security kaizen magazine, issue 7

The Milestone

Vol2 issue 7 . Oct./Dec. 2012

WWW.BLUEKAIZEN.ORG

Cairo Security Camp 2012, 18-24 Nov. 2012, Smart Village, Cairo

Liars and Outliers Book Review

How To Be A Security Engineer?


The Security Kaizen Magazine provides important information on industry advancements and professional development to those involved in the cyber security domain who will highly educate their partners about issues and trends in the industry. Issue 7 includes, How to be a security Engineer, Discovering the master file table, Email Injection, How to report phishing websites on Facebook and others


If you like our magazine and our activities, help us to continue producing it by giving an amount of your liking.

T-SHIRTS / CAPS / TOWELS / MUGS

Find us at Cairo Security Camp 2012

Editor’s Note

After 2 years of holding CSCAMP, the third version is coming with the slogan THE MILESTONE. CSCAMP2012 is planned to be a major step in CSCAMP events. This year we increased the activities to include two conference rooms; one of them is only for technical sessions (the Security Kaizen Labs room) and the other is for different security topics. The CTF competition is coming back this year with more challenges, more fun and more valuable prizes.

In CSCAMP2012, we are keen to make sure all attendees find what they are looking for in the information security field. In addition to the conference tracks, an exhibition area will be available to all attendees. Whether it’s a company looking to promote its services or to announce vacancies, or a training center looking to market its training courses, the exhibitors’ area is definitely the place to be.

Moreover, for the first time in Cairo Security Camp, pre-conference training will be conducted by experts in the field. The training will take the form of workshops that will be conducted in Egypt for the first time, for example:
• Open Source Cyber Intelligence by Jeff Bardin
• Xtreme Android Hacking by Aseem Jakhar and Anant Shrivastava
• Wifi Hacking by Matias Katz
• Exploit Development by Sofiane Talmat
• Malware Reverse Engineering by Ehab Hussein

Also, BK will announce the start of Bluekaizen Membership. BK Membership is a first step to formalize the community that Bluekaizen has built over the last couple of years, so that it can start to influence Egypt’s future. The idea of BK membership, in summary, is that a member pays a certain amount of money per year, 300 L.E., and in return gets a package of exclusive benefits that we couldn’t obtain without having a group of members:
• Receive the Security Kaizen Magazine issues at your own address
• Special discount on all Bluekaizen events
• Discount on courses from many training centers in Egypt that we deal with
• Possibility to rent physical books from the BK library and share them with others

Another activity that makes CSCAMP2012 a special event is the launch of the BK Store. The BK Store will be available in a special booth at CSCAMP2012 to sell BK printed products like T-shirts, mouse pads and others. The return from selling these products will help us build a more solid structure to deliver our services in a faster and more professional way.

Also, in order to enhance the development of Egyptian security projects, we will allocate a full session slot to Egyptian security project owners to announce, describe and share their project ideas with the information security community. This is a small step by Bluekaizen to put a spotlight on different Egyptian security projects, hoping that one day Egypt will depend entirely on its local security products instead of purchasing foreign products from untrusted countries.

Finally, book your calendar for 23 and 24 November 2012 to attend CSCAMP2012, because this time it is an event that you shouldn’t miss.

It’s back. Cairo Security Camp is back. It’s back to gather all information security professionals in Egypt and the MENA region in one place.

For advertisement in Security Kaizen Magazine and the www.bluekaizen.org website, mail: [email protected] or phone: 0100 267 5570

Security Kaizen is issued every 3 months.

Reproduction in whole or part without written permission is strictly prohibited. All copyrights are preserved to WWW.BLUEKAIZEN.ORG.

Chairman & Editor-in-Chief: Moataz Salah
Editors: Ahmed Saafan, Ayman Shaban, Amr Amin, Haitham Mohamed, Mostafa Elmasry, Amgad Magdy, Amr Ali, Joe Sullivan, Vinoth Sivasubramanian, Ganapathy Kannan
Website Development: Mariam Samy
Marketing Coordinators: Mahitab Ahmed, Mohamed Saeed
Designed & Printed: 2day Adv., 01000255359


Contents

Editor’s Note: After 2 years of holding CSCAMP, the third version is coming with the slogan THE MILESTONE.

Step By Step: In the previous article, we analyzed the NTFS boot sector and we looked under the hood to understand some of the fields in this data structure. In this article, we are going to go deep into the Master File Table (MFT) data structure.

New & News: On the 3rd of September 2012, at the Fairmont hotel Heliopolis, IDC organized a security road show in Cairo.

User To User: It was a normal day, doing some security consultant work for a company. I got no alerts from their corporate Cisco IPS, and nothing from the open source IDS installed inside the network either.

Grey Hat: Email injection is a type of injection attack that targets the PHP built-in mail function, which allows a malicious attacker to inject any type of mail header field (BCC, CC, Subject, etc.).

Best Practice: The scope of this article is to discuss the inherent flaws in an SDLC environment that insiders exploit to carry out an insider attack. The SDLC process is a development methodology followed by many organizations, and it suggests ways of better managing and governing them.

Step By Step

How to be a Security Engineer?

Ahmed Safaan, senior information security engineer and tech lead of Raya IT Security Services Team (RISST)

Ayman Shaban, Digital Forensic Engineer and Information Security Incident Handler at EgCert

Discovering the Master File Table (MFT) (Part 2)

In the previous article, we analyzed the NTFS boot sector and we looked under the hood to understand some of the fields in this data structure. In this article, we are going to go deep into the Master File Table (MFT) data structure.

To start digging into the design of NTFS, it should be understood that all data stored on a volume is contained in files, including the NTFS metadata and administrative data, which makes it easy for the file system to locate and maintain such data.

The MFT is the core of the NTFS volume structure; it is implemented as an array of file records. The size of each MFT record, or entry (as some textbooks call it), is fixed at 1 KB, regardless of the cluster size.

The MFT also contains entries for the file system metadata files. A schematic diagram of the MFT structure is as follows:

[Figure: Inside NTFS – schematic diagram of the MFT structure]

Important Note

We are sorry to inform you that, due to editing and printing mistakes, some parts of the previous article were dropped. The following was supposed to be mentioned:

- I use a great tool (HxD – HexEditor) to access the different sectors of the hard disk. You can download it from http://mh-nexus.de/en/; it is free. Once you install the tool, go to “Extras” in the menu, go to “Open Disk…” and choose one of the logical bootable disks. Please make sure that the “Open as Readonly” checkbox is checked.

The MFT entry header consists of 12 fields that together occupy 42 bytes of the 1024 bytes allocated to each MFT entry; the remaining 982 bytes are available for attributes.

The following table shows the 12 fields of the NTFS file system metadata files:

The following table lists the MFT entry attributes:

Now, let us move on to the interesting part. From the previous article, please recall the following:

Starting cluster address of MFT = 0x0c7fe9
Sectors per cluster = 8

Then, the starting sector address of the MFT = 0x0c7fe9 * 8 = 0x63ff48, which is 6553416 in decimal.

Running HxD – HexEditor, please do the following steps:
- Click on “Extras”, “Open Disk…”
- Click on “Logical disks”
- Choose “Local Disk”
- Make sure that “Open as Readonly” is selected.
- Type “6553416” in the “Sector” field to start accessing the MFT data.

Please note that the above mentioned sector number could differ from one machine to another.

Below is a dump of sector 6553416, which is the starting sector of the MFT:

The following is an interpretation of some of the fields in the MFT entry:

- Bytes 0x14-0x15 hold the offset to the first attribute, which is 0x0038. The byte at that offset contains 0x10, which means that the attribute is “$Standard_Information”. Please refer back to the “MFT Entry Attributes” table.

- Bytes 0x16-0x17 hold the MFT entry flags: if the value is 0x0001 the entry is in use, and if it is 0x0002 the entry is for a directory.

- We’ll take byte offset 0x38 as the starting offset of the “$Standard_Information” attribute in our case, and from here on treat it as byte 0 of the attribute data structure.

- Bytes 4-7 hold the length of the attribute, which in this case is 0x00000060.

- Byte 8 has the value 0x00, which means that the attribute is resident in the MFT entry. A resident attribute stores its content in the MFT entry along with the attribute header, while a non-resident attribute stores its content in external clusters in the file system.

- Bytes 16-19 hold the size of the attribute content, which is 0x00000048.

- Bytes 20-21 hold the offset to the content, which is 0x0018.

- Bytes 24-55 contain the four time stamps: file creation, file alteration, MFT change and file read.

- Bytes 56-69 contain the file attribute flags, which in this case are 0x00000006 (System + Hidden).

Below is a table of the file attribute flag values:
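A small parser for what the article walks through by hand, added here as an example that is not from the article: it reads the entry header fields at 0x14 and 0x16, follows the offset to the first attribute and decodes the resident $Standard_Information header, time stamps and file attribute flags. The 1 KB entry it parses is constructed with the same values the article reads from its dump (0x38, 0x10, 0x60, 0x48, 0x18, 0x06); the flag names beyond System and Hidden are the standard Windows file attribute values, and all function names are my own.

```python
import struct
from datetime import datetime, timedelta, timezone

# Attribute type identifier of $STANDARD_INFORMATION (see the MFT entry attributes table)
STANDARD_INFORMATION = 0x10

# File attribute flag bits as stored in the $STANDARD_INFORMATION content
FILE_ATTRIBUTE_FLAGS = {
    0x0001: "Read-only", 0x0002: "Hidden", 0x0004: "System", 0x0020: "Archive",
    0x0040: "Device", 0x0080: "Normal", 0x0100: "Temporary", 0x0200: "Sparse",
    0x0400: "Reparse point", 0x0800: "Compressed", 0x1000: "Offline",
    0x2000: "Not content indexed", 0x4000: "Encrypted",
}

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def mft_start_sector(mft_cluster, sectors_per_cluster):
    """Sector address of the MFT from the two boot-sector values of the previous article."""
    return mft_cluster * sectors_per_cluster


def filetime_to_datetime(ft):
    """NTFS time stamps are 100 ns ticks since 1601-01-01 UTC."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    return int((dt - EPOCH_1601) / timedelta(microseconds=1)) * 10


def decode_file_attributes(value):
    return [name for bit, name in sorted(FILE_ATTRIBUTE_FLAGS.items()) if value & bit]


def parse_mft_entry(entry):
    """Walk the entry header into the first attribute, the way the article does by hand."""
    if len(entry) != 1024 or entry[:4] != b"FILE":
        raise ValueError("not a 1 KB MFT entry with a FILE signature")
    first_attr = struct.unpack_from("<H", entry, 0x14)[0]   # offset to first attribute
    entry_flags = struct.unpack_from("<H", entry, 0x16)[0]  # 0x01 in use, 0x02 directory
    a = first_attr
    # attribute header: type (0-3), length (4-7), non-resident flag (8)
    attr_type, attr_len, non_resident = struct.unpack_from("<IIB", entry, a)
    result = {
        "first_attribute_offset": first_attr,
        "in_use": bool(entry_flags & 0x0001),
        "is_directory": bool(entry_flags & 0x0002),
        "attribute_type": attr_type,
        "attribute_length": attr_len,
        "resident": non_resident == 0,
    }
    if attr_type == STANDARD_INFORMATION and non_resident == 0:
        # resident header: content size (16-19), offset to content (20-21)
        content_size, content_off = struct.unpack_from("<IH", entry, a + 16)
        c = a + content_off
        # content: four 8-byte time stamps (bytes 0-31), then the flags (bytes 32-35)
        created, modified, mft_modified, accessed, flags = struct.unpack_from("<QQQQI", entry, c)
        result.update({
            "content_size": content_size,
            "content_offset": content_off,
            "created": filetime_to_datetime(created),
            "modified": filetime_to_datetime(modified),
            "mft_modified": filetime_to_datetime(mft_modified),
            "accessed": filetime_to_datetime(accessed),
            "file_attributes": decode_file_attributes(flags),
        })
    return result


def build_sample_entry():
    """Constructed 1 KB entry reproducing the values the article reads from sector 6553416."""
    entry = bytearray(1024)
    entry[0:4] = b"FILE"
    struct.pack_into("<H", entry, 0x14, 0x0038)  # offset to first attribute
    struct.pack_into("<H", entry, 0x16, 0x0001)  # entry flags: in use
    t = datetime_to_filetime(datetime(2012, 10, 1, 12, 0, tzinfo=timezone.utc))
    header = struct.pack("<IIBBHHH", STANDARD_INFORMATION, 0x60, 0, 0, 0, 0, 0)
    header += struct.pack("<IHBB", 0x48, 0x18, 0, 0)  # content size 0x48, content offset 0x18
    content = struct.pack("<QQQQI", t, t, t, t, 0x0006).ljust(0x48, b"\0")  # System + Hidden
    entry[0x38:0x38 + 0x60] = header + content
    return bytes(entry)


if __name__ == "__main__":
    print("MFT starts at sector", mft_start_sector(0x0C7FE9, 8))
    for key, value in parse_mft_entry(build_sample_entry()).items():
        print(f"{key}: {value}")
```

To read a real entry, replace build_sample_entry() with the 1024 bytes HxD shows at sector 6553416 (two 512-byte sectors), opened read-only.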

References:
1. File System Forensic Analysis, Brian Carrier, 2005, ISBN-10: 0-32-126817-2
2. http://technet.microsoft.com/en-us/library/cc976808.aspx
3. http://msdn.microsoft.com/en-us/library/bb470038(VS.85).aspx
4. HxD – HexEditor, used to access the different sectors of the hard disk. You can download it for free from http://mh-nexus.de/en/
5. You can download PhysicalDiskProp.exe from https://dub002.mail.live.com/default.aspx?id=64855&owa=1&owasuffix=owa%2f#!https://skydrive.live.com/?cid=b106de1366bb1ddc!cid=B106DE1366BB1DDC&id=B106DE1366BB1DDC%21227

Amr M. Amin
Chief Architect, IT Compliance, Andromeda Labs

Why you must attend CSCAMP2012? The biggest gathering for Information Security professionals in Egypt. It is your main place for learning, networking and training.

User To User

Using Cain and Abel as an Intrusion Detection System

It was a normal day. I was doing some security consultant work for a company, and I got no alerts from their corporate Cisco IPS, and nothing from the open source IDS installed inside the network either. I was testing for any anomaly on the network, so I ran Cain and Abel on a mirrored (SPAN) port on the main (I had followed the usual approval process before running Cain and Abel in the network). As expected, I did not find any clear text passwords for corporate services, but then I noticed something strange: I saw the user name of one of the company’s users, and beside his user name was the password “123”. I was sure that no service in the company would transport passwords in clear text, so I decided to look deeper. I also found another user name with the same password but from a different IP address, then the same users again with the password “1234”. All of this was using the POP3 mail protocol; they do not allow the use of POP3, but the service had not been closed yet on the server. What was more alarming was the use of e-mail accounts that had been disabled long ago because the users had already left the company. Then my doubts hit the roof.

I went to the next step, behavioral analysis, which I did manually. I collected all of the POP3 logins: user names, passwords and source IPs. What I found was fun: I had four source IPs, and all of the POP3 user names came from these four IPs. The timing between each of them was more than 10 seconds, but changing, and the IPs were used interchangeably. I can summarize my findings as follows: an attacker who is skilled and extremely patient was using a script to change the IPs. He had the list of the email contacts (a lot of them were not in use anymore). He would try a password from an IP, then use the same password to test another account using another IP; this way, when he finished his testing for that password, he would not be detected, and the lockout counter would reset itself because he never tried a wrong password on the same account within the lockout period.

I admired his skills, but what I couldn’t understand was his patience. He was using a dictionary attack that would never work in an organization that knows the basics of Information Security; his methods would take months or even years before finding a correct password. I kept watching his attack, and I was ready to disconnect him whenever he got closer. I caught this attack by pure luck. I don’t think any IDS would have raised any alerts for such an attack. I know malware uses similar attacks, but it is usually programmed to exploit a vulnerability, not to test e-mail passwords; that’s why I suspect this is a normal ongoing attack.
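The manual behavioral analysis described above, turned into a log-based check, as an added example that is not part of the article: it groups POP3 authentication failures by source and account and flags the signature the author found (several sources, each failing against many distinct accounts, no source failing against the same account twice, the same accounts shared across sources, slow pacing, and attempts against disabled accounts). The log format, the addresses and the account names are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed POP3 authentication log (assumed format; not from the article).
# Three sources each fail once against the same four accounts, spaced out,
# while a legitimate user mistypes once and then logs in.
SAMPLE_LOG = """\
2012-10-03T10:15:02Z pop3 auth-failed user=alice src=198.51.100.10
2012-10-03T10:15:15Z pop3 auth-failed user=bob src=198.51.100.11
2012-10-03T10:15:29Z pop3 auth-failed user=carol src=198.51.100.12
2012-10-03T10:15:44Z pop3 auth-failed user=dave src=198.51.100.10
2012-10-03T10:15:58Z pop3 auth-failed user=alice src=198.51.100.11
2012-10-03T10:16:11Z pop3 auth-failed user=bob src=198.51.100.12
2012-10-03T10:16:25Z pop3 auth-failed user=carol src=198.51.100.10
2012-10-03T10:16:40Z pop3 auth-failed user=dave src=198.51.100.11
2012-10-03T10:16:53Z pop3 auth-failed user=alice src=198.51.100.12
2012-10-03T10:17:07Z pop3 auth-failed user=bob src=198.51.100.10
2012-10-03T10:17:20Z pop3 auth-failed user=carol src=198.51.100.11
2012-10-03T10:17:35Z pop3 auth-failed user=dave src=198.51.100.12
2012-10-03T10:17:40Z pop3 auth-failed user=frank src=203.0.113.5
2012-10-03T10:17:52Z pop3 auth-ok user=frank src=203.0.113.5
"""

# Accounts of people who already left the company (constructed list)
DISABLED_ACCOUNTS = {"carol", "dave"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) pop3 auth-(?P<result>ok|failed) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_log(text):
    """Turn log lines into event dicts; lines that do not match the format are ignored."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            e = m.groupdict()
            e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append(e)
    return events


def detect_spray(events, disabled_accounts, min_users=4, min_sources=2):
    """Flag the low-and-slow pattern from the article.

    Passwords are not in the logs, so the evidence is structural: several
    sources each fail against many distinct accounts, no (source, account)
    pair fails more than once (keeping every account under its lockout
    threshold), the same accounts recur across sources, and some targeted
    accounts are disabled ones that nobody should be using at all.
    """
    fails_per_pair = defaultdict(int)
    users_per_src = defaultdict(set)
    srcs_per_user = defaultdict(set)
    failed = [e for e in events if e["result"] == "failed"]
    for e in failed:
        fails_per_pair[(e["src"], e["user"])] += 1
        users_per_src[e["src"]].add(e["user"])
        srcs_per_user[e["user"]].add(e["src"])

    spray_sources = sorted(s for s, u in users_per_src.items() if len(u) >= min_users)
    shared_users = sorted(u for u, s in srcs_per_user.items() if len(s) >= min_sources)
    max_fails = max(fails_per_pair.values(), default=0)

    # pacing between consecutive failures coming from the suspected sources
    times = sorted(e["ts"] for e in failed if e["src"] in spray_sources)
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]

    return {
        "spray": len(spray_sources) >= min_sources and len(shared_users) >= min_users,
        "sources": spray_sources,
        "shared_users": shared_users,
        "max_failures_per_source_user": max_fails,
        "min_gap_seconds": min(gaps) if gaps else None,
        "disabled_accounts_targeted": sorted(
            {e["user"] for e in failed if e["user"] in disabled_accounts}
        ),
    }


if __name__ == "__main__":
    report = detect_spray(parse_log(SAMPLE_LOG), DISABLED_ACCOUNTS)
    for key, value in report.items():
        print(f"{key}: {value}")
```

Any failure against a disabled account is worth an alert on its own, regardless of the spray verdict, since a legitimate user cannot produce it.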

Haitham Mohamed
I’m a Malware Reverse Engineer, SCMRE, C|HFI, C|EH, MCSE+S, MCTS, N+, Security+, ITIL V3 Foundation

Book Review

Liars and Outliers Book Review

Did you check the ID of the plumber before allowing him into your house? Did the plumber validate the authenticity of your money? Did you test the food you bought from the grocery for poison? And did you scan the roofs of your neighborhood’s buildings for signs of snipers targeting your head? I don’t really know, but what I know is that Bruce Schneier didn’t! At least that’s what he claims in Liars and Outliers: Enabling the Trust that Society Needs to Thrive.

Liars and Outliers, the latest book by the security black-belt Bruce Schneier, proposes a genuine view on security. It is entirely dedicated to the very specific topic of trust, and how it affects the overall functioning of a thriving society.

According to Schneier, “the more trust is in the air, the healthier the society is, and the more it can thrive,” for which he proposes various models and interpretations of how people interact with each other and with the group (which may be a family, a community, an enterprise or any other sort of collection), considering norms, competing interests, societal pressure, societal dilemmas and various other aspects that formulate trust.

Why trust? Simply, according to the author, because it performs three critical functions:
• It makes social life more predictable
• It creates a sense of community
• And it makes it easier for people to work together

The book is divided into four parts. Part I is about the science of trust. It explores the various sciences that feed the existence of trust, not only in humans but also in other species. Schneier talks about concepts from psychology, sociology, biology, neuroscience, philosophy, systems dynamics, history, cognitive science, behavioral economics, computer security and various others. A notable chapter in this part is the last one, about Societal Dilemmas. Which should be prioritized, the person’s or the group’s interest? A popular example from game theory is the Prisoner’s Dilemma, which is a generalization of all societal dilemmas. Alice and Bob were arrested for a crime, but without enough evidence for conviction. Each of them is interrogated separately and offered a deal: “If you testify against your partner, you’re free. If you both testify against each other, both of you will get six years of jail. But if you cooperate and remain silent, you’ll only be charged for one year.” So neither Alice nor Bob is in control of his own outcome. Each of their decisions will affect the other, and the probabilities are blurry. Should I opt for my own interest, or for the group’s interest? And what about the other: what decision will he make, and how will it affect my status? This is where the model of trust plays a critical role in decision making.

Part II is where the model is formulated. As societies need trust to function, various forms of societal pressure play a role in inducing cooperation (as a product of trust) in societal dilemmas. These are:
• Moral pressures, which come from inside our own heads
• Reputational pressures, which result from how others respond to our actions
• Institutional pressures, which are the codified norms and are enforced by the delegated authorities
• Security systems, which include everything that prevents defectors from violation, such as door locks, antivirus software, audit systems, mitigation plans, etc.

Part III comes down to earth and handles real-world applications of the model. It starts by introducing the actual complexities that result from competing interests from the group’s perspective. He talks about Organizations, Corporations and Institutions, each in its own chapter.

Part IV is the conclusion, talking about the times when societal pressure fails. He talks about changes in technology and how they affect societal pressure, and about the very particular characteristic of today’s society, the information society, and how it affects the entire model.

Throughout the inquiry, the author maintains a generally scientific approach, but there is one point where he fails. Every now and then, he keeps building his interpretations on the highly controversial theory of evolution, which is commonly denied and refuted by many scientific and religious schools. He deals with the theory as a matter of fact, without presenting (or even referring to) a valid proof for it, or explicitly stating his assumption of its validity. However, this obviously does not affect the overall model proposed by the book, even though it reduces the credibility of the interpretations.

Will you be interested in this book? If you are a security theorist, a strategic thinker, a sociologist, a prime minister, or even someone who wants to know how security works, you definitely will! It takes our understanding to a bird’s-eye view of how security works in real life, in an exciting sequence, building the entire picture inside your mind piece by piece, until it comes to the point of no return where you find yourself shifted to a totally new paradigm about security!

It is definitely a page-turner: once you start reading a chapter, you can hardly take your eyes off the page until you finish it. It presents a very high level, generic view on trust, as one of the security artifacts, and on the necessary conditions for societies to thrive.

Mostafa El Masry
I am a security researcher, activist and a trainer.

Why you must attend CSCAMP2012? Because you will miss a lot if you don’t come.

Grey Hat

Email Injection

Email injection is a type of injection attack that targets the PHP built-in mail function. It allows a malicious attacker to inject any type of mail header field (BCC, CC, Subject, etc.), letting a spammer send out spam from your mail form; this attack is called Email Injection or mail form spamming.

The main reason for the success of this attack is improper user input validation, or no validation and filtering at all. Let’s have a look at the PHP mail function description from the PHP manual:

“bool mail ( string $to , string $subject , string $message [, string $additional_headers [, string $additional_parameters ]] )”

As you can see, it takes three mandatory parameters (to, subject and message) and some other optional parameters, and the function returns a bool (true or false). So let’s have a look at a vulnerable piece of code to demonstrate this vulnerability:

<?php
$to = "[email protected]";
if (!isset($_POST["send"])) { // the form was not submitted yet
?>
<form method="POST" action="<?= $_SERVER['PHP_SELF']; ?>">
From: <input type="text" name="sender">
Subject: <input type="text" name="subject">
Message: <textarea name="message" rows="10" cols="60"></textarea>
<input type="submit" name="send" value="Send">
</form>
<?php
} else { // the form has been submitted
    $from = $_POST['sender'];
    // send mail: the From header is built directly from unvalidated user input
    if (mail($to, $_POST['subject'], $_POST['message'], "From: $from\n")) {
        echo "Your mail has been sent successfully";
    } else {
        echo "An error has occurred!";
    }
}
?>

Ahmed Mohamed is an information security professional and author. He focuses mainly on the areas of exploitation, reverse engineering and web security. He is a trainee at RayaCorp. as an Information Security engineer, and he’s the webmaster of www.ITsec4all.com.

As you can see in the previous code, especially this line:

mail($to, $_POST['subject'], $_POST['message'], "From: $from\n")

the mail function takes the subject, message and from parameters without filtering or validation, so a malicious attacker can control the values of the subject, message and from parameters. Let’s provide these parameters to the mail function as follows:

mail("[email protected]", "Call me urgent", "Hi,\nPlease call me ASAP.\nBye", "From: [email protected]\n")

The raw output data looks like the following:

To: admin.website.com
Subject: Call me urgent
From: [email protected]

Hi,
Please call me ASAP
Bye

From the attacker’s point of view, there are tons of additional fields that can be injected into the mail header (for more information see RFC 822, http://www.ietf.org/rfc/rfc822.txt). For example, injecting into CC or BCC allows the attacker to add more recipients to the message. But before adding a new field we have to add a line feed that separates each field from the other; the hexadecimal value of the line feed is 0x0A. So here are some examples:

1- Inject into the CC and BCC after the sender argument:
From:[email protected]%0ACc:[email protected],%0ABcc:[email protected]
Now the message will be sent to recipient’s and recipient1’s accounts.

2- Inject into the To argument:
From:[email protected]%0ATo:[email protected]
Now the message will be sent to the original recipient and the attacker’s account.

3- Inject into the Subject argument:
From:sender@domain.com%0ASubject:This’s%20Fake%20Subject
The fake subject will be added to the original subject and in some cases will replace it; it depends on the mail service’s behavior.

4- To change the body of the message, inject two line feeds and then write your message, as follows:
From:[email protected]%0A%0AMy%20New%20%0Fake%20Message.
The fake message will be added to the original message.

Solution:
1- Never trust user input fields; all input should be considered untrusted and potentially malicious. Applications which process untrusted input may become vulnerable to attacks such as buffer overflows, SQL injection, OS commanding, denial of service, mail injection, etc.
2- Use regular expressions to filter user data; for example, we can search for \r or \n in the input string.
3- Use external components and libraries that provide protection against this problem, such as Zend_Mail, PEAR Mail and Swift Mailer.
4- Use mod_security; mod_security is also a good piece of software that can put a stop to BCC injection at the server level.

References and external links:
1- http://www.securephpwiki.com/index.php/Email_Injection
2- http://projects.webappsec.org/w/page/13246933/Improper%20Input%20Handling
3- http://en.wikipedia.org/wiki/Email_injection

Why you must attend CSCAMP2012? It is a carnival of Information Security activities, including a capture the flag competition, more than 20 sessions by more than 20 speakers, exhibitions for companies and more.

New & News

IDC Security Road Show, Cairo, Fairmont Hotel

On the 3rd of September 2012, at the Fairmont hotel Heliopolis, IDC organized a security road show in Cairo. An average of 120 attendees came to listen to experts in the information security field and to hear about the latest technologies from Kaspersky Lab, BlackBerry, IBM and others.

Our team was there to cover the IDC road show in Cairo, and we had a quick interview with David Jacoby, Senior Security Researcher, Kaspersky Lab.

The event was a mix of keynote addresses, high-impact presentations, plenary sessions, in-depth discussions, real-life case studies and interactive Q&A sessions. The conference provided guidance on how to deal with the wide array of constantly evolving threats currently plaguing the security landscape, at a time when IT systems, networks and applications are expanding at a rate never seen before.

Following a short break, Nader Hanein, security advisor at BlackBerry and one of the speakers at CSCAMP2012, allayed the nagging concerns about security and privacy in the mobile world that have prevented many organizations from embracing the concept of mobility beyond simple email and calendar functions. At the end of the day, two BlackBerry devices were given by RIM as gifts to two members of the audience.

In summary, the event was a successful one, and it was a good chance for all security professionals and IT managers to meet with different vendors and learn about the recent technologies.

Can you please introduce yourself to Security Kaizen readers?

I am David Jacoby, Senior Security Researcher at Kaspersky Lab. My job focuses on making the internet a better place, starting from making sure our exploit detection is better, sometimes mobile malware and others. Also, I spend a lot of time talking to people, getting feedback from them. I believe that without talking to our users, we won’t be able to make our products better.

Can you tell us more about the history of Kaspersky Lab?

It was founded by Eugene Kaspersky in Russia; he wrote the first base of Kaspersky Antivirus. He is not only the founder but also the brain of Kaspersky. He first got infected by a virus in Russia, and then he said to himself, why don’t I write my own antivirus, and now it is known as Kaspersky Lab Antivirus. At that time, he only had the engine of the antivirus, not a complete product, so he then started to find partners. Today, Kaspersky Lab has 2000 employees, and nearly half of them are working in research and development, finding new viruses and others.

How do you see this kind of events, especially IDC events?

I am a common speaker at IDC events; I was in South Africa a few days ago. For me, it is not just selling a product. It is a very good conference to see the managers, to see the people who take decisions in their organizations. Also, to find an interesting project for research you need to meet the people out there; I need them to inspire me to come up with different research projects.

Hack Samsung Galaxy S3 by using NFC exploit

A team of security researchers from the U.K. hacked into a Samsung Galaxy S3 phone running Android 4.0.4 by beaming an exploit via Near Field Communication. The hackers exploited a weakness in the way NFC is implemented in the Galaxy S3 to deliver a malicious file that was automatically opened by the Android document viewer.

Microsoft fix for Internet Explorer hole

Microsoft fixed a critical Internet Explorer hole being exploited in attacks, until the company releases a cumulative update for IE on 21 September 2012. The fix will not affect your ability to browse the Web, and it does not require a reboot of your computer. The issue is so severe that the German government and security experts have been advising people to avoid using IE until the hole is patched.

Hacking kit allows you to steal BMWs

On-board diagnostics (OBD) bypass tools allow you to steal high-end cars such as BMW, Opel, Renault, Mercedes, Volkswagen, Toyota and Porsche in a matter of seconds; the $30 bypass tools are being shipped from China and Eastern Europe in kit form to unskilled criminals.

Page 23: Security Kaizen Magazine, Issue 7

New & Newas

www.bluekaizen.org

Securitykaizen MagazineNew & News 022

197 security reasons to upgrade to

Apple ID hacking by FBI

Al Jazeera Hacked with DNS attack

Firefox and Thunderbird fix several security vulnerabilities

There are now 197 new reasons for iPhone, iPod Touch, and iPod users to upgrade to iOS 6, with Apple closing the same number of vulnerabilities in its mobile operating system, Vulnerabilities include three different ways of completely bypassing iOS’ pass code lock, and at least 10 different ways of running arbitrary code. The latter types of vulnerabilities are what enable users to jailbreak their devices.

The FBI disputed a computer hacker group’s claim that it stole personal identification data on millions of Apple device owners from an FBI agent’s laptop; the group has released a link to a database of more than 1 million unique identification numbers for Apple devices, which could include iphones and iPods.

Babar Mustafa, a senior software engineer with Al Jazeera, said that “DNS poisoning issues are being resolved by our provider.” ISPs often provide DNS services to their customers. Tampering with DNS settings can be particularly harmful, since users can be redirected to a fake website even though a correct domain name has been typed into a web browser. The type of attack is know as DNS “poisoning.”

The bug fixes close several memory-related critical vulnerabilities that could be exploited by remote attackers to execute arbitrary code on a target system. Both Firefox and Thunderbird were affected by a vulnerability that allowed an attacker to inject code into the web console. This could allow malicious sites to execute arbitrary code when the console is invoked by the user. This problem, rated as high on Mozilla’s scale, has now been fixed along with the more critical vulnerabilities.

Remote maintenance tool turned into Trojan by hackers

Hackers are using the remote maintenance tool NetWire, which can be used to monitor computers running Windows, Mac OS X, Linux and Solaris, as a Trojan. Anti-virus software companies have responded by identifying the program as malware.


Hacked, Millions of Sites and Emails Down

Millions of websites hosted by Go Daddy went down due to a DNS service outage, which one alleged Anonymous leader is claiming as his handiwork. Last December Anonymous sent out a message through YouTube to Go Daddy warning it to stop supporting the Stop Online Piracy Act (SOPA), which the company did shortly thereafter. AnonymousOwn3r claims that the attack against Go Daddy is not because he is “anti-Go Daddy”, but that his motives will become apparent in time.

Hack on Saudi Aramco hit 30,000 workstations

Saudi Aramco has restored all its main internal network services that were impacted on August 15, 2012, by a malicious virus (Shamoon) that originated from external sources and affected about 30,000 workstations. The workstations have since been cleaned and restored to service.

‘Dirty USSD’ Hack Wipes Samsung Phones. Is Yours Vulnerable?

On Tuesday, researcher Ravi Borgaonkar demonstrated how he wiped a Samsung Galaxy SIII simply by opening a website containing an HTML tag for a call function, with the telephone number replaced by the USSD code for a factory reset. USSD codes are commands that are executed by entering them on your keypad—for instance, if you dial #*#INFO”*” you can access certain menu settings. For every Samsung phone running TouchWiz, there is a unique set of USSD codes that perform various commands.

Charlie Miller hired by Twitter security team

Charlie Miller, the security expert who made his name exposing major security flaws in Apple’s (AAPL) iOS mobile operating system, has been hired by Twitter to make sure his fellow hackers don’t uncover similar gaping flaws in its own social networking site.

Mobile customers’ emails, names hacked in China

Japan’s Sony Corp said hackers have accessed the email addresses and names of as many as 400 of its mobile unit’s customers in China and Taiwan, held on servers owned by a third-party vendor. Sony does not yet know the source of the attack, company spokesman George Boyd said in Tokyo.


Traditional host intrusion detection systems usually bring an attack to an operator’s attention, but this asynchronous attack response paradigm may not be sufficient to stop an attack before it can do damage to a system. The solution, Amr Ali and Zach Dexter explain, is reactive security, or shutting down attacks in real-time, via collaborative attack vector closure.

SentryHQ’s Reactive Security

The New Host-Based Intrusion Detection Paradigm

Introduction

There are two problems with traditional host intrusion detection systems (HIDS). First, the attack may not be detected, because traditional HIDS may not pick up on sophisticated attacks or attacks that use new vectors. Second, even if an attack is detected, damage may occur before an operator can respond. To solve the first problem, we propose an open-source repository of attack detectors. To solve the second problem, we propose a system to respond to attacks in real-time, including an open-source repository of attack responses.

Traditional host intrusion detection systems can abstractly detect attacks that are either identical to previous attacks or similar to previous attacks. The former can be detected using signature databases, and the latter by machine learning algorithms.

Pattern recognition is an inductive approach to intrusion detection: the HIDS infers that an attack is taking place when an event shares characteristics of a prior attack. But what if we know nothing about an attack? What if an attack uses a new vector? Traditional host intrusion detection systems handle this by letting the attack happen and notifying an operator, or by partially severing access to the system while remaining indifferent to the nature of the attack or to the operations of the system itself.

A traditional HIDS will update a rule database or exclude the just-discovered attack vector from a training set of data on what constitutes the normal behavior of a system. The problem with the traditional HIDS approach is that it seeks to stop poorly-executed or non-coordinated attacks that look like previous attacks or otherwise fail to fool a system.

To stop sophisticated or new attacks, we must get the HIDS to deduce that an attack is occurring, even if the HIDS has no knowledge whatsoever of the attack vector, and even if an attack is clever enough to appear to machine-learning algorithms as normal behavior.

A deductive security system would specify a set of invariants. If even one of those invariants changes, a system is said to be compromised. But how can any HIDS specify a set of invariants large enough to provide meaningful coverage of attack vectors? How can a deductive HIDS know how invariants might change across deployments to different machines? And what does it mean to close an attack vector that the deductive HIDS doesn’t even know is open?

The answer is collaborative attack vector closure, an easy-to-understand adaptation of open-source software engineering principles. A community of attack detector authors contributes to an open-source repository of invariants.


Let us call an invariant expressed via a programming language a detector. Contributors generalize the invariants so that members of the community may clone any detector, provide parameters relevant to their implementations, and store the customized detectors in a private repository. After testing the customized detectors in the field, community members may commit patches and merge them upstream to the main repository of detectors.

We propose to grow this open-source platform with a good number of invariants for most pieces of software running on today’s systems. Attackers will have little opportunity to avoid detection, as the attack vectors that the HIDS doesn’t even know about are now closed.

Once an attack is detected, a pre-configured response executes as a countermeasure with the intention to either eliminate the threat or act as means of damage control.

Threat Detection & Response

There are predominantly two methodologies to address threats: either develop detection methods for the specificities of different threats, or detect anomalies in the behavior of the system and treat them as possible threats.

The approach in which a detection method is developed to identify a particular threat works well if and only if we know the intrinsic details of the threat we are trying to address. Since the possible threats and their mutations are theoretically infinite, this approach is ultimately a never-ending cat-and-mouse chase. However, it also comes with the advantage of producing fewer false positives, because through it we know exactly how the threat behaves and how we could respond to it.

On the other hand, we could compile a set of invariants for a system whose behavior we know, so that we abstractly normalize its operations and are able to detect a threat by sensing anomalies in its behavior. This method comes with the disadvantage of being abstract and thus prone to false positives, caused by a legitimate change of an operation or an unforeseeable logical branch in a well-behaving set of instructions.

Amr Ali

Systems development expert and security expert with 13 years of experience in the field.

There is no single concrete solution to addressing threats, only a combination of variants of these methodologies. Since people are the reason security as a philosophy exists, we propose that people engage in tailoring the different security approaches to their unique needs, by giving the community a platform that offers the tools necessary to descriptively define their systems’ operations and, at the same time, to define anticipated threats and how to respond to them.

SentryHQ is the platform that allows the community to develop detectors for an unbounded number of operating systems and applications: detectors that are synchronously combined with responses tailored not only to the underlying operating system but also to the applications running on top of it. The locally synchronized combination of a detector and a response acts as a first layer of defense against any threat.

Real-Time Attack Mitigation

We believe that the only way to stop an attack is to prepare an automatic, immediate response before the attack happens. Too often, an attack is over, and the attacker has made off with valuable data, before the attack is noticed. Even if a traditional Host Intrusion Detection System notices the attack, often nothing is done until an operator responds. SentryHQ bolsters the operator’s capabilities by allowing her to configure immediate attack responses.

Attack detectors pick up on abnormal behavior, either by specifying invariant conditions or by looking for signs of an attack. When a detector picks up on an attack, it does more than simply notify the machine’s operator.

The detector fires any number of attack responses on any number of machines. If there is an attack response listening on the compromised machine, the response can shut the attacker out of that machine. If responses on other machines are also listening on the detector, those responses will fire, too. Such flexibility allows the security context to be bound not only to a single machine but to an entire network of machines that can recognize an attack and respond to it in unison.
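The detector-and-response model described in the Threat Detection & Response and Real-Time Attack Mitigation sections, as an added example in Python. This is illustrative code written for this article, not SentryHQ’s own implementation: a detector is an invariant expressed as code that a community member clones and parameterizes for their deployment, and any number of responses, on the compromised host or on other hosts, subscribe to it and run the moment the invariant is violated. The host names, port lists, file hashes and sensor reports are constructed sample data, and the responses only record what they would do.

```python
"""Invariant-based (deductive) host intrusion detection with pre-configured,
multi-host responses. Added illustration of the detector/response model the
article describes; not SentryHQ's code. All host states, hashes and host
names are constructed sample data."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set

HostState = Dict[str, object]  # what a sensor reports about one machine


@dataclass
class Detector:
    """A system invariant expressed as code. `check` returns True while the
    invariant holds; `params` holds the deployment-specific values supplied
    when a generic detector is cloned from the repository."""
    name: str
    check: Callable[[HostState], bool]
    params: dict = field(default_factory=dict)


@dataclass
class Response:
    """A countermeasure that runs on `host` when a detector it listens on fires.
    `action(detector, compromised_host, response_host)` returns a log line."""
    host: str
    action: Callable[[str, str, str], str]


class ReactiveHIDS:
    def __init__(self) -> None:
        self.detectors: List[Detector] = []
        self.listeners: Dict[str, List[Response]] = {}
        self.log: List[str] = []

    def add_detector(self, detector: Detector) -> None:
        self.detectors.append(detector)

    def subscribe(self, detector_name: str, response: Response) -> None:
        # Responses on *any* host may listen on a detector, so one detection
        # can fire countermeasures across the whole network.
        self.listeners.setdefault(detector_name, []).append(response)

    def evaluate(self, host: str, state: HostState) -> List[str]:
        """Evaluate every invariant against one host's state. A violated
        invariant is treated as a compromise (deduction, not pattern matching)
        and its subscribed responses run immediately, without an operator."""
        fired: List[str] = []
        for detector in self.detectors:
            if detector.check(state):
                continue
            fired.append(detector.name)
            for response in self.listeners.get(detector.name, []):
                self.log.append(response.action(detector.name, host, response.host))
        return fired


# Generic, cloneable detectors: the parameters are supplied per deployment.

def listening_ports_invariant(allowed: Set[int]) -> Detector:
    """Invariant: the host listens on no port outside the allowed set."""
    return Detector("listening_ports",
                    lambda s: set(s["listening_ports"]) <= allowed,
                    {"allowed": sorted(allowed)})


def file_hash_invariant(expected: Dict[str, str]) -> Detector:
    """Invariant: every monitored file still carries its baseline hash."""
    return Detector("file_hashes",
                    lambda s: all(s["file_hashes"].get(p) == h for p, h in expected.items()),
                    {"expected": expected})


# Responses: here they only record the action they would take.

def isolate_session(detector: str, compromised: str, where: str) -> str:
    return f"{where}: terminated interactive sessions on {compromised} (via {detector})"


def block_at_firewall(detector: str, compromised: str, where: str) -> str:
    return f"{where}: quarantined {compromised} at the perimeter (via {detector})"


def build_demo_hids() -> ReactiveHIDS:
    """Wire up detectors and responses for a hypothetical web server 'web01'
    and firewall 'fw01' (both constructed names)."""
    hids = ReactiveHIDS()
    hids.add_detector(listening_ports_invariant({22, 80, 443}))
    hids.add_detector(file_hash_invariant({"/usr/sbin/sshd": "sha256:baseline-constructed"}))
    hids.subscribe("listening_ports", Response("web01", isolate_session))
    hids.subscribe("listening_ports", Response("fw01", block_at_firewall))
    hids.subscribe("file_hashes", Response("web01", isolate_session))
    return hids


# Constructed sensor reports: one matching the baseline, one drifted.
NORMAL_STATE: HostState = {"listening_ports": [22, 80, 443],
                           "file_hashes": {"/usr/sbin/sshd": "sha256:baseline-constructed"}}
ALTERED_STATE: HostState = {"listening_ports": [22, 80, 443, 8099],
                            "file_hashes": {"/usr/sbin/sshd": "sha256:changed-constructed"}}

if __name__ == "__main__":
    hids = build_demo_hids()
    print(hids.evaluate("web01", NORMAL_STATE))   # []
    print(hids.evaluate("web01", ALTERED_STATE))  # ['listening_ports', 'file_hashes']
    print(*hids.log, sep="\n")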

Collaborative Attack Vector Closure

Work together to achieve maximum attack vector coverage. Community members tag attack detection and attack response code to place it in the public repository. Any member of the community can clone these items, upgrade them, and publish the code back to the public repository. Users can leave code with modifications specific to their machines unpublished.

Over time, SentryHQ will severely restrict the number of vectors still open to attackers. For each detector made available to the community, an attack vector is closed. And each response available in the public repository gives community members more power to stop attacks before they result in damage.

Why SentryHQ?

No one likes, nor has the time, to dive into an endless amount of configuration files and foreign syntaxes just to run a HIDS that only reports back a compromise. Beyond the initial configuration of your account, SentryHQ components are entirely configurable through our intuitive hosted web interface.

In cyberspace the first “O” of Boyd’s OODA (Observe, Orient, Decide, Act) loop is always impaired; with SentryHQ we’ve managed to enable your entire network to observe an elaborate attack and respond to it on many levels and in dynamic configurations, through the detectors and responses deployed on any number of machines you have.

SentryHQ utilizes a custom implementation of the SSHv2 protocol for all of its communication, be it internal or external. We’ve taken great care to account for the worst situations a system can be in, including ours.

With SentryHQ you can benefit from and participate in an ever-growing community that constantly supplies the public repository with new detectors and responses that address threats targeting most applications and their underlying operating systems.


How to report phishing websites on

Earlier this summer Facebook launched [email protected], an email address available to the public to report phishing attempts against Facebook. Phishing is any attempt to acquire personal information, such as username, password, or financial information, via impersonation or spoofing. By providing Facebook with reports, we can investigate and request browser blacklisting and site takedowns where appropriate. We will then work with our eCrime team to ensure we hold bad actors accountable. Additionally, in some cases, we’ll be able to identify victims and secure their accounts.

You might ask yourself how to spot suspected phishing emails. Our partners at the Anti-Phishing Working Group have put together some helpful tips to avoid being deceived by these messages:

1. Be suspicious of any email with urgent requests for login or financial information, and remember, unless the email is digitally signed, you can’t be sure it wasn’t forged or ‘spoofed’.
2. Don’t use the links in an email, instant message, or chat to get to any web page if you suspect the message might not be authentic or you don’t trust the sender; instead, navigate to the website directly.

This reporting channel will complement the internal systems we have in place to detect phishing sites attempting to steal Facebook user login information. The internal systems notify our team, so we can gather information on the attack, take the phishing sites offline, and notify users. Affected users will be prompted to change their password and provided education to better protect themselves in the future. While rare, we hope that you forward us any phishing attempts you encounter. Together we can help keep these sites off the web and hold the bad guys responsible. As a reminder, you can visit www.facebook.com/hacked if you think your account may be compromised. You can find out more about phishing in our Help Center.

You can also forward phishing emails to any of the following: APWG ([email protected]), the FTC ([email protected]), and the Internet Crime Complaint Center (www.ic3.gov).

I am the chief security officer of facebook.com. I manage a few of the teams at Facebook focused on making sure that people who use Facebook have a safe and positive experience.

Joe Sullivan


• Receive the Security Kaizen Magazine issues at your own address.
• Special discount on all Bluekaizen events.
• Discount on courses from many training centers in Egypt that we deal with.
• Possibility to rent physical books from the BK library and share them with others.


Risk Based Approach To Mitigating Insider Threats In The SDLC

The scope of this article is to discuss the inherent flaws in an SDLC environment that insiders exploit to carry out an insider attack. The SDLC process is a development methodology followed by many organizations, and this article suggests ways of better managing and governing it.

Who is an Insider? An insider is a person who already rests on the trusted radar of the organization, meaning he is already in the trusted network of the organization and has access to information and data which is given to him based on his job roles and responsibilities. A malicious insider, on the other hand, is a current or former employee, contractor or other business partner who has / had authorized access to an organization’s systems, networks and / or information, which he intentionally exceeds / misuses in a manner that negatively affects the confidentiality, integrity and availability of the organization’s information or information systems.


Real life incidents of insider SDLC threats

1. Ration cards were created and sold by a desk clerk at the food control office in one country, after the clerk discovered he could actually create and print them, a factor overlooked during the requirements analysis. This incident had great potential to turn into a national security issue.
2. An employee used the backdoor he had inserted into his code to gain access to his former company’s network, alter applications and subsequently put the company out of business.

What is SDLC? The Systems Development Life Cycle is a conceptual model used in project management. In general the SDLC process is divided into the following phases:

1. Preliminary analysis
2. Systems analysis and requirements definition
3. Systems design
4. Development
5. Integration and testing
6. Acceptance, installation, deployment
7. Maintenance

The picture attached below describes the above mentioned stages of the systems development life cycle, divided into ten steps from definition to creation and modification of information systems.

The Exploitable Phases

Though multiple risks prevail in all the phases of the SDLC, the requirements definition phase, the system design phase, the system implementation phase, the system deployment phase and the system maintenance phase are the most overlooked ones, and they are routinely exploited by malicious insiders to cause damage. We shall now look into how to strengthen each of these phases using a risk-based approach, thereby engineering a reasonable level of assurance into the SDLC process.

[Figure: Systems Development Life Cycle (SDLC) life-cycle phases]


Risk based requirements definition

Ensure the information security team is an integral part of the requirements definition phase, define requirements based on a risk based methodology, and record the risks identified. The following table describes some of the common threats and vulnerabilities captured during the requirements definition phase. Note: the tables listed here for enumerating the threats, vulnerabilities and risks are not intended to be complete.

System Design Oversights

As per statistical data, insufficient attention to automated workflow processes and to authorized system overrides are the methods insiders most commonly use for circumventing rules. Implement controls suitable to your organization by performing a risk assessment on the system design phase.

Risks in Implementation Phase/Maintenance Phase

These are probably the two most exploited phases of the SDLC and require greater attention than the phases above. Record the risks related to implementation and maintenance, prioritize them, and establish timelines to close them off. We illustrate some of the most common threats, vulnerabilities, risks and controls that are applicable to these two phases. Recording the effort and benefit of closing off each risk would help in adding greater value.

Requirements definition phase:

S.No | Threats | Vulnerabilities | Risks
1 | Unauthorized Access | Role based access not defined | Loss of confidentiality leading to financial suits.
2 | No audit trails | Logging of activity not enabled | Regulatory fines, no evidence of tracing back the incident.
3 | Unauthorized activity | No proper segregation of duties. | Lead to loss of integrity/availability of information leading to financial and reputational damages.

Implementation and maintenance phases:

S.No | Threats | Vulnerabilities | Risks | Controls
1 | Backdoors | No code review | Loss of confidentiality, integrity and availability leading to closure of business. | Implement code review mechanisms
2 | Code Crash | Too many rights with one person | Loss of availability, integrity and confidentiality. | Source code integrity checking tools.
3 | Emergency Implementations | No procedures for managing emergency implementations or changes; no proper change control mechanisms | Could affect the availability and integrity of business applications |
4 | Code Modification | Test and production systems are not separated | Loss of availability, integrity and confidentiality. | Implement VLAN based segregation and rights management system.
5 | Code Resilience | No backup procedures | Loss of availability | Implement proper backup procedures to restore the code back.


Best Practices: The following points describe, in a nutshell, the best practices that can be implemented in an SDLC to minimize the exploit surface.

1. Enforce strict separation of duties and least privilege in all the phases.
2. Log, monitor and audit all employees’ activities; privileged users’ activities must be monitored more closely.
3. Use layered approval process mechanisms for implementing and managing source code in production systems.
4. Implement secure backup and recovery procedures.
5. White-list application behavior and monitor suspicious behavior.
6. Educate and continually train employees on secure software coding practices and methodologies.
7. Implement strict password and account management policies.
8. Implement code integrity monitoring tools.
9. Perform continual risk assessments on the SDLC.
10. Ensure the Infosec team is an integral part of all the SDLC phases.
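A worked example of best practice 8 (code integrity monitoring), which is also the control listed for the “Code Crash” and “Code Modification” rows of the table above. This is added illustrative Python, not code from the article or from CERT: it builds a reviewed baseline manifest of file hashes for a production code tree, stores it separately, and later reports files that were added, removed or modified without going through the approval process. The directory, file names and contents it uses are constructed sample data, and which suffixes count as code is an assumption.

```python
"""Source-code integrity baseline and drift check. Added illustration of
best practice 8 (code integrity monitoring) and the 'source code integrity
checking tools' control from the table; not from the article or CERT.
File names and contents are constructed sample data."""
import hashlib
import json
import tempfile
from pathlib import Path
from typing import Dict, Iterable

# Assumption: these suffixes are what we treat as code/config worth monitoring.
MONITORED_SUFFIXES = (".py", ".sh", ".sql", ".cfg")


def hash_file(path: Path) -> str:
    """SHA-256 of a file, streamed so large files are not loaded into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path, suffixes: Iterable[str] = MONITORED_SUFFIXES) -> Dict[str, str]:
    """Map of relative path -> hash for every monitored file under root."""
    suffixes = tuple(suffixes)
    return {str(p.relative_to(root)).replace("\\", "/"): hash_file(p)
            for p in sorted(root.rglob("*"))
            if p.is_file() and p.suffix in suffixes}


def save_manifest(manifest: Dict[str, str], path: Path) -> None:
    # Keep the baseline outside the monitored tree, on storage the deploying
    # staff cannot write to; otherwise whoever alters the code can also
    # re-baseline it (separation of duties, best practice 1).
    path.write_text(json.dumps(manifest, indent=2, sort_keys=True))


def load_manifest(path: Path) -> Dict[str, str]:
    return json.loads(path.read_text())


def compare(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, list]:
    """Classify drift between the reviewed baseline and the live tree."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(k for k in baseline.keys() & current.keys()
                           if baseline[k] != current[k]),
    }


def demo() -> Dict[str, list]:
    """Baseline a constructed code tree, alter it the way an unreviewed
    production change would, and report the drift."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "prod"
        root.mkdir()
        (root / "billing.py").write_text("def charge(amount):\n    return amount\n")
        (root / "deploy.sh").write_text("#!/bin/sh\necho deploying\n")
        (root / "README.txt").write_text("not monitored\n")
        baseline_path = Path(tmp) / "baseline.json"  # stored outside the tree
        save_manifest(build_manifest(root), baseline_path)

        # Constructed drift: logic edited in place, an extra script dropped
        # in, and the deployment script deleted.
        (root / "billing.py").write_text("def charge(amount):\n    return 0\n")
        (root / "helper.py").write_text("print('hello')\n")
        (root / "deploy.sh").unlink()

        return compare(load_manifest(baseline_path), build_manifest(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
    # {"added": ["helper.py"], "modified": ["billing.py"], "removed": ["deploy.sh"]}
```

Run the check from a scheduled job on a host other than the one that serves the code, and treat any non-empty result as an incident to reconcile against the change-control records from best practice 3.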

Conclusion: Insider exploits are real and need to be managed effectively to reduce the business risks and ensure stakeholders’ interest. It is therefore imperative that organizations of all sizes implement and practice a risk based approach to software development to better strengthen the SDLC program. Last but not least managing insider risks requires executive support, a steady but patient and dedicated approach to effectively mitigate them.

References : www.cert.org

A passionate Infosec professional striving to reach the doors of excellence in information security, audit and governance.

Vinoth Sivasubramanian

Currently working with In Space Technologies as a system administrator, Kannan is equally passionate about information security and is working towards his CISSP.

Ganapathy Kannan


Why you must attend CSCAMP2012? This is the third version of Cairo Security Camp. This year’s slogan is The Milestone. This is the place where knowledge is mixed with fun.
