Recently, i was selected to be involved to perform an assessment on a SCADA environment. It was an amazing experience getting to see the SCADA systems, the monitoring and the control systems that control the powerplants and power grids. Although there were many challenges faced during the assessment, it allowed me to develop my own methodology for performing a Vulnerability Assessment on SCADA networks.
I was more than happy to share the basic requirements and techniques on how to properly perform a VA on SCADA networks/systems to Hakin9. Unfortunately, you need to subscribe to Hakin9 before you can download a copy.
Link: https://hakin9.org/advanced-exploitation-with-metasploit/
a bookworm who loves cyber security. a sucker for hacker and security conferences. loves attending and promoting conferences and has spoken at multiple conferences globally (almost). interests include cyber threat intelligence, cyber 'warfare', cyber 'terrorism' and cyber conflict.
Friday 27 June 2014
Thursday 26 June 2014
GISEC (Gulf Information Security Expo & Conference) Dubai - 2014
GISEC (Gulf Information Security Expo & Conference) Dubai - 2014
I was pleased to be selected as part of a team to demonstrate BT's capability in GISEC conference recently which was held at the Dubai World Trade Center. I contributed to the idea of having a 'Cyber Challenge' to the BT booth inspired by the exposure i have from attending to hackers conferences. I was also given an area to showcase the Ethical Hacking capability providing demonstration and presentation to passerby.
It was a very tiring and satisfying experience! Given the fact that i was able to come up with an end to end demo by myself without any critics from management gave me a sense of confidence they have on me to deliver.
First, it was the Cyber Challenge stand. This challenge is about the ability for a pentester to be able to find a XSS vulnerability and exploit it. Day 1 challenge was to inject a script inside the affected parameter and provide an alert pop up. Day 2 challenge was to 'deface' a website by embedding an image on it and Day 3 challenge was to inject a script that will come out with an output in the result section and upon clicking on it, will be redirected to another page.
Sound simple right? But during the 3 days, only 3-4 people managed to complete the challenge.
On the ethical hacking stand, my job was to perform demos on anyone who has the interest to see it. I was happy to know that some people came up to me and said that the booth managed to gather a huge number of people, mostly were curious to see the demo. I won't go into the details of my demo but all i can say is that the demo was similar to the demo i presented with a colleague at Defcon Kerala, India last year.
But one of the best and memorable moments was the fact that i got to meet many strangers in the professional world and exchanging contacts after that. Well, thats what we called 'Networking'. All in all, it was a great and superb experience and i am sure this will continue in the near future.
Below are some of the pictures taken:
I was pleased to be selected as part of a team to demonstrate BT's capability in GISEC conference recently which was held at the Dubai World Trade Center. I contributed to the idea of having a 'Cyber Challenge' to the BT booth inspired by the exposure i have from attending to hackers conferences. I was also given an area to showcase the Ethical Hacking capability providing demonstration and presentation to passerby.
It was a very tiring and satisfying experience! Given the fact that i was able to come up with an end to end demo by myself without any critics from management gave me a sense of confidence they have on me to deliver.
First, it was the Cyber Challenge stand. This challenge is about the ability for a pentester to be able to find a XSS vulnerability and exploit it. Day 1 challenge was to inject a script inside the affected parameter and provide an alert pop up. Day 2 challenge was to 'deface' a website by embedding an image on it and Day 3 challenge was to inject a script that will come out with an output in the result section and upon clicking on it, will be redirected to another page.
Sound simple right? But during the 3 days, only 3-4 people managed to complete the challenge.
On the ethical hacking stand, my job was to perform demos on anyone who has the interest to see it. I was happy to know that some people came up to me and said that the booth managed to gather a huge number of people, mostly were curious to see the demo. I won't go into the details of my demo but all i can say is that the demo was similar to the demo i presented with a colleague at Defcon Kerala, India last year.
But one of the best and memorable moments was the fact that i got to meet many strangers in the professional world and exchanging contacts after that. Well, thats what we called 'Networking'. All in all, it was a great and superb experience and i am sure this will continue in the near future.
Below are some of the pictures taken:
Thursday 12 June 2014
Anti Virus is Dead..So What's Next?
When i was in GISEC (Gulf Information Security Expo &
Conference) in Dubai this year, i presented demos on the BT booth demonstrating
how a web vulnerability called XSS (Cross Site Scripting) can be further used
to gain access to the browser as well as the systems using the art of social
engineering. Through using two different exploit frameworks, i was able to
demonstrate how i was able to create a payload to bypass any Anti Virus
applications that was installed on the victim's machine.
After the demonstration, i showed them an online article and asked them, what do they think
should be done to protect the hosts or workstations given the fact that,
according to the article, Anti Virus is dead. Majority of them couldnt provide
me a straight answer. Some mentioned to install firewalls, others said that
patches must be properly updated and installed. While the answers might help to
prevent, the solution i recommended to them was 'Endpoint Security'.
'Endpoint Security' has many definitions and one of the
definitions i usually referenced to is the fact that it is a solution that consists of not just an Anti Virus
but a host based behavioural blocking components such as an IDS/IPS (Intrusion
Detection/Prevention Systems), a host based firewall, Anti Spyware component as
well as NAC (Network Access Control). With these components installed, as i
explained to them, although my payload will be able to bypass the Anti Virus
and Anti Spyware components, the IPS will definitely detect it and will prevent
it from being executed.
"But i have a
NIPS (Network Intrusion Prevention Systems) and a firewall that will protect
external attacks from penetrating my internal systems and servers."
claimed a person. "But what about
your own internal employees attacking your infrastructure?" I
questioned him back while i showed him an online article. According to an article last last year, 58% of information security incidents were attributed to insider
threat. We have seen many cases, due to relaxed policies, employees are able to
bring their own devices to connect to the organization's network, able to bring
external storage drives and plug it into the organization's machines and of
course, users having administrative privileges to execute and install third
party software in their organization's machines. These situations potentially
allow malware coming into the internal networks and spreading throughout the
organizations.
While there will never be a patch for human stupidity,
security managers must quickly propose a solution to protect their networks
from both external and internal attacks. While having security mechanisms
protecting the perimeter of the organizations are able to deter external
threats, most organizations fail to understand the critical need to protect for
possible internal threats as well. Yes, one can argue that network based
solutions can protect to the scenario i demonstrated but then again, is that really
enough?
Subscribe to:
Posts (Atom)