Few links i found worth sharing from the week (Wk.20/2010):

Lot of talk about Metasploit now, after the Metasploit Framework 3.4.0 Release

An exploitable VM for testing Metasploitable

For the Pentester > Quickly gathering logins/emails with theHarvester and Metasploit

BTW this Advanced Penetration Testing (APT) – Pentesting High Security Environments content looks impressive

You can have a Open Secure Wireless

Well @securosis & @ashimmy are calling out to Infosec bloggers

Is Twitter Making Us Dumb? Bloggers, Please Come Back

Calling all security bloggers, come out, come out where ever you are

Advice: If you dont want to share dont post it > Why I'm not leaving Facebook

Yes, SIEM technologies have improved > Implementing SIEM

Off-topic:

Dell views net-books as a complement, and not a replacement, for laptops & they are right >

I found this Credit Card Concierge Experiment quite amusing

Posted via email from Ramki's posterous

Odds of losing confidential personal data is increasing

This article Electronic Medical Records: The Good, Bad, And Ugly was a trigger to this post.

If you lose your medical record along with 10 or 1000 others will it make any difference to you? I think it will be more traumatic if you are amongst few as the redress modes will be different.

What about losing credit card details?

Imagine now even malware can have QA and botnet is an industry they even run help desk. Added to this (probably) unethical practices like this and sophisticated attacks like this the chances of losing confidential information is increasing.

What are the odds does an average citizen have against these? Maybe high in places like USA & Europe but in a developing country they are pretty low.

Posted via email from Ramki's posterous

Hacking thoughts - Insecure ATM port

Warning:  These are just random thoughts and with lot of presumptions; readers are advised that trying/doing similar activity would be a serious criminal offense and finally I am not a native speaker of English and may have used colloquial words hence no arguments on English usage.

I used an ATM today; this machine of a major Indian private bank was located on the premise of its branch. As I finished and turned to exit I noticed network patch cords connected to the ATM NIC were exposed; it shouldn’t be like this … someone could

a) Take a picture (like I did) and shout at the bank about the lack of cable security
b) Yank out the cord and get the ATM out of order temporarily
c) Rig the I/O (network socket) by connecting a HUB & AP (power socket was inches away) and hack into the bank network

Third is serious stuff, I wondered how one could accomplish this task? here is a possible way...

Requirements:

• HUB & Pocket wireless AP, Laptop…
• Tools (NMAP, Cain and Abel, Wireshark,…)
• A quiet day, companion, crutches,…

Steps:

1) Select a Sunday night
a) Not much of traffic b) Detection may happen only well into business hours on Monday. 

2) Get into the ATM with a companion on crutches
He needs help and this takes care of the security guard.

3) Let the companion use the ATM (just fiddling around like operating) meanwhile do something like dropping papers on the floor and under the pretext of gathering them up; quickly connect the equipment (HUB, AP & power) move something inconspicuous like wastepaper bin (there is usually one) to hide them from normal view.
This takes care of the camera (you are out of the view and just picking up some papers) and the casual glance of anyone (wastepaper bin blocks the gear)

4) Sit in a parked car within range of the AP (I saw a good quiet lane across the road), and…

4a) Check for vulnerable hosts online, PWN and get data, plant back-doors, c&c,…

4b) Or simply capture packets from the ATM interface to check for valuable information

Idea of this post is just to look at the possibility hence kept simple; but this requires lot of skill (which I don’t have :-) ) and may turn out to be taken as FUD phenomenon.

I plan to inform the bank about this weakness let me see how they view it.

Posted via email from Ramki's posterous

Automated tool assisted vulnerability assessments

ISO27001 requirements 15.2.2: Technical compliance checking Control states - "Information systems shall be regularly checked for compliance with security implementation standards"

Code of practice ISO27002 states "Technical compliance checking should be performed either manually (supported by appropriate software tools, if necessary) by an experienced system engineer, and/or with the assistance of automated tools, which generate a technical report for subsequent interpretation by a technical specialist"

ISO27k certified companies need to conduct periodic vulnerability assessment and hence employ consultants for this. Mostly the scope is to run a series of predominantly automated tests using vulnerability scanners and provide a report & recommendations.

This makes them comply but Is this enough? NO

This post was triggered by thoughts after

> Reading  Information Escapology, part five – Careful with That Proxy, Eugene... Will a standard vulnerability assessment address this? i guess no. It depends on who is doing? depth? methodology? etc.

> After hearing this from a consultant (someone i trust). It seems after a capability presentation session to a large company, the company's CISO asked him if they were the Authorized Scanning Vendor for the scanning tools & was the consulting company PCI DSS compliant... these were the only questions he had on the vulnerability assessment service process; nothing on things like what is the typical approach, methodology, depth, etc. Is it enough if your consultant is an ASV for a tool? Do you need to be PCI DSS compliant to do a vulnerability scan?

Conclusion: For most of them it looks like only compliance matters (or) they want a testing service that is so cookie cutter that the scope will be automatically limited to the basic scan-and-patch kind of findings

Posted via email from Ramki's posterous