Cyberwar&Cybercrime

Page 1


Global���������������� Management Recruitment ������������������������������������������������������������������� ������������������������������������������������������������������������������������������������������������ �����������������������������������������������������������������������������������������

��������������������������������������������� ��������������������������������������������������������������������������������� ����������Permanent ������������������������������������������������������������������������������������������������������������� ���������������������������������������������������������������������������������������������������������� ����������������������������������������� ��������������������������������������������������������������������������������������������������������������� ����������������� ������ ����������������������������������������������������������������������������������������� ���������������������������������������������� ������ ��������������������������������������������������������� ������������������������������������������������������������������������ ������ �������������������������������������������������������������������������������������������� ��������������������������������������������������� ������������������������������������������� ������ ������������������������� ����������� ������ ������������������ ������ ���������������������������������� ������ ����������������������������������������� �����������������������������������������������������������������������������������������������������������������������������������������

���������������������������������������������������������� ���������������������������������������������������������������������������� �������������������� �������������������������������������������������������������������������������������������������������������������� ��������������������������������������������������������������������������������������������������������� ���������������� �������������������������������������������������������������������������������������������������������������������� ������������ ����������������������������������������������������������������������������������������������������������������� ������������ ������ �������������������������������������������������������������������������������������������������������������� ������������� ������������������������������������������������������������������������������������������������������������������ ��������������������������� ������������������������������������������������������������������������������������������ ������ ������������������������������������������������������������������������������������������������� ������������� ����������������������������������������������������������������������������������������������������������������� �������������� �������������������������������������������������������������������������������������������������������������� ��������������������������������������������������������������������������������������������������� ������ ������������������������������������������������������������������������ �������������������������������������������������������������������������������������������������������������������������������������������������

�������������������� �������������������������� �������������� ��������������

���������� ������������������� ��� ��������������������� ������ �����������������

���������������� �����������������������


Global I.T. Security Training & Consulting

������������������������������������������������������������ ���������������������������������������������������������������� ����������������������������������������������������������� ������������������������������������������������������

IS YOUR NETWORK SECURE?

www.mile2.com ��

mile2 Boot Camps

A Network breach... Could cost your Job! Available Training Formats � � � � �

������������������������� ����������������� ������������������������������������������� ���������������������������������� ����������������������������������������������

������������������������ �������������� �������������������� ������������������ ����������������������������

�������������������

� ������� �������� ������ ������

�� ���� ��� ���� ��� ���� ��������� ��� ����

� � ����������������������������������������� Other New Courses!! ���� ��������������������� �������� � ������������������������������������� �������� ������������������� ��������� � ��������������������������������������� ����������� ���� � � ���������������������� ���������� ��������������������������� �������� � ������������������������������� ��������� ��������������������������� ���������� �������������������������� � � �������������������������� ������� ����������������������������������� ��������� �������������������������������������������������� ��������������� ������� � ������������������������������������������������ ���������

������������������������������ ����������������������������������������

� � ����������������� �������� � �����������������������������������

(ISC)2 & CISSP are service marks of the IISSCC. Inc. Security+ is a trade mark of CompTIA. ITIL is a trade mark of OGC.GSLC & GCIH are trademarks of GIAC.

INFORMATION ASSURANCE SERVICES

����������������� �������������

���������������������������������������� ��� ������������������� ��� ������������������������� ��� ������������������������������������� ��� �������������� ��������������������������������������������

�������������� ���������������

11928 Sheldon Rd Tampa, FL 33626


EDITOR’S NOTE

06/2012 (14) Dear Readers!

TEAM Managing Editor: Malgorzata Skora malgorzata.skora@software.com.pl Associate Editor: Shane MacDougall shane@tacticalintelligence.org 2nd Associate Editor: Aby Rao abyrao@gmail.com Betatesters / Proofreaders: Johan Snyman, Jeff Weaver, Dan Felts, William Whitney, Marcelo Zúniga Torres, Harish Chaudhary, Cleiton Alves, David Kosorok Senior Consultant/Publisher: Paweł Marciniak CEO: Ewa Dudzic ewa.dudzic@software.com.pl Art Director: Ireneusz Pogroszewski ireneusz.pogroszewski@software.com.pl DTP: Ireneusz Pogroszewski Production Director: Andrzej Kuca andrzej.kuca@software.com.pl Publisher: Software Press Sp. z o.o. SK 02-682 Warszawa, ul. Bokserska 1 Phone: 1 917 338 3631 www.pentestmag.com Whilst every effort has been made to ensure the high quality of the magazine, the editors make no warranty, express or implied, concerning the results of content usage. All trade marks presented in the magazine were used only for informative purposes.

All rights to trade marks presented in the magazine are reserved by the companies which own them. To create graphs and diagrams we used program by

Mathematical formulas created by Design Science MathType™

DISCLAIMER!

Is there or is there not cyberwar? There are those who claim that the world we know is going to be torn apart by those who will seize and hold the power through cyber attacks. For others, war rhetoric is not only an exaggeration but also a threat to security. We decided to take up those matters and devote this issue of PenTest to cyberwar and cybercrime topics. The Cyberwar section is composed of two articles that present two contradictory views on cyberwar. Johan Snyman arguing that There Is No Cyberwar engages in polemics with Cecilia Mcguire who writes about Digital Apocalypse.... Whose arguments are more convincing? Read and decide on which side of the barricade you are. Four articles in the section Cybercrime are to portray present situation and problems in the IT Security world and how they can influence a pen tester’s life. Billy Stanley in his article The State of Information Security describes present-day situation, defines the problem, describes the adversaries and proposes solution. If you are not convinced yet, John Strand will try to prove that Penetration Testing Can Save Lives. This time Jon Ringler prepared for you a great article about cyber criminals using Defense in Depth. The author refers to cyberwar and proposes how pen testers can evolve and start winning it. David Cook’s article may especially interest those who are curious about the law issues. We all in our countries have examples of invalid, paradoxical or imprecise laws. In the article entitled Uncertain Law Leaves Penetration Testers in Limbo David reveals meanders of the hacking law. This time we would like to present to you 2nd International Conference on Cybercrime, Security and Digital Forensics. The fight between bad and good guys is always grueling and requires unification of forces. The conference chairman, Dr. Ameer Al-Nemrat, talks about co-operation between many players and other purposes of this big meeting in London. Ironically, thanks to risk and attacks pen testers are needed on the market. To help you find better job opportunities we have for you two great interviews. The first one is with James Foster from Acumin, an international Information Security and Risk Management recruitment company. The second one is with, already known to you, Debbie Christofferson, International Board Director at ISSA, on seeking employment, working as a freelancer and introducing changes at your company. PenTest Regular ends with regular sections PainPill and Read. John B. Ottman presents fourth chapter of his book Save the Database, Save the World. Dean Bushmiller in his article Pen Testing Scope Drift: Everyone gets excited; No one is getting paid convinces how important is to focus on your tasks and not let yourself drift away. I hope that you will find this issue worthwhile. If you have any suggestions for us concerning topics, problems you want to read about or people you would like to know better thanks to PenTest please, feel free to contact us at en@pentestmag.com. Thank you all for your great support and invaluable help. Enjoy reading! Malgorzata Skora & PenTest Team

The techniques described in our articles may only be used in private, local networks. The editors hold no responsibility for misuse of the presented techniques or consequent data loss.

