Pen test 06_2012__teasers

Global��
Management Recruitment
��
��
��

��
��
��Permanent

��
��
��
��
�
��
��
�
��
�
��
�
��
�
��
�
��
�
��
�
��
�
��
��
�
��
�
��
�

��

��
��
��

��
��
��
��
�
��
��
�
��
��
�
��
��
�
��
��
�
��
�
��
��
�
��
��
�
��
�
��
�

��

��
��
��
��

Global I.T. Security Training & Consulting

www.mile2.com

IS YOUR NETWORK SECURE?
��
��
��
��
�� mile2 Boot Camps

A Network breach...
Could cost your Job!

Available Training Formats
��
� � ��
��
��
��
��

��
� � �� Other New Courses!!
��
��
��
� � ��
��
��
� � ��
��
��
��
��
INFORMATION ASSURANCE
�� SERVICES
��
��
��
��
��
��
� � ��
��
(ISC)2 & CISSP are service marks of the IISSCC. Inc. Security+ is a trade mark of ��
CompTIA. ITIL is a trade mark of OGC.GSLC & GCIH are trademarks of GIAC. ��
11928 Sheldon Rd Tampa, FL 33626

EDITOR’S NOTE
06/2012 (14)

Dear Readers!
Is there or is there not cyberwar? There are those who claim that the world we
know is going to be torn apart by those who will seize and hold the power through
cyber attacks. For others, war rhetoric is not only an exaggeration but also a
threat to security. We decided to take up those matters and devote this issue of
PenTest to cyberwar and cybercrime topics.
The Cyberwar section is composed of two articles that present two
contradictory views on cyberwar. Johan Snyman arguing that There Is No
Cyberwar engages in polemics with Cecilia Mcguire who writes about Digital
Apocalypse.... Whose arguments are more convincing? Read and decide on
TEAM which side of the barricade you are.
Managing Editor: Malgorzata Skora
Four articles in the section Cybercrime are to portray present situation and
malgorzata.skora@software.com.pl problems in the IT Security world and how they can influence a pen tester’s life.
Associate Editor: Shane MacDougall Billy Stanley in his article The State of Information Security describes present-day
shane@tacticalintelligence.org situation, defines the problem, describes the adversaries and proposes solution.
2nd Associate Editor: Aby Rao If you are not convinced yet, John Strand will try to prove that Penetration Testing
abyrao@gmail.com Can Save Lives. This time Jon Ringler prepared for you a great article about
Betatesters / Proofreaders: Johan Snyman, Jeff Weaver, cyber criminals using Defense in Depth. The author refers to cyberwar and
Dan Felts, William Whitney, Marcelo Zúniga Torres, proposes how pen testers can evolve and start winning it. David Cook’s article
Harish Chaudhary, Cleiton Alves, David Kosorok
may especially interest those who are curious about the law issues. We all in
Senior Consultant/Publisher: Paweł Marciniak
our countries have examples of invalid, paradoxical or imprecise laws. In the
article entitled Uncertain Law Leaves Penetration Testers in Limbo David reveals
CEO: Ewa Dudzic
ewa.dudzic@software.com.pl
meanders of the hacking law.
This time we would like to present to you 2nd International Conference on
Art Director: Ireneusz Pogroszewski Cybercrime, Security and Digital Forensics. The fight between bad and good
ireneusz.pogroszewski@software.com.pl guys is always grueling and requires unification of forces. The conference
DTP: Ireneusz Pogroszewski
chairman, Dr. Ameer Al-Nemrat, talks about co-operation between many players
Production Director: Andrzej Kuca and other purposes of this big meeting in London.
andrzej.kuca@software.com.pl
Ironically, thanks to risk and attacks pen testers are needed on the market. To
help you find better job opportunities we have for you two great interviews. The
Publisher: Software Press Sp. z o.o. SK
02-682 Warszawa, ul. Bokserska 1 first one is with James Foster from Acumin, an international Information Security
Phone: 1 917 338 3631
www.pentestmag.com
and Risk Management recruitment company. The second one is with, already
known to you, Debbie Christofferson, International Board Director at ISSA, on
Whilst every effort has been made to ensure the high quality of
seeking employment, working as a freelancer and introducing changes at your
the magazine, the editors make no warranty, express or implied, company.
concerning the results of content usage.
All trade marks presented in the magazine were used only for PenTest Regular ends with regular sections PainPill and Read. John B.
informative purposes. Ottman presents fourth chapter of his book Save the Database, Save the World.
Dean Bushmiller in his article Pen Testing Scope Drift: Everyone gets excited;
No one is getting paid convinces how important is to focus on your tasks and not
All rights to trade marks presented in the magazine are let yourself drift away.
reserved by the companies which own them.
To create graphs and diagrams we used program I hope that you will find this issue worthwhile. If you have any suggestions
by for us concerning topics, problems you want to read about or people you
would like to know better thanks to PenTest please, feel free to contact us at
en@pentestmag.com.
Mathematical formulas created by Design Science MathType™

Thank you all for your great support and invaluable help.
DISCLAIMER!
The techniques described in our articles may only Enjoy reading!
be used in private, local networks. The editors Malgorzata Skora
hold no responsibility for misuse of the presented
techniques or consequent data loss. & PenTest Team

