Dear PenTesters!
In this issue, we will focus on SSH Tunneling and we will learn how to bypass anti-virus software or web application firewalls, and how to protect your PC. In the SSH Tunneling section we start with an introduction. Digit Oktavianto states that instead of using telnet, it is advisable to use SSH as your program to communicate between your PC and your remote PC, as SSH provides secure encrypted communications. What is more, Andrea Zwirner, among many other things, will show you how to use SSH tunnels to bypass network and web application firewalls and antiviruses. Alva “Skip” Duckwall focuses on using SSH to tunnel traffic in a variety of different ways and their value during a penetration test. You will learn about the differences between local, remote, and dynamic port forwarding, usage scenarios for the various methods of port forwarding, and how to use “Netcat” mode in SSH. Ben Moore explains how to create an SSH tunnel to your own PC, protecting you from man-in-the-middle attacks while using open networks.
In the Plus section, we prepared for you three different but great articles. In the first one Colin Renouf makes you familiar with OpenSSL and how its prevalence represents a problem; undermining any efforts in heterogeneity; concentrating on Linux as the base operating system platform. Furthermore, Bart Leppens decided to share his knowledge about WPS and explains why it is a possible vector of attack. The tools “reaver” and “wash” will help you to check if your devices are vulnerable to WPS brute-forcing. The section ends with the article by Tony Campbell. His article looks at the prickly subject of professionalism, certification and training for penetration testers.
The Regular section is devoted to the article by Adam Kujawa, who makes us aware of the dangers that all Skype users currently face and provides us with a historical look at cyber-crime in social media. We continue with Marc Gartenberg’s section on NISPOM. We focus on chapters 10 through appendices, which introduce us to International Security Requirements. In this issue, we prepared for you the next chapter from John B. Ottman’s book “Save the Database, Save the World!” This time you can read about Database SRC Solutions Value.
I hope that you will find this issue worthwhile. Should you have any questions or suggestions concerning topics you want to read about, feel free to contact us at en@pentestmag.com. Thank you all for your great support and invaluable help.
Enjoy reading!
Krzysztof Sikora & PenTest Team
Managing Editor: Krzysztof Sikora krzysztof.sikora@software.com.pl
Associate Editor: Trajce Dimkov dimkovtrajce@gmail.com
2nd Associate Editor: Aby Rao abyrao@gmail.com
Betatesters: Harish Chaudhary, Robert Kriz, Stefanus Natahusada, Emiliano Piscitelli, Aby Rao, Gareth Watters, William Whitney, Steven Wierckx, Andrea Zwirner
Proofreaders: Kevin Fuller, Dyana Pearson, Jeff Weaver, Ed Werzyn, Tony Campbell
Senior Consultant/Publisher: Paweł Marciniak
CEO: Ewa Dudzic ewa.dudzic@software.com.pl
Art Director: Ireneusz Pogroszewski ireneusz.pogroszewski@software.com.pl
DTP: Ireneusz Pogroszewski
Production Director: Andrzej Kuca andrzej.kuca@software.com.pl
Publisher: Software Press Sp. z o.o. SK, 02-682 Warszawa, ul. Bokserska 1
Phone: 1 917 338 3631
www.pentestmag.com
Whilst every effort has been made to ensure the high quality of the magazine, the editors make no warranty, express or implied, concerning the results of content usage. All trade marks presented in the magazine were used only for informative purposes. All rights to trade marks presented in the magazine are reserved by the companies which own them.
To create graphs and diagrams we used program by
Mathematical formulas created by Design Science MathType™
DISCLAIMER!
The techniques described in our articles may only be used in private, local networks. The editors hold no responsibility for misuse of the presented techniques or consequent data loss.
11/2012 (19) November
Page
4
http://pentestmag.com
CONTENTS
SSH Tunneling
Basic Concept and Usage of SSH Tunnel by Digit Oktavianto
Do you know telnet? rsh? rlogin? Those are the programs that allow you to connect to a remote server, whether it is located in a local network or across the Internet.
SSH Tunnels: How to Attack Their Security by Andrea Zwirner
You will learn how to use SSH tunnels to bypass network and web application firewalls and antiviruses; how to encapsulate SSH tunnels to bypass proxies and content inspection devices; how the privilege separation programming pattern enforces local process security; how to trace SSH daemon activities in order to steal login passwords and sniff SSH tunneled communications by catching interprocess communications.
SSH Forwarding by Alva “Skip” Duckwall
Secure Shell, or SSH, is a series of cryptographic network protocols which are used as replacements for several older, unencrypted protocols such as telnet, rlogin, and rsh.
DIY SSH Tunneling: How to Create an SSH Tunnel by Ben Moore
This article will walk you through using free and open-source software to create an SSH tunnel to your own PC, protecting you from man-in-the-middle attacks while using open networks. The pieces necessary for creating your own SSH tunnel are: a PC to use as a terminus for the tunnel, an SSH server, a TTY application to establish the tunnel, and a remote session client.
PLUS
The Problem with OpenSSL by Colin Renouf
This article will look at OpenSSL and how its prevalence represents a problem; undermining any efforts in heterogeneity; concentrating on Linux as the base operating system platform.
WPS: Does It Make Our Wireless Networks Really Safer? by Bart Leppens
Often experts criticise wireless networks protected with WEP. But no matter how strong the encryption of a wireless network is, if you are able to extract the key, you still get in. WPS can be a possible vector of attack. The tools “reaver” and “wash” will help you to check if your devices are vulnerable to WPS brute-forcing.
Pen Testing: Nature vs. Nurture by Tony Campbell
One question many pen testers (or wanna-be pen testers) ask is, what are my career prospects? This question stems from the fact that pen testing is an extremely parochial and niche skill set and, for some, the word professionalism can conjure up images of consultants in suits and managers with whiteboards, rather than the stereotyped shell-coders burning the midnight oil with pizza and extra strong Java coffee.
COLUMN
Dial ‘S’ for Scammers by Adam Kujawa
We all live virtual lives, where we share, discuss and discover new things about ourselves and everyone else every single day. There are many tools we use to accomplish this, from social networking sites like Facebook, online video games like Runescape and social communication applications like IRC, Windows Live Messenger and the audio/video communication program Skype. As we continue to become more reliant on these devices to keep us connected, cyber-criminals are exploiting that reliance more and more. This article covers the dangers that all Skype users currently face, as well as a historical look at cybercrime in social media.
The Physical Aspects of Cybersecurity and Their Importance – NISPOM by Marc Gartenberg
For those who just joined, we are analyzing the different aspects behind the central policy document of the US Federal Government and its various Agencies titled NISPOM, the National Industrial Security Program Operating Manual, looking at the strengths and weaknesses of what the United States Department of Defense set out as standards and methods for their contractor base.
Read
Save the Database, Save the World! – Chapter 9 by John B. Ottman
SSH Tunneling
Basic Concept and Usage of SSH Tunnel
Do you know telnet? rsh? rlogin? These are the programs that allow you to connect to a remote server, whether it is located in a local network or across the Internet. The problem is, when you use a program like telnet, communication between the local and remote PC becomes very insecure, as telnet sends the password in clear text. Hence, instead of using telnet, it is advisable to use SSH as your program to communicate between your PC and a remote PC. SSH provides secure encrypted communications.
SSH, or Secure Shell, is a cryptographic network protocol for secure data communication, remote shell services or command execution and other secure network services between two networked computers that connect via a secure channel over an insecure network. SSH is actually a suite of three utilities – slogin, ssh, and scp – which are secure versions of the earlier UNIX utilities rlogin, rsh, and rcp. SSH commands are encrypted and secure in several ways. Both ends of the client/server connection are authenticated using a digital certificate, and no passwords are transmitted without encryption.
Now, what is tunneling? What is SSH tunneling? How does it work? How does it provide a secure communication? What are the differences between SSH tunneling and VPN? How do I configure my computer to use SSH tunneling? Let us discuss the above questions one by one.
What is tunneling?
Technically speaking, tunneling means the transmission of data through a connection that has been established before. Tunneling is also known as an encapsulation protocol, and a tunneling protocol is a standardized way to encapsulate packets. A tunneling protocol can encapsulate a packet of the same or a lower layer. This is quite different from general protocols, where the lower layer protocol encapsulates packets from the higher level protocol.
What is SSH tunneling? How can it provide a secure communication?
In SSH tunneling, the data transmitted over an SSH connection will be encapsulated in the SSH packet, and you can use SSH as a tunneling protocol to secure your communication. An SSH tunnel consists of an encrypted tunnel created through an SSH protocol connection. The purpose of SSH tunneling is to add a layer of security that protects each packet from the starting point to the end point. When you use SSH as your tunneling protocol, everything transmitted between your computer and your remote computer is encrypted within your SSH session. SSH tunneling is a common technique in the security area. It is a technique that can be used as a backdoor to bypass the defense line, from firewall and IDS to IPS. Besides the packet encapsulation, SSH tunneling also requires port forwarding. Port forwarding or port mapping is essentially the process of intercepting traffic bound for a certain IP/port combination and redirecting it to a different IP and/or port. Port forwarding is a term given to the combined technique of translating the address and/or port number of a packet to the new destination where it’s
SSH Tunnels: How to Attack Their Security
In this article, we will concentrate our attention on the use of SSH tunnels independent from the protocols we need to use on top of them. We will pay particular attention to how the tunnel works and how it can help us to elude the security controls which have been implemented within the infrastructure we are testing. After that, we will change our point of view and see how to attack SSH.
We will exploit the privilege separation feature in order to steal login passwords in the SSH daemon inter-process communication as well as sniff entire user sessions. Secure Shell (SSH) tunnels are very useful tools that every professional penetration tester should master and be able to use to the best of their capabilities. An SSH tunnel consists of an encrypted communication channel created through the use of the SSH protocol and is mainly used in order to encapsulate traffic of other protocols such as Remote Desktop Protocol (RDP), Common Internet File System (CIFS), rsync, etc. in order to benefit from encryption. SSH tunnels are very useful during penetration testing because they enable the bypass of a number of the security measures commonly implemented by systems administrators to harden their infrastructures, such as: network level anti-virus, network and web application firewalls (WAF), intrusion detection systems (IDS), intrusion prevention systems (IPS) and deep packet inspection (DPI) devices.
Used tools and applications
All of the tools and applications used in this article can be installed in any apt or yum based Linux distribution simply by running:
apt-get install tool-name
or
yum install tool-name
For each tool used during the article, I suggest carefully reading the entire manual page by using the man command or by looking it up on the Internet. All of the Windows tools we will use are freely distributed by their developers in executable format and can be run from the command line from the directory in which they have been downloaded.
Netcat basics
Netcat is a very useful network tool, as we can read from its man page: it “is a simple Unix utility which reads and writes data across network connections, using TCP or UDP protocol”. This tool permits us to open a socket on the local machine, or to connect to one that is already open. As we said, in the examples provided we will not care about the protocol that will be encapsulated over the tunnel but instead will focus on the tunnel itself. In order to be as generic as possible, we will use Netcat in order to open sockets and establish connections.
SSH Forwarding
Secure Shell, or SSH, is a series of cryptographic network protocols which are used as replacements for several older, unencrypted protocols such as telnet, rlogin, and rsh. What originally started out as a way to secure console connections with remote machines has evolved into a robust suite of protocols that allow for file transfers, support for multiple console connections over a single link, the ability to forward X11 communications, as well as the ability to forward traffic in a variety of different ways.
The focus of this article is going to be on this last feature, namely using SSH to tunnel traffic in a variety of different ways and their value during a penetration test.
Basic TCP Port Forwarding
The simplest form of tunneling that SSH supports is redirecting a single TCP port from one end of the connection to the other. This can be either a local port that is redirected on the far end of the connection or a remote port that is redirected locally. Whether it is called a local port forward or a remote port forward depends on which end of the connection is listening and which way the connection is forwarded. I will present scenarios to help clear up any confusion and illustrate their usage during an assessment.
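Which end listens and which way the connection is carried can be read straight off an ssh command line, for example when reviewing process or shell-history records for tunnels. The Python below is an added example, not code from the article; it also covers dynamic (-D) forwarding, which goes beyond the single-port case described above. The function names and the sample command lines are assumptions constructed for illustration.

```python
# Added example (not from the article): classify the forwarding options on an
# ssh client command line. -L, -R and -D are real OpenSSH flags; the parser
# covers only their TCP "[bind_address:]port[:host:hostport]" forms, not
# Unix-socket forwards or LocalForward/RemoteForward set via -o or ssh_config.
import shlex
from dataclasses import dataclass
from typing import List, Optional

LOOPBACK = {"localhost", "127.0.0.1", "::1"}
# ssh options that consume an argument, so their values are never read as flags.
OPTS_WITH_ARG = set("BbcDEeFIiJLlmOopQRSWw")
KINDS = {"L": ("local", "client"), "R": ("remote", "server"), "D": ("dynamic", "client")}


@dataclass
class Forward:
    kind: str                    # "local", "remote" or "dynamic"
    listener: str                # end of the SSH connection that opens the listening port
    bind_address: Optional[str]  # None = not given, so the default loopback bind applies
    listen_port: int
    target: Optional[str]        # where connections come out; None for -D (SOCKS decides)
    exposed: bool                # listener requested on a non-loopback address


def split_spec(spec: str) -> List[str]:
    """Split on ':' but keep bracketed IPv6 literals such as [::1] in one piece."""
    parts, buf, depth = [], "", 0
    for ch in spec:
        if ch == "[":
            depth += 1
        elif ch == "]":
            depth -= 1
        elif ch == ":" and depth == 0:
            parts.append(buf)
            buf = ""
        else:
            buf += ch
    return parts + [buf]


def parse_forward(flag: str, spec: str) -> Forward:
    kind, listener = KINDS[flag]
    parts = split_spec(spec)
    wanted = 1 if flag == "D" else 3          # field count without the optional bind address
    if len(parts) == wanted + 1:
        bind, parts = parts[0], parts[1:]
    elif len(parts) == wanted:
        bind = None
    else:
        raise ValueError(f"unsupported -{flag} spec: {spec!r}")
    target = None
    if flag != "D":
        host = f"[{parts[1]}]" if ":" in parts[1] else parts[1]
        target = f"{host}:{int(parts[2])}"
    # An empty bind address or "*" asks for all interfaces. For -R the server
    # only honours such a request when its GatewayPorts setting allows it.
    exposed = bind is not None and bind not in LOOPBACK
    return Forward(kind, listener, bind, int(parts[0]), target, exposed)


def find_forwards(cmdline: str) -> List[Forward]:
    """Return every -L/-R/-D forward given before the destination host."""
    tokens = shlex.split(cmdline)[1:]         # drop the program name
    found, i = [], 0
    while i < len(tokens):
        tok = tokens[i]
        i += 1
        if not tok.startswith("-") or tok == "-":
            break                             # destination reached; the rest is the remote command
        j = 1
        while j < len(tok):                   # walk bundled flags such as -fNR
            opt = tok[j]
            j += 1
            if opt not in OPTS_WITH_ARG:
                continue                      # boolean flag such as -N or -f
            if j < len(tok):
                arg = tok[j:]                 # argument glued to the flag, e.g. -D1080
            elif i < len(tokens):
                arg = tokens[i]
                i += 1
            else:
                raise ValueError(f"option -{opt} is missing its argument")
            if opt in "LRD":
                found.append(parse_forward(opt, arg))
            break
    return found


if __name__ == "__main__":
    # Constructed sample command lines, not taken from the article.
    for line in ("ssh -N -L 8080:127.0.0.1:80 guest@gw.example.test",
                 "ssh -fNR 0.0.0.0:2222:localhost:22 user@relay.example.test",
                 "ssh -D1080 -p 2222 user@host.example.test"):
        for fwd in find_forwards(line):
            print(line, "->", fwd)
```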
Local Port Forwarding
When we want a local port to be listening and forward connection traffic to a remote port it’s called a local port forward. This type of port forward is commonly used to allow us to connect to remote network services with client software running on our attack machines. Here is a common scenario and a diagram to help illustrate.
Figure 1. Local Port Forward
Scenario 1
You have been tasked to evaluate the external web presence of ABC Widgets. The client disclosed that they primarily use a LAMP (Linux/Apache/MySQL/PHP) stack for their web application. During the enumeration phase of your testing you discover that ABC’s firewall has SSH listening on the outside interface. Through further testing you discover that a default username and password (guest/
DIY SSH Tunneling: How to Create an SSH Tunnel
This article will walk you through using free and open-source software to create an SSH tunnel to your own PC protecting you from man-in-the-middle attacks while using open networks.
I worry about session privacy at public hotspots. I use https on everything that I can and I just don’t use confidential data on any service that doesn’t support https. But you just never know. Firesheep scares me. One of my co-workers uses LogMeIn Pro and does all his “work” on his home PC. That angle interested me but while I use LogMeIn Free for occasional remote access it requires a persistent application running on the target PC. And LogMeIn only uses a userid/password for access security. The pieces necessary for creating your own SSH tunnel are: a PC to use as a terminus for the tunnel, an SSH server, a TTY application to establish the tunnel, and a remote session client. I decided that I wanted my SSH tunnel to terminate on a virtual machine on my home PC. That way I could closely manage what that “PC” has access to on my home network. For the SSH server, I wondered if there wasn’t something that I could do in my router. I discovered that dd-wrt [1] v24 and higher supports SSH tunnels [2]. I found a refurbished router for less than $40 that has a gigabit switch, 802.11N Wi-Fi, and is supported by dd-wrt. To connect to an SSH server you need a TTY application. I wanted my solution to run from my USB drive so for the TTY application a friend pointed me to PuTTYPortable [3]. One of the first steps you need to do is to generate a public/private key pair for the SSH session. Puttygen [4] will do this. Notice that you also have to establish a passphrase (similar to WPA) so that even if you lose the USB drive you’re still protected.
Figure 1. PuTTY Key Generator
plus
The Problem with OpenSSL
This article will look at OpenSSL and how its prevalence represents a problem; undermining any efforts in heterogeneity; concentrating on Linux as the base operating system platform. It outlines how the principles of defence in depth mean that true heterogeneity is required, with use of other SSL/TLS implementations; and some unusual and “bleeding edge” architectural solutions.
Whilst working in recent PCI remediation scenarios a common issue was found; one that is sadly misunderstood within the industry. Many security and infrastructure professionals look at different products and devices without understanding what goes on “under the hood”, so miss something that would otherwise be obvious. What is the problem? Remember defence in depth and the underlying concept of heterogeneity. Many manufacturers look for a quick turnaround to market, and rather than reinvent the wheel base their products on an Open Source core of Linux or FreeBSD, OpenSSL, etc. Some typical examples come from the Apple Mac OS X operating system core called “Darwin”, which is derived from a Mach microkernel with a FreeBSD outer layer, or the Android mobile operating system, which is Linux based; as client operating system examples. For the security and network device examples we have the CheckPoint IPSO firewall OS, which is derived from FreeBSD, or the BigIP F5 Local Transaction Manager (LTM) proxy OS that is derived from Linux. For web servers most vendors derive their core products from the Apache web server (Apache HTTP Server, IBM HTTP Server, Oracle HTTP Server) or the earlier NCSA Http Server code (Netscape/iPlanet/Oracle iPlanet Http Server). Almost all of these, in using Open Source technologies at their core, use the obvious related Open Source SSL technologies, i.e. OpenSSL. The exception to this is the “iPlanet” family – which was released to the Open Source world in an updated version as part of the Oracle Open Solaris Web Stack packages; which have their own SSL engine, Network Security Services (NSS), open sourced by Mozilla. Proprietary OS’s and products also often use the OpenSSL implementation, but fortunately some manufacturers do create their own implementations from scratch, e.g. Cisco and Microsoft. It is in the use of OpenSSL that a problem arises, not so much just from a security perspective but also from an infrastructure, and support and maintenance perspective. What happens when a vulnerability is found in OpenSSL? One of the principles mentioned in the CISSP body of knowledge is that security should consider the benefits of a heterogeneous environment in its holistic implementation of defence in depth protection. Many companies will blindly deploy CheckPoint firewalls, BigIP F5 LTMs, and Apache Http Servers throughout their security zoning model; and when a major OpenSSL vulnerability is found they have a seemingly insurmountable problem. When an OpenSSL vulnerability is found the Open Source community are usually quite responsive and quick to release a patch, once the prob-
WPS: Does it Make our Wireless Networks Really Safer?
Often experts criticise wireless networks protected with WEP; however, it doesn’t matter how strong your encryption is: if an attacker can extract the key, he can still get in. It is just as possible that WPS could be a vector of attack. The tools reaver and wash will help you to check if your devices are vulnerable to WPS brute forcing.
Often I hear people say that their WPA2 wireless networks are 100% secure. They claim this because they use a PSK (pre-shared key) that is too complex for brute forcing. However, processors are getting faster and faster and we can even try to break encryption in the cloud; but brute-forcing isn’t the only vector of attack. This article describes some ideas of how you might obtain the PSK to gain access to a “highly secured” wireless network. Often wireless SOHO AP/routers ship with WPS. WPS stands for Wireless Protected Setup and is a protocol created by the Wi-Fi Alliance, which should help people with little know-how of wireless security to easily create a secure WiFi network infrastructure. Whilst I’ll talk about several ways to obtain the wireless key, the methods described here are by no means exhaustive and the main focus of this is WPS.
WiFi knows a history of security related problems
Encryption systems used by wireless routers have a long history of security problems. In 1997 WiFi networks used the Wired Equivalent Privacy (WEP) system, yet within only a few years it was cracked. Nowadays, security experts know WEP gives us no protection at all. Its successors, WPA (Wireless Protected Access) and WPA2 (Wireless Protected Access v2) with a PSK (Pre Shared Key), can be subject to dictionary attacks, etc. In my personal experience, I can recommend Vivek Ramachandran’s book ‘BackTrack 5 – Wireless Penetration Testing – Beginner’s Guide.’ It’s an excellent beginners’ guide that I still use a lot as a reference for wireless auditing. But, in my opinion, this book misses one basic item which is an important vector of attack – namely, WPS (Wireless Protected Setup). Wireless networks are always an interesting target for attackers because when they get in they usually have access to the complete internal network. What’s even more interesting is that the attack can be performed from a distance. With directional antennas, such as Yagis, the attack can be performed from miles away. For an active attack (not only listening, but sending packets as well), like WPS brute-forcing, the link quality must be good. Without a good connection an attack is not possible, or will be extremely slow, as many packets will get lost along the way.
Some vectors for attacking a “highly” secured wireless network
Most SOHO-routers come with a web interface, which is normally only accessible from your inter-
Pen Testing: Nature vs. Nurture
One question many pen testers (or wanna-be pen testers) ask is, “what are my career prospects?” This question stems from the fact that pen testing is an extremely parochial and niche skill set and, for some, the word professionalism can conjure up images of consultants in suits and managers with whiteboards, rather than the stereotyped shell-coders burning the midnight oil with pizza and extra strong Java coffee.
This article looks at the prickly subject of professionalism, certification and training for penetration testers, especially in contrast with an industry that is predominantly staffed with self-taught, driven, Olympic-medalist computer specialists, who happen to have landed their dream job doing what they love the most – to crack stuff open to see how it works. We all know what pen testers are: system security testers who have risen from the technical proving ground of programming, system administration, or networking, to professional testing of customers’ security vulnerabilities. And what’s apparent from talking to them – they almost always, without exception, love doing what they do. Most of today’s pen testers started out as script-kiddie teenagers, beavering away on their home computers, absorbing the secrets of the Internet through bulletin boards and IRC chatrooms, accompanied by all the sense of wonder and adventure portrayed in Hollywood movies and cyber punk comics. However, when that teen hacker eventually leaves home, goes to college, gets a job, and moves into the real world as a parent, role model, mentor and professional, they need to consider how they keep the money rolling in. This is where our story begins. As a pen tester (or prospective pen tester) you have progressed from your fascinating hobby of hacking on your home computer system to a super cool job as a professional hacker, paid for helping customers secure their systems. However, what kind of career path can you plan for yourself in this game? At first glance (and maybe for the first few years), you have landed the job of your dreams, doing what you love day-in and day-out, working with like-minded individuals on projects to break the most secure and secret computer systems on the planet. However, there will come a time when you might start wondering where you can go from here. That is what this article is all about: career paths for pen testers and whether they are necessary. Starting at the beginning, how do you get into this field? How do you get promoted? What certifications are available? Is certification worthwhile and should it be mandated? What about education and training? Is it worthwhile or necessary? Let us start by looking at the industry as a whole. The organization responsible for the baseline security qualification known as CISSP (Certificate Information Systems Security Professional), (ISC)², estimated this year that there are approximately 2.2 million people employed in the information security sector. By the year 2015, (ISC)² predicts that number to have risen to 4.25 million security professionals, assuming enough people have en-
column
Dial ‘S’ for Scammers
We all live virtual lives where we share, discuss, and discover new things about ourselves and everyone else every single day. The tools we use to accomplish this are many, from social networking sites like Facebook, online video games like Runescape, social communication applications like IRC or MSN Messenger, and the audio/video communication program Skype. As we continue to become more reliant on these devices to keep us connected, cyber-criminals are exploiting that reliance more and more.
Skype is a communication application that allows users to communicate over text, voice and/or video. It is wildly popular and very useful in our modern world of constant communication, no matter where you are in the world. In addition to the free service, customers can also pay a small fee to forward all Skype calls to a landline or cell phone. Therefore, it provides the perfect avenue for social engineering and exploitation.
When Skype is Drafted by Evil
Over the last few weeks, Skype has been in the media a fair amount due to it being abused by malicious actors who were using it to swindle people into infecting themselves with malware. It has been discovered that cyber-criminals are using Skype to spread appealing messages to users that include a link to a ZIP file holding an executable that is disguised as an image. The Skype message is “lol is this your new profile pic? <Link>” and it is clearly effective since it has been able to spread like wildfire.
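As an added example (not part of the original article), the following Python code shows how a gateway or triage script could flag the kind of archive described above: a ZIP entry whose name carries an image extension ahead of an executable one, or whose content starts with a Windows PE header while the name claims otherwise. The function names, the extension lists and the sample archive are assumptions constructed for illustration.

```python
import io
import zipfile

IMAGE_EXTS = {".jpg", ".jpeg", ".png", ".gif", ".bmp"}        # assumed list
EXEC_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd"}  # assumed list

def audit_zip(data: bytes) -> dict:
    """Map each suspicious archive entry to the reasons it was flagged."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            # Only the final path component is what the recipient sees.
            name = info.filename.replace("\\", "/").rsplit("/", 1)[-1]
            # Normalise every dot-separated suffix (case and padding spaces).
            exts = ["." + p.strip().lower() for p in name.split(".")[1:]]
            last = exts[-1] if exts else ""
            with zf.open(info) as fh:
                magic = fh.read(2)  # Windows PE files start with "MZ"
            reasons = []
            if last in EXEC_EXTS:
                reasons.append("executable extension")
                if any(e in IMAGE_EXTS for e in exts[:-1]):
                    reasons.append("image extension before executable extension")
            elif magic == b"MZ":
                reasons.append("PE header under non-executable extension")
            if reasons:
                findings[info.filename] = reasons
    return findings

def build_sample_zip() -> bytes:
    """Constructed sample archive (harmless filler bytes, not real malware)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("profile_pic.jpg.exe", b"MZ" + b"\x00" * 62)
        zf.writestr("avatar.jpg", b"MZ" + b"\x00" * 62)
        zf.writestr("holiday.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16)
    return buf.getvalue()

if __name__ == "__main__":
    for entry, why in audit_zip(build_sample_zip()).items():
        print(entry, "->", "; ".join(why))
```

Password-protected archives cannot be opened this way and should be treated as unverified rather than clean.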
The Method
At its core, you can compare this type of attack to something like e-mail phishing, where a user is tricked into believing that a link is legitimate based upon who the e-mail comes from and/or what it is concerning. Using hijacked Skype accounts is a great way to throw people off because a large portion of people trust social networking tools – and their friends. When a message comes from your friend rather than a stranger, you are more prone to believe it is legitimate. In addition, the wording used for the attack is designed to exploit the human concern
column
The Physical Aspects of Cybersecurity and Their Importance – NISPOM Executive Summary

In this last installment we’ll take a look at Chapters 10 through Appendices, which detail the requirements for International Security Requirements, Miscellaneous Information such as TEMPEST, Defense Technical Information Center (DTIC) and Independent Research and Development (IR&D) Efforts, and the Appendices. We’ll review these from a high level in order to present a broad view of the landscape and the aspects for which the NISPOM provides policy, and conclude with some recommendations based on information either lacking at the time of writing the document, or the more recent changes in the threat landscape.

For those who just joined, we are analyzing the different aspects behind the central policy document of the US Federal Government and its various Agencies, the National Industrial Security Program Operating Manual (NISPOM), looking at the strengths and weaknesses of what the United States Department of Defense set out as standards and methods for their contractor base.
The Physical Reality
To refresh, the Chapters we’ll be discussing in this series of articles are from NISPOM as follows:
• General Provisions and Requirements
• Chapter 2 – Security Clearances
  • Section 1 – Facility Clearances
  • Section 2 – Personnel Security Clearances
  • Section 3 – Foreign Ownership, Control, or Influence (FOCI) [1]
• Chapter 3 – Security Training and Briefings
• Chapter 4 – Classification and Marking
• Chapter 5 – Safeguarding Classified Information
• Chapter 6 – Visits and Meetings
• Chapter 7 – Subcontracting
• Chapter 8 – Information System Security
• Chapter 9 – Special Requirements
  • Section 1 – RD and FRD
  • Section 2 – DoD Critical Nuclear Weapon Design Information (CNWDI)
  • Section 3 – Intelligence Information
  • Section 4 – Communication Security (COMSEC)
• Chapter 10 – International Security Requirements
• Chapter 11 – Miscellaneous Information
  • Section 1 – TEMPEST [2]
  • Section 2 – Defense Technical Information Center (DTIC)
  • Section 3 – Independent Research and Development (IR&D) Efforts
• Appendices [3]
International Security Requirements
In the ever-changing international landscape, today’s friend may very well be tomorrow’s foe. So naturally the question is how can we trust anyone, or any nation? The short answer is trust but verify, and only
read
Save The Database, Save The World!
Chapter 9
DATABASE SRC SOLUTION VALUE

“Some projects will always feel like a trip to the dentist, but the good news is that having your teeth cleaned never paid off so well.”

Prior to the adoption of a database SRC program, organizations must gain consensus and alignment between the business leadership and the rest of the IT team. Conflicting priorities are always a challenge, especially when budgets are tight, so a clear value proposition and a compelling business case must be developed to move the database SRC program forward. The scope, objectives, and approach of the project must be well defined, and the business case must be crystal clear. Even more importantly, success metrics such as performance levels and internal rate of return must be evident in order for the business case to be accepted and a successful transformation to occur.

Security, risk, and compliance projects have historically enjoyed relative immunity from the high level of prioritization and scrutiny received by many other IT initiatives. Often considered a “must have” requirement, database SRC initiatives have been viewed as a form of insurance similar to catastrophic health care. But as organizations gain a broader understanding of the range of solutions available, a sense of conflicting priorities can emerge. Defense in depth suggests layers of protection must be deployed at the network, operating system, and database level. Intuitively, data must be protected in the database where it lives, but compelling arguments exist for other priorities as well. So, why should organizations decide that database SRC is the number one priority versus many other compelling alternatives?

11/2012 (19) November
In the Upcoming Issue of PenTest Regular...
Android as a Pentesting Platform
Available to download on December 3rd
More topics in PenTest Magazine: Information Security Governance, Hacking an Isolated Network, Phishing, Spoofing, BeEF, Business Application Change Control, Reconnaissance & Network Mapping, DNS & ARP, Intrusion Detection Systems, Sandbox ... and more
If you would like to contact the PenTest team, just send an email to krzysztof.sikora@software.com.pl or ewa.dudzic@software.com.pl. We will reply a.s.a.p. PenTest Magazine has the right to change the content of the next Magazine Edition.