Devices - Penetration Testing Like a Hacker. - SecNiche Security Labs

and not only to those that have the means to pay large amounts of money.

How does Hatforce make money

Hatforce connects the clients who want to test their products with the testers interested in being rewarded for finding vulnerabilities.

In order to make the service as usable as possible for clients, Hatforce offers them consulting services. These consulting services are applied to the vulnerabilities found by the testers. When a tester submits a vulnerability description, the client has to verify the vulnerability. If it is a genuine vulnerability and it respects the scope of the test, it will be approved and paid.

Knowledge and time are necessary to verify the technical details of a vulnerability. As a consulting service, Hatforce can check the vulnerability descriptions and say whether the vulnerability has to be approved or not. For an approved vulnerability, Hatforce can advise the client on how to fix it. Furthermore, once a vulnerability has been fixed, Hatforce can perform a retest of the product and verify whether the problem has been correctly closed.

As this system would not scale if a lot of clients start using the platform in the future, Hatforce considers subsequently involving some of the testers in its consulting system. A new category of testers would be created – the certified testers. The certified testers would agree to provide consulting services for the security vulnerabilities of a client's product, and they would also be entitled to approve or reject vulnerabilities.

Difficulties and their solutions

There are certainly several difficulties and limits that crowd-sourcing brings; they are described in the following paragraphs.

Is it possible to trust an unknown tester?

In order to have access to a test, the tester enters into a contract with the client and accepts its terms and conditions. This ensures that his testing activity is entirely legal. Nevertheless, there are always villains on both sides (clients and testers) who are not eager to respect any rule. Therefore, Hatforce introduces an evaluation system for testers and clients. If a tester submits a vulnerability, the client is able to evaluate his work by giving him a +1 or a -1, followed by a compulsory comment that explains his decision. The same procedure is possible in reverse – a tester can evaluate the company in the same way.

Can the tester be sure that the company will pay?

It is possible that some clients don't want to approve vulnerabilities or pay their testers. After the client has evaluated one of his submitted vulnerabilities, the tester is able to evaluate the company. If a client does not approve a vulnerability description, he should state why, and the tester can then respond with an evaluation.

A client should be aware that if he does not have enough positive evaluations (or has too many negative ones), the testers will most likely not participate in his tests anymore.

The client will try to contact the testers of Hatforce directly

A client may try to contact a penetration tester directly without going through the Hatforce platform. However, it is in the client's own interest to use the global knowledge of the community in order to find security problems. The more testers get to test a client's product, the better it is for the client. If a company engages a tester in private, the costs will be comparable to a standard, expensive penetration test, and the client loses the benefit of the Hatforce system.

Somebody could request a penetration test for a website or server he is not the owner of

Hatforce has to make sure that the client is really the genuine owner of the product he wants to have tested. Therefore, Hatforce will contact the client each time he sends a test request and will validate the ownership.

Is a penetration test legal?

A penetration test is generally illegal if there is no specific agreement between the owner of the product to be tested and the tester. Therefore, a written contract is needed between the client and the tester. On Hatforce.com clients can use the standard contract, which has been checked by a German lawyer, or contact Hatforce and propose a customized contract.

The client should be aware that it is best for him if he states as clearly as possible what he expects from the testers and whether he wants to forbid anything during the tests.

Is it practical to request a crowd-sourcing penetration test on a production system?

Google and Facebook are doing it now. Usually, if someone finds an XSS vulnerability this does not stop a website from working. If someone tries to trigger a Denial of Service attack on a production system, or tries to exploit a buffer overflow, this might be a more serious

05/2011 (5) September  Page 39  http://pentestmag.com
