This document discusses hackers and security from the perspective of a penetration tester. It begins by distinguishing between hackers and crackers, noting that hackers are highly skilled individuals seeking knowledge, while crackers seek financial gain or to cause damage. It then discusses common misconceptions around security, noting that security is an architecture rather than appliances or policies. Several examples are given of exploiting popular security products and technologies. The document warns that the UAE is a vulnerable target given weaknesses in infrastructure and disaster recovery plans. It then describes hypothetical penetration tests against several large organizations in the UAE, highlighting vulnerabilities discovered. The document concludes by discussing mobile app security risks and advertising an upcoming security conference exhibition.
4. Wrong Conceptions About Hackers
• Hackers don't break into computer systems to steal information, that's Crackers.
• There are NO ethical hackers; either you have a hacker or a cyber criminal (Cracker).
• Blackhat, Whitehat and Grayhat hackers are all hackers and they only seek knowledge.
Hackers
They will hack into your computer systems to learn new things and to enhance their technical skills. Your sensitive information can get into their hands, but luckily they’re only interested in the back-end technology and how it really works; they won’t cause any harm or damage to your business and you won’t notice their presence. A blackhat hacker won’t report the threat, while a whitehat hacker will.
Damage: Minimal
Knowledge: Extensive
Crackers
They will hack into your computer systems to achieve financial gain or to cause damage to your business for different kinds of reasons. Your sensitive information will get into their hands and they’re willing to abuse it to the maximum extent. You won’t notice their presence, and most probably they’ll back-door your systems so they can visit again whenever they want, easily and without duplicating the effort.
Damage: Extensive
Knowledge: Minimal
5. The Truth About Hackers
• Hackers are highly skilled individuals: they’re capable of adopting new technologies in a matter of hours and they have sharp attention to detail (the devil is in the details).
• Hackers are web designers, web developers, system engineers, infrastructure engineers, programmers, database engineers and virtualization engineers combined (overqualified).
• Hackers are not engineers, they’re scientists: they achieve the impossible every minute and they know how your systems really work, even better than your best senior engineer.
Hacker: Fast, Adaptive, Knowledgeable, Creative, Persistent, Stealthy
7. Wrong Conceptions About Security
• Investing in Firewalls, Antiviruses, WAFs, IPSs, NACs, etc. will not secure your systems.
• Hiring security engineers to maintain your security solutions will not achieve security.
• Complying with international standards and best practices will not grant you security.
Security is NOT: Policy, Project, Standard, Training, Appliance, Magic
8. Security Can Easily Let You Down
Exploiting FortiGate Next Generation Firewall
9. Security Can Easily Let You Down
Exploiting McAfee ePolicy Orchestrator (ePO)
11. Security is an Architecture, not an Appliance
Art Wittmann
12. Why UAE is a Vulnerable Target
The economy of the United Arab Emirates is the second largest in the Arab world, with a
gross domestic product (GDP) of $570 billion (AED2.1 trillion) in 2014. 71% of UAE's total
GDP comes from non-oil sectors.
Public Wikipedia
The underlying IT infrastructure for almost every entity in the United Arab Emirates is very weak (9 out of every 10 entities are heavily vulnerable), and the attack surface is massively increasing with no proper security controls.
Private Research
The disaster recovery plan is absent in 83% of United Arab Emirates' entities; there’s no proper logging and monitoring of security violations, and the response time for a security breach is critically long with no proper action plan.
Private Research
13. What Security Experts are Saying
According to a survey carried out jointly by Kaspersky Lab and B2B International, 51% of
users in the UAE faced financial cyber-attacks during the past year while only 10% of them
admitted that they were victims - July, 2014.
Kaspersky Lab
According to Cisco Annual Security Report, businesses in the Middle East are facing a
growing risk of cyber-attacks with a sharp rise in sophisticated malware attacks on the oil,
gas, power and utilities sectors - Jan, 2014.
Cisco Systems
According to a survey commissioned by the global Application Delivery Networking company F5 Networks, 81% of surveyed UAE IT decision-makers believed their organization was more vulnerable than ever to cyber-attacks - Feb, 2014.
F5 Networks
14. Serious Legal Warning
• All information displayed will be totally obfuscated for privacy reasons.
• We do not condone cracking or any computer misuse or unauthorized access.
• All our PT activities are carried out based on a strict Rule of Engagement.
• Any security vulnerabilities discovered are reported back to TRA aeCERT.
• Our aim is to raise information security awareness through the work we do.
Please don’t get too excited and try this at home or work
DTS Offensive Division
15. Gigantic Construction Entity
Security Controls in Place:
• FortiGate Next Generation Firewalls with IPS enabled.
• BIG-IP F5 Load Balancer with no direct IP access nor ping.
• McAfee ePolicy Orchestrator (ePO) with HIPS enabled.
• IBM QRadar (SIEM) centralized monitoring and logging server.
• Imperva Incapsula cloud security and content delivery network.
Attack Exposure and Technique:
External Black-Box Penetration Testing with Zero knowledge of the underlying technologies.
Activity Goal and Deliverables:
Gaining full administrative access to the internal network through the DMZ without getting
caught by security controls in place nor getting logged by the SIEM solution (QRadar).
Challenge Accepted
19. Major Transportation Authority
Security Controls in Place:
• Juniper Next Generation Firewalls with IPS and UTM enabled.
• Barracuda Web Application Firewall with no direct IP access nor ping.
• Kaspersky Endpoint Security for Business with application control enabled.
• Basic monitoring and logging for the entire infrastructure activated.
• ISO 27001 Certified with good security awareness and regular trainings.
Attack Exposure and Technique:
External Black-Box Penetration Testing with Zero knowledge of the underlying technologies.
Activity Goal and Deliverables:
Gaining full administrative access to the fleet management system without getting caught by
security controls in place nor getting logged.
Challenge Accepted
22. Sensitive Governmental Entity
Security Controls in Place:
Censored
Attack Exposure and Technique:
External Black-Box Penetration Testing with Zero knowledge of the underlying technologies.
Activity Goal and Deliverables:
Gaining full administrative access to the back-end database without getting caught by security
controls in place nor getting spotted by security agents.
Challenge Accepted
26. Massive Financial Market
Security Controls in Place:
Censored
Attack Exposure and Technique:
External Black-Box Penetration Testing with Zero knowledge of the underlying technologies.
Activity Goal and Deliverables:
Gaining full administrative access to the primary web application without getting caught by security
controls in place nor getting spotted by the SOC team.
Challenge Accepted
29. Sensitive Governmental Entity
Security Controls in Place:
Censored
Attack Exposure and Technique:
External Black-Box Penetration Testing with Zero knowledge of the underlying technologies.
Activity Goal and Deliverables:
Gaining full administrative access to the ERP application without getting caught by security controls
in place nor getting spotted by the SIEM Solution.
Challenge Accepted
30. Vulnerabilities in ERP (SAP and Oracle)
[Chart: SAP Security Notes per year, 2001–2014; by March 2015 – 3298 SAP Security Notes]
[Chart: Oracle vulnerabilities per year, 2007–2014]
Only one vulnerability is enough to get access to ALL your business critical data
31. Threat Modelling and Map
Understand which system can be attacked, how SAP is connected with other enterprise apps and how crackers can escalate privileges:
– Attacks between systems
– Attacks on systems
– Overall security status
  • Misconfiguration status
  • Vulnerability status
  • SAP Notes status
33. TOP 10 Mobile Application in UAE
1. Salik recharge
2. RTA Dubai
3. Dubai mParking
4. DUBAI POLICE
5. mPay
6. DHA & Sehaty
7. HbMPSG
8. Carrefour UAE
9. DEWA
10. Cinema UAE
34. M1 - Weak Server Side Controls
[Diagram: Mobile App → Internet → Backend Server; Attacker → SQL Injection against the Backend Server]
35. Very Popular Mobile Application in UAE :(
Backend Database Vulnerable to SQL Injection
36. Vulnerable! Leads to full Data Leakage
Very Popular Mobile Application in UAE :(
37. Vulnerable! Leads to full Data Leakage
Very Popular Mobile Application in UAE :(
Public Profile exposes:
• Full Name
• Password
• User ID
• Email
• Emirates ID >>>> Used Everywhere and Needed by Everyone <<< Increases Security Risk
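The M1 weakness above (a backend that trusts what the mobile app sends, so one SQL injection dumps every profile including passwords and Emirates IDs) next to the hardened form, as an added example that is not part of the original deck or of any of the apps it names. The table layout, sample users and the `profile_*` functions are assumptions constructed for the demo; the hardened endpoint binds the parameter and returns only public fields, and passwords are stored as salted PBKDF2 hashes so a leaked table does not expose them.

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed sample rows standing in for a mobile app's profile table (not real data).
SAMPLE_USERS = [
    ("u1001", "Alice Example", "alice@example.ae", "alice-pass", "784-0000-0000000-0"),
    ("u1002", "Bob Example", "bob@example.ae", "bob-pass", "784-0000-0000000-1"),
]


def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE profiles (user_id TEXT, full_name TEXT, email TEXT,"
               " password TEXT, emirates_id TEXT)")
    db.executemany("INSERT INTO profiles VALUES (?, ?, ?, ?, ?)", SAMPLE_USERS)
    return db


def profile_vulnerable(db, user_id):
    # M1: the client-supplied user_id is pasted into the SQL text, and the query
    # selects every column, so injected SQL returns the whole table.
    sql = ("SELECT user_id, full_name, email, password, emirates_id FROM profiles"
           " WHERE user_id = '" + user_id + "'")
    return db.execute(sql).fetchall()


def profile_hardened(db, user_id):
    # Parameter binding keeps the value out of the SQL grammar, and the public
    # profile endpoint only ever selects public fields.
    sql = "SELECT user_id, full_name, email FROM profiles WHERE user_id = ?"
    return db.execute(sql, (user_id,)).fetchall()


def hash_password(password, salt=None):
    # Store a salted PBKDF2-HMAC-SHA256 digest, never the plaintext password.
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt.hex() + "$" + digest.hex()


def verify_password(stored, candidate):
    salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(), bytes.fromhex(salt_hex), 200_000)
    return hmac.compare_digest(digest.hex(), digest_hex)


INJECTION = "' OR '1'='1"  # constructed tautology input, the textbook SQLi probe


def demo():
    db = make_db()
    leaked = profile_vulnerable(db, INJECTION)  # all rows, with passwords and Emirates IDs
    safe = profile_hardened(db, INJECTION)      # no row has that literal user_id
    return len(leaked), len(safe)
```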