06/2012 (14) June

Page 4

http://pentestmag.com


CONTENTS

CYBERWAR

06

(banner ads, etc.) that users are allowed to access. They flow right by IDPS and Malware Detection Systems through the same type of techniques.

Digital Apocalypse: The Artillery of Cyber War by Cecilia McGuire

Cyberspace is now the digital frontier of choice for executing many combat operations, by extending the medium in which greater levels of power can now be accessed by Machiavelli agents, militants and nation-states.

12

There Is No Cyberwar by Johan Snyman

With the growth in cyber-attacks and the large amounts quoted when estimating the costs of these attacks, it has become the norm for mainstream news agencies to carry news on security matters, data breaches and attacks. Unfortunately, what is reported in the media is rarely the full story and the image painted is often the one of imminent disaster, destruction and lawlessness.

CYBERCRIME

16

Uncertain Law Leaves Penetration Testers in Limbo by David Cook

A question that I am often asked is, “How can a penetration tester or ethical hacker be sure that his activities remain lawful?” The reality is that the law regarding cyber crime is fairly ambiguous and I do have sympathy with penetration testers and ethical hackers, given the potential minefield that surrounds them.

20

How Cyber Attackers and Criminals Use Defense in Depth Against Us by Jon Ringler

Cyber attackers are forcing IT Professionals and organizations into an unsustainable stance, exhausting available resources, and adapting advanced techniques to walk right in the front door and strut past the people, process, and technology utilized by Defense in Depth.

24

Penetration Testing Can Save Lives by John Strand

There are a number of ways that a cyber attack can destroy lives. Careers can end, finances can get ruined and companies can cease to be relevant. What is sad is when these tragic side effects of a cyber attack occur and a simple penetration test would have discovered some basic flaws in an organization’s defenses.

28

The State of Information Security by Billy Stanley

Malware authors have figured out how to evade AV by continually tweaking their binaries. They can circumvent content filtering systems by hacking legitimate sites

06/2012 (14) June

CONFERENCE

32

2nd International Conference on Cybercrime, Security and Digital Forensics by Aby Rao

The threat from cybercrime and other security breaches continues unabated and the financial toll is mounting. This is an issue of global importance as new technology has provided a world of opportunity for criminals.

INTERVIEW

34

Looking for a Job – Interview with James Foster from Acumin by PenTest Team

PenTest Team received many questions concerning situation on the job market. Many of our readers is in the process of looking for, changing jobs or starts their own businesses. Since our main aim is to respond to needs of our readers, PenTest features an interview with James Foster from a recruitment company with 14 years of experience.

36

“You must create a plan...” – Interview with Debbie Christofferson by Aby Rao

You must comprehend the core business and be able to understand and communicate security risk in terms of its impact to that business. While technology competence is key, it is not the deciding factor in success – an ability to create and execute to a longer term strategy determines your fate.

PAINPILL

42

Pen Testing Scope Drift: Everyone gets excited; No one is getting paid by Dean Bushmiller

You do love your job, right? You do want to pound a buffer overflow for hours or even days until the system yields. You do want to find that way in, right?

READ

46

Save the Database, Save the World – Chapter 4 by John B. Ottman

“Virus-Like Attack Hits Web Traffic,” was the BBC News World Edition headline. The article declared “An attack by fast-spreading malicious code targeting computer servers has dramatically slowed Internet traffic…

Page 5

http://pentestmag.com


CYBERWAR

Digital Apocalypse The Artillery of Cyber War

Cyberspace is now the digital frontier of choice for executing many combat operations, by extending the medium in which greater levels of power can now be accessed by Machiavelli agents, militants and nation-states. Squads of cyber militants going under the banner of Anonymous and LulzSecare, motivated by the ease in which they can now execute high impact operations whilst avoiding detection, are just a few of the much publicised names synonymous with cyber terrorism.

T

he multi-dimensional characteristics of cyber space have dissolved the boundaries between digital landscape and physical security, facilitating cyber-attacks that produce devastating impacts to critical infrastructure, as well as Corporate and Government assets. Global security experts face the challenge of attempting to develop techniques to deter and prevent these global threats. This challenge is complicated further by the rate at which the digital paradigm continues to evolve at a rate which is often considerably faster than the ability to keep up with these developments. This disparity has, unsurprisingly, created an impression, shared throughout the cyber community, that implementing strategies to control the digital domain has become unachievable. As a result of these challenges and many others, Cyber Warfare is set to be one of the greatest challenges posed to the 21st Century. This article will examine the characteristics of Cyber War operations in order to clarify the ambiguities surrounding these concepts. Such an examination is necessary in order to ensure that the components of Cyber War are not confused with interrelated disciplines such as Information Warfare. Real world examples of Cyber Attacks will then be discussed in order to assess the “nuts and bolts” of cyber-attack operations and to examine whether the world is really prepared for the possibility of a “digital apocalypse”. Throughout the 06/2012 (14) June

analysis this paper aims to emphasise that deterring Cyber War is the key to addressing this challenge.

Cyber Warfare – A Definition

Over the past few decades experts and academics have explored whether the possibility of a Cyber War was in fact a plausible threat. Early pioneers navigating through this new landscape had conjured up postapocalyptic visions of the impact of Cyber War, bearing resemblances to scenes from a science fiction film. Today, Cyber War is no longer being examined from a theoretical perspective, as these dynamic threats have emerged throughout the global systems and networks. Experts are no longer debating the possibility of Cyber War but what can be done to stop these threats. Despite the widespread acknowledgement of Cyber War, the definition of these threats remains under scrutiny. Experts such as Bruce Schneier have stated that many definitions of Cyber War in current circulation are flawed as they confuse a range of other computer security related concepts such as Information Warfare, Hacking and Network Centric Warfare. In order to, clarify ambiguities surrounding Cyber War, for the purpose of this discussion, Cyber War is defined as:

“Internet-based conflict involving politically motivated attacks on information and information systems. Cyber warfare attacks can disable official websites and networks, disrupt

Page 6

http://pentestmag.com


or disable essential services, steal or alter classified data, and cripple financial systems – among many other possibilities.” (Rouse, 2010) For the purpose of this discussion, the focus of Cyber War conflicts will be examined in terms of its impact to the physical realm, in particularly to its impact to critical infrastructures.

The First Warning Shots

Recorded examples of the impact of cyber-attacks on critical infrastructures have been around for over a decade. One of the earliest cyber-attacks on critical infrastructure took place in January 2000, in Queensland, Australia. Where a disgruntled former employee at a manufacturing company hacked into the organisations computer, using privileged knowledge of the system, and took control of the Supervisory Control and Data Acquisition (SCADA) system. The protagonist was able to maliciously attack the system causing physical pumps to release raw sewage, producing a considerable amount of damage. Although this attack is not constituted as cyber warfare, it demonstrated the possibility for a digital attack to create a detrimental financial impact and create havoc on critical infrastructures. Since this time, there have been a number of attacks classed as acts of cyber war, such as the 2007 attacks, launched against the Government of Estonia. In this example, attackers utilised a variety of different attack methods such as Denial of Services (DoS), website defacement and other malware. This was one of the earliest examples demonstrating the increased level of sophistication of cyber-attacks to be launched against a nation-state.

