Vol3 issue 9 . Apr./Jun 2013
Securitykaizen Magazine
Editor’s Note
Sometimes it is too hard for you to take some decisions in your life, mostly due to people you care about, or due to timing and financial reasons or others. But in some cases, despite all that, you have to take a decision without complicated calculations. You just feel it and you do it. Life is too short to keep planning and doubting your plans afterwards. Put your dreams in the decision phase; if it’s a wrong decision you will know and you will fix your route. Believe me, that’s better than staying all your life asking yourself “what if?”. That’s why I decided to give up my full-time job, after 6 years, and concentrate only on my own dream, “Bluekaizen”. I believe that instead of wearing myself out as an employee at a multinational company, it is better for my country to add a new company in the security field that might make a change one day.

I am writing this today because I can hear some voices saying: this is another community moving into business. But I would like to confirm that we will keep our main goals: raising the level of information security knowledge in the region, building a new generation capable of protecting this country from different threats, and contributing to establishing a real strategy for Information Security. So, how will we do business? What we will do is add some paid services, like the Security Training that we started in CSCAMP2012. Today, we are building a high-quality, unique security training catalog under the Bluekaizen name. Our goal is to be one of the top 3 Security Training providers in the Middle East in the next 3 years. We have already started with the Metasploit course in Egypt, and we are going regional by providing the famous Samurai Web Hacking course and the SCADA Pen Testing Course by Justin Searl this June in Saudi Arabia.

For Bluekaizen activities, we had our first Bluekaizen Gold Members Meeting at ITI in Smart Village at the beginning of March. By the end of the meeting, I was inspired by the ideas proposed by members: awareness programs for university and school students, enhancement points for CSCAMP2013 and many other topics which, limited by space, I won’t be able to discuss here. Not to mention, of course, that CSCAMP2013 preparations are on the move. The call for speakers is now open, with a deadline at the end of August. Also, today we are establishing an advisory board for CSCAMP events which will be responsible for filtering and choosing the talks and speakers. Cairo Security Camp this year will be a real new experience that you wouldn’t want to miss; we will have plenty of space that can be used for different activities. We are open to any ideas or cooperation with all entities who would like to join CSCAMP2013.
Contents

Editor’s Note
True Story: Catching Anonymous (How Hackers are caught due to their own mistakes?)
New & News: Android Swift Key became key logger; Iran stopped VPN services; Apple App store was Vulnerable; United States Government websites attacked by Tunisian Cyber Army and Al-Qaeda Electronic Army
Book Review: Trojan Horse Review
User To User: Google Vulnerability Reward Program for Security Researchers
Interview: CEO and Founder of Kaspersky Lab
Best Practice: Fighting spam with pure functions

Chairman & Editor-in-Chief: Moataz Salah
Editors: Haitham Mohamed, Ahmed El Ashmawy, Ahmed Aboul Ela, Mohamed Ramadan, Ebrahim Hegazy, Louis Brandy, Mohamed Ebrahim, Amgad Magdy, EG CERT Team
Website Development: Mariam Samy
Marketing Coordinator: Mahitab Ahmed, Mohamed Saeed
Designed & Printed: 2day Adv. 01013126152

Security Kaizen is issued every 3 months. Reproduction in whole or part without written permission is strictly prohibited. ALL COPYRIGHTS ARE PRESERVED TO WWW.BLUEKAIZEN.ORG
For advertisement in Security Kaizen Magazine and the www.bluekaizen.org website: Mail info@bluekaizen.org or Phone 0100 267 5570
True Story
Catching Anonymous
How Hackers are caught due to their own mistakes?

The FBI made many arrests in the last year of members of the Anonymous group. It was quite an achievement in their chase of the Anonymous members, but the funny thing is that these arrests were not made because the FBI started using better techniques; they didn’t even use better technology or advanced forensics. The situation was totally different from that. It was as if those Anonymous members surrendered to the authorities by themselves. Most of the following information is from tips circulating the Internet; we will use it to show how the arrests were made.

1- John Anthony Borell (Kahuna):

• Used ‘anonJB’ as one of his IRC names – JB are his real-life initials
• Continued to operate as ‘anonJB’ after being mentioned by his full name in September 2011 (http://pastie.org/2477266)
• Hacked websites using his work IP
• Had Facebook, Gmail, Twitter and YouTube accounts in his real name. These revealed his Anon sympathies, including a link to an Anonymous educational video (http://www.youtube.com/user/jborell3)
• Retweeted Anon accounts from his own real-life Twitter (no crime, but hardly a smart move when you’re also an Anon)
• Mentioned on IRC that his dad was a lawyer (the chat log was later leaked)
• Accessed the “@ItsKahuna” Twitter account on occasions using his home IP
• Tweeted news of his neighbors installing a new WEP router that he was accessing
• Tweeted as “@ItsKahuna” to say he was fixing his friend’s computer. The IP address this tweet was posted from matched one of his Facebook friends.
• Allowed details concerning his computer host to be revealed on air, then demanded in a direct message to “KSL TV” that this incriminating evidence be deleted from later broadcasts.
• Gave pictures of his face to “@anoncutie”. All of Kahuna’s tweets, direct messages and IP logs were later revealed when the feds subpoenaed Twitter.
• Admitted to “@missarahnicole” the date of his 21st birthday.
2- HIGINIO OCHOA (W0rmer):

• Posted, as “CabinCr3w” and “W0rmer”, photos of his girlfriend’s chest, complete with his iPhone geo-data that led directly to his home address.
• W0rmer’s girlfriend, “@MissAnonFatale”, revealed in a direct message to “@ItsKahuna” that she and “W0rmer” would get married once he’d arranged his passport & visa to Australia.
• “W0rmer” posted a screenshot of a botnet he was running. In the background, his Skype and IRC user names are clearly visible in the applications he is running.
• Signed off on a forum post with the words “Higino Ochoa – AkA wOrmer” << facepalm.jpg.
• Broke into a Texas Police Department’s website using his neighbor’s wireless – but without trying to mask his IP.
• His Facebook account publicly revealed that he was in a relationship with a girl in Australia. This girl could then be linked to him via the EXIF data on the “Cabin Cr3w” photos and by her own Anonymous Twitter account. (Cabin Cr3w was arrested and this data was seized.)
A sample of their chat that was logged as evidence
3- Jeremy Hammond (sup_g):

• Used various nicknames on IRC, but allowed himself to be addressed by all these nicknames in chats, thereby linking him to all his online personas
• Regularly admitted on IRC which other nicks he used, when quizzed by others
• Gave out personally identifiable info on IRC – such as admitting that he had activist mates who’d been arrested at a specific demonstration. sup_g’s twin brother was one of those arrested.
• Also admitted on IRC that he’d been arrested at the Republican National Convention in 2004, and confessed to having done time in federal prison.
People tend to talk about their achievements and brag about them whenever possible; this is simply human nature. While hackers continue to be just humans who make mistakes, law enforcement continues gathering these simple mistakes together until they eventually capture those who committed the criminal act.
Haitham Mohamed
I’m a Malware Reverse Engineer, SCMRE, C|HFI, C|EH, MCSE+S, MCTS, N+, Security+, ITIL V3 Foundation
Book Review
Trojan Horse Review

It’s two years post-Zero Day, and former government analyst Jeff Aiken is reaping the rewards for crippling al-Qaida’s attack on the computer infrastructure of the Western world. His cyber-security company is flourishing, and his relationship with Daryl Haugen intensifies when she becomes a part of his team. But the West is under the East’s greatest threat yet. The Stuxnet virus that successfully subverted Iran’s nuclear defense program for years is being rapidly identified and defeated, and Stuxnet’s creators are stressed to develop a successor. As Jeff and Daryl struggle to stay together, they’re summoned to disarm the attack of a revolutionary, invisible trojan that alters data without leaving a trace. As the trojan penetrates Western intelligence, the terrifying truth about Iran is revealed, and Jeff and Daryl find themselves running a desperate race against time to reverse it – while the fate of both East and West hangs in the balance.

As you may know, “Trojan Horse” is the 2nd novel by Mark Russinovich, the author of the “Zero Day” novel. Jeff & Daryl are facing a new challenge. The Trojan was detected on a machine after causing officeworks to crash while opening a highly classified report from the United Nations on the progress of the Iranian nuclear program. Imagine a Trojan that is able to alter your digitally signed data, your databases or your knowledge base; you won’t be able to trust any documents, either created by you or received from your trusted contacts. Starting the investigation with the recipient’s computer in London and moving to the sender’s office in Genève, Jeff and Daryl have very hard moments with trained agents and dead bodies on their journey after the Trojan. In the novel, we move between London, Genève, Iran, China and Turkey while focusing on the cyber war between the USA and China and the growing relationship between China and Iran.

If you have already read Mark’s 1st novel, you’ll find this one much better, not only from the plot point of view, which was well built up, but also from the obvious improvement in the author’s style, the depth of the characters and the linking of his novel with Stuxnet while describing its effect and how it was able to bring the Iranian nuclear project to its knees for some time. Mark didn’t ignore the defects in the anti-virus industry and how long it may take for anti-virus vendors to update their databases with new virus patterns. In the end, I enjoyed reading his novel, I would probably buy his next novel, and I recommend it to those in the security field or even casual readers who may be interested in cyber security topics. My previous rating for Zero Day was 3, but this time I would rate it 4 out of 5.
Mohamed Ebrahim
I’m an Information security addict. My first and only hobby is reading
Interview
Interview with Eugene Kaspersky, CEO and Founder of Kaspersky Lab
Moataz Salah: Kaspersky Lab is one of the success stories in the Information Security business. Can you tell us this story? What brought you the idea? What were the obstacles that faced you at the beginning?

Eugene Kaspersky: It all started with the Cascade virus, which I discovered in 1989 while still a student. Letters cascaded down the screen, a bit like in the film The Matrix years later. I analyzed the virus and then developed a disinfection utility for it. Then more and more folks started coming to me for help. Viruses were appearing increasingly frequently, mercilessly causing major havoc with loads of computers. It was clear that they needed protecting, and fast.

In 1991, I led a small team in developing AntiViral Toolkit Pro (AVP). It became the prototype for the first Kaspersky AntiVirus years later. AVP was the first antivirus in the world to separate the software from the antivirus database - the standard for the industry today. We also came up with the idea of giving AVP the world’s first antivirus graphic user interface.

AVP kept slowly growing, and in 1995-96 we already had several versions of AVP 1, and several of AVP 2. Besides these products – for the operating system of that time (MS-DOS) – we also released a product that provided protection for Novell servers - AVP for Novell 1.0. Then, on June 26, 1997 we finally registered Kaspersky Lab! We weren’t quite sure what to call ourselves at first, and I didn’t want to use my surname really as, well, actually, I’m not all that much of a show-off! But I was persuaded by the others in the end to capitalize on my name being already rather well-known. Starting over from scratch seemed pointless - and expensive. And talking of money - our finances weren’t all that great early on after setting up the company. When we had just 15 or 20 staff things weren’t easy at all. Earnings were still unstable; so much so that sometimes we had to forgo our salaries. We also found ourselves practically living at the office day and night… the cleaning ladies would take pity on us and give us sandwiches!

These difficult years soon turned into unbelievably productive ones: in 1998 we released nine products and overhauled the antivirus engine. Corporate contracts were being signed and we were taking on lots more staff and increasing market share.

Then, into the 2000s the company started growing geographically around the world, after having opened our first foreign rep office in 1999 - Kaspersky Labs UK, in Cambridge. This was a very important step for the company. The business then developed very quickly - in terms of both complexity and geography: in 2003, for example, we opened one regional office after another all around the world - Germany, France, Spain, Italy, Japan and China. By 2009 we had a presence also in Poland, the Netherlands, Sweden, Romania, the USA, South Korea and Australia. In 2010 we became leader in the retail antivirus market in the USA. In that year we also started sponsoring Ferrari Scuderia, and continue to do so today!
Moataz Salah: Do you think politics is involved in the information security business? For example, the USA banned Huawei and ZTE in the States; is that affecting Kaspersky, as a Russian company, in its sales in the USA?

Eugene Kaspersky: But computers are assembled in China. Intel’s processors are made in Israel, Ireland and China as well as the US. Most other chips are manufactured in either Taiwan or China. Microsoft R&D centers are in Israel. The SAP headquarters are in Germany, Sony’s - Japan, Acer’s - Taiwan. Does any of it all matter?

We live in the age of globalization. Kaspersky Lab has R&D centers and virus experts around the world, including Russia, Europe, Japan, China, the United States and Latin America. It’s simply not a question of where you come from any more.

In the early 2000s, when we first entered both the UK and US markets, we were perceived with a somewhat prejudiced attitude. Nobody noticed us. But that slowly but surely changed. And that was because of product superiority.
Moataz Salah: You conducted an amazing report about Red October. Do you have a clue which country initiated such attacks?
Eugene Kaspersky: No particular location stands out from the information; however, the exploits appear to have been created by Chinese hackers, while the Rocra malware modules have been created by Russian-speakers. Also, this doesn’t look like a nation-state sponsored attack. The information stolen by the attackers was highly confidential and sensitive, and included geopolitical data, which can be used by nation states. Such information could be traded on the cyberunderground and sold to the highest bidder, who could be anywhere.
Moataz Salah: Do antivirus companies, including yours, communicate with different security agencies in different countries, for example intelligence and others? If yes, can you give us an example of such communication?

Eugene Kaspersky: Sure, we have relations with law enforcement agencies - in many countries, not only in Russia - to which we provide expertise. Indeed, all the world’s leading security companies – including Symantec and McAfee/Intel – collaborate with law enforcement bodies in their own countries and worldwide to help fight cybercrime. CERTs, the FBI, FSB, INTERPOL etc. - it’s our duty to help them investigate criminal cases.

Law enforcement agencies need the expertise of security professionals. When in their own country they work with their national security firms. When cases cross national borders they need to work with security firms from the countries involved, or, more helpfully, with international security firms.

For example, we’ve agreed to work closely with the INTERPOL Global Complex for Innovation (IGCI). I met with Ronald Noble, INTERPOL Secretary General, and Noboru Nakatani, IGCI Executive Director, recently at our office in Moscow. We’ve agreed to send on secondment our top experts to the IGCI once it becomes operational in 2014, and also to provide broad functional support and threat intelligence on an ongoing basis.

Moataz Salah: What are Kaspersky Lab’s plans in the Middle East in 2013?

Eugene Kaspersky: The B2B market is a key strategic growth area for Kaspersky Lab’s development. Our positions in retail are quite strong, and now we’re moving our focus to the corporate and enterprise segments. We’re also concentrating on channel development and will enhance our recruitment activities. Finally, we’ll continue our efforts on cooperation with CERTs in fighting cybercrime.
Moataz Salah: A few days ago, a bug was published in Kaspersky Internet Security 2013 that can lead to a system freeze. Why don't you support different competitions like CTF or Pwn2Own with good rewards, especially for teens, instead of making them go to the black market, and at the same time enhance your product?

Eugene Kaspersky: In the Kaspersky Lab Education Department we have our own educational programs dedicated to the search for young talent; that’s why we’re not really interested in CTF competitions. Our programs are rather academic, e.g., the “CyberSecurity for the Next Generation” student conference.
Moataz Salah: From your experience, what is needed to build a startup malware research center?

Eugene Kaspersky: You need a time machine to take you back in time 20 years ☻☺. I believe it’s almost impossible to build a startup malware research center these days. Many developers have similar bodies. The competition is very tough, so building such a center from the ground up is extremely expensive. Furthermore, there are not all that many sufficiently skilled specialists on the planet; any startup would face the problem of recruitment. These two tasks make the probability of a successful launch minimal.

Moataz Salah: If you would like to give advice to a malware researcher in the Middle East who might be interested in joining Kaspersky Lab, what would you say to him?

Eugene Kaspersky: I’m happy that you’re fighting on the light side, not the dark! Only together can we save the world!

Check this out: www.kaspersky.com/vacancies. We’re always interested in talented professionals, so feel free to drop us a line.
New & News
Android Swift Key became key logger

One of the best-known third-party keyboard apps, ‘Swift Key’, was turned into a keylogger Trojan by an Android developer. The developer said that “anyone pirating Swift key is taking a serious risk” and explained: “Cracked copies of PC and iPhone apps can have malware as well of course but on both those platforms most software is compiled to machine code. Android apps are coded in Java and compiled to byte code that is run on the Dalvik VM and this byte code is not that hard to edit and insert back into an APK.”

Iran stopped VPN services

Ramezanali Sobhani-Fard, the head of parliament’s information and communications technology committee, said: “Within the last few days illegal VPN ports in the country have been blocked. Only legal and registered VPNs can from now on be used.”

Exploited at Pwn2Own

Researchers Jon Butler and Nils from MWR Labs said that “By visiting a malicious webpage, it was possible to exploit a vulnerability which allowed us to gain code execution in the context of the sandboxed renderer process. We also used kernel vulnerability in the underlying operating system in order to gain elevated privileges and to execute arbitrary commands outside of the sandbox with system privileges.” For this pwn they received $100,000 as a reward. Also during the competition, the French vulnerability research and bug-selling firm ‘Vupen’ brought down IE10 running on a Windows 8-powered Surface Pro tablet by exploiting a pair of flaws.
Apple App store was Vulnerable

Researcher Elie Bursztein (a Google developer) helped Apple fix a security flaw in its application store that for years had allowed attackers to steal passwords and install unwanted or extremely expensive applications. A malicious user could take advantage of the insecure connection to carry out a number of different attacks, for example stealing a password, forcing someone to purchase an app by swapping it with a different app than the one the buyer actually intended to get, or showing fake app updates, etc.

Hacking facebook accounts by OAuth vulnerability

White hat hacker ‘Nir Goldshlager’ reported to the Facebook security team an OAuth flaw in Facebook that allowed an attacker to hijack any account without the victim’s interaction with any Facebook application. Goldshlager pwned the Facebook OAuth mechanism by bypassing all the minor changes made by the Facebook team. He explains the complete saga of hunting the Facebook bug in a blog post.

United States Government websites attacked by Tunisian Cyber Army and Al-Qaeda Electronic Army

Attackers have targeted the U.S. Customs and Border Protection (cbp.gov) and Office of Personnel Management (OPM.gov) websites. The Tunisian Cyber Army team said that “they have compromised information such as username, encrypted passwords, private emails”. These attacks are part of their ongoing operation called “#OpBlackSummer”, an operation against the U.S. So far, they have hacked a large number of websites and compromised data. The hackers said their next target is gas and petroleum companies.

Indian hacker hacked Pakistani government sites

The Indian hacker “Godzilla” said that “Pakistan Government Switches under control. Pakistan admins please dont disturb us when we are working. Your official website www.pakistan.gov.pk will be up as soon as we finish are work.” He also said “You tried to use proxy for your security and we used the same proxy to crush you.” The attack includes a lot of sites, such as the Ministry of Information Technology, Ministry of Railways, Ministry of Religious Affairs, Ministry of Environment, Ministry of Science and Technology, etc.
Freeze PCs with Kaspersky Internet Security 2013

Marc Heuse (security researcher) reported that sending a fragmented IPv6 network packet with multiple extension headers, one of which is unusually long, to a Windows computer with Kaspersky Internet Security 2013 installed will freeze up the machine completely. The Russian security company confirmed the flaw, which it has fixed in its software; although Kaspersky Lab acknowledges the issue, it would like to stress that there was no threat of malicious activity affecting the PCs of any users who may have experienced this rare problem.

STC launches Security Control Center in KSA

Omer Abdullah Al-Nomany, STC vice president for information technology, said that “Hacking activities that target websites and businesses prompted STC to set up this center. It will operate 24 hours a day for monitoring and operating the Middle East’s largest telecom network in terms of technologies employed for providing services, solutions and security protection.” Samir Sidani, country manager for Saudi Arabia at Symantec, said that “Symantec Information Security Operation Centers minimize security threats. STC’s decision to partner with Symantec will help develop STC’s security systems.”

Israel’s infrastructure under threat of cyber attacks

Tal Pavel, an expert on Internet usage and crimes in the Middle East, said that “If nuclear weapons were the ‘judgment day’ weapon of the 20th century, computer infrastructure hacking is the 21st century equivalent,” and “In some ways, the threat of hacking major infrastructure systems is even worse than the nuclear threat,” he told The Times of Israel. “Only governments can afford to purchase and deploy nuclear weapons, so you know who is attacking you and how to deal with them. But anyone can develop or buy their own super-virus, potentially capable of a cyber-attack that could shut down a country for days, create panics or riots, or release dangerous substances, such as gas and sewage that can kill people in the victim country.” Israel is now more worried that Iran will be able to take over the country’s basic infrastructure, wreaking havoc with the gas, water and electricity systems, as well as the banking system.
Lebanese interior ministry’s website was hacked by a Syrian rebel group

A Syrian rebel group posted a message directed to Interior Minister Marwan Charbel. The message read: “We ask you to protect the Syrian activists on Lebanese soil from the violations of the security forces and the army, we will hold anyone who treated the Syrian people badly responsible, whether inside Syria or outside.” They also said that “The revolution has started in Syria and will end in Beirut’s southern suburb.”

DW TV Arabic and France 24 feeds hacked by the Syrian Electronic Army

DW TV Arabic and France 24 Twitter accounts were hacked by online activists loyal to the Syrian regime. The Syrian Electronic Army claimed responsibility for the attacks, and FRANCE 24’s social network team said that the hackers also tried to hijack the French- and English-language Twitter feeds by sending requests to re-initialize the accounts’ passwords. DW TV Arabic’s social network team had not commented on the attack as of the magazine’s print date.

HP LaserJet Professional printers under attack via remote data access

A critical vulnerability was discovered by a German security expert called Christoph, who said that “the vulnerability could also be used for a denial-of-service attack. As long as the printer is not connected to the Internet, this vulnerability should not cause much trouble for the end user.” The vulnerability affects 12 printer models, including HP LaserJet Pro P1102w, P1102w, P1606dn, M1212nf MFP, M1213nf MFP, M1214nfh MFP, M1216nfh Multifunction Printer, M1217nfw Multifunction Printer, etc.
User to User
Google Vulnerability Reward Program for Security Researchers

It’s very interesting to discover a vulnerability in a famous, high-profile website that is used by millions of users every day. And it’s even more interesting to be rewarded for that and get your name listed on the hall of fame for security researchers. That is exactly what happened to me after reporting a vulnerability to Google in one of their web applications. Allow me to share the full story with you.
The story started when I was doing some research on Google Web Services and its products. I noticed a service called “Doubleclick”, which is the subsidiary of Google that develops and provides Internet ad services for marketers and agencies. I followed the link of the service on www.google.com/doubleclick and I started reading more about it, then I used Google search to look for it in depth. From the search results I was able to identify a domain called doubleclick.com and some other sub-domains related to it, like “advertisers.doubleclick.net” and “studio.doubleclick.com”. Then I started running my favorite web penetration testing tool, “Burp Suite”, which helps me to capture all the requests made by the browser. I visited these domains and started to browse the pages of the website while Burp Suite was capturing all the requests, and suddenly, in one of the pages I was able to capture an Ajax request made to the link:

http://studio.doubleclick.com/ajax/externalpreviewiframe?h=DGFNAqXtFFxz4P4XUfRQpQ%3D%3D%0D%0A&height=0&&id=348635&isHTML5Preview=true&previewUrl=&studioDomain=.net&view=1ajax/externalpreviewiframe?view=1&width=0

I opened the link in the browser but wasn’t able to see anything interesting in it, but when I focused on the link parameters I noticed a query string parameter called “previewUrl” which had no value. From the name of the query I was able to identify that it might be used for a URL of some page, then I started thinking: why not try playing with it? I gave it a value for a link like http://twitter.com/robots.txt and guess what? Wow, it fetched the robots.txt link and showed it in the page source, so it can include any remote file from any URL and print the code in the same page with the same context as the DoubleClick domain.

So I tried to include a URL for a file which has JavaScript code like: <script>alert(‘Hello’)</script>, and yes, it worked smoothly and I could see the alert from the page saying HELLO! So now I had a remote file inclusion + cross site scripting (XSS); why should I wait? I started directly reporting the vulnerability to Google, and I sent them the proof of concept and demonstration for the vulnerability. After 2 days I got an email from Google security saying “Nice Catch!” and notifying me that they had confirmed the presence of the deficiency and were working to fix it. After 5 days I received another mail saying that the vulnerability was eligible for a reward and they would like to list my name on the Google hall of fame. No need to mention that I felt really happy and proud to be able to contribute and help the Google security team.

My recommendations:

1) Never ignore any web page that has inputs or parameters while you are doing web penetration testing, because even if the page doesn’t show anything interesting, it may still be vulnerable.
2) The Google Security Team is really fast at responding to security issues compared to other companies, which may reply to your initial report after 2 months.
3) If you discover a bug in a website like Google, never share it with someone else and don’t disclose it before it gets fully patched. Otherwise you will be accused and won’t receive a reward from the vendor.
Ahmed Aboul Ela
Information Security Consultant And CEO/Founder of Security4Arabs Community
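The bug in the story above has two halves: the server fetched whatever URL the previewUrl parameter named, and it wrote the fetched bytes into the page unescaped. The example below is an added illustration of the defensive side of both halves, written for this article; it is not DoubleClick or Google code and does not reproduce the original endpoint. The allow-listed host names, the request handler and the fetched page content are assumptions and constructed samples; only the parameter name previewUrl comes from the article.

```python
"""Defensive handling of a user-supplied preview URL.

Added illustration, not DoubleClick/Google code. The allow-listed hosts, the
handler and the sample page content are assumptions/constructed samples.
"""
import html
from urllib.parse import urlparse

# Hypothetical allow-list of hosts the preview service may fetch from.
ALLOWED_PREVIEW_HOSTS = {"preview-assets.example.com", "cdn.example.net"}
ALLOWED_SCHEMES = {"https"}


def is_allowed_preview_url(url: str) -> bool:
    """True only for absolute https URLs whose host is on the allow-list.

    Rejects empty values, other schemes (http, file, javascript, ...), userinfo
    tricks such as https://cdn.example.net@attacker.example/, non-default ports
    and ports that do not parse."""
    if not url:
        return False
    try:
        parsed = urlparse(url)
        if parsed.scheme not in ALLOWED_SCHEMES:
            return False
        if parsed.username is not None or parsed.password is not None:
            return False
        if parsed.port not in (None, 443):   # .port raises ValueError on junk
            return False
        host = (parsed.hostname or "").lower()
    except ValueError:
        return False
    return host in ALLOWED_PREVIEW_HOSTS


def render_preview_vulnerable(fetched_body: str) -> str:
    """The failure mode from the article: fetched content is written into the
    page unescaped, so any <script> in it runs in the site's own origin."""
    return '<div class="preview">' + fetched_body + "</div>"


def render_preview_safe(fetched_body: str) -> str:
    """Hardened rendering: the fetched content is HTML-escaped and therefore
    displayed as text instead of being parsed as markup."""
    return '<div class="preview">' + html.escape(fetched_body, quote=True) + "</div>"


def handle_preview_request(preview_url: str, fetch) -> str:
    """Simulated handler for ?previewUrl=... ; `fetch` is injected so the
    example runs offline (a real service would use its HTTP client here)."""
    if not is_allowed_preview_url(preview_url):
        return '<div class="preview">preview URL not permitted</div>'
    return render_preview_safe(fetch(preview_url))


if __name__ == "__main__":
    # Constructed sample of what a fetched remote file might contain.
    sample_pages = {"https://cdn.example.net/banner.html":
                    "<b>Hello</b><script>alert('Hello')</script>"}
    for candidate in ("https://cdn.example.net/banner.html",
                      "http://cdn.example.net/banner.html",
                      "https://attacker.example/x.html",
                      "https://cdn.example.net@attacker.example/x.html"):
        print(candidate, "->", is_allowed_preview_url(candidate))
    print(handle_preview_request("https://cdn.example.net/banner.html", sample_pages.get))
```

The allow-list check is done on the parsed host, not by string-prefix matching, which is why the userinfo form `https://cdn.example.net@attacker.example/` is rejected even though it starts with the trusted name; escaping the fetched body is still applied afterwards, since an allow-listed host can also serve content you do not control.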
Critical vulnerability in twitter mobile app for devices I downloaded the latest version of your app from appworld store http://appworld.blackberry.com/webstore/content/8160/? Then i logged in and i found that all my tweets and private messages are sent in cleat text !
I found that incoming messages and outgoing messages are sent in clear text (HTTP), and anyone on the same wireless network (coffee shop, hotel or even restaurant) can sniff my traffic and read my tweets and my private messages; plus, cookies are being sent in clear text and anyone can use these cookies to hijack my Twitter account. that use the app for BlackBerry are vulnerable to this attack (MITM) and any attacker on the same wireless network can spy on their private messages and tweets.
Steps to generate the vulnerability:
1. Just open the Twitter app using any BlackBerry device.
2. Start Wireshark to view the traffic; you will see that the sign-in process is sent over HTTPS but after that all my tweets and personal messages are sent in clear text (HTTP).
3. You can also use any BlackBerry emulator instead of a BlackBerry device.
Mohamed Ramadan
Security Researcher and Trainer
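The server-side mitigation for the report above is to make the session cookie unusable over plaintext and to tell clients to stay on HTTPS. As an added illustration in JavaScript (not Twitter's or BlackBerry's code, with constructed sample responses), this audit function parses a raw HTTP response and reports the weaknesses that make the cookie-sniffing scenario possible:

```javascript
// Added example (JavaScript), not Twitter's or BlackBerry's code: audit the
// headers of an HTTP response for the conditions that make the cleartext
// cookie problem in the report exploitable. Sample responses are constructed.

// Split a raw response into its status line and [name, value] header pairs.
function parseResponse(raw) {
  const [statusLine, ...lines] = raw.split(/\r?\n/);
  const headers = [];
  for (const line of lines) {
    const i = line.indexOf(':');
    if (i > 0) headers.push([line.slice(0, i).trim().toLowerCase(), line.slice(i + 1).trim()]);
  }
  return { statusLine, headers };
}

// `scheme` is the scheme the client actually used ('http' or 'https').
// Returns a list of human-readable findings; an empty list means nothing found.
function auditResponse(scheme, raw) {
  const { headers } = parseResponse(raw);
  const findings = [];
  if (scheme !== 'https') {
    findings.push('response delivered over cleartext HTTP: body and cookies readable on the wire');
  }
  for (const [name, value] of headers) {
    if (name !== 'set-cookie') continue;
    const attrs = value.split(';').map((s) => s.trim().toLowerCase());
    const cookieName = attrs[0].split('=')[0];
    if (!attrs.includes('secure')) {
      findings.push(`cookie ${cookieName} lacks Secure (browsers will send it over http)`);
    }
    if (!attrs.includes('httponly')) findings.push(`cookie ${cookieName} lacks HttpOnly`);
  }
  const hsts = headers.find(([name]) => name === 'strict-transport-security');
  const maxAge = hsts && /max-age=(\d+)/i.exec(hsts[1]);
  if (!hsts || !maxAge || Number(maxAge[1]) === 0) {
    findings.push('no effective Strict-Transport-Security header: clients are not told to stay on https');
  }
  return findings;
}

// Constructed sample: a session cookie set without any protection.
const WEAK_RESPONSE = [
  'HTTP/1.1 200 OK',
  'Content-Type: application/json',
  'Set-Cookie: auth_token=0123456789abcdef; Path=/',
  '',
].join('\r\n');

// Constructed sample: the same response after hardening.
const HARDENED_RESPONSE = [
  'HTTP/1.1 200 OK',
  'Content-Type: application/json',
  'Set-Cookie: auth_token=0123456789abcdef; Path=/; Secure; HttpOnly; SameSite=Lax',
  'Strict-Transport-Security: max-age=31536000; includeSubDomains',
  '',
].join('\r\n');

console.log(auditResponse('http', WEAK_RESPONSE));      // four findings
console.log(auditResponse('https', HARDENED_RESPONSE)); // []
```

The Secure attribute stops a browser from ever sending the cookie over http, and HSTS stops it from attempting a plain http connection at all. A native app that ignores cookie attributes is only protected if the API itself refuses to answer over plain HTTP, which is why the scheme check is the first finding.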
Reward for Spam & Virus Firewall XSS Vulnerability

Barracuda Networks is one of those companies who have a bug bounty program.
What is a bug bounty program?
Simply: find a vulnerability in our applications and we will reward you. But Barracuda firewall is not a free product! So how could I conduct a vulnerability assessment for their products? This is why they've created sub-domains with the ability to log in as a guest account for their applications and conduct whatever test you want. Domains can be found here: http://www.barracudalabs.com/bugbounty/
So I chose one of the domains, logged in with guest as the user and password and started the test. What is the first thing to do? Take this advice very seriously: "Always look at the source code". After I logged in, I viewed the page source code ("CTRL+U" if you are using Firefox). Why? To check for the URL parameters and to see which values are reflected inside the page; if a parameter value is reflected inside JavaScript tags it will be something like 70% vulnerable to XSS! Let's take an example:
http://spam.ptest.cudasvc.com/index.cgi?auth_type=Local&et=1363785031
After viewing the source code I figured out that the value of the "auth_type" parameter is reflected inside JavaScript tags in the page source, e.g.
<script type="text/javascript">
var currentUser = guest;
var currentAuth = Local;
</script>
In normal cases you would use vectors with tags such as "><script>alert(1)</script> to execute a JavaScript vector, but this is valid if the value is reflected inside an HTML tag. In that case it's already reflected inside JavaScript tags, so there is no need to use tags; it means that we will use only alert(1) to exploit this vulnerability. We have to comment out the vector in case there is other code to be executed after our vector. You remember in SQLi you use -- to comment, right? Here we will use // to comment out the vector, and will use ; before the payload to close the code. So the final vector is: ;alert('Zigoo')//
The URL will be like:
http://spam.ptest.cudasvc.com/index.cgi?auth_type=Local;alert('Zigoo')//&et=1363785031
which will be reflected inside the source code as:
<script type="text/javascript">
var currentUser = guest;
var currentAuth = Local;alert('Zigoo')//;
</script>
Bingo! No filtering for the symbols, so the payload executed and alerted Zigoo.
Ebrahim Hegazy
An Egyptian security researcher acknowledged by Microsoft, Adobe, Apple.
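The write-up above is a reflection into a JavaScript context, where HTML-oriented filtering does not help. The following added example in JavaScript (not Barracuda's code; the parameter names and the small template are assumptions for the illustration) shows the vulnerable rendering pattern beside the fix, and a small harness that runs the rendered script with a recording alert() so the difference can be observed:

```javascript
// Added example (JavaScript), not Barracuda's code: the two ways a request
// parameter can be placed inside a <script> block. renderUnsafe() reproduces
// the pattern described above; renderSafe() is the fix. The parameter names
// and the small template are assumptions for the illustration.

// Vulnerable: the raw value is pasted into JavaScript source, so a ';'
// in the value ends the assignment and whatever follows is executed.
function renderUnsafe(params) {
  return `<script type="text/javascript">
var currentUser = ${params.user};
var currentAuth = ${params.auth_type};
</script>`;
}

// Encode any value as a JavaScript string literal that is also safe inside
// an HTML <script> element: JSON.stringify handles quotes and backslashes,
// the extra escapes keep "</script>" or "<!--" from ending the block and
// neutralise the U+2028/U+2029 line terminators.
function jsStringLiteral(value) {
  return JSON.stringify(String(value))
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

// Fixed: the value can only ever be string data, never code.
function renderSafe(params) {
  return `<script type="text/javascript">
var currentUser = ${jsStringLiteral(params.user)};
var currentAuth = ${jsStringLiteral(params.auth_type)};
</script>`;
}

// Harness: execute the rendered script body with a recording alert() and
// report what it did. `guest` and `Local` are stand-ins for the bare
// identifiers the original page's script refers to.
function runRenderedScript(html) {
  const body = html.replace(/^<script[^>]*>/, '').replace(/<\/script>$/, '');
  const alerts = [];
  const vars = new Function('alert', 'guest', 'Local',
    `${body}\nreturn { currentUser, currentAuth };`)((msg) => alerts.push(msg), 'guest', 'Local');
  return { alerts, vars };
}

const request = { user: 'guest', auth_type: "Local;alert('Zigoo')//" }; // the write-up's vector
console.log(runRenderedScript(renderUnsafe(request)).alerts);          // [ 'Zigoo' ]
console.log(runRenderedScript(renderSafe(request)).vars.currentAuth);  // "Local;alert('Zigoo')//"
```

The fix is context-specific: HTML entity encoding would leave the ';' and the parentheses untouched, which is exactly why the write-up's vector needs no tags. Encoding the value as a JavaScript string literal is what makes the parameter data rather than code.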
Fighting spam with pure functions
Like any popular Internet site, Facebook is a target for abuse. Our Site Integrity engineers rely on FXL, a domain-specific language forged in the fires of spam fighting at Facebook, to quash this abuse before it can affect our users. Feature eXtraction Language (FXL) evolved in response to our need for a fast, flexible, safe way to write rules for identifying spam.
Spam threats to Facebook’s site integrity change on a daily, or even hourly, basis. Attackers peddling a “free iPad 5” scam one day might tempt users with false promises of various gift certificates the next. Fortunately, FXL provides us with the capabilities to keep pace with constantly evolving threats. FXL offers two key advantages: it is simple and easy to write, yet extremely efficient for Facebook-sized workloads.
Do we really need another programming language?
Building your own language is almost always a bad idea. We know this. In actuality, FXL is not a novel language. It's better described as a narrowly-optimized implementation of a well-chosen subset of Standard ML (with some customized syntax). We tried hard to tread no new language ground, but instead aggressively optimize FXL for our needs. Specifically, our use case requires that FXL fetch large numbers of data objects across the graph. Detecting and responding to spam attacks requires data from a multitude of sources, and FXL is ruthlessly efficient at fetching this data. This primary purpose gives FXL its name: Feature eXtraction Language. Consider a few contrived spam fighting rules, expressed in FXL, for catching dangerous URLs:
If (Reputation(SharedUrl) < 0) Then [LogRequest] Else []
If (Reputation(SharedUrl) == MALWARE) Then [BlockAction, LogRequest] Else []
If (Average(Map(Reputation, PreviousSharedUrls(User, 5))) < 0) Then [WarnUser, LogRequest] Else []

These rules retrieve the user's URL sharing history and fetch data from a URL reputation service. While they coherently express business logic for detecting spam, these rules are poor expressions of the optimal data fetching logic. A conventional implementation would evaluate this code top to bottom, left to right. We would fetch data sequentially, conducting an excessive number of network round trips between the machine executing FXL and the reputation service. This is a classic problem of large computer systems: naively mixing business logic with data fetching logic, resulting in pathologically bad performance. A more sophisticated approach would find a way to batch these data fetches in a single network round trip. FXL was designed to do precisely this and automate these data fetches.
Pure functions to the rescue
By making certain assumptions about the state of the environment in which we execute FXL, we are able to treat FXL as a “pure” language with no side effects. Whenever we need to run a set of rules on a piece of content, we assume that the data in our infrastructure does not change during this classification. FXL functions themselves have no side effects and do not update the data in our infrastructure. This has some important consequences:
All features and functions can be safely memoized...
1. F(X) will always be Y, no matter how many times we compute it
2. Random() is not pure, therefore not memoizable (and not allowed in FXL)

or executed lazily...
1. "False && F(X)" can safely skip F(X)
2. "If False Then True Else F(X)" as well

or safely reordered.
1. "G(F(x), F(y), ...)" will give the same result, no matter which F is executed first.
2. "A(x) + B(x) + C(x)" as well

We aggressively use these properties to automatically optimize the execution of FXL.
Automatic Batching

Let's take another look at this snippet from our example above:

Map (Reputation, PreviousSharedUrls (User, 5))

This snippet will make up to five requests to our fictional URL reputation service. Luckily for us, FXL will batch all five of these requests together and perform them simultaneously. As a result, the time to make all five requests is about the same as the time to make just one request. This is not a special property of the Map() function, as this optimization is performed across all expressions of all rules. FXL is able to batch requests together because the order in which it evaluates these function calls has no bearing on their results (this follows from their lack of side effects). FXL will actually halt the execution of one function, begin executing a second function, and only later return to complete executing the first function.

In the call to Map() above, FXL makes five calls to Reputation(). FXL begins executing the first call to Reputation(), then halts its execution at the point it would need to fetch data from the URL reputation service. FXL then begins executing the second call to Reputation(), halting again before fetching any data. FXL repeats this begin-and-halt procedure on the third, fourth, and fifth calls to Reputation() as well. At this point, no functions remain which have not been partially executed. No function can proceed without fetching data, so FXL fetches all the data needed by these functions in a single batch. Having obtained the URL reputation data, it can resume execution of all five calls to Reputation(). We have estimated that FXL's batched fetching is responsible for a factor of twenty speedup when compared to a naïve execution model that fetches data eagerly.

Memoization

Because all data fetching is delayed as long as possible, it actually becomes quite easy to eliminate duplicate requests for the same data (at least within a given round of data fetching). We actually take this one step further and memoize all common FXL expressions. In other words, if two features contain two identical expressions within them, due to the properties of pure functions, those two expressions will result in an identical answer. We execute that common subexpression only once, sharing the result in both places.

Summary

FXL is a remarkably simple language that allows engineers and analysts alike to write rules to deal with abuse on the site. We crafted FXL to satisfy two constraints: 1) expressively codify the business logic of fighting spam and 2) fetch data as efficiently as possible. The automatic, and aggressive, data fetching optimizations are a direct consequence of the pure execution model.
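The begin-and-halt batching and the memoization described above can be shown in a few dozen lines. The following is an added example in JavaScript, not Facebook's FXL implementation; the service names, URLs and reputation values are constructed. Each rule is written against a small deferred-computation API: a computation either holds a finished value or is blocked on a set of data keys with a continuation, and the evaluator fetches every outstanding key of every rule in one batch per round before resuming them all.

```javascript
// Added example (JavaScript), not Facebook's FXL: a miniature evaluator that
// shows how pure, side-effect-free rules let data fetches be deferred,
// deduplicated and batched. Service names, URLs and reputation values are
// constructed for the illustration.

const MALWARE = -100; // constructed sentinel for the MALWARE reputation class

// A deferred computation is either finished ({done: true, value}) or blocked
// on some data keys ({done: false, keys, resume}); resume(results) continues
// it once those keys are known. This is the "begin, halt at the fetch, resume
// later" behaviour described above.
function finished(value) {
  return { done: true, value, keys: [], resume: () => finished(value) };
}
function fetchKey(key) {
  return { done: false, keys: [key], resume: (results) => finished(results.get(key)) };
}
// Apply a pure function to the eventual value.
function fmap(f, x) {
  if (x.done) return finished(f(x.value));
  return { done: false, keys: x.keys, resume: (r) => fmap(f, x.resume(r)) };
}
// Combine independent computations: their keys are merged so one round of
// fetching serves all of them (this is what lets Map(Reputation, ...) batch).
function all(xs) {
  if (xs.every((x) => x.done)) return finished(xs.map((x) => x.value));
  return {
    done: false,
    keys: xs.flatMap((x) => x.keys),
    resume: (r) => all(xs.map((x) => x.resume(r))),
  };
}
// A computation whose next fetch depends on an earlier result (the
// reputations of URLs we only learn after fetching the sharing history).
function flatMap(f, x) {
  if (x.done) return f(x.value);
  return { done: false, keys: x.keys, resume: (r) => flatMap(f, x.resume(r)) };
}

// Memoized features: the same expression yields the same node, so a
// reputation used by two rules is fetched once per evaluation.
function makeFeatures() {
  const cache = new Map();
  const memo = (key) => {
    if (!cache.has(key)) cache.set(key, fetchKey(key));
    return cache.get(key);
  };
  return {
    reputation: (url) => memo(`rep:${url}`),
    previousSharedUrls: (user, n) => memo(`history:${user}:${n}`),
  };
}

const average = (xs) => xs.reduce((a, b) => a + b, 0) / xs.length;

// The article's three rules, written against the deferred API.
function rules(F, ctx) {
  return [
    fmap((r) => (r < 0 ? ['LogRequest'] : []), F.reputation(ctx.sharedUrl)),
    fmap((r) => (r === MALWARE ? ['BlockAction', 'LogRequest'] : []), F.reputation(ctx.sharedUrl)),
    fmap(
      (avg) => (avg < 0 ? ['WarnUser', 'LogRequest'] : []),
      fmap(average, flatMap((urls) => all(urls.map(F.reputation)), F.previousSharedUrls(ctx.user, 5))),
    ),
  ];
}

// Evaluate all rules: every round fetches the full set of outstanding keys
// in ONE batch, then resumes every halted computation with everything known.
function evaluate(ctx, backend) {
  let node = all(rules(makeFeatures(), ctx));
  const known = new Map(); // results fetched so far in this evaluation
  const batches = [];
  while (!node.done) {
    const keys = [...new Set(node.keys)].filter((k) => !known.has(k)); // duplicates collapse here
    batches.push(keys);
    for (const [k, v] of backend.batchFetch(keys)) known.set(k, v);
    node = node.resume(known);
  }
  return { actions: [...new Set(node.value.flat())], batches };
}

// Constructed stand-in for the sharing-history and URL reputation services.
const DATA = {
  'history:alice:5': [1, 2, 3, 4, 5].map((i) => `http://a.example/${i}`),
  'rep:http://a.example/1': -10,
  'rep:http://a.example/2': 3,
  'rep:http://a.example/3': -20,
  'rep:http://a.example/4': 1,
  'rep:http://a.example/5': -4,
  'rep:http://bad.example/x': MALWARE,
};
function makeBackend() {
  return { batchFetch: (keys) => new Map(keys.map((k) => [k, DATA[k]])) };
}

const result = evaluate({ user: 'alice', sharedUrl: 'http://bad.example/x' }, makeBackend());
console.log(result.actions, result.batches); // two rounds; eager evaluation would make eight sequential requests
```

Two things are visible in the output: rules 1 and 2 both ask for the reputation of SharedUrl, but the first batch contains that key once, and the five reputations needed by the Map() are requested together in the second round, which only exists because the history had to be fetched first. A rule that had no data dependency on an earlier fetch would be served entirely in round one.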
Louis Brandy
I am a Site Integrity Engineer at facebook.com
EG-CERT REPORT: Incidents

This report summarizes the incidents that the team faced during the year 2012.

EG-CERT Team Summary of Incidents in the year 2012 (incident type: number of incidents)

Web site defacement (accessing the server that hosts the site and changing its data): 97
Mass defacement (defacing several sites which are hosted on the same server): 11
Malware (downloading malware onto the victim machine while browsing an infected site): 11
DDoS (stopping the service or access to data and making computer resources unavailable): 7
SQL injection (retrieving confidential data from a database in an unauthorized way): 1
Internet outage (stopping Internet service due to accidents like cable cuts or server damage): 1
Phishing (attempting to acquire information such as usernames and passwords by masquerading as a trustworthy entity in an electronic communication): 9
Others: 3

• Total number of incidents: 140
• Number of solved incidents: 132
• Number of unsolved incidents: 8

Chart: Incidents state (solved: 132, unsolved: 8).
Region's Evolving Threat Landscape Set to Dominate Agenda as IDC's IT Security Roadshow Returns to Dubai

Dubai, March 20, 2013

International Data Corporation (IDC), the premier global provider of market intelligence, advisory services, and events for the information technology, telecommunications, and consumer technology markets, is gearing up for the return to Dubai early next month of its hugely popular IT Security Roadshow. Taking place at the city's luxurious Mina A' Salam hotel on April 3, the eighth edition of this pioneering annual conference will bring together around 100 of the emirate's most senior IT security managers for a series of in-depth discussions on global best practices, next-generation IT security trends, and the major challenges and opportunities posed by both. The arrival of IDC's IT Security Roadshow 2013 in the UAE serves as a timely reminder of the constantly evolving threats that the wider region is now facing. Indeed, the region has become one of the first ever battlegrounds for all-out 'cyber warfare', with Stuxnet and versions of Flamer impacting the energy sector, and Anonymous launching attacks in both Turkey and South Africa. Such instances have undoubtedly helped push IT security firmly to the forefront of the IT decision maker's agenda. "The past two years have seen an intensification of the threat landscape in the Middle East and Africa as attacks have increased in both frequency and complexity," says Megha Kumar, IDC's research manager for software and enterprise solutions in the Middle East, Africa, and Turkey. "Incidents are no longer limited to isolated breaches but have progressed to become large-scale denial-of-service attacks, identity thefts, and targeted attacks. Even more recently, cyberspace has become a platform for political activism with Web sites being defaced and defamed in direct retaliation against governments."

It is against this backdrop that Ms. Kumar will open the IT Security Roadshow 2013 in Dubai with an in-depth assessment of this new reality and the impact it has had on organizations as they strive to pre-empt and contain future attacks. She will also examine the strategies and solutions that they should now be employing to ensure the highest levels of risk mitigation possible. Ray Kafity, FireEye's regional sales director for the Middle East, Africa, and Turkey, will then take to the stage to explain why targeted attacks such as advanced malware and APTs are experiencing increasing success when it comes to stealing corporate IP and data. He will highlight the deficiencies within existing infrastructure that are fueling this success, and present insights into the new model of IT security that is required in order to remain protected in the face of this evolving threat landscape. Next up will be Nicolai Solling, the director of technology services at helpAG Middle East, who will dissect the machinations of the next-generation firewall, providing the gathered delegates with detailed insights into what sets different vendors apart and what organizations should really expect to gain from its implementation. He will be followed by Ram Narayanan, a security consultant with Check Point Software Technologies, who will offer advice on identifying the intrusion exploits that organizations are most commonly exposed to and explain how such deficiencies can be remediated once and for all. The day will also feature a revealing case study from Arun Tewary, CIO of Emirates Flight Catering, during which he will detail real-life implementations of cutting-edge technology solutions within his organization and outline the challenges, opportunities, and benefits encountered along the way. He will then take part in an open panel discussion with Hariprasad Chede, senior manager for information security at National Bank of Fujairah, on the day-to-day realities of ensuring IT security in the challenging environs of the modern UAE. The half-day event will then be brought to a close by Amro Al Olaqi, a senior consultant at Verizon, who will present his views on the top 10 critical Web application security issues as defined by the Open Web Application Security Project (OWASP).

In order to ensure the very latest technology developments are covered at the IT Security Roadshow 2013 in Dubai, IDC has partnered with a number of cutting-edge software and technology vendors. FireEye, help AG, and Palo Alto Networks will participate as the event's Gold Partners, while Check Point Software Technologies and Computerlinks will serve as Silver Partners. Security Kaizen Magazine is the roadshow's official Media Partner for Dubai. IDC's IT Security Roadshow 2013 began in Ankara on March 5 and is set to visit a total of 12 of the region's foremost business hubs during its tour of the Middle East, Africa, and Turkey. Next up is Riyadh on April 8, followed by Abu Dhabi (April 17), Doha (April 23), Cairo (April 29), Nairobi (June 5), Johannesburg (August 7), and Casablanca (November 14).

For more information about IDC's IT Security Roadshow 2013 and to learn about the range of flexible partnership opportunities on offer, please contact Ms. Ronita Bhattacharjee, associate vice president for conferences at IDC Middle East, Africa, and Turkey, at rbhattacharjee@idc.com or on +971 4 391 2747.

About IDC

International Data Corporation (IDC) is the premier global provider of market intelligence, advisory services, and events for the information technology, telecommunications, and consumer technology markets. IDC helps IT professionals, business executives, and the investment community make fact-based decisions on technology purchases and business strategy. More than 1,000 IDC analysts provide global, regional, and local expertise on technology and industry opportunities and trends in over 110 countries worldwide. For more than 48 years, IDC has provided strategic insights to help our clients achieve their key business objectives. IDC is a subsidiary of IDG, the world's leading technology media, research, and events company. You can learn more about IDC by visiting www.idc.com.
Professional Development: Choosing the Right Track

Training, professional development, learning, etc. are all terms that have caused much controversy in various domains, but specifically in the information security domain. All of these terms serve a specific purpose and aim to provide one with the necessities to perform in the domain, progress in one's career and simply earn more. I would like you to bear with me through the introduction I will serve now, as it is necessary to analyze and understand the reasons for choosing a specific training program, a conference to attend or a certain career path.
Educational activities were identified back in 1956 by Bloom to fall into one of three domains: Cognitive (Knowledge), Psychomotor (Skills) and Affective (Attitude), also known as KSA. US federal government job openings require candidates to provide a series of narrative statements to determine the best fit for a job that also matches the KSA; only in this case KSA is slightly different and refers to Knowledge, Skills and Abilities. Professional development (not career development), in my point of view, depends on the type and amount of Knowledge, Skills and Abilities you possess. Generally speaking, the mainstream for knowledge acquisition is training courses and reading, whereas the mainstream for skills acquisition would be hands-on labs, shadowing others or the trial and error efforts you exert while performing certain tasks on the job. The tricky part is usually the ability. I believe that you cannot provide someone with an ability he does not have. It's simply a gift by the creator! However, you can easily develop someone's existing abilities. Take for example the ability to memorize. If one has a good memory, you can help her/him develop that in a more organized manner to allow him to memorize more. On the other hand, you cannot simply inject, for example, analytical abilities into someone who simply doesn't have them.

Now let us move on to the practical application of the above in the information security domain. I believe that picking the correct career path, and accordingly the relevant training domain, should be based on the abilities you possess. For example, if you have the ability to come up with "what if" scenarios you might pick a career in the Governance, Risk & Compliance domains in information security. On the other hand, if your outstanding ability is in the analytical domain, then forensics might be your best domain of choice. Choosing your career path eliminates a set of professional development paths that do not fit with your aspirations. Now let us come to the hard part: choosing the right training course and the right provider. One of the main criteria I consider when choosing the right training provider is how comprehensive the training curriculum this provider offers is. When considering comprehensiveness, you ought to think about depth and breadth. By depth I mean how many levels I have to go through to complete a certain training track. Though going through fewer courses or levels (e.g. fundamental, intermediate or advanced) might be tempting to a trainee, it does not necessarily mean that you are served the right "value for money".

The type of education you ought to aspire to should provide you with the right knowledge and skills. While knowledge might seem, more or less, to be standard across several training providers, it is not in fact. To evaluate that, look up the authors of the training materials and how frequently they are updated. Authors' experience and exposure means that more of the practical information will be included in the courses. The frequency of updates is a "double edged sword". While less frequently updated material means that the knowledge is outdated, training material that is updated all the time means that the training you just attended a couple of months ago will soon lose its market value. I would always tend to the more frequently updated choice in the advanced courses while opting for the less frequently updated in the fundamental courses, which rather provide the learner with concepts and basics.

Coming back to the issue of breadth, I am here referring to the number of knowledge domains covered by the training tracks the vendor offers. For example, it is common for an incident handling professional to grow into a forensics analyst. It is also common for a penetration tester to want to expand his knowledge into specific security issues related to virtualization and cloud security. Training providers that offer a breadth of information security training are generally better. This is because it is much easier for you to get used to a model for training and certification and continue with that model. Trainer certification methods are among the criteria you should consider. The more aggressive the approach of the training vendor in certifying trainers, the better the quality of the trainer who will be delivering to you. In fact, the aggressiveness of the training provider in qualifying trainers is part of the overall certification aggressiveness. As much as this might make professional development harder, the more aggressive the certification process is, the more recognized the certificate will be in the job market afterwards. It is also worth noting that all the previous qualities do not really come for free. You will commonly pay much more for higher quality training and certification. Accordingly, short-term financials are sometimes a major hurdle that prevents you from attending the actual training you aspire to.

Given the years of experience the author of these words has had in the training domain, I can safely say that although 50% of the success of any professional development depends on the curriculum, the training provider and the trainer, the remaining 50% depends on the trainee choosing the right focus, motivation to learn and ability. My advice would simply be: choose wisely, focus on a career path, think in terms of knowledge and skills while considering your abilities, and finally consider the value of the certification you earn.
Ahmed Elashmawy
Principal Consultant at securemisr