Security kaizen consumerization

April/June 2011 . 2nd Issue

Editor's Note
After the release of our first issue, we received a lot of positive feedback, a lot of improvement ideas and a lot of reviews. People wanted to help make Security Kaizen magazine a better magazine, wanted it to be one of the top information security magazines in the world.

To be honest, I didn't expect that we would have that success in such a short period, nor did I expect that one day I'd appear on Egyptian TV to talk about our initiative and our magazine.

So I want to attribute our success to all my readers: anyone who contributed an article or even a small comment, everyone who criticized our work; all of you guys were a huge help to us. I still have a lot of people to thank for their help in the last couple of months, but the space won't allow me to do that. So thanks, everyone, we wouldn't have made it this far without you.

As I said, we are always kaizenning our magazine, and due to the tons of requests we received, a new version of the magazine will be released in Arabic to cover more readers in the Arabic countries. Also, Security Kaizen magazine was able to get special offers for our readers at various worldwide conferences; you can check more details about that through the magazine or on our website.

Finally, this was just a start and we are always eager to kaizen, improve and reach new horizons. We still need more volunteers from all countries, so join us and be part of our Security Kaizen.

Chairman & Editor-in-Chief: Moataz Salah
Editors: Fady Osman, Brad Smith, Omar Sherin, Osama Kamal, Amr Thabet, Ahmed Saafan, Vinoth Sivasubramanian, Paul de Souza, Mohamed Enab
Language editors: Salma Hisham, Salma Bakr, Lobna Khaled
Graphic Design: Mohamed Fadly
Web Site Design: Mariam Samy

Security Kaizen is issued every 3 months. Reproduction in whole or part without written permission is strictly prohibited. All copyrights are preserved to www.bluekaizen.org.

For advertisement in Security Kaizen magazine and the www.bluekaizen.org website:
Mail: Info@bluekiazen.org
Phone: 010 267 5570

Contents
Egypt | The First Cyber Revolution (p. 4)
Grey Hat
Types of SQL Injection (p. 10)
Phone Owning (p. 12)
Stuxnet: and the truth shall set you free (p. 16)
A visit to RSA Conference (p. 18)
Electronic Voting | Security Challenges (p. 20)
An Interview with Clement Dupuis (p. 22)
Rootkits: A Deeper Look (p. 26)
Password Crack (p. 30)
Best Practice
A Simplified Approach to Achieve Security in a Consumerized Environment (p. 34)
Cyberspace as a War Fighting Domain (p. 38)
EGYPT | The First Cyber Revolution
The Full True Story on How Egypt Shut Down the Internet for 5 Whole Days

No one, not even Mark Zuckerberg, the founder of Facebook, nor Jack Dorsey, the founder of Twitter, had imagined that one day their websites would help in a country's revolution, take down a president or change a regime.

Egypt's well-educated youth, whose sole dream is to see Egypt a better country, led peaceful demonstrations on the 25th of January 2011, which is the National Police Day, against injustice and the suppression of freedom. On the 11th of February 2011, Hosny Mubarak finally declared his resignation as President of the Arab Republic of Egypt.

Just to give you a few examples of people who joined the revolution: Wael Ghoneim (EMEA Marketing Manager of Google), who was arrested by the police on the third day of demonstrations; Dr. Ahmed Zewail (Egyptian Nobel Prize winner in Chemistry); Dr. Mohamed ElBaradei (former Director General of the International Atomic Energy Agency); and many Egyptian celebrities.

What is unique about this revolution?

It will be recorded in history that Egypt's revolution was the first cyber revolution in the world. On the first three days, protesters used their smart phones, BlackBerries or iPhones to guide the demonstrations. It all started with Facebook. Then Twitter played a very crucial role in guiding demonstrators through the streets, to regroup themselves after being dispersed by security agents, either by water, tear gas or real bullets.

By the end of the first day of the revolution, Tuesday 25th of January, Egyptian Intelligence banned access to Twitter from inside Egypt. They also banned some online opposition newspapers like El-Dostor. But that didn't stop Egyptians from accessing Twitter and those websites using different proxies, and within a few minutes a series of proxies and ways to get around the ban were shared among Egyptians. Egyptian hackers quickly reacted to those actions by attacking the website of El-Ahram (one of the main Egyptian government newspapers) and that of the Ministry of Interior Affairs using DDoS (Distributed Denial of Service) attacks.

We won't continue talking about the revolution and its political development; you can go back to the news for more information. We will now concentrate on the technical part and our view regarding what happened later, with respect to cutting all means of communication across Egypt.
By the second day, Wednesday 26th of January, Facebook usage was blocked in some areas, especially in El-Tahrir Square (Liberty Square), where most protesters gathered. Facebook was totally banned on the third day (Thursday 27th of January) of the protests. During those three days, the situation was a real war between the Government and the protesters, on the streets and on the web.

On Friday 28th of January, in the early morning (Friday is the weekend in most Islamic countries), the following communication services were down:
● All mobile phone communications (voice calls, mobile internet, SMS, etc.), i.e. Egypt's three operators were down completely with all their services
● All internet connections by all providers (ADSL, dial-up, etc.)

To summarize the situation, all means of communication were down, except land line phones.

How was the Internet cut?

In order to know how the Internet was cut in Egypt, we first need to know the physical hierarchy of the Internet in Egypt. We will try to simplify the details as much as possible so that readers with no telecommunication background can easily grasp how it works.

Different countries are connected together using a network of optical fibers with very high bandwidth, in seas and oceans. Check figure 1.

Figure 1: Submarine cable disruption map

For Egypt, all international lines have two landing points (Alexandria and Suez). For example, the SEA-ME-WE4 line is the line which connects South East Asia, the Middle East and Western Europe, and it carries telecommunications between Singapore, Malaysia, Thailand, Bangladesh, India, Sri Lanka, Pakistan, United Arab Emirates, Saudi Arabia, Sudan, Egypt, Italy, Algeria and France.

The bandwidth of international lines is sold to ISPs and companies as requested, and then distributed across Egypt using Telecom Egypt cables, which are the only cables available! This is done through what is known as a POP (point of presence). The bandwidth is then distributed to the home end-users or companies. Check figure 2 for the Internet hierarchy in Egypt.

Figure 2: Internet hierarchy in Egypt. Labels in the diagram, top to bottom: International Cables in Alexandria (SEA-ME-WE4/Flag); Telecom Egypt (switching & testing rooms); Telecom Egypt lines to ISP1 room, ISP2 room and Companies; Core POP1, Core POP2, Core POP3; Edge PoP1; Services to users in PoP1.

Therefore, in order to cut the Internet across Egypt you have more than one option:
● The Egyptian Government can disconnect all the lines from the source (here the landing point of international cables is Alexandria). But this would disconnect all the lines connecting Egypt to the outside world, and that was not the case; only 88% of the Internet usage in Egypt was down and nearly 12% was still working. So this option was not likely to have been used.
● Authorities can intimidate the ISPs into shutting down the services to users. This was clearly published by Vodafone: some Egyptian security agencies ordered them to shut down all mobile services. Shutting down the Internet from the ISP's side can be done in many different ways according to every ISP's network design, but the easiest way is to withdraw their Border Gateway Protocol routes (BGP is the protocol used by border routers to exchange reachability information between different autonomous systems), and most probably this is what happened with most ISPs.
● If the ISP refused to cut the service (as in Nour's case), the Government can cut the service by itself through the Telecom Egypt POPs. But in Nour's case, which is not a residential provider and most of whose customers are big companies, Egyptian security agencies accepted or agreed not to cut the Internet for Nour customers. That made TEdata and Linkdot net, the biggest service providers in Egypt, complain that Nour was still working and that this may affect their business; that's why Nour was also taken down on Monday, by Telecom Egypt and not by Nour engineers. So Nour was down for a business reason, not for a security reason.

Why were the Internet and mobile communication cut?

What happened by the end of Friday explains why Egyptian Intelligence cut all communications in the country. This day was named the Friday of Anger: millions of people went out in the streets, and the highest number of dead people was reported on this day as well.

Egyptian Intelligence uses a solution called NarusInsight. The NarusInsight Solution for Intercept, as narus.com says, "delivers unmatched flexibility to intercept IP communications content and identifying information, enabling law enforcement and government organizations around the world to effectively gather evidence of illegal activity in the multifaceted world of IP communications."

NarusInsight can monitor users' traffic, including collecting their mails, chats and other data. Built on the NarusInsight Traffic Intelligence System, the NarusInsight Solution for Intercept passively monitors multiple links on the network. It monitors each packet on the network link and analyzes it against a target list input by the providers or directly by a law enforcement agent. If the packet matches the target criteria, it is captured for formatting and delivery to storage, law enforcement or directly to optional content rendering and analysis tools.

Egyptian Intelligence or National Security knew that a lot of people would gather on this Friday, and they knew from the last 3 days how they organized themselves using Twitter, Facebook and SMS services. And maybe they also knew more than that! Whatever they knew, the decision was taken to cut all communications, including all the Internet and mobile facilities.

But unfortunately this was the most stupid decision, because people who were at home, waiting for brothers, sisters, relatives and friends to come back, couldn't communicate with them. They couldn't call their friends, couldn't connect to the Internet to know their latest activities on social media, and couldn't even send a single SMS! So more people went out in the streets, maybe not to protest but merely to show their anger at this decision.

Was the Internet 100% cut across Egypt?

The answer is NO. According to most statistics, nearly 88% of the Internet connections were down. What about the remaining 12%? Well, we have different cases, for example:
● Nour was the only service provider that kept working for 3 days out of the 5 days (they were down only for 2 days, Monday and Tuesday, while the Internet was back across Egypt on Wednesday).
● All international MPLS lines were working fine, so companies who had MPLS lines through any provider were working the whole 5 days.
● One of the solutions was to use the international land line to dial up an external service provider in France or any other country using a dial-up modem, but this costs a lot, of course.
● Another solution was to have a satellite connection; this way you won't pass through Telecom Egypt lines, but again this solution is very expensive and still not reliable for huge companies, though it is better than nothing.

Conclusion

This story gave us some facts that don't exist only in Egypt but in most countries that use the Internet:
● Internet traffic is monitored, especially social media networks, and this can be checked in the customers part of www.narus.com, where you will find that nearly 1/3 of their customers are countries' governments.
● Today, social media networks are not used only for connecting with friends or for business marketing; they can be used in issues affecting whole countries: revolutions, wars, etc.

This story also gave us some questions, for which we hope to find answers:
● At which level do governments have the right to control essential life facilities, like communications, electricity and others, for civilians, even in cases of emergency?
● Would you support a law, if it doesn't exist in your country, that considers the Internet and telecommunication systems as main human needs like electricity supply, water supply and others, which can't be cut in such a way?!

Finally, Egypt's story was real proof that the Internet in general and social media networks in specific can really change the world. Virtual life can cause revolutions, wars, crimes and more. Egypt started the revolution on the virtual network and transferred it to a real story, a real TRUE STORY.

References
http://www.narus.com
http://www.wikipedia.org/

All images included in this article are copyrighted to their respective owners.
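The article says the easiest way for an ISP to go dark is to withdraw its BGP routes, and quotes an "88% down" figure. Figures like that are obtained by replaying public route-collector feeds and counting how many of a country's prefixes are still announced. The following is an added example of that measurement, written for this edit and not taken from the Security Kaizen article or from any ISP's tooling: the feed is constructed in the style of `bgpdump -m` text output (TYPE|timestamp|A or W|peer_ip|peer_as|prefix|as_path|...), and the prefixes, AS numbers and timestamps are invented for the demo, not real Egyptian data. It goes beyond the article's one-country case: the same replay works for any watched prefix list.

```python
"""Added example, not from the Security Kaizen article: replaying a BGP update
feed to measure how much of a country's address space vanished from the global
routing table when ISPs withdrew their routes, which is how figures like the
article's "88% down" are obtained from public route collectors.  The feed below
is CONSTRUCTED in the style of `bgpdump -m` output
(TYPE|timestamp|A/W|peer_ip|peer_as|prefix|as_path|...); prefixes, AS numbers
and timestamps are invented for the demo and are not real Egyptian data."""
from collections import defaultdict

# Constructed feed: 8 prefixes from three origin ASes are announced at
# 2011-01-28 00:00 UTC (epoch 1296172800); a withdrawal wave five minutes later
# removes everything from AS65001 and AS65002, while AS65003 plays the role of
# the provider that stayed up.
FEED = """\
BGP4MP|1296172800|A|192.0.2.1|64496|10.1.0.0/16|64496 65001|IGP
BGP4MP|1296172800|A|192.0.2.1|64496|10.2.0.0/16|64496 65001|IGP
BGP4MP|1296172800|A|192.0.2.1|64496|10.3.0.0/16|64496 65001|IGP
BGP4MP|1296172800|A|192.0.2.1|64496|10.4.0.0/16|64496 65001|IGP
BGP4MP|1296172800|A|192.0.2.1|64496|10.5.0.0/16|64496 65002|IGP
BGP4MP|1296172800|A|192.0.2.1|64496|10.6.0.0/16|64496 65002|IGP
BGP4MP|1296172800|A|192.0.2.1|64496|10.7.0.0/16|64496 65002|IGP
BGP4MP|1296172800|A|192.0.2.1|64496|10.8.0.0/16|64496 65003|IGP
BGP4MP|1296173100|W|192.0.2.1|64496|10.1.0.0/16
BGP4MP|1296173100|W|192.0.2.1|64496|10.2.0.0/16
BGP4MP|1296173100|W|192.0.2.1|64496|10.3.0.0/16
BGP4MP|1296173100|W|192.0.2.1|64496|10.4.0.0/16
BGP4MP|1296173100|W|192.0.2.1|64496|10.5.0.0/16
BGP4MP|1296173100|W|192.0.2.1|64496|10.6.0.0/16
BGP4MP|1296173100|W|192.0.2.1|64496|10.7.0.0/16
"""

# The prefixes we treat as "the country".  In practice this list comes from the
# regional registry's delegation file; here it is the 8 constructed prefixes.
WATCHED = {f"10.{i}.0.0/16" for i in range(1, 9)}


def parse_feed(text):
    """Turn bgpdump-style lines into (timestamp, kind, prefix, origin_as) tuples.
    Withdrawals carry no AS path, so their origin is None."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split("|")
        ts, kind, prefix = int(fields[1]), fields[2], fields[5]
        origin = fields[6].split()[-1] if kind == "A" else None
        events.append((ts, kind, prefix, origin))
    return events


def replay(events, watched, at_time):
    """Replay updates up to and including at_time.  Returns (live, origin_of):
    the watched prefixes still announced, and the origin AS last seen for every
    watched prefix, withdrawn or not."""
    live, origin_of = set(), {}
    for ts, kind, prefix, origin in sorted(events, key=lambda e: e[0]):
        if ts > at_time:
            break
        if prefix not in watched:
            continue
        if kind == "A":
            live.add(prefix)
            origin_of[prefix] = origin
        elif kind == "W":
            live.discard(prefix)
    return live, origin_of


def share_reachable(events, watched, at_time):
    """Fraction of watched prefixes still in the table at at_time."""
    live, _ = replay(events, watched, at_time)
    return len(live) / len(watched)


def per_origin_status(events, watched, at_time):
    """{origin_as: (prefixes still announced, prefixes ever announced)}: tells
    you which providers went dark and which stayed up."""
    live, origin_of = replay(events, watched, at_time)
    status = defaultdict(lambda: [0, 0])
    for prefix, origin in origin_of.items():
        status[origin][1] += 1
        if prefix in live:
            status[origin][0] += 1
    return {asn: tuple(v) for asn, v in status.items()}


if __name__ == "__main__":
    events = parse_feed(FEED)
    for t in (1296172900, 1296173200):
        print(t, f"{share_reachable(events, WATCHED, t):.1%} reachable",
              per_origin_status(events, WATCHED, t))
```

Run against a real collector dump, the same replay lets an operator confirm from outside its own network whether its prefixes are still visible, which is the only reliable way to tell a local outage from a route withdrawal.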
7. GREY HAT The database will simply display the results in the search query as you can see in the
following image.
Types of By Fady Osman
SQL injection
SQL injection is probably the most dangerous
known web attack. Sometimes it could lead
to remote code execution that gives the hacker full control of the system. In this article we will talk about SQL injection types.

1- Error based SQL injection :
In this case the database application sends the database errors directly back to the user. Sometimes this happens because the developer of the website didn't turn off debugging on the server. The exploitation of error based SQL injection is fairly straightforward. For example the attacker can make an invalid comparison between an integer and the data he needs to extract. To make things clear let's see an example (assuming an MS SQL database).

Injection : or 1=user()--

Response : Syntax error converting the nvarchar value 'ahmed' to a column of data type int.

From this example you can see that the user name 'Ahmed', which is the output of the user function, is sent back in the error message. The attacker can also retrieve other information from the database in the same way.

Tip : If you don't have good experience with databases and which functions are useful, this website will give you a cheat-sheet for SQL injection : http://www.pentestmonkey.com

2- Union based SQL injection :
Union based SQL injection, as the name suggests, abuses the union operator. The basic idea is to append the data that the attacker wants to a table that is already displayed in the page. See this example from DVWA (a vulnerable web application created for training hackers and to be used in educational classes). Inject this code inside the id parameter :

null' union select @@version,2#

Another thing to notice here is that the database version also reveals the operating system information, which is something that should be disabled by the database administrator.

3- Blind SQL injection :
This is the hacker's last choice since it takes a fairly long time. I worked once with blind SQL injection and to be honest it wasn't a pleasant experience; it took me all night to successfully exploit this vulnerability. Even with some tools available like sqlmap, sometimes you need to write your own scripts to successfully exploit blind SQL injection.

Now let's talk about how blind SQL injection works. In this case the database will not give you any output, not even an error message, so you need to find another way to retrieve data. This can be done by asking the database questions like "if the first letter of the user name is not an a then wait for 10 seconds", which in the database language can be this query:

http://[site]/page.asp?id=1; IF (ASCII(lower(substring((USER),1,1)))>97) WAITFOR DELAY '00:00:10'

The above query will wait for ten seconds only if the first letter of the user name is not "a"; then you have to do this for all the other letters of the user name. Then you move to the password hashes and so on. This makes it obvious that using automated tools or scripts is fundamental, otherwise it will take you days to retrieve only the basic information.

About the author: Fady Osman is an information security professional, researcher, and author. He focuses mainly in the areas of exploitation, reverse engineering, web security and C programming. His team won second place in the MIE 2010 competition organized by IEEE Egypt.
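All three injection types above share one root cause: the id value is pasted into the SQL text, so the database parses attacker data as grammar. The script below is an added example, not code from the article or from DVWA. It builds a small in-memory SQLite table (constructed sample rows), runs the article's DVWA union payload against a string-built query and against a parameterized one, and shows that only the string-built query leaks the version. The payload is adapted to SQLite syntax as an assumption for the demo: sqlite_version() stands in for @@version and "--" for MySQL's "#" comment.

```python
import sqlite3

# Constructed stand-in for the DVWA-style "users" table the article queries.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, first_name TEXT, last_name TEXT)"
    )
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "admin", "admin"), (2, "gordon", "brown")],
    )
    return conn

def lookup_vulnerable(conn, user_id):
    """Builds the statement by string formatting: the value becomes part of the SQL."""
    sql = f"SELECT first_name, last_name FROM users WHERE id = '{user_id}'"
    return conn.execute(sql).fetchall()

def lookup_parameterized(conn, user_id):
    """Binds the value as a parameter: the driver never parses it as SQL."""
    return conn.execute(
        "SELECT first_name, last_name FROM users WHERE id = ?", (user_id,)
    ).fetchall()

# The article's DVWA payload, adapted to SQLite syntax (assumption for this demo):
# sqlite_version() replaces @@version and "--" replaces the MySQL "#" comment.
UNION_PAYLOAD = "null' union select sqlite_version(),2--"

def demo():
    """Return the three query results side by side so they can be compared."""
    conn = make_db()
    return {
        "normal": lookup_parameterized(conn, 1),
        # Union row appended: the string-built query executes the payload.
        "vulnerable": lookup_vulnerable(conn, UNION_PAYLOAD),
        # Same payload bound as data: no row has that id, so nothing comes back.
        "parameterized": lookup_parameterized(conn, UNION_PAYLOAD),
    }

if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name:14s} -> {rows}")
```

Running it prints the version string in the "vulnerable" row and an empty list for "parameterized"; the parameterized form is the fix for all three injection classes, since error-based, union-based and blind variants only differ in how the result of the same mistake is read back.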
GREY HAT 10 11 April/june 2011
www.bluekaizen.org
8. Phone owning
By Brad Smith

This article will show you how to get started in performing penetration testing on cell phones to see if they can be compromised by accessing their data via Bluetooth (BT). This is an important part of penetration testing as many bad things can be done to someone's phone without their knowledge. If they own your phone, they own your life.

This is an advanced article so you need the following base knowledge: you need to be able to boot a BackTrack 4r2 disk on a computer that has a Bluetooth device installed. You can use other distros if you like but BackTrack has 32 tools just for Bluetooth.

Bluetooth was designed as a serial port replacement. Just like the serial ports of old, where you needed to set an IRQ and a memory address to interact with other devices, Bluetooth needs a channel and memory addresses set to interact with other phones.

Let's Start
With BackTrack booted up to the command line and the Bluetooth adapter installed type: hciconfig
You should see all the "acceptable" devices. If no device appears on the list and you have the device plugged in, well, your device won't work. Sorry, you need to try a different device. Not all BT adapters are created equal.

If a device appears (hci0) then bring it up: hciconfig hci0 up, just like it was a wireless card. The hciconfig -a command should return a list of features for all the Bluetooth adapters on the computer. It should look like this:

Let's pretend we're a phone
Notice in the above example that our Service / Device Class shows we're a computer. Notice the Link mode is SLAVE ACCEPT. We want to change all of this so we look like another cell phone. Type this at the command prompt:

hciconfig -a hci0 class 0x500204
hciconfig -a hci0 lm accept, master;
hciconfig -a hci0 lp rswitch,hold,sniff,park;
hciconfig -a hci0 auth enable
hciconfig -a hci0 encrypt enable
hciconfig -a hci0 name Resume

Now run hciconfig -a again and notice the differences. The last command, which changes the name, is important because that's what appears on the screen. Would you take a call from "bt-0" or "Resume" or " "? Notice what the Service / Device Class is now. You're a Phone!

Who else is out there?
There are several good tools for scanning on BackTrack: l2ping (that's an L, not the number 1), hcitool scan, sdptool browse and BTscanner. What we're after is the address of the device (think MAC address of a network card) and the channel each service is offered on. When you click on a device it gives you more information, specifically the channel of each service offered and the memory addresses of the device.
What Now?
Let's start with a simple program that does lots. My favorite is bluebugger because you can change option parameters quickly till it works properly. Notice the different modes that bluebugger offers. You can do it all from the command line:

~#./bluebugger -m Ron -c 7 -a xx:xx:xx:xx:xx:xx dial 1900badpeople

Let's look at this command: simply add the channel and connection name (here it's a blank, I use Resume). Seems too simple, yes? Very true, it doesn't work on every phone that has Bluetooth on, so you need to try lots of different ones. I look at a lot of phones and some brands are easier to penetrate than others. Which ones? Depends on model, make and how it's set up.

With so many Bluetooth tools, here are a few all-purpose basic tools to learn: Hciconfig, Bluescan, l2Ping, SDPTool, hcitool, BTScanner, Bluesnarfer, Bluebugger, Carwhisper.

Bluetooth devices are growing in number daily. Security is poor at best, coupled with the predicted increase in mobile threats, and NOW is the time to secure your own and your business's Bluetooth devices.

Here's help!
NIST "Guide to Bluetooth Security" 800-121
www.Backtrack-Linux.org
www.soldierx.com/bbs/201001/Bluetooth-hacking-wth-Backtrack-4
www.trifinite.org

About the author: Brad started breaking his toys at a very early age. When he wrote his first computer buffer overflow in 1972, which totally wrecked the University computer system, he realized the potential to break much larger things. Now he spends his time teaching others to break small things that have large importance, like cell phones.
10. new & NEWS

Stuxnet: and the truth shall set you free
By Omar Sherin

What is Stuxnet: it's the most complicated piece of malware ever written. Up till now there has been wide speculation that it was written by a specific country to attack the Siemens computer control systems used in the nuclear program of Iran. Security experts heavily criticized Siemens because the worm exploited, among many things, a "hard coded password" in the Siemens system. The Stuxnet worm infected critical energy companies in 125 countries.

Last month Siemens Internal CERT (Computer Emergency Response Team) released some slides about Stuxnet as a form of "Official Communication" within their constituents. The slides were taken offline a few hours later. But as I was reading through the slides I decided to take a copy just in case they did just that. In the official slides (Here), Siemens confirmed that Stuxnet was a "targeted" attack by using terms like "targeting a very specific configuration, certain PLC blocks and specific processes or (project)". These bold statements simply mean that Stuxnet's makers had (one target) in mind, and this should eliminate any theory out there denying that it is state sponsored malware.

The slides confirmed that the malware is capable of transferring data outside of the infected system back to the command and control servers, yet nothing has been proven, especially since the two C&C servers ( www[.]mypremierfutbol[.]com and www[.]todaysfutbol[.]com ) were brought down by Symantec. "I would like to add that both servers were located in Germany".

Then the Siemens slides claim that all known infections are now clean and zero enterprise damages reported. Yet they didn't specify their definition of "damage": is it seeing the enterprise up in flames or a few bytes of data going out? The slides go on listing the great deeds of Siemens since the discovery of the malware: "white papers, cleaning tools, contacting customers, working with top AV vendors, even magazine interviews". Isn't this what they are paid to do?

Another statement that also reflects severe undermining of the terms "due diligence, and responsibility" is a question they highlighted in yellow: "Has the customer done all he can?". Imagine a car manufacturing company that sold you a very expensive car equipped with an advanced airbag system, then someone smashes into your car and the airbag doesn't work, and while you are in hospital the car company lawyer asks you why you didn't bring an airbag from home just in case!

What is really strange is their genius conclusion that future infections are "unlikely", and this is due to the fact that the malware pattern is now detected by up to date anti-virus programs. Eureka !! Yes, future "Stuxnet" infections might be unlikely, but this is certainly not the end of this type of attack as long as top vendors like Siemens still use "hard coded & publicly available" passwords on critical systems in the year 2010 and don't even admit that this is the REAL problem.

I was able to locate the hard coded (built-in) user names and passwords in Siemens technical online forums:

login='WinCCConnect'
password='2WSXcder'
login='WinCCAdmin'
password='2WSXcde

About the author: My name is Omar Sherin and I am the OWASP Egypt chapter chair and a member of the OWASP Leaders Board. I have more than 8 years of professional corporate and national level Information security experience plus more years as a security and online privacy advocate. I also hold a diploma from Carnegie Mellon's Tepper School of Business in entrepreneurship and corporate innovation. I've worked for several multinational firms in the oil and gas sector, communication, government and professional services sector; in my spare time I'm an active Information Security blogger and speaker.

Specialties
• SCADA Security
• Critical Infrastructure Information Protection (CIIP)
• Business Continuity and Disaster Recovery
• Information Security and IT Audit
• Risk Assessment, GAP Analysis, Security policies
• Digital Forensics and web application pen testing
11. A visit to
By Osama Kamal

RSA conference is by far the biggest commercial event I have attended. It is not just an expo with more than 400 information security companies, but it is also a place where you get to meet information security rock-stars and the top management officials of big companies. In addition, the event also has a lot of sessions, mostly panel discussions, where you listen to the people who are shaping the security industry or are heavily involved in it in one way or another.

My favourite keynote was the one Hugh Thompson gave about social engineering, entitled "People Security". He showed how easily you can mislead people through search engine poisoning by giving an example of an unusual definition. He then asked people to use their mobile phones and computers to search for that term on the Internet and showed that a Google search revealed a totally wrong definition, as he was able to poison the search results by creating a Wikipedia page and a YouTube video, with some link building techniques to put the wrong definition on top of the search results.

Hugh Thompson also hosted Alexis Conran, who runs a show on the BBC, The Real Hustle. He showed how easy it is to scam people using "misdirection", which is one part of a good scam. It does not matter how smart you are; even security conscious people can be scammed. He showed some videos of the show, scamming people in cafe shops or even in casinos that have very tight security mechanisms to prevent fraud, and the message was to highlight the importance and danger of social engineering attacks. The video is available on the RSA Conference website; a highly recommended one.

One of the interesting presentations was about Mature SIEM implementation, by Bradford Nelson and Ben. It discussed a real implementation in one of the US Government entities, where they divided the SIEM evolution into 3 phases: Infancy, Growth, and Maturity. In Infancy mode, you need to focus on collection and aggregation. In Growth mode, you need to focus on real-time monitoring, unsupported sources, and environmental modeling. In the Maturity phase, you start developing processes, adding external threat feeds, putting alerts into business context, aggressive normalization and correlation, and adding application/user behaviour analysis.

According to the presenters, you should start by defining your requirements first, then do procurement, design, deployment, and then content delivery. The requirements definition is very important and should use vendor literature combined with your own technical and business needs. You can simply look for use cases to understand more. Things to consider are: start slowly, you can use NIST 800-53 and 800-92 as a start; go for quick wins; and do not try to spend lots of time on unsupported logs. Also check your data collection rates, and build your key performance indicators and metrics.

They gave some numbers from their environment. When they started in 2004 they had 800 nodes, with 46K records daily handled by 5 information security analysts. In 2007, they had 4000 nodes, 2M records/day, and 14 analysts. In 2010, they had 30K nodes, 326M records and 32 analysts. These are pretty insightful numbers if you are planning for a SOC. They started with logs like failed logins, port scans, and AD changes. Later they added IPS, packet capture, and packet drops, then apps, users, social media, auto ticketing handlers, honeynet sensors, and all connections. That is a lot to handle!

The conference is an excellent chance to get updated with new technologies from vendors. It is all about the defence side, not the offence side like Blackhat. If you are in the security business, this conference should be your target.

About the author: An independent security analyst with over 13 years of experience in security operation, design, architecture, and incident handling. Running his own blog www.okamalo.com for almost 2 years, currently focusing on open source information gathering and threat intelligence.
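The presenters' progression starts in Infancy with collecting failed-login events and reaches correlation only at Maturity. The script below is an added example, not material from the presenters or the author of this report; it walks that path on a handful of constructed log lines (the key=value format, host names and 10.0.0.x addresses are assumptions): parse and normalize each line, aggregate failures per source in a sliding window, and fire one correlated alert when a source crosses the threshold and a second when that same source then logs in successfully.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication events (not from any real system).
SAMPLE_LOGS = [
    "2011-04-12T09:00:01 host=dc1 event=failed_login user=alice src=10.0.0.5",
    "2011-04-12T09:00:02 host=dc1 event=failed_login user=bob src=10.0.0.5",
    "2011-04-12T09:00:03 host=dc1 event=failed_login user=carol src=10.0.0.5",
    "2011-04-12T09:00:04 host=dc1 event=failed_login user=dave src=10.0.0.5",
    "2011-04-12T09:00:05 host=dc1 event=failed_login user=erin src=10.0.0.5",
    "2011-04-12T09:00:06 host=dc1 event=login user=erin src=10.0.0.5",
    "2011-04-12T09:03:00 host=dc1 event=failed_login user=alice src=10.0.0.9",
    "2011-04-12T09:20:00 host=dc1 event=failed_login user=alice src=10.0.0.9",
]

def parse(line):
    """Collection/normalization: one raw line -> dict of typed fields."""
    ts, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    fields["ts"] = datetime.fromisoformat(ts)
    return fields

def correlate(lines, threshold=5, window=timedelta(minutes=1)):
    """Aggregation + correlation over the normalized stream.

    Rule 1: `threshold` failed logins from one source inside `window`.
    Rule 2: a successful login from that source while rule 1 is still hot.
    Rule 1 fires once, on the failure that crosses the threshold, not on
    every later failure in the same window.
    """
    events = sorted((parse(l) for l in lines), key=lambda e: e["ts"])
    failures = defaultdict(list)   # src -> timestamps of recent failed logins
    alerts = []
    for e in events:
        src = e["src"]
        if e["event"] == "failed_login":
            # Keep only failures still inside the sliding window, then add this one.
            failures[src] = [t for t in failures[src] if e["ts"] - t <= window]
            failures[src].append(e["ts"])
            if len(failures[src]) == threshold:
                alerts.append({"rule": "brute_force", "src": src,
                               "user": None, "ts": e["ts"]})
        elif e["event"] == "login":
            recent = [t for t in failures[src] if e["ts"] - t <= window]
            if len(recent) >= threshold:
                alerts.append({"rule": "success_after_brute_force", "src": src,
                               "user": e["user"], "ts": e["ts"]})
    return alerts

if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOGS):
        print(alert)
```

On the sample data the 10.0.0.5 burst produces both alerts and the two spaced-out failures from 10.0.0.9 produce none, which is the point of the window: the same raw count that looks alarming in aggregate is benign once time is part of the rule. Replacing the list with a real collector and the threshold with a per-environment baseline is what the "data collection rates" and "metrics" advice in the report is about.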
12. Electronic Voting Security Challenges
By Mohamed Enab

"Cyber Revolution"… a catchy expression we use these days! This type of "revolution" is conducted over the Internet using social networks, such as Facebook and Twitter, and this is the first time in history that people start a revolution against unfair and oppressive government systems by a Cyber Revolution.

To help maintain the principles of this revolution and sustain it so we can use it any time we are again confronted by governments that lack freedom of speech, we should put some "controls" into our lives to guarantee as much as possible that we do not reinvent the wheel, especially while no political party is in control and there is some sort of chaos around a certain country. That is the time to put neutral controls over Cyber Revolution.

I said "controls", right?! Yes, I did. Does this not remind us, Security Professionals, of something we use in our daily life when referring to Firewalls, IPS, IDS, etc.? But what type of controls am I talking about?!

As we all know, the main objectives of Information Security are to protect the confidentiality, integrity and availability of our company, our organization and our country. What I see right now is that people believe in this revolution, and one way to help them trust it more and more is to have a system that makes them feel secure and safe when they give their votes during elections or referendums. We are talking here about "Electronic Voting".

I know that the idea is not new, and that it has been implemented in lots of countries such as the USA, Spain, Australia, and the Netherlands - just to name a few - either by Remote E-Voting or Polling Place E-Voting. However, these systems are not as easy as you might think; they are complex systems that depend on a lot of factors. If you simply tamper with the voting software by a virus or a bug then you might have an undesirable president or parliament member, for example. Therefore, due to its critical risks and the fact that some countries have already had voting fraud incidents, Electronic Voting needs to be assessed and analyzed well to check whether it can be applied safely in our country. Basically a voting system has four main characteristics (1):

1. Accuracy: The goal of any voting system is to establish the intent of each individual voter, and translate those intents into a final tally. To the extent that a voting system fails to do this, it is undesirable. This characteristic also includes security: it should be impossible to change someone else's vote, ballot stuff, destroy votes, or otherwise affect the accuracy of the final tally.

2. Anonymity: Secret ballots are fundamental to democracy, and voting systems must be designed to facilitate voter anonymity. This also means confidentiality, in one way or another.

3. Scalability: Voting systems need to be able to handle very large elections. With the increase of population, we need to invest in something that can sustain for long enough.

4. Speed: Voting systems should produce results quickly. This is particularly important where people expect to learn the results of their voting on the same day it took place, before bedtime or early the day after, and to monitor the progress of the voting process.

So, these are the four main features that should characterize Electronic Voting, and if we have a system that can do that electronically then this will guarantee neutral and falsification-free votes. Electronic Voting can be used in presidential elections, parliament members' elections and also inside the parliament while voting for legislation and policies. We need to forget about the previous "funny" way by which votes inside the parliament were handled and move to E-Voting; the Speaker of the People's Assembly of Egypt used to check the votes for legislation and policies only by eye!

Let us see how we can implement the Electronic Voting system; usually the system will have machines all over the country to collect the votes. These machines are connected in a secure way to a central point for analysis and monitoring. So if we spread our devices over 700 sites, for example, and the central point then notices some suspicious activities, investigations may start and track any distrustful activity. But what kind of machines should be used?! Maybe a PC, but it can be infected by a virus or a worm. Maybe a hardened machine! How can these machines be connected to the sites?

Usually the machines used in E-Voting, in countries like Brazil, India and the USA, are Direct-Recording Electronic (DRE) (2) voting machines. A DRE machine records votes by means of a ballot display provided with mechanical or electro-optical components which can be activated by the voter (typically through buttons or a touchscreen). Then the data is processed by means of a computer program. Then voting data and ballot images are recorded in memory components. After the elections, the DRE machine produces a tabulation of the voting data as a soft copy stored on a removable memory component and as a hard copy as well. The system may also provide a means for transmitting individual ballots or vote totals to a central location for consolidating and reporting the results by precincts at the central point. So data can be transferred securely through encrypted links or flash memories with backup so as to maintain the confidentiality and integrity of the data. And by having the backup, availability is guaranteed.

Figure 1 DRE Machine used in Brazil

These DRE machines should be hardened and certified through audits, so as to ensure security. For sure the machines may differ from one type of election to another, but the concept is the same. I believe that in order to have a "Cyber Revolution", we need to implement systems in our countries which bring technology into our daily lives. And since secure voting is a crucial step in bringing in trustworthy entities for the sake of serving our people, special attention should be paid to deploying "Electronic Voting" in our countries.

1 Adopted from Bruce Schneier's blog, Schneier on Security
2 Definition as per Wikipedia

About the author: Five years of experience in the Information Security Consultation field, with deep knowledge and understanding of security threats and countermeasures, security products and technologies, information security management systems, networks and operating systems. Spent 2 years in the banking field, where money talks and security is a great concern, and also in the Information Security Consultation field giving consultation and advisory to customers to get the best of breed from security solutions and secure organizations which have different concerns and business objectives. Currently holds security certifications such as CISSP, CCSP and SSCP and has a good networking/telecommunication background.
13. An Interview with Clement Dupuis
By Moataz Salah

Clement Dupuis is a man whose thoughts and principles you can't help respecting. His principles and beliefs were one of the main reasons to launch our magazine, Security Kaizen Magazine. Two years ago, I started quoting one of his famous sayings in my lectures: "Don't be a leecher, don't suck people's blood till you get all the information you need; share your knowledge even with just a comment".

Clement Dupuis
Founder and Maintainer of the CCCure Family of Portals

• Can you introduce yourself to Security Kaizen Readers?

Good day to all,
My name is Clement Dupuis, I am the founder and maintainer of the CCCure Family of Portals. Twelve years ago I started to dedicate all of my free time to "Giving Back to the community", which has been a way of life since then.

I had the privilege to work for 20 years for the Canadian Department of Defense and was exposed to radio communication, satellite communication, and finally I got into the computer world.

I was one of the very early pioneers who was attempting to use the Personal Computer (PC) in places and in ways it was never, ever attempted before. I had to combine modern equipment with outdated radio communication. Often we had to talk with the engineer that wrote the software to make things work. There was no better way to learn the details behind the interfaces that we were using.

Networking, Personal Computers, Servers, and making them work together has been a hobby of mine for more than 20 years. It is always a privilege to have your hobby as your full time job.

• What made you take the Free Information Sharing Route instead of selling your knowledge?

As you get past 50 years of age you realize that you do have quite a bit of wisdom and knowledge that you have acquired over the years. At one point you need to get someone ready to take over from you and finally retire.

I am from a small lumberjack village in the deep woods of Quebec, Canada. In my village people always help each other; skills and knowledge are passed from father to son for generations. I thought doing the same on the Information Security side could be a very interesting project.

It started as a hobby and today the Family of Portals reaches over 150,000 security professionals in more than 120 countries around the world. It does make me feel proud when someone sends me a message to thank me and my team for the work we are doing in helping the community.

I was asked many times WHY I do not charge a fee on some of my portals. With the number of members we have we could be millionaires if I had charged $10 per person. We all need money, however we never have enough; it is a never ending story. Above money there are people; when I am able to contribute to someone's career and help them progress and reach higher, I feel a lot better than getting $10 as a fee. People should always be priority number one.

• Can you give us more ideas about your free information sharing web sites and the free services you deliver?

Our portals contain a large collection of documents, links, forums, mailing lists, cram study guides, quizzes, and a whole lot more.

The portals are large containers of knowledge that constantly get updated and better as more and more people are contributing.

• What problems did you face when you started your free information sharing web sites?

The first 4 years were very lonely; you spend all of your free time building content, answering queries, and you do not see anything being returned to you. Then all of a sudden my site was listed in books and magazines, which drove a lot of traffic to it.

I felt like quitting the whole project many times. There were days when I would get negative feedback that made me feel like pulling the plug. However, my wife, who is the calm and moderate person behind me, would always remind me that for every negative message I have most likely received 100 positive messages. After a while you learn to concentrate on the positive and accept that you cannot please 100% of your visitors.
Time has always been my biggest challenge over the past 10 years. Maintaining portals is VERY time consuming.

• Which Security Conferences must Clement Dupuis attend every year?

There are a few that I always attempt to attend such as BlackHat, Defcon, CanSecWest, and Hacker Halted. They are some of the largest and also some of the best conferences that exist out there.

• You are a big fan of CISSP, why is that?

There are a lot of misconceptions related to the CISSP certification. It is NOT a technical certification; however, it forces a Security Professional to learn more about domains that he would not get exposed to in his daily tasks.

The CISSP shows that a Black Box approach to security will not work. You can stack 10 security appliances and they will still be ineffective if there are no policies, procedures, or processes in place.

People have to realize that hardware or software alone is not the answer to security. You have to have a good mix of policies, people, and process, the 3 P's.

I was one of the first people to become a CISSP in Canada. I saw that it was a great package but there was no resource to prepare for it. This is when I decided to create the CCCure.Org web site. I wanted to help others in becoming certified and by the same token better understand what security is all about.

• What is your plan for the coming years?

I am now at the point where my portals need to move to a better platform that will integrate with the viral world of Social Media. This is one of the major projects to come.

I also need to categorize content by geographical location. People love to know what is in their backyard and what resources they have locally.

Adding a few more certifications is also on the menu. Cloud Security and Risk Management come to mind.

• Can you rate the top 5 magazines in the Security World?

This is a tough one. Some magazines cater to management, some others cater to Security Testing, some will be for programmers; as you might have guessed I read a lot of security oriented magazines. On my short list I do have:
- 2600 Quarterly
- Club Hack Magazine
- Hakin9
- HITB Magazine
- (IN)SECURE
- MISC Magazine
- Professional Tester
- SecurityActs
- Security Kaizen
- The Hackademy Journal
- Uninformed

• What is your comment about Security Kaizen Magazine? And what is needed to rank it as one of the best magazines in the Information Security field in the world?

Security Kaizen is a very interesting magazine and once I read through the first edition I knew that it is a magazine that will only get better with time. The magazine is very young compared to other magazines that exist out there.

The success will depend on a few things: Content, Content, and Content.

If you provide great content the readers will come to read it. From what I have seen so far you are on the right path to do so.

Last but not least, ask for feedback and listen to your readers. Ask them what they wish to get and provide it to them. All of this will make it a great success.

• From your experience, what is mostly needed in the Middle East and Arab countries to help them be an added value in the information security field instead of just importing technology?

There is already an amazing number of software and hardware companies coming from the Middle East and Arab countries. Unfortunately some are niche players or are not recognized in their own country.

Information Security and its associated technologies are still something that is up and coming in those regions. Leadership must start at the top, at the government level. Cyber Security should no longer be seen as a luxury but as a necessity to securely conduct business in a connected world.

For the first time in history companies suffered more losses and fraud online than in the physical world in 2010. Where there is financial transaction and money involved there is also crime. The online world is no different than the physical world; in fact it is a lot easier to commit crime online than risking being caught in the act doing a physical crime.

Sharing information, educating more people about these issues, and creating a climate favorable to endless learning is one of the most effective tools one can use against criminal activities over our networks and systems.
15. Step By Step

Rootkits: A Deeper Look
By Amr Thabet

1. What is a rootkit?
A rootkit is simply a program that gives you permanent access to "root", which is the highest privileged user in a UNIX system. The rootkit can easily control the system or modify it on the fly to force it to hide the presence of a specific virus or spyware.

2. Why rootkits?
It gives you permanent access to the infected machine. In the hackers' view, it is not enough to penetrate a system or compromise its security defenses; the ability to stay hidden in the system to spy on or control it for your desired needs is a must. Therefore, rootkits are mainly created to hide the hacker inside the system from administrators, file monitors and firewalls. Some of the hiding techniques are hiding files on the hard disk, a connection port, some registry keys or a running process in the machine.

Furthermore, some other rootkits are especially created for other needs, like a keystroke monitor (keyboard spy), or a packet sniffer, which is a program that monitors all the data that is sent or received by the computer in order to steal passwords or credit cards.

3. Some Definitions:
1. User-mode Vs. Kernel-mode:
The computer processor has a type of security called rings. Rings are simply sets of privileges or restrictions within which code has to work. There are four rings and they begin with ring-0, which is the highest privilege and is called kernel-mode. Ring-3 is the lowest privilege and is called user-mode. All applications run in user-mode and have specific privileges which they, by all means, cannot exceed. When the operating system runs in kernel-mode, which has the highest privilege, it can do everything ranging from modifying the memory of the system, modifying the settings of the processor, to sending and receiving signals from computer devices. There is a single way to jump from ring-3 to ring-0, which is done by a processor instruction named "Sysenter" (System Enter), to call a specific function in the operating system.

2. Patching and Hooking:
Hooking is a term given to the process of intercepting or interrupting a call to a system function like ZwQueryDirectoryFile. Some examples are query-file hooks, which either function as modifiers of the input (the path to a certain folder whose files need to be queried), or modifiers of the output (deleting the name of a specific file in order to hide it).

Patching, in like manner, is very similar to hooking. Patching means modifying: modifying the first instructions of a specific function to hook the inputs or the outputs of this function.

4. Types of Rootkits:
1. User-mode Rootkits:
This type of rootkit simply works in user mode and hooks some functions in a specific process; sometimes it loops over all processes except the system processes. It is done by injecting code inside the virtual memory of this process, and then patching the first instructions of the hooked function to force it to call the injected code. Hence, the injected code modifies the input of this function, then resumes the hooked function, modifies the output of the very same function, and at last returns again to the process.

2. Kernel-mode Rootkits:
On the other hand, kernel-mode rootkits, the second type, work inside the system. These rootkits are installed as device drivers and they have the ability to modify the system functions or hook I/O request packets (IRPs), which are sent to the device drivers, for the purpose of modifying the inputs and outputs of this device driver. Kernel-mode rootkits can hook all processes, including system processes, at once; however, they are harder to detect and remove. The problems of kernel-mode are mainly due to it being hard to program and very sensitive to changes of the operating system, and sometimes sensitive to changes of devices too.

5. How Rootkits Work?
First of all, how Windows works should be understood. Windows is an operating system created to become a layer between the hardware devices and the software applications and users.

[Figure: layers, top to bottom: Users And Applications / Operating System / Hardware Devices]

It is created to be insensitive to hardware changes, to support multiple users and processes (applications), and to support system security from malformed processes and from user to user. It supports a static interface between applications and hardware devices called the Application Programming Interface (API). This interface includes many functions that do everything like managing files and directories, internet, connectivity and so on. In order to understand the tricks of rootkits, the way the interface works should first be understood. Thus, the life cycle of executing an API like "FindFirstFileA()" from user-mode to kernel-mode, to the device itself, is shown below in this figure.
Step By Step 26 27 April/june 2011
www.bluekaizen.org
[Figure: life cycle of a FindFirstFile() call. Calls to FindFirstFile() → Call to function ZwQueryDirectoryFile → Execute SYSENTER instruction with function number (0x91) → (User Mode / Kernel Mode boundary) → Search for function (0x91) in the System Service Dispatch Table (SSDT) → Execute NtQueryDirectoryFile() → Send an IRP request to fastfat.sys (and all device drivers attached to it) → Attached device drivers could change the inputs of the IRP request (pre-operation mode) → Attached device drivers could set an IoCompletion routine to change the outputs (post-operation mode) → Send a signal to the device and get the output / execute the IoCompletion routines and return to user.]
Each step is explained, in addition to the hooking mechanism that is used by rootkits.

1. User-Mode Part:
At the user-mode, the applications have the ability to call one of hundreds of functions in the Windows interface (APIs), and as is seen in the last example, the application calls FindFirstFileA(), which calls another API named ZwQueryDirectoryFile(), which calls KiFastSystemCall(), which executes the processor instruction “Sysenter” that converts you from user-mode to kernel-mode and executes another function in the system, in kernel-mode, named KiSystemService().
At this part, the user-mode rootkits, as previously explained, have the ability to hook one of these functions by patching its first instructions with other instructions, which allows the rootkit to change the inputs or the outputs of these functions.

2. SSDT:
While executing the “Sysenter” instruction, the processor converts you into kernel-mode (ring-0) and executes the KiSystemService() function, which searches in an array named “System Service Dispatch Table (SSDT)”, using the function number as an index into the array, and gets a pointer to another function (for the last example, NtQueryDirectoryFile()); it then calls this function and execution in kernel-mode continues.
At this part, the kernel-mode rootkits, as explained above, have the ability to change the pointer to a function in the SSDT array to another function inside the kernel-mode rootkit.
Additionally, other rootkits prefer to hook these functions by patching their first instructions, like the user-mode rootkits.

3. Device Drivers:
After executing the NtQueryDirectoryFile() function, this function sends to the related device driver a request named “I/O Request Packet (IRP)” to query a specific directory. This packet will be received by the appropriate device driver and all device drivers attached to it.
Windows allows device drivers to be attached to any device driver to filter its input, change its output or complete the request without the need of the real device driver itself.
These device driver filters have the ability to change the inputs, as the IRPs are first received, and have the ability to set a function named “IoCompletionRoutine”. The IoCompletionRoutine is executed after completing the request and before returning to the user-mode application.
The IoCompletionRoutine has the ability to change the outputs of this request in order to hide files, for example, or make any other changes.
In a like manner, the rootkits have the ability to filter the inputs and the outputs of any request.
Regarding the last example, the rootkit could change the results of this query to hide a file or change its name in the results of the QueryDirectory IRP.

4. Communicating With Devices:
After the device driver gets the IRP, the device driver communicates with the related device, the hard disk for instance, by sending signals to this device or receiving signals from it.
After getting the reply from the device, the device driver changes the output to the standard shape for Windows, or converts the output into a higher-level one, and then returns to the user-mode application after calling the IoCompletionRoutine.
In this stage, the rootkits cannot hook the signals to the devices, but some rootkits with other tasks, such as key loggers or packet sniffers, could communicate with the device directly to receive the pressed keys or send an internet packet, bypassing in this way any software filters or hookers.
This part is very sensitive to the changes of the hardware, which makes it a very hard task to work on, and actually it is only used by the elite hackers, as most people say.

Conclusion:
The rootkit is considered a programme or a tool that gives root privileges, to be used for the purpose of hiding the presence of a specific virus or spyware. This tool uses the hooking mechanism to filter the inputs or outputs of the system functions, either in user-mode or kernel-mode, to hide the malware process. By the same token, it can hide files from the outputs of any query, as if there were no malware in the computer.
Some other rootkits use these privileges to log the key presses or sniff the internet packets to steal passwords or intrude on someone’s privacy.
Also described above in this article is the life cycle of executing a system query from the user-mode to the kernel-mode to the hardware devices, to reply to someone’s request with a high-level reply, transparent to the hardware changes.

About the author: I’m Amr Thabet. I’m a freelance malware researcher and a student at Alexandria University, Faculty of Engineering, in my last year. I’m the author of Pokas x86 Emulator, a speaker at Cairo Security Camp 2010 and invited to become a speaker at Athcon Security Conference 2011 in Athens, Greece. I began programming at 14. I have read many books and research papers in the malware, reversing and antivirus fields, and I’ve been a reverser for nearly 4 years.
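To make the SSDT step and the conclusion concrete, here is an added example (not the article's own code) that models the dispatch table as a C array: a service is reached by its number, a hooked slot changes the query's result, and the snapshot comparison an anti-rootkit tool performs flags the changed entry. All names (ssdt, dispatch, SVC_QUERY_DIRECTORY, count_modified_entries) are constructed for the model and are not the real Windows kernel structures.

```c
#include <stddef.h>
#include <string.h>

/* Constructed model of the SSDT step described above: a table of function
 * pointers indexed by service number. Names and layout are hypothetical,
 * not the real Windows kernel structures. */
typedef int (*service_fn)(const char *path);
#define SSDT_SIZE 0x100
#define SVC_QUERY_DIRECTORY 0x91  /* service number from the article's figure */

static service_fn ssdt[SSDT_SIZE];        /* live table read by the dispatcher */
static service_fn ssdt_clean[SSDT_SIZE];  /* known-good copy taken at "boot" */

/* Legitimate service: the constructed sample directory always has 2 entries. */
static int nt_query_directory(const char *path) {
    return (path != NULL && *path != '\0') ? 2 : -1;
}

/* Models the kernel-mode hook the article describes: the SSDT slot now points
 * into rootkit code that calls the original and drops one name (hidden file). */
static int hooked_query_directory(const char *path) {
    int n = nt_query_directory(path);
    return n > 0 ? n - 1 : n;
}

/* Fill the table and take the clean snapshot the integrity check relies on. */
void init_ssdt(void) {
    memset(ssdt, 0, sizeof ssdt);
    ssdt[SVC_QUERY_DIRECTORY] = nt_query_directory;
    memcpy(ssdt_clean, ssdt, sizeof ssdt);
}

/* KiSystemService step: use the service number as an index and call the entry. */
int dispatch(int service_number, const char *path) {
    if (service_number < 0 || service_number >= SSDT_SIZE || ssdt[service_number] == NULL)
        return -1;
    return ssdt[service_number](path);
}

/* Simulate the rootkit overwriting the table entry (model only). */
void simulate_ssdt_hook(void) { ssdt[SVC_QUERY_DIRECTORY] = hooked_query_directory; }

/* Defender check: compare the live table with the snapshot; every slot that
 * differs is a hooked service. Returns the count (0 means the SSDT is intact). */
int count_modified_entries(void) {
    int modified = 0;
    for (int i = 0; i < SSDT_SIZE; i++)
        if (ssdt[i] != ssdt_clean[i]) modified++;
    return modified;
}
```

Before the hook the query reports 2 entries and the check returns 0; after the slot is replaced the same query reports 1 and the check returns 1, which is the signal an anti-rootkit scanner acts on.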