The Most Comprehensive Exhibition of the Fastest Growing Sectors of recent years

in the Center

of Eurasia

INFORMATION, DATA AND NETWORK SECURITY EXHIBITION

OCCUPATIONAL SAFETY AND HEALTH EXHIBITION SMART HOUSES AND BUILDING AUTOMATION EXHIBITION

16th INTERNATIONAL SECURITY AND RFID EXHIBITION

16th INTERNATIONAL FIRE, EMERGENCY RESCUE EXHIBITION

The Digital Artillery

The arsenal of a Cyber War attack consists of the usual suspects, such DoS, attacks on DNS infrastructure, anti-forensic techniques, and wide-scale use of Worm, Zombies, Trojan and clichéd methods of electronics attack. However Cyber War represents much more than a DoS attack. When assessing state-of-the-art Cyber War Artillery, one name comes to mind – Stuxnet.

State-of-the-Art: Stuxnet

The ultimate state-of-the-art weapon identified in the cyber warfare arsenal, so far, is the Stuxnet worm. First launched in to the digital landscape in June 2009, Stuxnet has become one of the heavily scrutinised, real world examples of Cyber Warfare attacks, with global security and technology communities still struggling to fully comprehend the complexities of its design almost two years on since its initial release. Stuxnet’s international attention has been achieved from the sheer sophistication 06/2012 (14) June

SEPTEMBER 20th - 23rd, 2012 IFM ISTANBUL EXPO CENTER (IDTM)

THIS EXHIBITION IS ORGANIZED WITH THE PERMISSIONS OF T.O.B.B. IN ACCORDANCE WITH THE LAW NUMBER 5174.


CYBERWAR in design which is composed of a comprehensive array of attack exploits and covert methods for avoiding detection. Stuxnet is the magnum opus in the malware hall of fame. The Stuxnet worm infects computers running Windows OS, and is initially distributed via USB drives thereby enabling it to gain access to systems logically separated from the Internet. Once access has been gained it then orchestrates a variety of exploits from its toolkit designed to specifically target vulnerabilities its intelligent design is able to identify in the target host. Stuxnet’s artillery includes uses an array of exploit methods, meticulously designed to circumvent the logical sequence security measures, one layer at a time. Exploits included Stolen Digital Certificates, Rootkits, Zero-Day Exploits, methods for evading Anti-Virus detection, hooking codes, complex process injections, network injection, to name a few. These exploits however do not affect just any old computer, aside from propagating further. The extraordinarily designed piece of malware has one solitary target in mind – Industrial Control Systems/ Supervisory Control and Data Acquisition* (ICS/SCADA) and attached computer systems. With a specific ICS/ SCADA being targeted in Iran, Stuxnet reprograms the Programmable Logic Controller (PLC), made by Siemens, to execute in the manner that the attack designers have planned for them to operate within. * Bruce Schneier argues that Stuxnet only targets ICS and press releases have mis-referenced Stuxnet to also target SCADA “is technically incorrect”. For further details refer to: http://www.schneier.com/blog/ archives/2010/10/stuxnet.html

While experts are still dissecting Stuxnet, it is apparent that the creation is the work of a team of highly skilled professionals. Some estimates have stating that it would have taken a team of 8 – 10 security experts to write over the course of 6 months (Schneier). Many are referring to Stuxnet’s creation as a “marksman’s job” due to its targeted approach and expert precision. Given Stuxnet is considered to be one of the greatest malware masterpieces the temptation to examine its architecture in greater detail could not be resisted. Symantec’s “W32.Stuxnet Dossier Version 1.4” provides a detailed analysis delineating the technical attributes composed within Stuxnet and this 69 page document created by members of their Security Response Team is used as the basis for the following examination. The full array of technical features is outside of the scope of this article so a brief overview of Stuxnet’s architectural components will be summarised below.

Breaking Down Stuxnet The Core – .DLL files At the core of Stuxnet is a large .dll file containing an array of resources, diverse exports as well as 06/2012 (14) June

encrypted configuration blocks. In order to load these .dll files, Stuxnet has the capability to evade detection of a host intrusion protection programs which monitor any LoadLibrary calls. These .dlls and encrypted configuration blocks are stored in a wrapper referred to as the ‘stub’. Two procedures are then employed to call Exported function. Extract .dll is then mapped into memory module and calls one of the exports from mapped .dll. A pointer to the stub is then passed as a parameter. Stuxnet then proceeds to inject the entire DLL into another process, once exports are called. Injecting processes can include existing or newly created arbitrary process or a preselected trusted process. The Process of Injection Targeted trusted processes are directed at a number of standard Windows processes associated with a range of security products, including – McAfee (Mcshield.exe); Kaspersky KAV (avp.exe); Symantec (rtvscan.exe); Symantec Common Client (ccSvcHst.exe); Trend PC-cillin (tmpproxy.exe) to name a few. Stuxnet then searches the registry for any indication that McAfee, Trend PC-cillin or Kaspersky’s KAV (v.6-9) software is in operation. If Stuxnet is able to identify any of these technologies it then extracts the version which is used to target how to process injections or whether it is unable to by-pass these security products. Elevation of Administrative Access Rights Another feature of Stuxnet is in its ability to elevate access rights to run with the highest level of privileges possible. Stuxnet detects the level of privileges assigned to it and if these are not Administrative Access Rights it then executes zero-day privilege escalation attacks, such as MS10-073. The attack vector used is based on the operating system of the compromised computer. If the operating system is Windows Vista, Windows 7, or Windows Server 2008 R2 the currently undisclosed Task Scheduler Escalation of Privilege vulnerability is exploited. If the operating system is Windows XP or Windows 2000 the Windows Win32k.sys Local Privilege Escalation vulnerability (MS10-073) is exploited. Load Points Stuxnet loads the driver “MrxCls.sys” which is digitally signed with a compromised Realtek certificate (which Verisign previously revoked). Another version of this driver was also identified to be using a digital certificate from JMicron. The aim of the Mrxcls.sys is to inject copies of Stuxnet into specific processes therefore acting as the central load-point for exploits. Targeted processes include – Services.exe; S7tgtopx.exe; CCProjectMgr.exe.

Page 8

http://pentestmag.com


The Target: Programmable Logic Controllers We now arrive at Stuxnet’s ultimate goal – infecting Simatic’s Programmable Logic Controller (PLC) devices. Stuxnet accomplishes this by loading blocks of code and data (written in SCL or STL languages) which are then executed by the PLC in order to control industrial processes. In doing so, Stuxnet is able to orchestrate a range of functions such as: • • •

Monitoring Read/Writes PLC blocks Covertly masks that the PLC is compromised Compromise a PLC by implementing its own blocks or infecting original blocks.

