Feed: tag:blogger.com,1999:blog-11966278
Updated: 2009-02-22T01:59:16.036+11:00
Title: PenetrationTester.com
Subtitle: These are the ramblings of Chris Gatford, an IT Security professional.
Author: Chris Gatford (http://www.blogger.com/profile/01617397637143599994, Chris@penetrationtester.com)

Entry: tag:blogger.com,1999:blog-11966278.post-4510381641389724339
Published: 2008-11-03T12:21:00.000+11:00 | Updated: 2008-11-03T12:22:06.997+11:00
Title: Risky Business Podcast #85
<p>I was listening to the Risky Business podcast this morning (by the way, thanks Patrick, you do a great job putting the show together). In episode 85 (http://itradio.com.au/?p=206) Patrick talks to one of his sponsors and legendary security expert Marcus Ranum. Old Marcus has some funny views on pen testing and I think they are slightly missing the mark.</p>
<p>Marcus believes that tools such as CORE Impact and Metasploit are not a good idea as they make a pen tester lazy (if I can generalise his comments to mean that). The things that were left out, which argue for why tools such as these are needed and why pen testing is still a valuable exercise, are illustrated by the following points:</p>
<p>1. A pen test is not just exploitation of devices! A pen test is about using the technical access you gain to gather business-sensitive information to highlight the risk of weak IT security controls. It's not about just getting the access! Whilst the techs in the target organisation understand the impact, it's about highlighting the business impact should someone malicious exploit the same vulnerability and attempt to extract sensitive business information or disrupt operations; this is what senior management are interested in.</p>
<p>2. The tools that assist a penetration tester, such as CORE Impact and Metasploit, are only as good as the person driving them. CORE Impact's automated wizard is handy, but the manual process is required to get complete coverage. The reason customers like this tool being used is that it has great logging and reporting of all actions taken. Also, as a tester, when you are finished all you have to do is select cleanup and it removes all the agents (control modules you have installed whilst you have been exploiting systems). Once again, great to show compromised hosts, but unless you link these to business risk it's not that good for the customer. (Disclosure: Pure Hacking are re-sellers for CORE Impact.)</p>
<p>3. Coverage. The old problem with any consulting job is time, and with a pen test time is always limited. Customers might not want to dedicate much time to the assessment but still expect a tester to find all the holes! That is obviously a tough job; with scanning tools at least you get coverage of the target environment, and whilst they work away you can focus on the other manual tasks of the test.</p>
<p>4. The win or lose scenario for pen testers. This is not something we are too concerned about: it's great to compromise a customer network and illustrate an attack vector that they had not thought of, but we still get paid even if we don't find any security weaknesses. In saying that, however, there are always security controls that can be strengthened to help reduce the risk an environment is exposed to.</p>
<p>5. Both tools have very limited web application security support, and the shift to web application security testing has been very significant in the last 3 years. Most pen testing I perform (70%) is now on web applications.</p>
<p>Happy to hear constructive thoughts on my post.</p>

Entry: tag:blogger.com,1999:blog-11966278.post-1286611230094569505
Published: 2008-09-30T16:02:00.001+10:00 | Updated: 2008-09-30T16:02:58.413+10:00
Title: Cisco IP Phone 7936 Default Passwords
<p>Found it hard to find some of this info, so thought I'd mention it on my blog for fellow hackers / pen testers.</p>
<p>Passwords for the Cisco IP Phone 7936:</p>
<p>User level access @ web interface: 7936</p>
<p>Admin level access @ web interface: **#</p>
<p>No actual username is required! After doing a bit of research it turns out that if you change the accounts, the rightful owner has no mechanism to change them back. If you thought a re-flash might be the answer, the device requires administrator access to perform that function! So there is no mechanism to reset to factory defaults without admin access! There are a few stories of bricked phones as a result!</p>

