spider does find ZAP also allows for custom files to be used, in the
unseen links, revert back through the application SamuraiWTF training course we used CeWL (Cus-
through your browser and visit those URLs. tom Word List generator) by DigiNinja. CeWL is a
ruby app which spiders a given url to a specified
Tip depth, optionally following external links, and re-
A good crawl will enable you to have a better ac- turns a list of words which can then be used for
tive scan. password crackers such as John the Ripper. John
the Ripper can aswell be used to create a wordlist
Basic Penetration Test – Discovery that has different versions of the words that CeWL
Active scanner collected for example – ex@mpl3 These custom
Active vulnerability scanner attacks the application wordlists can then be imported and used by ZAP
and performs a number of known attacks. for Brute Forcing and Fuzzing.
Active scanner is there to find basic vulnerabili-
ties (Only to be used in development environment Fuzzer
unless explicitly permitted in writing by the Web ZAP also has fuzzing capabilities through its in-
App. owner in case of a Penetration test – It is ille- tegrated use of yet another OWASP Project
gal to run active scans without legal consent). JBroFuzz. ‘Fuzz testing or fuzzing is a software
Damn Vulnerable Web Application (DVWA) as it testing technique, often automated or semi-au-
is aptly named is an excellent resource for viewing, tomated, that involves providing invalid, unex-
and learning about vulnerabilities. Once you’ve pected, or random data to the inputs of a com-
completed the above steps above you should be puter program. The program is then monitored
able to see the results of the mappings and vulner- for exceptions such as crashes or failing built-in
abilities in your application in the Alerts tab Imme- code assertions or for finding potential memory
diately you can see a number of alerts for vulner- leaks. Fuzzing is commonly used to test for se-
abilities found. curity problems in software or computer systems’
- Wikipedia’
Brute Force To Fuzz a request string such as a password:
Use the brute force scanner to find unreferenced
files and directories. You can use the built in or • Select a request in the Sites or History tab
custom input files for Brute Force Scanner. ZAP • Highlight the string you wish to fuzz in the re-
Uses OWASP DirBuster and Fuzzing using anoth- quest tab
er OWASP Project JBroFuzz and Fuzzdb • Right-click in the Request tab and select ‘Fuzz’
ZAP uses OWASP DirBuster, a multi threaded • Select the Fuzz Category and one or more of
java application designed to brute force directories the Fuzzers
and files names on web/application servers. Often • Press the Fuzz Button
is the case now of what looks like a web server in • The results will then be listed in the Fuzzer tab
a state of default installation is actually not, and • Select them to see the full requests and re-
has pages and applications hidden within. DirBus- sponses
ter attempts to find these.
However tools of this nature are often as only Additional fuzzing text files are added continu-
good as the directory and file list they come with. A ously with each ZAP release and as stated earli-
different approach was taken to generating Dirbus- er you can also create and import your own cus-
ter. The Dirbuster list was generated from scratch, tom files.
by crawling the Internet and collecting the direc-
tory and files that are actually used by develop- Manual test
ers! DirBuster comes a total of 9 different lists, The above steps will find basic vulnerabilities. More
this makes DirBuster extremely effective at finding vulnerabilities become apparent when you to manu-
01/2012 Page 9 http://pentestmag.com
10. F
R
E
E attack
ally test the application by giving it some data, try- mation about a particular alert in the ‘Other info’.
ing loginsetc. In an advanced web application pen- tab, and best of all there is a solution and refer-
etration test scenario, a number of other tools such ence material provided for the alert.
as Nikto, Curl, SQLMap, Cewl etc would be used, You will see how intuitive and educationally ben-
See the OWASP Testing Guide for more details on eficial ZAP really is to developers/pentesters, es-
comprehensive Penetration Testing at https://www. pecially ones in the early stages of their careers.
owasp.org/index.php/OWASP_Testing_Project.
Break Points
Basic Penetration Test – Exploitation: A break point allows you to intercept a request from
Once you have performed your basic pentest map- your browser and to change it before is is submit-
ping and discovery, you are ready for exploitation ted to the web application you are testing. You can
or remediation depending on your role, develop- also change the responses received from the appli-
er or pentester. The considerable information that cation.The request or response will be displayed in
ZAP provides under the Alerts tab is key to a pen- the Break tab which allows you to change disabled
tester’s next move. or hidden fields, and will allow you to bypass cli-
ent side validation (often enforced using javascript).
Alerts It is an essential penetration testing technique. You
ZAP provides comprehensive information relating can set a ‘global’ break point on requests and/or re-
to all alerts and vulnerabilities it finds. All the exploi- sponses using the buttons on the top level toolbar.
tation material you need is here listing active and All requests and/or responses will then be inter-
passive vulnerabilities. Each alert gets flagged in cepted by ZAP allowing you to change anything
the History tab, gets a Risk Rating – Informational, before allowing the request or response to con-
Low, Medium or High. Also, they get an alert reli- tinue. You can also set break points on specific
ability rating – False Positive, Suspicious, Warning. URLs using the “Break...” right click menu on the
Sites and History tabs. Only those URLs will be
Tip intercepted by ZAP. URL specific break points are
I find it easiest at this point to review the alerts if shown in the Break Points tab.
you expand the Alert tab by double clicking it as in
Figure 4. Anti CSRF Tokens
For each alert a description is provided. You can Another advanced feature of ZAP that is not read-
save your own developer/pentester specific infor- ily available in similar, free versions of tools in this
Figure 4. Alerts tab expanded
01/2012 Page 10 http://pentestmag.com
11. F
R
E
E
area is Anti-CSRF token handling and token gen- was an app built by a developer, for a developer
eration. CRSF vulnerabilities occur by the way that and you can tell. It has subsequently been adopted
browsers automatically submit cookies back to an by an international community of information secu-
issuing web server with each subsequent request. rity professionals.