The Grand Finale Now that Stuxnet has finally exploited the PLC it has achieved it has reached its final destination. Where Stuxnet is then able to execute its final exploits which is to slow down or speed up frequency motors. For example when the frequency of motor is running between 807Hz and 1210Hz, Stuxnet adjusts the output frequency for shorter periods of time to 1410Hz and subsequently to 2Hz and then back to 1064Hz. These frequencies are typically used by centrifuges in uranium enrichment plants. Ultimately Stuxnet is designed to destabilize ICS/SCADA by changing the speeds in uranium centrifuges to sabotage operations, with the potential for devastating consequences.

India and Belgium. This information can then be used by Duqu’s creators to then launch a premeditated cyber assault against the designated target. By default Duqu is designed to operate for a set period of time (either 30 or 36 days depending on the configuration). After which the Duqu will automatically remove itself from the system. A comparison of Duqu and Stuxnet demonstrates: • •

• • •

Little Brother – Duqu

In the September of 2011, researchers at the Budapest University’s Laboratory for Cryptography and System Security (CrySyS) made the alarming discovery of a Trojan resembling Stuxnet. Their fears were confirmed after dissecting this new threat revealed components were close to being identical to Stuxnet indicating that the writers were indeed the same authors, or persons with access to the source code of Stuxnet. They labelled this new threat “Duqu” due to its design in which it creates file names with the prefix ~DQ. Duqu is a remote access Trojan designed to steal information from the victim machine and is designed to act as a precursor to a future malware attack, similar to the Stuxnet operation. Duqu is designed to act in much the same way as a reconnaissance agent gathering intelligence from a variety of targets, and like Stuxnet; Duqu’s primary targets are industrial infrastructure. Data sources collected by this Trojan include design documents, keystrokes records and other system information. Once this intelligence has been gathered by the Trojan, it is then returned to the command and control servers, over HTTP and HTTPS, positioned across global locations such as China, Germany, Vietnam, 06/2012 (14) June

Duqu’s executables were created using the same source code as Stuxnet. Duqu’s payload resembles no similarity to that of Stuxnet. Duqu’s payload is written with the intention of conducting remote access capabilities whereas Stuxnet’s payload is designed to sabotage an ICS/ SCADA. Duqu’s Payload aims to capture keystrokes and system information rather than modify target systems. Duqu (being a Trojan) do not contain any selfpropagation capabilities as found in worms like Stuxnet. Duqu in one example is distributed by attackers using specially crafted email containing a word document which exploits an unpatched 0-day vulnerability to Like Stuxnet, Duqu’s utilities include stolen signing certificates for signing drivers stolen from a company in Taiwan, with an expiry date of August 2nd 2011. These certificates were later revoked on October 14th 2011.

The resemblances in design of Stuxnet and Duqu indicate that they were most likely developed by the same authors. Kaspersky Lab’s Analysts examining the source code of both programs state that – “We believe Duqu and Stuxnet were simultaneous projects supported by the same team of developers”.

The Launch Pad – Tilded

How did Stuxnet and Duqu manage to launch some of the most effective cyber-attacks on record so far? The “launch pad” for this cyber artillery goes by the name of Tilded. The Tilded platform is modular in nature and is designed to conceal the activities of malicious software by employing techniques such as encryption, thereby evading detection by anti-virus solutions. By utilising the Tilded platform developers of cyber weapons can simply change the payload, encryption techniques or configuration files in order to launch any number of exploits against a range of targets. File naming conventions used by Tilded’s developers employed the Tilde symbol and the letter “d” combining the two

Page 9

http://pentestmag.com


CYBERWAR References • • • • • • • • • •

Clayton, M. (2012). Alerts say major cyber attack aimed at gas pipeline industry. Retrieved 12th of May 2012 from: http:// www.msnbc.msn.com/id/47310697/ns/technology_and_science-christian_science_monitor/t/alerts-say-major-cyber-attackaimed-gas-pipeline-industry/#.T65jgesti8D Kamluk, V (2011). The Mystery of Duqu: Part Six (The Command and Control servers). Retrieved 12th of May 2012 from: http:// www.securelist.com/en/blog/625/The_Mystery_of_Duqu_Part_Six_The_Command_and_Control_servers Kovacs, E. (2011). Stuxnet, Duqu and Others Created with ‘Tilded’ Platform by the Same Team. Retrieved 12th of May 2012 from: http://news.softpedia.com/news/Stuxnet-Duqu-and-Others-Created-with-Tilded-Platform-by-the-Same-Team-243874.shtml RAND (2009). Cyberdeterrence and Cyberwar. Retrieved 12th of May 2012 from: http://www.rand.org/pubs/monographs/2009/ RAND_MG877.pdf Rouse, M. (2010) Cyberwarfare. Retrieved 12th of May 2012 from: http://searchsecurity.techtarget.com/de�nition/cyberwarfare Schneier, B. (2010) Stuxnet. Retrieved 12th of May 2012 from: http://www.schneier.com/blog/archives/2010/10/stuxnet.html Symantec (February 2011). W32.Stuxnet Dossier Version 1.4. Retrieved 12th of May 2012 from: http://www.symantec.com/ content/en/us/enterprise/media/security_response/whitepapers/w32_stuxnet_dossier.pdf Symantec (November 2011). The precursor to the next Stuxnet W32.Duqu Version 1.4. Retrieved 12th of May 2012 from: http:// www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_duqu_the_precursor_to_the_next_stuxnet.pdf Teksouth Corporation (2010). Cyber Warfare in the 21st Century: Guiding Doctrine and an Initial Conceptual Framework. Retrieved 12th of May 2012 from: http://www.slideshare.net/slahanas/cyber-warfare-doctrine Westervelt, R. (2012). Tilded platform responsible for Stuxnet, Duqu evasiveness. Retrieved 12th of May 2012 from: http://searchsecurity.techtarget.com/news/2240113299/Tilded-platform-responsible-for-Stuxnet-Duqu-evasiveness

resulted in adopting the name – Tilded. The Tilded team of developers however still remain unknown. What we do know about Tilded is that it has undergone significant changes since its inception in 2007 with subsequent revisions created through to 2010. The researchers at Kaspersky have been able to confirm that a number of projects were undertaken between this period where programs based on the “Tilded” platform were circulated in cyberspace, Stuxnet and Duqu being two examples. While other researchers have indicated another variant exists, the Stars worm (also targeting ICS/SCADA systems) resembles Stuxnet. How many other programs have also been created but may not yet have been detected remains to be determined. What is clear is that as Tilded and similar programs continue to develop, we will see enhanced prototypes being catapulted into the digital limelight.

Are We Prepared for a Digital Apocalypse?

