• 14/10/2010 -- Stuxnet as a Cold War Weapon and New Generation Armament (0)

• 16/01/2012 -- Cyber Security Conference 12 (0)

    * A mythical story about me
    * A demo for digital investigation and some brainstorming activities for an assassin plan
    * A demo for web application security includes port scanning, information gathering from http, https ports, banner grabbing, etc
    * Detailed information about OWASP and OWASP Turkey
    * Definition of Cyber World Concept
    * Examined the security necessity on cyber world
    * Defined cyber security concept
    * Talked about Terrorism, cyber-terrorism, cyber wars
    * Gave a functional approach to Terrorism
    * Highlighted the importance of web application security, threats, attack vectors, DoS, Buffer overflows, Injections,etc.
    * Generated a wide and deep multidisciplinary cyber security perspective
    * Finally, we talked about how we can prepare ourselves for future threats a little.

Actually, I was surprised by both seminars. I was planning to talk around 50 minutes however people were interested in the topic more than I could guess. So, I had to talk around 2-3 hours which I really enjoyed.

I think both seminars gave a new perspective about the future definitions of security and risk to listeners. I will write about these topics on this site later.

On the other hand, I will be in a IPTV show to talk about cyber terrorism with two lawyers soon, but before that, on the 29 April 2010, I will be in Yeditepe University, Istanbul to talk about cyber-terrorism for the Information Technologies Law Organization.

Besides that, I have a almost new job somewhere in Europe. I will also tell the details about that.

I will be in Istanbul Kultur University for a free seminar supported by OWASP. Fundamentally the topic will be about Cyber Wars, but also, will include;

• What is OWASP, OWASP Projects, seminar, society, etc.
• Internet as a new social and cultural domain
• Cyber world as a new milieu
• Why do we need a security perspective?
• First aggressions on the Internet
• Size and Shapes of threats
• Threat hierarchy of timeline
• Organized cyber crimes and cyber wars
• Cyber World and International Relations
• Terrorism and Cyber Terrorism
• How can we prepare for the future ?

Date: Tuesday, December 29, 2009
Time: 12:00pm – 1:30pm
Location: İstanbul Kültür Üniersitesi, Ataköy Kampüsü, Önder Öztunalı Konferans Salonu

http://www.webguvenligi.org/etkinlik/sunum-istanbul-kultur-universitesi.html
http://www.owasp.org/index.php/Turkey#tab=Meetings.2FConferences
http://www.owasp.org/index.php/Turkey#tab=Local_News.2FBrochure

Due to cost and compatibility with legacy systems, the most popular form of user authentication continues to be a secret password.

• Users may write them down or share them, so that they are no longer really secret.
• Passwords can be guessed, either by a person or a program designed to quickly try many possibilities.
• Passwords may be transmitted over a network either in plaintext, or encoded in a way which can be readily converted back to plaintext.
• Passwords may be stored on a workstation, server or backup media in plaintext, or encoded in a way which can be readily converted back to plaintext.

The fundamental and the biggest problem is remembering complex passwords for the people. When people have trouble remembering their passwords, they do one or more of the following things:

• Write down their passwords — and reduce security to the protection afforded by a piece of paper.
• Forget their passwords — and require frequent assistance from a computer help desk organization to reset it.
• Use very simple, easily compromised passwords.
• Reuse old passwords as often as possible.

The number of possible password combinations is calculated by taking the number of legal characters in a password, and raising that number to the number of characters in the password. The possibilities for some likely combinations are shown below:

Users must be obliged to choose their passwords from the widest possible set of characters, subject to the constraints of the systems where those passwords reside. For example, most mainframes do not distinguish between uppercase and lowercase, and only allow three punctuation marks (fourth row in the table above).

It is possible to divide creating secure passwords into two basic criterias; password length and password complexity. The passwords length is important to increase sample space of the probability, so at least 7 characters passwords must be used. However, this is not enough to provide protection. Additionally, password complexity is the supplementary precaution for the password security. The complexity consists of using lower case alphabets, upper case alphabets, numbers and special characters.

So with these information above, how can it be possible to create secure passwords?

