Information Gathering - lessons from The Big Short
Information gathering from public sources is still one of the best ways to understand your potential target.
I have been reading a great book called "The Big Short". It's a book about the financial crisis of the sub-prime mortgage market in the US. I don't have any financial services training so I didn't quite grasp all the nuances of the financial machinations involved, but one thing is clear: All people that managed to profit during the failure of the subprime mortgage market relied only on publicly available information. 
This only goes to show the power that lies in publicly available information, if it is analyzed properly. Always collect as much information as possible: financial statements, annual reports, IP and DNS registry records, and the output of OSINT tools such as Maltego.
Regardless of whether you need to collect information on a potential competitor or a target of a penetration test, or are doing financial spread betting, derivatives trading or financial research on a company, there are several lessons that "The Big Short" teaches us:
- Financial statements contain non-financial data - do not run away from the balance sheets, income statements and the like. Most often, these documents carry a significant narrative which explains the financial items and, with them, the operations of the target.
- Collect information on the target - grab financial statements, news on sales contracts, news on key personnel (and their assistants) who arrived at or left the company, and everything else that exists as indexed documents or spreadsheets.
- Collect information on the target's partners and customers - it is not only the target that needs to be investigated. The partners, who may have less stringent information security policies, are always an excellent information source. Also, their financial statements may contain useful insights.
- Look at relationships between everyone - who owes money to whom, who is dependent on whom, who has whose trust. Understanding relationships between people and companies is a great foothold for social engineering.
- Ask the 5 Whys - on every fact or relationship, ask yourself why it is done in such a way and try to answer it. Then ask why about the answer, and again and again. If you don't find a good simple answer, there is a good chance there is a gap: either some useful and important information is not available, or there is a gap to be exploited.
While "The Big Short" is about making money, the lessons from it are excellent for information security. I would recommend a read for every security guy.
Talkback and comments are most welcome
Related posts
Digging for information with Open Source Intelligence
Internal penetration testing – Why your business needs it
Internal penetration testing is a comprehensive security test of all systems related directly and indirectly to your business. This is a particularly thorough form of testing, and often goes outside the ambit of what might usually be expected in web application security testing.
Internal penetration testing, explained
This type of testing effectively imitates the methods used by hackers when attempting to penetrate your security system. There are multiple levels of penetration testing, and security consultants need to adapt the tests to match on-site technology.
Internal penetration testing relates to security vulnerabilities within a system. As distinct from external penetration testing, which probes vulnerabilities in relation to accessibility of sensitive systems from the outside, internal penetration testing deals with vulnerabilities between internal systems.
This is no academic process. A weak point in the system can be used to access multiple parts of that system. Full system security is supposed to have internal, as well as external security safeguards. A person accessing your system through an employee interface or similar routine method may be able to access areas which should be off-limits. Because most systems are typically accessed by a large range of people, it is important to ensure that internal security is watertight.
It is absolutely necessary that your internal security is as good as you can make it, because this is a critical security level with direct access to sensitive information.
Internal penetration testing methods
Security testing includes a range of possible forms of internal access to information. It may for example be possible to access information directly from the business database including personal information, account numbers etc. , or indirectly using a "backdoor" approach through another system or application.
One of the primary problems with internal security is that most companies use off-the-shelf systems and software, many of which have known vulnerabilities. These systems are quite easy for hackers to subvert, particularly if the software hasn't been upgraded or its security updates applied. Many software upgrades are in fact required patches which may or may not be installed, and un-patched software is itself a significant security vulnerability.
Security consultants must test each aspect of internal security, and do it very thoroughly. Security checks may include such basics as firewalls, passwords and other seemingly simple issues but you should know that vulnerabilities in these areas can be fatal and seriously compromise system security all by themselves.
Ongoing penetration testing issues
While internal penetration testing and other forms of penetration testing do provide comprehensive checks, technology changes rapidly, and so do methods of breaking into security systems. Best practice is to conduct penetration testing once every six months, which ensures that security consultants can apply current methodologies to their testing.
Perhaps most importantly, engaging a security consultant for penetration testing is also very useful in getting immediate support and advice when you need it. Even the best IT people only have a limited amount of knowledge in this area, and it's always advisable to get expert assistance in these fields.
This is a guest post by Erik Weisz. Erik is an Australian freelance writer and journalist. He writes extensively in Australia, Canada, Europe, and the US. He's published more than 500 articles about various topics, including Web Application Security and Penetration Testing.
Compiling the latest Skipfish for Windows
Seeing that skipfish releases are changing twice a day, Shortinfosec is starting a persistent post to publish the latest versions of skipfish compiled for Windows.
Here you'll find the latest compiled versions, as well as a historical trail of the previous versions.
In order to run it, just unzip the archive - it contains the cygwin run-time libraries needed for running skipfish. The compiled code is tested on Windows 7 and Windows XP Pro.
Download the latest version of skipfish for windows - skipfish 1.29b
Previous versions
Download skipfish 1.26b for windows
Download skipfish 1.25b for windows
Download skipfish 1.22b for windows
Download skipfish 1.18b for windows
Download skipfish 1.13b for windows
Download skipfish 1.11b for windows
Skipfish - New Web Security Tool from Google

Shortinfosec has compiled skipfish v1.11b on Windows.
UPDATE: Seeing that skipfish releases are changing twice a day, I am starting a persistent post on my blog to publish the latest versions of skipfish compiled for Windows.
Here is the link to the post for future versions
http://www.shortinfosec.net/2010/03/compiling-latest-skipfish-for-windows.html
You can download compiled skipfish-1.11b for Windows here
Verification sum:
skipfish-1.1b.zip MD5: 6D97FBCB65CAF57A7D74E99C0671AEDA
In order to run it, just unzip the archive - it contains the cygwin run-time libraries needed for running skipfish.
If you wish to compile skipfish yourself, you need to install cygwin and compile it with make. Do not forget to update your PATH variable to include c:\cygwin\bin.
Quickstart
To run it, start a command line in the directory where skipfish is unzipped/compiled:
- create a report directory (report_outdir)
- type skipfish -o report_outdir http://target-site - after the scan is finished, go to report_outdir and open index.html to view the results
- you can always break the scan with ctrl-c
Skipfish creates a more advanced report than ratproxy, and it is autogenerated, so you don't need a special parser to create the HTML report from the raw results.
Minimize Impact of Online Intelligence Searches
In our previous article - Digging for information with Open Source Intelligence - we looked at the generic process of information gathering. But what is this process looking for? The answer to this question is important to all parties:
- to the investigator - for properly focusing his or her efforts
- to the possible targets - in order to properly defend against Open Source Intelligence

The final goal of any intelligence action is to obtain information that can be sold or used as competitive advantage. This can be as simple as a password, or as complex as plans for a corporate takeover.
At the information gathering level, this translates into:
- Content of files indexed by search engines - In the ideal intelligence world, everything is contained in a single page document that can be scanned or downloaded from the internet. Although such documents won't surface on the internet unless someone is utterly dumb, bits and pieces of information can be found in files that have found their way onto the web and got indexed by the search engines. In order to make such pieces of info useless, hire a person to perform regular 'Google Hacking' to find such documents. Bear in mind that once documents are on the internet and get indexed, you cannot destroy all publicly available copies. Instead, change the information within your company to render the public information useless or false.
- Operational or Potential Business Relationships - web sites, news articles and corporate newsletters of partners and providers, even forum and support site posts, can contain names and sites of the target company. While these are harmless by themselves, using these names the investigator can establish that there is some relationship between the parties, and even the nature of that relationship. This can be used in a competitive bid, in social engineering, or simply leaked to the public. There is no real protection for such information, except being aware that it is 'in the wild'.
- Real Person Identities - Publicly available names and contact info of any personnel related to the target are a potential gold mine. With the advent of social networks, once someone's name is known, the investigator can proceed with a detailed investigation of that person, and with attempts at breaching their credentials by trying common password combinations (pet names, birthdates, phone numbers etc). Most companies actually prefer to publish real persons' names and contacts in the effort to appear closer to their potential clients and partners, so there is no direct protection. Much like in point 1, you should hire a person to perform regular analysis of which names are publicly available, and what information is available on such persons, combined with a penetration test on their accounts. You can also institute a policy and awareness training for such persons to make them aware of their exposure.
- Relationship Context - this is merely an extrapolation of real identities, business contacts and online communication. It can give the investigator an insight into 'who receives orders from whom' or 'who is close to whom'. Such insight is crucial for social engineering attacks. Controlling it comes down to controlling the previous three points.
In summary, Open Source Intelligence is going to collect information about you and/or your company. You can do little to prevent it, but you can do much to render such information of very little value to anyone.
Digging for information with Open Source Intelligence
Wikipedia defines Open source intelligence (OSINT) as a form of intelligence collection management that involves finding, selecting, and acquiring information from publicly available sources and analyzing it to produce actionable intelligence.
In reality, the methodology used in OSINT is the information gathering phase of every penetration test. They only stuck a fancy name on the process.
Regardless of the name, OSINT is very useful, and its results can be very well used even outside of the penetration testing process.
The information gathering, or OSINT process can be summarized in the following steps:
- Identify your point of interest - who/what is your target of investigation. Start broad, and then narrow down to the interesting elements. For instance, start with a domain name or an IP address pool for a provider, until you find the contacts and names of actual persons. Then you can start drilling for material left on the Internet by them for further useful clues.
- Collect information from multiple sources - consult search engines, corporate sites, mailing list servers; even the old and forgotten Usenet might be useful.
- Sift through the gathered information to form a useful result - identify interesting pieces of intelligence for further use.
The process looks very simple on paper, but bear in mind that most searches generate tons and tons of possible clues and/or false leads. It takes
Here is what you'll have to deal with:
- Irrelevant/false hits on a keyword - URL links or sites that contain the same sequence of words but in totally different context. The more generic the terms that you are searching for, the more of these there will be.
- Fake contacts placed during registration process - looking for that all important 'Who' behind some site or document? Bear in mind that contact information on the web is usually fake to avoid pestering sales persons. And anyone can use your target's name for an alias on a registration.
- Hundreds or thousands of archived messages from forums and mailing lists - much like the previous one, aliases and nearly useless communication can be found and need to be sifted through. And you cannot be certain that you are looking at something written by your target of investigation.
- Documents with irrelevant word matching - a large enough digital book will contain all the words of virtually any phrase.
There are a lot of tools that will help you on your quest for information, but I'll sum up those that I find useful:
Google hacking - The title says it all. Choose your keywords and then drill for data on Google.
Maltego CE - a client side program that drills the Internet for information on the element that you have chosen as source. It will return all kinds of possible information for further drill down. Produces a lot of false positives.
Silobreaker - an information correlation and pattern recognition system that returns results as summarized information clusters related to your search query. Not always very accurate, so always use other sources.
Free VS Commercial Database Vulnerability Scanning
Part of the vulnerability assessment process must include a vulnerability assessment of your databases.
And the sad reality is that while there are thousands of tools that focus on Web application and network security scanning, very few of them do the same for databases.
Today we are comparing the results delivered by Scuba by Imperva - a free tool and NGSSQuirreL for SQL by Next Generation Security Software - a commercial tool.

The tools comparison table
Here is a side-by-side comparison of functionality and results of both tools
The results
To provide the most impartial evaluation of the results, we have generated detailed reports from both tools as PDF files. You can review them and assess the quality yourself.
- Here you can download and view a SCUBA PDF Database Vulnerability Detailed Scan of a SQL 2008 Express DBMS
- Here you can download and view a NGSSQuirreL PDF Database Vulnerability Detailed Scan of a SQL 2008 Express DBMS
Conclusion
It is evident that the commercial tool beats the free Scuba in every area. But before you jump into a purchase, you need to assess your requirements and expectations.
So it is very advisable to get the free tool, run it in your environment and understand the results, so you can see what is missing and extend your search to a better tool.
IP Spoofing Attack in the real world
The guest post on IP Spoofing was well visited and caused a lot of interest. One may expect that a lot of visitors actually thought that IP spoofing is a great way to cause a bit of commotion and try themselves out as hackers.
The reality of the internet is actually quite different. First of all, IP spoofing has been around for decades, and has been the cause of a lot of quite nasty attacks on high profile targets.
Most serious ISPs do not want to be related to IP spoofing attacks, and are implementing measures to contain IP spoofing attacks originating from their networks.
The containment measures are implemented on their firewalls and routers. The basic logic of this protection is this:
- A firewall is aware of the networks to which it connects, so it can control source addresses. For example, a demo firewall has 5 interfaces:
- A connecting to network 10.1.1.x
- B connecting to network 10.2.1.x
- C connecting to network 10.3.1.x
- D connecting to network 10.4.1.x
- 'outside' connecting to the rest of the world/internet
It is expected that any traffic arriving on interface A will have a source address of 10.1.1.x. If it doesn't, it is most probably an IP spoofing attack and will be dropped. The only interface that cannot apply such logic is the 'outside' interface, since it connects the firewall to the rest of the internet. But the outside interface can have another protection, which guards against 'loop' IP spoofing attacks: the 'outside' interface must not accept incoming packets with source addresses from a network that sits on any of the 'inside' interfaces.
- Routers have a bit more complex mechanism, since a router can have traffic from multiple networks arriving on any of its interfaces. They use uRPF (unicast Reverse Path Forwarding), which checks whether the packet's source address belongs to a network that is known in the routing domain of the router (that is, whether the router has a route back to the source).
- University networks - apart from the large universities with dedicated IT staff, the netadmins of most universities are the teaching assistants of computer science. And they don't really make much of an effort to control the traffic on the network as long as the university's servers and staff systems are protected. Universities are quite often Autonomous Systems, so an IP spoofing attack originating from an unprotected network will travel on the Internet backbone.
- Smaller company networks - these networks are usually maintained by the 'one man band' sysadmin, who really has too much on his or her plate to think about spoofing protection. The silver lining in such an environment is that these companies are just a small user of an ISP, which is very capable of blocking an IP spoofing attack originating from the small company network.
- ISPs in developing countries - much like small company networks, manned by personnel who are not properly trained, understaffed and overworked. And the bad news is that these ISPs are also Autonomous Systems, so IP spoofing attacks originating there will most probably get out.
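As an added example (not code from the original post), here is the firewall anti-spoofing logic described above together with a strict/loose uRPF check, written in Python and run over a constructed routing table and constructed packets. The interface names, prefixes and addresses are assumptions for illustration.

```python
import ipaddress
from dataclasses import dataclass

# Constructed demo firewall from the post: four inside interfaces plus 'outside'.
INTERFACES = {
    "A": ipaddress.ip_network("10.1.1.0/24"),
    "B": ipaddress.ip_network("10.2.1.0/24"),
    "C": ipaddress.ip_network("10.3.1.0/24"),
    "D": ipaddress.ip_network("10.4.1.0/24"),
}


@dataclass(frozen=True)
class Packet:
    ingress: str  # interface the packet arrived on
    src: str      # source IP address as written in the IP header


def firewall_verdict(pkt, interfaces=INTERFACES):
    """Firewall anti-spoofing check: an inside interface only accepts its own
    network as source; 'outside' rejects any source that belongs to an inside
    network (the 'loop' case). Returns 'accept' or 'drop: <reason>'."""
    src = ipaddress.ip_address(pkt.src)
    if pkt.ingress == "outside":
        for name, net in interfaces.items():
            if src in net:
                return f"drop: source {pkt.src} belongs to inside interface {name}"
        return "accept"
    net = interfaces.get(pkt.ingress)
    if net is None:
        return f"drop: unknown interface {pkt.ingress}"
    if src not in net:
        return f"drop: source {pkt.src} is not in {net}, the network behind {pkt.ingress}"
    return "accept"


# Constructed routing table for the uRPF part: prefix -> interface the router
# would use to reach that prefix. The /24 is deliberately more specific than the /16.
ROUTES = {
    ipaddress.ip_network("10.1.0.0/16"): "eth1",
    ipaddress.ip_network("10.1.1.0/24"): "eth2",
    ipaddress.ip_network("192.0.2.0/24"): "eth3",
    ipaddress.ip_network("0.0.0.0/0"): "eth0",  # default route towards the upstream
}


def lookup_route(address, routes=ROUTES):
    """Longest-prefix match. Returns (network, interface) or None."""
    addr = ipaddress.ip_address(address)
    best = None
    for net, iface in routes.items():
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best


def urpf_verdict(pkt, routes=ROUTES, strict=True):
    """uRPF: look up the *source* address as if routing a reply back to it.
    strict=True  -> the reply must leave via the interface the packet came in on.
    strict=False -> any route to the source is enough (loose mode).
    The default route does not count as a route back in either mode."""
    match = lookup_route(pkt.src, routes)
    if match is None or match[0].prefixlen == 0:
        return f"drop: no specific route back to {pkt.src}"
    net, iface = match
    if strict and iface != pkt.ingress:
        return f"drop: reverse path to {pkt.src} is {iface}, packet arrived on {pkt.ingress}"
    return "accept"


# Constructed sample traffic, for running the block stand-alone.
SAMPLE_PACKETS = [
    Packet("A", "10.1.1.7"),           # legitimate
    Packet("A", "10.2.1.7"),           # spoofed: a network B address arriving on A
    Packet("outside", "10.3.1.9"),     # loop spoof: an inside address from the internet
    Packet("outside", "198.51.100.4"), # ordinary internet source
]

if __name__ == "__main__":
    for p in SAMPLE_PACKETS:
        print(f"firewall {p.ingress:>7} {p.src:<14} -> {firewall_verdict(p)}")
    for p in (Packet("eth2", "10.1.1.5"), Packet("eth1", "10.1.1.5")):
        print(f"uRPF     {p.ingress:>7} {p.src:<14} -> {urpf_verdict(p)}")
```

Loose mode is what many providers actually run at peering edges, since strict mode drops legitimate asymmetric traffic; the example lets you compare the two verdicts on the same packet.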
Please note that this article is not an invitation to start wreaking havoc on these networks, on the contrary, it should serve as a reminder for their netadmins to implement the available and quite simple protection measures.
A Simplified Analysis - Can you Forge a Biometric ID?
Security of biometric IDs like biometric passports is a very frequent topic of discussion, and we all know there are issues. But most of those issues are related to encryption, materials and generally anything that requires a lot of technical knowledge.
Here is an example of the possibility to create a fake Biometric ID with very little technical knowledge. In order to understand this possibility, we need to discuss the 2 biometric elements within the ID:
1. Facial information
Each biometric ID contains a very clear and accurate photo of the owner of the ID. And facial recognition is used in a lot of systems, most frequently in organizations which require non-intrusive identification - like casinos and some border controls. So facial recognition systems are quite common and commercially available.
But facial recognition has an inherent weakness - it cannot be calibrated to 100% accuracy. This is simply because some features of your face can actually change on a daily basis: facial bloating, skin discoloration, acne, minor injuries. So the facial recognition system needs to be flexible - most facial recognition systems are set up to match at around 70-80%.
2. Fingerprints
Fingerprints are also stored in the biometric ID, with most IDs storing only one or two fingerprints - the index finger of the right hand or the fingerprints of both index fingers. It is common knowledge that fingerprint readers can be easily fooled, with very simple and available methods.
One simply lifts the fingerprints and creates a copy using Photoshop, a laser printer and gelatin or wood glue. Here is an example of a simple fingerprint lifting method - the first step in recreating a fingerprint.
So far, these two elements may be fooled, but how can we create a fake biometric ID with such information?
Technically, it is very very difficult to modify a manufactured biometric ID into a fake one, which was the initial idea.
But what if you can alter the input data into the process of creating a new legal biometric ID? The process is quite simple:
- The seller of the fake ID must create the fake ID for a person who has similar facial features to him/her, so the facial recognition software matches the expected 70-80% similarity. To match a seller and a buyer with sufficient similarity, you can use a public web site http://celebrity.myheritage.com/FP/Company/try-face-recognition.php
- The seller will prepare fake fingerprint covers of the buyer and attach them to his or her fingers.
- The seller simply enters the appropriate authority and applies for the biometric ID. He/she gets photographed and the fingerprints get scanned on a scanner that is in front of a bulletproof glass (to isolate from the flu). These authorities are staffed by overworked people and there is usually a lot of commotion, so very few people will ever notice your fake fingerprint covers. Oh, and the application software rarely compares the previous fingerprints with the currently scanned ones.
- If all goes well, the seller will receive an original ID which contains a face of the seller as well as his/her personal information, but the fingerprints are of another person - the buyer. The buyer can now take that ID and actually pass most control checks.
- For all legal purposes such an ID is very much a fake, and there is no way to prove that the seller faked his/her information - even if the fake fingerprints are found on file, how will you prove that the seller faked his fingerprints?
What's your opinion? Can this method actually work?
Summary of IP Spoofing
If you are using any sort of IP based filtering within your application, then you need to evaluate how IP spoofing attacks affect your security controls. In order to make a fair evaluation you will need a basic understanding of IP spoofing attacks.
Let's look at two different scenarios.
Scenario #1 Attacker wants to spoof an arbitrary IP address and the attacker is not on the same subnet (broadcast domain) as the targeted IP address. Example: attacker is 1.2.3.4 and wishing to spoof 4.5.6.7
Scenario #2 Attacker wants to spoof an IP address of someone on his own subnet (broadcast domain). Example: attacker is 192.168.1.55 and wishing to spoof 192.168.1.58 (assuming subnet of 255.255.255.0)
Scenario #1
The attacker can create forged TCP packets and modify the source IP address to be any value. One tool that can do this is HPING2.
What you can do:
- Send an initial TCP packet with any source IP address
- Send a series of UDP packets with any source IP address
- Send a series of unrelated TCP packets from the same or varying IP addresses
What you can't do:
- Receive any responses to your forged messages. The responses, if sent, would go to the forged IP address.
- Send a string of related TCP packets (e.g. reconstruct an actual TCP exchange). This is because you can't complete the handshake or guess the necessary information to continue the TCP connection.
Scenario #2
The attacker can perform a variety of attacks to forge or take over the IP address on the same subnet.
Attack Options:
- Simplest - Statically define your IP address to the target IP address
- Switch your MAC address to the MAC address of the current NIC for the target IP address and attempt to assume control of the IP
- Execute a man in the middle attack via ARP spoofing (see tool Cain & Abel) and then gain control of the user's unencrypted transmissions. You could likely modify or redirect traffic to accomplish your original spoofing goal.
What you can do:
- Assume control of the IP address. Note: This means you can send/receive valid data using the targeted IP address as your own. It does not grant you access to existing sessions that the user had with any websites (because you don't have the user's session cookies).
What you can't do:
- Intercept encrypted (e.g. SSL/TLS) communication destined for the target IP address without alerting the targeted user in some way (browser warning message for MitM invalid certificate).
This is a guest post by Michael Coates, a senior application security consultant with extensive experience in application security, security code review and penetration assessments. He has conducted numerous security assessments for financial, enterprise and cellular customers world-wide.
The original text is published on ...Application Security...
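Added example, not part of Michael Coates's post: a defender-side detector for the Scenario #2 techniques above (one host answering ARP for another host's IP, or poisoning the gateway entry), run over constructed ARP-reply records. The log format, the addresses and the gateway IP are assumptions for illustration.

```python
from collections import defaultdict

# Constructed sample records in the form "<time> <sender IP> is-at <sender MAC>",
# the way a sniffer might print ARP replies seen on the 192.168.1.0/24 segment.
# 192.168.1.55 first claims 192.168.1.58's address, then the gateway's.
SAMPLE_ARP_LOG = """\
10:00:01 192.168.1.1 is-at 00:11:22:33:44:01
10:00:02 192.168.1.58 is-at 00:11:22:33:44:58
10:00:03 192.168.1.55 is-at 00:11:22:33:44:55
10:00:09 192.168.1.58 is-at 00:11:22:33:44:55
10:00:10 192.168.1.1 is-at 00:11:22:33:44:55
10:00:11 192.168.1.58 is-at 00:11:22:33:44:55
"""


def parse_arp_log(text):
    """Yield (time, ip, mac) tuples; lines that do not fit the format are skipped."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[2] == "is-at":
            yield parts[0], parts[1], parts[3].lower()


def detect_arp_anomalies(records, gateway_ip=None):
    """Return a list of (time, kind, ip, mac) alerts.

    kinds: 'ip-mac-change'  - an IP is suddenly answered by a different MAC
           'gateway-change' - the same, but the IP is the default gateway
                              (the classic ARP-poisoning MitM pattern)
           'mac-multi-ip'   - one MAC now answers for several IPs (takeover
                              of, or poisoning on behalf of, several victims)
    Caveat: a DHCP lease moving to another host or a replaced NIC also
    produces 'ip-mac-change'; correlate with DHCP logs before acting on it."""
    ip_to_mac = {}
    mac_to_ips = defaultdict(set)
    alerts = []
    for t, ip, mac in records:
        previous = ip_to_mac.get(ip)
        if previous is not None and previous != mac:
            kind = "gateway-change" if ip == gateway_ip else "ip-mac-change"
            alerts.append((t, kind, ip, mac))
        ip_to_mac[ip] = mac
        before = len(mac_to_ips[mac])
        mac_to_ips[mac].add(ip)
        # Alert only when a MAC that already owned an IP acquires another one.
        if before >= 1 and len(mac_to_ips[mac]) > before:
            alerts.append((t, "mac-multi-ip", ip, mac))
    return alerts


def analyze(text=SAMPLE_ARP_LOG, gateway_ip="192.168.1.1"):
    """Run the detector over one log text; the gateway IP is an assumption."""
    return detect_arp_anomalies(parse_arp_log(text), gateway_ip)


if __name__ == "__main__":
    for t, kind, ip, mac in analyze():
        print(f"{t} {kind:<15} {ip:<14} now claimed by {mac}")
```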
NeXpose Community Edition - Our First Look
Rapid7 chose to publish a free version of their NeXpose scanner. The software has been available for less than a month, and still has to prove itself to the general community. We are publishing the experiences of our first look at this product. NeXpose Community integrates with Metasploit, and the integration will be covered in the next article.
Installation
The installation is simple enough - just run the installer. It asks for a username/password for the web interface, and then installs itself. There are no errors when installing on Windows 7, XP SP3 and Win2003 Server.
First run
Start up on Windows 7 was not successful. NeXpose Community just threw a lot of access denied error messages. As far as I could understand, the access denied messages are because of an attempt to modify the registry which is protected under Windows 7. Even when using Run As Administrator I got the same results.
The run was successful from the Windows 2003 Server installation. The first start up was extremely slow; it ran for more than 15 minutes configuring and updating itself. After that, the web interface is available for login at https://serverip:3780
First Scan
In order to scan you need to configure a Site, with target IPs within it. You can add several target IPs within the same site. The scanning options include the following scanning templates:
- Full audit : Performs a full network audit of all systems using only safe checks, including network-based vulnerabilities, patch/hotfix checking, and application-layer auditing. Only default ports are scanned, and policy checking is disabled, making this faster than the Exhaustive scan.
- Exhaustive : Performs an exhaustive network audit of all systems and services using only safe checks, including patch/hotfix checking, policy compliance checking, and application-layer auditing. Performing an exhaustive audit could take several hours or even days to complete, depending on the number of hosts selected.
- Penetration test : Performs an in-depth penetration test of all systems using only safe checks. Host-discovery and network penetration options will be enabled, allowing NeXpose to dynamically discover additional systems in your network to target. In-depth patch/hotfix checking, policy compliance checking, and application-layer auditing will not be performed.
You can run the scan at scheduled intervals as well as manually. Once you initiate the scan, the scanning engine is very fast, and usually completes a Penetration Test scan within 5-7 minutes on a fast link.
Scan Results
The scan results are presented in a very clear manner, for each site separately. The Penetration Test template run against a Damn Vulnerable Linux 1.5 with an active HTTP target completed in less than 3 minutes, and identified the following vulnerabilities:
- PHP Multiple Vulnerabilities Fixed in version 4.4.9
- PHP Unspecified 'glob' Vulnerability
- PHP Crafted UTF-8 Inputs Buffer Overflow
- Apache Signals Sent to Arbitrary Processes Denial of Service
- PHP session.save_path/error_log Values Not Checked Against open_basedir and safe_mode
- Apache mod_imap/mod_imagemap Cross-Site Scripting Vulnerability in imagemap File Menus
- HTTP TRACE Method Enabled
- ICMP timestamp response
Conclusions
NeXpose Community is a valuable addition to the free tools that each security professional can use in his or her work. It is very useful in terms of automated audits, and it is very interesting that it integrates with the Metasploit Exploit Framework. It still has glitches and issues on some platforms, but all tools are work in progress, so for the time being just add it to your toolset; don't replace any tools with it.
Corporate Guest WLAN - The best place for Eavesdropping to Interesting Traffic
When pen-testing a corporation, always look for the Guest WLAN. If there is one and you manage to get on it, you are in luck!
Corporate Guest WLANs are a great place to get a lot of interesting and possibly confidential information without much effort. And this is simply because there are a lot of corporate laptops on the same WLAN.
Of course, you will argue that the corporate devices have wired access to the Internet, which is much more reliable and faster. But the wired infrastructure is also fully controlled by IT, with web filters, content filters etc. So on the guest WLAN you can easily find the following high-profile targets related to the corporation:
- corporate laptop holders - usually employees higher in the hierarchy who have grown tired of the restrictions of the corporate Internet filters and simply turn on their Wi-Fi to check their private e-mail or download something.
- corporate guests - most visitors to corporations carry WLAN-enabled devices, ranging from mobile phones/PDAs, over netbooks, to full-blown laptops
- external contractors - a lot of corporations isolate external contractors on the guest WLAN for Internet access.
The following diagram is an example of hunting for interesting targets in the corporate WLAN

The diagram clearly depicts the high concentration of possible high profile targets - marked in red color.
One can always argue that the same attack can be made in a mall, or even on the home networks of those interesting targets. That is completely true, but in a mall your high-profile targets are blended into a multitude of students, casual freebie surfers and even mall store clerks with their WLAN devices.
The home environment is even more difficult, because the high-profile targets are dispersed all over the city, and you may not know where they reside, so sniffing the network of one specific high-profile target costs the attacker a lot of time and effort.
The following diagram is an example of the difficulties in sniffing for interesting targets in the home or public places WLAN

So, for my money, I'll always prefer to sniff for traffic on the corporate guest WLAN. Two practical notes: if the guest SSID is open, a card in monitor mode captures every client's frames without even joining the network; if it uses WPA/WPA2 with a shared passphrase, you still need that passphrase and each client's four-way handshake to decrypt their traffic. Client isolation on the access point stops active tricks such as ARP spoofing between clients, but it does nothing against passive capture over the air.
Talkback and comments are most welcome
5 Ways to fail a Social Engineering Pen-Test
A lot of penetration testing assignments include the famed social engineering test. When you read about it, or watch social engineering scams in a TV series, it looks very straightforward: you come in all nice and smooth-talking and every door opens for you.
The harsh reality is that a lot of social engineering penetration tests fail, which adds up to increased costs and a failed engagement for the consultant. In the extreme case, you may spend some hours in the offices of corporate security, or even at the police station, until the pen-test authorization is verified.
Here are the most common ways to fail a Social Engineering Penetration Test
- Come unprepared - Just walking into a company and asking for confidential documents sounds stupid. But trying to perform a social engineering attack on your first visit is even more stupid. Until you do a proper amount of recon and research you have no idea what the company's relationships are, who is in charge of what, and which exceptions or processes may be used to succeed in a social engineering attack.
- Just wing it - Wake-up call: you are not Frank Abagnale from "Catch Me If You Can" and you are not Danny Blue from the TV series "Hustle". During a social engineering attack you need to think on your feet, and being creative always counts. But not preparing a background story supported by a nice set of evidence is a great way to fail a social engineering pen-test.
- Be outright aggressive or arrogant - Nobody likes people who are bossy and arrogant. While an air of authority helps during a social engineering attack, you don't want to start from a position of authority with an aggressive approach. That is the best way to make people close up in the cocoon of procedures and regulations, or they'll simply call your bluff; either way you fail. Instead, be friendly, courteous and polite. Maintain your air of authority, but never overuse it.
- Choose the wrong person for the job - Social engineering works by appealing to people's urge to help others. But certain profiles of targets tend to be more helpful to certain persons. For instance, a target group of young men will be very helpful to a nice-looking woman of their approximate age or just a bit older, which keeps the advantage of implied authority through the age difference. But the same woman is considered a threat by target groups of young women, so for them you need to choose a different attacker. The same principle applies to phone-based social engineering attacks.
- Dress for failure - In social engineering, always remember that clothes make the man. If you perform a social engineering attack on a bank, you don't want to show up in jeans and sneakers. But if you are performing social engineering on a software development company, you may actually miss by a mile by wearing a suit and tie. Go back to point 1 about preparation :)
Have any more ways to fail, or good examples? Share in the comments!
Possible Emerging Player In InfoSec Market?
After the Rapid7 acquisition of Metasploit, things are beginning to shift in the Vulnerability Scanning and Penetration Testing market. The basic trend is one of merging the small independent players into larger organizations with a product portfolio covering a wider area.
Rapid7 published the NeXpose Community edition, which pairs with Metasploit. At the moment it still has some early-adoption issues, like problems running on Windows 7, but these will be resolved.
NeXpose Community may prove to be a strong adversary to Nessus in the free tools market, and by presenting the possibilities of NeXpose to a wider community it will enter the minds of more potential commercial users.
But apparently the competition is not sleeping either. For around a year there has been a joint discount offer on a set of products by Tenable Network Security, Immunity Inc. and DSquare Security. This set creates a great overall product:
- Nessus being the vulnerability scanner
- Immunity CANVAS being one of the commercial leaders in penetration testing frameworks and
- DSquare enriching the set with additional exploit packs for CANVAS
What do you think? Is the merger of Tenable and Immunity possible? Will it provide a better product and will the users benefit?
OWASP Publishes Top 10 Web App Security Risks for 2010
Last night the OWASP project published the 2010 issue of their Top 10 Web Application Security Risks. The list is still in Release Candidate status, so it may change. The difference from the previous lists, according to the statement by OWASP:
A significant change for this update will be that the OWASP Top 10 will be focused on the Top 10 Risks to Web Applications, not just the most common vulnerabilities. At the conference will be the debut of the release candidate of the new Top 10, which will open up a 60 day comment period.
As a summary, the top 10 risks to your Web Apps are:
- Injection flaws
- Cross Site Scripting (XSS)
- Broken Authentication and Session Management
- Insecure Direct Object References
- Cross Site Request Forgery (CSRF)
- Security Misconfiguration
- Failure to Restrict URL Access
- Unvalidated Redirects and Forwards
- Insecure Cryptographic Storage
- Insufficient Transport Layer Protection
You can download the full list document here, with detailed explanation of each risk.
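As an added illustration of the first risk on the list (not code from OWASP or from the original post), here is the injection flaw next to its parameterized fix, using Python's sqlite3 module on a constructed in-memory user table. The table, the user names, the passwords and the two payloads are made up for the example.

```python
import sqlite3

# Constructed sample data for the demonstration (not from the original post).
USERS = [
    ("alice", "s3cret", "user"),
    ("bob", "hunter2", "user"),
    ("admin", "correct horse battery staple", "admin"),
]


def make_db():
    """Create an in-memory user table populated with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", USERS)
    return conn


def login_vulnerable(conn, name, password):
    """Injection flaw: user input is pasted straight into the SQL text,
    so an attacker rewrites the query instead of supplying a value."""
    sql = "SELECT name FROM users WHERE name = '%s' AND password = '%s'" % (name, password)
    return [row[0] for row in conn.execute(sql)]


def login_parameterized(conn, name, password):
    """Hardened form: the SQL text is fixed and the values travel separately as
    bound parameters, so quotes in the input are data, never syntax."""
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (name, password))]


# Payload 1 closes the string literal and comments out the password check.
COMMENT_OUT = "admin' --"
# Payload 2 makes the WHERE clause true for every row.
ALWAYS_TRUE = "' OR '1'='1"


def demo():
    """Run both login variants against honest input and both payloads."""
    conn = make_db()
    return {
        "vulnerable_honest": login_vulnerable(conn, "alice", "s3cret"),
        "vulnerable_comment": login_vulnerable(conn, COMMENT_OUT, "anything"),
        "vulnerable_always_true": login_vulnerable(conn, ALWAYS_TRUE, ALWAYS_TRUE),
        "parameterized_honest": login_parameterized(conn, "alice", "s3cret"),
        "parameterized_comment": login_parameterized(conn, COMMENT_OUT, "anything"),
        "parameterized_always_true": login_parameterized(conn, ALWAYS_TRUE, ALWAYS_TRUE),
    }
```

With the vulnerable function, the first payload logs in as admin without a password and the second returns every user; the parameterized version returns nothing for either, because the quote characters never reach the SQL parser as syntax.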
Talkback and comments are most welcome
Nessus vs Retina - Vulnerability Scanning Tools Evaluation
We have mentioned our favorite vulnerability scanning tools on this blog before. But a lot of time has passed since then, so it is time to put these tools against each other and evaluate the quality of the results when scanning the same target.
UPDATE: After the constructive input from Michael A. in the comments, we have reworked the test for Nessus, to achieve more comparable results. 
The Test Environment
The tested vulnerability scanning tools were installed on a Windows 7 Pro PC.
- Nessus server and client were installed and updated to the latest plugins.
- Retina 5.10.18.2135 Evaluation version was downloaded and installed. The Evaluation version does not allow updates, so we used the updates included in the build.
The target was Damn Vulnerable Linux (DVL) version 1.5 running as a VMware virtual machine with bridged networking on the same PC as the vulnerability scanning tools. All firewalls (on both the host OS and the guest OS) were disabled. DVL was started with the following services, with default settings and content as included in the distro:
- MySQL
- HTTP
- IPP Printer sharing which was active by default
The Scanning Process
Both scanners were started with a full port scan, safe checks disabled, and all available plugins activated. NOTE: since Retina does not have web application analysis, Nessus was run twice, once with web application scanning disabled and once with it enabled, in order to do a meaningful performance comparison.
Performance
- The Nessus scanner without WebApplication scan took 8 minutes to complete the scan
- The Nessus scanner with WebApplication scan took 67 minutes to complete the scan
- The Retina scanner took 38 minutes to complete the scan
- Both scanners failed to identify the target operating system
- The Nessus scanner identified the expected open ports and concluded that MySQL does not accept connections from unauthorized IPs. On a repeat scan it regenerated the same results.
- You can download the full report of the Nessus Scan Here
- The Retina scanner identified HTTP and TCP port 631 (IPP printer sharing). It did not identify the MySQL port as open. On the web server it identified a significant number of vulnerabilities, but did not collect any information from the HTTP server. On a repeat scan it missed the HTTP port and only identified the MySQL port.
- You can download the full report of the Retina Scan Here
- The Nessus scanner running the web application scan repeated the previous results and additionally identified a significant number of web application vulnerabilities, and collected information from HTTP through web mirroring.
- You can download the full report of the Nessus Scan with WebApplication Scanning Here
Conclusions
Both scanners performed vulnerability identification very well but missed the OS identification. Both also manifested flaws:
- Nessus missed the IPP port every time
- Retina produced inconsistent scan results, identifying different ports and vulnerabilities in different sessions, while no configuration changes were made to the test environment.
In terms of scan depth, Nessus has a small advantage, since it includes a web mirroring tool that is very helpful for HTTP.
It can be clearly concluded that these tools cannot be used as the sole source of information when performing a vulnerability assessment. One must also use network mapping (Nmap, LanGuard), OS identification (Nmap) and application-specific vulnerability scanners (Paros Proxy, WebScarab for web) for maximum effect. A cheap sanity check is to diff each scanner's open-port list against an independent Nmap full-port scan before trusting the findings.
In a direct comparison, Nessus wins because
- Retina produced inconsistent results on repeat scans,
- The Nessus package includes a web application scanning module, which in eEye's products must be purchased as a separate application
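The cross-check against Nmap recommended in the conclusions, as an added example that is not part of the original post: a small Python script that parses Nmap's grepable output (-oG) and diffs its open TCP ports against what each scanner reported, flagging ports a scanner missed and scanners whose repeated runs disagree. The Nmap output, the target address 192.168.1.20, the service banners and the per-scanner port sets are all constructed for this example to mirror the behaviour described above (Nessus missing 631, Retina missing 3306 on one run and everything but 3306 on the next); they are not copied from the actual reports.

```python
# Constructed sample of nmap grepable output (-oG) for a DVL-like target.
# Written for this example; not the scan results from the post.
NMAP_GREPABLE = """\
# Nmap 5.00 scan initiated as: nmap -sS -sV -p- -oG dvl.gnmap 192.168.1.20
Host: 192.168.1.20 ()\tStatus: Up
Host: 192.168.1.20 ()\tPorts: 80/open/tcp//http//Apache httpd 2.2.3/, 631/open/tcp//ipp//CUPS 1.3/, 3306/open/tcp//mysql//MySQL 5.0/, 25/filtered/tcp//smtp///\tIgnored State: closed (65531)
# Nmap done -- 1 IP address (1 host up) scanned
"""

# Open-port sets as each scanner reported them, transcribed by hand for the
# example (assumed values that reproduce the symptoms described in the post).
SCANNER_REPORTS = {
    "nessus": {80, 3306},
    "retina_run1": {80, 631},
    "retina_run2": {3306},
}


def parse_nmap_grepable(text):
    """Return {host: {port: service}} for every open TCP port in -oG output.
    Nmap rewrites '/' inside a field as '|' in grepable output, so splitting
    each port entry on '/' is safe even with slashes in version strings."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue  # comment lines and other noise
        # Fields are tab-separated "Key: value" pairs on each Host line.
        fields = dict(f.split(": ", 1) for f in line.split("\t") if ": " in f)
        ip = fields["Host"].split()[0]
        ports = hosts.setdefault(ip, {})
        for entry in fields.get("Ports", "").split(", "):
            if not entry.strip():
                continue
            # port/state/protocol/owner/service/rpc info/version/
            port, state, proto, _owner, service = entry.split("/")[:5]
            if state == "open" and proto == "tcp":
                ports[int(port)] = service
    return hosts


def reconcile(nmap_hosts, ip, reports):
    """Diff each scanner's open-port set against nmap's for one host."""
    truth = set(nmap_hosts.get(ip, {}))
    result = {}
    for name, seen in reports.items():
        result[name] = {
            "missed": sorted(truth - seen),  # open per nmap, absent from the scanner
            "extra": sorted(seen - truth),   # reported open, not seen by nmap: verify by hand
        }
    return result


def unstable_scanner_runs(reports, prefix):
    """True when repeated runs of the same scanner (names sharing a prefix)
    disagree with each other, the symptom Retina showed in the test."""
    runs = [seen for name, seen in reports.items() if name.startswith(prefix)]
    return len(runs) > 1 and any(run != runs[0] for run in runs[1:])


if __name__ == "__main__":
    hosts = parse_nmap_grepable(NMAP_GREPABLE)
    for scanner, gaps in reconcile(hosts, "192.168.1.20", SCANNER_REPORTS).items():
        print(scanner, gaps)
    print("retina unstable:", unstable_scanner_runs(SCANNER_REPORTS, "retina"))
```

Feed it the real -oG file from `nmap -sS -sV -p- -oG target.gnmap <host>` and the port lists from the scanner reports; any port in "missed" is a finding the scanner never examined, and a scanner that trips `unstable_scanner_runs` should not be trusted on its own for that host.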
Talkback and comments are most welcome
5 biggest mistakes of information security
Does your information security implementation suffer from mistakes in approach? Everyone is focused on information security, and security is a constant addition to every corporate mission statement. And yet in nearly every security implementation there is a recurring range of mistakes. Here are the five most common:
- Focusing primarily on perimeter security - Put in firewalls, and other firewalls behind those firewalls, and some IPS in the middle, and set them all up to defend the corporation's Internet link. And that's it, no need to do anything else. Sounds familiar? Defending the perimeter is important, but it's not the only place to strengthen security. A successful attack does not try to punch a hole through the thickest wall; it finds a way around it. Security needs to be layered and focused on properly protecting the resources that store and process information.
- Relying on hard-coded elements - whether it is a hostname, an IP address or a username/password pair, hard-coded elements in a file open a gaping hole in security. Anyone who manages to read or disassemble the file gets a nice set of information that is very useful for an attack. Always take such elements from user input, a protected configuration or credential store, or single sign-on instead of hard-coding them.
- Trusting people - Any casino owner will tell you the grim truth: 30% of employees are out to steal from you. This holds in any industry, and by the way, you can never know who is in the 30%. Therefore, implicit trust and saying "he/she could never do us harm, the loyalty is too great" will only land you in trouble. Always enforce security rules and policies for every process and employee.
- Relying on an issue being fixed in the "other element" - "This will be fixed in the program", or "This will be fixed in the database". Finding an issue and hoping that someone else will fix it is stupid, to say the least. Address the issue immediately, for no one else will!
- Improper discarding of documentation - Hundreds of thousands of confidential documents are thrown into the garbage every day, even whole laptops which for some reason are not functioning properly. This simple neglect of "unnecessary" information is the nicest (and most legal) way of information and identity theft. Institute simple procedures for information destruction, ranging from paper up to malfunctioning hard drives. The technical resources needed for this are inexpensive and plentiful!
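As an added example for the hard-coded elements point above (not code from the original post), the following Python script does what an attacker who reads or disassembles the file does: it pulls printable strings out of a binary the way strings(1) would and flags hostnames, IP addresses and credential-looking key=value pairs. The byte blob, the hostname db.internal.example, the address 10.20.30.40 and the credential values are all constructed for the example. The same script is a useful check to run over your own build artefacts before they ship.

```python
import re

# Constructed sample "binary": opaque bytes with a few embedded strings,
# standing in for a compiled artefact. Every value here is made up.
SAMPLE_BINARY = (
    b"\x7fELF\x02\x01\x01\x00" + bytes(range(0, 32))
    + b"\x00db.internal.example\x00"
    + b"\x00jdbc:mysql://10.20.30.40:3306/orders\x00"
    + b"\x00password=Winter2010!\x00"
    + b"\x00api_key=AKIAEXAMPLEKEY0001\x00"
    + b"\x00Usage: report [options]\x00"
    + bytes(range(128, 256))
)

MIN_LEN = 6  # same default idea as strings(1): ignore very short runs

# One pattern per kind of hard-coded element the post names: hostnames
# (last label must be alphabetic so bare IPs are not double-counted),
# IPv4 addresses, and key=value pairs whose key smells like a credential.
PATTERNS = {
    "hostname": re.compile(rb"\b[a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,}\b"),
    "ipv4": re.compile(rb"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "credential": re.compile(
        rb"(?i)\b(?:password|passwd|pwd|api[_-]?key|secret|token)\s*[=:]\s*\S+"
    ),
}


def extract_strings(blob, min_len=MIN_LEN):
    """Mimic strings(1): runs of printable ASCII at least min_len bytes long."""
    return re.findall(rb"[\x20-\x7e]{%d,}" % min_len, blob)


def find_hardcoded(blob):
    """Return {category: [unique matches, in file order]} for the blob."""
    found = {name: [] for name in PATTERNS}
    for s in extract_strings(blob):
        for name, pattern in PATTERNS.items():
            for match in pattern.findall(s):
                text = match.decode("ascii")
                if text not in found[name]:
                    found[name].append(text)
    return found


if __name__ == "__main__":
    for category, hits in find_hardcoded(SAMPLE_BINARY).items():
        print(category, hits)
```

Point `find_hardcoded` at the bytes of any executable, library or firmware image (`open(path, "rb").read()`); anything it lists for "credential" is a secret an attacker gets for the price of one `strings` run, and the hostnames and addresses map the infrastructure behind the program.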
Do you have an example of mistakes? Add it in the comments!!!
Talkback and comments are most welcome
3 Things no book about hacking will ever tell you
There are tons of books which 'teach' you how to become a hacker. Some boast that they will make you a hacker in XX days, or brag about being authored by the greatest experts in the field, or some other commercial mumbo-jumbo.
But is there any great wisdom in those books? No, and they are not even good at teaching technology.

Here is what hacking books will NEVER tell you:
- Being a hacker requires a HUGE amount of learning - All hacking books tell you that you need a lot of programming knowledge and a lot of TCP/IP knowledge, and some of them will try to cover the basics. So look around you: the people who actually have that knowledge are usually the 'gurus' at this or that company, and they have a much nicer title, usually infrastructure architect, chief designer or something along those lines. And these guys got there by working overtime, at night, at home, over weekends, through missed vacations, building systems from the ground up. It took a lot of dedication and a whole lot of time to reach that kind of knowledge.
- Being a hacker is very rarely (if ever) a glamorous thing - Most hacking activities are not legal, therefore the prominent or established hacker has to watch his/her back, remain undercover and rarely trust anyone. Even if you employ your skills for patriotic or political goals, you'll be a hero somewhere but an enemy elsewhere. Oh, and no one will ever make a movie of your achievements and exploits!!!
- There are few people who earn a legal salary as hackers - hackers are usually hired to do 'dirty' jobs, or at least jobs of questionable legality. So apart from earning money, these jobs leave the hacker always looking over his/her shoulder for investigators or the police. If you are thinking about penetration testing, think again: hackers are not hired outright for such jobs, since penetration testing consent requires an enormous amount of trust in the pen-tester. These jobs mostly go to 'white-hat' pen-testers with an excellent public track record.
On the other hand, if you keep up the learning and studying it takes to be a hacker, you will build excellent technical expertise. Focusing your skills not as a hacker but as a technical expert will bring you a good name, a lot of conferences where you'll give presentations, and a lot of contacts in the expert field of IT.
Talkback and comments are most welcome
Creating BackTrack4 Pentest Virtual Machine
BackTrack4 is an excellent penetration testing distro, but the LiveCD version is quite crippled:
- There is no possibility to install additional software
- There is no possibility to create custom scripts
- All attacks need to start from scratch
There are several options to alleviate this. The most flexible solution for me is to create a VMware virtual machine with a hard-disk installation. Since this BackTrack4 LiveCD has no installer included, here is a brief tutorial with the scripts included.
Preparation
Create a virtual machine as Custom, and choose Ubuntu as the guest operating system
Choose a SCSI hard disk of at least 5 GB (we recommend 8 GB)
Boot the Virtual Machine from the BackTrack DVD
Creation of Partitions
After booting, log on and partition the SCSI hard drive (/dev/sda). Create 2 primary partitions: one for BackTrack (Linux, type 83) with at least 4 GB of space, and one Linux swap (type 82) of 512 MB
fdisk /dev/sda
After creating the partition table, format the BackTrack partition and mount it
mkfs /dev/sda1
mkdir /mnt/sda1
mount /dev/sda1 /mnt/sda1/
Copy the BackTrack Data
Create the copying script in root's home directory: paste the following text into the vi editor and save it
cd
vi create_bt_disk
#!/bin/bash
# Copy every top-level directory of the live system onto the new root.
# /proc and /sys are kernel pseudo-filesystems and /mnt holds the target
# partition itself, so they are skipped here and recreated empty below.
for src in /*
do
  name=`basename $src`
  if [ "$name" = 'mnt' -o "$name" = 'proc' -o "$name" = 'sys' ]; then
    continue
  fi
  echo $name
  cp -pR $src /mnt/sda1
done
# Empty mount points for the directories we skipped
mkdir /mnt/sda1/sys
mkdir /mnt/sda1/proc
mkdir /mnt/sda1/mnt
echo 'Done'
Make the script executable and run it
chmod 755 create_bt_disk
./create_bt_disk
Finishing Touches
After the script finishes, bind-mount /dev and mount proc inside the new root, then chroot into it in order to make the disk bootable
mount --bind /dev/ /mnt/sda1/dev/
mount -t proc proc /mnt/sda1/proc/
chroot /mnt/sda1
Run LILO to write info to the MBR of /dev/sda. NOTE: The default lilo.conf works with disk /dev/sda and partition /dev/sda1. If you have a different disk configuration, you need to change the /etc/lilo.conf appropriately before running LILO
lilo -v
All done. Just reboot and remove the BackTrack DVD
reboot
We hope that this tutorial eases your use of the BackTrack suite.
Talkback and comments are most welcome
BlogTipz hack - The BlogTipz editor response
We received the reply from the editor of BlogTipz.
From the info, it seems that the hack on BlogTipz was merely a target of opportunity.
The attack method is probably not related to a WordPress flaw, but the editor of BlogTipz does not reveal the actual attack method.
At any rate, blog masters everywhere need to keep blog security high on their list of priorities.
Here is the reply in full
Yes, I was going to possibly write a post on the blog, because I was not aware of it (it could have been up for 12+ hours). They simply changed the login name and password and injected in a new index (main) page, so it was rather simple to recover (within an hour).
I will be securing WordPress even more from this day forward to prevent it from happening on other sites. I was using a current version of WordPress. The attacker was called "North-Africa Security Team" and appears to be one of the most popular hackers in terms of results (~14 million).
If you need any further information, please inform me. I will be informing readers about this soon.
And, thanks for informing your readers about this.
Talkback and comments are most welcome