On the May 6th 2012, the US Department of Homeland Security reported that a major Cyber Attack was being launched against computer systems used for a national gas pipeline company supplying a total of twenty five percent of the United States energy. The cyber strike has been traced back to a single source and many experts believe that this is an early indicator of a highly organised Cyber Warfare operation. Early detection of the warning signs of such an attack has instilled reassurance throughout the wider global community that adequate mechanisms are now in place to ensure, at the minimum, a wide-scale cyber-attack will be detected and deterred prior to it accomplishing any major impact. As discussed, the dynamic and often unpredictable composition of emerging threats reveals the critical need 06/2012 (14) June

for developing new strategies within the Cyber Security community, so that detection of these unconventional threats can be done so with greater accuracy and prior to them developing the capability to orchestrate operations. RAND Corporation has stated that as long as systems have flaws, Cyber-attacks will be possible and “…as long as nations rely on computer networks as a foundation for military and economic power and as long as such computer networks are accessible to the outside, they are at risk”. Deterrence therefore is the key. Despite these challenges, real progress is being made. As the nature of Cyber Warfare becomes better understood, in spite of its complexities, a foundation for understanding these multifaceted threats is now being established. The next challenge being faced is in developing strategies/frameworks to deter the motivational factors leading to the creation of these threats whereby influencing the mindset of cyber militants will be the key defence mechanism available to preventing a digital apocalypse.

CECILIA MCGUIRE Cecilia McGuire is a dynamic fresh thinker and quiet achiever. Like many Gen-Y’s, she has spent the past decade living a somewhat nomadic existence having worked globally, expanding her awareness of international security requirements and foresight into upcoming trends. She attributes much of her in�uence to growing up in an unconventional family in rural Australia, amongst a blend of western and eastern philosophical paradigms. In 2010, she completed a Masters of Information Security and now lives in Sydney where she works as a Security Consultant.

Page 10

http://pentestmag.com



CYBERWAR

There Is No Cyberwar With the growth in cyber-attacks and the large amounts quoted when estimating the costs of these attacks, it has become the norm for mainstream news agencies to carry news on security matters, data breaches and attacks. Often this has led to info-sec professionals being quoted (and misquoted) and interviewed voicing their opinions and commenting on these issues.

U

nfortunately, what is reported in the media is rarely the full story and the image painted is often the one of imminent disaster, destruction and lawlessness.

The Hype

Last year, in a speech to service members at US Strategic Command, US Defense Secretary Leon Panetta painted a very grim picture of the world we live in at the moment: “We’re now in a very different world, where we could face a cyber-attack that could be the equivalent of Pearl Harbor. I mean, cyber these days – someone using the Internet can take down our power grid system, take down our financial systems in this country, take down our government systems, taken down our banking systems. They could virtually paralyze this country” [1]. US Senate Commerce Committee Chairman Jay Rockefeller said recently during a senate hearing: “Today’s cyber criminals have the ability to interrupt life-sustaining services, cause catastrophic economic damage, or severely degrade the networks our defense and intelligence agencies rely on” [2]. According to the American chairman of the Joint Chiefs of Staff, Army General Martin E. Dempsey: “A cyber-attack could stop our society in its tracks” [3]. The belief that cyber-armageddon is upon has been around for a good few years. In 1993 the world was warned that “Cyberwar is coming” in a paper authored 06/2012 (14) June

by John Arquilla and David Ronfeldt. Since then many more have joined the chorus of voices, warning of the impending doom. Sergey Novikov, head of Kaspersky Lab Global Research and Analysis Team is recently quoted as saying: “The recent spate of targeted attacks on major corporations and state organizations all over the world, the use of malicious programs as weapons for waging cyber war and conducting espionage and the cutting edge technology of stat-backed malware (Stuxnet, Duqu, etc), all herald the beginning of the new cyber era – the era of cyber warfare” [4]. With the growth in cyber-attacks and the large amounts quoted when estimating the costs of these attacks, it has become the norm for mainstream news agencies to carry news on security matters, data breaches and attacks. Often this has led to infosec professionals being quoted (and misquoted) and interviewed voicing their opinions and commenting on these issues. Unfortunately, what is reported in the media is rarely the full story and the image painted is often the one of imminent disaster, destruction and lawlessness.

The Doubters

There are a few who do not agree with the war rhetoric, who believe that it is not helping security when the threats are exaggerated and fear governs our decisions. Thomas Rid and Peter McBurney published an article

Page 12

http://pentestmag.com


������������ �������

����������������������������������������������������� ���������������������������������������������������� �������������������������������������������������� ��������������������������������� ��������������������������������������������������� ��������������������������������������������������������� ������������ ���������������������������������������������������� ������������������������������������������������������

�����������������������������

�������������

�������������������������������������� ������������������������

���������������


CYBERCRIME

Uncertain Law Leaves Penetration Testers in Limbo

A question that I am often asked is, “How can a penetration tester or ethical hacker be sure that his activities remain lawful?” The easy response is that the terms of engagement should be defined in advance. The law is concerned with unauthorised access to computer systems, so an IT security consultant should be well aware of what they are actually authorised to do.

T

he reality, however, is that the law regarding cyber crime is fairly ambiguous and I do have sympathy with penetration testers and ethical hackers, given the potential minefield that surrounds them. The term “ethical hacking” seems like an oxymoron at first glance, but is clearly the only effective method of ensuring that a company can be relatively certain that its system can withstand certain computer attacks. The Ethical Hacking Council defines the goal of the ethical hacker as to “help the organisation take pre-emptive measures against malicious attacks by attacking the system himself; all the while staying within the legal limits”.

Background to Hacking Law

It is easy to appreciate the difficulties faced by Parliament when drafting statute, but never more so than in respect of the laws relating to computer offences. The evolution of hardware technology is arguably now moving more swiftly than consumer demand, but it is in the progression of software systems that we are seeing an absolute sea-change. The Internet has proven to be a societal equaliser – armed with only a computer and access to the Internet, there is the potential for us all to become hackers. We are now seeing 15 year old hackers targeting large corporate bodies, causing them significant disruption 06/2012 (14) June

and getting away with it in the majority of cases. The case that focused Parliament on the necessity for specific hacking laws dates back as far as 1988 to the Schifreen and Gold case. British Telecom had introduced a simple computer communication system called Prestel, which worked by dialling the computers number and then having the telephone system connect the dialler to the appropriate Prestel centre. A subscriber to this system would then be asked to enter their password and identity number in order to access their respective section of the database. A man called Robert Schifreen was attending a trade show and observed an engineer for Prestel enter his details in the system – a username of 22222222 and a password of 1234. Presumably, this was an administrator account and Schifreen, along with his friend Stephen Gold, were then able to thoroughly explore the Prestel system. Once in the system, they changed some data and even managed to gain access to the personal message box of the Duke of Edinburgh, Prince Phillip, leaving the message, “Good afternoon HRH Duke of Edinburgh” in the process. After these exploits, Schifreen sold his story to the Daily Mail and even appeared on television to discuss what he had been a part of. Unfortunately for Schifreen, the Prestel computer network was more successful and widely used than

Page 16

http://pentestmag.com


CYBERCRIME

How Cyber Attackers and Criminals Use Defense in Depth Against Us The concept of Defense in Depth has actually been reverse engineered and used against the IT Professionals and is now utilized by attackers using this concept to provide them the attack vector they require to facilitate a successful attack. Cyber attackers are forcing IT Professionals and organizations into an unsustainable stance, exhausting available resources, and adapting advanced techniques to walk right in the front door and strut past the people, process, and technology utilized by Defense in Depth.