Entry: tag:blogger.com,1999:blog-11966278.post-6187572794232113237
Published: 2008-08-31T10:52:00.001+10:00 | Updated: 2008-08-31T10:53:42.050+10:00
Title: Being an infosec professional and having PCI knowledge is sometimes a curse
<p>One of the curses of being an infosec professional has always been a healthy dose of paranoia. However, this is often compounded by knowing the rules that people have to follow. Today I noted two really bad practices.</p>
<p>1.)
The privacy laws in Sydney, one, are crap and, two, are not really followed, but today I saw a great example of something to be scared of. I was in Kings Cross (shopping, I might add, accompanied by my wife, before you ask). We entered the Swans club, and as we are outside the 5km radius, which allows us to enter as visitors, we just have to prove it with photo ID. This is something we are all accustomed to. But when my wife gave it to them, before you could say boo they had scanned it and printed a "visitor pass". WTF?</p>
<p>Did they just take an electronic copy of my wife's driver's licence? Where is that stored? How long do they keep it? What do they use it for? How do they dispose of the data at end of life?</p>
<p>There was no point going into a conversation with the burly front guy about his data security management plan, so another potential risk to us as a family...</p>
<p>2.) Then after a nice meal and a few Czech beers I went to pay. I paid by Visa and went to sign for the goods; she checked my signature (she could not speak English), with her boss, a guy who looked like he'd worked in the Cross for about 50 years, next to her. She then proceeded to ask me where on my Visa my security code (CVV2) was. I explained where, but asked why, and she went to write it down!! Whoa, sorry, not letting you write that down.</p>
<p>The boss gave me a steely stare as I explained that was not required and not a practice merchants needed to use. He said it was good for him... I'm sure it was, given the dodgy area, but I was not going to let them, so I whipped my card away. The stare from the ex-Croatian war vet was very chilling; best I leave my PCI / best practices speech for this guy for another day ;-).</p>
<p>It's tough being an infosec professional...</p>

Entry: tag:blogger.com,1999:blog-11966278.post-2204230129255749350
Published: 2008-07-18T14:13:00.000+10:00 | Updated: 2008-07-18T14:14:32.413+10:00
Title: Telstra's crap customer service for the iPhone
<p>A week of waiting, 10 calls, many hours on hold, and I still don't have my iPhone unlocked! I bought it outright so I could use it on any carrier and then rang the magic number to get it unlocked to any carrier: 1800 782 489.</p>
<p>Rang them on Monday, no joy. Received a call Tuesday from the customer service section saying that they were waiting on Apple. Now a week later, and after many calls to Telstra today, I got fobbed off by being told that I had to follow the instructions on the Apple site, that my IMEI had been logged with Apple as being unlocked, and that I would have to do something at my end to complete it?</p>
<p>WTF? So I asked what that was and Telstra customer support did not know, and then they said look it up in the documentation supplied with the phone. Jeez, so I double checked everything, looked at the web site and left yet another message for the person dealing with my unlocking request.</p>
<p>No answer once again.
Waiting...</p>

Entry: tag:blogger.com,1999:blog-11966278.post-2523731630555391881
Published: 2008-07-18T11:36:00.001+10:00 | Updated: 2008-07-18T11:36:35.833+10:00
Title: Losing faith in PCI enforcement
<p>Whilst PCI-DSS is mandatory for compliance when an organisation processes, transmits or stores credit card data, it is up to the acquirer (the banks) to require merchants (businesses taking CC transactions) to measure their compliance against PCI-DSS. This information is then passed on to the card brands as a report on the compliance status of its merchants against the standard.</p>
<p>The reason I have lost some faith is that it became known to me that one large organisation doing millions of CC transactions, who are not PCI compliant, chose to pay the fines instead of ensuring they comply with the standard, as it was cheaper in the short term.</p>
<p>What is the cost of the non-compliance fine? Well, don't forget the acquirer decides this, but one customer is only fined $20,000 a year, which for them is a very, very small amount compared to the revenue they are making from taking CC transactions.</p>
<p>Let's hope these fines increase to the point where security actually starts getting some real attention from C-levels.</p>

