Editor's note

Recommendations

Info

When Computer Attacks But before taking any action we have to bring awareness to what this new kind of threat means: the only way to be protected is understanding what this means for the organizations and how it could impact their business. Undoubtedly exceptional circumstances call for exceptional actions. So, maybe it is time to acknowledge that computer attacks do not always happen to others; we need to become aware and to be prepared in advance to minimize risk exposure at this kind of attacks, protecting both our organizations and their leaders. Even if you are not an expert in Information Security, you can infer that in order to attack different targets such as the UN (United Nations); Colombia’s Administrative Department of Security (DAS for its Spanish acronym); Guayaquil City Hall’s Website; thousands of Ecuadorian policemen’s personal data; Latin American political leaders’ Twitter and Facebook accounts; and similar targets in Europe or in the US, significant know-how and coordination levels are required. And all of this calls for resources that exceed the possibilities of enthusiastic university (or college) hackers. Furthermore, Internet-disclosed threats about future attacks on new public and private companies’ sites in the short run should act as a wake-up call to understand that we are facing an unprecedented type of motivation. Please <strong>note</strong> that although Advanced Persistent Threats are the type of attacks perpetrated by some starterkit 02/2011(2) SOCIAL FRAUD don’t always happen to others: Advanced Persistent Threats There is a new type of cyber threat that is catching more victims every day; many people know it is called Advanced Persistent Threats, and there is a trace of high profile victims out there to give us enough. social action and cyber-terrorism groups worldwide (of proven reach in Latin America), rather than categorizing their perpetrators from the philosophical and political standpoints, we should take threats seriously and become aware that globalization of knowledge and information put these techniques at hand for anyone with motivation and time enough to deploy them. The Murder of Ego (…and some other myths as well) So, this kind of attacks present the three main aspects of a crime: motive, means and opportunity; there’s not much we can do to influence on the first one; but we do have plenty of things to do with respect to the remaining two… needless to say that crimes are not feasible without one of these three aspects! In the first place we must destroy the myth of those who so far, have not experienced a massive proportion computer attack. To them information security is not a priority, or directly (in the worst case scenario) it is not a significant issue. Maybe this is a wound for the ego of many security administrators. Though let’s face it: we’d better feel touched by a whitepaper that enables us to be prepared and to prevent, rather than suffering a large scale attack with serious consequences. As a professional, without a doubt this is one of the worst arguments I could possibly hear from those Page 30 http://pentestmag.com
who are responsible for IT service infrastructure management, because (just to mention a few) they ignore the main feature of these next-generation attacks: their sneakiness! 15 years ago, when a virus infected a PC, the worst threat would be the deletion of all hard-disk stored data; then, with the massiveness of Local Area Networks first, and of the Internet later, viruses had the possibility to accelerate their dissemination and erase the hard disks of more PCs, something really very uncomfortable. Nonetheless, we still had an advantage because we certainly knew when the infection had taken place; and once the PC had been reinstalled, infection would be over. Today facts are way too different: the first goal of globally-distributed threats is to avoid generating the kind of disasters made in the past; their main goal is to remain undercover! Underground movements pay off better than hard disk deletions, because they enable ongoing and surreptitious digital crime perpetration for a while longer. An Opportunity To Prevent From Being In The Middle Of An Attack With respect to means and opportunity, we will further provide detailed technical issues regarding APT attacks. However, bear in mind the following key items: • There is no exploit without vulnerability. Every attack is based on vulnerabilities (i.e. actual chances of executing a threat); although there exist some topological or protocol matters very hard (sometimes impossible) of being ducked, in most cases we prove that some vulnerabilities –either in applications, operating systems or configurations- are predictable and therefore preventable. • Closely related with the item above, many of the vulnerabilities in question find their source in deficiencies (or worse, nonexistence) of a process to assure early detection, remediation, and verification. So, to say it as clearly as we possibly can with a real-life example, some organizations have documented and implemented processes to request new office inputs where up to three levels of approval are required. However they have done nothing when it comes to checking an application’s security code before its clearance for production. Ultimately, this is basically a matter of not facilitating the means to become an easy target for computer attacks when we could prevent them. starterkit 02/2011(2) There is nothing we can do to prevent the existence of people with the necessary know-how and motivation to produce this kind of attacks. But there are many other things we can do: • Do everything within our reach to stay away from attackers, or at least attempt to discourage them by turning attacks into something so difficult to accomplish that time investment will not pay off. • Protect our information assets in such a way that although a hacker may access them, it won’t be able to use them, (something similar to some systems installed in high-end vehicles: those cars do not require of an alarm, because although you can open them, without the electronic key the car won’t start!). Ok Now, What Do We Mean When We Say Advanced Persistent Threat (APT) Attack? Let’s deconstruct the three aspects involved in this name to have a thorough idea of what we are facing. Advanced I assume you scare to death when people use the word advanced to refer to an attack! Well, you are right to be scared. The reason why this word is included in the APTs description is because this type of attacks use different techniques to reach their targets; they are considered advanced for the fact that attackers have different techniques at hand and are not limited to a specific issue (as it happens for example with application attacks). Some of the techniques used in global scale APT attacks are the following: • DDoS (distributed denial of service): distributed denial of service attacks. • Botnets • Phishing • Social Engineering • SPAM • Fraudulent applications in social networks • Vulnerability Analysis • Rootkits • Applications vulnerabilities exploit In addition to this, we could say that performance and execution of this kind of techniques require interaction of more than one person; in fact it is almost impossible for individuals to carry out these attacks, not only because of the skills required but because of time and resources involved. Page 31 http://pentestmag.com
Page 3 and 4: EDITOR’S NOTE Starter Kit 02/2011
Page 5 and 6: SOCIAL FRAUD 24 Social Engineering
Page 7 and 8: QRjacking A malicious sticker can b
Page 9 and 10: Figure 4. Botnet operator screen on
Page 11 and 12: Figure 6. Citadel consulting web si
Page 13 and 14: understanding why testing mobile ap
Page 15 and 16: AndroidManifest.xml file. This cent
Page 17 and 18: you need to get stuck in at the tec
Page 19 and 20: password and then end up having to
Page 21 and 22: user has an increased opportunity o
Page 23 and 24: WHAT IS A GOOD FUZZING TOOL? Fuzz t
Page 25 and 26: people into breaking normal securit
Page 27 and 28: that not only are easier, but yield
Page 29: Preventing deer -in-headlights Get
Page 33 and 34: analysis that should not be made by
Page 35 and 36: If we have made an in-depth risk an
Page 37 and 38: several security standards in wides
Page 39 and 40: Resource • http://www.iso.org/iso
Page 41 and 42: etc., and create mayhem. And all of
Page 43 and 44: your business managers do not appro

Editor's note

Create successful ePaper yourself

Delete template?

Save as template?