Information Security Short Takes

Accelerating Security Assessment with MS Security Assessment Tool

noreply@blogger.com (Bozidar Spirovski) — Sun, 07 Mar 2010 21:26:00 +0000

When working on a security assessment, it is always helpful to use an automated tool that compares the key elements to the known best practices, and generates an overview result set.
Among other tools which can be used, Microsoft has released a tool titled Microsoft® Security Assessment Tool.

The assessment of this tool strives to identify the business risk of the organization and the security measures deployed to mitigate risk.
The assessment takes the form of a questionnaire, with Yes/No answers that cover the following areas

Infrastructure - Infrastructure security collects information on how the networks function, what business processes (internal or external) it supports, how hosts are built and deployed, and how the network are managed and maintained.
Applications - Applications security reviews applications within the organization and assess them from a security and availability standpoint. It examines technologies used within the environment, and reviews the high level procedures an organization can follow to help mitigate application risk
Operations and People - This section reviews those processes within the enterprise governing corporate security policies, Human Resources processes, and employee security awareness and training. It also focuses on dealing with security as it relates to day-to-day operational assignments and role definitions.

The resulting comparison to best practices generates a summary report, as well as much more useful detailed report with areas which are lacking in comparison to the best practices. The report contains a lot of suggestions and links to related products and best practices published by Microsoft.

The MS Security Assessment Tool and it's report isn't a replacement for a full blown analysis, nor it can be a used as a one stop shop for a realistic security analysis. When performing a real analysis, an in-depth review of process and technology is needed.
MSAT is just a helpful tool to generate a security posture overview and some automated recommendations, so it is a nice start. For everything else, you will need to bring in expert professionals.

Talkback and comments are most welcome

Related posts
WMI Scanning - Excellent Security Tool
Risk Assessment with Microsoft Threat Assessment & Modeling
Google's Ratproxy Web Security Tool for Windows
Analysis of Windows Security Logs with MS Log Parser
How To - Malicious Web SIte Analysis Environment

Man In The Middle Attack - Explained

noreply@blogger.com (Bozidar Spirovski) — Thu, 04 Mar 2010 19:33:00 +0000

"That’s vulnerable to a man in the middle attack!"

You've probably heard this before, but let’s dive into the details of this attack and understand exactly how it works.

Definition
First, a quick definition, a man in the middle (MitM) attack is an attack where the communication which is exchanged between two users is surreptitiously monitored and possibly modified by a third, unauthorized, party. In addition, this third party will be performing this attack in real time (i.e stealing logs or reviewing captured traffic at a later time would not qualify as a MitM)

While a MitM could be performed against any protocol or communication, we will discuss it in relation to HTTP traffic in just a bit.

Requirements for Attack
A MitM attack can be performed in two different ways:

The attacker is in control of a router along the normal point of traffic communication between the victim and the server the victim is communicating with.
The attacker is located on the same broadcast domain (e.g. subnet) as the victim.
The attacker is located on the same broadcast domain (e.g. subnet) as any of the routing devices used by the victim to route traffic.

We will discuss 2. This is a likely attack that can be used against your neighbors or the person sitting next to you at a coffee house.

The Attack
A MitM attack will take advantages of weaknesses in network communication protocols in order to convince a host that traffic should be routed through the attacker instead of through the normal router. In essence, the attacker is advertising that they are the router and the client should update their routing records appropriately. This attack is called ARP spoofing.
The (greatly simplified) purpose of ARP (Address Resolution Protocol) is to enable IP address to MAC address translations for hosts. This is required so that the packet can reach their final destined host.

By design, ARP does not contain authentication. Therefore, any host can reply to an ARP request or send an unsolicited ARP response to a specific host. These ARP response messages are used by the attacker to instruct the victim’s machine that the appropriate MAC address for a given IP address is now the MAC address of the attacker’s machine. More specifically, the attacker is instructing the victim to overwrite their ARP cache for the IP->MAC entry for the router. Now, the IP address for the router will correspond to the MAC address for the attacker’s machine.

What does this mean? Now, all of the victim’s traffic will be routed through the attacker. Of course, we don’t stop here. In order to allow the traffic to reach the Internet, the attacker must configure his system (or attack tool) to also forward this traffic to the original router. In addition, the attacker performs a similar ARP spoofing attack against the router. This way the router knows to send traffic, that was destined for the victim machine, to our attacker instead. The attacker then forwards on the traffic to the victim. This completes the “chain” and places the attacker “in the middle” of the communication.

Impacts on HTTP

At this point, the attacker has the ability to view and modify any TCP traffic sent to or from the victim machine. HTTP traffic is unencrypted and contains no authentication. Therefore, all HTTP traffic can be trivially monitored/modified by the attacker.

What about HTTPS?

Everything we have talked about thus far is related to getting in the middle of the network communications. This enables the attacker to view most exchanged data, but does not enable the attacker to intercept data exchanged of protocols that implement their own authentication and encryption (e.g. SSH, SSL/TLS)
But, this is where the fun starts. The purpose of HTTPS is to create a secure communication over top of HTTP by the use of SSL or TLS. On its own SSL/TLS can be very effective and secure. However, there are significant problems in the implementation of SSL/TLS which effectively renders it useless. In addition, the browsers handling of SSL/TLS can lead to issues when both HTTPS and HTTP sites are visited by the user.

More devious means are needed to perform a MitM against SSL/TLS. At this point the attacker could attempt to intercept HTTPS traffic by using a custom certificate. This would present a certificate warning message in the user’s browser and likely alert the user to the attack. Luckily for the attacker, most users would ignore the warning and continue – thus exposing all of their data.

Alternatively, the attacker could try and use tools such as SSLstrip to leverage poor application design with regards to SSL/TLS. This could also enable the attacker to obtain the victim’s password over clear text HTTP.

How concerned should you be?

The attack scenario described in 2a can be performed by any user on the same broadcast domain as your machine. This means that anyone sitting in the same coffee house on the wireless network could be an attacker. Also, if you connect directly to your Comcast/RoadRunner/ATT/whatever home connection, then many of your neighbors could also perform this attack against you. And if you use a home router instead of directly plugging the connection into your machine - well, then the attack is still possible via 2b (essentially the same attack).

Really the only reason this isn’t a bigger deal is because of the requirement to be on the same subnet. Right now we have so many other issues, such as XSS, SQL injection, etc, which can all be exploited remotely by attackers. The attackers just sit in their remote locations and destroy web sites from a far. However, the point is this, if an attacker wants to steal YOUR specific bank data then all they need to do is sit next to you at a coffee house or sign up for Internet service in your area.

This is a guest post by Michael Coates, a senior application security consultant with extensive experience in application security, security code review and penetration assessments. He has conducted numerous security assessments for financial, enterprise and cellular customers world-wide.

The original text is published on ...Application Security...

Talkback and comments are most welcome

Related posts
How To - Malicious Web SIte Analysis Environment
Security Information Gathering - Brief Example
DHCP Security - The most overlooked service on the network
Example - Bypassing WiFi MAC Address Restriction

Minimize Impact of Online Intelligence Searches

noreply@blogger.com (Bozidar Spirovski) — Wed, 03 Mar 2010 11:12:00 +0000

In our previous article - Digging for information with Open Source Intelligence we looked at the generic process of information gathering. But what is this process looking for? The answer to this question is important to all parties:

to the investigator - for proper focusing of his/hers efforts
to the possible targets - in order to properly defend against Open Source Intelligence

So here are the items that the investigator is looking for when employing Open Source Intelligence against a potential target, and the methods of minimizing the possibility of someone discovering something:

The final goal of any intelligence action is to obtain information that can be sold or used as competitive advantage. This can be as simple as a password, or as complex as plans for a corporate takeover.