Entry: tag:blogger.com,1999:blog-11966278.post-8785341676098318562
Published: 2008-07-18T11:25:00.001+10:00 | Updated: 2008-07-18T11:25:49.226+10:00
Title: Now a PCI-DSS QSA!
<p>I did the exam and training two weeks ago and got the results yesterday: passed. Now I'm armed and dangerous ;-)</p>

Entry: tag:blogger.com,1999:blog-11966278.post-8429947902762739233
Published: 2008-07-01T21:24:00.001+10:00 | Updated: 2008-07-01T21:24:36.301+10:00
Title: Finding Credit Card Data for PCI Compliance Work
<p>During a PCI compliance audit, as a QSA you are required to verify that various types of sensitive CC data are not stored, period, although some types are permitted, i.e. the PAN (CC number) and the expiry date, as long as they are "protected". Well, as someone with audit experience you know you won't get a truthful or comprehensive answer from the customer being audited. Often they don't know the entire process, or they know that there might be "grey" areas.</p>
<p>So you have to test portions of the environment; this is tricky at best. There are some tools, however, to help you find sensitive data in the environment:</p>
<p>https://source.its.utexas.edu/groups/its-iso/projects/senf/</p>
<p>http://www.hackaday.com/2008/06/20/finding-sensitive-data-with-freeware/</p>

Entry: tag:blogger.com,1999:blog-11966278.post-5933768447400771371
Published: 2008-05-26T10:13:00.000+10:00 | Updated: 2008-05-26T10:14:30.241+10:00
Title: Malware at Auscert 2008 handed out by Telstra on USB Stick
Funny, this one: I was there but didn't get a stick on the Thursday. When it came to my attention (I was teaching a tutorial on the Friday) as a student mentioned it, I tried to get one, which of course they refused to give me. They did tell me that they had 500, gave out 85 and only got back 15, so 70-odd infected sticks are still out there!<br /><br /><a href="http://blogs.zdnet.com/security/?p=1173">ZDNet USA</a>

Entry: tag:blogger.com,1999:blog-11966278.post-7433618416084947840
Published: 2008-05-14T11:24:00.000+10:00 | Updated: 2008-05-25T19:24:28.479+10:00
Title: Appearance on SBS Insight 13 May 2008
I was an invited guest on the SBS Insight program, which is a current affairs chat/panel show.
Managed to get some quotes in as the token "professional hacker" (well, someone had to play the role ;-) ).<br /><br /><a href="http://podcasting.sbs.com.au/videopodcasts/2008-05-13_Insight_Podcast.mp4" title="SBS Insight - ID Theft">SBS Insight - ID Theft MP4 Movie File</a><br /><br /><a href="http://news.sbs.com.au/insight/stolen_id_546720">Overview &amp; Transcript</a>

Entry: tag:blogger.com,1999:blog-11966278.post-1300803217926596233
Published: 2008-04-15T12:36:00.001+10:00 | Updated: 2008-04-15T12:36:55.735+10:00
Title: Appearance on Risky Business Podcast #58
I did a brief interview with Patrick Gray on the Risky Business podcast, episode number 58. Just a quick chat about the phishing attempts on the Australian seek.com.au website. These are being performed to garner the login details of the advertisers.<br /><br />Our assumption is that it's to advertise fake jobs to collect mules to help launder money being siphoned away illegally from fraud victims. You know the ads: "earn thousands whilst working from home".<br /><br />Patrick does a great job and it is worth a listen every week to keep on top of events and new information which routinely breaks from the podcast.<br /><br /><a href="http://www.itradio.com.au/security/?p=67" title="Risky Business Podcast">Listen here</a>