If a web application relies solely on HTTP cook-
ies for tracking sessions, it will inherently be at risk ZAP – Fully Automated Security Tests
from an attack like this. To conclude this extensive article, I am going to
Anti CSRF tokens are (pseudo) random param- change the context of how we see use of ZAP
eters used to protect against Cross Site Request and show how functional testing can be improved,
Forgery (CSRF) attacks. even fully automated and with adding security in to
They tokens may make a penetration testers job the process. sounds good eh!
hard if the tokens are regenerated every time a Many Web developers use applications like Se-
form is requested. ZAP detects anti CSRF tokens lenium, Webdriver and Watir to test their Web-Ap-
by attribute names – the list of attribute names plications. In this example we are using Selenium
considered to be anti CSRF tokens can be edited to drive the browser. Selenium records your ac-
using the Tools->Options->Anti-CSRF screen. tions in the browser such as mapping, clicking, in-
When ZAP detects these tokens it records the to- puts etc.. and then can re-test doing exactly the
ken value and which URL generated the token. The same tests while you complete iterations of say a
active scanner and the fuzzer both have options web application under development.
which cause ZAP to automatically regenerate the
tokens when it is required. If fuzzing a form with an Seleniumhq.org
anti CSRF-tokens on it, ZAP can regenerate the to- ‘Selenium automates browsers. That’s it. What you
ken for each of the payloads you want to fuzz with. do with that power is entirely up to you. Primar-
If you are a developer testing your own web ap- ily it is for automating web applications for testing
plication make sure the names of your anti-csrf to- purposes, but is certainly not limited to just that.
kens are included in ZAP for ease of use. Boring web-based administration tasks can (and
It’s clear to see that considerable effort has been should!) also be automated as well.
embedded in Zed Attack Proxy by Simon Bennetts Selenium has the support of some of the largest
and Axel Neumann and also the Global communi- browser vendors who have taken (or are taking)
ty of developers and individuals contributing. ZAP steps to make Selenium a native part of their brows-
Figure 5. Example ZAP setup for fully automated regression tests with security testing
01/2012 Page 11 http://pentestmag.com
12. F
R
E
E attack
er. It is also the core technology in countless other ner would be run. The REST API is asynchronous
browser automation tools, APIs and frameworks.’ and the will poll the scanner to see how it has pro-
A build tool such as Apache Ant can control a tool gressed.
like Selenium which will drive the browser. ZAP will detect passive vulnerabilities such as
We can then insert ZAP as a proxy and also drive missing HttpOnly or Secure Cookie Flags where-
zap from the Apache Ant build tool as in Figure 5. as the active scanner finds critical XSS and SQ-
So selenium records and drives a browser with Li other vulnerabilities It is important to remember
ZAP inserted as in intercepting proxy. This can be that there are some types of errors that can not be
very useful for functional and regression tests and found with automated scanning, so its important if
is a very effective way of testing web UI’s. Devel- security is taken seriously in your organisation, to
opers can write test cases to use their apps in the have the security team to have a review and pen-
way they expect users to use them and then imple- etration test of your application.
ment and record and re-test them with Selenium. By using ZAP in this way, the basic vulnerabilities
Regression tests give you a level of confidence in your web application should have been found
that any changes you have made haven’t caused and then are able fixed in the early stages of the
any issues or broken anything. They can’t test ev- development lifecycle.
erything, so you still want QA to give your applica- For more information and a full video example
tion a good independent test. go to Simon Bennetts video tutorial: http//code.
In the above example we would use Apache Ant google.com/p/zaproxy/wiki/SecRegTests.
to control ZAP by the rest api, to kick off things like
spider and active scanner. This gives some lev- Summary
els of automated security testing that you can use If you’re a developer interested in security or a pro-
in your continuos integration. The mapping/spi- fessional pen tester, ZAP definitely has something
der can be set to complete first, then active scan- for you. It is a powerful tool to aid developers and
QA testers with easily integrating security in to the
References SDLC and also serves from beginner up to ad-
Thanks to Simon Bennetts (@psiinon ) and Axel Neu- vanced penetration testers in their line of duty.
man (@a_c_neumann), OWASP, ZAP Guide & Creative
It’s going to take a lot of work to change the cul-
Commons Attribute Share-alike License:
ture of Information Security. It’s a risk management
• https://www.owasp.org/index.php/ZAP project on a grand scale. Get involved, educate,
• https://www.owasp.org/index.php/OWASP_Zed_At- spread the work, take action and help change the
tack_Proxy_Project culture.
• http:///www.owasp.org The extensible architecture and constant devel-
• https://www.owasp.org/index.php/Category:OWASP_
opment of ZAP makes for an exciting future for this
DirBuster_Project
• https://www.owasp.org/index.php/JBroFuzz Open Source project.
• http://samurai.inguardians.com/ For full instructions and a wealth of ZAP informa-
• Justin Searle (@meeas) tion, see the OWASP project page:
Google Summer Of Code 2012 Projects
There are 3 ZAP related google summer of code proj- WARNING Active scans must not be performed on Public
ects: websites
without the owners written permission as it
• Redesign of site crawler with sessions awareness – illegal.
Student: Cosmin Stefan – Org: OWASP – Mentor: Si-
mon Bennetts
• Enhanced AJAX integration – Student: Guifre Ruiz –
Org: OWASP – Mentor: Skyler Onken
• Websocket Testing Tool – Student: robert Koch – Gareth Watters (@gwatters) – CISSP,
Org: Mozilla – Mentor: Yvan Boily CISA, CPTE, MCSE, ITIL
Gareth Watters is an Information
‘This is really great news – its a great opportunity for Security specialist based out of Mel-
the students to work on a high profile security project, bourne Australia.
and ZAP will be significantly enhanced by their work!’ –
Simon Bennetts http://code.google.com/p/zaproxy/wiki/
GSoC2012.
01/2012 Page 12 http://pentestmag.com
13. Virscent Technologies Pvt. Ltd. a Brainchild of a team of IIT Kharagpur Graduates has
Ltd., Graduates,
been Incubated in E-Cell IIT Kharagpur It is an IT Solutions & Training Company,
Cell Kharagpur.
