Security kaizen consumerization

Editor’s Note
April/june 2011 . 2nd Issue
After the release of our first issue, we
Chairman & Editor-in-Chief received a lot of positive feedbacks, a lot
Moataz Salah of improvement ideas and a lot of reviews.
Editors people wanted to help making security kaizen
magazine a better magazine, wanted it to be Egypt | The First Cyber Revolution 4
Fady Osman
Brad Smith one of the top information security magazines
Omar Sherin in the world.
Osama Kamal To be honest, I didn’t expect that we will have
Grey Hat
Amr Thabet that success in such short period, nor did I Types of SQL Injection 10
Ahmed Saafan
Vinoth Sivasubramanian
expect that one day I’ll appear on the Egyptian Phone Owning 12
Paul de Souza TV to talk about our initiate and our Magazine.
Mohamed Enab
So I wanna attribute our success to all my
Language editors readers, anyone contributed with an article or Stuxnet: and the truth shall set you free 16
Salma Hisham even a small comment, everyone criticized our 18
Salma Bakr
A visit to RSA Conference
work, all of you guys were a huge help to us
Lobna Khaled Electronic Voting | Security Challenges 20
I still have a lot of people to thank for their
Graphic Design help in the last couple of months but the An Interview with Clement Dupuis 22
Mohamed Fadly space won’t allow me to do that. so Thanks
everyone, we wouldn’t have made it this far
Web Site Design without you.
Mariam Samy Rootkits: A Deeper Look 26
Security kaizen is issued
As I said we are always kaizenning our Password Crack 30
every 3 months magazine and due to the tons of requests we
received, a new version of the magazine will
Reproduction in whole or part without be released in Arabic to cover more readers Best Practice
written permission is strictly prohibited on the Arabic countries. Also Security kaizen
All copyrights are preserved to magazine was able to get special offers for our A Simplified Approach to Achieve Security in a 34
www.bluekaizen.org
readers in various worldwide conferences; you Consumerized Environment
can check more details about that through the Cyberspace as a War Fighting Domain 38
magazine or on our website.
Finally, this was just a start and we are always
eager to kaizen, improve and reach new
horizons. We still need more volunteers from
all countries. so Join us and be part of our
For Advertisement in security kaizen.
Security Kaizen magazine and
www.bluekaizen.org website:
Mail: Info@bluekiazen.org
Phone: 010 267 5570
2 3

No one, not even Mark Zuckerberg the founder
of Facebook, nor Jack Dorsey the founder
of Twitter had imagined that one day their
websites will help in a country's revolution,
take down a president or change a regime.
Egypt’s well educated youth, whose through the streets, to regroup themselves
sole dream is to see Egypt a better after being distracted by security agents
country, lead peaceful demonstrations either by water, tear gas or real bullets.
on the 25th of January 2011, which is
the National Police Day, against injustice
and freedom suppression. On the 11th
of February 2011, Hosny Mubarak
finally declared his resignation as the
President of the Arab Republic of Egypt.
Just to give you a few examples of
people who joined the revolution: Wael
Ghoneim (EMEA Marketing Manager of
Google) who was arrested by the police
on the third day of demonstrations; Dr.
Ahmed Zewail (Egyptian Nobel Prize
Winner in Chemistry), Dr. Mohamed By the end of the first day of the revolution,
ElBaradei (former Director General of Tuesday 25th of January, Egyptian
the International Atomic Energy Agency), Intelligence banned the access of Twitter
and many Egyptian celebrities. from inside Egypt. They also banned
some online opposition newspapers like
What is unique about this El-Dostor. But that didn’t stop Egyptians
revolution? from accessing Twitter and those websites
using different proxies and in few minutes

EGYPT
It will be recorded in history that Egypt’s a series of proxies and ways to get around
revolution was the first Cyber revolution the ban were shared among Egyptians.
in the World. On the first three days, The Egyptian hackers quickly reacted to
protesters used their smart phones, those actions by attacking the website
Blackberries or iPhones to guide the of El-Ahram (one of the main Egyptian
demonstrations. It all started with Government newspapers) and that of the
Facebook. Then Twitter played a very Ministry of Interior Affairs using DDOS
crucial role in guiding demonstrators (Distributed Denial of Service Attacks).

The First Cyber Revolution We won’t continue talking about the revolution and its political development,
you can get back to the news for more information. We will now concentrate
about the technical part and our view regarding what happened later, with
The Full True Story on How Egypt respect to cutting all means of communications across Egypt.
Shutdown the Internet for 5 whole days
6 5 April/june 2011
www.bluekaizen.org

By the second day, Wednesday 26th of (ADSL, dial-up, etc) The bandwidth of international lines is what is known as POP. The bandwidth is
January, Facebook usage was blocked To summarize the situation, all means of sold to ISPs and companies as requested, then distributed to the home end-users
in some areas, especially in El-Tahrir communication were down, except land and then distributed across Egypt using or companies. Check figure 2 for the
line phones. Telecom Egypt cables, which are the only Internet hierarchy in Egypt.
Square (Liberty Square) where most
cables available! This is done through
protesters gathered. Facebook was
totally banned on the third day (Thursday How was the Internet cut? International
27th of January) of the protests. During ISP1 room ISP2 room Companies
those three days, the situation was a real In order To know how the Internet was
war between the Government and the cut in Egypt, we first need to know the
protesters; on the streets and on the web. Telecom Egypt
physical hierarchy of Internet in Egypt.
On Friday 28th of January, in the early (switching & testing rooms)
We will try to simplify the details as
Telecom Egypt
morning - Friday is the weekend in much as possible so that readers with lines
most Islamic countries - the following no telecommunication background grasp International Cables
communication services were down: how it works easily. In Alexandria
All mobile phone communications SEA-ME-WEA4/Flag
(voice calls, mobile internet, SMS, etc.) Different countries are connected
i.e. Egypt’s three operators were down together using a network of optical fibers,
Core POP1 Core POP2 Core POP3
completely with all their services with very high bandwidth, in seas and
All internet connections by all providers oceans. Check figure 1.
Edge PoP1 Services to users in PoP1

Services to users in PoP1

Figure 2: Internet hierarchy in Egypt
Therefore, in order to cut the Internet according to every ISP’s Network Design,
across Egypt you have more than one but the easiest way is to withdraw their
option: Border Gateway Protocol routes (BGP
● Egyptian Government can disconnect protocol is a protocol used by border
all the lines from the source (here the routers to transfer information between
landing point of international cables is different autonomous systems), and most
Alexandria). But this will disconnect all probably this is what happened with most
the lines connecting Egypt to the outside ISPs
world and that was not the case; only ● If the ISP refused to cut the service (like
88% of the Internet usage in Egypt was in NOUR CASE), the Government can
down and nearly12 % was still working. cut the service by itself through Telecom
So this option was not likely to have been Egypt POPs but in Nour Case which is
used not a residential Provider and most of
Figure 1: Submarine cable disruption map ● Authorities can intimidate the ISPs to its customers are big companies, Egypt
For Egypt, all international lines have two landing points (Alexandria shut down the services to users. This was security agencies accepted or agreed not
and Suez), for example the SEA-ME-WEA4 line is the line which clearly published by Vodafone, that some to cut the internet on Nour Customers,
connects South East Asia-Middle East-Western Europe, and it Egyptian security agencies ordered them but that made TEdata and Linkdot net,
carries telecommunications between Singapore, Malaysia, Thailand, to shutdown all mobile services. Shutting the biggest service providers in Egypt,
Bangladesh, India, Sri Lanka, Pakistan, United Arab Emirates, Saudi- down the Internet from the ISP’s side complained that Nour is still working and
Arabia, Sudan, Egypt, Italy, Algeria and France. can be made by many different ways that may affect their business , that’s
6 7 April/june 2011
www.bluekaizen.org