06/2012 (14) June Page 4 http://pentestmag.com

CONTENTS

CYBERWAR (banner ads, etc.) that users are allowed to access. They
Digital Apocalypse:
06
flow right by IDPS and Malware Detection Systems through
The Artillery of Cyber War the same type of techniques.
by Cecilia McGuire
Cyberspace is now the digital frontier of choice for executing CONFERENCE
2nd International Conference on
32
many combat operations, by extending the medium in which
greater levels of power can now be accessed by Machiavelli Cybercrime, Security and Digital
agents, militants and nation-states. Forensics
by Aby Rao
There Is No Cyberwar
12
The threat from cybercrime and other security breaches
by Johan Snyman continues unabated and the financial toll is mounting. This
With the growth in cyber-attacks and the large amounts is an issue of global importance as new technology has
quoted when estimating the costs of these attacks, it has provided a world of opportunity for criminals.
become the norm for mainstream news agencies to carry
news on security matters, data breaches and attacks. INTERVIEW
Looking for a Job – Interview with
34
Unfortunately, what is reported in the media is rarely the full
story and the image painted is often the one of imminent James Foster from Acumin
disaster, destruction and lawlessness. by PenTest Team
PenTest Team received many questions concerning situation
CYBERCRIME on the job market. Many of our readers is in the process of
Uncertain Law Leaves Penetration
16
looking for, changing jobs or starts their own businesses.
Testers in Limbo Since our main aim is to respond to needs of our readers,
by David Cook PenTest features an interview with James Foster from a
A question that I am often asked is, “How can a penetration recruitment company with 14 years of experience.
tester or ethical hacker be sure that his activities remain
“You must create a plan...” –
36
lawful?” The reality is that the law regarding cyber crime is
fairly ambiguous and I do have sympathy with penetration Interview with Debbie Christofferson
testers and ethical hackers, given the potential minefield by Aby Rao
that surrounds them. You must comprehend the core business and be able to
understand and communicate security risk in terms of its
How Cyber Attackers and Criminals
20
impact to that business. While technology competence is
Use Defense in Depth Against Us key, it is not the deciding factor in success – an ability to
by Jon Ringler create and execute to a longer term strategy determines
Cyber attackers are forcing IT Professionals and your fate.
organizations into an unsustainable stance, exhausting
available resources, and adapting advanced techniques PAINPILL
Pen Testing Scope Drift: Everyone
42
to walk right in the front door and strut past the people,
process, and technology utilized by Defense in Depth. gets excited; No one is getting paid
by Dean Bushmiller
Penetration Testing Can Save Lives
24
You do love your job, right? You do want to pound a buffer
by John Strand overflow for hours or even days until the system yields. You
There are a number of ways that a cyber attack can do want to find that way in, right?
destroy lives. Careers can end, finances can get ruined
and companies can cease to be relevant. What is sad is READ
Save the Database, Save the World
46
when these tragic side effects of a cyber attack occur and a
simple penetration test would have discovered some basic – Chapter 4
flaws in an organization’s defenses. by John B. Ottman
“Virus-Like Attack Hits Web Traffic,” was the BBC News
The State of Information Security
28
World Edition headline. The article declared “An attack by
by Billy Stanley fast-spreading malicious code targeting computer servers
Malware authors have figured out how to evade AV by has dramatically slowed Internet traffic…
continually tweaking their binaries. They can circumvent
content filtering systems by hacking legitimate sites


CYBERWAR

Digital Apocalypse
The Artillery of Cyber War

Cyberspace is now the digital frontier of choice for executing many
combat operations, by extending the medium in which greater levels
of power can now be accessed by Machiavelli agents, militants and
nation-states. Squads of cyber militants going under the banner of
Anonymous and LulzSecare, motivated by the ease in which they can
now execute high impact operations whilst avoiding detection, are just
a few of the much publicised names synonymous with cyber terrorism.

T
he multi-dimensional characteristics of cyber analysis this paper aims to emphasise that deterring
space have dissolved the boundaries between Cyber War is the key to addressing this challenge.
digital landscape and physical security, facilitating
cyber-attacks that produce devastating impacts to critical Cyber Warfare – A Definition
infrastructure, as well as Corporate and Government Over the past few decades experts and academics
assets. have explored whether the possibility of a Cyber War
Global security experts face the challenge of attempting was in fact a plausible threat. Early pioneers navigating
to develop techniques to deter and prevent these global through this new landscape had conjured up post-
threats. This challenge is complicated further by the rate apocalyptic visions of the impact of Cyber War, bearing
at which the digital paradigm continues to evolve at a resemblances to scenes from a science fiction film.
rate which is often considerably faster than the ability to Today, Cyber War is no longer being examined from a
keep up with these developments. This disparity has, theoretical perspective, as these dynamic threats have
unsurprisingly, created an impression, shared throughout emerged throughout the global systems and networks.
the cyber community, that implementing strategies to Experts are no longer debating the possibility of Cyber
control the digital domain has become unachievable. War but what can be done to stop these threats.
As a result of these challenges and many others, Cyber Despite the widespread acknowledgement of Cyber
Warfare is set to be one of the greatest challenges posed War, the definition of these threats remains under
to the 21st Century. scrutiny. Experts such as Bruce Schneier have stated
This article will examine the characteristics of Cyber that many definitions of Cyber War in current circulation
War operations in order to clarify the ambiguities are flawed as they confuse a range of other computer
surrounding these concepts. Such an examination is security related concepts such as Information Warfare,
necessary in order to ensure that the components of Hacking and Network Centric Warfare. In order to, clarify
Cyber War are not confused with interrelated disciplines ambiguities surrounding Cyber War, for the purpose of
such as Information Warfare. Real world examples of this discussion, Cyber War is defined as:
Cyber Attacks will then be discussed in order to assess
the “nuts and bolts” of cyber-attack operations and to “Internet-based conflict involving politically motivated attacks
examine whether the world is really prepared for the on information and information systems. Cyber warfare
possibility of a “digital apocalypse”. Throughout the attacks can disable official websites and networks, disrupt


or disable essential services, steal or alter classified data, and
cripple financial systems – among many other possibilities.”
(Rouse, 2010)

For the purpose of this discussion, the focus of Cyber
War conflicts will be examined in terms of its impact
to the physical realm, in particularly to its impact to
critical infrastructures.

