Archive for the 'security' Category

Dirty Business: What Security and Pen Testers need to know to get the job done

This article is part 3 in the series on Penetration Testing. The first in this series talks about penetration testing as a profession and gives a general introduction. The second introduces you to some critical keywords and security tips you need to be aware of before proceeding through the rest of this series.

When you are performing the role of a security/pen tester, sometimes just having the right tools and skills is not enough. Either the tools alone will not get the job done, or there are easier ways to make management understand how simple it is for someone to walk in and walk out with the keys to their “fort”.

One of the first things I want to share with you is a story my professor in a security class I took as an undergrad at Florida Tech shared with us. He was performing a penetration test at a company and was negotiating the price for which he was willing to pen test the company’s network. Apparently, the company was driving a hard bargain. Finally it reached an ultimatum, and the company asked, “Why should we pay you X dollars more? Are you that good?” or something along those lines. So my professor excused himself from the meeting room on the pretext of using the restroom and walked around the floor on which the meeting was set up. Here is what he found: passwords on employees’ monitors, including in front of an employee who had an “Emergency Response Team” sign sitting outside his cube. Walking past, he saw the project manager’s laptop bag, with disks and flash drives in it, sitting near the receptionist’s or an employee’s desk. He simply informed the lady that he had been told to bring the bag inside, and took out a flash drive. He logged into one of the terminals, grabbed some credentials stored on the flash drive, printed some confidential documents and brought them back to the meeting room, all within a time frame of around 5-10 minutes. No one asked any questions. My professor got the price he asked for and more, and the company had an excellent pen test analysis done.

So what is the moral of this story? No matter how strictly your filters are set or how well your firewall is configured, you must always guard against the insider attack. You are only as strong as your weakest link. In this business we sometimes need to employ tactics such as social engineering, among others, to get the job done. In this article I will talk about some of these tactics.

1. Using a keylogger: Keystroke logging (often called keylogging) is a diagnostic technique used in software development that captures the user’s keystrokes. It can be useful for determining sources of error in computer systems and is sometimes used to measure employee productivity on certain clerical tasks. Such systems are also highly useful for law enforcement and espionage—for instance, providing a means to obtain passwords or encryption keys and thus bypassing other security measures. A simple Google search for keylogger downloads gives you plenty of results. You might want to use a professional keylogger tool such as KeyKatcher or KeyGhost. While you are performing a security test on a system, keyloggers can be a helpful tool. However, please make sure that you have permission from the company to do something like this.

2. The ability to pick locks: Okay, this is one skill I don’t have either, but if you are performing the role of a pen tester, remember that if something is going to be stolen or picked from the company, it had better be you rather than some attacker. When performing a test, know the kinds of locks the company uses to secure its prime assets, such as server rooms. While most companies these days use card access, you might be in luck if they are using traditional locks. An excellent paper highlighting the need for physical security is the “MIT Guide to Lock Picking” by an author who calls himself Ted the Tool. If you are going in this direction, contact your nearest law enforcement agency, fill out the necessary forms and get certified. The ability to pick the lock of a server room can be a valuable asset while performing a security test at a company. Again, please make sure you have permission from the company to do something like this.

Related Articles:

1. Introduction to Ethical Hacking and Penetration Testing

2. Important Computer Security Definitions and Terminologies


Introduction to Ethical Hacking and Penetration Testing

I have been busy lately, as I am currently performing pen testing for a major company based in India. Under NDAs, I cannot disclose the name of the company.

However, the company has given me permission to incorporate some of the findings into this series: an introduction to ethical hacking through the eyes of a pen tester, which I hope will help anyone reading this blog protect and secure a network by understanding how a hacker operates and understanding their tools and methodologies.

Why would I want to publish such a series of articles? Because I did not want to be part of the problem anymore. The need to know and understand computer security has passed beyond the realm of security professionals alone. The web is an ugly place, with hackers and crackers lurking at every corner selling their Trojans and the rest of their goods in the malicious code department, trying to install botnets and seeking to profit from your mistakes, or rather your lack of security awareness.
Every other day you see articles in the newspaper and on the web about identity theft or credit card numbers being stolen from compromised database servers. The need for security professionals who know networks and understand how hackers operate is growing every day, with companies using such professionals to test and break into their networks before the bad guys do, and then patch up their security infrastructure. It is here that we, the “security tester” or “penetration tester”, come in.

So what will you learn in this series on Penetration Testing?
I will try to offer you a structured approach to security and penetration testing. I will also try to explain in depth some of the tools which hackers typically use. Remember, you are trying to be the ethical hacker, and you need to know how to use and implement the tools of the trade.

A network is only as secure as its weakest link. You are trying to discover vulnerabilities within a network and find that weak link before the bad guys.

Disclaimer: You will learn about some tools and methodologies which are not meant to be used for hacking purposes. Hacking or compromising a computer or a network is illegal in many parts of the world. Please use them to further understand how computer security works. If you are taking up the role of penetration tester for a company, make sure you have a contract signed with the client, with what you can and cannot do clearly defined. Also, make sure you read your ISP’s contract and their acceptable use policy regarding any scanning software such as port scanners. Running anything that denies a user access to a system or a network resource is illegal.

Analysis of Spam Thru botnet

Mark Sunner, Chief Security Analyst at MessageLabs, was among the many security analysts watching one Trojan called “Spam Thru”, a piece of malware designed to send spam from an infected computer, at the turn of last year. Spam Thru represented an exponential jump in the level of sophistication and complexity of these botnets, harnessing a 70,000-strong peer-to-peer botnet seeded with the Spam Thru Trojan. Spam Thru is also known by the aliases Backdoor.Win32.Agent.uu, Spam-DComServ and Troj_Agent.Bor.

Spam Thru was unique because it had its own antivirus engine, designed to remove any other malicious programs residing on the same infected host so that it could get unlimited access to the machine’s processing power as well as its bandwidth. It also had the potential to be 10 times more productive than most other botnets while evading detection because of its built-in defences.

The thing that worries Mark Sunner the most is his suspicion that the major traffic spike towards the end of 2006 was merely a test run for more, if not similarly sophisticated, botnets to follow. Sunner adds:

“With new levels of sophistication this has reached a real milestone. Botnets are getting smaller, more stealthy and more discreet and yet the volumes of spam are going up. Without a hint of scaremongering, will this get a lot worse throughout 2007 in terms of botnet sending? Absolutely, yes.”

The British IT security firm MessageLabs registered a dramatic increase in spam mail traffic from 64.4% to 72.9% late last year, all attributed to Spam Thru.

Increase in Spam Traffic attributed to SpamThru


Nigerian Scammer moves to London, England

The most visible form of advance-fee fraud today is the Nigerian Letter or 419 fraud. A typical letter claims to come from a person needing to transfer large sums of money out of the country, or from a lottery company. As the Nigerian letter has become well known to potential targets, the gangs operating the scams have developed other variations.

So apparently the Nigerian scammer has shifted base out of Africa and into the Queen’s country, England. Below is a picture of the email.

Nigerian Scammer sample letter

Related Articles:

Read everything you need to know about the Nigerian email scam in this in-depth article on Crimes of Persuasion

Spammers now using TinyURL to flood comments

Spamming is the abuse of electronic messaging systems to send unsolicited bulk messages. While the most widely recognized form of spam is email spam, spam in blogs is becoming huge these days, along with search engine spam and mobile phone messaging spam.

Spamming is economically viable because advertisers have no operating costs beyond the management of their mailing lists, and it is difficult to hold senders accountable for their mass mailings. Because the barrier to entry is so low, spammers are numerous, and the volume of unsolicited mail has become very high. The costs, such as lost productivity and fraud, are borne by the public and by Internet service providers, which have been forced to add extra capacity to cope with the deluge.

Blog spam, or “blam” for short, is spamming on weblogs. This type of spam takes advantage of the open nature of comments in blogging software by placing comments on various blog posts that provide nothing more than a link to the spammer’s commercial web site.

Blogs such as TechCrunch have caught over 1 million spam comments. For most blogs, including this one and AskStudent, the protection against such blog spam, as at TechCrunch, is Akismet.

Today I saw a new method of blog spam by these spammers. They are using TinyURL, a very popular web service which provides short aliases for long URLs. In spite of its benefits, TinyURL has faced the criticism that its links are opaque, hiding the ultimate destination from the web user. This opaqueness is now being leveraged by spammers, who can use such links in spam and thus bypass URL blacklists: a filter that only looks at the literal link in the comment sees tinyurl.com, not the spam site behind it.
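To make the bypass concrete, here is an added example (not code from the original post) of a comment filter that expands shortener links before matching them against a URL blacklist, shown beside the naive check that the short link defeats. The blacklist, the sample comments and the redirect table are constructed data; a real deployment would resolve the redirect with an HTTP HEAD request instead of a dictionary lookup.

```python
import re
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

# Domains of URL shorteners whose links must be expanded before filtering.
SHORTENER_DOMAINS = {"tinyurl.com", "bit.ly", "is.gd"}

# Constructed blacklist of known spam destinations (sample data).
BLACKLIST = {"spam-pills.example", "cheap-watches.example"}

# Constructed expansion table standing in for live redirect resolution.
FAKE_REDIRECTS = {
    "http://tinyurl.com/abc123": "http://spam-pills.example/buy",
    "http://tinyurl.com/ok1": "http://python.org/",
}

def is_blacklisted(host):
    """True if host is a blacklisted domain or one of its subdomains."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in BLACKLIST)

def naive_is_spam(text):
    """The check the spammer bypasses: matches only the literal link host."""
    return any(is_blacklisted(urlparse(u).hostname or "")
               for u in URL_RE.findall(text))

def expand_short_url(url, resolver=FAKE_REDIRECTS.get):
    """Follow a shortener link one hop to its destination via the resolver."""
    host = (urlparse(url).hostname or "").lower()
    if host in SHORTENER_DOMAINS:
        return resolver(url) or url  # unresolvable: keep the short link
    return url

def classify_comment(text):
    """Return ('spam', reason), ('review', url) or ('ok', None)."""
    for url in URL_RE.findall(text):
        final = expand_short_url(url)
        host = (urlparse(final).hostname or "").lower()
        if is_blacklisted(host):
            return "spam", f"{url} -> {final}"
        # A shortener link that could not be expanded stays opaque: hold it.
        if host in SHORTENER_DOMAINS:
            return "review", url
    return "ok", None

if __name__ == "__main__":
    comment = "Great post! More at http://tinyurl.com/abc123"
    print("naive filter says spam:", naive_is_spam(comment))   # False
    print("expanding filter says:", classify_comment(comment))  # spam
```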

Example showing the use of TinyURL in blog spam

UPDATE:

TinyURL has blocked the above site, stating that it violated their policy. How does one deal with such spam? Post in the comments area.

TinyURL blocks spam link

Related Articles:

1. How to hide your email address from spammers, a thorough guide

2. How a PayPal phishing email looks like and how to detect it

3. Top phishing targets are Ebay and PayPal followed by Banks

4. References: Wikipedia article on spammer