The first thing to fallow Comlen rule. Never heard about it ? Don’t worry ! this is what i called it… Comlen means enough complexity with enough length. For example, 8 unique characters with 4 complexity units (1 uppercase, 1 lowercase, 1 number, 1 special char). As I mentiioned you above, these kind of password structures are not easy remembered unfortunately. Even remembering the complex passwords is the best solution, if you cannot do that, you can use password manager programmes. Using password management tool to store passwords should really become a habit. Anytime you create a password, note it down on a password manager tool, that will encrypt the password and store it safe for you. Another deal is using passphares to remember them. If you don’t want to use password management tool, Use Passphrase to easily remember the passwords. You can use initials of a song or a phrase that are very familiar to you. for e.g. “Passwords are like underwears, change yours often!” phrase can be converted to a strong password “Prlu,Curs0!”

There are common senses below. All the following points are nothing new and very much common senses. But most of the time, we tend to ignore these items.

1. Create unique passwords every time.
2. Change your passwords for all your accounts once every 6 months.
3. Never write down your passwords.
4. Don’t share with anyone.
5. Never keep the same password for two different sites.
6. Don’t type your password when someone is looking over your shoulder.
7. Never send your password to anybody in an email.
8. Change password immediately when they are compromised.
9. Don’t use the “Remember password” option on the browser without setting the Master Password.
10. Don’t type your password on a computer that does not belong to you.

There is a simple python function which produces complex passwords:

1. Reboot
2. Hold apple + s down after you hear the chime.
3. When you get text prompt enter in these terminal commands to create a brand new admin account (hitting return after each line):
   • mount -uw /
   • rm /var/db/.AppleSetupDone
   • shutdown -h now
4. Reboot

Or you can just type "password username" and change your user’s password after mounting "/"

If you look at the real time CSI investigation cases, you can easily easily that the threats generally comes from the ones who are in the closers circle of relationships.

This is same in Cyber World. Recent surveys indicate that better than 50 percent of business with an Internet server have experienced remote attack. That’s an impressive figure, however, a far higher percentage of business are attacked from within. 

Every year, thousands of business suffer demonstrable damages at the hands of disgruntled employees. In a recent case, a programmer was fired from a medical billing firm. Then the programmer run a script that deleted a month’s worth of billing records. The firm had no backups and therefore lost thousands of dollars. Cases like that are common.

Why are internal attacks so prevalent ?

The first and the simplest reason of why internal attacks so prevelant than the remote attacks is attacking a network or a system from inside is far easier.

Authorized users can have access to information that remote users can not. This is understandable. Furthermore, local users already enjoy some level of trust, not only simply at a network level but also human level. This is a major advantage.

Authorized or trusted users can gain or already have more and more information about the company and its local mechanisms, etc. Therefore, these kind of information can provide the local attackers to find new, creative and wide attack vectors and surfaces.

Assume an employee in a data processing center of a university. He is responsible from the switching and routing stuff. So, he has a big chance to packet sniffing in the local network and can see the flowing traffic. Besides then, if he is malice person, he can use his trusted human level in order to gain critical information about the users via social engineering, like e-mail passwords, local user passwords, etc. The attack surface is really wide.

Is it possible to prevent all the internal attacks and make the internal network more secure?

The answer to that question has very complex meanings and changeable dynamics. We can never say that there is 100 percent of security. However, we can raise the security level and can control and forestall the threats as much as possible.

It is possible to simply divide ensuring at least a minimal level of internet security into three fundamental parts. The first part is that clear and understandable policies must be written to make the users aware of security. The second and critical step of increasing the security level is that making the users aware of the policies. Moreover, access levels must be well-organized and need-to-know based access control lists must be prepared.

Many firms have no such policies and their administrative folks believe that users ignore the policies even if they are clearly set forth. That may or may not be true. However, that is no reason the avoit writing policies. Besides that, policies may not prevent your users snooping around, but if you do have written policies, you have the ammunition to dismiss that emplotee on the spot.

Some reports suggest the average employee in a small business spends up to an hour a day surfing the web for personal use — perhaps looking at video or file-sharing websites, playing games or using social media websites such as Facebook.

It’s not just time that this activity could cost you. Analyst reports show that the number of malware and virus threats is increasing by more than 50 percent each year, and many of these destructive payloads can be inadvertently introduced to the network by employees.

"It’s very easy for a rootkit to be hidden in a game or a video clip, and a novice user may not notice anything out of the ordinary," warns Graham Titterington, a principal analyst with Ovum.