C

yber attackers are provoking organizations to implement a layered defensive stance that is complex, far-reaching, unmanageable, extremely costly, and requires a team of subject matter experts to run. As Information Technology (IT) professionals, we are familiar with the concept of Defense in Depth. For those unfamiliar with the concept, the adaptation for Cybersecurity is to layer multiple defense mechanisms to delay (not prevent) a successful attack until appropriate preventative measures are deployed. As IT professionals, we are also familiar with the requirement for us to stay up to date on technologies, education, current events, etc. Now that defense in depth has been around for a while and professed by all organizations, another look at the concept, how it is implemented, and if it is still effective against Cyber Warfare and Cyber Crime is worth a look.

Traditional military strategies and ideas can no longer be applied at the root of their intent when dealing with Cyber Security as the tactical landscapes of both have changed. We need to learn to adapt or continue suffering the cyber-consequences.

Defense in Depth as Designed

Defense in Depth at its inception was a military strategy originally defined by the National Security Agency (NSA). The goal of this Defense in Depth strategy was to elongate and delay rather than prevent the success of an attacker therefore exhausting their resources and causing them to diminish their forces while buying time and keeping attackers at bay. Instead of defeating an attacker and defending their territory with a single, strong defensive mechanism, Defense in Depth relied on the tendency

Figure 1. Traditional Defense in Depth

06/2012 (14) June

Page 20

http://pentestmag.com


������������������� � � � � � � � � � � ��������������������������� �����������������������������������

��������������������������������� ��������������������������������������������� �������������������������������������������� �������������������������������������������������� ���������������������������������������������������� ���������������������������������������������������� ���������������������������������

����������� ��������������������������������������� �������������������������������������������� ����������������������������������������������� ������������������������������������������ ����������������������������������������� �������������������������������������������� ������������������������������������������� ��������������������������

������ �������������������������������������������������� ������ ����������������������������������������������� ������ ����������������������������������������������� ������ ������������������������������������������������

�����������

������ ����������������������������������������������������������� ������ �������������������������������������������������������������� ������ ����������������������������������������������������������� �����������������������

������ ��������������������������������������������� ������ ����������������������������

�������������������������������� ��������������������������������� �������������������������������� ����������������������������� ��������������������������������� ������������������������������� �������������������������������� �������������������������������� ������������������������������������� ���������������������������

���������������������������������������������� ������������������������������������������������������������� ��������������������������������������������������������������� ������������������������������������������������������������������ �������������������������������������������������������������������� ���������������������������������������������������������������������� ��������������������������������������������������������������������� ������������������������������������������������������������������� �������������������������������������������������������

��������������������������������� ��������������������� ���������������������������������

�������������������������������������������������������� �������������������������� ��������������������������

������������������

�����������������

����������������

�����������������

�������������������

������������������


CYBERCRIME

Penetration Testing Can Save Lives There are a number of ways that a cyber attack can destroy lives. Careers can end, finances can get ruined and companies can cease to be relevant. What is sad is when these tragic side effects of a cyber attack occur and a simple penetration test would have discovered some basic flaws in an organization’s defenses.

I

n this article we will discuss some recent high-profile attacks and we will look at ways a penetration test should have discovered these vulnerabilities well before the attackers did. However, it is important for us to first try to understand exactly what a penetration test is. Currently there is a great debate in the back corners of various hacker and security conferences around the world on the topic. Many people have specific aspects they feel validates their view of what a penetration test is or is not. For the purposes of this article let’s say a penetration test would be crystalbox and could include scanning with automated tools. Granted, there are people who would argue that using any sort of automated scanning tool is not part of a penetration test. Let’s also assume those people are trolls and they will shortly be back under their various bridges. A penetration test can be a number of things. For many organizations a penetration test will require automated tools for scanning existing vulnerabilities, which will lead to possible exploits. For some more advanced organizations a full blackbox test may be required. This will be based on how mature an organization it in its security lifecycle. Some organizations will require simple scans to get them going in the right directions. Others companies, which are more mature, will require more rigorous testing. However, a common theme that should exist in any penetration test is a solid focus on business 06/2012 (14) June

impact. Even more important is the necessity of all penetration tests to have a human analyze data and focus on business logic with a clear focus on business risk. This is something automated tools will never be able to do, but they can help the process. And the companies we will focus on clearly were impacted. The following incidents will highlight why penetration testing is essential and they will each highlight a key security weakness that a penetration test would have uncovered.

RSA – One Size Testing Does Not Fit All

The RSA attack appears to have been launched via a spear-phishing attempt to two different groups within RSA over a couple of days. The malicious emails contained an Excel spreadsheet that was entitled “2011 Recruitment Plan” and contained a Flash 0-day that triggered when the attachment was opened. When news that RSA was compromised hit the Internet it sent shockwaves through the industry. It was not just an issue of a major company being compromised, it was that so many other organizations’ security support structures were based on SecureID. The very .asc and .xml files that seed the crypto in our secure key fobs were exposed. There are a couple of lessons to be learned from this breach. The first, is how intrinsically intertwined our security is with other companies. But there is

Page 24

http://pentestmag.com


CYBERCRIME

The State of Information Security Malware authors have figured out how to evade AV by continually tweaking their binaries. They can circumvent content filtering systems by hacking legitimate sites (banner ads, etc.) that users are allowed to access. They flow right by IDPS and Malware Detection Systems through the same type of techniques.

F

irewalls offer good protection for inbound connection attempts, though the threat vector now consists of an attacker riding back in on legitimate outbound connections. While information security is much better today than it has ever been before; it is far from being in a position to adequately deal with modern-day threats. In order to address the gap, we must dive deeper in to the problem and develop an embraceable strategy for success. It is only when we understand who our adversaries are and what their motivations and tactics are will we be in a position to address the problem. Let’s have a closer look.

The Adversary

Enemies in this type of fight are some of the toughest to identify and virtually impossible to stop. Some are too young to drive a vehicle; while others are your quiet next door neighbor, a college student half-way around the world, an eco-terrorist upset with your company’s policies or a religious extremist defiant to be heard. While the motivation varies, the common themes tend to revolve around the following: • •

Personal / Pride – Though more of a vintage motivation for launching an attack, this still happens to a lesser degree within the hacking communities. Geo-Political – A considerable force that is gaining 06/2012 (14) June

• •

more and more momentum. One of the more recent attacks to be publicized was the state-sponsored Stuxnet worm which targeted centrifuge equipment at Iran’s nuclear facilities. Terrorism – Over the years, hacking has been observed to both advance terrorist agendas in addition to launching full-fledged attacks. Financial – This is the largest motivating factor behind hacking activities today. The black market for selling unethical and/or illegal activities is very lucrative for those that have a marketable service.