why Nour was also down on Monday by Twitter, Facebook and SMS services. And
Telecom Egypt not by Nour Engineers.So maybe they also knew more than that!
Nour was down for a business reason not Whatever they knew, the decision was Conclusion
for a security reason. taken to cut all communications including
all the Internet and mobile facilities. This story gave us some facts that don’t exist only in Egypt but in most
Why were the Internet and countries that use the Internet:
But unfortunately this was the most stupid Internet traffic is monitored, especially social media networks and this
mobile communication cut? decision, because people who were can be checked in the customers part of www.narus.com where you will
at home, waiting for brothers, sisters, find nearly 1/3 of their customers are countries governments
What happened by the end of Friday
relatives and friends to come back, Today, social media networks are not used only for connecting with
explains why Egyptian Intelligence cut
couldn’t communicate with them. They friends or making business marketing, but they can be used in issues affecting
all communications in the country. This
couldn’t call their friends, couldn’t connect whole countries; revolutions, wars, etc.
day was named: Friday of anger, where
to the Internet to know their latest activities This story also gave us some questions, for which we hope to find answers:
millions of people went out in the streets
on social media, and couldn’t even send On which level do governments have the right to control essential life facilities,
and the highest number of dead people
a single SMS! So, more people went out like communications, electricity and others, to civilians even in cases of
was reported on this day as well.
in the streets, maybe not to protest but to emergency?
merely show their anger at this decision. Will you support a law, if it doesn’t exist in your country, that considers the
Egyptian Intelligence uses a solution
called NarusInsight. The NarusInsight Internet and telecommunication systems as main human needs like electricity
Solution for Intercept, as narus.com says, Was the Internet 100% cut supply, water supply and others, which can’t be cut with such a way?!
delivers unmatched flexibility to intercept across Egypt? Finally Egypt’s story was a real proof that Internet in general and social
IP communications content and identifying media networks in specific can really change the world. Virtual life can cause
information, enabling law enforcement The answer is NO, according to most revolutions, wars, crimes and more. Egypt started the revolution on the virtual
and government organizations around statistics nearly 88% of the Internet network and transferred it to a real story, a real TRUE STORY.
the world to effectively gather evidence connection was down. What about the
of illegal activity in the multifaceted world rest 12%. Well, we have different cases,
of IP communications. for example:
NOUR was the only service provider
Narusinsight can monitor users’ traffic, that kept working for 3 days out of the 5
including recollecting their mails, days (they were down only for 2 days –
chats and other data. Built on the Monday and Tuesday – while the Internet
NarusInsight Traffic Intelligence System, was back across Egypt on Wednesday)
the NarusInsight Solution for Intercept All international MPLS Lines were working
passively monitors multiple links on the fine, so companies who had MPLS Lines
network. It monitors each packet on the through any provider were working in the
network link and analyzes it against a whole 5 days
target list input by the providers or directly One of the solutions was to use the
by a law enforcement agent. If the packet international land line to dial up an
matches the target criteria, it is captured external service provider in France or any
for formatting and delivery to storage, country using a dial up modem, but this
law enforcement or directly to optional costs a lot of much of course
content rendering and analysis tools. Another solution was to have a satellite
connection, this way you won’t pass
Egyptian Intelligence or National Security by Telecom Egypt lines but again this References
knew that a lot of people will gather on solution is so expensive and still not http://www.narus.com
this Friday, and they knew in the last 3 reliable for huge companies but it is better http://www.wikipedia.org/
days how they collect themselves using than nothing
8 9 April/june 2011
All images included in this article are copyrighted to their respected owners. www.bluekaizen.org

GREY HAT The database will simply display the results in the search query as you can see in the
following image.

Types of By Fady Osman

SQL injection
SQL injection is probably the most dangerous
known web attack. Sometimes it could lead
to remote code execution that gives the
hacker a full control of the system.
In this article we will talk about
SQL injection types.

1- Error based SQL injection : The exploitation of the error
In this case the database simply the based SQL injection is fairly straight. For Another thing to notice here is that the database language can be this query:
application sends back the database example the attacker can make an invalid the database version reveals also the
errors directly to the user. Sometimes comparison between an integer and the operating system information which is http://[site]/page.asp?id=1; IF (ASCI
this happens because the developer of data he needs to extract. To make things something that should be disabled by the I(lower(substring((USER),1,1)))>97)
the website didn’t turn off debugging on clear lets see an example (Assuming MS database administrator. WAITFOR DELAY ‘00:00:10’
the server. SQL database).
3- Blind SQL injection : the above query will wait for ten seconds
Injection : or 1=user()-- This is the hacker’s last choice since it only if the first letter of the user name
take a fairly long time. I worked once is not “a” then you have to do this with
Response : Syntax error converting the nvarchar value ‘ahmed’ to a column of with blind SQL injection and to be all other letters of the user name. Then
data type int. honest it wasn’t a pleasant experience you move to the password hashes and
it took me all the night to successfully so on. This makes it obvious that using
exploit this vulnerability. Even with some automated tools or scripts is fundamental
From this example you can see that the 2- Union based SQL injection : tools available like sqlmap, sometimes otherwise it will take you days to retrieve
user name ‘Ahmed’ which is the output of Union based SQL injection as the name you need to write your own scripts to only the basic information.
the user function is sent back in the error suggests abuses the union operator. successfully exploit blind sql injection.
message. The attacker can also retrieve The basic idea is to append the data Now let’s talk about how blind sql About the author: Fady Osman is
other information from the database. that the attacker wants to a table that is injection works. In this case the database an information security professional,
already displayed in the page. See this will not give you any output not even researcher, and author. He focuses
Tip : If you don’t have a good experience example from DVWA (A vulnerable web an error message so you need to find mainly in the areas of exploitation
with databases and what useful functions application created for training hackers another way to retrieve data. This can be ,reverse engineering ,web security
you can go to this website which will give and to be used in educational classes). done by asking database questions like and c programming. His team won
you a cheat-sheet for SQL injection : Inject this code inside the id parameter : “if the first letter of the user name is not the second place in the MIE 2010
http://www.pentestmonkey.com null’ union select @@version,2# an a then wait for 10 seconds” which in competition organized by IEEE Egypt.

GREY HAT 10 11 April/june 2011
www.bluekaizen.org

Let’s pretend we’re a phone
Phone owning Notice in the above example that our Service / Device Class shows we’re a
computer. Notice the Link mode is SLAVE ACCEPT. We want to change all of
By Brad Smith this so we look like another cell phone.

This article will show you how to get started in performing Type this at the command prompt:
penetration testing on cell phones to see if it can be hciconfig -a hci0 class 0x500204
compromised by accessing their data via Bluetooth (BT). hciconfig -a hci0 lm accept, master;
This is an important part of penetration testing as many hciconfig -a hci0 lp rswitch,hold,sniff,park;
bad things can be done to someone’s phone without their hciconfig -a hci0 auth enable
knowledge. If they own your Phone, they own your life. hciconfig -a hci0 encrypt enable
hciconfig -a hci0 name Resume

Now run hciconfig –a again and notice
the differences.
The last command to change the name
This is an advanced article so you need Bluetooth was designed as a serial port is important because that’s what appears
the following base knowledge: replacement. Just like serial ports of old, on the screen. Would you take a call
You need to be able to boot a Backtrack you need to set an IRQ and a Memory from “bt-0” or “Resume” or “ “?
4r2 disk on a compute that has Bluetooth address to interact with other devices.
device installed. You can use other Bluetooth needs a Channel and Memory Notice what the Service / Device Class is now. You’re a Phone!
distros if you like but BackTrack has 32 addresses set to interact with other
tools just for Bluetooth. phones.

Let’s Start Who else is out there?
With Backtrack booted up to the command line and the Bluetooth adapter There are several good tools for scanning on Backtrack, l2ping (that’s an
installed type: hciconfig you should see all the “acceptable” devices. If no L not the number 1), hcitool
device appears on the list and you have scan, sdptools browse and
the device plugged in, well, your device this one BTscanner.
won’t work. Sorry, you need to try a What we’re after is the Address
different device. Not all BT adapters of the device, think MAC
are created equal. address of a network card
and the cannel each service is
If a device appears (hci0) then bring it offered on. When you click on a
up: hciconfig hci0 up, just like it was a device it gives you more information, specifically the cannel of each service
wireless card. offered and memory addresses of the device.

The hciconfig –a command should
return a list of features for all the
Bluetooth adapters on the computer. It
should look like this:

GREY HAT 12 13 April/june 2011
www.bluekaizen.org

What Now?
Let’s start with a simple program that does lots. My favorite is bluebugger
because you can change Option parameters quickly till it works properly.
Notice the different modes that bluebugger offers.
You can do it all from the command line:
~#./bluebugger –m Ron –c 7 –a xx:xx:xx:xx:xx:xx dial 1900badpeople

Lets look at this command, simply add the channel and
connection name (here it’s a blank, I use Resume).
Seems to simple yes? Very true, it doesn’t work on
every phone that has the Bluetooth on so you need
to try lots of different.

I look at a lot of Phones and some brands are easier
to penetrate than others. Which ones? Depends on
model, make and how it’s setup.

With so many Bluetooth tools here are a few all
purpose basic tools to learn: Hciconfig, Bluescan,
l2Ping, SDPTool, hcitool, BTScanner, Bluesnarfer,
Bluebugger, Carwhisper.