The First Warning Shots
Recorded examples of the impact of cyber-attacks
on critical infrastructures have been around for over The Most Comprehensive Exhibition
a decade. One of the earliest cyber-attacks on critical of the Fastest Growing Sectors of recent years
infrastructure took place in January 2000, in Queensland, in the Center of Eurasia
Australia. Where a disgruntled former employee at a
manufacturing company hacked into the organisations
computer, using privileged knowledge of the system,
and took control of the Supervisory Control and Data
Acquisition (SCADA) system. The protagonist was INFORMATION, DATA AND NETWORK SECURITY EXHIBITION

able to maliciously attack the system causing physical
pumps to release raw sewage, producing a considerable
amount of damage. Although this attack is not constituted
OCCUPATIONAL SAFETY AND HEALTH EXHIBITION
as cyber warfare, it demonstrated the possibility for a
digital attack to create a detrimental financial impact and
SMART HOUSES AND BUILDING AUTOMATION EXHIBITION

create havoc on critical infrastructures. Since this time,
there have been a number of attacks classed as acts of
cyber war, such as the 2007 attacks, launched against
the Government of Estonia. In this example, attackers
utilised a variety of different attack methods such as
Denial of Services (DoS), website defacement and 16th INTERNATIONAL SECURITY AND RFID EXHIBITION
16th INTERNATIONAL FIRE,

other malware. This was one of the earliest examples
EMERGENCY RESCUE EXHIBITION

demonstrating the increased level of sophistication of
cyber-attacks to be launched against a nation-state.

The Digital Artillery
The arsenal of a Cyber War attack consists of the usual
suspects, such DoS, attacks on DNS infrastructure,
anti-forensic techniques, and wide-scale use of Worm,
Zombies, Trojan and clichéd methods of electronics
attack. However Cyber War represents much more than
a DoS attack. When assessing state-of-the-art Cyber
War Artillery, one name comes to mind – Stuxnet.

State-of-the-Art: Stuxnet
The ultimate state-of-the-art weapon identified in the
cyber warfare arsenal, so far, is the Stuxnet worm. First
launched in to the digital landscape in June 2009, Stuxnet
SEPTEMBER 20th - 23rd, 2012
has become one of the heavily scrutinised, real world
examples of Cyber Warfare attacks, with global security
IFM ISTANBUL EXPO CENTER (IDTM)
and technology communities still struggling to fully
comprehend the complexities of its design almost two
years on since its initial release. Stuxnet’s international
attention has been achieved from the sheer sophistication

THIS EXHIBITION IS ORGANIZED WITH THE PERMISSIONS OF T.O.B.B.
06/2012 (14) June IN ACCORDANCE WITH THE LAW NUMBER 5174.

CYBERWAR
in design which is composed of a comprehensive array of encrypted configuration blocks. In order to load these
attack exploits and covert methods for avoiding detection. .dll files, Stuxnet has the capability to evade detection
Stuxnet is the magnum opus in the malware hall of fame. of a host intrusion protection programs which monitor
The Stuxnet worm infects computers running any LoadLibrary calls. These .dlls and encrypted
Windows OS, and is initially distributed via USB drives configuration blocks are stored in a wrapper referred
thereby enabling it to gain access to systems logically to as the ‘stub’. Two procedures are then employed
separated from the Internet. Once access has been to call Exported function. Extract .dll is then mapped
gained it then orchestrates a variety of exploits from its into memory module and calls one of the exports from
toolkit designed to specifically target vulnerabilities its mapped .dll. A pointer to the stub is then passed as a
intelligent design is able to identify in the target host. parameter. Stuxnet then proceeds to inject the entire DLL
Stuxnet’s artillery includes uses an array of exploit into another process, once exports are called. Injecting
methods, meticulously designed to circumvent the logical processes can include existing or newly created arbitrary
sequence security measures, one layer at a time. Exploits process or a preselected trusted process.
included Stolen Digital Certificates, Rootkits, Zero-Day
Exploits, methods for evading Anti-Virus detection, The Process of Injection
hooking codes, complex process injections, network Targeted trusted processes are directed at a number of
injection, to name a few. These exploits however do standard Windows processes associated with a range
not affect just any old computer, aside from propagating of security products, including – McAfee (Mcshield.exe);
further. The extraordinarily designed piece of malware has Kaspersky KAV (avp.exe); Symantec (rtvscan.exe);
one solitary target in mind – Industrial Control Systems/ Symantec Common Client (ccSvcHst.exe); Trend
Supervisory Control and Data Acquisition* (ICS/SCADA) PC-cillin (tmpproxy.exe) to name a few. Stuxnet then
and attached computer systems. With a specific ICS/ searches the registry for any indication that McAfee,
SCADA being targeted in Iran, Stuxnet reprograms the Trend PC-cillin or Kaspersky’s KAV (v.6-9) software is
Programmable Logic Controller (PLC), made by Siemens, in operation. If Stuxnet is able to identify any of these
to execute in the manner that the attack designers have technologies it then extracts the version which is used
planned for them to operate within. to target how to process injections or whether it is
* Bruce Schneier argues that Stuxnet only targets ICS and press releases unable to by-pass these security products.
have mis-referenced Stuxnet to also target SCADA “is technically
incorrect”. For further details refer to: http://www.schneier.com/blog/
archives/2010/10/stuxnet.html Elevation of Administrative Access Rights
Another feature of Stuxnet is in its ability to elevate
While experts are still dissecting Stuxnet, it is apparent access rights to run with the highest level of privileges
that the creation is the work of a team of highly skilled possible. Stuxnet detects the level of privileges assigned
professionals. Some estimates have stating that it to it and if these are not Administrative Access Rights it
would have taken a team of 8 – 10 security experts then executes zero-day privilege escalation attacks,
to write over the course of 6 months (Schneier). Many such as MS10-073.
are referring to Stuxnet’s creation as a “marksman’s The attack vector used is based on the operating
job” due to its targeted approach and expert precision. system of the compromised computer. If the operating
Given Stuxnet is considered to be one of the greatest system is Windows Vista, Windows 7, or Windows
malware masterpieces the temptation to examine its Server 2008 R2 the currently undisclosed Task
architecture in greater detail could not be resisted. Scheduler Escalation of Privilege vulnerability is
Symantec’s “W32.Stuxnet Dossier Version 1.4” provides exploited. If the operating system is Windows XP or
a detailed analysis delineating the technical attributes Windows 2000 the Windows Win32k.sys Local Privilege
composed within Stuxnet and this 69 page document Escalation vulnerability (MS10-073) is exploited.
created by members of their Security Response Team
is used as the basis for the following examination. The Load Points
full array of technical features is outside of the scope of Stuxnet loads the driver “MrxCls.sys” which is digitally
this article so a brief overview of Stuxnet’s architectural signed with a compromised Realtek certificate (which
components will be summarised below. Verisign previously revoked). Another version of this
driver was also identified to be using a digital certificate
Breaking Down Stuxnet from JMicron. The aim of the Mrxcls.sys is to inject copies
The Core – .DLL files of Stuxnet into specific processes therefore acting as the
At the core of Stuxnet is a large .dll file containing central load-point for exploits. Targeted processes include
an array of resources, diverse exports as well as – Services.exe; S7tgtopx.exe; CCProjectMgr.exe.