At the information gathering level, this translates into:

Content of files indexed by search engines - In the ideal intelligence world, everything is contained in a single page document that can be scanned or downloaded from the internet. Although such documents won't surface on the internet unless someone is utterly dumb, bits and pieces of information can be found from files that have found their way on the web and got indexed by the search engines. In order to make such pieces of info useless, hire a person to perform regular 'Google Hacking' to find such documents. Bear in mind that once documents are on the internet and get indexed, you cannot destroy all publicly available copies. Instead, change the information within your company to render the public information useless or false. .
Operational or Potential Business Relationships - web sites, news articles, corporate newsletters of partners and providers can contain names and sites of the target company, even forum and support site posts . While these are harmless by themselves, using these names the investigator can establish that there is some relationship between them, even the nature of the relationship. This can be used in a competitive bid, in social engineering or simply leaked to the public. There is no real protection over such information, except of being aware that such information is 'in the wild'
Real Person Identities - Publicly available names and contact info of any personnel related to the target are a potential gold mine. With the advent of social networks, once you know some one's name, the investigator can proceed with detailed investigation of such persons, and attempts at breaching of their credentials by trying common password combinations (pet names, birthdates, phone numbers etc). Most companies actually prefer to publish real person's names and contacts in the effort to appear closer to their potential clients and partners, so there is no direct protection. Much like in point 1, youshould hire a person to perform regular analysis of which names are publicly available, and what information is available on such persons, with a combined penetration test on their accounts. You can also institute a policy and awareness trainings for such persons to make them aware of their exposure.
Relationship Context - this is merely an extrapolation of real identities, business contacts and online communication. It can give the investigator an insight into 'who receives order from whom' or 'who is close to whom'. Such insight is crucial for social engineering attacks. Controlling is actually controlling the previous 3 points.

In summary, Open Source Intelligence is going to collect information about you and/or your company. You can do little to prevent it, but you can do much to render such information of very little value to anyone.

Talkback and comments are most welcome

Related posts
Digging for information with Open Source Intelligence
Security Information Gathering - Brief Example
Corporate Security - Are the hackers winning?

Digging for information with Open Source Intelligence

noreply@blogger.com (Bozidar Spirovski) — Mon, 01 Mar 2010 22:05:00 +0000

Wikipedia defines Open source intelligence (OSINT) is a form of intelligence collection management that involves finding, selecting, and acquiring information from publicly available sources and analyzing it to produce actionable intelligence.

In reality, the methodology used in OSINT is the information gathering phase of every penetration phase. They only stuck a fancy name to the process.

Regardless of the name, OSINT is very useful, and it's results can be very well used even outside of the penetration testing process.

The information gathering, or OSINT process can be summarized in the following steps:

Identify your point of interest - who/what is your target of investigation. Start broad, and then narrow down to the interesting elements. For instance, start with a domain name or an IP address pool for a provider, until you find the contacts and names of actual persons. Then you can start drilling for material left on the Internet by them for further useful clues
Collect information from multiple sources - consult search engines corporate sites, mailing list servers, even the old and forgotten Usenet might be useful
Sift through the gathered information to form a useful result- Identify interesting pieces of intelligence for further use

The process looks very simple on paper, but bear in mind that most searches generate tons and tons of possible clues and/or false leads. It takes

Here is what you'll have to deal with:

Irrelevant/false hits on a keyword - URL links or sites that contain the same sequence of words but in totally different context. The more generic the terms that you are searching for, the more of these there will be.
Fake contacts placed during registration process - looking for that all important 'Who' behind some site or document? Bear in mind that contact information on the web is usually fake to avoid pestering sales persons. And anyone can use your target's name for an alias on a registration.
Hundreds or thousands of archived messages from forums and mailing lists - much like the previous one, aliases and nearly useless communication can be found and needs to be sifted through. And you cannot be certain that you are looking at something written by your target of investigation
Documents with irrelevant word matching - a large enough digital book will contain all the words of virtually any phrase

There are a lot of tools that will help you on your quest for information, but I'll sum-up those that I find useful

Google hacking - The title says it all. Choose your keywords and then drill for data on google
Maltego CE - a client side program that drills the Internet for information on the element that you have chosen as source. It will return all kinds of possible information for further drill down. Produces a lot of false positives
Silobreaker - an information correlation and pattern recognition system that returns results as summarized information clusters related to your search query. Not always very accurate, so always use other sources.

Talkback and comments are most welcome

Related posts
Security Information Gathering - Brief Example
Corporate Security - Are the hackers winning?

Telco SLA - parameters and penalties

noreply@blogger.com (Bozidar Spirovski) — Mon, 22 Feb 2010 19:30:00 +0000

Communication links provided by Telco providers are critical to most businesses. And as any network admin will tell you, these links tend to have outages, ranging from small interruptions up to massive breakdowns that can last for days.

When such interruptions occur, businesses suffer, but unless the provider has serious contractual obligations, there is little effort on their side to improve service or correct issues.

That is why businesses need a good Service Level Agreement (SLA). Usually, the preparation of the SLA is dreaded by most, since it is full of numbers and parameters on which the client must decide what is acceptable, and whose values may be difficult to measure.

SLA Parameters
A good SLA is not necessarily loaded with a lot of numbers. You need to work with 2-3 parameters which are important to you. Here are the most frequent SLA parameters, with their acceptable values:

Availability - more then 99% for internet, more then 99.5% for corporate data links
Packet Loss - less then 0.4% for internet, less then 0.2% for corporate data links
Jitter - less then 15ms for internet, less then 5ms for corporate data links

SLA Penalties
And you need penalties which will hurt the provider. Penalties are the big stick in the SLA.
Here are the penalties that you want:

small breach of SLA - 25% to 33% of monthly fee
large breach of SLA - 50% to 100% of monthly fee

Be aware that no provider will create an SLA that will eat much of it's profits. The commited provider can be identified by the type of Service Level Agreement (SLA) that it's prepared to sign without special negotiations.

Here are three different levels of SLA's - not so much by the metrics and parameters, but quite different in terms of penalties

Verizon is offering a very basic SLA, with compensation of the daily charge for each day of SLA breach - http://www.verizonbusiness.com/terms/latam/co/sla/
BT is accepting a more serious approach - a penaltyof a daily charge for each hour of SLA breach, but with a limit of maximum 10 days of charge in penalty http://business.bt.com/assets/pdf/BTnet%20Service%20Level%20Agreement.pdf
Sprint is including some really hard penalties in their SLA, including a 100% of monthly charge in penalties for some parameters. http://www.sprint.com/business/resources/mpls_vpn.pdf

Talkback and comments are most welcome

Related posts

9 Things to watch out for in an SLA
The SLA Lesson: software bug blues
5 SLA Nonsense Examples - Always Read the Fine Print

Geo Location based DDOS can target Mobile Operators

noreply@blogger.com (Bozidar Spirovski) — Wed, 20 Jan 2010 19:03:00 +0000

The sharp rise of smart mobile phones is introducing a new and concerning attack vector - a geo-location based DDOS.

Example Scenario
Imagine a popular mobile application (bejeweled like game) that is downloaded by many.

The app contains a small amount of code to reference the phone's GPS and also check in with a command and control website.
The attacker decides on a city to target and a popular time of day and then updates the command and control website.
The mobie applications all check in with the C&C site and all mobile applications in the city area begin downloading large video files from YouTube.

Result?

A massive sudden spike in high bandwidth usage of the mobile data network in a single metropolitan area.
Most cellular networks run near capacity during the lunch rushes of popular cities. A sudden massive spike such as this would likely push the network over the edge and bring it down entirely.

This is a tough issue to address and I think it warrants a bit of consideration.

This is a guest post by Michael Coates, a senior application security consultant with extensive experience in application security, security code review and penetration assessments. He has conducted numerous security assessments for financial, enterprise and cellular customers world-wide.
The original text is published on ...Application Security...

Talkback and comments are most welcome

Related posts
GSM Encryption Broken - Cellular Calls At Risk
When Will Your Mobile Phone get Hacked?

Free VS Commercial Database Vulnerability Scanning

noreply@blogger.com (Bozidar Spirovski) — Tue, 19 Jan 2010 15:55:00 +0000

Part of the vulnerability assessment process must include a vulnerability assessment of your databases.
And the sad reality is that while there are thousands of tools that focus on Web application and network security scanning, there are very few of them which are doing the same for databases.
Today we are comparing the results delivered by Scuba by Imperva - a free tool and NGSSQuirreL for SQL by Next Generation Security Software - a commercial tool.

The tools comparison table
Here is a side-by-side comparison of functionality and results of both tools

The results
To provide the most impartial evaluation of the results, we have generated detailed reports of both tools as PFD files. You can review them and assess the quality yourself.

Conclusion
It is evident that the commercial tool beats the free Scuba in every area. But before you jump into a purchase, you need to assess your requirements and expectations.