Bluetooth devices are growing number daily. Security is poor at best,
coupled with the predicted increase in mobile threats, and NOW is the time
to secure yours and your businesses Bluetooth devices.

Here’s help!
NIST “Guide to Bluetooth Security” 800-121
www.Backtrack-Linux.org
www.soldierx.com/bbs/201001/Bluetooth-hacking-wth-Backtrack-4
www.trifinite.org

About the author: Brad started breaking his toys at a very
early age. When he wrote his first computer buffer overload
in 1972 which totally wrecked the University computer
system, he realized the potential to break much larger
things. Now he spends his time teaching other to break
small things that have large importance, like cell phones.

GREY HAT 14 17 jan/march 2011
www.bluekaizen.org

new & NEWS

new & NEWS “white papers, cleaning tools, contacting
customers, working with top AV vendors,
even magazine interviews”. Isn’t this what
Another statement that also reflects
severe undermining of the terms “due
diligence, and responsibility” is a
they are paid to do? question they highlighted in yellow: “Has
the customer done all he can?“.

Stuxnet:
What is really strange is their genius Imagine a car manufacturing company
conclusion that future infections are that sold you a very expensive car
“unlikely”, and this is due to the fact that equipped with an advanced airbag
the malware pattern is now detected by up system, then someone smashes into
to date anti-virus programs. Eureka !! your car and the airbag doesn’t work,
and the truth shall set you free Yes, future “Stuxnet” infections might while in hospital the car company lawyer
By Omar Sherin be unlikely, but this is certainly not the asks you why didn’t you bring an airbag
end of this type of attacks as long as top from home just in case!
vendors like Siemens still use “hard coded
& publicly available” passwords on critical
What is Stuxnet: it’s the most complicated piece of malware ever
systems in the year 2010 and don’t even
written. Up till now there has been wide speculations that it was
admit that this is the REAL problem.
written by a specific country to attack the Siemens computer control
systems used in the nuclear program of Iran. Security experts
I was able to locate the hard coded (built-
heavily criticized Siemens because the worm exploited, among
in) user names and passwords in Siemens
many things, a “hard coded password” in the Siemens system. The
technical online forums:
Stuxnet worm infected critical energy companies in 125 countries.
login=’WinCCConnect’
password=’2WSXcder’
login=’WinCCAdmin’
password=’2WSXcde
Last month Siemens Internal CERT The slides confirmed that the malware
(Computer Emergency Response Team) is capable of transferring data outside of
released some slides about Stuxnet as a the infected system back to the command
form of “Official Communication” within and control servers, yet nothing has been
their constituents. The slides were taken proven specially that the two C&C servers
offline few hours later. ( • www[.]mypremierfutbol[.]com • www[.] About the author: My name is Omar Sherin and I am the OWASP Egypt chapter chair
todaysfutbol[.]com ) and a member of the OWASP Leaders Board.I have more than 8 years of professional
But as I was reading through the slides I were brought down by Symantec. “I corporate and national level Information security experience plus more years as a security
decided to take a copy just in case they would like to add that both servers where and online privacy advocate. I also hold a diploma from Carnegie Mellon’s Tepper
do just that. In the official slides (Here), located in Germany”. School of Business in entrepreneurship and corporate innovation.I’ve worked for several
Siemens confirmed that Stuxnet was multinational firms in the oil and gas sector, communication, government and professional
services sector, in my spare time I’m an active Information Security blogger and Speaker.
a “targeted” attack by using terms like Then the Siemens slides claim that all
Specialties
“targeting a very specific configuration, known infections are now clean and zero • SCADA Security
certain PLC blocks and specific processes enterprise damages reported. Yet they • Critical Infrastructure Information Protection (CIIP)
or (project)“. These bold statements didn’t specify their definition of “damage”, • Business Continuity and Disaster Recovery
simply means that Stuxnet makers had is it seeing the enterprise up in flames or • Information Security and IT Audit
(one target) in mind, and this should few bytes of data going out? The slides • Risk Assessment , GAP Analysis, Security policies
eliminate any theory out there denying go on listing the great deeds of Siemens • Digital Forensics and web application pen testing
that its a state sponsored malware. since the discovery of the malware:

new & NEWS 16 17 April/june 2011
www.bluekaizen.org

A visit to By Osama Kamal
He showed some videos of the show, with 800 nodes. They have 46K records
scamming people in cafe shops or even daily handled by 5 information security
in casinos that have very tight security analysts. In 2007, they had 4000 nodes,
mechanisms to prevent fraud, and the
message was to highlight the importance
and danger of social engineering attacks.
The video is available on RSA Conference
website; a highly recommended one.

One of the interesting presentations was
about Mature SIEM implementation, by
Bradford Nelson and Ben. It discussed
a real implementation in one of the US
Government entities, where they divided
the SIEM evolution into 3 phases:
Infancy, Growth, and Maturity. In Infancy 2M records/day, and 14 analysts. In 2010,
mode, you need to focus on collection they had 30K nodes, 326M records and
and aggregation. In Growth mode, you 32 analysts. These are pretty insightful
need to focus on real-time monitoring, numbers if you are planning for a SOC.
unsupported sources, and environmental They started with logs like failed logins,
modeling. In mature phase, you start port scans, and AD changes. Later
developing processes, adding external they added IPS, packet capture, and
threat feeds, putting alerts into business packet drops, then apps, users, social
context, aggressive normalization and media, auto ticketing handlers, honeynet
correlation, and adding application/user sensors, and all connections. That is a lot
behaviour analysis. to handle!
RSA conference is by far the biggest by giving an example of an unusual
According to the presenters, you should
commercial event I have attended. It definition. He then asked people to use
start defining your requirements first, then The conference is an excellent chance to
is not just an expo with more than 400 their mobile phones and computers to
do procurement, design, deployment, and get updated with new technologies from
information security companies, but it search for that term on the Internet and
then content delivery. The requirements vendors. It is all about the defence side,
is also a place where you get to meet showed that google search revealed a
definition is very important and should not the offence side such as Blackhat.
information security rock-stars and the top totally wrong definition as he was able
use vendors literature combined with If you in are in security business, this
management officials of big companies. to poison the search results by creating
your own technical and business needs. conference should be your target.
In addition, the event also has a lot of a Wikipedia page and a YouTube video,
You can simply look for use cases to
sessions, mostly panel discussions, with some link building techniques to give
understand more. Things to consider About the author:
where you listen to the people who the wrong definition on top of the search
are: start slowly, you can use NIST 800- An independent security analyst
are shaping the security industry or results.
53, and 800-92 as a start; go for quick with over 13 years of experience
are heavily involved in it in one way or
wins; and do not try to spend lots of time in security operation, design,
another. Hugh Thompson also hosted Alexix
in unsupported logs. Also check your architecture, and incident
Cornan, who runs a show in BBC; the
data collection rates, and build your key handling. Running his own blog
My favourite keynote was the one of Real Hustle. He showed how easy it is to
performance indicators and metrics. www.okamalo.com for almost 2
Hugh Thompson gave about social scam people using “misdirection”, which
years, currently focusing on open
engineering, entitled “People Security”. is one part of a good scam. It does not
They gave some numbers from their source information gathering,
He showed how easy you can mislead matter how smart you are, even security
environment, when they started in 2004 and threat intelligence”.
people through search engine poisoning conscious people can be scammed.
www.bluekaizen.org

Electronic Voting votes. Electronic Voting can be used
in presidential elections, parliament
members’ elections and also inside the
backup so as to maintain confidentiality
and integrity of data. And by having the
backup, availability is guaranteed.