The Target: Programmable Logic Controllers India and Belgium. This information can then be used
We now arrive at Stuxnet’s ultimate goal – infecting by Duqu’s creators to then launch a premeditated cyber
Simatic’s Programmable Logic Controller (PLC) assault against the designated target. By default Duqu is
devices. Stuxnet accomplishes this by loading blocks designed to operate for a set period of time (either 30 or
of code and data (written in SCL or STL languages) 36 days depending on the configuration). After which the
which are then executed by the PLC in order to control Duqu will automatically remove itself from the system. A
industrial processes. In doing so, Stuxnet is able to comparison of Duqu and Stuxnet demonstrates:
orchestrate a range of functions such as:
• Duqu’s executables were created using the same
• Monitoring Read/Writes PLC blocks source code as Stuxnet.
• Covertly masks that the PLC is compromised • Duqu’s payload resembles no similarity to that of
• Compromise a PLC by implementing its own blocks Stuxnet. Duqu’s payload is written with the intention
or infecting original blocks. of conducting remote access capabilities whereas
Stuxnet’s payload is designed to sabotage an ICS/
The Grand Finale SCADA.
Now that Stuxnet has finally exploited the PLC it has • Duqu’s Payload aims to capture keystrokes and
achieved it has reached its final destination. Where system information rather than modify target
Stuxnet is then able to execute its final exploits which systems.
is to slow down or speed up frequency motors. For • Duqu (being a Trojan) do not contain any self-
example when the frequency of motor is running propagation capabilities as found in worms like
between 807Hz and 1210Hz, Stuxnet adjusts the output Stuxnet.
frequency for shorter periods of time to 1410Hz and • Duqu in one example is distributed by attackers
subsequently to 2Hz and then back to 1064Hz. These using specially crafted email containing a word
frequencies are typically used by centrifuges in uranium document which exploits an unpatched 0-day
enrichment plants. Ultimately Stuxnet is designed to vulnerability to
destabilize ICS/SCADA by changing the speeds in • Like Stuxnet, Duqu’s utilities include stolen signing
uranium centrifuges to sabotage operations, with the certificates for signing drivers stolen from a
potential for devastating consequences. company in Taiwan, with an expiry date of August
2nd 2011. These certificates were later revoked on
Little Brother – Duqu October 14th 2011.
In the September of 2011, researchers at the Budapest
University’s Laboratory for Cryptography and System The resemblances in design of Stuxnet and Duqu
Security (CrySyS) made the alarming discovery of a indicate that they were most likely developed by the
Trojan resembling Stuxnet. Their fears were confirmed same authors. Kaspersky Lab’s Analysts examining
after dissecting this new threat revealed components the source code of both programs state that – “We
were close to being identical to Stuxnet indicating that believe Duqu and Stuxnet were simultaneous projects
the writers were indeed the same authors, or persons supported by the same team of developers”.
with access to the source code of Stuxnet. They
labelled this new threat “Duqu” due to its design in The Launch Pad – Tilded
which it creates file names with the prefix ~DQ. How did Stuxnet and Duqu manage to launch some of
Duqu is a remote access Trojan designed to steal the most effective cyber-attacks on record so far?
information from the victim machine and is designed to The “launch pad” for this cyber artillery goes by the
act as a precursor to a future malware attack, similar to name of Tilded.
the Stuxnet operation. Duqu is designed to act in much The Tilded platform is modular in nature and is
the same way as a reconnaissance agent gathering designed to conceal the activities of malicious software
intelligence from a variety of targets, and like Stuxnet; by employing techniques such as encryption, thereby
Duqu’s primary targets are industrial infrastructure. evading detection by anti-virus solutions. By utilising
Data sources collected by this Trojan include design the Tilded platform developers of cyber weapons can
documents, keystrokes records and other system simply change the payload, encryption techniques
information. Once this intelligence has been gathered by or configuration files in order to launch any number
the Trojan, it is then returned to the command and control of exploits against a range of targets. File naming
servers, over HTTP and HTTPS, positioned across conventions used by Tilded’s developers employed
global locations such as China, Germany, Vietnam, the Tilde symbol and the letter “d” combining the two