Entry: tag:blogger.com,1999:blog-11966278.post-256760215941471614
Published: 2008-04-11T09:43:00.001+10:00 | Updated: 2008-04-11T09:43:42.176+10:00
Title: Nmap to Nikto Parser
I had long been a Wikto guy as it has much better integration and a nice flow to it when enumerating directories to launch the Nikto database at. However, it's been a little flaky on some of the larger sites recently and I needed to give the new Nikto (version 2.02) a go. They have since implemented the same "AI" techniques, i.e. fingerprinting web responses for 200 OKs and 404 Not Founds etc., to give more accurate results (previous Niktos had lots of false positives because they did not have this).<br /><br />So as I had quite a few targets, all running web servers on various ports, I needed a way to parse the nmap scan to Nikto. Wow, I was surprised I couldn't find anything; there are lots of Nessus/Nmap/Nikto combined tools but I just needed something to format a file so I could easily just send it to Nikto. (Note: maybe I missed something; if so email <a href="mailto:chris@penetrationtester.com.removethisbit" target="_blank" title="Email">me</a>.) The initial scans took so long to run due to the size of the target that I wasn't about to use the Nikto-in-Nessus option, which would have solved this, as I didn't have the time.<br /><br />Anyhow, it came down to some old fashioned grepping.<br /><br /><p style="text-indent:20pt;">cat nmap.gnmap | egrep " 80/open| 443/open" &gt; openweb.txt</p><p style="text-indent:20pt;">(open the file and make sure it looks right; do minor edits)</p><p style="text-indent:20pt;">perl nikto.pl -h openweb.txt</p>I was surprised that there was not an easier way; I thought these two and Nessus would have been well developed and integrated by others by now. The new version of Nikto is good and it outputs to HTML and hyperlinks all of the findings for you, which makes verification much easier.

Entry: tag:blogger.com,1999:blog-11966278.post-5880416303417519002
Published: 2008-04-02T16:53:00.000+11:00 | Updated: 2008-04-02T16:54:19.296+11:00
Title: Hacker jailed for SWAT team prank
A bit of caller-ID spoofing I'm guessing; still, nonetheless a tad funny. Given that in the States caller-ID spoofing is incredibly easy with services such as <a href="http://www.pntrs.com/t/QUlBQUdBSURCP0JJSEVD">SpoofCard</a>, I'm sure there have been other cases.<br /><br /><a href="http://www.smh.com.au/news/security/hacker-jailed-for-swat-team-prank/2008/03/28/1206207349894.html" title="Hacker Jailed for SWAT team prank">SMH Article</a>

Entry: tag:blogger.com,1999:blog-11966278.post-5567103311705118214
Published: 2008-03-31T10:43:00.000+11:00 | Updated: 2008-03-31T10:46:43.659+11:00
Title: The Animated gif of Pain
Nasty hack whereby some ruthless hackers added flashing GIFs at full screen size on an epilepsy support forum. Bloody evil, this act. Also the first known direct pain caused by a web page (other than GOTSE).<br /><br />http://www.wired.com/politics/security/news/2008/03/epilepsy

Entry: tag:blogger.com,1999:blog-11966278.post-6297761943131200365
Published: 2008-01-24T17:17:00.000+11:00 | Updated: 2008-03-31T10:39:03.278+11:00
Title: Penetration Testing / Ethical Hacking Certifications
Known certifications:<br /><br />Offensive Security Certified Professional (OSCP) (Offensive Security dot Com)<br />Certified Expert Penetration Tester (CEPT) (Information Assurance Certification Review Board (IACRB))<br />Certified Ethical Hacker (CEH) (EC-Council)<br />Certified Open Source Security Penetration Tester (OPST)<br />SANS / GIAC Penetration Tester
(GPEN) (http://www.giac.org/certifications/security/GPEN.php)<br /><br />Any other known certs? Please help and contribute to the list.