So it is very advisable to get the free tool, run it in your environment and understand the results, so you can understand what is missing, and extend your search to a better tool

Talkback and comments are most welcome

Related posts
Thrown in the Fire - Database Corruption Investigation
Quick and Basic Security Assessment for Databases
SQL Server Bulk Import - BCP HOW TO

IP Spoofing Attack in the real world

noreply@blogger.com (Bozidar Spirovski) — Wed, 13 Jan 2010 21:53:00 +0000

The guest post on IP Spoofing was well visited and caused a lot of interest. One may expect that a lot of visitors actually thought that IP spoofing is a great way to cause a bit of commotion and try out as hackers.

The reality of the internet is actually quite different. First of all, IP spoofing has been around for decades, and has been the cause of a lot of quite nasty attacks to high profile targets.

Most serious ISP's do not want to be related to IP spoofing attacks, and are implementing measures to contain IP Spoofing attacks originating from their networks.

The containment measures are implemented on their firewalls and routers. The basic logic of this protection is this:

A Firewall is aware of the networks to which it connects so it can control source addresses. For example, a demo firewall has 5 interfaces

A connecting to network 10.1.1.x
B connecting to network 10.2.1.x
C connecting to network 10.3.1.x
D connecting to network 10.4.1.x
'outside' connecting to the rest of the world/internet

It is expected that any traffic coming on interface A will have a source address of 10.1.1.x. If it doesn't, it's most probably an IP spoofing attack and will be dropped. The only interface that cannot apply such logic is the 'outside' interface, since it connects the firewall to the rest of the internet. But the outside interface can have another protection, which protects against 'loop' IP Spoofing attacks. That means that the 'outside' interface cannot see incoming packets with source addresses from a network that is on any of the 'inside' interfaces.

Routers have a bit more complex mechanism, since a router can have traffic from multiple networks arriving on any of it's interfaces. They use uRPF (unicast Reverse Path Forwarding) which analyzes whether the packet's source address comes from a network that is known in the routing domain of the router.

So in reality, most IP spoofing attempts will be destroyed on the ISP's network. But these protection measures are not perfect, and there are networks which are still not controlling IP spoofing. An aspiring hacker can do significant damage at networks such as:

University networks - apart from the large universities with dedicated IT staff, the netadmins of most universities are the teaching assistants of computer science. And they don't really make much of an effort to control the traffic on the network as long as the university's servers and staff systems are protected. Universities are quite often Autonomous Systems, so an IP Spoofing attack originating from an unprotected network will travel on the Internet backbone.
Smaller company networks - these networks are usually maintained by the 'one man band' sysadmin, who really has too much on his/her's plate to think about spoofing protection. The silver lining in such environment is that these companies are just a small user of a ISP, who is very capable of blocking the IP Spoofing attack originating from the small company network.
ISP's in developing countries - much like small company networks, manned by personnel who is not properly trained, understaffed and overworked. And the bad news is that these ISP's are also Autonomous Systems, so IP Spoofing attacks originating there will most probably get out.

Please note that this article is not an invitation to start wreaking havoc on these networks, on the contrary, it should serve as a reminder for their netadmins to implement the available and quite simple protection measures.

Talkback and comments are most welcome

Related posts
Summary of IP Spoofing
Corporate Guest WLAN - The best place for Eavesdropping to Interesting Traffic
5 Rules to Home Wi-Fi Security
Example - Bypassing WiFi MAC Address Restriction
Obtaining a valid MAC address to bypass WiFi MAC Restriction

Protecting from the CCenter Malware and Trojan

noreply@blogger.com (Bozidar Spirovski) — Sat, 09 Jan 2010 06:15:00 +0000

A very common method of distributing malware is disguising it as a useful program. Most common disguises, apart from games are 'malware removal programs'. This is the approach used by CCenter a.k.a. Control Center.

If you find a process with the name ccenter.exe running on your pc means that your pc has possibly been infected with a trojan known as infostealer.lemir.h.
Infostealer.Lemir.H is a Trojan horse program that attempts to steal passwords for the Legend of Mir 2 online game, but can be modified to steal other information.

Apart from installing a trojan, CCenter intimidates people into buying the paid version of this program. Once it’s installed CCenter loads an imitation of system scan every time a computer is started. It also generates large amounts of counterfeit security alerts. All these alerts are designed only to trick people into taking the program as a legitimate and reputable tool. If clicked upon, the pop-ups demand paying for using CCenter.

CCenter has also been seen to redirect the web browser to malicious and fraudulent websites. Depending on version and programmer skill, it may also disable reputable security programs leaving the compromised machine open to future attacks.

Here are the steps to manually remove CCenter

Use "Add or Remove Programs" to remove the installation. However bear in mind that there may be hidden CCenter files, running processes and registries in your computer, so CCenter may recreate all other files after reboot.
Stop and remove CCenter processes:

ccagent.exe
ccmain.exe
uninstall.exe

Find and delete all CCenter files found in %AppData%\CCenter\ccagent.exe

There are other similar Malware programs in the wild. We will cover them in the following articles.

Talkback and comments are most welcome

GSM Encryption Broken - Cellular Calls At Risk

noreply@blogger.com (Bozidar Spirovski) — Fri, 08 Jan 2010 19:37:00 +0000

GSM networks in the US and Europe use the A5/1 stream cipher to ensure cellular calls cannot be listened into by unauthorized parties monitoring radio traffic. However, the guarantee of privacy is no longer ensured. New attack techniques were unveiled at the Hacking at Random conference in The Netherlends which would allow an attacker to decrypt cellular calls made over a GSM network. The attacker only needs the new software and about $500 in radio monitoring equipment. The AS5/1 cipher has been criticized for many years, but this is one of the first publicly available exploits to demonstrate the weaknesses first hand.

The presentation is here.
The A5/1 cracking project homepage is here.

GSM is used by many major cellular providers such as AT&T and T-Mobile (see GSM Coverage Map). The main alternative to GSM network is CDMA which is used by providers such as Verizon, Alltel and US Cellular (see CDMA World Map).

Impacts?
The ability to decrypt A5/1 encryption would enable an attacker to listen in to all cellular communications made over a GSM network. To execute the attack the attacker would need to be close enough to the target to monitor the radio waves emitted from the phone. However, this isn't much of a restriction since the radio waves can be picked up from quite some distance.

This attack should raise serious concerns about the sensitivity of information exchanged over cell phones. An attacker with this equipment situated near a major corporate office or within a large city could easily glean very sensitive data from cellular voice calls.

Regarding data exchanged over cellular phones (e.g. ~~3G or~~ EDGE), this shouldn't really have any impact. All sensitive data should already be configured to use SSL/TLS or VPN for protection during transmission. Therefore, the attacker could break the A5/1 cipher, but they would only see encrypted data being exchanged. However, all data that is exchanged using clear text protocols (HTTP, telnet, ftp, etc) would be visible to the attacker. This is not much of a concern since there should not be any expectation of confidentiality when using a clear text protocol anyway.

About the attack
The attack leverages rainbow tables for a Time-Memory Trade-Off based attack. The A5/1 cracking project is enabling volunteers to help develop the rainbow tables for the A5/1 cipher and distributing the generated tables over bittorrent. Clever adaptations were made to the rainbow table generation to minimize the number of tables that were needed and thus dramatically reduced the required processing efforts.

The original text is published on ...Application Security...

Talkback and comments are most welcome

Related posts
Google Voice - No Privacy Remains?

Fighting Enterprise Software Vendor Lock-In

noreply@blogger.com (Bozidar Spirovski) — Thu, 07 Jan 2010 09:20:00 +0000

Large enterprises rely on software products. And as everything else in large enterprises, the software products are large, complex, cumbersome and nearly unchangeable. This last attribute is better known as vendor lock-in. Software vendors love vendor lock-in. Here is a definition borrowed from Wikipedia:

Vendor lock-in, also known as proprietary lock-in, or customer lock-in, makes a customer dependent on a vendor for products and services, unable to use another vendor without substantial switching costs

The problem
Vendor lock-in exists in most large enterprise industries like Telco, Healthcare, Finance, Energy. Such industries rely heavily on certain computer systems or software products, usually dubbed Core Systems. Because most of the business transactions, logic and information are stored and processed by these Core Systems, the transition to a different Core System vendor is extremely costly and time consuming.

So most large enterprise companies simply continue to operate with the same Core System vendor, while they suffer:

delays in patch or version delivery
poor quality product versions
inadequate compliance from the Core System to their local law and regulation
ever increasing maintenance costs.

On the other hand, switching to another Core System vendor will result in probably the same end effect, with the added costs of the switchover.