CYBERWAR

References
• Clayton, M. (2012). Alerts say major cyber attack aimed at gas pipeline industry. Retrieved 12th of May 2012 from: http://
www.msnbc.msn.com/id/47310697/ns/technology_and_science-christian_science_monitor/t/alerts-say-major-cyber-attack-
aimed-gas-pipeline-industry/#.T65jgesti8D
• Kamluk, V (2011). The Mystery of Duqu: Part Six (The Command and Control servers). Retrieved 12th of May 2012 from: http://
www.securelist.com/en/blog/625/The_Mystery_of_Duqu_Part_Six_The_Command_and_Control_servers
• Kovacs, E. (2011). Stuxnet, Duqu and Others Created with ‘Tilded’ Platform by the Same Team. Retrieved 12th of May 2012 from:
http://news.softpedia.com/news/Stuxnet-Duqu-and-Others-Created-with-Tilded-Platform-by-the-Same-Team-243874.shtml
• RAND (2009). Cyberdeterrence and Cyberwar. Retrieved 12th of May 2012 from: http://www.rand.org/pubs/monographs/2009/
RAND_MG877.pdf
• Rouse, M. (2010) Cyberwarfare. Retrieved 12th of May 2012 from: http://searchsecurity.techtarget.com/de�nition/cyberwarfare
• Schneier, B. (2010) Stuxnet. Retrieved 12th of May 2012 from: http://www.schneier.com/blog/archives/2010/10/stuxnet.html
• Symantec (February 2011). W32.Stuxnet Dossier Version 1.4. Retrieved 12th of May 2012 from: http://www.symantec.com/
content/en/us/enterprise/media/security_response/whitepapers/w32_stuxnet_dossier.pdf
• Symantec (November 2011). The precursor to the next Stuxnet W32.Duqu Version 1.4. Retrieved 12th of May 2012 from: http://
www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_duqu_the_precursor_to_the_next_stuxnet.pdf
• Teksouth Corporation (2010). Cyber Warfare in the 21st Century: Guiding Doctrine and an Initial Conceptual Framework.
Retrieved 12th of May 2012 from: http://www.slideshare.net/slahanas/cyber-warfare-doctrine
• Westervelt, R. (2012). Tilded platform responsible for Stuxnet, Duqu evasiveness. Retrieved 12th of May 2012 from:
http://searchsecurity.techtarget.com/news/2240113299/Tilded-platform-responsible-for-Stuxnet-Duqu-evasiveness

resulted in adopting the name – Tilded. The Tilded team for developing new strategies within the Cyber Security
of developers however still remain unknown. community, so that detection of these unconventional
What we do know about Tilded is that it has undergone threats can be done so with greater accuracy and prior to
significant changes since its inception in 2007 with them developing the capability to orchestrate operations.
subsequent revisions created through to 2010. The RAND Corporation has stated that as long as systems
researchers at Kaspersky have been able to confirm have flaws, Cyber-attacks will be possible and “…as long
that a number of projects were undertaken between this as nations rely on computer networks as a foundation
period where programs based on the “Tilded” platform for military and economic power and as long as such
were circulated in cyberspace, Stuxnet and Duqu being computer networks are accessible to the outside, they
two examples. While other researchers have indicated are at risk”. Deterrence therefore is the key.
another variant exists, the Stars worm (also targeting Despite these challenges, real progress is being
ICS/SCADA systems) resembles Stuxnet. How many made. As the nature of Cyber Warfare becomes better
other programs have also been created but may not yet understood, in spite of its complexities, a foundation
have been detected remains to be determined. What for understanding these multifaceted threats is now
is clear is that as Tilded and similar programs continue being established. The next challenge being faced
to develop, we will see enhanced prototypes being is in developing strategies/frameworks to deter the
catapulted into the digital limelight. motivational factors leading to the creation of these
threats whereby influencing the mindset of cyber
Are We Prepared for a Digital Apocalypse? militants will be the key defence mechanism available
On the May 6th 2012, the US Department of Homeland to preventing a digital apocalypse.
Security reported that a major Cyber Attack was being
launched against computer systems used for a national CECILIA MCGUIRE
gas pipeline company supplying a total of twenty five Cecilia McGuire is a dynamic fresh thinker
percent of the United States energy. The cyber strike has and quiet achiever. Like many Gen-Y’s,
been traced back to a single source and many experts she has spent the past decade living a
believe that this is an early indicator of a highly organised somewhat nomadic existence having
Cyber Warfare operation. Early detection of the warning worked globally, expanding her awareness
signs of such an attack has instilled reassurance of international security requirements
throughout the wider global community that adequate and foresight into upcoming trends. She attributes much
mechanisms are now in place to ensure, at the minimum, of her in�uence to growing up in an unconventional family
a wide-scale cyber-attack will be detected and deterred in rural Australia, amongst a blend of western and eastern
prior to it accomplishing any major impact. philosophical paradigms. In 2010, she completed a Masters of
As discussed, the dynamic and often unpredictable Information Security and now lives in Sydney where she works
composition of emerging threats reveals the critical need as a Security Consultant.


CYBERWAR

There Is No
Cyberwar
With the growth in cyber-attacks and the large amounts quoted
when estimating the costs of these attacks, it has become the
norm for mainstream news agencies to carry news on security
matters, data breaches and attacks. Often this has led to info-sec
professionals being quoted (and misquoted) and interviewed
voicing their opinions and commenting on these issues.