Offering Web, Security and Network Solutions, IT Consulting and Support Services to
ffering
numerous clients across the Globe.
We provide the following services:
a. Penetration Testing
b. Multimedia Services
c. Web Development
d. Training:
a. Corporate Training
b. Classroom Training
c. Training programs for Educational Institutions.
Our Partners:
1. E-Cell IIT Kharagpur
2. Education Project Council of India
Website: www.virscent.com
Blog : www.virscent.com/blog
14. F
R
E
E attack
Wireless Eurynomus
A Wireless (802.11) Probe Request Based Attack
In the recent years, the proliferation of laptop computers and
smart phones has caused an increase in the range of places people
perform computing. At the same time, network connectivity
is becoming an increasingly integral part of computing
environments.
A
s a result, wireless networks of various connect is a simple and one of the most conniving
kinds have gained much popularity. But facility provided by all the clients of wireless Ac-
with the added convenience of wireless ac- cess Points. This feature can also be used to com-
cess come new problems, not the least of which promise a client and the attack is counted as one
are heightened security concerns. When transmis- of the deadliest silent attacks.
sions are broadcast over radio waves, interception
and masquerading becomes trivial to anyone with Target Audience
a radio, and so there is a need to employ additional This attack can affect any of the technical and non
mechanisms to protect the communications. technical users of the 802.11 interface. But the
In this article we want to focus on some of the technical details of this attack require usage of
hidden flaws that were never taken seriously. Auto- Wireshark, a little understanding of packet details
Figure 1. Non-data transfer
Figure 2. Data transfer to the Internet
01/2012 Page 14 http://pentestmag.com
15. F
R
E
E
over wireless and some of the details about the
probe and beacon frames.
Scope Of Attack
This attack is almost new born to the world of wire-
less and the Internet. This attack is fully capable
of creating an intermediate connection between
any client and attacker. Talking about the scope of
this attack, it can be of wide variety. For example
if an attacker walks into a company premises and
just by monitoring the air, he can easily find out the
probes in air and can attack any laptop or he can
attack any smartphone and can collect contact de- Figure 4. Implementation
tails of clients. This is just a simple scenario; cases Hardware And Software Requirements
can be like T.J maxx credit card incident. (http:// To perform this attack, we will need an entire lab
news.cnet.com/2100-7348_3-6169450.html) setup with specific software requirements and
some hardware requirements. Hardware require-
Flow Diagrams For Attacks ments include:
Case -1
Attacker just wants to have connectivity (Non-data • Access point
transfer; Figure 1). In this scenario, the attacker • 2 laptop (1 as attacker and 1 as victim)
just wants to have connectivity over the victim, af- • Wireless card (internal or external)
ter that he might be interested to do some of the • 1 smartphone (optional requirement)
post tasks like launching a Metasploit module or
some of the custom coded exploits. And since the Software requirement
victim is only sending the gratuitous request, he
will only get some connectivity to the attacker’s fic- • Backtrack operating system (4-revision2 or
titious network. After that no data transfer will hap- higher version).
pen because of lack of internet connectivity. • All other required tools are preconfigured in it.
Case – 2 Understanding Probes And Beacons
Attacker wants to have connectivity as well as data When a client turns on its wireless interface, at
transfer to the Internet (Figure 2). In this scenar- the same time the wireless interface starts to send
io, the attacker wants the victim to connect with many probe requests to find if there is an access
the attacker’s machine so he could send the data point available or not. Similarly any access point is
packets to the Internet. In this case he only wants
to monitor the data.
Figure 3. Connecting over the Acess point Figure 5. Probe requests by clients
01/2012 Page 15 http://pentestmag.com
16. F
R
E
E attack
Figure 6. airbase-ng
also sending the beacon frames to show its pres- Figure 8. # ifconfig -a
ence. Once the client gets connected to an access
point, there is a facility provided by different ma- is destined for it or not. This is very similar to pro-
chines to remember that access point. Whenev- miscuous mode over the wired network, used for
er the client comes into the range it automatically the purpose of sniffing. After finding the probes
gets connected. This is simply because the client of the clients, we will create a soft AP or known
is continuously sending probe requests in the air to as virtual AP. A soft access point is created by a
find if any saved AP is available. set of software which continuously sends out the
beacon frames to show all nearby clients about its
Types Of Attacks presence. Since the client is already attempting to
connect to that access point. It will automatically
• IP level connectivity attacks (Metasploit based) connect to the attacker. Now, if a DHCP is running
• Relay the packets to AP (MITM based attacks) over the attacker it will automatically receive an IP
• Depending upon the usage, attacks can be in- or if there is no DHCP is running then client will re-
tegrated and the client is still unknown. ceive an IP of the range 169.xxx.xxx.xxx will sent
gratuitous packets. Once the IP is assigned, the
Attack Scenario tap interface created by soft AP, can have IP level
To understand (Figure 3) this attack, the working connectivity with the client and the best part is that
of the Access Point must be clear. So, what we the client remains unaware of the situation.
are trying to implement is, a client who is not con-
nected to any wireless AP and having his wireless Implementation
interface up and running. The wireless interface al- We have used a BackTrack machine (attacker) and
ways transmits some probe request from its PNL a I-Phone (victim) to implement our attack scenar-
i.e. Preferred Network List. It is just a sense of in- io. A monitor mode interface is being created at the
security and a shocking fact that it is independent top of a wireless interface, this monitor mode inter-
of any AP. First of all we will try to make a moni- face can be easily created by using airmon-ng set
tor mode interface in the air, which can accept all of tools. The wlan0 (wireless) interface is up and
the packets over the air regardless if the packet running (Figure 4).