Entry: tag:blogger.com,1999:blog-11966278.post-5519818255552838502
Published: 2007-12-03T13:15:00.000+11:00 | Updated: 2007-12-03T13:16:33.419+11:00
Title: Hacker Prankster
I came across this first as a viral video doing the rounds. Then I browsed to the main page and found this collection done by this guy.<br /><br />It's awesome: he is doing practical jokes via hacking the target and then doing funny things such as changing the platform trains are coming to in a station over and over, making a teleprompter for a news show go extremely fast and putting his own stories on it. Also one in which he changes a road sign to his own message and adds his photo!<br /><br />How he is getting away with it all is a huge mystery because he is not trying to hide his identity at all. It's all in Dutch and no English, so you have to do a bit of guessing at some of the text, but still well worth a viewing.<br /><br /><a href="http://www.infosupport.nl/Max">http://www.infosupport.nl/Max</a>

Entry: tag:blogger.com,1999:blog-11966278.post-7902089894710338599
Published: 2007-10-18T10:18:00.000+10:00 | Updated: 2007-10-18T10:20:39.718+10:00
Title: IDC Web site defaced by 'eco-terrorists'
Bit of a surprise, especially as they produce a lot of security related research statistics. I especially liked how Liam used their own (IDC) quotes in the article to highlight the trouble organisations face in securing their environments.<br /><br />Liam contacted me to provide some commentary; wasn't much to say other than yep, it was a compromise, and yes, they added an irritating MP3 and an image depicting the global climate crisis.<br /><br />I forgot to add the great hacking buzzword of hacktivist though, bugger!<br /><br /><a href="http://www.zdnet.com.au/news/security/soa/IDC-Web-site-defaced-by-eco-terrorists-/0,130061744,339283023,00.htm" title="IDC gets owned">http://www.zdnet.com.au/news/security/soa/IDC-Web-site-defaced-by-eco-terrorists-/0,130061744,339283023,00.htm</a>

Entry: tag:blogger.com,1999:blog-11966278.post-5146712069098540030
Published: 2007-05-22T10:10:00.000+10:00 | Updated: 2007-05-22T10:11:50.732+10:00
Title: Auscert 2007 Day 1
Well, I'm at the Gold Coast for the annual premier AusCERT IT Security Conference. A very good IT security conference and probably the best conference in Asia Pacific in my mind. Some great presentations on the first day including:<br /><br />David Litchfield<br />Ivan Krstić<br />Marcus Sachs<br />Joanna Rutkowska<br /><br />Looking forward to more material if I survive the free beer and huge amounts of pastry based food ;-).

Entry: tag:blogger.com,1999:blog-11966278.post-117436543023382229
Published: 2007-03-20T16:37:00.000+11:00 | Updated: 2007-03-21T08:50:06.354+11:00
Title: IDC Security and Continuity Conference 2007
I am lucky enough to be speaking at the IDC Security and Continuity Conference, 17th April 2007. Should be a good day, some interesting speakers. This is what it says about me:<br /><br />"Chris Gatford from Pure Hacking who will provide insights into the world of a penetration tester.<br /><br />Chris will speak about war stories, Point &amp; Click Hacking tools and the fun that can be had with new technologies.<br /><br />Chris Gatford is a Senior Security Consultant with Pure Hacking in Sydney, and performs penetration tests for organisations all around the world. Pure Hacking specialises in conducting independent security penetration testing, including internal and external penetration testing and application audits, providing ongoing security management and executing global agreements for penetration testing. Chris has reviewed countless IT environments and has directed and been responsible for numerous security assessments for a variety of corporations and government departments.<br /><br />Ethical hacking or penetration testing simulates what hackers would do when trying to attack computer systems. Locating and detailing the holes in the company's existing security measures and providing recommendations to protect systems and data are some of the tasks ethical hackers carry out."<br /><br /><a href="http://www.idc.com.au/events/security07/">IDC Australia</a>: http://www.idc.com.au/events/security07/