The best advice is to constantly update and patch your IT systems to ensure you are protected against new threats as they emerge, advises Paul Vlissidis, a technical director with NCC Group. "Don’t rely on monthly or quarterly security downloads," he says. "The time between vulnerabilities being discovered and then exploited is shrinking all the time, so it’s important to update patches and antivirus software regularly, and ideally layer several antivirus products rather than using just one."

There are now a staggering number of ways that information can be taken from your computer networks and released outside the organisation. Whether it’s an MP3 player, a CD-ROM, a digital camera or USB data stick, today’s employees could easily take a significant chunk of your customer database out of the door in their back pocket.

"These types of devices are effectively very portable, very high-capacity hard drives," says Andy Kellett, a senior research analyst with Butler Group. "Someone can walk away with up to 60GB of data on a USB stick, so it’s not a trivial matter."

Research conducted by Websense found that a quarter of UK workers who use PCs at work admit copying data onto mobile devices at least once a week. In addition, 40 percent say they use USB sticks to move data around, and a fifth have revealed their passwords to third parties

In addition, Kellett recommends considering whether to block access to web-based email and data-storage services, such as Gmail. "If someone can store confidential documents to an online storage site, that information is completely beyond your control," he says.

Finally, consider locking down networks to prevent wireless access using Bluetooth or Wi-Fi — except for authorised users with authorised devices. "Information loss over Bluetooth on an unsecured network is very difficult to detect indeed," says Kellett.

Using SNMP it is possible to obtain the condition of a hard-drive partition, uptime of Switches, Routers, UPS, etc or traffic density on the port of a Router, etc. and run into Application Layer on TCP/IP stack. Furthermore, it runs multitude devices and operation systems such ;

• Core Network Devices (Routers, Switches, Hubs, Bridges, and Wireless Network Access Points)
• Consumer Broadband Network Devices (Cable Modems and DSL Modems)
• Consumer Electronic Devices (Cameras and Image Scanners)
• Networked Office Equipment (Printers, Copiers, and FAX Machines)
• Network and Systems Management/Diagnostic Frameworks (Network Sniffers and Network Analyzers)
• Networked Medical Equipment (Imaging Units and Oscilloscopes)
• Manufacturing and Processing Equipment, etc. 

The agent module which works and collect the information on the intended device, the manager part that interacts with the agent and takes the data from it, additionally, network management element which works on the manager and provides all the devices visible, traceable and reconfigurable, are the three main components of the SNMP protocol in order to work properly.

SNMP is a request-wait for apply based protocol. Network Management Component sends a request to a device that consist of Agent module, and after that the Agent returns the reply of the request to network management component. Management and Monitoring issues are handled five different types of messages in SNMPv1 which is is formally defined in RFC1157 : GetRequest, SetRequest, GetNextRequest, GetResponse, and Trap.

A single SNMP message is referred to as a Protocol Data Unit (PDU). These messages are described using Abstract Syntax Notation One (ASN.1) and translated into binary format using Basic Encoding Rules (BER). SNMP request messages are sent from managers to agents. Request messages can poll the agent for current performance or configuration data, ask for the next SNMP object in a Management Information Base (MIB), or modify configuration settings. SNMP agents should reliably decode request messages and process the resulting application data.

OUSPG’s research focused on the manner in which SNMPv1 agents and managers handle request and trap messages. By applying the PROTOS c06-snmpv1 test suite to a variety of popular SNMPv1-enabled products, the OUSPG revealed the following vulnerabilities:

VU#107186 – Multiple vulnerabilities in SNMPv1 trap handling

SNMP trap messages are sent from agents to managers. A trap message may indicate a warning or error condition or otherwise notify the manager about the agent’s state. SNMP managers must properly decode trap messages and process the resulting data. In testing, OUSPG found multiple vulnerabilities in the way many SNMP managers decode and process SNMP trap messages.

VU#854306 – Multiple vulnerabilities in SNMPv1 request handling

SNMP request messages are sent from managers to agents. Request messages might be issued to obtain information from an agent or to instruct the agent to configure the host device. SNMP agents must properly decode request messages and process the resulting data. In testing, OUSPG found multiple vulnerabilities in the way many SNMP agents decode and process SNMP request messages.

Vulnerabilities in the decoding and subsequent processing of SNMP messages by both managers and agents may result in denial-of-service conditions, format string vulnerabilities, and buffer overflows. Some vulnerabilities do not require the SNMP message to use the correct SNMP community string.