# airmon-ng start wlan0
Monitor mode enabled on mon0 indicates that the
monitor mode has been created and now we can
monitor the air. To monitor the air, simply airodump
can be used over the mon0 interface. This along
Figure 7. Connection to Hitesh network Figure 9. # ifconfig at0; # ping 169.254.28.3
01/2012 Page 16 http://pentestmag.com
17. F
R
E
E
References • Type/model of wireless cards have been used for te-
sting – an alfa wireless external card AWUS036H se-
[1] www.aircrack-ng.org ries, but anyone can use their laptop inbuilt card
[2] www.aircrack-ng.org/doku.php?id=airodump-ng • Victim can have any operating system like windows
[3] www.wireshark.org/ xp or 7 or even linux machine, the probe request
[4] Interception Mobile Communications, The Insecuri- will always be sent into the air, since this is how the
ty of 802.11 – ISAAC www.isaac.cs.berkeley.edu/isaac/ the wireless auto connect feature works in all ope-
mobicom.pdf rating system. I didn’t tested it on MAC, and cannot
[5] An Overview of 802.11 Wireless Network Security say much about it. Regarding the antivirus that co-
Standards & Mechanisms mes to the post exploitation task, and if any ATTAC-
[6] By: Luis Wong (posted on January 19, 2005) KER wants to have Man In the Middle attack to per-
[7] Remote Access Point/IDS form, then a fully patched (with antivirus and firewall)
[8] By: Jared Kee (posted on April 10, 2012) machine can be compromised. because its the victim
who is trying to connect to us.
Comments • I used a IOS4 – jail breaked version for this experi-
• Type of access point used for testing – a zxdsl router ment purpose.
for this attack as a lab setup, but it will hardly matter Acknowledgment
if you use any other also, since all router broadcast Acknowledgment to Igneustech for providing appropri-
same beacon frames ate equipment and lab environment.
with the AP will also give the details of the clients to send DHCP request and failing so that finally it is
that are associated or trying to associate with the getting an IP range 0f 169.xxx.xxx.xxx.In the mean
network in the surroundings (Figure 5) while one can also set a DHCP and can easily trans-
fer the packets to the Internet via its bridge interface
# airodump-ng mon0 and can perform Man In The Middle Attacks. Now
the final step is to just up the at0 interface and set
After finding the probe request name, the attacker the ip of the same range and same subnet that can
can easily create a soft AP or virtual access point be easily done with the ipconfig utility (Figure 8)
with any of the bssid as well as any essid. Here
I have used an essid of name Hitesh just for the # ifconfig -a
sake of example.
Finally the proof of the IP level connectivity, Post
# airbase-ng -a <bssid> -e <essid/name> mon0 that one can easily launch some Metasploit mod-
ules or other various set of attacks (Figure 9).
The Airbase set of tools has got a lots of options,
it can send responses to any of the probe re- # ifconfig at0
quests that client is transmitting via its radio but # ping 169.254.28.3
for the sake of simplicity we have used this sce-
nario. The interesting thing about this soft AP is Hitesh Choudhary
that it also creates a tap interface. It’s little basic Hitesh Choudhary is a Jaipur based eth-
that our access point always have 2 cards in it, ical hacker serving free to Rajasthan
one is wireless and other is for wired interface. police to handle cyber crimes as well as
This tap interface is the same clone of wired in- pursuing his wireless research at M.I.T. ,
terface named as at0. (Figure 6). As a result of California. He has completed his RHCE,
this client will automatically get connected to this RHCSA, CEH and various other security
“hitesh” network since there is no DHCP running certifications.
over the attacker machine (Figure 7).
The client will get an IP address of the range 169. Pankaj Moolrajani
xxx.xxx.xxx and will try to send gratuitous packets. Pankaj Moolrajani is Jaipur based se-
One can also use these packets as an ARP packet curity researcher at Igneustech. He is
to send it back to the IP. So, there is can be attack at RHCE & RHCSS Certified.
every phase. One can also verify this by using Wire-
shark and capturing each and every packet. These
packet will show that client is again and again trying
01/2012 Page 17 http://pentestmag.com
18. F
R
E
E attack
Securing Users
from Phishing, Smishing & Social Media Attacks
Some experts believe one of the best solutions to thwart phishing
attacks is end-user training, but can we really train every computer
user to be sufficiently security literate? Will it ever be the case that
anyone can distinguish a phishing message from a genuine
bank email?
T
he volume of phishing attacks has in- attains financial or personal login details that can
creased, as have their variety and sophis- be used to commit fraud or theft. Of course, it was
tication. Even security experts struggle to only a matter of time before people caught on to
identify some of the fakes. The phishers cast their email scams. Users read again and again not to
rods farther and with more efficiency than ever be- click on such links. Mail solutions became better
fore. They can easily download phishing site cre- at spotting phishing emails and filtering them into
ation tools and produce convincing messages and a junk email folder. Even free Web mail providers
pages. Expecting an average PC user to beat now catch the majority of these attacks.
these guys without any help is tantamount to pit- Once cybercriminals noticed their tradition-
ting an average golfer against Tiger Woods. al phishing approaches were returning lower re-
It can seem at times the only people who like sponse rates, they rapidly adjusted to new medi-
change are Internet attackers. And they don’t just ums. As a result, a new trend emerged: smishing
like it – they need it. Technology’s rapid chang- (social media phishing and SMS phishing) became
es give cybercriminals new attack vectors to ex- the new trend in cyber attacks.
ploit, and new ways to turn a profit out of someone The underlying concept is the same, but the at-
else’s misfortune. tack mechanism is different. Instead of targeting
Internet attackers have made a profession out users via email, cybercriminals use social media
of rapid change of a multitude of factors – attack messaging and text messaging advertising to lure
vector, sophistication, volume and approach. The victims.
malware market has been monetised and we are For hackers, it’s the perfect opportunity. They can
seeing the strongest ever driving forces to come cheaply buy lists of Facebook login details, hack in-
up with new approaches to beat security products to users’ accounts, and send personal-looking mes-
and users common sense. sages to an individual’s entire friend list. The majority
For example, take phishing. The concept is sim- of users are more trusting of a post from a friend than
ple: Send an email disguised as a message from a suspicious email in their in-box, making smish-
a bank, PayPal, or UPS. Wait for the user to click ing more effective at luring users to phishing sites.