U
nfortunately, what is reported in the media is by John Arquilla and David Ronfeldt. Since then many
rarely the full story and the image painted is more have joined the chorus of voices, warning of the
often the one of imminent disaster, destruction impending doom. Sergey Novikov, head of Kaspersky
and lawlessness. Lab Global Research and Analysis Team is recently
quoted as saying: “The recent spate of targeted attacks
The Hype on major corporations and state organizations all over
Last year, in a speech to service members at US the world, the use of malicious programs as weapons
Strategic Command, US Defense Secretary Leon for waging cyber war and conducting espionage and
Panetta painted a very grim picture of the world we the cutting edge technology of stat-backed malware
live in at the moment: “We’re now in a very different (Stuxnet, Duqu, etc), all herald the beginning of the new
world, where we could face a cyber-attack that could cyber era – the era of cyber warfare” [4].
be the equivalent of Pearl Harbor. I mean, cyber these With the growth in cyber-attacks and the large
days – someone using the Internet can take down our amounts quoted when estimating the costs of these
power grid system, take down our financial systems attacks, it has become the norm for mainstream
in this country, take down our government systems, news agencies to carry news on security matters,
taken down our banking systems. They could virtually data breaches and attacks. Often this has led to info-
paralyze this country” [1]. US Senate Commerce sec professionals being quoted (and misquoted) and
Committee Chairman Jay Rockefeller said recently interviewed voicing their opinions and commenting on
during a senate hearing: “Today’s cyber criminals have these issues. Unfortunately, what is reported in the
the ability to interrupt life-sustaining services, cause media is rarely the full story and the image painted
catastrophic economic damage, or severely degrade is often the one of imminent disaster, destruction and
the networks our defense and intelligence agencies lawlessness.
rely on” [2]. According to the American chairman of the
Joint Chiefs of Staff, Army General Martin E. Dempsey: The Doubters
“A cyber-attack could stop our society in its tracks” [3]. There are a few who do not agree with the war rhetoric,
The belief that cyber-armageddon is upon has been who believe that it is not helping security when the
around for a good few years. In 1993 the world was threats are exaggerated and fear governs our decisions.
warned that “Cyberwar is coming” in a paper authored Thomas Rid and Peter McBurney published an article


��
��

��
��
��
��

��
��
��

��
��

��
��
��
��

��

CYBERCRIME

Uncertain Law
Leaves Penetration Testers in Limbo

A question that I am often asked is, “How can a penetration tester
or ethical hacker be sure that his activities remain lawful?” The
easy response is that the terms of engagement should be defined
in advance. The law is concerned with unauthorised access to
computer systems, so an IT security consultant should be well
aware of what they are actually authorised to do.

T
he reality, however, is that the law regarding and getting away with it in the majority of cases. The
cyber crime is fairly ambiguous and I do have case that focused Parliament on the necessity for
sympathy with penetration testers and ethical specific hacking laws dates back as far as 1988 to the
hackers, given the potential minefield that surrounds Schifreen and Gold case.
them. British Telecom had introduced a simple computer
The term “ethical hacking” seems like an oxymoron communication system called Prestel, which worked
at first glance, but is clearly the only effective method of by dialling the computers number and then having the
ensuring that a company can be relatively certain that telephone system connect the dialler to the appropriate
its system can withstand certain computer attacks. Prestel centre. A subscriber to this system would then
The Ethical Hacking Council defines the goal of be asked to enter their password and identity number
the ethical hacker as to “help the organisation take in order to access their respective section of the
pre-emptive measures against malicious attacks by database.
attacking the system himself; all the while staying within A man called Robert Schifreen was attending a
the legal limits”. trade show and observed an engineer for Prestel enter
his details in the system – a username of 22222222
Background to Hacking Law and a password of 1234. Presumably, this was an
It is easy to appreciate the difficulties faced by administrator account and Schifreen, along with his
Parliament when drafting statute, but never more so friend Stephen Gold, were then able to thoroughly
than in respect of the laws relating to computer offences. explore the Prestel system. Once in the system, they
The evolution of hardware technology is arguably now changed some data and even managed to gain access
moving more swiftly than consumer demand, but it is in to the personal message box of the Duke of Edinburgh,
the progression of software systems that we are seeing Prince Phillip, leaving the message, “Good afternoon
an absolute sea-change. HRH Duke of Edinburgh” in the process. After these
The Internet has proven to be a societal equaliser – exploits, Schifreen sold his story to the Daily Mail and
armed with only a computer and access to the Internet, even appeared on television to discuss what he had
there is the potential for us all to become hackers. We been a part of.
are now seeing 15 year old hackers targeting large Unfortunately for Schifreen, the Prestel computer
corporate bodies, causing them significant disruption network was more successful and widely used than


CYBERCRIME

How Cyber Attackers
and Criminals Use Defense in Depth Against Us

The concept of Defense in Depth has actually been reverse
engineered and used against the IT Professionals and is now
utilized by attackers using this concept to provide them the
attack vector they require to facilitate a successful attack. Cyber
attackers are forcing IT Professionals and organizations into
an unsustainable stance, exhausting available resources, and
adapting advanced techniques to walk right in the front door and
strut past the people, process, and technology utilized by Defense
in Depth.

C
yber attackers are provoking organizations to Traditional military strategies and ideas can no longer
implement a layered defensive stance that is be applied at the root of their intent when dealing with
complex, far-reaching, unmanageable, extremely Cyber Security as the tactical landscapes of both have
costly, and requires a team of subject matter experts to changed. We need to learn to adapt or continue suffering
run. As Information Technology (IT) professionals, we are the cyber-consequences.
familiar with the concept of Defense in Depth. For those
unfamiliar with the concept, the adaptation for Cyber- Defense in Depth as Designed
security is to layer multiple defense mechanisms to Defense in Depth at its inception was a military strategy
delay (not prevent) a successful attack until appropriate originally defined by the National Security Agency (NSA).
preventative measures are deployed. As IT professionals, The goal of this Defense in Depth strategy was to elongate
we are also familiar with the requirement for us to stay up and delay rather than prevent the success of an attacker
to date on technologies, education, current events, etc. therefore exhausting their resources and causing them
Now that defense in depth has been around for a while to diminish their forces while buying time and keeping
and professed by all organizations, another look at the attackers at bay. Instead of defeating an attacker and
concept, how it is implemented, and if it is still effective defending their territory with a single, strong defensive
against Cyber Warfare and Cyber Crime is worth a look. mechanism, Defense in Depth relied on the tendency

Figure 1. Traditional Defense in Depth


��
� � � � � � � � � �
��
��

��
��
��
��
��
��
��
��
��
��
��

��
��
��
��
��
��
��
��
��
��
��
��
��

��

��
��
��
��
��
��
��
��
��
��
��
��
��
��

CYBERCRIME

Penetration Testing Can
Save Lives
There are a number of ways that a cyber attack can destroy lives.
Careers can end, finances can get ruined and companies can
cease to be relevant. What is sad is when these tragic side effects
of a cyber attack occur and a simple penetration test would have
discovered some basic flaws in an organization’s defenses.

