Thursday, April 15, 2010

Not Another Penetration testing course

| Armando Romeo |
Have you ever attended a Penetration testing course?
Have you found it vague/boring? Far from what your clients are asking you?

If your answer is no, you can skip this post.
If your answer is yes, me and other 2 instructors have worked for 1 full year to provide you with a different distance learning training.

We are proud to announce the immediate availability of our Penetration testing course - Professional who features Brett Arion, Vipin & Nitin Kumar and myself as authors of the three knowledge domains covered:

  1. Network attacks
  2. Web application attacks
  3. System security
We are in the field since 2001 with Hackers Center. We have been involved in a lot of ethical hacking training sessions. Times of courses going one mile wide and one inch deep are gone.

Our goal was indeed to go a lot in depth, to explain the how and the why of each technique.
We didn't want you to master just tools, but also to grasp the important aspects related to any security issues that would enable you to provide solutions as an IT Security professional.

We never believed that firing up a couple of tools or a live distro would make you a professional pentration tester. There's a lot more involved.

In years and years of pentests carried out for all kinds of environments we realized that what we were asked to accomplish was each time:

  • Understanding the client's business
  • Provide a detailed remediation plan
  • Provide business-aware solutions
The bottom line of a penetration test is indeed to provide solutions. You certainly have to master the most advanced techniques and best tools available. What about doing this from home?

To reach our goal of providing a great training for both newcomers and professional pentesters we needed experts in each pentesting field and a great distance elearning system that could let us cover the most difficult topics in an interactive fashion.

We come up with 1600 interactive flash slides, self-assessment quizzes, practical exercises,
4 hours of video training and a final certification exam that will evaluate not only your findings but also your final report.

Visit us

Thursday, February 18, 2010

Data Related to Kneber Botnet breach recovered by Netwitness

| Brett D. Arion |
Security researchers at Herndon, Va.-based NetWitness Corp. have unearthed a massive botnet affecting at least 75,000 computers at 2,500 companies and government agencies worldwide.

The Kneber botnet, named for the username linking the affected machines worldwide, has been used to gather login credentials to online financial systems, social networking sites and e-mail systems for the past 18 months, according to NetWitness.

A 75GB cache of stolen data discovered by NetWitness included 68,000 corporate login credentials, login data for user accounts at Facebook, Yahoo and Hotmail, 2,000 SSL certificate files and a large amount of highly detailed "dossier-level" identity information. In addition, systems compromised by the botnet also give attackers remote access inside the compromised network, the company said.

"Disturbingly, the data was only a one-month snapshot of data from a campaign that has been in operation for more than a year," NetWitness said in a statement announcing the discovery of the botnet late yesterday.

NetWitness did not release the names of the companies compromised in the attacks, which it described as being highly targeted and well coordinated. But a story Wednesday in the Wall Street Journal identified pharmaceutical company Merck & Co., Cardinal Health Inc., Paramount Pictures and Juniper Networks Inc. as some of U.S. firms that had been infiltrated. Systems belonging to 10 government agencies were also penetrated in the attacks.

According to the Journal , the attacks started in late 2008 and appeared to originate in Europe and China. Computers in as many as 196 countries have been affected, with many systems compromised after users clicked on phishing e-mails with links to sites containing malicious code. Most of the compromised systems appeared to be in Egypt, Mexico, Saudi Arabia, Turkey and the U.S., the Journal reported, quoting an unnamed source with information on the attacks.

NetWitness, which provides a range of network monitoring and forensics services for companies and government agencies, discovered the botnet in January during a routine engagement with one of its clients. According to the company, the botnet is a variant of the ZeuS botnet, which is known primarily for stealing banking credentials.

More than half of the infected systems in the Kneber botnet also contained the competing Waledac Trojan, probably because those behind the attacks wanted to build some redundancy into their attacks, NetWitness said. "The coexistence of ZeuS and Waledac suggests the goals of resilience and survivability and potential deeper cross-crew collaboration in the criminal underground," the company noted.