a link in the message, and enter their private de- We seem to take phishing attacks for granted
tails into a phishing site, and presto! The attacker these days, in much the same way that we’ve ac-
01/2012 Page 18 http://pentestmag.com
19. F
R
E
E
cepted spam as a natural, and inevitable, by-prod- ple into losing their wallet at Three-card Monte. We
uct of email. Some experts believe one of the best let curiosity get the best of us, and at times can be
solutions to thwart phishing attacks is end-user gullible. Like street hustlers, cybercriminals aren’t
training, but I doubt training alone is a viable solu- afraid to experiment with hacking our inclinations
tion. Can we really train every computer user to be (or, as many security experts call it, social engi-
sufficiently security literate, such that anyone can neering). The volume of phishing attacks has in-
distinguish a phishing message from a genuine creased, as have their variety and sophistication.
bank email? I doubt its possibility, especially given Even security experts struggle to identify some of
how specific the details in spear phishing (phishing the fakes.
targeted at specific people and/or companies) at- The phishers cast their rods farther and with more
tacks have become. efficiency than ever before. They can easily download
It used to be that thieves could satiate their hunger phishing site creation tools (yes they exist) and pro-
for evil (and money) merely through the emulation of duce convincing messages and pages. Expecting
a consumer bank or a PayPal login screen. While an average PC user to beat these guys without
these low-hanging-fruit scams show no signs of any help is tantamount to pitting an average golfer
abating, even following major busts of phishing against Tiger Woods (albeit a few years ago; no of-
rings, we’ve seen new types of phishing attacks fense, Tiger). The criminal’s job is to create online
that wear the mask of a Web security product, scams that work, and the returns on their invest-
persuading users to follow through on fake spam ments are huge. Why would we expect non-crim-
quarantine messages, or security update alerts, inally-minded users to be more adept at spotting
sometimes using the name of real vendors. It’s all scams, than scammers are at reeling in the users?
very plausible. Technology has to step up its game. We need to
Unfortunately, the average user is not a trained continue to make it harder and less lucrative for
security expert – and why should he or she be? online scammers to do their “jobs.” That’s really
Criminals lure users into phishing and email scams the most effective way to stop phishers from at-
in much the same way street cons lure some peo- tacking our end users.
a d v e r t i s e m e n t
20. F
R
E
E attack
Phishing is a good example of how the Cy- to all linked friends of the individual, sending a
bercriminal utilises Social Engineering tech- ‘have you see this site’ message, an advert or
niques combined with technology to grift mon- simply a link to a fake site. Users are lulled into
ey from an innocent Internet bystander. Send an a greater trust of the message, having not been
email to the victim purporting to be from some- use to receiving this sort of message in this new
one else, be it a bank, paypal or from a spy- more trusted medium.
ware infected machine disguising the email in the SMS Phishing involves criminals switching their
form of a genuine email from a friends address. attacks to target a weaker link. Users are constant-
Wait on the susceptible user to click on it believ- ly educated to maintain suspicion when opening
ing it to be genuine, enter their private details into messages in email on a PC device and typical-
a fake site and hey presto the attacker has hood- ly have security software running on these ma-
winked you and has financial or personal login de- chines, be it antivirus, spyware protection, firewalls
tails of yours. The average phishing site that stays and other mediums of protection. Users have be-
online for an average of 5.9 days does enough come rapidly more mobile and take for granted the
damage to afford change (stat from APWG.com – ability to now access the internet from devices oth-
the Anti-Phishing Workgroup). er than their PC. Text messaging has become a
Users have read again and again in articles, ‘taken for granted’ communications medium with
in warnings on bank sites, in email services and many youngsters sending/receiving upwards of
from friends not to click on such links, but they still 100 messages a day.
do! Mail solutions have gotten better at discerning Attackers have found ways to send masses of
Phishing attacks and putting them correctly in to automated and believable looking text messages
anti-spam filters. Even in free webmail solutions to users including URL links for the user to view.
Phishing attacks are put into the junk folder the Major PC based web browser software now has
majority of the time. So users believe the Phish- phishing protection built in to alert the user to sus-
ing mails won’t reach them and they think twice picious sites, and users generally can hover over
before they click on a suspicious email. a link to display the true web site, but on mobile
So have the criminals sat on their laurels!? When phones we are not seeing the same browsers, the
they noticed the traditional Phishing approaches same versions nor the same protection levels to
returning a lower response rate they rapidly ad- help users avoid malicious fake sites.
justed to new mediums and we now have this new So user beware, what you see may not always
format of Smishing with two definitions, both harm- be what you get, particularly in the world of the cy-
ful and both sophisticated enough to be impacting ber transaction. When you see a message from
users. Variously termed as meaning Social Media someone you think you know, don’t assume it was
phishing or SMS Phishing they are both a progres- them who sent it from their account, look once,
sion of attackers approaches. think twice before you click, whether it be an email,
Social Media Phishing means instead of a social media message or a text message!
sending the advert, fake link, or message in
email they are utilising social media messag- IAN MOYSE
ing and advertising to direct the user through to Ian Moyse has over 25 years of ex-
their fake site location. Getting a posting on- perience in the IT Sector, with nine
to your Facebook page for example or receiving of these specialising in security For
a Social Media message seemingly has more trust the last 8 years he has been focused
equity with users than email, with users believing in Cloud Computing and has be-
fakes only come to them in email as Spam. On So- come a thought leader in this are-
cial web sites they seemingly have entered into a na. He now holds the role of Sales Di-
different mindset of trust. rector at Cloud CRM provider Workbooks.com. He also
You can cheaply buy lists of Facebook login de- sits on the board of Eurocloud UK and the Governance
tails on the web – for example a recent site was Board of the Cloud Industry Forum (CIF) and in early
seen offering 1000 facebook account login de- 2012 was appointed to the advisory board of SaaSMax.
tails for L16.50, very affordable at the worst of He was named by TalkinCloud as one of the global top
times. With such easy ammunition it’s not a big 200 cloud channel experts in 2011 and in early 2012 Ian
step for someone to utilise each of these ac- was the first in the UK to pass the CompTIA Cloud Essen-
counts and to send personal looking messages tials specialty certification exam.