I
n this article we will discuss some recent high-profile impact. Even more important is the necessity of all
attacks and we will look at ways a penetration test penetration tests to have a human analyze data and
should have discovered these vulnerabilities well focus on business logic with a clear focus on business
before the attackers did. However, it is important for risk. This is something automated tools will never be
us to first try to understand exactly what a penetration able to do, but they can help the process. And the
test is. Currently there is a great debate in the back companies we will focus on clearly were impacted.
corners of various hacker and security conferences The following incidents will highlight why penetration
around the world on the topic. Many people have testing is essential and they will each highlight a key
specific aspects they feel validates their view of what security weakness that a penetration test would have
a penetration test is or is not. For the purposes of this uncovered.
article let’s say a penetration test would be crystal-
box and could include scanning with automated tools. RSA – One Size Testing Does Not Fit All
Granted, there are people who would argue that using The RSA attack appears to have been launched via a
any sort of automated scanning tool is not part of spear-phishing attempt to two different groups within
a penetration test. Let’s also assume those people RSA over a couple of days. The malicious emails
are trolls and they will shortly be back under their contained an Excel spreadsheet that was entitled “2011
various bridges. A penetration test can be a number Recruitment Plan” and contained a Flash 0-day that
of things. For many organizations a penetration test triggered when the attachment was opened.
will require automated tools for scanning existing When news that RSA was compromised hit the
vulnerabilities, which will lead to possible exploits. Internet it sent shockwaves through the industry.
For some more advanced organizations a full black- It was not just an issue of a major company being
box test may be required. This will be based on how compromised, it was that so many other organizations’
mature an organization it in its security lifecycle. security support structures were based on SecureID.
Some organizations will require simple scans to get The very .asc and .xml files that seed the crypto in our
them going in the right directions. Others companies, secure key fobs were exposed.
which are more mature, will require more rigorous There are a couple of lessons to be learned from
testing. However, a common theme that should exist this breach. The first, is how intrinsically intertwined
in any penetration test is a solid focus on business our security is with other companies. But there is


CYBERCRIME

The State of Information
Security
Malware authors have figured out how to evade AV by continually
tweaking their binaries. They can circumvent content filtering
systems by hacking legitimate sites (banner ads, etc.) that users are
allowed to access. They flow right by IDPS and Malware Detection
Systems through the same type of techniques.

F
irewalls offer good protection for inbound more and more momentum. One of the more recent
connection attempts, though the threat vector attacks to be publicized was the state-sponsored
now consists of an attacker riding back in on Stuxnet worm which targeted centrifuge equipment
legitimate outbound connections. at Iran’s nuclear facilities.
While information security is much better today than • Terrorism – Over the years, hacking has been
it has ever been before; it is far from being in a position observed to both advance terrorist agendas in
to adequately deal with modern-day threats. In order to addition to launching full-fledged attacks.
address the gap, we must dive deeper in to the problem • Financial – This is the largest motivating factor
and develop an embraceable strategy for success. It behind hacking activities today. The black market
is only when we understand who our adversaries are for selling unethical and/or illegal activities is very
and what their motivations and tactics are will we be in lucrative for those that have a marketable service.
a position to address the problem. Let’s have a closer
look. Attack Vectors
Common attack vectors have certainly changed with
The Adversary time; indicating that we are dealing with a versatile
Enemies in this type of fight are some of the toughest enemy. As we have learned their techniques and
to identify and virtually impossible to stop. Some are deployed our defenses; they have been able to adapt
too young to drive a vehicle; while others are your quiet their offensive strategy in relatively short order. A few
next door neighbor, a college student half-way around examples are as follows:
the world, an eco-terrorist upset with your company’s
policies or a religious extremist defiant to be heard. • Network-based and noisy – Referring back to
While the motivation varies, the common themes tend the slew of Microsoft RPC and SMB-related
to revolve around the following: vulnerabilities; ultimately resulting in self-propagating
malware
• Personal / Pride – Though more of a vintage • Web-based/Drive-by – This vector is one of the
motivation for launching an attack, this still happens most popular in use today and one of the toughest
to a lesser degree within the hacking communities. to defend against. Attackers have learned how
• Geo-Political – A considerable force that is gaining to bypass vendor validation processes when


CONFERENCE

A voice to be added to
the voices called to ...
fight against cybercrime
Dr. Ameer Al-Nemrat, Chairman of the 2nd
International Conference on Cybercrime, Security and
Digital Forensics
The threat from cybercrime and other security breaches
continues unabated and the financial toll is mounting.
This is an issue of global importance as new technology
has provided a world of opportunity for criminals.
Therefore, reducing the opportunities for cybercrime is
not a simple task but requires co-operation between many
players, computer security specialists, legal professionals,
academia, public citizens, and law enforcement agencies,
and fundamental changes in common attitudes and practices.

Aby Rao: Please, tell us about the purpose of
Cyber Forensics conference. Dr. Ameer Al-Nemrat
Ameer Al-Nemrat: The threat from cybercrime and Dr. Ameer Al-Nemrat is a Senior Lecturer at the School
of Architecture, Computing and Engineering (ACE) at
other security breaches continues unabated and
the University of East London (UEL). Dr Al-Nemrat is the
the financial toll is mounting. This is an issue of programme leader for the MSc Information Security and
global importance as new technology has provided Computer Forensics, and MSc Cyber Crime. Dr Al-Nemrat
a world of opportunity for criminals. Therefore, Phd was the �rst PhD in Cybercrime Victimisation in the UK
reducing the opportunities for cybercrime is not in 2009 and has published number of Journals, Conferences
a simple task but requires co-operation between papers, book chapters, and one of the editors of the book “
Issues in Cybercrime, Security, and Digital Forensics”. Dr Al-
many players, computer security specialists, legal Nemrat has worked closely on cybercrime–related projects
professionals, academia, public citizens, and law with law enforcement agencies. A Cybercrime Programme
enforcement agencies, and fundamental changes project Led by Dr Al-Nemrat won a Good practice Award
in common attitudes and practices. Computer and from The European Commission under the Leonardo da
network security are often key factors that determine Vinci scheme which focuses on the teaching and training
needs of those involved in vocational education and
the likelihood of cybercrime, while digital forensics
training.
focuses on the detection, evidence gathering and
prosecution of offenders.