NetWitness' discovery comes just weeks after Google disclosed that it and several other high-tech firms had been victims of organized cyberattacks originating from China. Both incidents underscore what analysts are calling the Advanced Persistent Threat (APT) faced by a growing number of financial, commercial and government entities .

The term has been used for some time in government and military domains to describe targeted cyberattacks carried out by highly organized state-sponsored groups and organized cybergangs with deep technical skills and computing resources. Such attacks are typically highly targeted, stealthy, customized and persistent. They also often involve intensive surveillance and advanced social engineering.

In many cases, the attacks target highly placed individuals within organizations, who are tricked into visiting malicious sites or downloading malicious software onto their systems.

Tuesday, February 16, 2010

Building security into business processes

| Yash Kadakia |
Earlier today after months of avoiding it, I finally decided to go a few days without my faithful Blackberry and get the camera repaired. As I handed over my Blackberry, the technician returned a zip-lock bag with the battery, back cover and sim card.

This made me wonder, what about the hundreds of stored e-mails, thousands of accessible e-mails via imap, work documents, personal photos, phone records, contact information, etc that still remained on the device.

Of-course, I had the phone wiped clean several times and took my memory card home with me and disabled e-mail delivery from the online blackberry portal. But what was more concerning was the pile of Blackberry and other pda devices lying around the shop for repair or re-sale, most that previously belonged to Executives, IT professionals or Consultants.

This made me think about the need for businesses to build security into their day-to-day processes. Would it be so difficult for the shop to include an additional step / process for their customer's security? Not really.

Formatting a phone or implementing encryption on PDAs takes nothing more than a few minutes these days. Some may argue that not all users maintain regular backups of their phone data. There are several simple solutions:
  • If the user has a memory card, simply create a in-store backup of their device on their memory card and format the phone a few times. This can be done from within the phone it-self. It would take about 3 minutes and would allow the user to walk away knowing that there is no chance of any data loss.
  • If the user does not have a memory card, simply enable the phone encryption / access password option for the device and have the user type in a password.
      Implementing any of the options would not take more than a few minutes and would provide an additional and much appreciated level of concern for their customer's data-security.

      The point of this post isn't about a particular instance or a particular store or even a particular type of business. The point is, about the concept of implementing security into day-to-day processes that we take for granted. Many of these secure processes would require minimal modification, negligible time differences and minimal investment. Consider the following examples of some day-to-day processes where security could be implemented easily.

      • At petrol pumps, most attendants generally walk away with your credit card for several minutes while you're sitting in your car. Are mobile credit card readers really that difficult to implement? No.
      • Same as point number 1, but for restaurants, coffee shops, etc.
      • Almost 90% of hotel/resort reservations in India involve you giving your credit card details over the phone/e-mail. Implementing an online registration system, or even an automated phone system is not very expensive or difficult.
      • Most people/shops throw away credit card or ATM receipts that contain your name, dob, cc number, expiry etc. Investing in a shredder should definitely be a must for businesses and most importantly, they must definitely be available at most ATMs/Banks for customer's to use.
        Day-to-day examples apart, lets think a bit more on the enterprise front:

        • Data security on mobile devices: Almost all organizations have executives that carry around laptops, tablets, pdas etc that contain sensitive information. Would it really be so inconvenient to add a step into their day-to-day processes to implement encryption? No. Full disk encryption would simply add one password prompt to their start-up and a fairly negligible performance difference. Passwords and encryption on Blackberry's and PDAs is also fairly easy to implement. A few clicks and your data's safe.
        • Whiteboards: I cannot count the number of offices I have walked into and found whiteboards filled with username/password information for SSH/RDP/FTP/DB etc. Again, implementing an open-source application like keepsafe will allow your employees to have access to complex username/password details with minimal fuss or interruption.
          I could go on with examples for several pages, but the point to be made is: In most cases security is not so difficult. All it needs is for someone to sit down, make a step by step list of their various processes and how they could make them more secure with minimal interruption or problems to the end-user.