Security Challenges parliament while voting for legislations
and policies. We need to forget about
the previous “funny” way by which votes
These DRE machines should be
hardened and certified through audits, so
as to ensure security. For sure machines
By Mohamed Enab inside the parliament were handled and
“Cyber Revolution”… a catchy expression lot of factors. If you simply play in the move to E-Voting; the Speaker of the
we use these days! This type of “revolution” voting software by a virus or a bug then People’s Assembly of Egypt used to
is conducted over the Internet using social you might have an undesirable president just check the votes for legislations and
networks, such as Facebook and Twitter, or parliament member for example. policies only by the eye!
and this is the first time in history that Therefore, due to its critical risks and that Let us see how we can implement the
people start a revolution against unfair some countries already had voting fraud Electronic Voting system; usually the
and oppressive government systems by incidents, Electronic Voting needs to be system will machines all over the country
a Cyber Revolution. assessed and analyzed well to check to collect the votes. These machines are
To help maintain the principles of this whether it is can be applied safely in our connected in a secure way to a central
revolution and sustain it to use it anytime country. Basically a voting system has point for analysis and monitoring. So if
we are again confronted by governments four main characteristics;1 we spread our devices over 700 sites
that lack freedom of speech, we should 1. Accuracy: The goal of any voting for example, and then the central point Figure 1 DRE Machine used in Brazil
put some “controls” into our lives to system is to establish the intent of each notices that some suspicious activities
guarantee as much as we do not reinvent individual voter, and translate those then investigations may start and track may differ from one type of election to
the wheel, especially while no political intents into a final tally. To the extent any distrustful activity. But what kind of another, but the concept is the same.
party is in control and there is some sort that a voting system fails to do this, it machines should be used?! Maybe a I believe that in order to have “Cyber
of chaos around a certain country. That is undesirable. This characteristic also PC, but it can be infected by a virus or a Revolution”, we need to implement
is the time to put neutral controls over includes security: it should be impossible worm. Maybe a hardened machine! How systems in our countries which bring
Cyber Revolution. to change someone else’s vote, ballot can these machines be connected to the technology into our daily lives. And since
I said “controls”, right?! Yes, I did. Does stuff, destroy votes, or otherwise affect sites. secure voting is a crucial step in bringing
not this remind us, Security Professionals, the accuracy of the final tally. Usually machines used in E-Voting, in trustworthy entities for the sake of serving
of something we used to use in our daily 2. Anonymity: Secret ballots are countries like Brazil, India, USA, are our people, then special attention should
life when referring to Firewalls, IPS, IDS, fundamental to democracy, and voting Direct-Recording Electronic (DRE)2 voting be paid to deploying “Electronic Voting” in
etc. But what type of controls am I talking systems must be designed to facilitate machines. A DRE machine records votes our countries.
about?! voter anonymity. This also means by means of a ballot display provided
As we all know, the main objectives of confidentiality, in one way or another. with mechanical or electro-optical About the author:
Information Security is to protect the 3. Scalability: Voting systems need to components which can be activated by Five Years of Experience in
confidentiality, integrity and availability be able to handle very large elections. the voter (typically through buttons or a Information Security Consultation
touchscreen). Then data is processed Field & possess deep knowledge and
of our company, our organization and With the increase of population, we need understanding for security threats &
our country. What I see right now is that to invest on something that could sustain by means of a computer program.
Then voting data and ballot images countermeasure, security products
people believe in this revolution and along enough. & technologies, Information security
to help them trust it more and more is 4. Speed: Voting systems should produce are recorded in memory components. management systems, networks
to have a system that makes them feel results quickly. This is particularly After the elections, the DRE machine & operating systems. Having been
secure and safe when they give their important where people expect to learn produces a tabulation of the voting data in Banking Field for 2 years where
votes during elections or referendums. the results of their voting on the same day as a soft copy stored on a removable Money talks and Security is a great
We are talking here about “Electronic it took place, before bedtime or early the memory component and as a hard copy concern there and also in Information
Voting”. day after, and monitor the progress of the as well. The system may also provide a Security Consultation Field giving
I know that the idea is not new, and that it voting process. means for transmitting individual ballots consultation and advisory actions to
has been implemented in lots of countries So, these are the four main features or vote totals to a central location for customers to get the best of the breed
such as the USA, Spain, Australia, and that should characterize Electronic consolidating and reporting the results from security solutions and secure
by precincts at the central point. So data the organizations which have different
the Netherlands - just to name a few - Voting, and if we have a system that concerns & Business Objectives. I
either by Remote E-Voting or Polling can do that electronically then this will can be transferred securely through
encrypted links or flash memories with have right now Security Certifications
Place E-Voting. However, these systems guarantee neutral and falsification free like CISSP, CCSP, SSCP and have a
are not easy as you might think; they good networking/Telecommunication
2 Definition as per Wikipedia
are complex systems that depend on a 1 Adopted from Bruce Scheier Blog - Schneier on Security
background.
www.bluekaizen.org

An Interview with • What made you take the Free Information Sharing Route instead

Clement Dupuis
of selling your knowledge?
As you get past 50 years of age you realize that you do have quite of bit of wisdom
and knowledge that you have acquired over the years. At one point you need to get
someone ready to take over from you and finally retired.
By Moataz Salah
I am from a small lumberjack village in the deep woods of Quebec, Canada. In my
Clement Dupuis is a man that you village people always help each others, skills and knowledge are passed from father
can’t prevent yourself from respecting to son for generations, I taught doing the same on the Information Security side
his thoughts and his principles. could be a very interesting project.
His principles and beliefs were one
It started as a hobby and today the Family of Portals reaches over 150,000 security
of the main reasons to launch our
professionals in more than 120 countries around the world. It does make me feel
magazine, Security Kaizen Magazine. proud when someone sends me a message to thank me and my team for the work
Two years ago, I started quoting we are doing in helping the community.
one of his famous sayings in my
lectures ”Don’t be a leacher, Don’t I was asked many times WHY I do not charge a fee on some of my portals. With the
suck people blood till you get all the number of members we have we could be millionaire if I would have charged $10 per
information you need , share your person. We all need money, however we never have enough, it is a never ending
knowledge even with just a comment“ story. Above money there are people, when I am able to contribute to someone
career and help them progress and reach higher, I feel a lot better than getting $10
Clement Dupuis as a fee. People should always be priority number one.
Founder and Maintainer of
the CCCure Family of Portals
• Can you give us more ideas about your free information
sharing web sites and the free Services you deliver?
• Can you introduce yourself to Security Kaizen Readers?
Our portals contains large collection of Documents, links, forums, mailing lists, cram
Good day to all, study guides, quizzes, and a whole lot more.
My name is Clement Dupuis, I am the founder and maintainer of the CCCure Family The portals are large containers of knowledge that constantly get updated and better
of Portals. Twelve years ago I started to dedicate all of my free time to “Giving Back as more and more people are contributing.
to the community” which has been a way of life since then.

I had the privilege to work for 20 years for the Canadian Department of Defense and • What problems did you face when you started your free
was exposed to radio communication, satellite communication, and finally I got into information sharing web sites?
the computer world.
The first 4 years were very lonely, you spend all of your free time building content,
I was one of the very early pioneer who was attempting to use the Personal Computer answering queries, and you do not see anything being returned to you. Then all of
(PC) in places and in ways it was never, ever attempted before. I had to combine a sudden my site was listed in books and magazines which drove a lot of traffic to it.
modern equipment with outdated radio communication. Often time we had to talk
with the engineer that wrote the software to make things work. There was no better I felt like quitting the whole project many times. There were days when I would get
way to learn the details behind the interfaces that we were using. negative feedback that made me feel like pulling the plug. However, my wife who
is the calm and moderate person behind me would always remind me that for every
Networking, Personal Computers, Server, and making them work together has been negative message I have most likely received 100 positive message. After a while
a hobby of mine for more than 20 years. It is always a privilege to have your hobby you learn to concentrate on the positive and accept that you cannot please 100% of
as your full time job. your visitors.

www.bluekaizen.org

- HITB Magazine
Time has always been my biggest challenge over the past 10 years. Maintaining - (IN)SECURE
portals is VERY time consuming. - MISC Magazine
- Professional Tester
• Which Security Conferences Clement Dupuis must attend every - SecurityActs
year? - Security Kaizen
- The Hackademy Journal
There are a few that I always attempt to attend such as BlackHat, Defcon, - Uninformed
CanSecWest, and Hacker Halted. They are some of the largest and also some of
the best conference that exists out there. • What is your Comment about Security Kaizen Magazine ?
and what is needed to rank it as one of the best magazines in
• You are a big fan of CISSP, why is that ? Information Security field in the world?
There are a lot of misconceptions related to the CISSP certification. It is NOT a Security Kaizen is a very interesting magazine and once I read through the first
technical certification, however it forces a Security Professionals to learn more about edition I know that it is a magazine that will only get better with time. The magazine
domains that he would not get exposed to in his daily tasks. is very young compare to other magazine that exists out there.
The CISSP shows that a Black Box approach to security will not work. You can The success will depend on a few things: Content, Content, and Content
stack 10 security appliances and they will still be ineffective is there is no policies,
procedures, or processes in place. If your provide great content the readers will come to read it. From what I have seen
so far you are on the right path to do so.
People have to realize that only hardware or software is not the answer to security.
You have to have a good mix of policies, people, and process, the 3 P’s. Last but not least, ask for feedback and listen to your readers. Ask them what they
wish to get and provide it to them. All of this will make it a great success.
I was one of the first person to become a CISSP in Canada. I saw that it was a great
package but there was no resource to prepare for it. This is when I decided to create
the CCCure.Org web site. I wanted to help other in becoming certified and by the • From your experience, What is mostly needed in the Middle
some token better understand what security is all about. east and arab countries to help them be an added value in the
information security field instead of just importing technology
• What is your Plan for the next coming years ?
There is already an amazing number of software and hardware company coming
I am now at the point where my portals needs to move to a better platform that will from the Middle east and Arab countries. Unfortunately some are nice players or are
integrate with the viral world of Social Media. This is one of the major project to come. not recognized in their own country.

