New issue of Web App Pentest Magazine




EDITOR’S NOTE

Hello Everyone!

Spring has finally come and let’s hope that the warming will also concern the science world. I don’t know if you have heard, but the library of Harvard University, the wealthiest university in the world, can’t afford to buy all the desirable publications. What will be its impact on global society? We don’t know. But we do know that the Harvard library is spending an unimaginable $3.75M per year on these publications. Its council claims that prestigious magazine suppliers are slowing down the speed of global economic growth by winding up the prices of the newspapers, which they call ‘products’. Let’s hope it will be the beginning of judging a book by its content and not its cover. In this case, Pentest Magazine will be blooming, as there are tons of information useful to everyone who just wants to make some effort and reach for it.

We open this month’s edition with an article on Securing Cloud by Ian Moyse, sales director at www.workbooks.com. He writes about threats that appear during cloud computing and he proves positively that you can utilize Cloud, private and public, securely. It creates new security challenges but is still worth using. If we put the advantages and disadvantages of that into a reasonable mathematical equation, the first will often outnumber the last. Research shows that the most common apprehensions are data security and privacy. So how should we secure our data? After reading the Walk in the Clouds you will have a better understanding of how to prevent cloud leaks.

The next article is devoted to attacking DNS, which may be a neuralgic point since many administrators do not secure it properly. As UDP is a connectionless protocol, denial of service attacks are very difficult to trace and block as they are highly spoofable. Aleksandar Bratic describes in detail the techniques of request flooding, response flooding, recursive request flooding, exploiting the DNS trust model (domain hijacking), cache poisoning and DNS hijacking.

We sacrifice some space to the well-known MySQL attacks. They are so popular that we encourage you to check if you are following the countermeasures we recommend. Check if you can make safer what you consider safe now. A firewall and well-thought-out data storage might help the website. The article may be a brief review for experienced users and a brilliant lesson for beginners.

In the Close Up section we take a closer look at web antiviruses. This is a disclosure on how to successfully trick the web AV by the technique of cloaking, which has been around since the 90s. So maybe it’s time to take care of it. You cannot rely only on your AV. The article is very short but that makes it even more convincing and valid, since it is enough space to present the issue of cloaking. And for everyone who wants to relax and have a bit of high-quality fun this summer (no matter how it sounds) we strongly recommend Cyber Styletto chapter 6, as the action enters a higher level there.

Enjoy reading!
Wojciech Chrapka & PenTest Team

CONTENTS

CLOUD SOLUTIONS

A walk in the clouds: Securing your Cloud Experience by Ian Moyse

The benefits of cloud computing are resounding, but businesses are still wary of the security implications. How are you assured that your data is as safe on the cloud as it is in your own network? What are the security pros and cons of utilising the cloud? And what steps should you be taking to ensure your cloud experiences are not only beneficial to your users, but are secure for your business?

FOCUS

How to Successfully Attack DNS? by Aleksandar Bratic

DNS is a very attractive target to attack, as very often IT administrators forget to implement measures to secure the DNS service. DNS listens on port 53, where UDP is used to resolve domain names to IP addresses and vice versa. It can also enlist TCP on the same port for zone transfer of full name record databases. It is estimated that 20% of total Internet traffic is DNS traffic.

BASICS

Web Application Vulnerability: MySQL Attack on Website Database by Mr. Ooppss

MySQL attacks are an often used technique to attack databases through a website. This is done by including portions of SQL statements in a web form entry field in an attempt to get the website to pass a newly formed rogue SQL command to the database.

WEB APP

Bypassing web antiviruses by Eugene Dokukin aka MustLive

Eugene Dokukin, a pentester with 17 years of experience, tests systems that search web sites for viruses. He has made a short brief on how easy it is to develop an effective cloaking method by integrating three elements: User-Agent, IP and DNS.

CLOSE-UP

Conferences in 2012 by PenTest Team

A programmer is a constantly undereducated person. Being up to date with the latest trends and solutions often decides if you are seen as a top-shelf coder. We are presenting conferences where all the new trends are mixed and exchanged between groups and individuals in a vivid and revitalizing atmosphere, and where you can shine with your knowledge.

CYBER STYLETTO

Cyber crime novella: Cyber Styletto – Chapter 6 by Mike Brennan and Richard Stiennon

TEAM

Editor: Wojciech Chrapka wojciech.chrapka@software.com.pl
Betatesters: Ankit Prateek, Robert Keeler, Aidan Carty, Kyle Kennedy, Daniel Wood, Johan Snyman
Senior Consultant/Publisher: Paweł Marciniak
CEO: Ewa Dudzic ewa.dudzic@software.com.pl
Art Director: Ireneusz Pogroszewski ireneusz.pogroszewski@software.com.pl
DTP: Ireneusz Pogroszewski
Production Director: Andrzej Kuca andrzej.kuca@software.com.pl
Marketing Director: Ewa Dudzic ewa.dudzic@software.com.pl

Publisher: Software Press Sp. z o.o. SK
02-682 Warszawa, ul. Bokserska 1
Phone: 1 917 338 3631
www.pentestmag.com

Whilst every effort has been made to ensure the high quality of the magazine, the editors make no warranty, express or implied, concerning the results of content usage. All trade marks presented in the magazine were used only for informative purposes. All rights to trade marks presented in the magazine are reserved by the companies which own them.

To create graphs and diagrams we used program by

Mathematical formulas created by Design Science MathType™

DISCLAIMER!

The techniques described in our articles may only be used in private, local networks. The editors hold no responsibility for misuse of the presented techniques or consequent data loss.


CLOUD SOLUTIONS

A Walk in the Clouds: Securing your Cloud Experience

The benefits of cloud computing are resounding, but businesses are still wary of the security implications. How are you assured that your data is as safe on the cloud as it is in your own network? What are the security pros and cons of utilising the cloud? And what steps should you be taking to ensure your cloud experiences are not only beneficial to your users, but are secure for your business?

What you will learn

In this article you will learn about the security areas to consider when adopting cloud solutions and some of the questions to ensure you ask.

What you should know

This article is aimed at those with a fundamental understanding of cloud and security concepts, but is written to be informative for anyone in an IT or business role who is concerned or has read about cloud security issues.

Security is one of the most important factors for companies who want to store data and operate using the cloud, and it continues to be highlighted as the greatest concern in end user studies. Implementing and utilizing a cloud solution brings great potential benefits, but also introduces challenges around securing content and access control. The cloud offers the promise of large potential savings in infrastructure costs and improved business agility, but concerns about security are a major barrier to implementing cloud initiatives for many organizations. Before transitioning to the cloud, you need to figure out how to implement and enforce an effective security program.

Cloud security refers to the computer, network and information security of cloud computing providers and incorporates data protection, infrastructure and governance issues. Security concerns surrounding cloud computing are generally considered to be security and privacy (of the information stored), compliance (with legislation and user company policy) and legal/contractual issues. In end user survey after survey, the top 2 issues that surface are security (data being the typical lead in this) and reliability (being availability and accessibility). A good reference point for this is the Cloud Industry Forum’s 2011 Cloud Adoption and Trends Survey, where 64% cited Security as their most significant cloud concern. Another study, carried out by network performance monitoring company Network Instruments, added confirmation that the top cloud challenge is the security of corporate data, with 45% of respondents surveyed reporting it as their key concern.

As with other major technology transitions, cloud computing has gained widespread attention and scrutiny in the media. We have seen stories abound around cloud, SaaS (Software as a Service), PaaS (Platform as a Service), etc., both in the consumer (e.g. iCloud) and business worlds. Many of the stories have scare mongered, seeing cloud as a pure risk and citing exposures such as Sony and Blackberry as examples of security and reliability in the cloud, which you could hardly fail to notice. Sony is a good case in point, where the press reported in April 2011 “Two of Sony’s online gaming services, were hacked, compromising confidential data of more than 100 million customers.” under banner headings of being a cloud failure! This could be better named as an internet issue. Sony wasn’t delivering a service hosting on behalf of customers, more delivering a service accessed over the ‘cloud’ such as Instant Messenger, Amazon or any other online seller or provider of wares. The core issue was that they held customers’ identities and payment details! This breach could have rung true for any online e-tailer such as eBay, PayPal, Amazon or others you may use and yourself trust. The “Cloud’s” generic branding is utilised quickly in such instances, as a useful hyped term and one that covers anything internet based. It is a wide sweeping brush that Sony became the poster child for.

The Sony leak was followed later by a report from an independent security expert that found 67% of the users whose passwords were published in the Sony leak were still using the same password that was leaked a year prior in the Gawker 2010 breach. This means that users who knew their password had been leaked previously, and knew they used the same password on Sony Online, had not seen a need, or taken the action, to change it! Users’ responsibility for their part in security remains an issue whether on network or in the cloud, of course!

Sony did, of course, start paying its toll, with a flow of share price drops in the weeks following the issue going public, taking it from above $30 down to $20 a share. However, today, only a year on, how many of the 24 million affected Sony users have deserted the provider? Relatively few. There was moral outrage, but consumer apathy bore out and the news has passed!

As an increasing number of legacy IT vendors move to offer cloud computing as part of their portfolio, they have played down the concerns around security. However, even with industry heavyweights now committing heavily to the cloud, customers are far from blindly trusting the cloud model. While IT teams may embrace cloud services as a way to achieve cost savings and increased business flexibility, these technologies are introducing new components and environments which change the security challenge once more. Security challenges in the cloud should be familiar to any IT manager – loss of data, threats to the infrastructure, and compliance risks, with focus varying depending on the size of organisation you represent. Cloud security is a complex topic with many considerations ranging from protection of hardware and platform technologies in the data centre through to regulatory compliance and defending cloud access through different end-point devices. Whether you are implementing a private or public cloud or a hybrid model that includes both, security must be a strong component of your solution.

Figure 1. Concerns about adoption of cloud



IT security in itself, bar cloud, already holds a great deal of responsibility. It must protect corporate assets from an ever increasing volume and sophistication of attacks, ensure any regulatory compliance is met, monitor and protect the business against internal threats and keep information from leaking through an ever increasing number of mediums including email, the web and social networks. Over the past decade the IT security market has expanded rapidly as vendor solutions to thwart all the attack types have come into being, and IT security has become more complex, with a need not only to understand basic point solutions, but to correlate a range of vendor offerings in a coherent manner and ensure they are also configured and updated accurately.

Attackers have become more adept at penetrating systems, often still using the user as the weak link, and whereas they used to only care about high-profile or larger targets, they are also now setting their sights on smaller companies to achieve their goals. To this end, existing on-site security solutions and infrastructure may not be sufficient or cost effective to protect against the dynamic, growing and changing attack landscape. This is not a reason alone to consider a move to the cloud, but cloud security approaches are now recognised as highly effective (in reducing cost and complexity) defence mechanisms, when approached diligently.

A 2012 survey commissioned by Microsoft indicated, for example, that SMBs are gaining significant IT security advantages from cloud computing, with 35% surveyed experiencing “noticeably higher” levels of security since moving to the cloud and 32% spending less time each week managing security than companies not using the cloud. Security, rather than acting as a barrier to cloud adoption in smaller businesses, is in fact one of the key benefits that they can experience by moving to the cloud.

The economies of scale and flexibility the cloud brings can be a friend and a foe from a security aspect. The concentration of data presents an attractive target to attackers, but cloud defences can be more robust, scalable and cost-effective than a self-build and manage approach! You must face the reality, though, that many employees will be using cloud services regardless of whether this is offered up by the business and IT as official policy.

How does security differ with private vs. public clouds?

Businesses directly control the security of private clouds, whereas with a public cloud they rely on the standardised delivery and security of the cloud provider. Doing it yourself can give you control, but it also gives you the responsibility and overheads of delivery, updating, configuring and responding to threats. With a public cloud and a carefully chosen vendor, the security of the cloud component is done for you, typically with you retaining control over access management and policies through your management portal. There are pros and cons of each approach, and do not assume vendors are all equal; doing diligence and asking pertinent questions is key. Also understand that utilising a public cloud vendor does not mitigate your security responsibilities, as there remains a need to secure your endpoints, user access and user security.

Private cloud security has similarities to that of security in the traditional datacentre. Worries remain around network security, authentication, auditing and identity management. However, you are no longer in complete control of the workloads, or even of the operating systems that are running in your datacentre. With private cloud, the consumers of your services can spin up new operating systems and create new applications depending on the service model you make available to your users. Therefore you need to address new areas such as the following:

• Deciding who has the rights to access and consume your cloud services.
• Do you have controls for the behaviors of the services and operating systems that your private cloud customers will be able to run up?
• Are you able to identify self service users that may represent potential threats, such as anyone using stolen credentials?
• Do you have mechanisms to ensure that users cannot migrate their user role into an administration role?
• Do you have a way to automate security responses to incidents, such as possible denial of service situations?

Public cloud is going to require that you do your diligence on the cloud provider, for example asking where they host, who with, where your data is located, who has access to it, what security policies they operate, and what access you have to apply your own security policies (access control, for example). Is your data striped across multi-location datacentres? Do they apply data mingling, where your data is in the same host and database as other customers’, or are you allocated a separate and discrete data store in the service? Very few, if any, companies will move completely to the cloud in the short term, as there are too many legacy systems to maintain that are cloud unfriendly.



Regulation will also play a part in areas which delay or restrict cloud being a viable solution (for now). Cloud brings great advantage to mobile users, and with estimates from Gartner that by 2014 around 80% of professionals will use at least two personal devices to access corporate systems and data, the two are likely to become more entwined. The growth of mobile access and BYOD (Bring Your Own Device) cultures is moving the security perimeter out past the organisation’s infrastructure to bold new areas. The cloud has delivered an expectation of applications that are free from the constraints of legacy desktop-tied clients and that can be accessed anywhere from pretty much any device. Cloud combined with mobile/BYOD can deliver major benefits to the productivity and flexibility of an organisation’s workforce, but introduces a new range of security concerns. IDC recently stated “Mobility will present the greatest security challenge in the next five years.” Security experts have highlighted how BYOD can put an organization’s network at risk because workers could inadvertently transfer a virus-infected file into the network or gain access and ownership over restricted organisational data by downloading it on to a non-work owned and secured device. With Cloud, of course, the user is increasingly likely to want to use a mobile device, and with a mobile device the user is likely to demand more access to cloud-like applications. The fact is that Perimeterless Security is harder.

Off the back of cloud and mobile devices comes authentication. How does a user authenticate securely to the cloud service (private or public)? Do they log in via a browser on the mobile device or have a mobile client that pre-authenticates that device? If it is a client login, how will the user remember an ever increasing number of passwords (which in most user domains is already an issue despite the promises of Single Sign On and Directory Systems)? Also, cloud services, like web sites, tend to use different user ID and password formats, some being email address, some first name and surname and some employee number, with varying password lengths and rules around characters to be utilised. All of this is a security aspect that needs to be considered. How will you secure users outside your directory and with systems accessible from any device? With cloud applications the user credentials become even more valuable, as the login is often no longer tied to a VPN connection or device, so ensuring that the user (person) side of password protection doesn’t slip up is essential in the cloud world, as if it wasn’t already! (sic).

Data governance and security has headline visibility whenever cloud is mentioned and is a top concern for adoption. Under new guidance from the National Institute of Standards and Technology, users and not providers have ultimate responsibility for the security and privacy of data stored on the public cloud. Guidance co-author and NIST Computer Scientist Tim Grance commented “accountability for security and privacy in public cloud deployments cannot be delegated to a cloud provider and remains an obligation for the organization to fulfil.” This is a good thing and to be expected. Utilising cloud does not and should not totally absolve you of security responsibility for your users’ behaviour. In pursuing public cloud services, the guidelines recommend that organisations:

• Carefully plan the security and privacy aspects of cloud computing solutions before implementing them.
• Understand the public cloud computing environment offered by the cloud provider.
• Ensure that a cloud computing solution of cloud resources and cloud applications satisfies organisational security and privacy requirements.
• Maintain accountability over the privacy and security of data and applications implemented and deployed in public cloud computing environments.

Figure 2. Which of these was the primary reason for adopting cloud-based services?

A simple question that often gets asked of a cloud vendor is “where is your datacentre located?”.


Advised questions would also include “and is that where my data will be held?” and “Where is your backup data center?”. Further questions have arisen from recent reports highlighting that simply looking to keep data in the EU is not enough for European firms. In June 2011, the managing director of Microsoft UK admitted that it would comply with the Patriot Act as its headquarters are based in the US and that it would try to inform its customers of any data request as it happened, but that it would not guarantee this! This means that if you do business with a UK subsidiary of a US-based cloud operator, you can choose to specify that English law applies and ensure they offer you an EU-based data center operating under EU data protection laws, but your data is still open to US access if your vendor is US owned. If this is of concern, you need to ensure that your provider is European owned and legislated. Of course this would limit you from many mainstream providers such as Amazon, Google and Microsoft, so there are always balances and measures to apply in your decisions.

Gartner believes all cloud customers should have some basic rights to protect their interests and defined six of these as being:

• The right to retain ownership, use and control one’s own data,
• The right to SLAs that address liabilities, remediation and business outcomes,
• The right to notification and choice about changes that affect the service consumer’s business processes,
• The right to understand the technical limitations or requirements of the service up front,
• The right to know what security processes the provider follows,
• The responsibility to understand and adhere to software license requirements.

In addition to security approaches, more education is also needed in cloud across all sectors to enable businesses to understand and utilize this important new technology option to their advantage in a secure manner, and this need for understanding stretches past simply the border of the IT department. CompTIA’s Cloud Essentials certification is an example option that enables employees of varying roles to validate their cloud knowledge, take online training and exam condition testing. Expect to see more cloud courses and exams providing the market with the required validations in this new cloudy world. Lack of knowledge breeds concern and risk. If you are in IT or a position of influencing your strategy, start educating now on the various forms of cloud and how to secure them in your environment. Resistance and ignorance will deliver only a short term strategy to cloud in the ever competitive business world.

Can you utilise Cloud, private and public, securely? Yes. Does it pose new security challenges? Another Yes. Do Cloud Security questions give you a reason to ignore cloud and maintain the status quo of on network deployments? In places, of course, you will decide that a specific application or requirement is best served on network, but it is not an encompassing no for sure! Cloud offers a lot of benefits, varying by organisation and application, and the security aspects can be overcome as others have been in the past. Educate, learn, adapt and adopt, as cloud is here to stay in its varying form factors; there are too many success stories and businesses doing well utilizing cloud for security to be a pure play excuse any longer.

Worth seeing

Those wishing to learn more and participate in the cloud can also find some great vendor independent resources such as:

http://www.cloudindustryforum.org/
https://cloudsecurityalliance.org/
http://www.eurocloud.org/

IAN MOYSE

Ian Moyse has over 25 years of experience in the IT Sector, with nine of these specialising in security. For the last 8 years he has been focused on Cloud Computing and has become a thought leader in this arena. He now holds the role of Sales Director at Cloud CRM provider Workbooks.com. He also sits on the board of Eurocloud UK and the Governance Board of the Cloud Industry Forum (CIF) and in early 2012 was appointed to the advisory board of SaaSMax. He was named by TalkinCloud as one of the global top 200 cloud channel experts in 2011 and in early 2012 Ian was the first in the UK to pass the CompTIA Cloud Essentials specialty certification exam.

Sales Director www.workbooks.com, Eurocloud UK Board Member & Cloud Industry Forum Governance Board Member.



FOCUS

How to Successfully Attack DNS?

DNS is a very attractive target to attack, as very often IT administrators forget to implement measures to secure the DNS service. DNS listens on port 53, where UDP is used to resolve domain names to IP addresses and vice versa. It can also enlist TCP on the same port for zone transfer of full name record databases. It is estimated that 20% of total Internet traffic is DNS traffic.

DNS was proposed by Paul Mockapetris in 1983 (in RFCs 882 and 883) as a distributed and dynamic database, as opposed to the single table on a single host that was used by the earlier version of the internet, ARPAnet. Together with Jon Postel, he is considered the inventor of DNS.

Figure 1. Domain name system

Structure of a DNS packet

ID – A 16 bit identifier assigned by the program that generates any kind of query. This identifier is copied to the corresponding reply and can be used by the requester to match up replies to outstanding queries.

QR – A one bit field that specifies whether this message is a query (0), or a response (1).

OPCODE – A four bit field that specifies the kind of query in this message.

AA (Authoritative Answer) – this bit is only meaningful in responses, and specifies that the responding name server is an authority for the domain name in question. This bit is used to report whether or not the response you receive is authoritative.

TC (TrunCation) – specifies that this message was truncated.

RD (Recursion Desired) – this bit directs the name server to pursue the query recursively. Use 1 to demand recursion.

RA (Recursion Available) – this bit is set or cleared in a response, and denotes whether recursive query support is available in the name server. Recursive query support is optional.

Z – Reserved for future use.

RCODE (Response code) – this 4 bit field is set as part of responses. The values have the following interpretation:

0 – No error condition
1 – Format error – The name server was unable to interpret the query.
2 – Server failure – The name server was unable to process this query due to a problem with the name server.
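The header fields listed above, decoded in Python and used to check a reply against its outstanding query; this is an added example, not code from the article. The four 16-bit counters that complete the 12-byte header (QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT), the 3-bit width of Z and RCODE values 3 to 5 are taken from RFC 1035 rather than from this page, and the sample headers are constructed.

```python
import struct
from dataclasses import dataclass
from typing import List

# RCODE meanings: 0-2 as listed in the article, 3-5 from RFC 1035.
RCODES = {
    0: "No error",
    1: "Format error",
    2: "Server failure",
    3: "Name error",
    4: "Not implemented",
    5: "Refused",
}


@dataclass(frozen=True)
class DNSHeader:
    id: int       # 16-bit identifier, copied from the query into the reply
    qr: int       # 0 = query, 1 = response
    opcode: int   # 4-bit kind of query
    aa: bool      # Authoritative Answer
    tc: bool      # TrunCation
    rd: bool      # Recursion Desired
    ra: bool      # Recursion Available
    z: int        # reserved bits, expected to be 0
    rcode: int    # 4-bit response code
    qdcount: int  # RFC 1035: entries in the question section
    ancount: int  # RFC 1035: records in the answer section
    nscount: int  # RFC 1035: records in the authority section
    arcount: int  # RFC 1035: records in the additional section


def parse_header(packet: bytes) -> DNSHeader:
    """Decode the fixed 12-byte header at the start of a DNS message."""
    if len(packet) < 12:
        raise ValueError(f"DNS header needs 12 bytes, got {len(packet)}")
    # Six big-endian 16-bit words: ID, flags, then the four counters.
    ident, flags, qd, an, ns, ar = struct.unpack("!6H", packet[:12])
    return DNSHeader(
        id=ident,
        qr=(flags >> 15) & 0x1,
        opcode=(flags >> 11) & 0xF,
        aa=bool((flags >> 10) & 0x1),
        tc=bool((flags >> 9) & 0x1),
        rd=bool((flags >> 8) & 0x1),
        ra=bool((flags >> 7) & 0x1),
        z=(flags >> 4) & 0x7,
        rcode=flags & 0xF,
        qdcount=qd, ancount=an, nscount=ns, arcount=ar,
    )


def check_response(query: bytes, response: bytes) -> List[str]:
    """Return header-level findings for a reply; an empty list means none.

    A matching ID is necessary but not sufficient: a resolver also has to
    compare the source address, the port and the question section.
    """
    q, r = parse_header(query), parse_header(response)
    findings = []
    if r.qr != 1:
        findings.append("QR=0: message is a query, not a response")
    if r.id != q.id:
        findings.append(f"ID mismatch: sent 0x{q.id:04x}, got 0x{r.id:04x}")
    if r.opcode != q.opcode:
        findings.append("OPCODE differs from the query")
    if r.z != 0:
        findings.append("reserved Z bits are set")
    if r.tc:
        findings.append("TC=1: reply was truncated")
    if r.rcode != 0:
        findings.append(f"RCODE {r.rcode}: {RCODES.get(r.rcode, 'unknown')}")
    return findings


def build_header(ident: int, flags: int, qd: int = 1, an: int = 0,
                 ns: int = 0, ar: int = 0) -> bytes:
    """Pack a header-only message (helper for the constructed samples)."""
    return struct.pack("!6H", ident, flags, qd, an, ns, ar)


# Constructed sample headers (not captured traffic).
QUERY = build_header(0x1A2B, 0x0100)             # RD=1
GOOD_REPLY = build_header(0x1A2B, 0x8180, an=1)  # QR=1, RD=1, RA=1
WRONG_ID = build_header(0x9999, 0x8580, an=1)    # QR=1, AA=1, other ID
SERVFAIL = build_header(0x1A2B, 0x8182)          # QR=1, RCODE=2

if __name__ == "__main__":
    for name, pkt in [("good", GOOD_REPLY), ("wrong id", WRONG_ID),
                      ("servfail", SERVFAIL)]:
        print(name, check_response(QUERY, pkt) or "ok")
```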



BASICS

Web Application Vulnerability: MySQL Attack on Website Database

MySQL attacks are an often used technique to attack databases through a website. This is done by including portions of SQL statements in a web form entry field in an attempt to get the website to pass a newly formed rogue SQL command to the database.

SQL stands for Structured Query Language. SQL is used to communicate with a database. It is the standard language for relational database management systems. SQL statements are used to perform tasks such as updating data in a database or retrieving data from a database. Some common relational database management systems that use SQL are: Oracle, Sybase, Microsoft SQL Server, Access, etc. Although most database systems use SQL, most of them also have their own additional proprietary extensions that are usually only used on their system. The standard SQL commands such as Select, Insert, Update, Delete, Create, and Drop can be used to accomplish almost everything that one needs to do with a database.

What are tables?

Within a SQL database there are tables which store information. Tables can store any information on a website, ranging from usernames, passwords, and addresses, to text displayed on a web page, such as a

Figure 1. SQL tables view



WEB APP

Bypassing Web Antiviruses

At the beginning of April 2010 I tested systems for searching for viruses on web sites [1]. In my research I examined different systems for searching for viruses on web sites, both standalone and built into search engines; these systems can be called web antiviruses. Later I presented the results of my testing of web antiviruses at the UISG and ISACA Kiev Chapter #6 conference [2].

I examined the following web antiviruses: Web Virus Detection System, Google, Yahoo, Yandex, Norton Safe Web, McAfee SiteAdvisor, StopBadware. Every web antivirus can face malware's attempts to hide from it (so that the malware is left undetected and continues to infect visitors of web sites). In this article I'll describe methods of bypassing web antiviruses, which developers of such systems need to take into account to prevent malware from hiding from them.

Bypassing of systems for searching viruses at web sites

In May 2010 I published an article to The Web Security Mailing List Archives [3] about bypassing systems for searching for viruses on web sites. This concerns all systems for searching for viruses on web sites, including search engines with built-in antiviruses, which have no counter-measures against it. Bypassing these systems is possible with the use of cloaking (which has been known since the 90s and is used for hiding from search engine bots for SEO purposes). The User-Agent is analyzed: if it is a search engine, the malicious code is not shown; if it is a browser, it is shown. So the same cloaking that is used for SEO can be used for spreading malware and hiding it from systems for searching for viruses on web sites, particularly from search engines with built-in antivirus systems, because they use search engine bots with known user agents.

I have seen the cloaking method used in malicious scripts many times during my research since 2008. In particular I saw checking of the Referer (and a similar approach can be used for the User-Agent). This method of protecting malicious code from systems for searching for viruses creates a serious challenge for these systems. Antivirus companies and other security researchers also sometimes find cases of cloaking used against search engines with built-in antiviruses. Example: in May 2010 many web sites on shared hosting at DreamHost and other hosting providers were hacked and infected with malicious code, and the code for distributing malware was using cloaking to hide itself from the built-in antiviruses in the search engines Google and Yahoo.
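A scanner-side check for the cloaking described above, as an added example that is not from the article: the same URL is fetched under several request profiles (crawler User-Agent, browser User-Agent, browser with a search-engine Referer) and the script and iframe content of each response is compared against what the crawler was served. The profile names, sample HTML and the `injected.example` host are constructed for illustration.

```python
from html.parser import HTMLParser


class ActiveContent(HTMLParser):
    """Collect external script/iframe sources and inline script bodies."""

    def __init__(self):
        super().__init__()
        self.items = set()
        self._inline = False

    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src")
        if tag in ("script", "iframe") and src:
            self.items.add((tag, src))
        self._inline = tag == "script" and not src

    def handle_endtag(self, tag):
        self._inline = False

    def handle_data(self, data):
        if self._inline and data.strip():
            self.items.add(("inline-script", data.strip()))


def active_content(html: str) -> set:
    parser = ActiveContent()
    parser.feed(html)
    return parser.items


def cloaked_content(responses: dict, baseline: str = "crawler") -> dict:
    """Per profile, the active content served to it but withheld from the baseline."""
    base = active_content(responses[baseline])
    findings = {}
    for profile, body in responses.items():
        extra = active_content(body) - base
        if profile != baseline and extra:
            findings[profile] = extra
    return findings


# Constructed responses for one URL fetched under three request profiles.
PAGE = "<html><body><h1>Shop</h1><script src='/js/site.js'></script>{}</body></html>"
SAMPLE_RESPONSES = {
    "crawler": PAGE.format(""),
    "browser": PAGE.format(""),
    "browser+search_referer": PAGE.format("<iframe src='http://injected.example/x'></iframe>"),
}

if __name__ == "__main__":
    print(cloaked_content(SAMPLE_RESPONSES))
```

Pages that legitimately vary per request (rotating ads, per-request nonces in inline scripts) will also produce differences, so a real scanner needs an allow-list or repeated baseline fetches before treating a difference as cloaking.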

Effective use of cloaking against web antiviruses

At the end of August 2011 I found that Google had started using User-Agent spoofing for its bots. This may be connected with a desire to improve their system for searching for viruses on web sites, that is, to use cloaking (UA spoofing is a type of it) to decloak viruses on web sites. But it uses spoofing ineffectively and with considered use of cloaking the malware can effectively hide from



CLOSE-UP

Conferences in 2012

A programmer is a constantly undereducated person. Being up to date with the latest trends and solutions often decides whether you are seen as a top-shelf coder. We present conferences where all the new trends are mixed and exchanged between groups and individuals in a vivid and revitalizing atmosphere, and where you can shine with your knowledge.

June 3 – 6, 2012, Techno Security 2012 & Mobile Forensics 2012 VIP Invitation for PenTest Magazine readers [FREE VIP registration]

date: June 3 – 6, 2012

title: Techno Security & Mobile Forensics (two events)

organizer: TheTrainingCo.

keywords: mobile devices forensic, digital investigations, multiple trainings

place: Myrtle Beach, SC, USA

description: This will be the 14th year for Techno Security and the 5th year for Mobile Forensics. Frequent attendees are some of the top practitioners in the world in the fields of Information Security, eDiscovery, Mobile Forensics, Digital Forensics and Technical Business Continuity Planning. Last year, there were over 1,000 people registered. Techno Security 2012 will include several sessions as well as pre-conference and post-conference events. You may choose between courses concentrated inter alia on Smart Devices, issues of Flasher Box and JTAG, Python Scripting with UFED Physical Analyzer and other trainings addressed to both advanced and inexperienced users. For the full range you must visit the website.

Figure 1. Golf tournament at this golf course is an additional option


official page: www.techsec.com

if from pentest: free VIP registration wojciech.chrapka@software.com.pl




CYBER STYLETTO

Cyber Styletto

7 a.m., Sunday, San Francisco International Airport

Stokes turned right, down a cramped aisle into the coach section of Air Asia charter flight 711, a non-stop to Macau packed with people eager to try their luck at the MGM. Yvonne smirked as he shook his head over the seat he’d been assigned, in the middle of the last row. He wouldn’t even be able to lean back during the ten-hour flight with the bulkhead behind him. He turned to make sure she was following him, and saw she was not.

“Where are you going?” he asked.

She smiled. “First class, of course.”

Buck, Woody and the others all headed left, holding in their laughter.

“Them too?” Stokes said.

“We always fly up front.”

He took the crumpled boarding pass and waved it at her. “Then what am I doing with this?”

“Rohan, darling. I tried. But by the time I knew you were coming it was too late to get you a first class seat,” she said.

He turned to go back to the gulag of the last row, then stopped. “Wait a minute,” he said. “When I showed up, you hadn’t even made your plans for this trip. You just did this to spite me.”

The queue of passengers loading up behind Stokes as he blocked the aisle began to get restless. An old woman pushed her carryon into his leg. She blurted something in Chinese. He didn’t know the words, but Yvonne could see he understood her meaning as he dropped his head and started walking back.

In Macao the group had to wait almost a half hour for Stokes to disembark, since literally everyone else on board was in front of him.

Yvonne had considered leaving for the hotel without him, but he’d only track her down through her cochlear implant, and she was getting tired of that. He came up the tunnel looking as though he’d been flying in a laundry hamper – his jacket and shirt were wrinkled, and one pant leg had risen high enough to show a stretch of bare shin above his sock, and was held in place by static cling.



In the upcoming issue of the

Web Application Devices

Available to download on June 22nd

If you would like to contact the PenTest team, just send an email to maciej.kozuszek@software.com.pl or ewa.dudzic@software.com.pl. We will reply a.s.a.p. PenTest Magazine has the right to change the content of the next Magazine Edition.