          Originally from: Yash Kadakia's Blog - Information Security in India

          Thursday, February 11, 2010

          Spy Eye tool kit goes after Zeus botnet

          | Brett D. Arion |
          Spy Eye tool kit goes after Zeus botnet: "Peter Coogan at Symantec put up a very interesting blog post yesterday about a crimeware kit called SpyEye v1.0.7 (on sale now on Russian sites -- $500) that has a module that will kill a Zeus bot infection on a victim’s computer so the bot created by SpyEye can take it over.

          In September, Computer Weekly reported the Swedish telco Telia Sonera shut down the Internet connections of Latvian company Real Host after it was linked to the Zeus botnet. At the time, researchers said they believed Real Host's servers had captured about 3.6 million PCs for the Zeus botnet.

          They linked Zeus to a Russian gang named Rock Phish which is believed responsible for a massive amount of the phishing attacks aimed at stealing credit card and banking information.

          The Zeus network took the hit and recovered, however, sending out massive malicious spam campaigns to infect more machines. One campaign carried an income tax topic in September and another had H1N1 as a lure in December.

          Coogan said the SpyEye kit can also create crimeware with:
          • keyloggers
          • credit card modules
          • daily email backup
          • encrypted config files
          • Ftp protocol grabbers
          • Pop3 grabbers
          • Http basic access authorization grabber

          “If the use of SpyEye takes off, it could dent Zeus bot herds and lead to retaliation from the creators of the Zeus crimeware toolkit. This, in turn, could lead to another bot war such as we have seen in the past with Beagle, Netsky, and Mydoom.” he wrote.

          He credits Mario Ballano Barcena with the analysis.

          Symantec blog post “SpyEye Bot versus Zeus Bot” here.

          Wednesday, February 3, 2010

          Black Hat: Researcher claims hack of chip used to secure computers, smartcards

          | Brett D. Arion |

          A researcher with expertise in hacking hardware Tuesday detailed at the Black Hat DC conference how it's possible to subvert the security of a processor used to protect computers, smartcards and even Microsoft's Xbox 360 gaming system.

          Christopher Tarnovsky, a researcher at Flylogic Engineering, said he has hacked an Infineon SLE 66 CL PC processor that is also used with Trusted Platform Module (TPM) chips. He emphasized that his research shows TPM, which was developed as an industry specification for hardware-based computer security by the Trusted Computing Group and has been implemented in hardware by Infineon and other manufacturers, is not as secure as presumed. TPM can be used for a wide variety of purposes, including storage of encryption keys and is used with Microsoft's BitLocker encryption technology.

          "The TPM 1.2 chip is not as secure as the vendor tries to tell you it is," Tarnovsky said. "I can recover all your secrets inside this chip. Your keys to the Xbox 360, the licensing chip," plus the RSA cryptoengine, if it's used. "There's nothing in this device I can't see."

          Tarnovsky's method, as he described it, entailed jumping the wire into the internal circuitry of the Infineon chips to create a bypass into the core. Tarnovsky acknowledged it took him six months to figure out how to effectively penetrate it, which required bypassing circuitry on chips he purchased inexpensively from Chinese manufacturers.

          Tarnovsky's examination process involved subtle use of hardware-based liquid chemical and gas technologies in a lab setting to probe with specialized needles to build tungsten bridges. "Once I'm physically through the device, I have to eavesdrop on the databus," he said, adding "I can sit in the databus and listen." At this point, it now takes him about six hours to break the licensing keys to the XBox 360.

          Tarnovsky, with the excruciating detail of a surgeon discussing a heart bypass operation, said he had shared his findings with Infineon. But he said that over the past month the company appeared to have dropped contact with him after he informed Infineon how he had hacked TPM, even though he had shared source code with them to prove what progress he had made in subverting the Infineon smartcard processor.

          Speaking with reporters, Tarnovsky said Infineon had claimed the type of exploit he did wasn't really possible. But the fact that it can be done raises serious questions about security in TPM modules that should be addressed by the industry, he pointed out, adding two other manufacturers make TPM modules and he may be examining their products next. He acknowledged his hardware-hacking methods are probably not easy to duplicate and he doesn't plan to share them widely

          Free Security Magazines