I also need to categorize content by geographical location. People loves to know Information Security and it’s associated technologies are still something that is up
what is in their backyard and what resources they have locally. and coming in those regions. Leadership must start at the top at the government
level. Cyber Security should no longer be seen as a luxury but as a necessity to
Adding a few more certifications is also on the menu. Cloud Security and Risk security conduct business in a connected world.
Management comes to mind.
For the first time in history companies have suffered more losses and fraud online
• Can you rate the top 5 magazines in the Security World? than the physical world in 2010. Where there is financial transaction and money
involved there is also crime. The online world is no different than the physical world,
This is a tough one. Some magazines cater to management, some others cater to in fact it is a lot easier to commit crime online than risking being caught in the act
Security Testing, some will be for programmers, as you might have guessed I read a doing a physical crime.
lot of security oriented magazines. On my short list I do have:
- 2600 Quarterly Sharing information, Educating more people about these issues, and create a climate
- Club Hack Magazine favorable to endless learning is one of the most effective tool one can use against
- Hakin9 criminal activities over our networks and systems.
www.bluekaizen.org

Step
By
Step 4. Types of Rootkits:
1. User-mode Rootkits:
modify the system functions or hook I/O
request packets (IRPs), which are sent

Rootkits:
This type of rootkits is simply working in the to the device drivers for the purpose of
user mode and it hooks some functions in modifying the inputs and outputs to this
a specific process, sometimes it loops on device driver.
all processes except the system process- Kernel-mode rootkits can hook all
es. It is done by injecting a code inside processes, including system processes
A Deeper Look the virtual memory of this process, and
then it patches the first instructions of
at once; however, they are harder to
detect and remove.
By Amr Thabet the hooked function to force it to call the The problems of kernel-mode are mainly
injected code. due to it being hard to program and very
1. What is rootkit? of security called rings. Rings are simply
Hence, the injected code modifies the sensitive to the changes of the operating
The rootkit is simply a programme that a set of privileges or restrictions, which
gives you a permanent access to the enable hackers to work on them. input of this function, and then resumes system, and sometimes sensitive to the
“root”, which is the highest privileged user There are four rings and they begin with the hooked function to modify the output changes of devices too.
in UNIX system. ring-0, which is the highest privilege and of the very same function, and at last
The rootkit can easily control the system it is called kernel-mode. Ring-3, that is, returns again to the process. 5. How Rootkits Work?
or modify it on the fly to force it to hide the the lowest privilege and is called user- 2. Kernel-mode Rootkits: First of all, how Windows works should
presence of a specific virus or spyware. mode. All applications run in user-mode On the other hand, kernel-mode, the be understood. Windows is an operating
and have specific privileges which they, second type of rootkits, works inside the system created to become a layer
2. Why rootkits? by all means, cannot exceed. When system. These rootkits are installed as between the hardware devices and the
It gives you a permanent access to the operating system runs in the kernel- device drivers and they have the ability to software applications and users.
the infected machine. For as much as mode, which has the highest privilege, it
hackers’ belief, it is not only enough to can do everything ranging from modifying
penetrate a system or compromise its the memory of the system, modifying the
security defenses, but also the ability to setting of the processor, to sending and Users And Applications
stay hidden in the system to spy or control receiving signals from computer devices.
it for your desired needs is a must. There is a single way to jump from ring-3
Therefore, rootkits are mainly created to to ring-0, which is done by a processor
hide the hacker inside the system from instruction named “Sysenter” - System Operating System
administrators, file monitors and firewalls. Enter, to call a specific function in the
Some of the hiding techniques are hiding operating system.
files in the hard disk, a connection port, 2. Patching and Hooking:
Hardware Devices
some registry keys or a running process Hooking is a term given to the process
in the machine. of intercepting or interrupting a call to a
Furthermore, some other rootkits are system function like zwQueryDirectory
It is created to be non-sensitive of the that do everything like managing files
especially created for other needs, like File. Some examples are query files,
keystroke monitor (keyboard spy), or which either function as modifiers to the hardware changes, to support multiple and directories, internet, connectivity
packet sniffer, which is a program that input (the path to a certain folder whose users and processes (applications), and so on.
monitors all the data that is sent or files need to be queried), or modifiers to and to support system security from In order to understand the tricks of the
received in the computer in order to steal the output (deleting the name of a specific malformed processes and from users to rootkits, the way the interface works
passwords or credit cards. file in order to hide it). users. should be first understood. Thus,
Patching, in like manner, is very similar It supports a static interface between the life cycle of executing an API like
3. Some Definitions: to hooking. Patching means modifying; applications and hardware devices called “FindFirstFileA()” from user-mode to
1. User-mode Vs. Kernel-mode: modifying the first instructions of a specific Application Programming Interface (API). kernel-mode, to the device itself is shown
The computer processor has some type function to hook the inputs or the outputs This interface includes many functions below in this figure.
of this function.

Step By Step 26 27 April/june 2011
www.bluekaizen.org

to change the inputs, as the IRPs were or Packet Sniffers, could communicate to
Execute SYSENTER FindFirstFile() Calls to Call To Function
instruction with Function first received, and have the ability to set a the device directly to receive the pressed
ZwQueryDirectoryFile FindFirstFile()
Number (0x91) function named “IOCompletionRoutine”. keys or send an internet packet by
User Mode
The IoCompletionRoutine is executed passing with this way and software filters
Kernel Mode after completing the request and before or any hooker.
returning to user or the user-mode This part is very sensitive to the changes
Search For Function Send an IRP Request to
Execute fastfat.sys (and All application. of the hardware, which is a very hard task
(0x91) in The System
Service Dispatch Table ntQueryDirectoryFile() Device drivers attached IoCompletionRoutine has the ability to to work on, and
(SSDT) to it) change the outputs of this request in actually it is only used by the elite hackers
order to hide files, for example, or make as most people say.
any other changes.
sending signal to the Attached Devices Drivers Attached Devices could
In a like manner, the rootkits have the Conclusion:
device and gets the could set IoCompletion change the inputs of the ability to filter the inputs and the outputs The rootkit is considered a programme
output /execute the Routine to change The IRP request of any request. or a tool that gives the root privileges
IoCompletion Routines outputs (Preoperation Mode)
and return to user (postoperation mode)
Regarding the last example, the rootkit to be used for the purpose of hiding the
could change the results of this query to presence of a specific virus or spyware.
Each step is explained, in addition to the hooking mechanism that is used by rootkits. hide a file or change its This tool uses the hooking mechanism to
1.User-Mode Part: a pointer to another function (for name in the results of QueryDirectory filter the inputs or outputs of the system
At the user-mode, the applications have the last example NtQueryDirectoryFile()) IRP. functions, either in a user-mode or kernel-
the ability to call a function of hundreds of and then calls to this function and the 4. Communicating With Devices: mode, to hide the malware process. By
functions in the Windows’ interface (APIs), execution in the kernelmode After the device driver gets the IRP, the same token, it can hide files from
and as it is seen in the last example, continues. the device driver communicates with the outputs of any query as if there is no
the application calls to FindFirstFileA(), At this part, the kernel-mode rootkits, the related device, the Hard Desk for malware in the computer.
which calls to another API named as explained above, have the ability to instance, by sending signals to this device Some other rootkits use these privileges
ZwQueryDirectoryFile(), which calls to change the pointer to a function in the or receiving signals from it. to log the key presses or sniff the internet
KiFastSystemCall(), which executes a SSDT array with another function inside After getting the reply from the device, the packets to steal passwords or intrude on
processor instruction “Sysenter” that the kernel-mode rootkit. device driver changes the output to the someone’s privates.
converts you from user-mode to kernel- Additionally, other rootkits prefer to standard shape for windows or converts It is also described above in this article
mode and executes another function in hook these functions by patching its first the output into a more higher level and the life system cycle to execute a system
the system in the kernel-mode named instructions like the usermode then returns to the user-mode application query from the usermode to the kernel-
KiSystemService() rootkits. after calling to IoCompletionRoutine. mode to the hardware devices to reply to
At this part, the user-mode rootkits, as 3. Device Drivers: In this stage, the rootkits cannot hook the someone’s request in a high level reply
previously explained, have the ability to After executing ntQueryDirectoryFile() signals to the devices, but some rootkits with the transparency of the hardware
hook one of these functions by patching function, this function sends to the with another tasks, such as Key Loggers changes.
its first instructions by another which related device driver a request named About the author: I’m Amr Thabet. I’m a Freelancer Malware Researcher and a student at
allows the rootkit to change the inputs or “I/O Request Packet (IRP)” to query on Alexandria University faculty of engineering in the last year.
the outputs of these functions. a specific directory. This packet will be I’m the Author of Pokas x86 Emulator, a speaker in Cairo Security Camp 2010 and invited to
2. SSDT: received by the appreciate device driver become a speaker in Athcon Security Conference 2011 in Athens, Greece.
While executing “Sysenter” instructions, I begin programming in 14. I read many books and researches in the malware, reversing and
and all device drivers attached to it.
antivirus fields and a I’m a reverser from nearby 4 years.
the processor converts you into the Windows allows device drivers to be
kernel-mode (ring-0), and executes attached to any device driver to filter References:
KiSystemService() function which search its input, change its output or complete 1. Addison Wesley Professional Rootkits - Subverting the Windows Kernel
in an array named “System Service the request without the need of the real 2. The Rootkit Arsenal : Escape and Evasion in the Dark Corners of the System, by Reverend
Dispatch Table (SSDT)” with the function device driver itself. Bill Blunden
number as an index in the array and gets These device driver filters have the ability 3. Rootkit - Wikipedia, the free encyclopedia, at this link: http://en.wikipedia.org/wiki/Rootkit
www.bluekaizen.org