The solution
So is there a way to improve your position? Indeed there is, but with a radical move: there is only one thing that any software vendor reacts to - risk of decrease in earnings from a customer.
To make this risk a reality for the vendor, the customer needs to reach a situation where competitors can successfully bid for software upgrades and new functionality without actually switching the Core System.

This is most easily achieved through the Core System's API interface. Most Core Systems have extensive Application Programming Interfaces (API), which can be used to exchange data with the Core System or issue commands to it.

So instead of asking for every possible modification or new functionality from the Core System vendor, just use it as a processing core - move everything else to other developers, which will need to adhere to the Core System API specification.

This way you can outsource the development of a lot of applications to other vendors, achieve better response from everyone and always have healthy competition. Oh, and it will keep the Core System vendor on it's toes!

Talkback and comments are most welcome

Related posts
Software vendor relationship - can you make it better?
3 rules to keep attention to detail in Software Development
Security challenges in software development
Paying for Software Support - When to do it?

HP Racist Webcam - Facial Recognition Far From Perfect

noreply@blogger.com (Bozidar Spirovski) — Wed, 23 Dec 2009 21:35:00 +0000

On the 10th of December a tongue-in-cheek demo of a failure of a HP webcam was published on YouTube. The video shows the failure of a software which is designed to recognize the speakers face and react so it is always centered on the face.

The failure is that the software does not recognize a black persons face, while it clearly identifies the white persons face.

In the meantime several other videos appeared that further analyze this situation. It appears that a person with very dark skin is not recognized unless there are perfect lighting conditions, since the camera cannot distinguish between the facial features.

This only adds oil to the fire on the issue of the facial recognition in biometrics IDs. It is now proven that facial recognition can fail miserably on a nice chunk of the world population.

Does this mean that black people should not use biometric ID's. What do you think?

Related posts
A Simplified Analysis - Can you Forge a Biometric ID?

Hacking Rapidshare Premium Access at Your Own Risk

noreply@blogger.com (Bozidar Spirovski) — Tue, 22 Dec 2009 20:06:00 +0000

A lot of people on the internet have become frustrated by the rapidshare free limitations, and wished that they have a premium account. Well, you actually can have such an account, but it may come at an unexpected cost. Just use a rapidshare premium link generator service.

One of those 'services' is Rapid Premium. To log in just use the public/public credential and go to the download section. In the text box paste the URL of the public access rapidshare link to the file you wish to download. Rapid Premium will use the stolen credentials and create an URL for you that will use a 'borrowed' Rapidshare Premium account.

As a simple test, I logged on to the service from an isolated virtual machine, and downloaded a small text file. The test was performed with a our own file to limit possible malicious code from rapidshare. The file got downloaded faster, and the MD5 hash wasn't changed - so no intrusion from Rapid Premium on thisone.

Is it useful? Probably yes.There are a lot of situations when you need a fast download, or the free download slots on rapidshare are full just when you need something.
Is it legal? Most probably not. Just as a lot of these services do, this one relies on stolen rapidshare credentials. But it's a bit safer then just obtaining such a credential from black hat forums or IRC channels, since you can always claim plausible deniability.
Is it safe? Most Most probably not. Always remember that there is no such thing as free lunch. Services like Rapid Premium are excellent locations for all kinds of hacking attempts at the visitors - browser vulnerabilities, XSS, CSRF or anything else. So before we thinking about 'hacking' rapidshare, just consider is it really that important it really is to get the data a bit earlier

Talkback and comments are most welcome

Related Posts
Ratproxy - Google Web Security Assessment Tool
How To - Malicious Web SIte Analysis Environment

DECAF - Counter Forensics Tool That Must Grow

noreply@blogger.com (Bozidar Spirovski) — Wed, 16 Dec 2009 20:48:00 +0000

After the leak of Microsoft COFFEE into the 'wild' a tool emerges that will supposedly make life very difficult for a forensic investigator using COFFEE.

The tool is titled DECAF and is freely available, although not open source.

The tool does not to be installed, and when configured in 'LockDown Mode' offers a set of Counter-Forensics functions upon detecting a COFFEE process running on the computer. The following options Counter-Forensics functions are available:

Contaminate MAC Addresses - Modify MAC addresses of network adapters to possibly throw investigators off course in the investigation
Kill Processes - Eliminates
Shutdown Computer - Self evident if possible evidence are in memory
Disable network adapters - most forensic tools send their evidence onto a trusted network share - this will stop all external communication
Disable USB ports - the basic blockade step to prevent COFFEE from working properly
Disable Floppy drive - should you use floppy for evidence collection or COFFEE execution
Disable CD-ROM - Same as USB and Floppy
Disable Serial/Printer Ports - Got lost here, unless you have some specific tools or choose to print evidence this is not very useful
Erase Data - Basic Windows delete of folders which you know may incriminate you. Won't do much good though since it can be
Clear Event Viewer - Remove logs from the Event Log
Remove Torrent Clients - nobody wants these found, especially on their company computer
Clear Cache - Remove cookies, cache, and history from everywhere

Since most user's don't have COFFEE copies to test DECAF, it includes a simulator that triggers the reaction as if COFFEE process is active.

According to information from the site, future versions will have text message and email triggers so in case the computer needs to enter into lock down mode the user can do it remotely. Also there is a suggested possibility to run as a windows service.

But DECAF is far from being a magic bullet: In it's present form it has a lot of realistic issues that will prevent it from being successful. Here is my top list of issues

Related to one product and it's current mechanism of operation - DECAF is designed to react to COFFEE, and is built to react to the leaked version of the COFFEE code. In the long run, Microsoft can modify the way COFFEE processes operate which may render DECAF useless. DECAF needs to expand into an automated 'evidence eraser' independent of COFFEE.
Needs to be run under administrator context to be most efficient - You can't erase Event Log not change MAC address unless you are the local administrator. So usual corporate employees need to understand that their protection is limited to what their account is permitted to do.
It doesn't 'live' as a service - you need to run the process for it to be active. And any forensic investigator can see the tray icon and the process in task manager. While DECAF developers announce that it will run as service, as it is now it is as visible as a zit in the middle of a teenagers nose.
Fails on certain platforms - running it on Windows XP (virtual environment test) produced an error and failed the application. While this may not be the case with all WinXP, there is a probability that DECAF will fail on some computers.

Talkback and comments are most welcome

Related posts
New Helix3 Forensic CD - Welcome
Digital Forensics Framework - A Perspective Forensics Tool
Tutorial - Computer Forensics Process for Begginners
Tutorial - Computer Forensics Evidence Collection
Scalpel - File Carving from Partially Wiped Evidence Disk

DefendTheApp - An OWASP AppSensor Project

noreply@blogger.com (Bozidar Spirovski) — Tue, 15 Dec 2009 19:21:00 +0000

DefendTheApp.com is now live. This site provides a fully functioning demonstration application that has implemented an AppSensor detection and response capability. The site also provides easy links to all relevant AppSensor information.

Not familiar with AppSensor? The basic idea is this; currently applications use a variety of secure development techniques to prevent an attacker from being able to break into the application. Secure development is great, however, we can't just stop there.

Consider the defensive strategies used by physical banks, prisons, federal buildings, etc. We do use security controls to prevent attacks (locked doors, ID card to enter) , however, we also use a variety of methods to monitor and detect attackers before they have succeeded in their devious intents (cameras, guards, motion sensors, alarms). And in the real world, we put most of our faith in the ability to detect and catch a criminal, not in the ability to design a system that can withstand a relentless and unrestricted series of attacks.

This is the idea of AppSensor. Implement detection points within the application to discover a malicious user that is probing for vulnerabilities. Once the user is detected and a threshold of malicious activity is reached, report the user as an attacker and lock that user out of the application. If you can detect attackers and lock them out before the attacker finds a vulnerability, then you've significantly enhanced the security of your application.

The original text is published on ...Application Security...

Talkback and comments are most welcome

Related posts
OWASP Publishes Top 10 Web App Security Risks for 2010
Creating Your Own Web Server
Web Site that is not Easy to hack - Part 2 HOWTO
HTTPS Data Exposure - GET vs POST

A Simplified Analysis - Can you Forge a Biometric ID?

noreply@blogger.com (Bozidar Spirovski) — Mon, 14 Dec 2009 07:45:00 +0000

Security of biometric ID's like biometric passports is a very frequent topic of discussion and we all know there are issues. But most of those issues are related to encryption, materials and generally anything that requires a lot of technical knowledge.
Here is an example of the possibility to create a fake Biometric ID with very little technical knowledge. In order to understand this possibility, we need to discuss the 2 biometric elements within the ID:

1. Facial information
Each biometric ID contains a very clear and accurate photo of the owner of the ID. And facial recognition is used in a lot of systems, most frequently in organizations which require non-intrusive identification - like casinos and some border controls. So facial recognition systems are quite common and commercially available.