01/2012 Page 20 http://pentestmag.com
21. scanning isn’t enough
Cyber Security Auditing Software
Device Auditing Scanners Nipper Studio
• Device information remains Audit without Network Traffic
confidential
Authentication Configuration
• Settings that allow you to hide Authorization Configuration
sensitive information in the Accounting/Logging Configuration
report
Intrusion Detection/Prevention Configuration
• Low cost, scalable licensing Password Encryption Settings
• Point and click GUI or CLI Timeout Configuration
scripting Physical Port Audit
• Audit without network traffic Routing Configuration
VLAN Configuration
Network Address Translation
It was refreshing Network Protocols
to discover Nipper and
to find that it supported so many Device Specific Options
devices that Cisco produces. Time Synchronization
Nipper enables Cisco to test
these devices in a fraction of Warning Messages (Banners) *
the time it would normally take Network Administration Services *
to perform a manual audit. For
many devices, it has eliminated Network Service Analysis *
the need for a manual audit to Password Strength Assessment *
be undertaken altogether.
Software Vulnerability Analysis *
Cisco
Network Filtering (ACL) Audit *
Business Benefits to Cisco
Wireless Networking *
• Nipper quickly produces
VPN Configuration *
detailed reports, including
* Limitations and constraints will prevent a detailed audit
known vulnerabilities.
• By using Nipper, manual Nipper Studio reduces manual auditing time by quickly producing a consistent,
testing has been altogether clear and detailed report. This report will;
eliminated for particular 1. Summarize your network’s security
Cisco devices.
2. Highlight vulnerabilities in your device configurations
3. Rate vulnerabilities by potential system impact and ease of exploitation
(using CVSSv2 or the established Nipper Rating System)
Multi-Platform Support for 4. Provide an easy to action mitigation plan based on customizable settings
that reflect your organizations systems and concerns.
5. Allow you to add previous reports and enable change tracking functionality.
You can then easily view the progress of your network security.
for free at
www.titania.com
enquiries@titania.com
T: +44 (0)845 652 0621
22. F
R
E
E Cyberwar
Digital Apocalypse
The Artillery of Cyber War
Cyberspace is now the digital frontier of choice for executing many
combat operations, by extending the medium in which greater levels
of power can now be accessed by Machiavelli agents, militants and
nation-states. Squads of cyber militants going under the banner of
Anonymous and LulzSecare, motivated by the ease in which they can
now execute high impact operations whilst avoiding detection, are just
a few of the much publicised names synonymous with cyber terrorism.
T
he multi-dimensional characteristics of cy- the world is really prepared for the possibility of a
ber space have dissolved the boundaries “digital apocalypse”. Throughout the analysis this
between digital landscape and physical se- paper aims to emphasise that deterring Cyber War
curity, facilitating cyber-attacks that produce dev- is the key to addressing this challenge.
astating impacts to critical infrastructure, as well as
Corporate and Government assets. Cyber Warfare – A Definition
Global security experts face the challenge of at- Over the past few decades experts and academics
tempting to develop techniques to deter and prevent have explored whether the possibility of a Cyber
these global threats. This challenge is complicated War was in fact a plausible threat. Early pioneers
further by the rate at which the digital paradigm con- navigating through this new landscape had con-
tinues to evolve at a rate which is often considerably jured up post-apocalyptic visions of the impact of
faster than the ability to keep up with these develop- Cyber War, bearing resemblances to scenes from
ments. This disparity has, unsurprisingly, created an a science fiction film. Today, Cyber War is no lon-
impression, shared throughout the cyber communi- ger being examined from a theoretical perspective,
ty, that implementing strategies to control the digi- as these dynamic threats have emerged through-
tal domain has become unachievable. As a result of out the global systems and networks. Experts are
these challenges and many others, Cyber Warfare no longer debating the possibility of Cyber War but
is set to be one of the greatest challenges posed to what can be done to stop these threats.
the 21st Century. Despite the widespread acknowledgement of
This article will examine the characteristics of Cyber War, the definition of these threats remains
Cyber War operations in order to clarify the ambi- under scrutiny. Experts such as Bruce Schneier
guities surrounding these concepts. Such an ex- have stated that many definitions of Cyber War in
amination is necessary in order to ensure that the current circulation are flawed as they confuse a
components of Cyber War are not confused with in- range of other computer security related concepts
terrelated disciplines such as Information Warfare. such as Information Warfare, Hacking and Net-
Real world examples of Cyber Attacks will then be work Centric Warfare. In order to, clarify ambigui-
discussed in order to assess the “nuts and bolts” ties surrounding Cyber War, for the purpose of this
of cyber-attack operations and to examine whether discussion, Cyber War is defined as:
01/2012 Page 22 http://pentestmag.com
23. F
R
E
E
worm. First launched in to the digital landscape in
“Internet-based conflict involving politically motivated at- June 2009, Stuxnet has become one of the heavily
tacks on information and information systems. Cyber war- scrutinised, real world examples of Cyber Warfare
fare attacks can disable official websites and networks, dis- attacks, with global security and technology com-
rupt or disable essential services, steal or alter classified da- munities still struggling to fully comprehend the com-
ta, and cripple financial systems – among many other possi- plexities of its design almost two years on since its
bilities.” (Rouse, 2010) initial release. Stuxnet’s international attention has
been achieved from the sheer sophistication in de-
For the purpose of this discussion, the focus of sign which is composed of a comprehensive array of
Cyber War conflicts will be examined in terms of attack exploits and covert methods for avoiding de-
its impact to the physical realm, in particularly to tection. Stuxnet is the magnum opus in the malware
its impact to critical infrastructures. hall of fame.