INTERVIEW

Looking for a Job
Interview with James Foster from Acumin, an International
Information Security and Risk Management Recruitment
Company
PenTest Team received many questions concerning situation on
the job market. Many of our readers is in the process of looking for,
changing jobs or starts their own businesses. Since our main aim is
to respond to needs of our readers, PenTest features an interview
with James Foster from a recruitment company with 14 years of
experience. From this conversation you will learn, among others,
about demand for penetration testers, expectations of employers
but also employees and pros and cons of being a freelancer.

PenTest: James, Acumin is an international PT: How is the current demand for
Information Security and Risk Management pentesters?
recruitment company. Please, tell us which JF: Pen Testers have grown in demand over the last 4-5
professions are the most desirable within the years due to the importance and increased awareness
IT Security market? for organisations to understand potential vulnerabilities
James Foster: Acumin have a vast network within the in their technical landscape, and as a result their value
IT Security space having worked solely in this area for in the market has increased.
the last 14 years servicing Information Security Vendors,
Consultancies, System Integrators, and End Users. PT: In which country would a pentester most
Our extensive End User client base provides us the likely find a good job?
access to Information Security Managers and CISO’s JF: Pen Testers are in demand globally.
in a variety of sectors which in turn provides invaluable
knowledge of the challenges they face within an ever PT: Could you describe the expectations of
evolving Information Security landscape. employers towards employees?
These End User challenges fundamentally feed the JF: The expectation of an employer towards a
demand for innovative technology and services from Penetration Tester depends on the employer.If the
Information Security Vendors and Consultancies, and hiring manager works within an End User organization
these challenges are regularly surveyed by Acumin then the requirement of the Pen Testing employee is
and have formed a current snap shot of in demand to ensure the ongoing testing of Infrastructures and/or
professions: Applications to highlight and report potential security
vulnerabilities in order for remediation work to be
• Penetration Tester (particularly CREST or CHECK conducted. As an employer running a team of Pen
certified) Testers within a Consultancy, a key expectation they
• Application Security Consultant / Architect will have aside from the obvious technical capabilities is
• Data Loss Prevention Consultant a willingness to travel.
• Governance, Risk and Compliance (GRC) It’s imperative that as a Penetration Tester you are
Consultant prepared to travel a lot to different client sites. The


INTERVIEW

“You must create a plan...”
Debbie Christofferson, International Board Director at
ISSA, on seeking employment, working as a freelancer and
introducing changes at your company.
You must comprehend the core business and be able to
understand and communicate security risk in terms of its
impact to that business. While technology competence is
key, it is not the deciding factor in success – an ability to
create and execute to a longer term strategy determines
your fate. Communication skills are critical, orally and in
writing, and an ability to build relationships and influence
others across business units, and possibly across the globe
if that’s where you operate. You must stay engaged in the
business, and keep current on your skills in IT, and risks
within your own structure.

Aby Rao: Can you tell us what convinced you opportunity to reroute or eliminate your headcount as
to become a security specialist? unnecessary.
Debbie Christofferson: During my Intel position as an
IT Operations Supervisor, the manager who originally AR: What are some of the core competencies
hired me was chartered to start up a Corporate of a security consultant?
Information Security function. This supported the DC: You must comprehend the core business and be
uprising of distributed computing, UNIX, firewalls, and able to understand and communciate security risk in
a new breed of hacking experts. I knew then I wanted terms of its impact to that business. While technology
to be part of that team, for my previous manager and in competence is key, it is not the deciding factor in
this new field. It required you to create something out of success – an ability to create and execute to a longer
nothing, to be comfortable with ambiguity, to be good at term strategy determines your fate. Communication
working across people and platforms, and to be a good
advisor to the organization. I began sowing the seeds
and plotting my course on how to get there. Debra Christofferson
Debra Christofferson, CISSP, CIPP/IT, CISM serves ISSA
as an International Board Director and was recognized
AR: What was the most difficult for you at the in 2011 as a Distinguished Fellow. She’s an experienced
beginning of your career? security manager and consultant with global Fortune 500
DC: Lack of structure and support. Automated tools experience, who is seeking a permanent strategic role in
didn’t exist then – except unix scripts – and staffing a large progressive organization. For a no-fee copy of her
7-page Security Risk Management Plan, send email with a
was minimal. Security had no credibility initially. You
subject line of “PenTest Risk Plan” to: DebbieChristofferson
were expected to know everything yet you were also at earthlink dot net.
universally ignored, and often seen as others as an


Get prepared.
We are Expanding Security, a Pen Testing and Training Company. We’ve been
preventing deer-in-headlights look since 2006. We offer Pen Testing services plus
our Live On Line training classes for ISSMP, ISSAP, CISSP, and Certified Ethical
Hacker. We give you online access to materials wherever you are.

You need to keep your job secure, your business
strong, and your staff on top of the game. See how
good and fun training can be. Our courses are
current to changing technology, and our training is
the fastest, easiest way to master the relevant
data you need NOW.

Sign up for our free weekly PainPill and come to a free class.
http://www.expandingsecurity.com/PainPill

…with Freedom, Responsibility, and Security for All ™
www.ExpandingSecurity.com

Pen test 06_2012__teasers

Empfohlen

Empfohlen

Weitere ähnliche Inhalte

Ähnlich wie Pen test 06_2012__teasers

Ähnlich wie Pen test 06_2012__teasers (20)

Pen test 06_2012__teasers