Editor's Note: Unsecured Mobile Devices
You all know how dangerous mobile devices can be, and how dangerous they are indeed. The first problem is that they do not have proper support for enterprise security controls; the second is generated by employees who use their own phones and smartphones for some sort of corporate use. Both extend the corporate network beyond the standard firewall and standard policy, and show how much work needs to be done to secure this enlarged network. In this issue of PenTest we gathered very good articles from different sources to give you a deep insight into this matter. Just go to page 8 to read the article Mobile Device Security: Why Should You Care? written by Paul T. Ammann. Paul helps you understand the threat posed by unsecured mobile devices and explores the tools available to help secure them. In his article you discover what the impact of smart devices in the enterprise means for maintaining data integrity, network utilization, user productivity, secure communication, device manageability, and compliance capabilities. The next article, on Code Mobility and its Security Concerns by Luca Ferrari, shows you the main types of code mobility and how different approaches can be exploited in several applications. If you still want to read about mobility, I recommend seeing what Richard C. Batka wrote for you. His article on Mobile Penetration Testing Standards & Practices explains what makes a good testing environment, the tools commonly used by expert penetration testers, and the major areas of a well-rounded testing environment. In Rob Somerville's article Mobile Security – Surfing the Paradox? you will read that the portability and accessibility of mobile devices pose a larger security risk than a humble PC or laptop.
This is the basis of the paradox – how can a device that is so small, open, technically innovative, tactile, easy to use and readily available retain cultural and mass-market appeal while at the same time remaining secure? This is the challenge not just from a software or hardware perspective but also from a cultural one. The next article worth reading is Gaining Trust and Cardholder Data: Pen-testing Techniques for Accessing Data with the Use of Smart Phones by Michael Shirk. It tells a story about our businesses. Small businesses, in an effort to make selling products more convenient for customers, have started to use alternative methods for taking payments. One of these methods is a small dongle attached to an iPhone or Android device that allows credit cards to be swiped and authorized. Michael claims that these devices allow small businesses to bring in additional revenue, but present a number of security issues with the protection of cardholder data. It is hard to describe all the articles that were prepared for you by our authors, but please read the very good articles in the Forensics section: Server’s Data Breach: A Forensics Investigation written by Filippo Novario, PhD, and WhatsApp Forensics written by Jose Selvi. I must recommend the next two articles: one written by Vatsal Parekh about Honeypots on page 62 and the second one written by Joshua Platz about The Secret of Passwords on page 56. Joshua, in his article, dives head first into the break-down of different techniques to crack a password and some specialized research into using those methods most effectively. What is more, Joshua shares his scripts with you, so that you can not only read this article but also try it. Just read and try! Download them together with the magazine. All articles are very interesting and they need to be marked as Need to be Read! As always! Very special thanks to all the authors who helped me create this issue.
Thanks to the Beta Testers and Proofreaders for their excellent work and dedication to help make this magazine even better. They all work really hard to get the magazine out for you to read. Please keep up the great work and send in your articles, tutorials or product reviews, questions, ideas and advice. Enjoy reading!
Ewa Dudzic & PenTest EXTRA team
EXTRA 04/2012(8)
Page 4
http://pentestmag.com
High-Tech Bridge Security Research Lab obtains “CVE-Compatible” status
High-Tech Bridge is pleased to announce that Security Advisories by High-Tech Bridge Security Research Lab have achieved the final stage of MITRE’s formal CVE Compatibility Process and are now officially “CVE-Compatible”. CVE is a list of information security vulnerabilities and exposures that aims to provide common names for publicly known problems. The goal of CVE is to make it easier to share data across separate vulnerability capabilities (tools, repositories, and services) with this “common enumeration”. The MITRE Corporation manages and maintains the CVE List with assistance from the CVE Editorial Board.
High-Tech Bridge’s CEO, Mr. Ilia Kolochenko, commented: “At High-Tech Bridge we strongly believe that the CVE project has great importance for the security industry. Being able to coordinate vulnerability research, disclosure and mitigation by CVE identifiers is a key point in making information security efficient. We are going to contribute as much as we can to the CVE project and its values.”
“High-Tech Bridge has demonstrated its commitment to providing its customers with comprehensive security advice by integrating CVE names into their Security Advisories. As security threats increase in number, complexity, and frequency today, organizations require clear and concise direction from security services like High-Tech Bridge’s Security Advisories to help them proactively prepare for and respond to these problems,” said Robert Martin, the CVE Compatibility Lead at MITRE. “The use of CVE Identifiers in their security advisories will help High-Tech Bridge’s customers close the gaps in coverage that often result from using disparate security sources, thereby helping ensure more comprehensive protection against new and emerging vulnerabilities and exposures.”
High-Tech Bridge Security Advisories (HTB Security Advisories) are provided on a non-profit basis, in accordance with High-Tech Bridge’s Corporate Social Responsibility, with the aim of helping software vendors improve their products’ security and reliability. More than 160 different software vendors have released security patches and improved the security of their products thanks to High-Tech Bridge Security Research Lab, including HP, Sony, SugarCRM, OrangeHRM and many others. In Q1 2012, 88% of the software vendors affected by HTB Advisories released security patches. The Q2 2012 statistics, currently being prepared for publication, will disclose some interesting facts and details about various vendors, such as the most reactive vendor of Q2 2012 – Serendipity, which provided a security patch for an SQL injection vulnerability within 23 minutes of being notified about it.
About High-Tech Bridge
High-Tech Bridge SA provides multinational companies, financial institutions and international organizations with cutting-edge information security solutions and services. In 2012, Frost & Sullivan recognized High-Tech Bridge as one of the market leaders and best service providers in the ethical hacking industry.
CONTENTS
Living Securely
08 Mobile Device Security: Why Should You Care?
Paul T. Ammann
Mobile device security isn’t a problem that you can just wish away. Employees will do things they shouldn’t, such as pick up malware from a free app they just downloaded to their Android. That leaves you – the IT professional with corporate responsibilities – to be accountable for preventing security breaches where possible and remedying a breach after it happens. Paul in his article helps you understand the threat posed by unsecured mobile devices and explores the tools available to help secure them. In his article, you discover what the impact of smart devices in the enterprise means for maintaining data integrity, network utilization, user productivity, secure communication, device manageability, and compliance capabilities.
Mobile Security
22 An Introduction to Code Mobility and its Security Concerns
Luca Ferrari
Code mobility can be expressed as the capability of executing code at different locations; systems that support code mobility are often called Mobile Code Systems (MCS). Mobility is important because it is usually simpler and cheaper to move a piece of code than a whole set of data. Luca in his article presents the main types of code mobility and how different approaches can be exploited in several applications. The Mobile Agent approach is the one that best reflects the real-world scenario and therefore the one that should be investigated most. On the one hand, this approach is also the most dangerous to adopt, since code and (part of) the data migrate across the network and therefore traverse possibly untrusted systems. On the other hand, the systems that host the agents are exposed to risks too, having to execute possibly malicious code.
32 Mobile Penetration Testing Standards & Practices
Richard C. Batka
Richard, in his article, talks about what makes a good testing environment and the tools commonly used by expert penetration testers, and breaks down the major areas of a well-rounded testing environment. Lastly he touches upon some excellent programs currently available that offer important resources you should consider evaluating: OWASP and DARPA’s CFT program.
38 Mobile Security – Surfing the Paradox?
Rob Somerville
Mobile computing, and particularly smartphones, is a very different beast from the generation of big iron that laid the foundation for modern IT practices. It is quite ironic that we have come full circle from the days of time-sharing on mainframes to sharing resources in the cloud, and in the process relinquishing a vital degree of control over our most important asset – information. Rob shows you that the portability and accessibility of mobile devices pose a larger security risk than the humble PC or indeed laptop. This is the basis of the paradox – how can a device that is so small, open, technically innovative, tactile, easy to use and readily available retain cultural and mass-market appeal while at the same time remaining secure? This is the challenge not just from a software or hardware perspective but also from a cultural one.
44 Gaining Trust and Cardholder Data: Pen-testing Techniques for Accessing Data with the Use of Smart Phones
Michael Shirk
Small businesses, in an effort to make selling products more convenient for customers, have started to use alternative methods for taking payments. One of these methods is the use of a small dongle attached to an iPhone or Android device that allows credit cards to be swiped and authorized. Michael claims that these devices allow small businesses to bring in additional revenue, but present a number of security issues with the protection of cardholder data.
Forensics
48 Server’s Data Breach: A Forensics Investigation
Filippo Novario, PhD
In his article, Filippo presents the problem of a server’s data breach, in particular the forensics investigation after the illegal act. After an introduction to the concept of data breach, the paper fixes the essential digital elements of forensics analysis. A concrete case of forensics investigation of a server’s data breach helps to understand the problems and the informatics-law and forensics solutions: data acquisition, log file analysis, and technical analysis of malware and digital code.
52 WhatsApp Forensics
Jose Selvi
Mobile Forensics is a rising field, since nowadays most people use smartphones both for personal and corporate purposes. These devices can handle different kinds of information such as emails, browsing history, chat conversations, images, and much more. Often, Mobile Forensics focuses on the operating system and built-in applications, because they exist in every device. However, knowledge about other applications can also be useful in order to acquire forensic information. Jose, in his article, describes how WhatsApp works and how you obtain forensic information from it. Check it out, it shall become more powerful than you could possibly imagine.
56 The Secret of Passwords
Joshua Platz
What is the secret to cracking passwords? We are moving into an age in which our personal computers are becoming insanely fast and cloud computing is all the craze. What metrics can we identify in a password that will help us cut the cracking time from a few years to a few hours? Joshua in his article dives head first into the break-down of different techniques to crack a password and some specialized research into using those methods most effectively. Special thanks to Joshua for sharing his scripts. Now you can not only read this article but also try it.
Network Security
62 The Honeypots Part 2
Vatsal Parekh
Choosing the right Honeypot solution for your network is very important. Honeypots are an administrator’s best friend if tuned properly. Always choose your Honeypots according to your organizational needs. Never forget to install and properly configure monitoring tools on the honeypots; these come in handy all the time. Vatsal presents how to gather the requirements for your Honeypot, how to choose your Honeypot carefully, and the importance of maintaining your chosen Honeypot.
TEAM
Supportive Editor: Ewa Dudzic ewa.dudzic@software.com.pl
Product Manager: Małgorzata Skóra malgorzata.skora@pentestmag.com
Betatesters / Proofreaders: William Whitney, Steven Wierckx, Dou Pryeniesy, Jeff Weaver, Dennis Distler, Marek Janáč, Michael Munt, Ankit Prateek, Johan Snyman
Senior Consultant/Publisher: Paweł Marciniak
CEO: Ewa Dudzic ewa.dudzic@software.com.pl
Art Director: Ireneusz Pogroszewski ireneusz.pogroszewski@software.com.pl
DTP: Ireneusz Pogroszewski
Production Director: Andrzej Kuca andrzej.kuca@software.com.pl
Publisher: Software Press Sp. z o.o. SK, 02-682 Warszawa, ul. Bokserska 1
Phone: 1 917 338 3631
www.pentestmag.com
Whilst every effort has been made to ensure the high quality of the magazine, the editors make no warranty, express or implied, concerning the results of content usage. All trade marks presented in the magazine were used only for informative purposes. All rights to trade marks presented in the magazine are reserved by the companies which own them.
Mathematical formulas created by Design Science MathType™
DISCLAIMER!
The techniques described in our articles may only be used in private, local networks. The editors hold no responsibility for misuse of the presented techniques or consequent data loss.
Living Securely
Mobile Device Security: Why Should You Care?
In the present day, employees are king, bringing with them (into the network) not one, not two, but sometimes three or more personal devices that have little or no corporate-approved applications; and yet they connect to the corporate network and chat, e-mail, talk, network socially, and connect to the cloud. It’s a bad horror movie, The Invasion of the Devices, and you’re the hero who’s being overrun.
These devices are highly customizable (unlike enterprise-issued laptops, which typically have a lot of restrictions tied to them in terms of what applications the employee can install). Therefore, the employee has a personal attachment to these devices and swears by them both at work and outside of work. And this phenomenon, which could be brushed off as an anomaly just a few years ago, is fast becoming the norm in enterprises, so you need to take notice. Mobile device security isn’t a problem that you can just wish away. Employees will do things they shouldn’t, such as pick up malware from a free app they just downloaded to their Android. That leaves you – the IT professional with corporate responsibilities – to be accountable for preventing security breaches where possible and remedying a breach after it happens. This article helps you understand the threat posed by unsecured mobile devices and explores the tools available to help secure them. In this article, you discover what the impact of smart devices in the enterprise means for maintaining data integrity, network utilization, user productivity, secure communication, device manageability, and compliance capabilities. And you find out how the assessment of security challenges is compounded by the device invasion. And finally, you discover what measures you need to put in place to secure the new enterprise mobile environment. To do that, first you must understand the problem that exists and make a case for why you should not quit, but form a plan to assimilate the invading hordes.
Recognizing the Scope of the Threat
If you have been on any planet but Earth, you can be forgiven for not having noticed the smartphone explosion. The rest of us who exist in Earth’s modern, connected society recognize this phenomenon. Smartphones will soon be arriving at your workplace in droves, if they aren’t already there. A smartphone is just one type of mobile device that may show up in the workplace. Employees may also use other mobile devices such as netbooks, tablet computers, or any other form of Internet-connected device on a daily basis. Despite the influx of mobile devices, their mere presence in the enterprise is not the problem. But considering the habits and practices of mobile device users who co-mingle work and personal activities helps you begin to outline the scope of the problem. For example, the devices your company’s employees use to read their work-related e-mail may also be the devices they use to post
Mobile Security
An Introduction to Code Mobility and its Security Concerns
At the last Qt-Day in Italy, a conference sponsored by Nokia among others, it emerged that the trend in Internet usage has changed radically. Most users have a mobile device as their main access to the network instead of a complex multi-purpose computer.
This of course opens the discussion about what mobility is and what the problems with its adoption are, in particular with regard to security issues. Today, mobility is often taken to mean mobile devices, and therefore mobile security is assumed to be a set of techniques to protect smart devices from attackers. Nevertheless, mobility has its roots in applications and their executables, and this article provides a brief introduction to code mobility and its issues.
What is (Code) Mobility?
Code mobility can be expressed as the capability of executing code at different locations; system
Figure 1. The Remote Evaluation Approach
Mobile Security
Mobile Penetration Testing Standards & Practices
Platform Design, Tool Selection, Vectors, and Test Environments
Talk to any professional Penetration Tester (PenTester) and they will tell you that the number one challenge is finding the right tool(s) for the job.
The problem with building your own tools is that it can be time consuming, expensive (labor costs), and most of the time quality assurance (QA) goes out the window. The cost of having security researchers and pentesters find the right tool and the accompanying instructions or blog post is prohibitive at the individual engagement level. One of the reasons software licenses for these types of environments are so expensive is that the economics of the individual engagement allow it. In other words, pentesting can be extremely expensive. Regardless, look into using live environments.
TIP
The key is to always focus on using the right tool for the right job as quickly and efficiently as possible. Make sure that the tool is part of an actively updated and supported software ecosystem.
DEFINITIONS
• DARPA – Defense Advanced Research Projects Agency www.darpa.mil
• PENTESTER – A person who provides penetration testing services
• ROOT DANCE – Physical expression of excitement when owning a device/host/network
• QA – Quality Assurance
• OPEX – Operational expenditure
• CAPEX – Capital expenditure
• COMMITTEE – A sub group of a larger group with the power to spend money and take actions
• LTS – Long-Term Support
• BYOD – An example of a really bad idea aka Bring Your Own Device
FACT
When it comes to security, end users are treating mobile devices with the same level of familiarity they used to treat their laptops, which makes the entire Bring Your Own Device (BYOD) craze even more worrisome to experts.
FACT
BYOD is here to stay.
All of this leads the professional pentester to ask the following question: What defines a good mobile security pentest platform? In short, there are several requirements to define a good mobile security/pentest platform:
• Multiple boot options. You should be able to boot off a DVD, USB, USB cufflink or virtual machine.
Mobile Security
Mobile Security – Surfing the Paradox?
As the old adage goes, “If it isn’t nailed down someone will steal it”. Even the father of the Open Source movement, Richard Stallman, had the recent misfortune to have his laptop, money and passport stolen while at the University of Buenos Aires in Argentina [1]. A common enough crime you may think, but this illustrates well the paradox of using the words “mobile” and “secure” in the same sentence.
Mobile computing, and particularly smartphones, is a very different beast from the generation of big iron that laid the foundation for modern IT practices. It is quite ironic that we have come full circle from the days of time-sharing on mainframes to sharing resources in the cloud, and in the process relinquishing a vital degree of control over our most important asset – information. Unfortunately, some of the best practices adopted in the early days of computing seem to have been sacrificed for marketability, cost and convenience, including extensive software and firmware analysis, testing and robustness. While it is accepted that the major players in the industry take adequate steps to provide secure, quality software, mistakes are still made, errors creep in, and this doesn’t take into account 3rd party developers who have little or no regard for security. The platform itself is a hybrid, combining traditional functionality with added connectivity via carrier networks, Wifi and Bluetooth as well as other interfaces such as infra-red. Considering the portability and accessibility of the devices, the mobile device poses a larger security risk than the humble PC or indeed laptop. This is the basis of the paradox – how can a device that is so small, open, technically innovative, tactile, easy to use and readily available retain cultural and mass-market appeal while at the same time remaining secure? This is the challenge not just from a software or hardware perspective but also from a cultural one.
Evolution
The mobile device has undergone a massive revolution over the years [2], from a collection of dissimilar interfaces and systems (e.g. analogue/cordless phone, PDA, pagers, calculator etc.) through a process of hybridisation to a single multi-function device that performs a multitude of functions in one package. This is a very different path from the Personal Computer per se, in that very little has changed in the past 25 years, other than possibly the addition of a network card, audio and a DVD writer as standard. Of course the enthusiast could add any multitude of peripherals or add-on cards to their PC, but the trend within the mobile market has been to add value via the interface, 3rd party software and connectivity. This can be seen clearly with the progression from the “analogue brick” to the modern tablet – each successive generation has added more functionality, and as a result increased the exposure footprint. More critically, as these features are hard-wired into the design and the man-
Mobile Security
Mobile Credit Card Payments: Vulnerabilities That Could Lead To Potential Credit Card Compromises
Small businesses, in an effort to make selling products more convenient for customers, have started to use alternative methods for taking payments.
One of these methods is the use of a small dongle attached to an iPhone or Android device that allows credit cards to be swiped and authorized. These devices allow small businesses to bring in additional revenue, but present a number of security issues with the protection of cardholder data. Any business that accepts credit cards falls under the requirements of the Payment Card Industry Data Security Standard (PCI-DSS), which sets out requirements for protecting cardholder data. The standard is accepted by the major credit card companies as a requirement to be implemented wherever the boundaries of cardholder data reside. Though there are no formal laws to enforce compliance, credit card companies can levy fines on any credit card merchant found not to be in compliance with the PCI-DSS when cardholder data is compromised. One of the requirements (11.3) is for penetration testing to be performed internally and externally to identify vulnerabilities that could lead to disclosure of cardholder data (PCI Security Standards Council, 2008). The following is a quote from the supplemental materials regarding pen-testing components.
Components for Requirement 11.3
Consider including all of these penetration-testing techniques (as well as others) in the methodology, such as social engineering and the exploitation of exposed vulnerabilities, access controls on key systems and files, web-facing applications, custom applications, and wireless connections. Source: Information Supplement: Penetration Testing (PCI Security Standards Council, 2008)
Social engineering provides an avenue for exploiting some of the recent vulnerabilities that have been found in mobile card reading devices. Without the budget to focus on potential scams or hoaxes, personnel may not be familiar with the potential problems of trusting a person who identifies themselves as a trusted IT worker or credit card payment vendor. In 2011 at Black Hat, researchers demonstrated the ability to use the Square card reader to skim credit card numbers (Schwartz, 2011). Essentially, the Square card readers utilize sound to read in the card data and then send it in for payment authorization. Credit cards, as well as other stripe cards, are programmed using magnetism to store whatever information is required for the card. In the case of credit cards, there are normally two tracks of data on the magnetic stripe, which include the card number and additional information about the cardholder (“Magnetic Stripe Card”). In case track 1 is not able to be read, track 2 is used to process the
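To make the two-track layout concrete, the following is an added example written for this page; it is not code from the article, from Square, or from any payment vendor. It parses the Track 1 and Track 2 encodings defined by ISO 7813 (the same two tracks the paragraph above refers to), validates the card number with the Luhn check digit, and, as PCI-DSS expects of anything that handles cardholder data, masks the PAN to first six/last four before the value is shown or logged. It mirrors the fallback just described: Track 1 is preferred, Track 2 is used when Track 1 cannot be read. The function names and the sample swipes are constructed for this example; 4111 1111 1111 1111 is a conventional test PAN, not a real card.

```python
"""Added example (not from the article): parse the ISO 7813 Track 1 and
Track 2 data a magnetic-stripe reader emits, validate the PAN with the
Luhn check and mask it before the value goes anywhere near a log.
All sample swipes below are constructed test data."""
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Track 1 (ISO 7813): %B<PAN>^<NAME>^<YYMM><service code><discretionary>?
TRACK1_RE = re.compile(
    r"^%B(?P<pan>\d{1,19})\^(?P<name>[^^]{2,26})\^(?P<exp>\d{4})"
    r"(?P<svc>\d{3})(?P<disc>[^?]*)\?$")
# Track 2 (ISO 7813): ;<PAN>=<YYMM><service code><discretionary>?
TRACK2_RE = re.compile(
    r"^;(?P<pan>\d{1,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>[^?]*)\?$")


@dataclass
class CardData:
    track: int            # which track was actually parsed (1 or 2)
    pan_masked: str       # first six / last four in clear, middle starred
    luhn_ok: bool         # PAN passes the Luhn check digit test
    expiry: str           # YYMM exactly as encoded on the stripe
    service_code: str     # three digits; first digit 2 or 6 means a chip card
    chip_card: bool       # a swipe of a chip card is worth flagging
    name: Optional[str]   # cardholder name, present on Track 1 only


def luhn_ok(pan: str) -> bool:
    """Luhn mod-10 check: double every second digit from the right,
    subtract 9 from doubled values above 9, and sum must be a multiple of 10."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """PCI DSS style display masking: at most first six and last four in clear."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def split_tracks(raw: str) -> Tuple[Optional[str], Optional[str]]:
    """Cut a raw swipe into its Track 1 (%...?) and Track 2 (;...?) parts."""
    t1 = re.search(r"%[^?]*\?", raw)
    t2 = re.search(r";[^?]*\?", raw)
    return (t1.group(0) if t1 else None, t2.group(0) if t2 else None)


def parse_swipe(raw: str) -> CardData:
    """Prefer Track 1; fall back to Track 2 when Track 1 is missing or
    does not decode, which is the behaviour the article describes."""
    t1, t2 = split_tracks(raw)
    m = TRACK1_RE.match(t1) if t1 else None
    track = 1
    if m is None:
        m = TRACK2_RE.match(t2) if t2 else None
        track = 2
    if m is None:
        raise ValueError("no parseable track data in swipe")
    pan = m.group("pan")
    svc = m.group("svc")
    return CardData(
        track=track,
        pan_masked=mask_pan(pan),
        luhn_ok=luhn_ok(pan),
        expiry=m.group("exp"),
        service_code=svc,
        chip_card=svc[0] in "26",
        name=m.group("name").strip() if track == 1 else None,
    )


# Constructed test swipes (4111111111111111 is a conventional test PAN).
SWIPE_BOTH_TRACKS = ("%B4111111111111111^DOE/JANE^2512101000000000?"
                     ";4111111111111111=2512101000000000?")
SWIPE_TRACK2_ONLY = ";4111111111111111=2512101000000000?"
SWIPE_TRACK1_DAMAGED = "%E?;4111111111111111=2512101000000000?"  # Track 1 unreadable

if __name__ == "__main__":
    for raw in (SWIPE_BOTH_TRACKS, SWIPE_TRACK2_ONLY, SWIPE_TRACK1_DAMAGED):
        card = parse_swipe(raw)
        # Only the masked form is ever printed; raw track data is never retained.
        print(card)
```

The point for anyone assessing a mobile reader is what the parser deliberately does not return: the full PAN and the discretionary data (where the CVV1 lives). PCI-DSS forbids storing full track data after authorization, so a reader or its companion app that logs the raw swipe, sends it unencrypted over the audio jack, or displays an unmasked PAN is already out of compliance before any skimming attack is considered.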
Forensics
Server’s Data Breach A Forensics Investigation Business-technical problems, informatics law and forensics solutions The article is about the problem of a server’s data breach, in particular the forensics investigation after the illegal act. After an introduction about the concept of data breach, the paper fixes the essential digital elements of forensics analysis.
A
concrete case of forensics investigation of server’s data breach can permit to understand the problems and the informatics law and forensics solutions: data acquisition, log files analysis, technical analysis for malware and digital code. Conclusions underline the difficulties of the data breach forensic reconstruction compared to the needs of IT security, in order to prevent the illegal act, with concrete and ordinary activities.
Data breach: informatics law concept
In Information Technology, a data breach is the theft of company and personal data located in informatics systems (computers, servers or databases), carried out through IT technologies by people inside or outside the company. From a statistical point of view, the latest research carried out by the Verizon Risk Team, in collaboration with the Australian Federal Police, Dutch National High Tech Crime, the Irish Reporting & Information Security Service, the Police Central e-Crime Unit and the United States Secret Service, downloadable at www.verizonbusiness.com/resources/reports/rp_data-breach-investigations-report-2012_en_xg.pdf, shows how the unlawful phenomenon has sharply increased in the last ten years. Violations committed by people outside the company have risen to a total of 98% and violations involving workers on the inside have drastically decreased, by 4%. In particular, attacks from hacktivists have increased by a total of 58%. Regarding the techniques of system violation, hacking techniques account for more than 31% of illegal activities and malware technologies for more than 20%. Physical attacks, social engineering and improper use of user privileges, by contrast, have drastically decreased. In 96% of the cases, the technology used to carry out the attacks is not complex, even though the principal targets are company servers in 94% of cases. From a criminological point of view, the dynamics of these unlawful acts consist in a rapid succession of violations and the subtraction of data over a generally long period of time, even in terms of years. The company then discovers the violations, frequently through reports from third parties affected by these crimes. The motives for the violations, and which third parties are damaged, do not depend on the size of the business but on its public profile, its visibility in cyberspace, and its possession of valuable assets or commercial or financial transaction data. According to Verizon specialists, 97% of violations could be warded off through specific interme-
EXTRA 04/2012(8)
WhatsApp Forensics
Are you a smartphone user? Who’s not? Nowadays, people widely use smartphones that handle a large amount of personal and corporate information. Some of this information is not stored by the operating system itself. Applications running on the mobile phone, such as WhatsApp, can store really important information as well.
In this article we are going to describe how WhatsApp works and how we obtain forensic information from it. Check it out, it shall become more powerful than you could possibly imagine. Mobile Forensics is a rising field, since nowadays most people use smartphones for both personal and corporate purposes. These devices can handle different kinds of information such as emails, browsing history, chat conversations, images, and much more. Often, Mobile Forensics focuses on the operating system and built-in applications, because they exist in every device. However, knowledge about other applications can also be useful in order to acquire forensic information.
WhatsApp Overview
WhatsApp is an Instant Messaging (IM) application intended to be a step up from traditional short messages (SMS). It is available for nearly all modern smartphone platforms such as Android, iPhone, BlackBerry, Nokia and Windows Phone. The only prerequisite is an Internet connection, which it needs in order to send messages for free. Because it is cheap, easy to use and cross-platform, installing WhatsApp is now almost a must. Nearly everybody uses WhatsApp daily as a free alternative to SMS. In fact, according to Android Market statistics, WhatsApp is the most installed free application. From a forensic point of view, it is interesting to know what kind of information WhatsApp handles and stores internally, since we are going to find it on most devices. All the information provided has been tested at the time of writing. WhatsApp is in continuous evolution, so you may find that some functionality has changed. Anyway, I hope this article will be a good first look at it. Let’s start with WhatsApp!
WhatsApp Acquisition
WhatsApp is a cross-platform application, so its acquisition process can be very different from one platform to another. We are going to focus on Android and iPhone as the most used platforms. In Android, WhatsApp files can be found in the /data/data/com.whatsapp directory. The preferences directory (shared_prefs) contains some XML files, and one of them is particularly interesting. RegisterPhone.xml stores the number registered for using WhatsApp, which can be the same number used in the phone but can also be a different one. When you register a WhatsApp number, a pre-shared key is created and stored in the mobile phone. If a per-
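For the shared_prefs files mentioned above, here is an added example (not the article's own code) of a reader for Android's SharedPreferences XML layout, which is the format those files use. The constructed RegisterPhone-style sample embedded in the block uses placeholder key names; the real key names inside RegisterPhone.xml are not given in the article, so the helper scans string values for phone-number-looking entries instead of relying on a key name.

```python
"""Added example (not from the article): a reader for Android SharedPreferences
XML files such as those found under /data/data/com.whatsapp/shared_prefs/.
The <map> of typed entries is Android's standard layout; the key names in the
constructed sample below are placeholders, not the real RegisterPhone.xml keys."""
import os
import re
import xml.etree.ElementTree as ET

# Constructed sample in the standard SharedPreferences layout; key names are hypothetical.
SAMPLE_REGISTER_PHONE_XML = """<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
    <string name="registration_number">+15555550123</string>
    <boolean name="registered" value="true" />
    <int name="attempts" value="2" />
    <long name="registered_at_ms" value="1340000000000" />
    <set name="codes"><string>a</string><string>b</string></set>
</map>
"""

# E.164-like: optional '+' followed by 7 to 15 digits (assumption for this example).
PHONE_RE = re.compile(r"^\+?\d{7,15}$")


def parse_shared_prefs(xml_text) -> dict:
    """Turn one SharedPreferences XML document into a dict of typed Python values."""
    if isinstance(xml_text, str):
        xml_text = xml_text.encode("utf-8")
    root = ET.fromstring(xml_text)
    prefs = {}
    for el in root:                      # children of <map>
        name = el.get("name")
        if el.tag == "string":
            prefs[name] = el.text or ""
        elif el.tag == "boolean":
            prefs[name] = el.get("value") == "true"
        elif el.tag in ("int", "long"):
            prefs[name] = int(el.get("value"))
        elif el.tag == "float":
            prefs[name] = float(el.get("value"))
        elif el.tag == "set":
            prefs[name] = {child.text or "" for child in el}
    return prefs


def find_phone_numbers(prefs: dict) -> dict:
    """Keys whose string value looks like an international phone number."""
    return {k: v for k, v in prefs.items() if isinstance(v, str) and PHONE_RE.match(v)}


def load_prefs_dir(path: str) -> dict:
    """Parse every .xml file in an extracted shared_prefs directory, keyed by file name."""
    out = {}
    for fname in sorted(os.listdir(path)):
        if fname.endswith(".xml"):
            with open(os.path.join(path, fname), "rb") as fh:
                out[fname] = parse_shared_prefs(fh.read())
    return out


if __name__ == "__main__":
    prefs = parse_shared_prefs(SAMPLE_REGISTER_PHONE_XML)
    print(prefs)
    print("registered numbers:", find_phone_numbers(prefs))
```

Run `load_prefs_dir` against a copy of the shared_prefs directory taken from a forensic image rather than the live device, so the acquisition itself does not modify file timestamps.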
The Secret of Passwords
When preparing a penetration report, we would like to be able to claim the finding of “Weak or Easy to Crack Passwords” as often as possible. Every time I take on a new client I would love to see the client exhibiting best practices and doing well for the audit, but I also would love to find all of the weaknesses in the client’s infrastructure.
For this reason, whenever I do a penetration test I don’t only try for Domain Admin, but I also try to locate as many findings as possible. Handing the client a list of their users’ passwords, whether they are obtained via phishing or cracking, is much more satisfying than handing them a hash. The clients do not immediately understand what we can do with a hash using PSEXEC, but they immediately understand what a blank password means. It is this “wow” factor that gets your company back to the table next year with the client. It’s going the extra step and being able to say, “Not only did we get Domain Admin on your network, but we also managed to get the passwords of a quarter of your users.” What is the secret to cracking passwords? We are moving into an age in which our personal computers are becoming insanely fast and cloud computing is all the rage. What metrics can we identify in a password that will help us limit the cracking time from a few years to a few hours? This article will dive head first into the breakdown of different techniques to crack a password and some specialized research into using those methods most effectively. One of the most common questions I ask myself when I’m preparing to write a report for a client after I’ve just stolen some hashes is, “What makes a password strong?” I commonly report what we deem weak passwords to the client, but what is the underlying criterion that makes a password weak or strong? Is it the number of characters? Is it the obscurity? One thing is for sure: if I can crack your password during the week that I am at your site performing the penetration test, the password is weak. When I undertook research into finding the most effective way to crack passwords, I found that there were two main schools of thought: GPU cracking or rainbow tables. Each has its benefits depending on the type of hash you would like to crack and how much time you wish to devote to the cracking. If we cannot crack the password hashes within 1 to 3 days, they are worthless to us. We want to crack those hashes and then throw them back into the client’s production environment to gain deeper access. At my company we often found that explaining the “so what” is not as effective as showing it, by handing the client exposed credit card numbers and asking them to delete the domain administrator account we created. You as the reader will now be able to reap the benefits of my research without spending a few weeks digging up the information on your own. Perhaps you know everything in this article and you are already efficiently cracking “weak” pass-
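To put numbers on the "years versus hours" question above, an added example that is not the author's script: a Python estimator that computes the exhaustive-search keyspace of a password from its length and the character classes it uses, converts that to a worst-case time at an assumed guess rate, and applies the article's 1-to-3-day window as the "weak" threshold. The guess rate of 10^9 per second, the 33-symbol alphabet and the tiny wordlist are assumptions; the wordlist check is included to show that a dictionary word is weak no matter what the keyspace arithmetic says, which is the "obscurity" side of the question.

```python
"""Added example (not from the article): estimate how long an exhaustive search
of a password's keyspace would take at an assumed guess rate, and apply the
article's rule of thumb that anything crackable within the 1-3 days of an
engagement is weak. Guess rate, symbol alphabet and wordlist are assumptions;
real rates depend entirely on the hash type and the hardware."""
import math
import string

# Character classes and the alphabet size each one contributes (assumption: 33 symbols incl. space).
CHARSET_CLASSES = (
    (set(string.ascii_lowercase), 26),
    (set(string.ascii_uppercase), 26),
    (set(string.digits), 10),
    (set(string.punctuation + " "), 33),
)

# Constructed, deliberately tiny wordlist; a real one has millions of entries.
WORDLIST = {"password", "letmein", "welcome", "qwerty", "123456"}

WEAK_THRESHOLD_SECONDS = 3 * 24 * 3600   # the article's "1 to 3 days" window


def charset_size(password: str) -> int:
    """Size of the smallest character-class alphabet that contains the password."""
    size = 0
    for chars, n in CHARSET_CLASSES:
        if any(c in chars for c in password):
            size += n
    # Characters outside the four classes (e.g. non-ASCII) each add one to the alphabet.
    leftover = {c for c in password if not any(c in chars for chars, _ in CHARSET_CLASSES)}
    return size + len(leftover)


def keyspace(length: int, alphabet: int) -> int:
    """Number of candidates an exhaustive search of this length/alphabet must try."""
    return alphabet ** length


def worst_case_seconds(space: int, guesses_per_second: float) -> float:
    return space / guesses_per_second


def human_time(seconds: float) -> str:
    units = (("years", 365 * 24 * 3600), ("days", 24 * 3600), ("hours", 3600), ("minutes", 60))
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:.1f} {name}"
    return f"{seconds:.1f} seconds"


def evaluate(password: str, guesses_per_second: float = 1e9) -> dict:
    """Keyspace, entropy bound and worst-case brute-force time for one password."""
    alphabet = charset_size(password)
    space = keyspace(len(password), alphabet)
    secs = worst_case_seconds(space, guesses_per_second)
    in_wordlist = password.lower() in WORDLIST
    return {
        "length": len(password),
        "alphabet": alphabet,
        "bits": round(len(password) * math.log2(alphabet), 1) if alphabet else 0.0,
        "worst_case": human_time(secs),
        "worst_case_seconds": secs,
        "in_wordlist": in_wordlist,
        "weak": in_wordlist or secs < WEAK_THRESHOLD_SECONDS,
    }


if __name__ == "__main__":
    for pw in ("password", "abcdefgh", "Tr0ub4dor&3"):
        print(pw, evaluate(pw))
```

The keyspace figure is an upper bound on attacker effort: rule-based and dictionary attacks, and rainbow tables for unsalted hashes, reach common passwords far sooner, so a password policy should treat the estimate as the best case for the defender, not the expected one.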
Network Security
The Honeypots – Part 2: Gather your Requirements for Honeypots
Honeypots, as we saw in my article in the last issue, are a very important component for all network types. Be it an SME or a large enterprise, honeypots play a very vital role in every organization, irrespective of industry.
To gather the requirements for your honeypots, one must first be very clear in his/her mind as to what the honeypot will be used for, how it will be used, and where it is required the most. I would suggest the following requirements for honeypots:
Requirement Number – 1: The Hardware
Any computer, either old or new, can be turned into a honeypot these days. But here is where people make mistakes. They think they can simply use any computer, but they are wrong. For honeypots to function correctly and efficiently, an organization must use the proper hardware with the proper configuration. This also depends upon the organization’s size: the larger the organization, the more powerful your honeypot hardware should be. Let’s look at an example here. Consider a financial organization like a bank with billions of dollars of turnover per day. One fine day, the bank’s database and server get hacked and billions of dollars in transactions are ruined. Now, the bank calls in the Security Experts Group to come and solve the problem. The group recommends a honeypot or a set of honeypots to be installed on the bank’s network. The group installs the honeypots on machines with very low-grade hardware and old systems. These honeypots are deployed on the network and after 5 months the bank’s server gets hacked again, and this time as well the losses are more than expected. Then the bank finally hires a better security group, which recommends a stronger honeypot solution installed on a server with the latest hardware and software.
Figure 1. The Hardware (end result)
Now these new honeypots are deployed on the network for the bank. The final verdict, after five months, is that the bank’s servers are secure and the honeypots are working perfectly. So you see, the stronger the hardware of your honeypot, the stronger its defence mechanism.
Requirement Number – 2: The Operating System
After the hardware, the software or Operating System (OS) is equally important to ensure a strong honeypot. As we all know, without the proper software the hardware is worthless. We need something to run the hardware according to our specific programming. So we see here that an excellent Operating System is necessary. The first, best, and strongest OS that I would recommend would be Linux, because of its flexibility, faster loading time, robustness, capability to withstand several dangerous attacks, etc. My second preference as a strong OS would be Windows. Though not equal to Linux, Windows sometimes does the trick in luring an attacker.
Requirement Number – 3: How Many Honeypots To Use?
This is a very important factor to consider. You need to know your network’s size, topology, and capacity to take in machines, server load, load balancing in your network, the IDS to be deployed, etc. There are a lot of mathematical calculations involved in installing honeypots on your network. For example, let us again reflect back on the bank’s network. As we all know, banks have tremendously large networks and large databases to secure. There are different types of systems, OSes, peripherals, etc. installed on a single network. We also know that no single network is robust enough to handle all of the bank’s transactions; there can be enormous amounts. So for these types of organizations, where honeypots are extremely essential, we as Security Experts need to count and decide how many honeypots to use and how many to keep in stand-by mode, in case any mishap occurs.
Requirement Number – 4: Types Of Network Services
Yes, this is the most important requirement of all: network services, which to enable, which to disable, etc. There are many network services, such as:
• FTP
• SMTP
• PPTP
• POP3
• IMAP
• Telnet
• SSL
Honeypots need to be let loose on the network. For letting them loose, we as administrators and security experts need to understand and recommend which services should be enabled on each Honeypot.
Requirement Number – 5: The DCD, or Data Control Devices
This is to catch the rats (the attacker). Simply installing a honeypot with the latest hardware and the best OS will not catch an attacker. It is said by various hunters that “If you want to catch your animal… you need to have the right tools”. So the DCD, or Data Control Devices, are the tools to catch an attacker. There are many types of data control devices, namely:
• Monitoring tools like Wireshark
• Firewall logs
• Operating system logs
• Third-party monitoring tools like Tripwire
• Keystroke logs, etc.
Figure 2. Session ID
Figure 3. Problem solution
So friends, as you see from above, there are 5 basic requirements for your honeypots.
How To Choose Your Honeypots Carefully?
Honeypots are chosen according to three main criteria, namely:
• Organization type
• Level of confidentiality
• Price
Honeypots are to be chosen based on the organization’s size and type. Some organizations may require low-interaction honeypots and some may require high-interaction honeypots. The level of confidentiality of the data is also an important factor in choosing the honeypots for your network. Another parameter is the price of the honeypots. Though price cannot be traded off against the quality of the honeypots, it is a considerable factor when it comes to finances.
Importance of Maintaining Your Chosen Honeypots
Any physical device, whether a server, computer, peripheral, etc., requires maintenance after a certain period of service. It’s very similar to how we maintain our car regularly so that it does not stop in the middle of the road. Similarly, honeypots require maintenance depending upon the size and type that you have chosen to run on your network. The most important aspects of maintaining your honeypots are:
• Maintain the hardware of your honeypot
• Regularly upgrade the operating system and patches on your honeypot OS
• Maintain regular checks of the event logs on the honeypot
• Upgrade your monitoring tools and keystroke software to the latest versions
• Check your network for any signs of intrusions
Information On the Web
http://en.wikipedia.org/wiki/Honeypot_(computing) – This link consists of basic information about Honeypots.
Glossary
NO GLOSSARY. ALL TERMS ARE MADE SIMPLE AND UNDERSTANDABLE FOR THE READERS.
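The data control devices listed under Requirement 5 and the "regular checks of the event logs" item above both come down to reading what the honeypot records. An added example, not from the article, of that review in Python: it parses a constructed key=value event log, groups events by source address, and reports every source (a honeypot has no legitimate users, so any contact is of interest) with extra flags for port sweeps and password guessing. The log format, the thresholds and the TEST-NET addresses are assumptions made for this example.

```python
"""Added example (not from the article): triage of the event logs a honeypot's
data-control devices produce. Because a honeypot has no legitimate users, every
source that touches it is worth a look; the script groups events by source
address and flags port sweeps and password guessing. The log format and the
log lines are constructed for this example (TEST-NET addresses)."""
import re

# Constructed sample log, in a simple key=value format assumed for this example.
SAMPLE_LOG = """\
2012-06-01T10:00:01Z honeypot01 conn src=203.0.113.5 dport=21 proto=tcp
2012-06-01T10:00:01Z honeypot01 conn src=203.0.113.5 dport=22 proto=tcp
2012-06-01T10:00:02Z honeypot01 conn src=203.0.113.5 dport=23 proto=tcp
2012-06-01T10:00:02Z honeypot01 conn src=203.0.113.5 dport=25 proto=tcp
2012-06-01T10:00:03Z honeypot01 conn src=203.0.113.5 dport=80 proto=tcp
2012-06-01T10:00:03Z honeypot01 conn src=203.0.113.5 dport=110 proto=tcp
2012-06-01T10:01:10Z honeypot01 auth src=203.0.113.5 service=ssh user=root result=fail
2012-06-01T10:01:12Z honeypot01 auth src=203.0.113.5 service=ssh user=root result=fail
2012-06-01T10:01:15Z honeypot01 auth src=203.0.113.5 service=ssh user=admin result=fail
2012-06-01T11:30:00Z honeypot01 conn src=198.51.100.7 dport=80 proto=tcp
this line is corrupt and must be skipped
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<kind>conn|auth) (?P<kv>.*)$")


def parse_line(line: str):
    """One log line -> dict of fields, or None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    event = {"ts": m.group("ts"), "host": m.group("host"), "kind": m.group("kind")}
    for token in m.group("kv").split():
        if "=" in token:
            key, value = token.split("=", 1)
            event[key] = value
    return event


def triage(log_text: str) -> dict:
    """Group events by source address: connection count, ports touched, auth failures, time span."""
    per_src = {}
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or "src" not in ev:
            continue
        s = per_src.setdefault(ev["src"], {
            "connections": 0, "ports": set(), "auth_failures": 0,
            "users": set(), "first_seen": ev["ts"], "last_seen": ev["ts"]})
        s["first_seen"] = min(s["first_seen"], ev["ts"])   # ISO 8601 UTC sorts lexically
        s["last_seen"] = max(s["last_seen"], ev["ts"])
        if ev["kind"] == "conn" and "dport" in ev:
            s["connections"] += 1
            s["ports"].add(int(ev["dport"]))
        elif ev["kind"] == "auth":
            s["users"].add(ev.get("user", "?"))
            if ev.get("result") == "fail":
                s["auth_failures"] += 1
    return per_src


def alerts(summary: dict, scan_ports: int = 5, guess_limit: int = 3) -> list:
    """(source, reasons) for every source; thresholds are assumptions for this example."""
    out = []
    for src, s in sorted(summary.items()):
        reasons = ["contacted honeypot"]
        if len(s["ports"]) >= scan_ports:
            reasons.append(f"port sweep across {len(s['ports'])} ports")
        if s["auth_failures"] >= guess_limit:
            reasons.append(f"password guessing: {s['auth_failures']} failures for {sorted(s['users'])}")
        out.append((src, reasons))
    return out


if __name__ == "__main__":
    for src, reasons in alerts(triage(SAMPLE_LOG)):
        print(src, "->", "; ".join(reasons))
```

Corrupt or unexpected lines are skipped rather than aborting the run, which matters on a honeypot whose logs an intruder may have tried to damage; the per-source summary is also the natural unit to cross-check against firewall logs on the production network.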
Summary
Choosing the right honeypot solution for your network is very important. Honeypots are an administrator’s best friend if tuned properly. Always choose your honeypots according to your organizational needs. Never forget to install and properly configure monitoring tools on the honeypots. These come in handy all the time.
Vatsal Parekh
The author of this article is Mr. Vatsal Parekh, a technopreneur and a professional Information Security Expert working on various types of projects such as BlackBerry Enterprise Server management, testing and securing web applications and mobile applications, designing high-profile computer networks and providing them with cost-effective solutions. As a hobby, he loves to design websites and has designed about 30+ websites, including e-commerce, corporate and membership sites. His primary goal is to become one of the best Information Security Experts. He holds a Bachelor’s Degree in Computer Applications, a Master’s Degree in Crisis Management with specialization in Information Technology, and is a Certified Ethical Hacker. Currently the author is pursuing the CISA security certification from ISACA.org. He has 5 years of experience in the Information Security field. He is extremely passionate about traveling, music, food, and loves nature. The author can be contacted using the following contact information: Direct Cell Number: +91-9712941776, E-mail Address: janaminfosystem@gmail.com, Skype: janaminfosystem
In the next issue of PenTest: DDoS Attacks
Available to download on August 20th.
Soon in PenTest! PCI-DSS, SQL Injection, Stuxnet, Pentesting Facebook, Security Scanner, Pentester’s Tools, Security Policy, Data Protection Act, Standards and Certificates, Biometrics, E-discovery, Identity Management, Exploitation Framework, Backtrack Guide, Mobile Security
If you would like to contact the PenTest team, just send an email to en@pentestmag.com. We will reply a.s.a.p. PenTest Magazine has the right to change the content of the next Magazine Edition.