Tuesday, March 12, 2013
Friday, February 8, 2013
Sunday, January 20, 2013
Building A Penetration Testing Lab Cluster
Building a penetration testing lab cluster at low cost with virtualization support, to be used later for research and analysis. If you don’t have access to a pentest environment, you should build your own penetration testing lab. If you need a wide range of hosts, you should also use virtualization. So today we show you how to build a virtualization cluster that can then serve as a penetration testing lab.
Detecting Web Application Firewalls
Web application firewalls play an important role in the security of websites, as they can mitigate risk and offer protection against a wide range of vulnerabilities. That is the reason many companies nowadays are adding a web application firewall to their existing infrastructure. Of course, deploying a WAF on its own cannot resolve the security problems a web application might have, and proper tuning is needed so that many of the attacks can be identified and blocked.
Wednesday, January 9, 2013
Is social engineering an actual threat?
Here are some brief explanations of why social engineering works. It’s tough to cover everything, because social engineering is a really broad field. The points in the list below are taken from the book I’ve quoted at the bottom of this article:
- Most people have the desire to be polite, especially to strangers.
- Professionals want to appear well informed and intelligent.
- If you are praised, you will often talk more and divulge more.
- Most people would not lie for the sake of lying.
- Most people respond kindly to people who appear concerned about them.
Being helpful
Usually humans want to be helpful to each other. We like doing nice things!
I run into the reception at a big corporate office with my papers soaked in coffee. I talk to the receptionist and explain that I have a job interview meeting in 5 minutes, but I just spilled coffee over all my papers. I then ask if the receptionist could be so sweet and print them out again for me from this USB memory stick that I have. This might lead to an actual infection of the receptionist’s PC and may gain me a foothold within the network.
Using fear
The fear of failing or not doing as ordered:
The company director’s (John Smith) Facebook page (or whatever other source of information) reveals that he has just left on a cruise for 3 weeks. I call the secretary and with a commanding voice I say: “Hi, it’s Chris calling. I just got off the phone with John Smith, he’s having a very good time on his cruise with his wife Carla and kids. However, we are in the middle of integrating a very important business system and he told me to give you a call so you can help us. He couldn’t call himself because they are going on a safari, but this is really urgent. All you need to do is take the USB stick that is addressed to him in the mail and plug it in, start the computer and we are all done. The project survives! Thank you very much! You have been a great help! I am sure John Smith will recognize you for this act of helpfulness.”
Playing on reciprocation
The tailgate. I hold the entry door for you, and I quickly walk in behind you. When you open the next door, which is security enabled, I am heading in the same direction, and most people will try to repay the helpful action by holding the door for you again, thus allowing you into a place where you should not be. Worried about getting caught? Nah. You just say you’re sorry and that you went the wrong way. The target would almost feel obliged to hold the door for you!
Exploiting the curiosity
Try dropping 10 USB sticks around in various locations in your organization. You don’t have to place them in too obvious places. The USB stick should have an auto-run phone-home program so you can see when someone connects it and should, in theory, be exploited. Another version of this is to drop USB sticks with a single PDF document called, for example, “John Smith – Norway.pdf”. The PDF document contains an Adobe Acrobat Reader exploit (there are tons of them), and once the user clicks the document he will be owned. Of course, you have made sure that the exploit is tailored to the target organization’s specific version of Adobe. It will feel natural for most people to open the document so that they can try to return the USB stick to its owner.
Another example of curiosity (maybe another term explains this better) is all those spam mails or bad Internet ads saying that you have won something, or that a Nigerian prince is offering you a whole lot of money if you can help him. I am sure you are familiar with these already, but they are also social engineering attacks, and the reason they are not stopping is that they are still working!
Friday, January 4, 2013
The Weakest Link in Data Center Security
The Weakest Link
Many of the organizations who have been attacked utilize comprehensive security technologies. Yet attackers have found a way to penetrate these defenses. This tells us that existing defenses aren’t working and security is being compromised by its weakest link—users in the enterprise.
1. The Human Factor - Via a variety of bad behaviors like weak passwords, negligence of management applications (RDP, Telnet, SSH), and social media oversharing, employees can compromise data center security without meaning to do so. There is no doubt this human factor in security is a challenge and needs to start with comprehensive and clearly understood security and privacy policies. While end-user education and awareness is important, it is insufficient given the uphill nature of that battle. The solution is to balance this with network security best practices: Do not trust, always verify – All users should always be authenticated, and provided least privilege access. In the data center, adopt a positive enforcement model. Positive enforcement means that you selectively allow what is required for day-to-day business operations as opposed to a negative enforcement approach where you would selectively block everything that is not allowed. This means safely enabling user access to specific applications or sub-application functions while inspecting all content for threats. Management applications like RDP, Telnet and SSH should be limited only to IT administrators.
2. Network segmentation – Network segmentation even in flat layer two networks like Ethernet Fabric architectures is critical. Properly segmenting the user to a segment of the data center helps in various ways. It helps to limit the scope of compliance, limit access to vulnerable servers in the network and limit exfiltration of data if you are compromised. Of course, to do this effectively, you need to have visibility of users, applications and content in every segment.
3. Tackle unknown threats – While addressing known threats is well-understood, addressing targeted, unknown threats is a tougher challenge because they are unlikely to hit honeypots in the wild that can provide comprehensive analysis of the malware and its behavior. Most targeted attacks originate from executable files downloaded onto an end-user device. Therefore, inspecting unknown files in the network in a virtual sandbox is a key strategy adopted by security vendors to weed out targeted, unknown malware. What is critical to complement this inspection is the ability to deliver malware signatures and inline enforcement for any malware that is found.
4. Inspect unknown traffic – In a data center, the amount of unknown traffic should be a very small percentage of all traffic. The ability to categorize and inspect unknowns to determine whether they are threats is a critical part of the data center security strategy.
5. Monitoring and logs - Finally, monitoring user access to key applications in the data center provides valuable information about user activity. It also helps detect critical policy violations and security holes.
Some of these best practices are in fact advocated by Forrester Research’s John Kindervag in his Zero Trust Network architecture, and being adopted by many enterprises worldwide. In summary, while end-users and employees in an organization may form the weakest link when it comes to unknowingly opening up businesses to damaging attacks, the strategy to address this may be to look beyond the users, and complement user awareness and training with network security best practices.
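Points 1 and 5 above come together in practice as a default-deny allowlist that is also run over the access logs. The script below is an added illustration, not code from the original post: it evaluates a positive-enforcement policy (roles, segments, allowed ports) against a constructed access log, denies everything not explicitly allowed, and reports non-admin use of RDP, Telnet and SSH as policy violations. The role directory, segment addressing and log format are assumptions made for the example.

```python
"""Positive-enforcement (default-deny) access policy evaluated over constructed
data-center access logs.  Added illustration of points 1 and 5 above; not code
from the original post.  Roles, segments and the log format are assumptions."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Management protocols the post says should be limited to IT administrators.
MGMT_PORTS = {22: "SSH", 23: "Telnet", 3389: "RDP"}

# Explicit allowlist of (role, destination segment, destination port).
# Positive enforcement: anything not listed here is denied.
ALLOW = {
    ("employee", "app-tier", 443),
    ("employee", "app-tier", 8080),
    ("it-admin", "app-tier", 22),
    ("it-admin", "db-tier", 22),
    ("it-admin", "mgmt", 3389),
}

# Data-center segments (assumed addressing).
SEGMENTS = {
    "app-tier": ipaddress.ip_network("10.10.1.0/24"),
    "db-tier": ipaddress.ip_network("10.10.2.0/24"),
    "mgmt": ipaddress.ip_network("10.10.9.0/24"),
}

# Authenticated identity -> role (assumed directory lookup).
USER_ROLES = {"alice": "employee", "bob": "it-admin", "mallory": "employee"}


@dataclass
class Flow:
    ts: str
    user: str
    src: str
    dst: str
    dport: int


def segment_of(ip: str) -> Optional[str]:
    """Map a destination address to its data-center segment, if any."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return None


def parse_line(line: str) -> Flow:
    """Parse one access-log line: '<ts> user=<u> src=<ip> dst=<ip> dport=<n>'."""
    ts, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return Flow(ts, kv["user"], kv["src"], kv["dst"], int(kv["dport"]))


def evaluate(flow: Flow) -> Tuple[bool, str]:
    """Return (allowed, reason).  Unknown users or segments are denied."""
    role = USER_ROLES.get(flow.user)
    seg = segment_of(flow.dst)
    if role is None:
        return False, "unknown user"
    if seg is None:
        return False, "destination outside any known segment"
    if (role, seg, flow.dport) in ALLOW:
        return True, "allowed by policy"
    if flow.dport in MGMT_PORTS and role != "it-admin":
        return False, f"{MGMT_PORTS[flow.dport]} by non-admin"
    return False, "not in allowlist"


def audit(lines: List[str]) -> List[Tuple[str, str, str, int, str]]:
    """Point 5: run the log through the policy and report every violation."""
    findings = []
    for line in lines:
        flow = parse_line(line)
        allowed, reason = evaluate(flow)
        if not allowed:
            findings.append((flow.ts, flow.user, flow.dst, flow.dport, reason))
    return findings


# Constructed sample log (not real traffic).
SAMPLE_LOG = [
    "2013-01-04T09:00:01 user=alice src=10.0.0.5 dst=10.10.1.20 dport=443",
    "2013-01-04T09:00:07 user=alice src=10.0.0.5 dst=10.10.1.20 dport=3389",
    "2013-01-04T09:01:15 user=bob src=10.0.0.9 dst=10.10.2.11 dport=22",
    "2013-01-04T09:02:40 user=mallory src=10.0.0.7 dst=10.10.2.11 dport=3306",
    "2013-01-04T09:03:02 user=eve src=10.0.0.8 dst=10.10.9.3 dport=23",
    "2013-01-04T09:03:30 user=bob src=10.0.0.9 dst=192.168.50.1 dport=22",
]

if __name__ == "__main__":
    for ts, user, dst, dport, reason in audit(SAMPLE_LOG):
        print(f"{ts} DENY user={user} dst={dst}:{dport} ({reason})")
```

The shape of `evaluate` is the point: the only branch that returns `True` is an exact allowlist hit, so an unknown user, an unknown segment or a port nobody thought about all fall through to a denial and a logged reason, which is what the post means by positive enforcement.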
DDoS Toolkit Being Used in Synchronized Attacks Against Banking, Hosting and Energy Firms
The denial-of-service toolkit used against financial institutions late last year has also been used against hosting and energy companies, DDoS protection firm Prolexic said in an advisory Thursday.
The “itsoknoproblembro” toolkit was behind the distributed denial-of-service attacks that dogged several banks in the United States last fall. The attacks against the banks were massive, with some peaking at 70 Gbps and more than 30 million pps. The toolkit has a two-tier command mode that can launch multiple high-bandwidth attack types simultaneously and has been used in coordinated campaigns against the energy, hosting provider, and banking industries, Scott Hammack, CEO of Prolexic, said in a statement.
Friday, December 21, 2012
Security is Inconvenient, Deal With It!
ZD Net had an article entitled "Kernel vulnerability places Samsung devices at risk" and I thought "so, what's new" until I followed the link to the forum post on xda-developers. Then I just lost it because I'm certain that this is a result of plain and simple laziness.
Here are my arguments for why I think it's laziness: First, this is Samsung we're talking about here. This error should have been caught in code review or QA. Second, according to the first post, the primary users of /dev/exynos-mem are
graphic usage like camera, graphic memory allocation, hdmi. By activating pid display in kmsg, surfaceflinger does mmap on the device (via one of the three shared libraries above?? I have not seen a reference in the binary to these libraries).
Ideal Skill Set For the Penetration Testing
Based on questions I’ve gotten over the years and specifically in class, I’ve decided that we need to address some basic skills that every penetration tester should have. While we can’t realistically expect everyone to have the exact same skill set, there are some commonalities.
1. Mastery of an operating system. I can’t stress how important it is. So many people want to become hackers or systems security experts, without actually knowing the systems they’re supposed to be hacking or securing. It’s common knowledge that once you’re on a target/victim, you need to somewhat put on the hat of a sysadmin. After all, having root means nothing if you don’t know what to do with root. How can you cover your tracks if you don’t even know where you’ve left tracks? If you don’t know the OS in detail, how can you possibly know everywhere things are logged?
2. Good knowledge of networking and network protocols. Being able to list the OSI model DOES NOT qualify as knowing networking and network protocols. You must know TCP in and out. Not just that it stands for Transmission Control Protocol, but actually know the structure of the packet, know what’s in it, know how it works in detail. A good place to start is TCP/IP Illustrated by W. Richard Stevens (either edition works). Know the difference between TCP and UDP. Understand routing; be able to describe in detail how a packet gets from one place to another. Know how DNS works, and know it in detail. Understand ARP, how it’s used, why it’s used. Understand DHCP. What’s the process for getting an automatic IP address? What happens when you plug in? What type of traffic does your NIC generate when it’s plugged in and tries to get an automatically assigned address? Is it layer 2 traffic? Layer 3 traffic?
3. If you don’t understand the things in item 2, then you can’t possibly understand how an ARP Spoof or a MiTM attack actually works. In short how can you violate or manipulate a process, if you don’t even know how the process works, or worse, you don’t even know the process exists! Which brings me to the next point. In general you should be curious as to how things work. I’ve evaluated some awesome products in the last 10 years, and honestly, after I see it work, the first thing that comes to my mind is “how does it work”.
4. Learn some basic scripting. Start with something simple like vbs or Bash. As a matter of fact, I’ll be posting a “Using Bash Scripts to Automate Recon” video tonight. So if you don’t have anywhere else to start, you can start there! Eventually you’ll want to graduate from scripting and start learning to actually code/program or in short write basic software (hello world DOES NOT count).
5. Get yourself a basic firewall, and learn how to configure it to block/allow only what you want. Then practice defeating it. You can find cheap used routers and firewalls on eBay, or maybe ask your company for old ones. Start with simple ACLs on a router. Learn how to scan past them using basic IP spoofing and other simple techniques. There’s no better way to understand these concepts than to apply them. Once you’ve mastered this, you can move to a PIX or ASA and start the process over again. Start experimenting with trying to push Unicode through it, and other attacks. Spend time on this site and other places to find info on doing these things. Really, the point is to learn to do them.
6. Know some forensics! This will only make you better at covering your tracks. The implications should be obvious.
7. Eventually learn a programming language, then learn a few more. Don’t go and buy a “How to program in C” book or anything like that. Figure out something you want to automate, or think of something simple you’d like to create. For example, a small port scanner. Grab a few other port scanners (like nmap), look at the source code, see if you can figure any of it out. Then ask questions on forums and other places. Trust me, it’ll start off REALLY shaky, but just keep chugging away!
8. Have a desire and drive to learn new stuff. This is a must; it’s probably more important than everything else listed here. You need to be willing to put in some of your own time (time you’re not getting paid for) to really get a handle on things and stay up to date.
9. Learn a little about databases, and how they work. Go download MySQL, read some of the tutorials on how to create simple sample databases. I’m not saying you need to be a DB expert, but knowing the basic constructs helps.
10. Always be willing to interact and share your knowledge with like-minded professionals and other smart people. Some of the most amazing hackers I know have jobs like pizza delivery, janitorial, one is a marketing exec, another is actually an MD. They do this strictly because they love to. And one thing I see in them all is their excitement and willingness to share what they’ve learned with people who actually care to listen and are interested in the same.
These things should get you started. Let me know if you have questions or comments.
Keatron.
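Point 2 asks for knowing the structure of the packet rather than the name of the protocol. The script below is an added example, not Keatron’s code: it decodes the IPv4 and TCP headers field by field from raw bytes, verifies both checksums (the TCP one over the pseudo-header, which is the detail people most often get wrong), and constructs its own SYN packet to parse, so no capture or privileged socket is needed. The addresses and ports are made up for the example.

```python
"""Parse a raw IPv4+TCP packet and verify both checksums.  Added example for
point 2 above (knowing the packet structure); not Keatron's code.  The packet
parsed at the bottom is constructed here, not captured traffic."""
import struct
from typing import Any, Dict

TCP_FLAG_NAMES = ["FIN", "SYN", "RST", "PSH", "ACK", "URG", "ECE", "CWR", "NS"]


def checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum: one's-complement sum of 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_ipv4(pkt: bytes) -> Dict[str, Any]:
    """Decode the fixed IPv4 header (RFC 791) and check its checksum."""
    (ver_ihl, _tos, total_len, ident, flags_frag, ttl, proto,
     _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    version, ihl = ver_ihl >> 4, (ver_ihl & 0x0F) * 4
    if version != 4 or ihl < 20 or total_len > len(pkt):
        raise ValueError("not a well-formed IPv4 packet")
    return {
        "version": version, "ihl": ihl, "total_len": total_len, "id": ident,
        "df": bool(flags_frag & 0x4000), "mf": bool(flags_frag & 0x2000),
        "frag_offset": flags_frag & 0x1FFF, "ttl": ttl, "proto": proto,
        "src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
        # A header whose checksum field is correct sums to zero.
        "checksum_ok": checksum(pkt[:ihl]) == 0,
        "payload": pkt[ihl:total_len],
    }


def parse_tcp(seg: bytes, src: bytes, dst: bytes) -> Dict[str, Any]:
    """Decode the TCP header (RFC 793); its checksum also covers a pseudo-header
    of source/destination address, protocol number and segment length."""
    (sport, dport, seq, ack, off_flags, window,
     _csum, urg) = struct.unpack("!HHIIHHHH", seg[:20])
    data_off = (off_flags >> 12) * 4
    flags = off_flags & 0x01FF
    pseudo = src + dst + struct.pack("!BBH", 0, 6, len(seg))
    return {
        "sport": sport, "dport": dport, "seq": seq, "ack": ack,
        "flags": [n for i, n in enumerate(TCP_FLAG_NAMES) if flags & (1 << i)],
        "window": window, "urg": urg,
        "options": seg[20:data_off], "payload": seg[data_off:],
        "checksum_ok": checksum(pseudo + seg) == 0,
    }


def parse_packet(pkt: bytes) -> Dict[str, Any]:
    """IP header first, then hand the payload to the TCP decoder."""
    ip = parse_ipv4(pkt)
    if ip["proto"] != 6:
        raise ValueError("not a TCP segment")
    src = bytes(map(int, ip["src"].split(".")))
    dst = bytes(map(int, ip["dst"].split(".")))
    return {"ip": ip, "tcp": parse_tcp(ip["payload"], src, dst)}


def build_syn(src: str, dst: str, sport: int, dport: int, seq: int) -> bytes:
    """Construct a minimal SYN (constructed test input, not captured traffic)."""
    src_b = bytes(map(int, src.split(".")))
    dst_b = bytes(map(int, dst.split(".")))
    # data offset 5 words, flags = SYN only, checksum field zero for now
    tcp = struct.pack("!HHIIHHHH", sport, dport, seq, 0, (5 << 12) | 0x002, 65535, 0, 0)
    pseudo = src_b + dst_b + struct.pack("!BBH", 0, 6, len(tcp))
    tcp = tcp[:16] + struct.pack("!H", checksum(pseudo + tcp)) + tcp[18:]
    # version 4 / IHL 5, DF set, TTL 64, protocol 6 (TCP), checksum zero for now
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0x4000, 64, 6, 0, src_b, dst_b)
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    return ip + tcp


if __name__ == "__main__":
    pkt = build_syn("192.0.2.10", "198.51.100.80", 40000, 80, 0x1000)
    print(parse_packet(pkt))
```

Flipping any byte of the constructed packet and parsing it again is a quick way to see which checksum catches it; the IP checksum only protects the IP header, so a corrupted TCP field is reported by the TCP checksum alone.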
Tuesday, December 18, 2012
Hackers at the Controls
An FBI report seen here details what could be seen as the hacking elite sect of Anonymous, Antisec, using a backdoor to compromise an air-conditioning control system in New Jersey.
This leaves me to the question of how vulnerable the government and private sectors are for these types of compromise of SCADA and building control systems.
Most hack jobs are attempts at ‘low hanging fruit’ or extraction of data. If the players are looking to ‘step it up’, then the heart of the data centers must be considered.
All of them, large and small, require the same components:
- Power
- HVAC (heat exchange)
- Flame Retardant Systems
- Secondary Power (UPS and generators)
- Physical Controls
- Space and Equipment
This may fall under facilities or IT, or a mixture of both, but a lot is vendor supported so that means controls go out the window.
Default or low strength passwords may be common!