is a common human nature to choose dictionary words. However, a relationship
understandable words for the password. exists between those passwords and
This, unfortunately, eliminates a big dictionary words. There are several
search space of the non-readable hybrid optimisations that take advantage
character combinations, and simplifies the of this human vulnerability in order to
mission for crackers. A dictionary attacks produce a better password guessing
against a password exploits this human schema. Xieve technology is devised
By Ahmed Saafan vulnerability by using dictionary words as by Passware to predict possible human
the main source of the key space. This readable alterations of dictionary words
Since a long time, passwords have been the most popular way for attack can be done on either the original [5]. It uses an algorithm that mutates and
authentication and proving identity. Some new biometric techniques have hash or the authentication mechanism, in combines dictionary words to produce a
evolved recently and have proven great accuracy and security. However, case the hash is not available. slightly bigger enhanced key space which
they are not used except in very sensitive places due to their high cost. are still orders of magnitude smaller than
Hence, passwords are the main method of authentication used in networks. Thanks to electronic social media; the the original full key space, but way more
This article is about password cracking techniques, optimisations, and tools. overall security awareness is in a state capable of finding the correct password.

A
the hash, the process will try all different of continuous improvement. It is getting
ccording to the information base
possibilities and combinations of the harder for crackers to guess passwords, GPU Optimizations: Another orthogonal
that the cracker has, password
password until the hash of the attempted because people are starting to use more aspect for password cracking optimisation
cracking may be classified
trial matches the original hash value. complex words. Despite being complex, is the hardware dimension. Modern
into two types: informed cracking and
Otherwise, in an uninformed cracking, the the words are still readable. Hence, a few Graphical Processing Unites (GPUs) can
uninformed cracking. In informed
regular authentication procedure has to optimisations are devised by crackers to be used to optimise password cracking
cracking methods, the cracker has prior
be used in trying all different possibilities improve dictionary attacks: methods due to its vectorisation. They
knowledge about the password. This
knowledge could be the password key along with a way to identify the successful support complex vector processors that
log in attempt. Customized Dictionaries: are capable of bulk vector computations.
space (i.e. the possible combinations of
Typically, people choose passwords Typically, this is used for graphical
the password), the password structure
The obvious time limitation is what relevant to their context. A slew of tools processing. However, it is also very
(for example, the fist character must be
makes this attack almost unfeasible in are out that analyse human profiles handy in password cracking due to its
a number and the following characters
its original form, given that the password (Facebook accounts, blogs, Websites high parallelism. Crackers use GPU
must be at least 6 alpha-numeric), or the
is cryptographically secure enough. ...etc) to generate a word list of password frameworks to boost password cracking
cryptographic hash (i.e. The output of
However, there are several variations candidates. This word list is later used by arranging password key space values
a non-revisable mathematical function
to this attack discussed later that might as the key space for brute forcing. This into vectors with the maximum size that
applied on the password). On the other
be feasible to use in cracking complex technique has been proven to be one of the GPU processor can handle at once,
hand, in uninformed cracking, the cracker
passwords. the most effective methods in penetration and process those combinations in bulks
has ultimately no information about the
testing. Common password list generator as a single trial. Obviously, the more
password. It is noteworthy to mention that
A very common programme for multi- tools include (CUPP, CeWL, and Crunch). powerful the GPU is, the more speed-up
password cracking in this context means
passing through the authentication threaded (parallel) password brute gain is achieved; one GPU processing
forcing is THC Hydra, which has been Hybrid Optimisations: cycle trial could include more than 10
challenge successfully regardless of
updated recently to support advanced Another password choosing habit that key trials. According to Elcomesoft, a
knowing the original password.
CPU optimisation techniques [1]. can be abused is when a user slightly security research company specialised
modifies a dictionary word to be a non- in password cracking; the speedup can
Brute Force
Dictionaries dictionary, and uses it as a password. reach 50000% [8]. The chart below (by
Brute forcing is the most basic method
A natural enhancement to the brute Words such as (pa$$w0rd, koolB0y, ElcomeSoft) shows the possible speed-
for cracking a password. It can be used
force approach is trying to narrow down applepie ...etc) are technically not up gain for different GPUs.
regardless of the cracker possession of
the original hash value. If the cracker has the possible password key space. It

www.bluekaizen.org

challenges such as the windows net-bios which is able to crack any WPA password
file sharing protocol. A common tool used in less than 20 minutes [9].
for pass-the-hash attack is Pass-The-
Hash Toolkit from security-database [7]. Conclusion
Also, the notorious Metasploit Framework It is very clear that black hats are moving
has pass-the-hash capabilities. towards more convoluted techniques
to crack passwords. A highly technical
The Cloud cracker now would try to pass the hash,
Cloud computing is “the trend” nowadays. create a profile for the target user to
Unless you have been hiding under a infer a password key space, optimize
rock for the last two years, you must have and enhance the key space using
heard about cloud computing. Amazon mutation algorithms, and at the end,
Rainbow Tables a secure password, can be cracked in Elastic Cloud Computing (EC2), and buy some rainbow tables online, or
In informed cracking, when the cracker 160 seconds [4]. You can get the pre- Microsoft Azure are popular examples. rent an on-demand cluster from a cloud
has a hold of the password hash, the computed rainbow tables for most known With such gigantic infrastructure available infrastructure service, and that’s it…
original password cannot be inferred algorithms from a number of commercial on-demand, crackers are leaning your password is cracked! Even worse,
due to the inherent non-reversibility websites, such as rainbowcrack [2] and towards using it for evil. Distributed a bot-master who controls a herd of
of password hashes. So, it is a matter ophcrack [3]. computing systems can be used to divide zombies (botnet) through Trojan horses
of trial and error. Password cracking the password trials among the working can use the botnet capabilities to crack
using rainbow tables is typical in such Pass-the-hash cluster, since the password cracking passwords pretty much the same way it
scenarios. It is an example of the classic If the cracker already has the password process is naturally divisible where each would be done using cloud computing,
time-memory trade-off. In the original hash, and the server uses the password node in the cluster would try a subset of only for free!. Therefore, one should be
brute force method, the cracker must hash only to prove the users identity (e.g. the key space. very vigilant when choosing a password,
try to hash all possible passwords to windows network authentication), the because no one knows what is lurking in
compare it with the original hash each cracker then can create a custom script You can start a 100 node high computing the dark hallway.
time a cracking procedure is in place. that just sends the saved hash to the cluster with high end GPU capabilities and About the author: Ahmed Saafan is
Rainbow tables, on the other hand, server when requested without knowing use it in parallel to crack Ultra complex a senior information security analyst
utilise pre-computed look-up tables for the original password. Since the server passwords in a matter of minutes! A and the technical team lead of Raya
all the key space required to brute force. does not know if this hash is generated on German hacker recently cracked a SHA- IT Security Services Team (RISST).
And when a given hash is required to be the fly or cached, it will authenticate the 1 hash for 2$ according to the register Saafan, the founder of RISST’s
cracked, the problem is transformed to a cracker as a benign user [6]. The figure security magazine [9]. Also, a security application security division, is
search problem where the cracker is only below shows a typical authentication white hat, Moxie Marlinspike, created a specialized in software security and
going to look up the correct hash value in scenario for a user trying to access a cloud WPA cracker for 17$/password, advanced penetration testing.
the pre-computed tables. resource on a file server. Now, what
if someone tapped the line, captured References
Rainbow tables cracking typically reduce the sent password hash in step 6, and http://freeworld.thc.org/thc-hydra/
the complexity of finding the correct replayed it later on without knowing the http://project-rainbowcrack.com
password to orders of magnitude of its password? He will be granted access http://ophcrack.sourceforge.net
rival brute force methods. According (under certain conditions). http://www.codinghorror.com/blog/2007/09/rainbow-hash-cracking.html
to a security researcher at “the coding http://www.lostpassword.com/attacks.htm#xieve
horror” security blog, the password Pass-the-hash is very effective in cases http://www.sans.org/reading_room/whitepapers/testing/crack-pass-hash_33219
http://www.security-database.com/toolswatch/Pass-The-Hash-Toolkit-v-1-4.html
“Fgpyyih804423”, which is considered of repeated or static server authentication http://www.elcomsoft.com/eprb.html#gpu
http://www.theregister.co.uk/2010/11/18/amazon_cloud_sha_password_hack/
www.bluekaizen.org