But facial recognition has an inherent weakness - it cannot be calibrated to 100% accuracy. This is simply because some features of your face can actually change at a daily basis: facial bloating, skin discoloration, acne, minor injuries. So the facial recognition system needs to be flexible - most facial recognition systems are set-up to match at around 70-80%

2. Fingerprints
Fingerprints are also stored in the biometric ID, with most ID's storing only one or two fingerprint - the index finger of the right hand or the fingerprints of both index fingers. It is common knowledge that fingerprint readers can be easily fooled, with very simple and available methods. One simply lifts the fingerprints and creates a copy using photoshop, laser printer and gelatin or wood glue. Here is an example of a simple fingerprint lifting method - the first step in recreating a fingerprint.
So far, these two elements may be fooled, but how can we create a fake biometric ID with such information?

Technically, it is very very difficult to modify a manufactured biometric ID into a fake one, which was the initial idea.
But what if you can alter the input data into the process of creating a new legal biometric ID? The process is quite simple:

The seller of fake ID must create the fake ID for a person that has similar facial features to him/her, so the facial recognition software matches the expected 70-80% similarity. To match a seller and a buyer with sufficient similarity, you can use a public web site http://celebrity.myheritage.com/FP/Company/try-face-recognition.php
The seller will prepare fake fingerprint covers of the buyer and attach them to his/hers fingers.
The seller simply enters the appropriate authority and applies for the biometric ID. He/she gets photographed and the fingerprints get scanned on a scanner that is in front of a bulletproof glass (to isolate from the flu). These authorities are staffed by overworked people and there is usually a lot of commotion, so very few people will ever notice your fake fingerprint covers. Oh, and the application software rarely compares the previous fingerprints with the currently scanned ones
If all goes well, the seller will receive an original ID which contains a face of the seller as well as his/her personal information, but the fingerprints are of another person - the buyer. The buyer can now take that ID and actually pass most control checks.
For all legal purposes such an ID is very much a fake, and there is no way to prove that the seller faked his/her information - even if the fake fingerprints are found on file, how will you prove that the seller faked his fingerprints?

Easy, isn't it?
What's your opinion? Can this method actually work?

Related posts

Privacy Ignorance - Was Eric Schmidt thinking?

noreply@blogger.com (Bozidar Spirovski) — Sat, 12 Dec 2009 21:02:00 +0000

Eric Schmidt said in a CNBC special recently that “If you have something that you don’t want anyone to know, maybe you shouldn’t be doing it in the first place!”

And yet the reaction to this flagrant ignorance of basic privacy is met with mixed reactions. Some are criticizing, others are agreeing. Garett Rogers at ZDnet is even brown-nosing at Google's CEO for some reason with a statement I couldn't agree with him more!

It would have been easy to just start ranting about the generic ignorance of Eric Schmidt for anything private. But i wanted to see what will the google engine do with something that I don't want anyone to know, and yet i could't prevent it from happening - ILLNESS

I created a series of e-mails which i exchanged between two gmail accounts. It took 3 e-mails for gmail to suddenly start offering me anti-allergy bracelets, and refer me to doctors in their adsense. Now, google engines know that I have an allergy. Here are the transcripts - word for word of those e-mails

I appologize for not being on time, but i had to visit a doctor
Apparently, i have developed some form of allergy. I will need to be treated with anti-allergy drugs for some time.

They are still investigating which medicine is the best

See you around
---------------------------------------------------------------
Bozidar
I am very sorry about your situation. I have had some rash issues myself some time ago, and I got prescribed Singulair and Alavert. Maybe you should mention those to your doctor as possibilities

Be safe
---------------------------------------------------------------
Alavert is for allergies. So i'll be mentioning it to my doctor

Thanks

All it takes is 3 very short texts for google engines know that you are ill. And those may be e-mails you exchanged with your physician. It is quite obvious that the automated engines use this information - i got relevant commercials.

So I would ask Mr Schmidt:

Nobody chooses to be ill, and information about health is exchanged via e-mail, so now Google knows it. So, please answer - what Google won't do with this information?

And I will ask Mr Brin and Mr Page:

Do you support that the CEO of your company stated that it's our fault that Google knows something that is very private and confidential?

Talkback and comments are most welcome

Related posts
No Privacy - Saw You Cheating on Image Search
Google Voice - No Privacy Remains?

Vulnerability Management from the Cloud - Overview of the services

noreply@blogger.com (Bozidar Spirovski) — Wed, 09 Dec 2009 19:27:00 +0000

Vulnerability and Compliance Management as Software as a Service (SaaS) are springing up like mushrooms. The SaaS model enabled companies which focused on vulnerability management to extend their reach, and offer the services to more and more potential clients.
Most companies in this market name their SaaS service the "on-demand solutions for security risk and compliance management".

The players
Here is the list of potential vendors that you should look at, in no particular order:

Bear in mind that this list does not include all relevant vendors, so you may want to extend your search. But it's a representative sample that will help you to review what is the offering of the competition.

The offering
The services are usually delivered as a dedicated Black Box appliances that are placed within your infrastructure. They perform the scanning or IPS/IDS, but the results are then sent to the 'cloud' where reports are generated. Most companies are offering the usual set of services:

Vulnerability Scanning - the basic offer of vulnerability scanning, with more or less success but definitely comparable to your local vulnerability scanner.
PCI DSS Scanning - Payment Card Industry Data Security Standard (PCI DSS) was the important 'differentiators' of the SaaS vulnerability scanning. PCI DSS requires for a scan that is certified by the PCI group and performed by a certified company. So the SaaS Vulnerability Management companies got certified and created the PCI DSS scans. But for all everyday intents and purposes, your local vulnerability scanners have the same PCI DSS scans - all you need is to commission the scan 4 times a year for the PCI DSS audit
Managed Intrusion Detection/Prevention - much like the vulnerability scanning, this is more or less what your local IPS/IDS does, only the results go out and get analyzed and compared in the cloud.
Reporting and Fix Tracking - this element may be one of the differentiators, but local vulnerability scanners are catching up. In a SaaS solution, all results are kept as reports, and you can easily create comparative baseline reports, or even assign tasks to persons for fixing some vulnerabilities. The system will automatically send reminder e-mails to those persons and re-scan after the configured deadline for fixing.

Vulnerability Management - Local or Managed?
In conclusion, both the local and the managed solutions are living quite well at the moment. And function wise they are comparable. So which one to go for?

The local solution can easily be reconfigured and directed at different targets. It us very flexible and because it is usually installed on a laptop, very portable. It is an excellent choice for anyone that needs to perform scans from different positions in the corporate network. This would include IT security teams, penetration testers, external auditors and consultants .
The managed (SaaS) solution is stationary, fixed and quite cumbersome to move around. It usually lives in the data center as a black box probe, or in the manager service provider as an external scan. It can be configured with the required targets, scheduled to run at regular intervals and perform regular controls. It is a good choice for internal auditors, security officers and compliance officers - no need for maintenance, it is all handled by the managed service provider.
Calculate the optimal price/performance - the SaaS versions are usually as yearly subscription charged per number of IP addresses to scan. This price may be quite significant, and you are fixed to the block of IP addresses. On the other hand, the local scanners require a hardware to run on, and you still pay a subscription for the updates of vulnerabilities. So you need to calculate your optimal cost based on your requirements and expectations.

Talkback and comments are most welcome

Related posts
Nessus vs Retina - Vulnerability Scanning Tools Evaluation
NeXpose Community Edition - Our First Look
Tutorial - Using Ratproxy for Web Site Vulnerability Analysis

Summary of IP Spoofing

noreply@blogger.com (Bozidar Spirovski) — Wed, 09 Dec 2009 18:21:00 +0000

If you are using any sort of IP based filtering within your application, then you need to evaluate how IP spoofing attacks affect your security controls. In order to make a fair evaluation you will need a basic understanding of IP spoofing attacks.

Let's look at two different scenarios.

