Devices - Penetration Testing Like a Hacker. - SecNiche Security Labs

More documents

Recommendations

Info

(NEW) STANDARDSNew PenetrationTesting Business ModelCrowd-sourcing For IT-SecurityToday everybody can become a hacker. The knowledge spreads allover the Internet. A lot of hackers are showing their know-how bysharing the results of their attacks. Why do not use this knowledgethrough crowd-sourcing in order to globally improve the security?Starting from this fundamental idea, a business model has beendeveloped by Hatforce.Almost daily we can see on the news that a newIT system has been attacked by hackers. Even ifit is about Sony [1] or the CIA website [2], theseattacks, harmful in 90% of the cases, show that behindthere lies a competent community who has a highIT security potential. We ask ourselves then: Wheredo these hackers come from? Are they employedprofessionals? Do they act with a well-defined purpose,or are they just smart individuals who don’t know whatelse to do with their knowledge and free time?The beliefs of a hacker may be not easy to understandand gloomy. A hacker’s profile can extend from a roguehigh-school teenager to an experienced professional.While some hackers have the chance to fructify theirknowledge in a legal environment, others gain theirliving following illegal activities. Nevertheless, they allshare a common passion for IT security and they havean important potential.As the modern cybercrime is continuously developingand turning into a financial motivating market, there is astrong need of reinforcements. We should give to everyIT-security talented person the opportunity to show theirskills and use them for a good cause. Why not use theirpassion in order to turn them to the right side.Current situationOver the last couple of years, an interesting trend isvisible in the world of IT: large companies start payingmoney to people who find vulnerabilities within theirproducts. For example, Mozilla has been rewardingpeople who found security weaknesses of their wellknownbrowser [3]. Google is also running a very wellpaid bounty program for their chrome browser and theirwebsites and are ready to pay important amounts ofmoney [4]. Facebook also adopted this new trend andstarted at the end of July 2011 to reward vulnerabilityresearchers [5].A possible explanation for this recent action maybe the fact that companies start to become aware ofthe potential skilfulness that hackers might possess.Consequently, the companies start to cooperate withthe hacker communities, instead of taking legal actionagainst them (like Sony did for example [6]).Considering that the cooperation between hackersand companies can stand while there is enough benefiton both sides, the startup Hatforce came up with anidea.The ideaHatforce.com came up with an idea which can becalled an open market crowd-sourcing platform forpenetration tests. The principle is simple: usingthe worldwide hacker community in order to findvulnerabilities in every IT system possible (websites,servers, software, etc.) and reward them for thevulnerabilities they found.05/2011 (5) SeptemberPage 36http://pentestmag.com
The concept in five steps:1. Clients go on the website hatforce.com and publisha penetration test. At this moment, they specify afixed reward the testers will get if they submit avalid vulnerability.2. Penetration testers select a penetration test theywant to participate to.3. Once they have found a vulnerability in the client’sproduct, the testers submit a detailed description onhatforce.com.4. The client gets the vulnerabilities descriptions andapproves them.5. The client pays then to the testers the specifiedreward for each approved vulnerability.Let’s analyse more in depth the different steps:1. A client is an owner of one or more IT systems (awebsite, server, software, etc.) and can publisha penetration test request for one of his productsFigure 1. Specify a xed reward per vulnerability and how manyvulnerabilities gets rewardedon the website of Hatforce. For each publishedrequest, he has to specify a fixed reward pervulnerability and how many vulnerabilities he wantsto pay. In this way, he is sure about how much hewill pay at maximum and minimum for each test.The principle is simple: using the worldwidehacker community in order to findvulnerabilities in every IT system possible(websites, servers, software, etc.) and rewardthem for the vulnerabilities they found.For example, if the client wants to reward a vulnerabilitywith 100€ and at maximum 3 vulnerabilities, he willpay:• 0 € if no vulnerabilities are found• 100 € if only one vulnerability has been found• 200 € if only two vulnerabilities have been found• 300 € if 3 vulnerabilities have been foundFurthermore, the client is sure not to pay more than300 € because he has specified that he wants to payat maximum 3 vulnerabilities.The scope of a penetration test can be defined fromthe beginning. For example, if the client wants to testits website only for Injection and Cross-Site-Scriptingvulnerabilities, he is able to limit the test by clicking onI define myself the target vulnerabilities and checkingthe check-boxes Injection and Cross-Site Scripting(XSS). Consequently, only the vulnerabilities whichare related to these types of security issues will berewarded.When the client has entered all the necessaryinformation for the test, a contract between the clientand the testers is established. This contract is veryimportant as it legalizes the penetration action. Inmost of the countries a penetration test can only becarried out if the owner of the system agreed uponit. By accepting this contract, the client agrees to letthe penetration testers attack his product within theestablished scope.After the acceptance of the contract, the penetrationtest request will be forwarded to an administrator ofHatforce. The administrator might eventually contactthe client if there are some ambiguities related to histest request and in order to ensure that the client isrequesting a test for a product he really owns. Onceall is clear, the administrator approves the penetrationtest which will be consequently published on thewebsite.2. After being approved by the administrator, thepenetration test is visible to all the registered testers05/2011 (5) SeptemberPage 37http://pentestmag.com
Page 2 and 3: EDITOR’S NOTE05/2011 (05)Editor:
Page 4 and 5: POINT OF VIEWIsn’t Social Enginee
Page 6 and 7: POINT OF VIEWTrust Pentesting Team.
Page 8 and 9: FOCUSBreaking Downthe i* {Devices}P
Page 10: FOCUSListing 1. IPhone applications
Page 19 and 20: AndroidManifest.xml. An important p
Page 21 and 22: Smartphone running the version of A
Page 23 and 24: Simplied User ExperienceThe user in
Page 26 and 27: FOCUSAttacking the MobileInfrastruc
Page 28 and 29: FOCUSAt any rate, I think these ent
Page 30 and 31: FOCUSToneLoc and LoadUseful For a P
Page 32 and 33: FOCUSoperate in a degraded state; f
Page 34 and 35: FOCUSInside AndroidApplicationsBy t
Page 38 and 39: (NEW) STANDARDSof Hatforce. Before
Page 40: (NEW) STANDARDSReferences• [1] So
Page 43 and 44: name, IP address and server locatio
Page 45 and 46: Figure 8. User Agent Switcher Menur
Page 47: Say Hello toRed TeamTesng!Security

Devices - Penetration Testing Like a Hacker. - SecNiche Security Labs

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?