Social Social networks serve as fertile grounds for
  
Networks information leakage, malware and crime ware.
Personally
Personal laptops/mobiles may lead to malware/virus/
owned
A Simplified Approach to
  
information leakage.
Devices
Newly introduced devices in the marketplace may

Achieve Security in a New Devices    have potential threats; malware/virus/information
leakage.

Consumerized Environment
New tools introduced into the environment by users,
New Tools    such as a new mail client. Their potential threat is
malware/virus/information leakage.
By Vinoth Sivasubramanian
Classify Data: 3. Mandatory health checks of laptops
Abstract: This paper looks at simple ways that can be Information security professionals should connecting to the corporate network
adopted by anyone into their IT environment. Without a doubt, be highly aware of which kind of data via network access protection to be
those ways greatly help Information Security personnel to needs to be secured. They must assess performed to ensure that the laptops
strike the right chord between security and consumerism. which information is valuable and which adhere to the security standards of the
is not, and be able to strike the balance company
Introduction: Consumerization is the on it. Capitalising the movement means between protecting custodial data, secret 4. Mandatory encryption of commu-
latest catch phrase in the workplace. With boosting productivity by facilitating it with data and usual business data. According nications in transit between employees
the growing penetration of broadband new ways of connecting and sharing, to a 2010 Forrester research study, owned devices and the company
and mobile technologies, the tools used staying competitive as an innovative security teams need to focus more on network via VPN
in the workplace are changing rapidly. company and a workplace, and of course protecting secret data that provides long- 5. Enforce sync parsing to control
Earlier equipments and technologies delivering IT flexibly while managing term competitive advantages such as which data types can be synchronized
used to be released in enterprises and security. mergers and acquisitions product plans, between mobiles and the computer of
then in marketplaces, but this trend is These are various methods on how earning forecasts and trade secrets, and the organisation
highly reversing nowadays. They are the security personnel can go about to
other data that damage their reputation 6. Enable the biometric technology on
introduced first in the marketplace, and achieve the right balance between IT
rather than protecting usual business data. company owned mobiles
then, they make their own way into security and consumerization.
Example earning reports of many public
enterprises. Facebook, iPhone and
Google Android are typical examples. Know your Threats: listed companies are posted into their White List Consumer Software:
A recent Unisys study, conducted by Knowing and documenting the source websites which need not be protected at Consumer software are those that
IDC[1], exposes a troubling gap between of threats is the first basic step. A simple all. can be used on the computers of the
the activities and expectations of new documentation template is shown below. organisation, such as Skype, iTunes,
generations of iworkers, and their The purpose of this template is to serve Establish Sound Security Policies: etc, and then they are easily published
employer’s readiness to manage secure as an example and it is intended for it not At the minimum, an information security on the organisational portal. In addition,
rand support this movement and capitalise to be complete. policy revolving around consumerisation this list is circulated through other
must contain the following. internal communication mechanisms of
Threat Source C I A
Description of source and their potential threats. 1. Mandatory encryption of any company the organization. Any other consumer
Web 2.0 Applications, such as Wikis, and RSS feed owned secret/custodial data on their software that needs to be used will be
can embed malicious links, which can induce the personally owned mobiles/devices incorporated into this white list only
Web 2.0
   user to enter into malicious sites/download malware/ 2. Mobile devices that are used for after getting the go ahead from the “IT
Applications
zero day threats to their computers that destroy the business must have the potential to have Security Team”.
CIA of the organization. their data remotely wiped
34 35 April/june 2011
www.bluekaizen.org

Information Security Awareness personnel can monitor in real-time very well happen in a consumerised IT CMDB:
Campaigns: the location of employees and limit or environment; so having a mature incident Benchmarking all consumer software,
Reigning in a comprehensive information disable their ability to access sensitive management system in place is vital to tools, devices and equipment as per
security awareness campaign will information, and they can go on isolate the incident and to ensure the good security practices, and having a
measure the awareness level through conducting sensitive transactions in availability of systems, which will both configuration management database for
frequent and infrequent quizzes and areas, such as coffee pubs, etc. The use lead to the continuity of the business. all tools/devices will ensure that any new
tests. Thinking of various methodologies of advanced technologies such as these Change Management Methodology: devices, that fall under this category, will
on how best to reach out to all employees will also enable security professionals to Employing robust change management match to these new standards. Creating
within the organization, and involving track employee’s activity when he/she is methodologies is important to ensure awareness to everyone using internal
all employees of the organization right deploying overseas. that all new tools/devices which are to be communication mechanisms is a must.
from senior management to contract used in accessing data from the corporate
employees are two things to be taken into Deploy Virtualized Desktops: network will need to go through a change Deploy Integrated End Point Solutions:
consideration. When virtualised desktops are deployed, management process. This helps to make Deploying integrated end point manage-
employees can access information on sure that all consumer items are evaluated ment solutions with a centralised man-
Enforce Policy Monitoring Tools: their personal devices; but the core properly before they are released into the agement console is required to ease
Once policies are understood and infrastructure and data remain on corporate environment. the administration effort required from
accepted, then comes the need to corporate servers behind the firewall. security administrators.
enforce policies and monitoring tools just
to ensure compliance to the same. This is Separate Networks Based on Data
where technology comes to our rescue. Access:
The usage of technological tools, such Creating separate VLANs for data Conclusion: While consumerisation is a healthy phenomenon, the security threat
as VigilEnt Policy Center, will ensure the accessed from home and other locations brought about is real. Security administrators can take simple proactive steps such
levels to which policies are being followed will ensure that the core corporate network as these to address threats brought about by consumerisation. By using the right mix
in addition to reporting deviations on a is available in the event of an incident of processes, procedures, awareness and tools, they can always ensure security and
real time basis. occurring due to malware/spyware, etc. consumerisation which are in sync with each other.
Moreover, creating separate VLANs
Restrict Mobiles in Designated Areas: for accessing corporate data using References:
The usage of mobile equipment in personally owned devices ensures that [1]: http://www.unisys.com/unisys/ri/topic/researchtopicdetail.jsp?id=700004.
sensitive areas such as the data center rogue equipment do not get directly
should be restricted, and monitoring connected to the corporate network
the data center 24/7 through a CCTV without the help of an insider.
camera is essential. Certain steps like
About the Author: I am currently working with UAE
maintaining the records of the CCTV Deploy NAC/NAP: Exchange Center LLC as Manager – IT Audit. I have
camera for at least a period of 3 months Implementing Network Access Control/ around 7+ years of experience in information security
is recommended. This can be securely Network Access Protection ensures that in various domains such as finance, telecommunication
disposed off or archived with necessary personally owned devices and mobiles and consulting. My great passion towards information
security is the secret of my success. I am also a member
approvals. that connect to the corporate network of International Cyber Ethics, and an ISSA educational
have met the security standards of the advisory committee member. You can contact me on the
Employ Location Based Technology: company in reference to antivirus/latest following email-address:
This is a new trend in technology which patches and so on. vinoth.sivasubramanian@gmail.com
uses Global Positioning Systems. Incident Management System: In spite
Information security managers and of best efforts, a security incident can

www.bluekaizen.org

Cyberspace as a
than the other domains. One of the globally operated
classic shared components is the human Unclear boundaries
interface with the domain and how the Fairly deregulated
private sector can influence and shape Friend and foe traversing the same virtual
the cyber battlefield much like the role of space
non-combatants in the terrestrial domain. Many unsupervised points of entry
Much like the US, many nations are Lacks attribution