Scenario #1 Attacker wants to spoof an arbitrary IP address and the attacker is not on the same subnet (broadcast domain) as the targeted IP address. Example: attacker is 1.2.3.4 and wishing to spoof 4.5.6.7

Scenario #2 Attacker wants to spoof an IP address of someone on his own subnet (broadcast domain). Example: attacker is 192.168.1.55 and wishing to spoof 192.168.1.58 (assuming subnet of 255.255.255.0)

Scenario #1

The attacker can create forged TCP packets and modifies the source IP address to be any value. One tool that can do this is HPING2.

What can you do:

Send an initial TCP packet with any source IP address
Send a series of UDP packets with any source IP address
Send a series of unrelated TCP packets from the same or varying IP addresses

What can't you do:

Receive any responses to your forged messages. The responses, if sent, would go to the forged IP address.
Send a string of related TCP packets (e.g. reconstruct an actual TCP exchange). This is because you can't complete the handshake or guess the necessary information to continue the TCP connection.

Scenario #2

The attacker can perform a variety of attacks to forge or take-over the IP address on the same subnet.

Attack Options:

Simplest - Statically define your IP address to the target IP address
Switch your MAC address to the MAC address of the current NIC for the target IP address and attempt to assume control of IP
Execute man in the middle attack via arp spoofing (see tool Cain & Abel) and then gain control of user's unencrypted transmissions. You could likely modify or redirect traffic to accomplish your original spoofing goal.

What can you do:

Assume control of the IP address. Note: This means you can send/receive valid data using the targeted IP address as your own. It does not grant you access to existing sessions that the user had with any websites (because you don't have the user's session cookies).

What can't you do:

Intercept encrypted (e.g. SSL/TLS) communication destined for the target IP address without alerting the targeted user in some way (browser warning message for MitM invalid certificate).

Hope this is helpful. This is by no means an exhaustive list of attack techniques, but something to consider if your are using IP related controls within an application.

This is a guest post by Michael Coates, a senior application security consultant with extensive experience in application security, security code review and penetration assessments. He has conducted numerous security assessments for financial, enterprise and cellular customers world-wide.
The original text is published on ...Application Security...

Talkback and comments are most welcome

Related posts
DHCP Security - The most overlooked service on the network
Example - Bypassing WiFi MAC Address Restriction
Obtaining a valid MAC address to bypass WiFi MAC Restriction

NeXpose Community Edition - Our First Look

noreply@blogger.com (Bozidar Spirovski) — Tue, 08 Dec 2009 14:58:00 +0000

Rapid7 chose to publish a free version of their NeXpose scanner. The software is available for less then a month, and still has to prove itself to the general community. We are publishing the experiences of our first look on this product. The NeXpose Community integrates with Metasploit, and the integration will be covered in the next article.

Installation The installation is simple enough - just run the installer. It asks for a username/password for the web interface, and then installs itself. There are no errors when installing on Windows 7, XP SP3 and Win2003 Server.

First run
Start up on Windows 7 was not successful. NeXpose Community just threw a lot of access denied error messages. As far as i could understand, the access denied messages are because of an attempt to modify the registry which is protected under Windows 7. Even when using Run As Administrator i got the same results.
The run was successful from the Windows2003 server installation. The first start up was extremely slow, it ran for more then 15 minutes configuring and updating itself. After that, the web interface is available for login at https://serverip:3780

First Scan
In order to scan you need to configure a Site, with target IP's within it. You can add several target IP's within the same site. The scanning options include the following scanning templates:

Full audit : Performs a full network audit of all systems using only safe checks, including network-based vulnerabilities, patch/hotfix checking, and application-layer auditing. Only default ports are scanned, and policy checking is disabled, making this faster than the Exhaustive scan.

Exhaustive : Performs an exhaustive network audit of all systems and services using only safe checks, including patch/hotfix checking, policy compliance checking, and application-layer auditing. Performing an exhaustive audit could take several hours or even days to complete, depending on the number of hosts selected.

Penetration test : Performs an in-depth penetration test of all systems using only safe checks. Host-discovery and network penetration options will be enabled, allowing NeXpose to dynamically discover additional systems in your network to target. In-depth patch/hotfix checking, policy compliance checking, and application-layer auditing will not be performed.

These templates and their behaviour cannot be modified in the NeXpose Community.

You can run the scan at scheduled intervals as well as manually. Once you initiate the scan, the scanning engine is very fast, and usually completes Penetration Test scan within 5-7 minutes on a fast link.

Scan Results
The scan results are presented in a very clear manner, for each site separately. The Penetration Test template on a Damn Vulnerable Linux 1.5 with active HTTP target was scanned in less then 3 minutes, and identified the following vulnerabilities

PHP Multiple Vulnerabilities Fixed in version 4.4.9
PHP Unspecified 'glob' Vulnerability
PHP Crafted UTF-8 Inputs Buffer Overflow
Apache Signals Sent to Arbitrary Processes Denial of Service
PHP session.save_path/error_log Values Not Checked Against open_basedir and safe_mode
Apache mod_imap/mod_imagemap Cross-Site Scripting Vulnerability in imagemap File Menus
HTTP TRACE Method Enabled
ICMP timestamp response

The reporting, although crippled compared to the commercial versions of NeXpose is still very good. You can schedule report generation and sending, and you can configure a baseline for each report - you get comparative results of the changes between the scans. This is very useful for automated scanning and information required by IT Auditors and Information Security Officers.

Conclusions
NeXpose Community is a valuable addition to the free tools that each security professional can use in his/hers work. It is very useful in terms of automated audits, and very interesting that it integrates with the Metasploit Exploit Framework. It still has glitches and issues on some platforms, but all tools are work in progress, so for the time being just add it to your toolset, don't replace any tools with it.

Talkback and comments are most welcome

Related posts
Possible Emerging Player In InfoSec Market?
Nessus vs Retina - Vulnerability Scanning Tools Evaluation
Tutorial - Using Ratproxy for Web Site Vulnerability Analysis
WMI Scanning - Excellent Security Tool

Corporate Guest WLAN - The best place for Eavesdropping to Interesting Traffic

noreply@blogger.com (Bozidar Spirovski) — Mon, 07 Dec 2009 20:36:00 +0000

When pen-testing a corporation, always look for the Guest WLAN. If there is one and you manage to get on it, you are in luck!
Corporate Guest WLANs are a great place to get a lot of interesting and possibly confidential information without much effort. And this is simply because there are a lot of corporate laptops on the same WLAN.

Ofcourse, you'll discuss that the corporate devices have wired access to the internet, which is much more reliable and faster. But also, the wired infrastructure is fully controlled by IT - with web filters, content filters etc. So on the guest WLAN you can easily find the following high-profile targets related to the corporation:

corporate laptop holders - usually employees higher in the hierarchy who just got bored from the restrictions of the corporate Internet filters can easily turn on their wi-fi and check the private e-mail, or just download something.
corporate guests - most visitors to corporations have WLAN enabled devices, ranging from mobile phones/pda, over netbooks to full blown laptops
external contractors - a lot of corporations will isolate external contractors to the guest WLAN for internet access.

The following diagram is an example of hunting for interesting targets in the corporate WLAN

The diagram clearly depicts the high concentration of possible high profile targets - marked in red color.

One can always make the argument that the same attack can be made within a Mall, or even in the home networks of those interesting targets. This argument is completely true, but in a Mall your high profile targets are blended in the multitude of the students, casual freebie surfers and even the mall store clerks with their WLAN devices.

And the home environment is even more difficult, because the high profile targets are dispersed all over the city, and you may not know where they reside. So, sniffing the networks one specific high profile target will bring a lot of costs to the attacker.

The following diagram is an example of the difficulties in sniffing for interesting targets in the home or public places WLAN

So, for my money, I'll always prefer to sniff for traffic in the corporate guest WLAN

Talkback and comments are most welcome

Related posts
5 Rules to Home Wi-Fi Security
Example - Bypassing WiFi MAC Address Restriction
Obtaining a valid MAC address to bypass WiFi MAC Restriction
DHCP Security - The most overlooked service on the network

5 Ways to fail a Social Engineering Pen-Test

noreply@blogger.com (Bozidar Spirovski) — Sat, 05 Dec 2009 15:59:00 +0000

A lot of penetration testing assignments include the famed Social Engineering test. When reading about it, or looking the social engineering scams on a TV series it looks very straightforward - you come in all nice and smooth-talking and every door opens for you.

The harsh reality is that a lot of social engineering penetration tests fail, which adds up to increased costs and a failed engagement for the consultant. In the extreme situation, you may spend some hours in the offices of corporate security or even the police, until the pen-test authorizations are verified.

