Editor's note

Recommendations

Info

CONTENTS Manageing editor: Olga Głowala olga.glowala@software.com.pl starterkit 02/2011(2) TEAM Betatesters / Proofreaders: Massimo Buso, Ankit Prateek, Chris Cager, Rishi Narang, Johnatan Ringler, Iftach Ian Amit, Aby Rao Senior Consultant/Publisher: Paweł Marciniak CEO: Ewa Dudzic ewa.dudzic@software.com.pl Art Director: Ireneusz Pogroszewski ireneusz.pogroszewski@software.com.pl DTP: Ireneusz Pogroszewski Production Director: Andrzej Kuca andrzej.kuca@software.com.pl Marketing Director: Ewa Dudzic ewa.dudzic@software.com.pl Publisher: Software Media Sp. z o.o. ul. Bokserska 1, 02-682 Warszawa Phone: +48 22 427 36 56 www.pentestmag.com Whilst every effort has been made to ensure the high quality of the magazine, the editors make no warranty, express or implied, concerning the results of content usage. All trade marks presented in the magazine were used only for informative purposes. All rights to trade marks presented in the magazine are reserved by the companies which own them. To create graphs and diagrams we used program by Mathematical formulas created by Design Science MathType DISCLAIMER! The techniques described in our articles may only be used in private, local networks. The editors hold no responsibility for misuse of the presented techniques or consequent data loss. MOBILE PENTESTING 06 QRbot – iPhone QR botnet by Nir Valtman CONTENTS This article is related to both social engineering and cyber-crime. Why social engineering? Since QR usage is based on interactive actions of mobile users, which might lead to threats on their devices, as will be explained in detail later.Why cyber-crime? The actions taken by criminals not only harm the mobile phone/device users, but also may steal sensitive information or aid in launching massive actions using controlled, Zombiebased networks (Botnets), e.g. DDoS – Distributed Denial of Service attacks.In order to explain the whole process, this article begins from the basics of QR and iPhone Usage. After understanding the basics, we will dive into the actions needed to build a QRbot. Finally, avoidance recommendations will be explained. 12 Mobile Security Testing by Martyn Ruks It is a beginner’s level article, catering to the needs of professionals who which to switch or try hands on the Mobile Security Testing. It covers the 3 major platforms – Android, Windows and iOS. The text starts with a background information on mobiles, tablets and the need for their security testing, and finally drills down to „howto” do the necessary fundamental steps as heads-up. 18 A Mouting a Mobile Masquerade? by Prof. Steven Furnell This article examines the forms of protection that are available to thwart an impostor at the authentication level. Although mobile devices have offered authentication safeguards for many years, it is fair to say that many users have managed to ignore them. The reason here is often that they overlook the value and sensitivity of what they’re carrying around in data terms, and so similarly overlook the need to protect it. While the situation has improved with smartphones, there are still plenty of users whose security practices haven’t caught up with their technology usage. Indeed, if you ask an audience how many of them don’t use a PIN (or similar) to protect their mobile handset, a good number of hands normally go up. Page 4 http://pentestmag.com
SOCIAL FRAUD 24 Social Engineering by Dinesh Sheety The idea of this article is simple and nice, though there are plenty of good resources and books on social engineering (Mitnick’s Art of Deception!) it’s an „informative” kind of article, it lacks real examples, for instance a real example of an attack, for example describe how a pt on an organization has been done (without disclosing sensitive Information). Author has provided a good solid base for someone who doesnt have any clue about social engineering and by the end of the article they will have a decent amount of knowledge to go out and build upon. 30 When Computer Attacks by Gabriel Marcos There is a new type of cyber threat that is catching more victims every day; many people know it is called Advanced Persistent Threats, and there is a trace of high profile victims out there to give us enough. But before taking any action we have to bring awareness to what this new kind of threat means: the only way to be protected is understanding what this means for the organizations and how it could impact their business. Undoubtedly exceptional circumstances call for exceptional actions. So, maybe it is time to acknowledge that computer attacks do not always happen to others; we need to become aware and to be prepared in advance to minimize risk exposure at this kind of attacks, protecting both our organizations and their leaders. SOLUTIONS 36 An Introduction to the NIST Risk Management Framework by Bart Hopper This article will introduce the NIST Risk Management Framework. It will cover the steps of system categorization, the selection of security controls, the implementation of the selected controls, the assessment of control implementation, and the system authorization process. Creating an effective information security program can be a daunting task. If you are lucky, you work for a company with an existing security program, clearly defined security mandates, and support from senior management. But, what do you do if you are given the task of creating a security program for your organization? This article will guide you through the process of creating an effective security program using the NIST risk management framework. Even if you are not directly responsible for creating a security program, you starterkit 02/2011(2) CONTENTS may find it helpful to understand how security programs are created and why certain items are prioritized by auditors. 40 Why is Cyber Security Important? by Thejendra Until a decade ago if you had to rob a bank it was necessary to indulge in an armed invasion, take hostages, spill blood, use getaway cars, etc., along with all the associated risks of botching up the operation. Or you had to indulge in excellent forgery and duplicate paperwork to siphon off funds. But today it is not necessary for you to even visit a bank to loot it without raising any alarms for weeks. So how is it now easy for criminals to loot a bank? The simple answer is the Internet. Today, many aspects of our life like banking, purchases, communications, etc., and even the militaries depend on the internet and worldwide connectivity. While the internet offers several conveniences, it can also ruin your life in an instant with threats like identity thefts, online scams and other threats. Page 5 http://pentestmag.com
Page 3: EDITOR’S NOTE Starter Kit 02/2011
Page 7 and 8: QRjacking A malicious sticker can b
Page 9 and 10: Figure 4. Botnet operator screen on
Page 11 and 12: Figure 6. Citadel consulting web si
Page 13 and 14: understanding why testing mobile ap
Page 15 and 16: AndroidManifest.xml file. This cent
Page 17 and 18: you need to get stuck in at the tec
Page 19 and 20: password and then end up having to
Page 21 and 22: user has an increased opportunity o
Page 23 and 24: WHAT IS A GOOD FUZZING TOOL? Fuzz t
Page 25 and 26: people into breaking normal securit
Page 27 and 28: that not only are easier, but yield
Page 29 and 30: Preventing deer -in-headlights Get
Page 31 and 32: who are responsible for IT service
Page 33 and 34: analysis that should not be made by
Page 35 and 36: If we have made an in-depth risk an
Page 37 and 38: several security standards in wides
Page 39 and 40: Resource • http://www.iso.org/iso
Page 41 and 42: etc., and create mayhem. And all of
Page 43 and 44: your business managers do not appro

Editor's note

Create successful ePaper yourself

Delete template?

Save as template?