PenTest Regular 11/12


Learn how to attack SSH Tunnels security with the latest PenTest Regular.

Transcript of PenTest Regular 11/12

Titania Limited • County House • St Mary’s Street • Worcester WR1 1HB • UK
Telephone: +44 (0)845 652 0621 • Email: [email protected] • www.titania.com
Titania Limited is a company registered in England and Wales. Registered Number: 6870498. VAT Registration Number: 984 3990 61

KEY FEATURES

Configuration Auditing with no Network Traffic

Advanced, Detailed Reporting

CVSSv2 Rating Systems

Customizable Settings

Easy to Action Mitigation Reports

Multi-Platform Support

Secure Offline Activation

Over 100 Plugins

Technical Support and Updates

PLUS much more...

NEW FEATURES!
Raw Configuration Change Tracking: Nipper Studio reports now include the raw configuration changes from your network device. Nipper Studio highlights the different options within your configuration that have been added or removed since the previous audit.

PLUS!
Audit Change Tracking: Now you can include a change comparison within your security audit. The report then highlights the vulnerabilities fixed, the issues still remaining and any new vulnerability that has occurred since your last audit. This allows you to have a clear view of how your system’s security has progressed.

Multi-Platform Support for... Windows, Linux, Mac

Save Time
Security audits are time consuming for both the systems owner and the auditors. A detailed examination of an average sized configuration can take half a day and 2 to 3 weeks to complete the report. Nipper Studio can perform the audit and produce the final report in just a few seconds.

Save Money
Audit companies typically charge per man day for auditing and reporting. For a 25 device network an audit and report could take up to 3 weeks. An experienced security auditor would typically cost £1,000 per day, so an audit of a small network could cost up to £20,000. A Nipper Studio license for 25 devices costs only £600!

CYBER SECURITY AUDITING SOFTWARE
Nipper Studio is your cyber security expert in a box. Our industry leading security auditing tool allows you to produce detailed and thorough security audits of your network devices in seconds, at a fraction of the cost of manual testing.

Companies worldwide depend on their computer systems to successfully run their businesses. These systems will often contain classified information, therefore it is imperative that they are secure. However due to time and cost restrictions manual penetration tests may happen only once or twice a year. Nipper Studio not only dramatically reduces the time taken for penetration testing but also helps you to feel secure in the intervals between manual audits. With Nipper Studio you can audit the same set of devices as many times as you like during your subscription period, so you can feel secure and stay secure.

With years of experience in the network auditing industry we understand it is important that a security audit highlights all potential threats and doesn’t just review firewall rules. As a result Nipper Studio’s advanced and detailed reporting is used and trusted by global organisations in the financial, telecommunications, defence, government and security sectors and has users in 40 countries worldwide.

Nipper Studio Supported Devices

PLUS more...

Page 4 • http://pentestmag.com • 11/2012 (19) November

Managing Editor: Krzysztof Sikora [email protected]

Associate Editor: Trajce Dimkov [email protected]

2nd Associate Editor: Aby Rao [email protected]

Betatesters: Harish Chaudhary, Robert Kriz, Stefanus Natahusada, Emiliano Piscitelli, Aby Rao, Gareth Watters, William Whitney, Steven Wierckx, Andrea Zwirner

Proofreaders: Kevin Fuller, Dyana Pearson, Jeff Weaver, Ed Werzyn, Tony Campbell

Senior Consultant/Publisher: Paweł Marciniak

CEO: Ewa Dudzic [email protected]

Art Director: Ireneusz Pogroszewski [email protected]

Production Director: Andrzej Kuca [email protected]

Publisher: Software Press Sp. z o.o. SK
02-682 Warszawa, ul. Bokserska 1
Phone: 1 917 338 3631
www.pentestmag.com

Whilst every effort has been made to ensure the high quality of the magazine, the editors make no warranty, express or implied, concerning the results of content usage.

All trade marks presented in the magazine were used only for informative purposes.

All rights to trade marks presented in the magazine are reserved by the companies which own them.

To create graphs and diagrams we used program by

Mathematical formulas created by Design Science MathType™

DISCLAIMER! The techniques described in our articles may only be used in private, local networks. The editors hold no responsibility for misuse of the presented techniques or consequent data loss.

Dear PenTesters!

In this issue, we will focus on SSH Tunneling and we will learn how to bypass anti-virus software or web application firewalls, and how to protect your PC.

In the SSH Tunneling section we start with an introduction. Digit Oktavianto states that instead of using telnet, it is advisable to use SSH as your program to communicate between your PC and your remote PC, as SSH provides secure encrypted communications. What is more, Andrea Zwirner, among many other things, will show you how to use SSH tunnels to bypass network and web application firewalls and antiviruses. Alva „Skip” Duckwall focuses on using SSH to tunnel traffic in a variety of different ways and their value during a penetration test. You will learn about the differences between local, remote and dynamic port forwarding; usage scenarios for the various methods of port forwarding; and how to use “Netcat” mode in SSH. Ben Moore explains how to create an SSH tunnel to your own PC, protecting you from man-in-the-middle attacks while using open networks.

In the Plus section, we prepared three different but great articles for you. In the first one Colin Renouf makes you familiar with OpenSSL and how its prevalence represents a problem, undermining any efforts in heterogeneity, concentrating on Linux as the base operating system platform. Furthermore, Bart Leppens decided to share his knowledge about WPS and explains why it is a possible vector of attack. The tools “reaver” and “wash” will help you to check if your devices are vulnerable to WPS brute-forcing. The section ends with the article by Tony Campbell. His article looks at the prickly subject of professionalism, certification and training for penetration testers.

The Regular section is devoted to the article by Adam Kujawa who makes us aware of the dangers that all Skype users currently face and provides us with a historical look at cyber-crime in social media.

We continue with Marc Gartenberg’s section on NISPOM. We focus on chapters 10 through the appendices, which introduce us to International Security Requirements.

In this issue, we prepared for you the next chapter from John B. Ottman’s book “Save the Database, Save the World!” This time you can read about Database SRC Solutions Value.

I hope that you will find this issue worthwhile. Should you have any questions or suggestions concerning topics you want to read about, feel free to contact us at [email protected].

Thank you all for your great support and invaluable help.

Enjoy reading!
Krzysztof Sikora & PenTest Team


CONTENTS

SSH TUNNELING

06 Basic Concept and Usage of SSH Tunnel
by Digit Oktavianto
Do you know telnet? rsh? rlogin? Those are the programs that allow you to connect to a remote server, whether it is located in a local network or across the Internet.

12 SSH Tunnels: How to Attack Their Security
by Andrea Zwirner
You will learn how to use SSH tunnels to bypass network and web application firewalls and antiviruses; how to encapsulate SSH tunnels to bypass proxies and content inspection devices; how the privilege separation programming pattern enforces local process security; and how to trace SSH daemon activities in order to steal login passwords and sniff SSH tunneled communications by catching inter-process communications.

22 SSH Forwarding
by Alva „Skip” Duckwall
Secure Shell, or SSH, is a series of cryptographic network protocols which are used as replacements for several older, unencrypted protocols such as telnet, rlogin, and rsh.

26 DIY SSH Tunneling: How to Create an SSH Tunnel
by Ben Moore
This article will walk you through using free and open-source software to create an SSH tunnel to your own PC, protecting you from man-in-the-middle attacks while using open networks. The pieces necessary for creating your own SSH tunnel are: a PC to use as a terminus for the tunnel, an SSH server, a TTY application to establish the tunnel, and a remote session client.

PLUS

32 The Problem with OpenSSL
by Colin Renouf
This article will look at OpenSSL and how its prevalence represents a problem, undermining any efforts in heterogeneity, concentrating on Linux as the base operating system platform.

38 WPS: Does It Make Our Wireless Networks Really Safer?
by Bart Leppens
Often experts criticise wireless networks protected with WEP. But no matter how strong the encryption of a wireless network is, if you are able to extract the key, you still get in. WPS can be a possible vector of attack. The tools “reaver” and “wash” will help you to check if your devices are vulnerable to WPS brute-forcing.

44 Pen Testing: Nature vs. Nurture
by Tony Campbell
One question many pen testers (or wanna-be pen testers) ask is, what are my career prospects? This question stems from the fact that pen testing is an extremely parochial and niche skill set and for some, the word professionalism can conjure up images of consultants in suits and managers with whiteboards, rather than the stereotyped shell-coders burning the midnight oil with pizza and extra strong Java coffee.

COLUMN

54 Dial ‘S’ for Scammers
by Adam Kujawa
We all live virtual lives, where we share, discuss and discover new things about ourselves and everyone else every single day. There are many tools we use to accomplish this, from social networking sites like Facebook, online video games like Runescape and social communication applications like IRC, Windows Live Messenger and the audio/video communication program Skype. As we continue to become more reliant on these devices to keep us connected, cyber-criminals are exploiting that reliance more and more. There are dangers that all Skype users currently face, as well as a historical look at cyber-crime in social media.

58 The Physical Aspects of Cybersecurity and Their Importance – NISPOM
by Marc Gartenberg
For those who just joined, we are analyzing the different aspects behind the central policy document of the US Federal Government and its various Agencies titled NISPOM, the National Industrial Security Program Operating Manual, looking at the strengths and weaknesses of what the United States Department of Defense set out as standards and methods for their contractor base.

READ

62 Save the Database, Save the World! – Chapter 9
by John B. Ottman

SSH Tunneling

Basic Concept and Usage of SSH Tunnel
by Digit Oktavianto

Do you know telnet? rsh? rlogin? These are the programs that allow you to connect to a remote server, whether it is located in a local network or across the Internet. The problem is, when you use a program like telnet, communication between the local and remote PC becomes very insecure, as telnet sends the password in clear text. Hence, instead of using telnet, it is advisable to use SSH as your program to communicate between your PC and a remote PC. SSH provides secure encrypted communications.

SSH or Secure Shell (SSH) is a cryptographic network protocol for secure data communication, remote shell services or command execution and other secure network services between two networked computers that connect via a secure channel over an insecure network. SSH is actually a suite of three utilities – slogin, ssh, and scp – which are secure versions of the earlier UNIX utilities rlogin, rsh, and rcp. SSH commands are encrypted and secure in several ways. Both ends of the client/server connection are authenticated using a digital certificate, and no passwords are transmitted without encryption.

Now, what is tunneling? What is SSH tunneling? How does it work? How does it provide secure communication? What are the differences between SSH tunneling and a VPN? How do I configure my computer to use SSH tunneling? Let us discuss the above questions one by one.

What is tunneling?
Technically speaking, tunneling means the transmission of data through a connection that has been established beforehand. Tunneling is also known as an encapsulation protocol, and a tunneling protocol is a standardized way to encapsulate packets. A tunneling protocol can encapsulate a packet of the same or a lower layer. This is quite different from the general case, where the lower layer protocol encapsulates packets from the higher layer protocol.

What is SSH tunneling? How can it provide secure communication?
In SSH tunneling, the data transmitted over an SSH connection is encapsulated in SSH packets, so you can use SSH as a tunneling protocol to secure your communication. An SSH tunnel consists of an encrypted tunnel created through an SSH protocol connection. The purpose of SSH tunneling is to add a layer of security that protects each packet from the starting point to the end point. When you use SSH as your tunneling protocol, everything transmitted between your computer and the remote computer is encrypted within your SSH session.

SSH tunneling is a common technique in the security field. It can also be used as a backdoor to bypass defensive layers, from firewalls to IDS and IPS.

Besides packet encapsulation, SSH tunneling also requires port forwarding. Port forwarding or port mapping is essentially the process of intercepting traffic bound for a certain IP/port combination and redirecting it to a different IP and/or port. Port forwarding is the term given to the combined technique of translating the address and/or port number of a packet to the new destination where it’s

SSH Tunneling

SSH Tunnels: How to Attack Their Security
by Andrea Zwirner

In this article, we will concentrate our attention on the use of SSH tunnels independent of the protocols we need to use on top of them. We will pay particular attention to how the tunnel works and how it can help us to elude the security controls which have been implemented within the infrastructure we are testing. After that, we will change our point of view and see how to attack SSH.

We will exploit the privilege separation feature in order to steal login passwords in the SSH daemon inter-process communication, as well as sniff entire user sessions.

Secure Shell (SSH) tunnels are very useful tools that every professional penetration tester should master and be able to use to the best of their capabilities.

An SSH tunnel consists of an encrypted communication channel created through the use of the SSH protocol and is mainly used in order to encapsulate traffic of other protocols, such as Remote Desktop Protocol (RDP), Common Internet File System (CIFS), rsync, etc., in order to benefit from encryption.

SSH tunnels are very useful during penetration testing because they enable the bypass of a number of the security measures commonly implemented by systems administrators to harden their infrastructures, such as network level anti-virus, network and web application firewalls (WAF), intrusion detection systems (IDS), intrusion prevention systems (IPS) and deep packet inspection (DPI) devices.

Used tools and applications
All of the tools and applications used in this article can be installed in any apt or yum based Linux distribution simply by running:

apt-get install tool-name

or

yum install tool-name

For each tool used during the article, I suggest carefully reading the entire manual page by using the man command or by looking it up on the Internet.

All of the Windows tools we will use are freely distributed by their developers in executable format and can be run from the command line from the directory into which they have been downloaded.

Netcat basics
Netcat is a very useful network tool; as we can read from its man page, it “is a simple Unix utility which reads and writes data across network connections, using TCP or UDP protocol”. This tool permits us to open a socket on the local machine, or to connect to one that is already open.

As we said, in the examples provided we will not care about the protocol that will be encapsulated over the tunnel but will instead focus on the tunnel itself. In order to be as generic as possible, we will use Netcat to open sockets and establish connections.

SSH Tunneling

SSH Forwarding
by Alva „Skip” Duckwall

Secure Shell, or SSH, is a series of cryptographic network protocols which are used as replacements for several older, unencrypted protocols such as telnet, rlogin, and rsh. What originally started out as a way to secure console connections with remote machines has evolved into a robust suite of protocols that allow for file transfers, support for multiple console connections over a single link, the ability to forward X11 communications, as well as the ability to forward traffic in a variety of different ways.

The focus of this article is going to be on this last feature, namely using SSH to tunnel traffic in a variety of different ways and their value during a penetration test.

Basic TCP Port Forwarding
The simplest form of tunneling that SSH supports is redirecting a single TCP port from one end of the connection to the other. This can be either a local port that is redirected on the far end of the connection or a remote port that is redirected locally. Whether it is called a local port forward or a remote port forward depends on which end of the connection is listening and which way the connection is forwarded. I will present scenarios to help clear up any confusion and illustrate their usage during an assessment.

Local Port Forwarding
When we want a local port to be listening and forward connection traffic to a remote port, it’s called a local port forward. This type of port forward is commonly used to allow us to connect to remote network services with client software running on our attack machines. Here is a common scenario and a diagram to help illustrate.

Scenario 1
You have been tasked to evaluate the external web presence of ABC Widgets. The client disclosed that they primarily use a LAMP (Linux/Apache/MySQL/PHP) stack for their web application. During the enumeration phase of your testing you discover that ABC’s firewall has SSH listening on the outside interface. Through further testing you discover that a default username and password (guest/

Figure 1. Local Port Forward
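The port forwarding described in the two SSH articles above (intercepting connections to one IP/port and relaying them to another, which is what a local port forward does on the listening side) is easiest to understand as a plain TCP relay. The following is an added example, not code from either article or from OpenSSH: a small relay that plays the listening role of an `ssh -L` local forward without SSH's encryption or authentication, plus a constructed stand-in "remote service" that only uppercases what it receives, so the whole thing runs offline on the loopback interface. The function names (`start_forwarder`, `start_upper_service`, `send_through`, `demo`), the loopback ports and the sample payload are this example's own assumptions.

```python
import socket
import threading

# Added example, not from the article or OpenSSH: a plain-socket TCP relay that
# plays the listening role of an "ssh -L" local port forward (minus encryption),
# plus a constructed stand-in service so everything runs offline on 127.0.0.1.

def _pump(src, dst):
    """Copy bytes src -> dst until src hits EOF, then half-close dst so the peer
    sees EOF too; this is what lets a request/response exchange complete."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass

def _relay(client, target):
    """Open the onward connection to the forward target and relay both ways."""
    try:
        remote = socket.create_connection(target, timeout=5)
    except OSError:
        client.close()  # target unreachable: drop the client connection
        return
    remote.settimeout(None)  # the relay itself never times out an idle session
    threads = [threading.Thread(target=_pump, args=(client, remote), daemon=True),
               threading.Thread(target=_pump, args=(remote, client), daemon=True)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    client.close()
    remote.close()

def _serve(listen_host, listen_port, handler):
    """Bind a listener and hand every accepted connection to handler(conn).
    Returns (bound_port, stop_function); port 0 lets the OS pick a free port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((listen_host, listen_port))
    srv.listen(5)
    srv.settimeout(0.2)  # lets the accept loop poll the stop flag
    stop = threading.Event()

    def loop():
        while not stop.is_set():
            try:
                conn, _ = srv.accept()
            except socket.timeout:
                continue
            except OSError:
                break
            threading.Thread(target=handler, args=(conn,), daemon=True).start()
        srv.close()

    threading.Thread(target=loop, daemon=True).start()
    return srv.getsockname()[1], stop.set

def start_forwarder(listen_host, listen_port, target_host, target_port):
    """Local port forward: connections to listen_host:listen_port are relayed
    to target_host:target_port, the role "ssh -L" plays on the client side."""
    return _serve(listen_host, listen_port,
                  lambda conn: _relay(conn, (target_host, target_port)))

def start_upper_service():
    """Constructed stand-in for the remote service: read until EOF, reply with
    the bytes uppercased, then close."""
    def handle(conn):
        with conn:
            chunks = []
            while True:
                data = conn.recv(4096)
                if not data:
                    break
                chunks.append(data)
            conn.sendall(b"".join(chunks).upper())
    return _serve("127.0.0.1", 0, handle)

def send_through(port, payload):
    """Client side: talk to the local forwarded port as if it were the service."""
    with socket.create_connection(("127.0.0.1", port), timeout=5) as s:
        s.sendall(payload)
        s.shutdown(socket.SHUT_WR)  # end of request
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks)

def demo(payload=b"hello through the forward"):
    """Start the service and the forwarder on loopback, send one request through
    the forwarded port and return the service's reply."""
    svc_port, stop_svc = start_upper_service()
    fwd_port, stop_fwd = start_forwarder("127.0.0.1", 0, "127.0.0.1", svc_port)
    try:
        return send_through(fwd_port, payload)
    finally:
        stop_fwd()
        stop_svc()

if __name__ == "__main__":
    print(demo())  # b'HELLO THROUGH THE FORWARD'
```

Running the file prints the reply as received through the forwarded port. The difference from a real `ssh -L` is where the two halves live: the listening socket is on the SSH client, the bytes cross the encrypted SSH channel, and the onward connection to the target is made by the SSH server, which is why devices between client and server see only an SSH session and why the articles above treat this as a way past network-level controls. The half-close handling in `_pump` is the part most home-grown relays get wrong: without it the service never sees end-of-request and the exchange hangs.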

SSH Tunneling

DIY SSH Tunneling: How to Create an SSH Tunnel
by Ben Moore

This article will walk you through using free and open-source software to create an SSH tunnel to your own PC protecting you from man-in-the-middle attacks while using open networks.

I worry about session privacy at public hotspots. I use https on everything that I can and I just don’t use confidential data on any service that doesn’t support https. But you just never know. Firesheep scares me.

One of my co-workers uses LogMeIn Pro and does all his “work” on his home PC. That angle interested me, but while I use LogMeIn Free for occasional remote access, it requires a persistent application running on the target PC. And LogMeIn only uses a userid/password for access security.

The pieces necessary for creating your own SSH tunnel are: a PC to use as a terminus for the tunnel, an SSH server, a TTY application to establish the tunnel, and a remote session client.

I decided that I wanted my SSH tunnel to terminate on a virtual machine on my home PC. That way I could closely manage what that “PC” has access to on my home network.

For the SSH server, I wondered if there wasn’t something that I could do in my router. I discovered that dd-wrt [1] v24 and higher supports SSH tunnels [2].

I found a refurbished router for less than $40 that has a gigabit switch, 802.11N Wi-Fi, and is supported by dd-wrt.

To connect to an SSH server you need a TTY application. I wanted my solution to run from my USB drive, so for the TTY application a friend pointed me to PuTTYPortable [3].

One of the first steps you need to do is to generate a public/private key pair for the SSH session. Puttygen [4] will do this. Notice that you also have to establish a passphrase (similar to WPA) so that even if you lose the USB drive you’re still protected.

Figure 1. PuTTY Key Generator

PLUS

The Problem with OpenSSL
by Colin Renouf

This article will look at OpenSSL and how its prevalence represents a problem, undermining any efforts in heterogeneity, concentrating on Linux as the base operating system platform. It outlines how the principles of defence in depth mean that true heterogeneity is required, with use of other SSL/TLS implementations, and some unusual and “bleeding edge” architectural solutions.

Whilst working in recent PCI remediation scenarios a common issue was found; one that is sadly misunderstood within the industry. Many security and infrastructure professionals look at different products and devices without understanding what goes on “under the hood”, so miss something that would otherwise be obvious. What is the problem? Remember defence in depth and the underlying concept of heterogeneity.

Many manufacturers look for a quick turnaround to market, and rather than reinvent the wheel base their products on an Open Source core of Linux or FreeBSD, OpenSSL, etc. Some typical examples come from the Apple Mac OS X operating system core called “Darwin”, which is derived from a Mach microkernel with a FreeBSD outer layer, or the Android mobile operating system, which is Linux based; as client operating system examples. For the security and network device examples we have the CheckPoint IPSO firewall OS, which is derived from FreeBSD, or the BigIP F5 Local Transaction Manager (LTM) proxy OS that is derived from Linux. For web servers most vendors derive their core products from the Apache web server (Apache HTTP Server, IBM HTTP Server, Oracle HTTP Server) or the earlier NCSA Http Server code (Netscape/iPlanet/Oracle iPlanet Http Server). Almost all of these, in using Open Source technologies at their core, use the obvious related Open Source SSL technology, i.e. OpenSSL. The exception to this is the “iPlanet” family – which was released to the Open Source world in an updated version as part of the Oracle Open Solaris Web Stack packages; these have their own SSL engine, Network Security Services (NSS), open sourced by Mozilla. Proprietary OSes and products also often use the OpenSSL implementation, but fortunately some manufacturers do create their own implementations from scratch, e.g. Cisco and Microsoft.

It is in the use of OpenSSL that a problem arises, not so much just from a security perspective but also from an infrastructure, support and maintenance perspective. What happens when a vulnerability is found in OpenSSL? One of the principles mentioned in the CISSP body of knowledge is that security should consider the benefits of a heterogeneous environment in its holistic implementation of defence in depth protection. Many companies will blindly deploy CheckPoint firewalls, BigIP F5 LTMs, and Apache Http Servers throughout their security zoning model; and when a major OpenSSL vulnerability is found they have a seemingly insurmountable problem.

When an OpenSSL vulnerability is found the Open Source community are usually quite responsive and quick to release a patch, once the prob-

Allow us to guide your CAREER
www.InfoSecSkills.com/Careers

Are you a security expert with a penchant for teaching?

Are you good at working with other people, maybe mentoring your peers?

If so, have you ever considered yourself as a professional instructor?

InfoSec Skills is looking for dedicated security professionals who want to enhance their career and earnings as a professional tutor, providing the support, infrastructure and remuneration for authors to create world-class e-learning and classroom based courses.

If you are interested in learning more, get in touch: [email protected].

PRACTITIONER • SENIOR PRACTITIONER • LEAD PRACTITIONER • SECURITY ARCHITECTS

PLUS

WPS: Does It Make Our Wireless Networks Really Safer?
by Bart Leppens

Often experts criticise wireless networks protected with WEP; however, it doesn’t matter how strong your encryption is, if an attacker can extract the key, he can still get in. It is just as possible that WPS could be a vector of attack. The tools reaver and wash will help you to check if your devices are vulnerable to WPS brute forcing.

Often I hear people say that their WPA2 wireless networks are 100% secure. They claim that because they use a PSK (Pre-shared key) that is too complex for brute forcing. However, processors are getting faster and faster and we can even try to break encryption in the cloud; but brute-forcing isn’t the only vector of attack. This article describes some ideas of how you might obtain the PSK to gain access to a “highly secured” wireless network. Often wireless SOHO AP/routers ship with WPS. WPS stands for Wireless Protected Setup and is a protocol created by the Wi-Fi Alliance, which should help people with little know-how of wireless security to easily create a secure WiFi network infrastructure. Whilst I’ll talk about several ways to obtain the wireless key, the methods described here are by no means exhaustive and the main focus of this is WPS.

WiFi knows a history of security related problems
Encryption systems used by wireless routers have a long history of security problems. In 1997 WiFi networks used the Wired Equivalent Privacy (WEP) system, yet within only a few years it was cracked. Nowadays, security experts know WEP gives us no protection at all. Its successors, WPA (Wireless Protected Access) and WPA2 (Wireless Protected Access v2) with a PSK (Pre Shared Key), can be subject to dictionary attacks, etc. In my personal experience, I can recommend Vivek Ramachandran’s book ‘BackTrack 5 – Wireless Penetration Testing – Beginner’s Guide.’ It’s an excellent beginners’ guide that I still use a lot as a reference for wireless auditing. But, in my opinion, this book misses one basic item which is an important vector of attack – namely, WPS (Wireless Protected Setup). Wireless networks are always an interesting target for attackers because when they get in they usually have access to the complete internal network. What’s even more interesting is that the attack can be performed from a distance. With directional antennas, such as Yagis, the attack can be performed from miles away. For an active attack (not only listening, but sending packets as well), like WPS brute-forcing, the link quality must be good. Without a good connection an attack is not possible, or will be extremely slow, as many packets will get lost along the way.

Some vectors for attacking a “highly” secured wireless network
Most SOHO-routers come with a web interface, which is normally only accessible from your inter-

PLUS

Pen Testing: Nature vs. Nurture
by Tony Campbell

One question many pen testers (or wanna-be pen testers) ask is, “what are my career prospects?” This question stems from the fact that pen testing is an extremely parochial and niche skill set and for some, the word professionalism can conjure up images of consultants in suits and managers with whiteboards, rather than the stereotyped shell-coders burning the midnight oil with pizza and extra strong Java coffee.

This article looks at the prickly subject of professionalism, certification and training for penetration testers, especially in contrast with an industry that is predominantly staffed with self-taught, driven, Olympic-medalist computer specialists, who happen to have landed their dream job doing what they love the most – to crack stuff open to see how it works.

We all know what pen testers are: system security testers who have risen from the technical proving ground of programming, system administration, or networking, to professional testing of customers’ security vulnerabilities. And what’s apparent from talking to them – they almost always, without exception, love doing what they do.

Most of today’s pen testers started out as script-kiddie teenagers, beavering away on their home computers, absorbing the secrets of the Internet through bulletin boards and IRC chatrooms, accompanied by all the sense of wonder and adventure portrayed in Hollywood movies and cyberpunk comics. However, when that teen hacker eventually leaves home, goes to college, gets a job, and moves into the real world as a parent, role model, mentor and professional, they need to consider how they keep the money rolling in. This is where our story begins. As a pen tester (or prospective pen tester) you have progressed from your fascinating hobby of hacking on your home computer system to a super cool job as a professional hacker, paid for helping customers secure their systems. However, what kind of career path can you plan for yourself in this game? At first glance (and maybe for the first few years), you have landed the job of your dreams, doing what you love day-in and day-out, working with like-minded individuals on projects to break the most secure and secret computer systems on the planet. However, there will come a time when you might start wondering where you can go from here. That is what this article is all about: career paths for pen testers and whether they are necessary. Starting at the beginning, how do you get into this field? How do you get promoted? What certifications are available? Is certification worthwhile and should it be mandated? What about education and training? Is it worthwhile or necessary?

Let us start by looking at the industry as a whole. The organization responsible for the baseline security qualification known as CISSP (Certified Information Systems Security Professional), (ISC)2, estimated this year that there are approximately 2.2 million people employed in the information security sector. By the year 2015, (ISC)2 predicts that number to have risen to 4.25 million security professionals, assuming enough people have en-

Keep up to date on the latest developments in the world of digital forensics

/ Training and Certification / Management issues / Tools and Techniques / eDiscovery/eInvestigation / Incident Response/First Response / Hardware and Software / Network Forensics / Cyber Forensics / and much more...

Visit digitalforensicsmagazine.com for the latest news and views from the digital forensic community with special articles for registered users.

NEXT ISSUE OUT SOON

Prospective authors should contact [email protected] for information on submissions.

SUBSCRIBE NOW

Read Feature Articles on:

Apple Autopsy: A Digital Forensics look at all things Apple

From the Lab: In depth technical articles on products and techniques

Legal Section: In-depth articles on legal matters affecting Digital Forensics along with the latest legal news from around the world

column

54 http://pentestmag.comPage11/2012 (19) November

Dial 'S' for Scammers

We all live virtual lives where we share, discuss, and discover new things about ourselves and everyone else every single day. The tools we use to do this are many: social networking sites like Facebook, online video games like Runescape, chat applications like IRC or MSN Messenger, and the audio/video communication program Skype. As we become more reliant on these tools to keep us connected, cyber-criminals are exploiting that reliance more and more.

Skype is a communication application that allows users to communicate over text, voice and/or video. It is wildly popular and very useful in our modern world of constant communication, no matter where in the world you are. In addition to the free service, customers can pay a small fee to forward all Skype calls to a landline or cell phone. That reach, and the trust users place in it, make it a perfect avenue for social engineering and exploitation.

When Skype is Drafted by Evil

Over the last few weeks, Skype has been in the media a fair amount because malicious actors have been abusing it to swindle people into infecting themselves with malware. Cyber-criminals are using Skype to spread appealing messages that include a link to a ZIP file holding an executable disguised as an image. The Skype message reads "lol is this your new profile pic? <Link>", and it is clearly effective, since it has spread like wildfire.

The Method

At its core, you can compare this type of attack to e-mail phishing, where a user is tricked into believing that a link is legitimate based on who the message comes from and/or what it concerns. Using hijacked Skype accounts is a great way to throw people off, because a large portion of people trust social networking tools, and their friends.

When a message comes from your friend rather than a stranger, you are more prone to believe it is legitimate. In addition, the wording used for the attack is designed to exploit the human concern
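The lure the column describes is a ZIP whose payload is an executable dressed up as an image. As an added example (not code from the column or from any product it mentions), the Python script below builds a constructed archive in memory that mimics that lure and flags members two ways: by name (an executable extension, and in particular the "photo.jpg.exe" double-extension trick that Windows hides when known extensions are not shown) and by content (an image extension whose first bytes are a Windows PE header rather than a real image signature). The extension lists, the signature table and the sample file contents are assumptions made for the example.

```python
"""Flag ZIP members that pose as images but are really executables.

Added example, not code from the original article. The archive scanned
here is constructed in memory to mimic the "new profile pic" lure; the
extension lists and signatures are assumptions for the example.
"""
import io
import zipfile

# Extensions Windows will run on double-click (assumed list, extend as needed).
EXEC_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js"}
IMAGE_EXTS = {".jpg", ".jpeg", ".png", ".gif", ".bmp"}
# Leading bytes of the common image formats.
IMAGE_MAGIC = (b"\xff\xd8\xff", b"\x89PNG\r\n\x1a\n", b"GIF87a", b"GIF89a", b"BM")
PE_MAGIC = b"MZ"  # DOS/PE header every Windows executable starts with


def classify_member(name: str, head: bytes) -> list:
    """Return the reasons a member looks like a disguised executable.

    `name` is the path inside the archive, `head` its first few bytes.
    An empty list means nothing suspicious was found.
    """
    reasons = []
    base = name.rsplit("/", 1)[-1].lower()
    exts = ["." + part for part in base.split(".")[1:]]  # every extension after the first dot
    last = exts[-1] if exts else ""

    # Name-based check: executable extension, especially hidden behind an image one.
    if last in EXEC_EXTS:
        reasons.append(f"executable extension {last}")
        if len(exts) > 1 and exts[-2] in IMAGE_EXTS:
            reasons.append(f"double extension {exts[-2]}{last} masquerading as an image")

    # Content-based check: an "image" that does not start like one.
    if last in IMAGE_EXTS:
        if head.startswith(PE_MAGIC):
            reasons.append("image extension but the content starts with a PE (MZ) header")
        elif not head.startswith(IMAGE_MAGIC):
            reasons.append("image extension but no recognised image signature")
    return reasons


def scan_zip_bytes(data: bytes) -> dict:
    """Scan an in-memory ZIP; return {member name: [reasons]} for flagged members only."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(16)  # enough bytes for every signature above
            reasons = classify_member(info.filename, head)
            if reasons:
                findings[info.filename] = reasons
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample archive mimicking the lure (not a real capture)."""
    pe_stub = b"MZ\x90\x00" + b"\x00" * 60  # only the DOS header magic, not a runnable binary
    jpeg = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 32
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("profile_pic.jpg", jpeg)          # genuine image: should pass
        zf.writestr("profile_pic.jpg.exe", pe_stub)   # the classic double-extension lure
        zf.writestr("photo.png", pe_stub)             # renamed PE: only content sniffing catches it
        zf.writestr("notes.txt", b"lol is this your new profile pic?")
    return buf.getvalue()


if __name__ == "__main__":
    for member, why in scan_zip_bytes(build_sample_zip()).items():
        print(f"{member}: {'; '.join(why)}")
```

The content check matters because renaming a PE to `photo.png` defeats a pure extension filter; reading the first 16 bytes of each member before extraction is cheap and catches it. A real mail or chat gateway would run the same logic over the downloaded ZIP and quarantine anything flagged rather than merely printing it.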



The Physical Aspects of Cybersecurity and Their Importance – NISPOM

Executive Summary

In this last installment we'll take a look at Chapter 10 through the Appendices, which detail the International Security Requirements; Miscellaneous Information such as TEMPEST, the Defense Technical Information Center (DTIC) and Independent Research and Development (IR&D) Efforts; and the Appendices. We'll review these at a high level in order to present a broad view of the landscape and of the aspects for which the NISPOM provides policy, and conclude with some recommendations based on information either lacking at the time the document was written, or on more recent changes in the threat landscape.

For those who just joined, we are analyzing the different aspects behind the central policy document of the US Federal Government and its various agencies titled NISPOM, the National Industrial Security Program Operating Manual, looking at the strengths and weaknesses of what the United States Department of Defense set out as standards and methods for its contractor base.

The Physical Reality

To refresh, the chapters we'll be discussing in this series of articles are, from NISPOM, as follows:

• Chapter 1 – General Provisions and Requirements
• Chapter 2 – Security Clearances
  • Section 1 – Facility Clearances
  • Section 2 – Personnel Security Clearances
  • Section 3 – Foreign Ownership, Control, or Influence (FOCI) [1]
• Chapter 3 – Security Training and Briefings
• Chapter 4 – Classification and Marking
• Chapter 5 – Safeguarding Classified Information
• Chapter 6 – Visits and Meetings
• Chapter 7 – Subcontracting
• Chapter 8 – Information System Security
• Chapter 9 – Special Requirements
  • Section 1 – RD and FRD
  • Section 2 – DoD Critical Nuclear Weapon Design Information (CNWDI)
  • Section 3 – Intelligence Information
  • Section 4 – Communication Security (COMSEC)
• Chapter 10 – International Security Requirements
• Chapter 11 – Miscellaneous Information
  • Section 1 – TEMPEST [2]
  • Section 2 – Defense Technical Information Center (DTIC)
  • Section 3 – Independent Research and Development (IR&D) Efforts
• Appendices [3]

International Security Requirements

In the ever-changing international landscape, today's friend may very well be tomorrow's foe. So naturally the question is, how can we trust anyone, or any nation? The short answer is trust but verify, and only


Save The Database, Save The World!

Chapter 9: Database SRC Solution Value

"Some projects will always feel like a trip to the dentist, but the good news is that having your teeth cleaned never paid off so well."

Prior to the adoption of a database SRC program, organizations must gain consensus and alignment between the business leadership and the rest of the IT team. Conflicting priorities are always a challenge, especially when budgets are tight, so a clear value proposition and a compelling business case must be developed to move the database SRC program forward. The scope, objectives, and approach of the project must be well defined, and the business case must be crystal clear. Even more importantly, success metrics such as performance levels and internal rate of return must be evident in order for the business case to be accepted and a successful transformation to occur. Security, risk, and compliance (SRC) projects have historically enjoyed relative immunity from the high level of prioritization and scrutiny received by many other IT initiatives. Often considered a "must have" requirement, database SRC initiatives have been viewed as a form of insurance, similar to catastrophic health care coverage. But as organizations gain a broader understanding of the range of solutions available, a sense of conflicting priorities can emerge. Defense in depth suggests that layers of protection must be deployed at the network, operating system, and database level. Intuitively, data must be protected in the database where it lives, but compelling arguments exist for other priorities as well. So why should organizations decide that database SRC is the number one priority versus the many other compelling alternatives?

In the Upcoming Issue of PenTest Regular...

Android as a Pentesting Platform

Available to download on December 3rd

More topics in PenTest Magazine: Information Security Governance, Hacking an Isolated Network, Phishing, Spoofing, BeEF, Business Application Change Control, Reconnaissance & Network Mapping, DNS & ARP, Intrusion Detection Systems, Sandbox ... and more

If you would like to contact the PenTest team, just send an email to [email protected] or [email protected]. We will reply a.s.a.p.

PenTest Magazine reserves the right to change the content of the next Magazine Edition.