Here are the most common ways to fail a Social Engineering Penetration Test

Come unprepared - Just walking into a company and asking for confidential documents sounds stupid. But trying to perform a social engineering attack on your first visit is even more stupid. Until you do proper amount of recon and research you have no idea what the company relationships are, who is in charge of what and what exceptions or processes may be used to succeed in a social engineering attack.
Just Wing It - Wake up call- you are not Frank Abagnale from "Catch Me if You Can" and you are not Danny Blue from the TV series "Hustle". During a social engineering attack you need to think on your feet and being creative always counts. But not preparing a background story supported by a nice set of evidence is a great way to fail a social engineering pen-test
Be outright aggressive or arrogant - Nobody likes people who are bossy and arrogant. While having an air of authority helps during a social engineering attack, you don't want to start from position of authority with an aggressive approach. That is the best way to get people to close up in the cocoon of procedures and regulations, or they'll simply call your bluff - in both ways you fail. Instead, you need to be friendly, courteous and polite. Maintain your air of authority, but never overuse it.
Choose the wrong person for the job - Social engineering is achieved through appealing to the people's urge to help others. But certain profiles of targets tend to be more helpful to different persons. For instance, a target group of young men will be very helpful to a nice looking woman of their approximate age or just a bit older - to maintain the advantage of implied authority through the age difference. But this same woman is considered a threat by target groups of young women, so for them you need to choose a different attacker. The same principle applies to phone based social engineering attacks.
Dress for failure - In social engineering, always remember that clothes make the man. If you perform a social engineering attack on a bank, you don't want to appear in jeans and sneakers. But if you are performing a social engineering on a software development company, you may actually miss by a mile by wearing suit and tie. Go back to point 1 about preparation :)

Have any more ways to fail, or good examples? Share in the comments!

Related posts
3 Things no book about hacking will ever tell you
5 biggest mistakes of information security
3 rules to keep attention to detail in Software Development
5 Rules to Home Wi-Fi Security

Possible Emerging Player In InfoSec Market?

noreply@blogger.com (Bozidar Spirovski) — Fri, 04 Dec 2009 08:43:00 +0000

After the Rapid7 acquisition of Metasploit, things are beginning to shift in the Vulnerability Scanning and Penetration Testing market. The basic trend is one of merging the small independent players into larger organizations with a product portfolio covering a wider area.

Rapid7 published the NeXpose Community edition, which pairs with Metasploit. At this moment it still has some early adoption issues - like problems with working on Windows 7, but these will be resolved.

The NeXpose Community may prove to be a strong adversary to Nessus in the free tools market, and by presenting the possibilities of NeXpose to a wider community it will enter the minds of more potential commercial users.

But apparently the competition is not sleeping either. For around a year, there is a joint discount offer on a set of products by Tenable Networks Security, Immunity Inc and DSquare Security. This set creates a great overall product:

Nessus being the vulnerability scanner
Immunity CANVAS being one of the commercial leaders in penetration testing frameworks and
DSquare enriching the set with additional exploit packs for CANVAS

While this joint offer is not new, with the current moves from Rapid7, it may be quite possible for the other players to join forces for a stronger approach to the market.

What do you think? Is the merger of Tenable and Immunity possible? Will it provide a better product and will the users benefit?

Related posts
Nessus vs Retina - Vulnerability Scanning Tools Evaluation
Tutorial - Using Ratproxy for Web Site Vulnerability Analysis

Tutorial - Alternate Data Streams: The Forgotten Art of Information Hiding

noreply@blogger.com (Bozidar Spirovski) — Wed, 02 Dec 2009 14:43:00 +0000

Alternate Data Streams is a feature of the NTFS filesystem. In essence they were created to provide compatibility with HFS, or the old Macintosh Hierarchical File System. The way that the Macintosh's file system works is that they will use both data and resource forks to store their contents. The data fork is for the contents of the document while the resource fork is to identify file type and other pertinent details.

How do you create an ADS? Wonderfully easy: All you need to do is have the two files, and then send the file to be hidden to the ADS of the host file with a simple type command:

type file_to_be_hidden> host_file:name_of_file_to_be_hidden

The most frequent use of ADS for malicious purposes is to conceal the executable of a trojan/rootkit as an Alternate Data Stream (ADS) to a perfectly safe file. For instance, once an attacker penetrates a Windows system, he can easily hide the malicious payload for further access into an executable which is fairly frequently used - like Calculator.

Alternate Data Streams may also be interesting as a mechanism to hide and transport information out of an organization:
Once you include an ADS into a file, there is no visible change in filesize of the host file, only the modified date is changed. This makes it quite difficult to detect the Alternate Streamed file. Also, the ADS file does not change the MD5 hash of the original file, which may prevent systems which control file modification through hashing from detecting the hidden file. Here is an example:

C:\Users\user\Desktop>md5sum test.txt
d41d8cd98f00b204e9800998ecf8427e *test.txt

C:\Users\user\Desktop>type image.jpg>test.txt:image.jpg

C:\Users\user\Desktop>md5sum test.txt
d41d8cd98f00b204e9800998ecf8427e *test.txt

One would think that this method of information hiding is great to transfer any amount of information with an inconspicuous carrier file being sent over a network. But there is a catch: most data carriers will ignore the Alternate Data Stream, and here is the summary list:

Zip, RAR or ARJ will simply compress the host file and disregard the ADS
MIME and Base64 encoding (e-mail) will ignore the ADS entirely
FAT32 (mostly used on USB flash drives) will loose the ADS since it's not supported.
Steganography programs will read the bytes of the host file and stop at the EOF
FTP and HTTP transfer ignores ADS entirely
Recording the

But all is not lost. There are still ways to transfer data with ADS:

Transferring the host file over SMB network to an NTFS target retains the ADS hidden file
Copying the host file to an NTFS file system transfers the ADS hidden file

So the information theft scenario with ADS is mostly available to employees or trusted persons:

The malicious user will create a legal host file and ADS a file with information to be stolen.
He will convince the manager to take the legal file home to work on over the weekend.
Upon the manager's request, even if USB drives are restricted, IT will copy the file over SMB and onto the employee's USB - which is sparkling clean and conveniently formatted with NTFS.
All logs of the transfer will contain the transfer of the original approved file to the USB

What will you do in such a scenario? Talkback is most welcome!

Related posts
Be Aware of Security Risks of USB Flash Drives
5 biggest mistakes of information security

Interview with GenApple founder

noreply@blogger.com (Bozidar Spirovski) — Mon, 30 Nov 2009 12:25:00 +0000

After the first article on the GenApple site - which promotes itself as the first information brokerage, Shortinfosec secured an interview with the founder of GenApple - Mr. Mark Hanson.

In a summary, the service will need polishing, and GenApple will need to tweak procedures and operating rules as they go along.

There may be security and privacy concerns - we are sure that the law enforcement agencies will be very interested to peek into the information being traded, as well as who is trading it. Also, on the other side of the coin - the information brokerage may be a place where illegal information is traded, so GenApple will have to be very careful to walk the thin line between trading of illegal material and the pressure of law enforcement to know everything.

Read the full interview with Mark Hanson - GenApple's founder. For Shortinfosec, the interview was done by Bozidar Spirovski

Bozidar: Let's start with the person behind the idea - As I saw from your linkedin profile, you are just 4 years out of university. Is this your first venture?
Mark John Hanson: Yes. This is my first start-up venture. But I had the idea for this site about a year and a half ago, and have been developing it since then. We're very excited about it: The team has been working very hard and we hope to deliver a quality service that people can use, enjoy and learn.

Bozidar: Could you describe the concept a bit more, of course in layman's terms - at first glance it sounds like e-bay but for bits and bytes
Mark John Hanson: Sure: what we aspire to be is a place where people simply can buy and sell information and knowledge. At first glance, why would people pay for information or knowledge? The Internet is filled with free information, from search engines, to answer portals, to e-learning portals. However, something is missing - every person throughout their years acquire a lot of knowledge, some of it has little to no value. But every person has knowledge that they possess that another person may want---in real life to gain this knowledge there might have to be a personal relation. But with our site; we seek to create a marketplace where people for the first time can sell knowledge and information that another party may want and pay for.