Entry: tag:blogger.com,1999:blog-11966278.post-117434632931578937
Published: 2007-03-20T11:18:00.000+11:00 | Updated: 2007-03-20T11:18:49.350+11:00
Title: A Note To Employers: 8 Things Intelligent People, Geeks and Nerds Need To Work Happily
I just had to post this article I found. How true is this!!<br />-------------------------------------------------------------<br /><br /><a href="http://feeds.feedburner.com/~r/NomadishereSeekerOfTruth/~3/101140331/">A Note To Employers: 8 Things Intelligent People, Geeks and Nerds Need To Work Happily</a>:<br /><br /><p>*NOTE: “I received many questions regarding my own job, and like I said in my interview with Jason Calacanis - <a href="http://positiontech.com">Position Tech</a> ROCKS - this post was written regarding all the bad jobs I’ve had in the past and to all of my dearest geek friends who have to deal with crappy jobs every day.”</p>
<p>There are many reasons to let geeks work the
way they want to work. Today they work in every industry. They are the knowledge base, blood and sweat equity of many businesses. They work harder than most. They work longer than most. Their job isn&#8217;t a separate &#8220;thing they do&#8221; while they look forward to going home and relaxing. Geeks *live* what they do. They eat, sleep and breathe it. They are your systems administrators, your IT team, your programmers, your web developers, your designers&#8230; and sometimes even your customer service and sales people. Anyone who understands how to leverage todays technology to increase intelligence, productivity and efficiency; anyone who stays up nights working to get better at what they do; anyone whose job is their life - is a geek. These are the most important asset your company has. For this reason, its important to give geeks what they want. Best part is, if you do, they most likely will not leave your company to work for someone who will.</p><br /><p>#1. <strong>Let them work when they want</strong><br /><br />Geeks work almost every moment they are awake. They are online before they go to the office. They are home working after the office closes. They work weekends. They are even sometimes working in their dreams. Employers should understand this and more importantly appreciate it. Don&#8217;t force geeks to work 8 - 5 if there is no real need other than &#8220;company morale.&#8221; Meetings are one thing, so is socializing with coworkers, but a relaxed office schedule will do wonders for the contentment levels of your employed geeks.</p><br /><p>#2. <strong>Let them work where they want</strong><br /><br />Geeks prefer to have a couch around to nap on if they are tired. Some like no windows, others want to stare out into a city or landscape. At home, geek&#8217;s offices are usually more lived in, more comfortable and enjoyable than anywhere else in the world. 
This is because they love what they do, and they do it so much of the time they need to be comfortable where they do it.</p><br /><p>#3. <strong>Let them control their lighting</strong><br /><br />There is nothing more annoying than working in bright crappy fluorescent lighting if you prefer to work in the dark, or vice versa. Geeks usually have sensitive eyes from staring at CRT monitors for too long. The last thing you want is your geeks to have headaches. Most geeks aren&#8217;t very pleasant to work with when they have headaches.</p><br /><p>#4. <strong>Let them wear headphones</strong><br /><br />Geeks are experts in the arts of &#8220;focus.&#8221; Focusing takes removing all unnecessary distractions from your environment and creating a state where nothing else is going on but what they are working on. The harder the problem they are trying to solve or the more creative they have to be, the more they need to focus. Headphones, or simply a lack of ringing phones and talking sales people allow geeks to focus much easier.</p><br /><p>#5. <strong>Do not expect them to wear a suit</strong><br /><br />Geeks find arbitrary activities that lack real and meaningful purpose, a waste of time and energy. This includes attire. Most companies today are aware of this and even practice casual dress so as to make everyone more comfortable, but geeks are a special case. &#8220;Suits&#8221; (the kind of person) usually represent a business man who lacks most things other than a nice smile and great negotiation skills.</p><br /><p>#6. <strong>Do not make them participate in company events (unless you are sure it is geek-friendly)</strong><br /><br />Most geeks will not be jumping up and down with joy to attend a company party to celebrate the local football team, unless of course there is beer, and they can hang around and talk to each other about geeky things. Keep this in mind when planning company events. 