Attack Vectors

Common attack vectors have certainly changed with time; indicating that we are dealing with a versatile enemy. As we have learned their techniques and deployed our defenses; they have been able to adapt their offensive strategy in relatively short order. A few examples are as follows: •

Page 28

Network-based and noisy – Referring back to the slew of Microsoft RPC and SMB-related vulnerabilities; ultimately resulting in self-propagating malware Web-based/Drive-by – This vector is one of the most popular in use today and one of the toughest to defend against. Attackers have learned how to bypass vendor validation processes when http://pentestmag.com



CONFERENCE

A voice to be added to the voices called to ... fight against cybercrime Dr. Ameer Al-Nemrat, Chairman of the 2nd International Conference on Cybercrime, Security and Digital Forensics The threat from cybercrime and other security breaches continues unabated and the financial toll is mounting. This is an issue of global importance as new technology has provided a world of opportunity for criminals. Therefore, reducing the opportunities for cybercrime is not a simple task but requires co-operation between many players, computer security specialists, legal professionals, academia, public citizens, and law enforcement agencies, and fundamental changes in common attitudes and practices. Aby Rao: Please, tell us about the purpose of Cyber Forensics conference.

Dr. Ameer Al-Nemrat

Ameer Al-Nemrat: The threat from cybercrime and other security breaches continues unabated and the financial toll is mounting. This is an issue of global importance as new technology has provided a world of opportunity for criminals. Therefore, reducing the opportunities for cybercrime is not a simple task but requires co-operation between many players, computer security specialists, legal professionals, academia, public citizens, and law enforcement agencies, and fundamental changes in common attitudes and practices. Computer and network security are often key factors that determine the likelihood of cybercrime, while digital forensics focuses on the detection, evidence gathering and prosecution of offenders. 06/2012 (14) June

Page 32

Dr. Ameer Al-Nemrat is a Senior Lecturer at the School of Architecture, Computing and Engineering (ACE) at the University of East London (UEL). Dr Al-Nemrat is the programme leader for the MSc Information Security and Computer Forensics, and MSc Cyber Crime. Dr Al-Nemrat Phd was the �rst PhD in Cybercrime Victimisation in the UK in 2009 and has published number of Journals, Conferences papers, book chapters, and one of the editors of the book “ Issues in Cybercrime, Security, and Digital Forensics”. Dr AlNemrat has worked closely on cybercrime–related projects with law enforcement agencies. A Cybercrime Programme project Led by Dr Al-Nemrat won a Good practice Award from The European Commission under the Leonardo da Vinci scheme which focuses on the teaching and training needs of those involved in vocational education and training.

http://pentestmag.com


INTERVIEW

Looking for a Job Interview with James Foster from Acumin, an International Information Security and Risk Management Recruitment Company PenTest Team received many questions concerning situation on the job market. Many of our readers is in the process of looking for, changing jobs or starts their own businesses. Since our main aim is to respond to needs of our readers, PenTest features an interview with James Foster from a recruitment company with 14 years of experience. From this conversation you will learn, among others, about demand for penetration testers, expectations of employers but also employees and pros and cons of being a freelancer. PenTest: James, Acumin is an international Information Security and Risk Management recruitment company. Please, tell us which professions are the most desirable within the IT Security market?

James Foster: Acumin have a vast network within the IT Security space having worked solely in this area for the last 14 years servicing Information Security Vendors, Consultancies, System Integrators, and End Users. Our extensive End User client base provides us the access to Information Security Managers and CISO’s in a variety of sectors which in turn provides invaluable knowledge of the challenges they face within an ever evolving Information Security landscape. These End User challenges fundamentally feed the demand for innovative technology and services from Information Security Vendors and Consultancies, and these challenges are regularly surveyed by Acumin and have formed a current snap shot of in demand professions: • • • •

Penetration Tester (particularly CREST or CHECK certified) Application Security Consultant / Architect Data Loss Prevention Consultant Governance, Risk and Compliance (GRC) Consultant 06/2012 (14) June

PT: How is the current demand for pentesters?

JF: Pen Testers have grown in demand over the last 4-5 years due to the importance and increased awareness for organisations to understand potential vulnerabilities in their technical landscape, and as a result their value in the market has increased.

PT: In which country would a pentester most likely find a good job? JF: Pen Testers are in demand globally.

PT: Could you describe the expectations of employers towards employees?

JF: The expectation of an employer towards a Penetration Tester depends on the employer.If the hiring manager works within an End User organization then the requirement of the Pen Testing employee is to ensure the ongoing testing of Infrastructures and/or Applications to highlight and report potential security vulnerabilities in order for remediation work to be conducted. As an employer running a team of Pen Testers within a Consultancy, a key expectation they will have aside from the obvious technical capabilities is a willingness to travel. It’s imperative that as a Penetration Tester you are prepared to travel a lot to different client sites. The

Page 34

http://pentestmag.com


INTERVIEW

“You must create a plan...” Debbie Christofferson, International Board Director at ISSA, on seeking employment, working as a freelancer and introducing changes at your company. You must comprehend the core business and be able to understand and communicate security risk in terms of its impact to that business. While technology competence is key, it is not the deciding factor in success – an ability to create and execute to a longer term strategy determines your fate. Communication skills are critical, orally and in writing, and an ability to build relationships and influence others across business units, and possibly across the globe if that’s where you operate. You must stay engaged in the business, and keep current on your skills in IT, and risks within your own structure. Aby Rao: Can you tell us what convinced you to become a security specialist?

Debbie Christofferson: During my Intel position as an IT Operations Supervisor, the manager who originally hired me was chartered to start up a Corporate Information Security function. This supported the uprising of distributed computing, UNIX, firewalls, and a new breed of hacking experts. I knew then I wanted to be part of that team, for my previous manager and in this new field. It required you to create something out of nothing, to be comfortable with ambiguity, to be good at working across people and platforms, and to be a good advisor to the organization. I began sowing the seeds and plotting my course on how to get there.

opportunity to reroute or eliminate your headcount as unnecessary.

AR: What are some of the core competencies of a security consultant?

DC: You must comprehend the core business and be able to understand and communciate security risk in terms of its impact to that business. While technology competence is key, it is not the deciding factor in success – an ability to create and execute to a longer term strategy determines your fate. Communication

AR: What was the most difficult for you at the beginning of your career?

DC: Lack of structure and support. Automated tools didn’t exist then – except unix scripts – and staffing was minimal. Security had no credibility initially. You were expected to know everything yet you were also universally ignored, and often seen as others as an 06/2012 (14) June

Page 36

Debra Christofferson

Debra Christofferson, CISSP, CIPP/IT, CISM serves ISSA as an International Board Director and was recognized in 2011 as a Distinguished Fellow. She’s an experienced security manager and consultant with global Fortune 500 experience, who is seeking a permanent strategic role in a large progressive organization. For a no-fee copy of her 7-page Security Risk Management Plan, send email with a subject line of “PenTest Risk Plan” to: DebbieChristofferson at earthlink dot net.

http://pentestmag.com


Get prepared. We are Expanding Security, a Pen Testing and Training Company. We’ve been preventing deer-in-headlights look since 2006. We offer Pen Testing services plus our Live On Line training classes for ISSMP, ISSAP, CISSP, and Certified Ethical Hacker. We give you online access to materials wherever you are.

You need to keep your job secure, your business strong, and your staff on top of the game. See how good and fun training can be. Our courses are current to changing technology, and our training is the fastest, easiest way to master the relevant data you need NOW.