The Stuxnet worm infects computers running
The First Warning Shots Windows OS, and is initially distributed via USB
Recorded examples of the impact of cyber-attacks drives thereby enabling it to gain access to sys-
on critical infrastructures have been around for over tems logically separated from the Internet. Once
a decade. One of the earliest cyber-attacks on criti- access has been gained it then orchestrates a va-
cal infrastructure took place in January 2000, in riety of exploits from its toolkit designed to specifi-
Queensland, Australia. Where a disgruntled former cally target vulnerabilities its intelligent design is
employee at a manufacturing company hacked into able to identify in the target host.
the organisations computer, using privileged knowl- Stuxnet’s artillery includes uses an array of ex-
edge of the system, and took control of the Super- ploit methods, meticulously designed to circumvent
visory Control and Data Acquisition (SCADA) sys- the logical sequence security measures, one lay-
tem. The protagonist was able to maliciously attack er at a time. Exploits included Stolen Digital Cer-
the system causing physical pumps to release raw tificates, Rootkits, Zero-Day Exploits, methods for
sewage, producing a considerable amount of dam- evading Anti-Virus detection, hooking codes, com-
age. Although this attack is not constituted as cyber plex process injections, network injection, to name
warfare, it demonstrated the possibility for a digital a few. These exploits however do not affect just any
attack to create a detrimental financial impact and old computer, aside from propagating further. The
create havoc on critical infrastructures. Since this extraordinarily designed piece of malware has one
time, there have been a number of attacks classed solitary target in mind – Industrial Control Systems/
as acts of cyber war, such as the 2007 attacks, Supervisory Control and Data Acquisition* (ICS/
launched against the Government of Estonia. In SCADA) and attached computer systems. With a
this example, attackers utilised a variety of different specific ICS/SCADA being targeted in Iran, Stux-
attack methods such as Denial of Services (DoS), net reprograms the Programmable Logic Controller
website defacement and other malware. This was (PLC), made by Siemens, to execute in the manner
one of the earliest examples demonstrating the in- that the attack designers have planned for them to
creased level of sophistication of cyber-attacks to operate within.
be launched against a nation-state. * Bruce Schneier argues that Stuxnet only targets ICS and press re-
leases have mis-referenced Stuxnet to also target SCADA “is technical-
The Digital Artillery ly incorrect”. For further details refer to: http://www.schneier.com/blog/ar-
The arsenal of a Cyber War attack consists of the chives/2010/10/stuxnet.html
usual suspects, such DoS, attacks on DNS infra-
structure, anti-forensic techniques, and wide-scale While experts are still dissecting Stuxnet, it is ap-
use of Worm, Zombies, Trojan and clichéd meth- parent that the creation is the work of a team of
ods of electronics attack. However Cyber War rep- highly skilled professionals. Some estimates
resents much more than a DoS attack. When as- have stating that it would have taken a team of 8
sessing state-of-the-art Cyber War Artillery, one – 10 security experts to write over the course of
name comes to mind – Stuxnet. 6 months (Schneier). Many are referring to Stux-
net’s creation as a “marksman’s job” due to its tar-
State-of-the-Art: Stuxnet geted approach and expert precision.
The ultimate state-of-the-art weapon identified in Given Stuxnet is considered to be one of the
the cyber warfare arsenal, so far, is the Stuxnet greatest malware masterpieces the temptation
01/2012 Page 23 http://pentestmag.com
24. F
R
E
E Cyberwar
to examine its architecture in greater detail could The attack vector used is based on the operating
not be resisted. Symantec’s “W32.Stuxnet Dos- system of the compromised computer. If the oper-
sier Version 1.4” provides a detailed analysis de- ating system is Windows Vista, Windows 7, or Win-
lineating the technical attributes composed with- dows Server 2008 R2 the currently undisclosed
in Stuxnet and this 69 page document created Task Scheduler Escalation of Privilege vulnerabil-
by members of their Security Response Team ity is exploited. If the operating system is Windows
is used as the basis for the following examina- XP or Windows 2000 the Windows Win32k.sys Lo-
tion. The full array of technical features is outside cal Privilege Escalation vulnerability (MS10-073) is
of the scope of this article so a brief overview of exploited.
Stuxnet’s architectural components will be sum-
marised below. Load Points
Stuxnet loads the driver “MrxCls.sys” which is digi-
Breaking Down Stuxnet tally signed with a compromised Realtek certificate
The Core – .DLL files (which Verisign previously revoked). Another ver-
At the core of Stuxnet is a large .dll file containing an sion of this driver was also identified to be using a
array of resources, diverse exports as well as en- digital certificate from JMicron.
crypted configuration blocks. In order to load these The aim of the Mrxcls.sys is to inject copies of
.dll files, Stuxnet has the capability to evade detec- Stuxnet into specific processes therefore acting as
tion of a host intrusion protection programs which the central load-point for exploits. Targeted process-
monitor any LoadLibrary calls. These .dlls and en- es include – Services.exe; S7tgtopx.exe; CCPro-
crypted configuration blocks are stored in a wrapper jectMgr.exe.
referred to as the ‘stub’. Two procedures are then
employed to call Exported function. Extract .dll is The Target: Programmable Logic Controllers
then mapped into memory module and calls one of We now arrive at Stuxnet’s ultimate goal – in-
the exports from mapped .dll. A pointer to the stub is fecting Simatic’s Programmable Logic Controller
then passed as a parameter. Stuxnet then proceeds (PLC) devices. Stuxnet accomplishes this by load-
to inject the entire DLL into another process, once ing blocks of code and data (written in SCL or STL
exports are called. Injecting processes can include languages) which are then executed by the PLC in
existing or newly created arbitrary process or a pre- order to control industrial processes. In doing so,
selected trusted process. Stuxnet is able to orchestrate a range of functions
such as:
The Process of Injection
Targeted trusted processes are directed at a num- • Monitoring Read/Writes PLC blocks
ber of standard Windows processes associat- • Covertly masks that the PLC is compromised
ed with a range of security products, including – • Compromise a PLC by implementing its own
McAfee (Mcshield.exe); Kaspersky KAV (avp.exe); blocks or infecting original blocks.