Geeks like to have fun, just not the same kind of fun as your typical non-geek.</p><br /><p>#7. <strong>Do not hold a lot of arbitrary meetings that could have otherwise been handled through email or IM</strong><br /><br />This one is important. Like I said, geeks need to focus to be happy and able to focus. Nothing is more of an interruption than someone walking into their space unexpectedly and saying &#8220;hey do you have a minute?&#8221; The answer is usually going to be a disgruntled &#8220;Sure.&#8221; The truth is geeks are fine with attending planned meetings (and will happily be there if the meeting is really a necessary one for them to attend in person), but are usually most happy communicating through email and IM. These forms of communication are most appealing to geeks because they do not interrupt you, and polite geeks will even respond with a quick &#8220;hold on a sec, I&#8217;m in the middle of something.&#8221; Email and IM are recorded, searchable records of conversations. They are efficient and to the point. This also makes geeks happy. Geeks can discuss anything through email and IM and will usually be more willing and thorough with their response. Face to face meetings are important, geeks know that, but I would guess that 90% of conversations and meetings held face to face, would be more efficient and end with happier people, if they were held in a recordable, written, virtual space.</p><br /><p>#8. <strong>Do not make them do anything other than work</strong><br /><br />This one isn&#8217;t completely accurate all the time. Geeks are team players, but they are also easily insulted by being given a task below their level of expertise or outside of the scope of their position. They&#8217;ll do it, but they won&#8217;t be totally happy. 
This includes: answering phones, taking out trash, going shopping for company supplies, and &#8220;filling in&#8221; for a sales person.</p><br /><p>I hope this summary helps employers further understand the world of geeks, and how to keep them happy. I also hope this helps other geeks out there approach their employers with a list of what they need to work happy.</p><br /><br />Posted by Chris Gatford (Chris@penetrationtester.com)<br /><br /><p><strong>Australia a soft target as ISPs lag in battle to block spam and phishing</strong><br />Published 2007-03-01T11:43:00.000+11:00</p><a href="http://www.computerworld.com.au/index.php?id=168756863&rid=-144">Australia a soft target as ISPs lag in battle to block spam and phishing</a>:<br /><br />The low adoption rate of effective spam, phishing and other 
unwanted messaging filters by Internet Service Providers (ISPs) has made Australia a soft target for e-commerce abuse.<br /><br />Posted by Chris Gatford (Chris@penetrationtester.com)<br /><br /><p><strong>Yahoo Pipes</strong><br />Published 2007-02-15T15:29:00.000+11:00</p>Yahoo released a new tool called <a href="http://pipes.yahoo.com/">Yahoo Pipes</a>. It allows you to select a bunch of feeds and apply various filters and inputs to give you a custom RSS feed. I have <a href="http://pipes.yahoo.com/pipes/tIAp2sm72xG8r9KjFG_cUw/" title="Information Security Feeds (Australia + New Zealand)">created</a> a pipe parsing a lot of information security feeds, looking for Australia & New Zealand specific stories which might be of use to us here in Australia and New Zealand.<br /><br />Posted by Chris Gatford (Chris@penetrationtester.com)<br /><br /><p><strong>I've been published!</strong><br />Published 2006-12-07T10:19:00.000+11:00</p>I am very happy to report that I have just received the printed book that I have co-authored from Syngress, <a href="http://www.syngress.com/catalog/?pid=4010" title="Yay !">"Network Security Assessment: From Vulnerability to Patch"</a>. I was very lucky to get this opportunity and would like to thank Steve Manzuik for giving it to me. 