Sign up for our free weekly PainPill and come to a free class. http://www.expandingsecurity.com/PainPill …with Freedom, Responsibility, and Security for All ™ www.ExpandingSecurity.com


PAINPILL

Pen Testing Scope Drift Everyone gets excited; No one is getting paid

You do love your job, right? You do want to pound a buffer overflow for hours or even days until the system yields. You do want to find that way in, right? How long are you willing to spend? Last week I had someone ask me to “join their team.” That is a euphemism for taking a pay cut so they can make money off me. The question is out there: Would I do more work for less money? Would you? Would you do it if there was no pay? Would you do it for less pay?

P

eople ask me what I do. I tell them I break into networks for a living. Oh so you are a hacker? Please, tell me all the juicy details. Uh, no. The details would bore you to death. Do you really want to hear how cool an RPC DCOM exploit is when you get shell? Do you even remember Blaster or Nachi? No one, I mean NO ONE but pen testers are thrilled by finding these flaws and exploiting them. You and I love it. You do love your job, right? You do want to pound a buffer overflow for hours or even days until the system yields. You do want to find that way in, right? How long are you willing to spend? Last week I had someone ask me to “join their team”. That is a euphemism for taking a pay cut so they can make money off me. The question is out there: Would I do more work for less money? Would you? Would you do it if there was no pay? Would you do it for less pay? I hope you love what you do, but wait just a minute here. Penetration testing is a job. The job comes with all the other baggage of a job like: paperwork, expense reports, legal issues, learning some weird one-off application that you will never see again.

Does this have anything to do with scope drift?

Yes, it has everything to do with scope drift. You are paid to do a job; when you are less efficient or waste time, you do not get paid for it. When the project scope dictates you do this, but then you do this and that, you do not get paid 06/2012 (14) June

for that. If you are changing the scope you might cause problems. If the client is changing scope, you should be getting paid. We need to look at how we abuse the scope and how the client does the same. The combination of the two can lead to dissatisfaction on both sides. Let us explore the boundaries of scope drift. The contract for pen testing by its very nature is vague. If the client is very specific, you are lucky. Each client has an expectation of dynamic interactions on the penetration testing project. Just like any customer or part-time boss, some prefer to micro-manage. Other clients set the expectations and wait for the outcome. You have your own preferences. Sometimes you end up pushing the client along so that you can get the current job done and move on to the next. You might need a day to collect more data. You might need to manage the scope itself to fill those hours you are billing, but I doubt it. There is never enough time to do the job we really want to do. Learning an obscure implementation takes a few more hours than we thought. Just when it gets exciting, we are out of time or life gets in the way. For example: The wife has left my dinner in the oven for so long it has gone past dried out and moved on to dehydrated. I cannot tell you how many times I have said, I promise honey this will only take twenty minutes more. Just when we get into a rhythm of pivoting and exploiting, the kids come in and ask us to take them to school. Is it really the next day already?

Page 42

http://pentestmag.com


Now Hiring Teamwork Innovation Quality Integrity Passion

Sense of Security

Compliance, Protection and

Sense of Security is an Australian based information security and risk management consulting practice. From our offices in Sydney and Melbourne we deliver industry leading services and research to our clients locally, nationally and internationally. Since our inception in 2002, our company has performed tremendously well. We thrive on team work, service excellence and leadership through research and innovation. We are seeking talented people to join our team. If you are an experienced security consultant with a thorough understanding of Networking, Operation Systems and Application Security, please apply with a resume to careers@senseofsecurity.com.au and quote reference PTM-TS-12.

info@senseofsecurity.com.au www.senseofsecurity.com.au


READ

Save The Database, Save The World! Chapter 4 ENEMY TACTICS

“Eighty-five percent of attacks [in 2009] were not considered highly difficult.”

V

irus-Like Attack Hits Web Traffic, was the BBC News World Edition headline. The article declared “An attack by fast-spreading malicious code targeting computer servers has dramatically slowed Internet traffic…In South Korea Internet services were shut down nationwide for hours on Saturday… The nationwide Internet shutdown was triggered by ‘apparent cyber terror committed by hackers,’ the country’s Yonhap news agency reported.” On January 25, 2003 the world experienced one of the largest Denial of Service (DoS) attacks in history as the SQL Slammer Worm was unleashed. The attack spread at light speed, and in as little as ten minutes infected as many as 75,000 database servers, slowing down Internet traffic worldwide. While commonly known as the “SQL Slammer Worm,” this virus was not a SQL injection attack, and it did not even use the SQL language. Named after Microsoft SQL Server, the database platform against which it was targeted, the SQL Slammer Worm exploited a known bug in MS SQL Server for which a patch had been released six months earlier. While some companies surely had updated their MS SQL Server databases when the patch was released from Microsoft, many others had not. Regardless, the denial of service that followed impacted the entire Internet. Like the tsunami following an earthquake, the ensuing denial of service impact was far more devastating than the original worm attack. The SQL Slammer Worm took advantage of a common software bug called a buffer overflow. When instructions are read into memory without the length of the string being checked by 06/2012 (14) June

Page 46

http://pentestmag.com


smart security interface© the multiplatform security connector integrated with all major PKI applications and TMS platforms; it fully supports all wide spread smart cards and architectures for government, corporate and bank projects; it also interfaces with smart phones, pre-boot systems and TPM

iEnigma® the software application that turns your smart phone into a PKI smart card; unparalleled convenience for digital identity management; unbeatable security thanks to the support of NFC chips and micro SD cards

plug´n´crypt® the product line for logical and physical access control covering different form factors: USB token, smart card, micro SD card, soft token, also in combination ����������������������������������������������������������������

CSTC® PKI made simple and accessible to SMB: card initialization, management of ������������������������������������������������������������������������������ TMS infrastructure

contact: team@charismathics.com www.charismathics.com


In the Upcoming Issue of

Physical Pentesting Available to download on July 2nd

If you would like to contact PenTest team, just send an email to maciej.kozuszek@software.com.pl or ewa.dudzic@software.com.pl. We will reply a.s.a.p. PenTest Magazine has a rights to change the content of the next Magazine Edition.


�������������������������������������������������� �������������������������� �������������������������

/ ������������������������� / ����������������� / �������������������� / ������������������������� / �������������������������������� / ��������������������� / ������������������ / ��������������� / ����������������

��������������

/ ��������������������������������������������

�������������

/ �������������������������������������������� ����������

��������������

/ ��������������������������������������������� ���������������������������������������������� ��������������������������

Visit digitalforensicsmagazine.com

��������������������������������������� ��������������������������������������� ������������������������������

NEXT ISSUE OUT SOON SUBSCRIBE NOW ������������������������������������������������������������������������� �������������������������������


���������������� “We help protect critical infrastructure one byte at a time”

• ���� Checklists, tools & guidance •���� Local chapters • ������ builders, breakers and defenders • ���������� ������������������������������������������������� and more.. ��������������������������������


Turn static files into dynamic content formats.

Create a flipbook
Issuu converts static files into: digital portfolios, online yearbooks, online catalogs, digital photo albums and more. Sign up and create your flipbook.