War Fighting
viewing cyberspace as a war fighting Interdependent (domino effect)
domain, and thus, many countries have Not resilient or secure enough
been working around the clock to create Some of the shared physical domain
cyber commands in the hopes of being components are:
able to carry out both defensive and Human interaction
offensive cyber operations. While this Political influence

Domain
seems to be the natural course of action, Similar command and control
the lack of doctrinal substance, proper Similar mission sets
strategy and operational know-how by Areas of effect
some nations could destabilize the cyber
By Paul de Souza domain and create economic, political As the Internet innovates and our world
and military tension. Proper education moves into a more dependent cyber
CSFI mission: and training in the area of cyber warfare reality, we must also defend our cyber
“To provide Cyber Warfare awareness, guidance, and is one of the key elements to help nations freedoms and the ability to exist as
security solutions through collaboration, education, volunteer properly develop their defenses businesses and as sovereign nations in
work, and training to assist the US Government, US Military, responsibly and be able to fully cyberspace. Every cyber citizen should
Commercial Interests, and International Partners.” comprehend cyberspace as a war fighting have the right to operate responsibly in
domain without compromising the cyberspace and maintain the integrity of
freedoms of other state actors. his or her activities in the virtual world.
One of the big challenges that most cyber however, much of the warfare strategies,
Some of the unique characteristics of the The militarization of some elements of the
commanders have, or for that matter tactics, doctrines and policies used in the
cyber war fighting domain are: internet along with collaboration efforts
anyone who is responsible for protecting physical domain can be applied to the
between the private and public sectors
cyber systems, is to make the connection cyber domain without the need to reinvent
Decentralized become a necessity for one’s survival.
between cyber operations and kinetic the wheel. Our cyber community should
Privately owned (85% of the Internet) and
warfare. The virtual battlefield has many leverage these analogies more often.
of the elements found in the physical One of the major changes in thinking
domains of land, air, space, and sea. coming from the USAF is the
Deputy Defense Secretary William J. acknowledgment that unplugging the About the author: Paul de Souza is the
Founder/President/Director of CSFI (Cyber
Lynn, III said, “Information technology Internet due to cyber-attacks is NOT an Security Forum Initiative) and its divisions CSFI-
provides us with critical advantages in all option and that our cyber commanders CWD (Cyber Warfare Division) and CSFI-LPD
of our warfighting domains, so we need must fight through the attacks and (Law and Policy Division). CSFI is a non-profit
to protect cyberspace to enable those continue to be operational regardless organization with headquarters in Omaha, NE
advantages.” One of the discussions of the intensity and sophistication of with an office in ashington DC. Paul has over
taking place around the world revolves cyberattacks. 11 years of cyber security experience and has
around the fact that the cyber domain is worked as a Chief Security Engineer for AT&T
Mission assurance became a key
where he designed and approved secure
a unique one. There is wisdom is this component of any cyber operation. networks for MSS. Paul has also consulted
thought process as cyber demands However, in the cyber domain, it remains for several governments, military and private
unique skills sets and capabilities; true that the reaction time is much faster institutions on best network security practices.

www.bluekaizen.org

HANDS ON TECHNICAL TRAINING SESSIONS
17TH - 18TH MAY
TECH TRAINING 1 - HUNTING WEB ATTACKERS
The goal of this innovative training is to help white-hats improve their skills in the on-going cyber war against web
attackers. Attendees will learn how to detect web intruders, and then how to strike-back so that they can better identify
the assailants or neutralize their actions. This technical hunt will be based on hands-on exercises launched with the help
of the instructor on a dedicated LAN. Students will have the opportunity to apply those special techniques in a real world
environment.

TECH TRAINING 2 - THE EXPLOIT LABORATORY: BLACK BELT
The Exploit Laboratory Black Belt is a new and advanced class continuing from where The Exploit Laboratory left off.
This class is for those curious to dig deeper into the art and craft of software exploitation and begins with a quick
overview of concepts covered in The Exploit Laboratory, namely stack overflows, abusing exception handlers, heap
overflows, memory overwrites, and other core concepts. We shall then focus on topics which involve breaking exploit
prevention techniques like non executable stack, DEP, ASLR, etc.

TECH TRAINING 3 - WINDOWS PHYSICAL MEMORY ACQUISITION &
ANALYSIS
The aim this intensive two-day course is to convert computer science and forensics professionals into fully operational
live memory analysts for the Corporate, Law enforcement and Government environments. In this technical course,
attendees will learn how to use software-based acquisition methods (with MoonSols utilities such as win32dd and
win64dd, and even Windows itself) and the clockwork of different full memory dump file format. The audience will also
learn the difference between hardware and software acquisition methods and how to do advanced analysis on these
dumps.
TECH TRAINING 4 - WEB HACKING 2.0
The course is designed by the author of “Web Hacking: Attacks and Defense”, “Hacking Web Services” and “Web 2.0
Security – Defending Ajax, RIA and SOA” bringing his experience in application security and research as part of
curriculum to address new challenges for pen-testers, consultants, auditors and QA teams. Web Hacking 2.0 is
extensively hands-on class with real life challenges and lab exercises. Participants would be methodically exposed to
various different attack vectors and exploits. The learning sessions feature real life cases, hands one exercises, new
scanning tools and exploits.

OTHER CONFERENCE HIGHLIGHTS
19TH - 20TH MAY
HITB LABS & HITB SIGINT
First introduced in 2008, the HITB Labs form the third track in our quad-track line up. Catering for only 60 attendees,
these sessions are intensive, hands-on presentations that require audience interaction so please bring your own
laptops if you intend to attend. Seats are given out on a first come first serve basis so be sure to be at the room at least
10 minutes before the session commences.

The HITB SIGINT (Signal Intelligence/Interrupt) sessions are designed to provide a quick 15 minute overview for
material and research that’s up and coming – stuff that isn’t quite ready for the mainstream tracks of the conference but
deserve a mention nonetheless. These session are not only for seasoned security professionals but is also open to all
final year students based in The Netherlands or around Europe who want to present their projects to industry experts
and the security community.

Lock Picking Village by TOOOL.nl
Set up and run by members from the The Open Organization of Lockpickers (TOOOL Netherlands), attendees to this
year’s event will get a chance to try their hand at picking, shimming, bumping, safecracking, and other physical security
attacks. It has always been customary for TOOOL-sponsored physical security sessions to offer some degree of
audience interaction and hands-on training. Sometimes this has taken the form of publicly-submitted locks being given
on the spot security analysis, other times members of the general public with no lock-picking experience have been
invited to attempt a bypass in order to demonstrate its ease.
Capture The Flag - World Domination
Capture The Flag – World Domination is an attack only competition set up and run for the very first time by the HITB.nl
CTF Crew! The game mimics real world scenarios and events, bringing the technical attack fun of hacking into the
competition. For the first time ever, the CTF introduces a new section, hardware hacking and lock picking! Whether it is
to lock pick a simple lock to get a flag, to exploit a certain binary or a need to bypass the encryption on a embedded
system, this game will make even the most elite “hackers” sweat. There are over 30+ flags to capture and flag points
decrease after each submission. Fastest player to submit a flag gets more points compared to the next player. The
winner is determined by who ever has the most points.
Hackerspaces Village & Technology Showcase
Free and open to public, attendees to the Hackerspaces Village will get an inside look at hackerspaces, their community,
projects and even get their hardware hack-on! In the village you will find representatives from the various .EU and
Netherlands based hackerspaces who will be on site showcasing their projects. Each hackerspace will also present in
the HITB SIGINT session highlighting the details of their current projects or developments. Alongside the hackerspaces,
CTF and Lock Picking Village, there will also be a technology showcase of next generation network security technology,
products and solutions.

Security kaizen consumerization

More Related Content

Similar to Security kaizen consumerization (20)

More from Vinoth Sivasubramanan (8)

Recently uploaded (20)

Security kaizen consumerization