I was a last-minute replacement, and my name is actually present on the cover of the printed copy!<br /><br />If you are going to buy it, please do it from this link so I can try and at least make the minimum wage level for the effort I went to when writing it.<br /><br /><p style="text-align:center"><br /><a href="http://www.amazon.com/gp/redirect.html%3FASIN=1597491012%26tag=ws%26lcode=xm2%26cID=2025%26ccmID=165953%26location=/o/ASIN/1597491012%253FSubscriptionId=02ZH6J1W0649DTNS6002"> <img src="http://images.barnesandnoble.com/images/12210000/12216483.jpg"/></a> <br/> <a href="http://www.amazon.com/gp/redirect.html%3FASIN=1597491012%26tag=ws%26lcode=xm2%26cID=2025%26ccmID=165953%26location=/o/ASIN/1597491012%253FSubscriptionId=02ZH6J1W0649DTNS6002">"Network Security Assessment: From Vulnerability to Patch" (Steve Manzuik, Andre Gold, Chris Gatford)</a><br /></p>Posted by Chris Gatford (Chris@penetrationtester.com)<br /><br /><p><strong>Working on a Mac in a Windows shop</strong><br />Published 2006-12-07T09:52:00.000+11:00</p>I have long been a supporter and promoter of the power of OS X, although I have never had to use it as my main office system. So I have been discovering some of the challenges and gotchas of working like this since my recent career change.<br /><br />1. MS Word for Windows and MS Word for OS X do not always play nicely together. I have had issues with images not being displayed correctly when originally pasted in the OS X version. The fix was to import rather than copy and paste.<br /><br />2. Printing to a Windows printer is not nice. 
I have always been amazed at the ease with which everything just works, including printing, but this is not the case when trying to print to a Windows printer. It took some googling before I found instructions for what would seem to be a simple task.<br /><br />3. Leaving .DS_Store files (OS X index files) all over the LAN file server is a quick way to get crapped on by your work chums. There is a command-line option to turn this off, but again it doesn't help you tout the pros of a Mac to your new work mates.<br /><br />So I am discovering these joys as I go and taking them in my stride, trying to keep my Apple chin up. I then often show them this and ask whether their XP/Linux OS can do it; get the application <a href="http://www.macsaber.com/MacSaber_1.0.zip">here</a>.<br /><br /><object width="425" height="350"><param name="movie" value="http://www.youtube.com/v/qK4AonfnFaM"></param><param name="wmode" value="transparent"></param><embed src="http://www.youtube.com/v/qK4AonfnFaM" type="application/x-shockwave-flash" wmode="transparent" width="425" height="350"></embed></object><br /><br />Posted by Chris Gatford (Chris@penetrationtester.com)<br /><br /><p><strong>Oh happy day when Ernst &amp; Young showed me a better way</strong><br />Published 2006-10-13T09:40:00.000+10:00</p><table xmlns="http://purl.org/atom/ns#" border="0" cellpadding="0" cellspacing="0"><tr><td colspan="2"><embed id="VideoPlayback" src="http://video.google.com/googleplayer.swf?docId=4793699324787578407&amp;hl=en-AU" style="width:400px; height:326px;" type="application/x-shockwave-flash"> </embed></td></tr><tr/><tr><td>After 6.5 years with Ernst &amp; Young I decided to make a change and I have handed in my notice. 
Needless to say, this video was the final straw! ;-)</td></tr></table><br /><br />Posted by Chris Gatford (Chris@penetrationtester.com)<br /><br /><p><strong>Information Security Summit 2006</strong><br />Published 2006-07-30T22:33:00.000+10:00</p>I am speaking at the <a href="http://www.acevents.com.au/itsecurity2006/">Information Security Summit</a> once again. This year it is again in Darling Harbour, in the Sydney Convention &#38; Exhibition Centre. It always has a good turnout and is in a great venue.<br /><br />I will be covering powerful but simple attacks in a few demos. I plan to show the iPod of death and some password cracking with the ophcrack Live CD, among others.<br /><br />Posted by Chris Gatford (Chris@penetrationtester.com)