Symantec (rtvscan.exe); Symantec Common Cli-
ent (ccSvcHst.exe); Trend PC-cillin (tmpproxy.exe) The Grand Finale
to name a few. Stuxnet then searches the registry Now that Stuxnet has finally exploited the PLC
for any indication that McAfee, Trend PC-cillin or it has achieved it has reached its final destina-
Kaspersky’s KAV (v.6-9) software is in operation. tion. Where Stuxnet is then able to execute its
If Stuxnet is able to identify any of these technolo- final exploits which is to slow down or speed up
gies it then extracts the version which is used to frequency motors. For example when the fre-
target how to process injections or whether it is un- quency of motor is running between 807Hz and
able to by-pass these security products. 1210Hz, Stuxnet adjusts the output frequency
for shorter periods of time to 1410Hz and subse-
Elevation of Administrative Access Rights quently to 2Hz and then back to 1064Hz. These
Another feature of Stuxnet is in its ability to elevate frequencies are typically used by centrifuges in
access rights to run with the highest level of privi- uranium enrichment plants. Ultimately Stuxnet is
leges possible. Stuxnet detects the level of privi- designed to destabilize ICS/SCADA by chang-
leges assigned to it and if these are not Admin- ing the speeds in uranium centrifuges to sabo-
istrative Access Rights it then executes zero-day tage operations, with the potential for devastat-
privilege escalation attacks, such as MS10-073. ing consequences.
01/2012 Page 24 http://pentestmag.com
25. F
R
E
E
Little Brother – Duqu • Like Stuxnet, Duqu’s utilities include stolen
In the September of 2011, researchers at the Bu- signing certificates for signing drivers stolen
dapest University’s Laboratory for Cryptography from a company in Taiwan, with an expiry date
and System Security (CrySyS) made the alarming of August 2nd 2011. These certificates were
discovery of a Trojan resembling Stuxnet. Their later revoked on October 14th 2011.
fears were confirmed after dissecting this new
threat revealed components were close to being The resemblances in design of Stuxnet and Duqu
identical to Stuxnet indicating that the writers were indicate that they were most likely developed by
indeed the same authors, or persons with access the same authors. Kaspersky Lab’s Analysts ex-
to the source code of Stuxnet. They labelled this amining the source code of both programs state
new threat “Duqu” due to its design in which it cre- that – “We believe Duqu and Stuxnet were simul-
ates file names with the prefix ~DQ. taneous projects supported by the same team of
Duqu is a remote access Trojan designed to developers”.
steal information from the victim machine and is
designed to act as a precursor to a future mal- The Launch Pad – Tilded
ware attack, similar to the Stuxnet operation. How did Stuxnet and Duqu manage to launch
Duqu is designed to act in much the same way some of the most effective cyber-attacks on re-
as a reconnaissance agent gathering intelligence cord so far? The “launch pad” for this cyber artil-
from a variety of targets, and like Stuxnet; Duqu’s lery goes by the name of Tilded.
primary targets are industrial infrastructure. Da- The Tilded platform is modular in nature and is
ta sources collected by this Trojan include design designed to conceal the activities of malicious soft-
documents, keystrokes records and other sys- ware by employing techniques such as encryption,
tem information. Once this intelligence has been thereby evading detection by anti-virus solutions.
gathered by the Trojan, it is then returned to the By utilising the Tilded platform developers of cy-
command and control servers, over HTTP and ber weapons can simply change the payload, en-
HTTPS, positioned across global locations such cryption techniques or configuration files in order
as China, Germany, Vietnam, India and Belgium. to launch any number of exploits against a range
This information can then be used by Duqu’s cre- of targets. File naming conventions used by Til-
ators to then launch a premeditated cyber assault ded’s developers employed the Tilde symbol and
against the designated target. By default Duqu is the letter “d” combining the two resulted in adopt-
designed to operate for a set period of time (either ing the name – Tilded. The Tilded team of develop-
30 or 36 days depending on the configuration). ers however still remain unknown.
After which the Duqu will automatically remove it- What we do know about Tilded is that it has un-
self from the system. A comparison of Duqu and dergone significant changes since its inception in
Stuxnet demonstrates: 2007 with subsequent revisions created through
to 2010. The researchers at Kaspersky have been
• Duqu’s executables were created using the able to confirm that a number of projects were
same source code as Stuxnet. undertaken between this period where programs
• Duqu’s payload resembles no similarity to that based on the “Tilded” platform were circulated in
of Stuxnet. Duqu’s payload is written with the cyberspace, Stuxnet and Duqu being two exam-
intention of conducting remote access capabil- ples. While other researchers have indicated an-
ities whereas Stuxnet’s payload is designed to other variant exists, the Stars worm (also target-
sabotage an ICS/SCADA. ing ICS/SCADA systems) resembles Stuxnet. How
• Duqu’s Payload aims to capture keystrokes many other programs have also been created but
and system information rather than modify tar- may not yet have been detected remains to be de-
get systems. termined. What is clear is that as Tilded and simi-
• Duqu (being a Trojan) do not contain any self- lar programs continue to develop, we will see en-
propagation capabilities as found in worms like hanced prototypes being catapulted into the digital
Stuxnet. limelight.
• Duqu in one example is distributed by attack-
ers using specially crafted email containing a Are We Prepared for a Digital Apocalypse?
word document which exploits an unpatched On the May 6th 2012, the US Department of
0-day vulnerability to Homeland Security reported that a major Cy-
01/2012 Page 25 http://pentestmag.com