The CERT Advisory goes on to report the impact of these vulnerabilities:
    1. unauthorized privileged access
    2. denial-of-service attacks
    3. unstable behavior (service interruptions)
The CISO needs to keep the following concerns in mind when managing risk in the enterprise.

1. Threat: Fuzzing – Exposed Shared Secrets: A major vulnerability of SNMP v1/v2c is that the shared secret is sent in the clear; it is not encrypted. This is true whether the SNMP request is querying counter information, inspecting topology data, or reconfiguring the device. Since the shared secret is not hidden, an attacker can monitor the SNMP traffic to determine network topology and harvest those shared secrets. Among hackers, this is called fuzzing; amongst security professionals, this is Packet Sniffing.

   For example, using SNMP v1/v2c in an insecure network such as a DMZ means an attacker can monitor SNMP traffic and get community strings to perform their own queries or reconfigure devices using SNMP SET. By monitoring SNMP traffic or performing a query directly, an attacker can quickly determine the sysObjectID for each device. The sysObjectID tells the hacker the kind of operating system (OS) the device has. Knowing which OS allows the attacker to determine a suitable target and pick suitable tools to use against that target.
    

2. Threat: Service Interruptions: Vulnerabilities with decoding and processing the SNMP request message (whether a trapor request) in various software products is exploited by the Badly Formed SNMP Trap Attack. The impact of this attack is to blind the management software (prevent it from receiving more traps by causing it to crash) or blind the agent (making it unable to be queried by causing it to crash). The ability of the management software to continue to manage is degraded at best or disabled at worst.

   From within a DMZ, an attacker can reach the management software in the secure network when holes in the firewall are open to allow SNMP traffic or SNMP traps through directly. The attacker constructs special packets with ASN.1 decode errors. When the management console receives the message, it may exit abnormally. When critical daemons exit abnormally, the management software is degraded, causing service
   interruptions.
    

3. Threat: Denial Service : The denial-of-service attack disables management software by sending to a host more SNMP traffic than the host can process. The backlog of traffic to process causes the SNMP agent or manager to dedicate an unbalanced amount of CPU to process the attack’s traffic.

   From within a DMZ, an attacker can flood SNMP traps to the management console when SNMP traps are permitted to flow through firewalls from the DMZ to the secure side. This flood of traps (whether they are bogus or legitimate) causes the management software to backlog. The software uses too much CPU while processing the backlog, causing the management software to stop functioning effectively.

4. Threat: Unauthorized Privilege Access: This threat is the most feared by system managers – a vulnerability that can provide the attacker elevated, privileged access on a host or network device. A common vulnerability is caused by buffer overflow, but is specific to the software processing the SNMP packet.

   If an attacker determines SNMP v1/v2c SET community strings, the attacker can execute privileged commands. On networking devices, privileged commands may be used to reconfigure the device to behave undesirably. With advanced host agents, commands may be sent to the agent, which then execute in privileged state.

Today, mitigating risks with the SNMP protocol involves the choice of one or more mitigating factors:

• using SNMPv3 (not v1 or v2c),
• deploying an IPS appliance to protect against denial-of-service, or
• a management protocol proxy firewall which verifies SNMP traffic to ensure its authentic and valid as well as mitigating SNMP-based attacks.
• changing the community strings after set up SNMP
• keeping the protocol up to date

All the Resources are in the Reference Page.

One of the news is I have an Iphone now. I was very confused about Iphone and Omnia. However, it was very lucky for me that one of my friend had an Omnia, and i had a chance to try it. I think Omnia sucks, especially about operating system and touch screen. Touch Screens cannot be compared between Iphone and Omnia. Additionally even Omnia proccessor is quite well, Windows Mobile is freezing many times and the responses are too slow. As you know, Omnia has a 5megapixel camera, but there is no big difference between iphone’s 2 megapixel camera. And, you can increase your shooting picture ability of Iphone via installing third party programmes. So that, it s not a big advantage that ability of Omnia is quite well. 

Anyway, I have an Iphone now and I really had questionmarks in my mind about some missing things about Iphone. For example, you cannot connect your iphone to your computer without using Itunes, but in theoritically of course =). My first day with Iphone really sucked because when I looked around the packet repository of Iphone, i saw that the free softwares were not enough and i felt a bit locked or kind of stuck. However when I cracked the operating system of iphone, the world had changed for me. =) Perhaps it is not ethical but I have to say that you can only start to use iphone after you cracked its operating system.