Bozidar: So what you are promoting is compensation for knowledge that someone has and others require?
Mark John Hanson: exactly---right now there's lots of knowledge that is not being disclosed on the Internet because people feel it has value. For instance, there are things you are willing to blog about for free---you write about security issues. However, you're a businessman and there are many other things that you have acquired over the course of your life that you know that has real value. We seek a place where you can sell such knowledge, both privately, if you want and securely.
Yes there are many answer site, forums, etc and for many many questions, a free answer forum is good enough. However, we're not just an answer forum, we hope to be a place where a broad amount of knowledge is shared

Bozidar: You touch an excellent subject with the forums - There are commercial forums that offer some form of expert knowledge when you subscribe. These are usually quite technical and with specific target groups in mind. What is your target group?
Mark John Hanson: at the end---we hope to be the destination for any or all type of knowledge; however, starting out, we'll focus on three verticals and expand from there
(1) stock tips and financial knowledge, we want to have a monetary focus when we start so people who have knowledge or advice about investment strategies can share. Because of US securities regulation, we'll active monitor these listings to make sure that inside information is not disclosed or sold
(2) news freelance --- because of the nature of journalism in the US there are many reporters who are currently unemployed or underemployed. What we want is for people who are journalists, citizen journalists and so on to have a place where they can sell news stories that they'll write and the news organ
(3) celebrity gossip and information---we wanted to have a fun and interesting vertical so people will check our site out and follow what is being disclosed on our launch.

Bozidar: The exchange of information will go through GenApple. I'll try to summarize the process as I understood it:
The seller offers a commodity (information) on the exchange
The seller deposits the commodity in the information vault
The buyer and seller agree on a price and transfer funds
The buyer pulls the commodity out of the vault
The buyer receives the funds after a cool down period for disputes

Mark John Hanson: Exactly: there's obviously more detail and I'll be happy to provide you with our animation intro that explains this, users can also view our "how it works" area. You are concerned with security, and this is utterly important for a business like this. Thus our website has been developed that each information vault is protected from hackers and people with bad intent. We are certified by McAfee---we also use a SSL certificate from Verisign, so immediately when people are on our site, all transactions, from a simple search are secure.
We feel that as an "information brokerage" we should treat our customers as if they're dealing with a bank or financial institution---information and knowledge is valuable. Moreover, when people sell information, they want to keep their identity private because of the nature of transaction---to us privacy is a form of security. We want people to know that if they use this site, their identity is kept safe and will not be disclose to anyone, period.

Bozidar: You use a very strong statement there "protected from hackers". In the world in which I live, something hasn't been hacked only because a hacker still hasn't found the vulnerability to exploit or the interest in exploiting it. So for argument's sake, let's say that a hacker manages to break in and he/she/they steal information or redirect funds. Do you accept any responsibility for the damages caused to the parties involved?
Mark John Hanson: I do have confidence in our site's security and McAfee secure---we will do our utmost to protect the information that people have disclosed from us---as to your question, our user agreement discloses precisely what responsibilities each party undertakes.
Bozidar: So on this particular site it is very wise to read the agreement, not just click the I Agree button?
Mark John Hanson: What we want is for every use to read the user agreement and privacy policy before they sign up---we have links to these agreements in the registration page. The reason for this is that the user knows what to expect from us and also what we expect from every user. This marketplace depends on GenApple to create a safe, easy, secure place to do a transaction.

Bozidar: In your first target group vertical you mention US regulation. On my attempt to register I saw that the registration address can only be a US address. Does this mean that every user of GenApple needs to be under US jurisdiction?
Mark John Hanson: For right now we're limiting it to the United States; however probably very soon we'll open it up to many different countries---this is party based on how we pay - we have two payment methods to pay sellers (1) PayPal and (2) a bank check mailed directly to a user's home. PayPal is not available to every country and a bank check is limited to North America.

Bozidar: Not quite - google mails checks all over the planet
Mark John Hanson: Google as a business does this---I'm not aware of a payment service that they have; however we prefer to use a Bank so our users are confident that the check they receive will be cashed. In the future---we could mail checks to users around the globe---if we reach that point, we'll be happy to provide that service

Bozidar: Let's talk a bit about the actual commodity - information what type of physical information can be stored in the data vault - text files, excel spreadsheets, images, encrypted files etc..is there a limitation? and of course, to what size?
Mark John Hanson: No limitation as to the type of files---we are looking at limitation right now---we also provide a textual entry area for people to disclose their information if it's just a short sentence. So we're still trying to set a balance and when we launch, we'll note file size limitation within the information vault.

Bozidar: Well, since basically the actual information can be any type of file, you may be faced with a very unpleasant situation - the buyer agrees with the seller, transfers the funds and receives nothing useful so he disputes - or a far worse scenario: the buyer got what he requested, but he/she still wants to cheat and disputes nevertheless. How are you planning on coping with 'fraudsters' on both the selling and the buying side
Mark John Hanson: Very good point---hence our business model: as we note up front, we are an "information brokerage" --- we are dealing with the intangible unlike eBay or many site that sell tangible products---it's much harder to police fraud when dealing with the intangible. The buyer wants to know that he or she is getting what he or she is paying for and the seller want to know they're getting paid. Hence as a brokerage, we assist in every transaction, as the user agreement says, we are not a part of a transaction, but we do the following:
(1) in every listing, potential buyers can ask the seller questions directly before they buy
2) the buyer can look at the seller's feedback rating and take that into consideration--with more positive feedback being good
(3) besides the summary, there is the veracity statement, which is where the seller can state how he or she came to acquire such information or knowledge
Mark John Hanson: So up front, we want to give the buyer as many opportunities as possible to make an informed purchase. However, we go to your point--what if the seller's information is bad or the buyer unfairly disputes a transaction, hence our dispute system, which is noted in our user agreement---we take a look at the positions of the buyer and seller---and we make the final decision for them. This is a high standard, which we use to discourage buyer who unfairly file disputes. We want to protect our buyer's as much as possible, and if it seems that fraud exists, then we'll issue a full refund. Each dispute is a case by case basis---but each party agrees not to appeal GenApple's final decision.

Bozidar: A bit more on the content of information - if it is encrypted, then you may be facilitating transactions involving exchange of illegal information: like access passwords, or industrial secrets, plans to make bombs.
Mark John Hanson: yes---all valid points---this goes into our privacy policy, You certainly know the concept of a safety deposit box. We treat every information vault as a safety deposit box. If we as a service look into those vaults, then seller's may feel insecure from the get go, when people deposit into a safety deposit box, they want privacy. To combat possible illegal activities our best courage of action is thus to be diligent---any listing that we see that's suspicious (sp) will be deleted. We have on every listing page a report listing function, which any user can immediately file a report if such listing looks bad. If there is a dispute or an illegal transaction, as per the user agreement, we'll comply with governmental authorities

Bozidar: So I'll speak the lingering question on every body's mind on your launch: Will the law enforcement and intelligence agencies get full access to all information vaults? I know that your policy states that you'll supply law enforcement with information in case of investigation; But what about the broad view?
Mark John Hanson: What we're trying to do a strike a balance, which could change as the site matures. As per our user agreement, all vault are secure from us and the public unless there is a dispute or request from a law enforcement agency. We will not under any circumstance turn over private information or information vault unless forced to do so---we can only promise to take each instance as a case, and that's all I can say at this point that's not already disclosed in our user agreement, but you have a balance, seller's must be confident in a privacy transaction.

Bozidar: You gave a good argument that you as an information broker actually cannot know what all transactions are - thus you are not responsible for any wrongdoing of the users. But still, the similar argument applied to Napster and the Pirate Bay - and yet, they got sued for facilitating illegal exchange of information.
Mark John Hanson: We'll in our user agreement, if someone does do something illegal, they are liable for our defence costs. But you are correct, there might be people who do illegal things. We'll do our very best to create the best marketplace possible.

Bozidar: Are you actually worried that it may come to GenApple being sued for situations similar to Pirate Bay? They did claim plausible deniability but are now in prison.
Mark John Hanson: All I can say is that we drafted our user agreement with your question(s) in mind, but I cannot speculate what'll happen in the future---no one knows

Bozidar: Mark, i want to thank you for all the information we got on this interview. One last question - what does GenApple stand for?
Mark John Hanson: Yes--hehe--every Internet company needs a name that's short and memorable--the root "Apple" comes from the fruit of the tree of knowledge of good and evil. I was looking for adjectives because obviously Apple is taken. I did find the "gen" is British slang for information, hence the word genapple.

Do you like this product? What security concerns might you have on GenApple? Please add your 2 cents in the comments.

Related posts
GenApple - First Glance at the First Information Brokerage