Lets go back to the issue of connecting iphone to computer. Normally, it is done by Itunnes and you are allowed just transfering music or video files. On the other hand, SSH is used by some people to connect them each other and with that way you have a chance to transfer any kind of file you need. There are some programmes to do this from Microsoft Windows or OSX operating systems. Normally ordinary users does not know what the SSH is and also Iphone is a derivative of BSD, and that issue can be an handicap for them. Because, there is a default root password on Iphone which is alpine . That means, if you do not change your default root password and are trying to connect iphone and computer via SSH, some attacker also connect your iphone via SSH with default root password.

All in all, when you use that way in order to connect your iphoe from computer, you have to change you default root password and also, when you do not need the SSH, you have to turn it off.

In this technique, it is possible to divide the key into two parts, public keys and private keys. Public keys are public =). You can share it with anyone you want, but the private one must be kept secret. Incoming messages would have been encrypted with the recipient’s public key, and can only be decrypted with corresponding private key. The keys are related mathematically, but cannot be derived each other practically.

As you can see in the figure, Bob wants to send a message to Alice. Bob encrypts the data (Hello Alice) using Alice’s public key and sends it. When the encrypted data receives Alice, she has to use her private keys in order to decrypt it.

After a short brief, lets come back to our topic. First you have to install the gnupg programme according to install procedure of your operating system or distro.

In order to communicate in an encrypted way, you have to generate your keys.

To generate the keys, open a terminal and type "gpg – -gen – -key". In order to export your public key out, type "gpg – - export [UID]"  or you may need to other people’s public keys. In that situation, save the public key in a file name is for example "Bob.txt" or "Bob.asc", then type in terminal "gpg – -import Bob.txt".

Now we have our public and private keys and also Bob’s public key has already imported. Assume that we have data.pdf as a document which we want to send in encrypted way. The only thing that we should do is, "gpg -u [sender] -r [Bob] –armor –encrypt [filepath]". If we want to decrypted the file that is sent by one of our friends, assume that that files is "abc.doc", the we should type "gpg – - output [filename] – -decrypt [encryptedfilepath]".

 After these information, i want to give you some extras;

gpg –list –keys list of all keys imported your system

gpg –list –sigs list of all signs imported your system

gpg –fingerprint list fingerprints as HEX

gpg –list-secret-keys shows imported secret keys

gpg –delete-key [UID] deletes any key according to User ID

The biggest problem for me while I was using other stuff was the dependence of Operation System Platforms. I want to see all of my secure docs from every kind of OS. This is extremely important. Because, even I am feeling as a penguen, I have to use also Microsoft products as a System and Security, also Penetration Test Engineer.

Other problem is that there is a process of Ecrypt/Decrypt in manually. This makes me tired while i am working several docs that have to be secured. 

Truecrypt is a software used real-time "on the fly encryption" methodology. You can create a virtual encrypted disk within a file and either individual partitions or an entire storage.

It is an Open Source project and runs under GNU Linux, Mac OS and also Microsoft Windows. Thats why, you can work with all of your encrypted files from these operating systems.

You just create an encrypted zone, and then paste your files in it. The software works real time "on the fly encryption" as i told you before, so Truecrypt runs quietly at the background and can encode the file when you work with it. You don’t need to use any specific command or process to encrypt the files. This is pretty nice.

There is a two options about the filesystem, FAT and NONE. If you are using GNU Linux and want to use your encrypted zone as a EXT3, you have to do extra work.

We can divide our works into two main part with stuff from console and from GUI of software. The first and main part is GUI. You use GUI when you create a new encrypted zone. While you are creating it, you will see the two options for the filesystem. Select your zone as a FAT firstly and click next button and create the zone. After that mount it with GUI. However, do not close the GUI. Now, open a console, format your zone as a EXT3 via using mkfs.ext3 command. Then remount your zone on the GUI. You can check it whether it is EXT3 or not with mount command.

If you give importance to your privacy, I recommend you to use truecrypt. It is a very easy way to protect the personal files from all common Operating System without doing any specific stuff or using any specific command. 

hello :- display(‘Hello World!’) , nl .