What I do

I am an Information Risk Consultant and Penetration Tester. I specialize mostly in penetrating secure networks and computer systems, simulating an organized, professional attack against your organization, after which a detailed report summarizing the weaknesses and the exploited vectors is delivered. This will help you gain control over your infrastructure's security and maximize your protection.

Saturday, August 22, 2009

WHY WE MIGHT NEED A BETTER SECURITY ASSESSMENT VENDOR



THE SCAMS

During the mailing list discussion last week, a member brought up an issue in which I was also involved: the consultancy for a company situated in Ghana.
http://lists.my.co.ke/pipermail/security/2009-August/000566.html


This is a bit hilarious given that these guys were doing a security assessment for the company, and I expected a company like KPMG to be aware of the security assessment factors and of which services are offered during such an engagement.

THE FACTORS

So which factors does a client need to look into before taking on a security assessment?
a) Penetration testing, external or internal
b) Duration: how often do you need the service, annually, semi-annually?
c) Last but not least, which security assessment service do you need.

Before we go down to some explanations: during a presentation at KRA I explained the difference between a Vulnerability Assessment and a Penetration Test. To make that statement short, a penetration test is what follows a vulnerability assessment. The VA identifies and ranks suspected weaknesses; the penetration test is the hands-on confirmation of a vulnerability picked up during the VA, exploiting it to show what an attacker could actually do with it. It is therefore the VA's logical conclusion.

EXTERNAL AND INTERNAL TESTING

During a test, you choose whether you want the pentest performed from outside your network, from a remote site, or with the engineers inside the network. When it is performed externally, the engagement takes the form of an outside black hat who has to get past your firewall and any other device on your perimeter from the internet. In this kind of test the testers are given no IP ranges, no DNS names and no user accounts, in short no information; they have to covertly collect it and perform as much reconnaissance as they can before picking their prime targets. A test that starts from no information like this is commonly known as black-box pentesting.

Internal testing is carried out more like an insider threat: someone who is already behind the perimeter and who has a good deal of information about the network and the organization. Here the testers will try social engineering, privilege escalation, exploitation and so on.

DURATIONS, HOW MANY TIMES DO YOU NEED THE SERVICE, ANNUALLY, SEMI-ANNUALLY?

This may be considered both by the security team in an organization that needs the service and from the consultant's perspective. The factors may include:
a) Threat intelligence
b) Security incidents (scans, brute force, hack attempts, DoS)
c) Insiders
d) Business espionage
e) Perimeter devices and applications, e.g. portals, which may need external black-box pentests
f) Application and system changes, including the addition of clients and employees


WHICH SECURITY SERVICE DO YOU NEED?

One thing I have noticed with most of the security vendors in Africa is that they come up with crazy names for their products, which leaves customers wondering which to take and ends up tricking them into a commitment that is not a service. When a client or an organization asks for a security assessment, these are the services to look into:

a) Vulnerability Assessment

b) Penetration testing

c) Web Application Assessment

d) Physical Security Assessment

This is just to mention the most important ones. I will be writing a brief blog entry on each of them soon.

./Chuks


Monday, August 17, 2009

Hacking in EA just grew bigger


Recently, after the last few posts on the sec forums, and despite the hate and the mailing list trolling, I noticed a sudden increase in attacks on some of the servers I look after security-wise. The attacker was going mostly for the web server, keeping me awake on Friday and through Saturday; I had to get a little sleep on Sunday.

One crazy initiative: the guy was trying to find links he could use to gain access to one of the sites.

41.223.57.73 - - [16/Aug/2009:16:01:57 +0300] "GET /www2/admin HTTP/1.1" 404 275 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.2; af; rv:1.9.0.13) Gecko/2009073022 Firefox/3.0.13"
41.223.57.76 - - [16/Aug/2009:16:02:16 +0300] "GET /www2/admin.html HTTP/1.1" 404 280 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.2; af; rv:1.9.0.13) Gecko/2009073022 Firefox/3.0.13"
41.223.57.74 - - [16/Aug/2009:16:03:13 +0300] "GET /admin.html HTTP/1.1" 404 275 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.2; af; rv:1.9.0.13) Gecko/2009073022 Firefox/3.0.13"
41.223.57.75 - - [16/Aug/2009:16:03:43 +0300] "GET /administrator HTTP/1.1" 404 278 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.2; af; rv:1.9.0.13) Gecko/2009073022 Firefox/3.0.13"
41.223.57.74 - - [16/Aug/2009:16:03:55 +0300] "GET /administrator/backup HTTP/1.1" 404 285 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.2; af; rv:1.9.0.13) Gecko/2009073022 Firefox/3.0.13"
41.223.57.78 - - [16/Aug/2009:16:04:07 +0300] "GET /administrator/login.php HTTP/1.1" 404 288 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.2; af; rv:1.9.0.13) Gecko/2009073022 Firefox/3.0.13"
41.223.57.76 - - [16/Aug/2009:16:04:28 +0300] "GET /admin.php HTTP/1.1" 404 274 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.2; af; rv:1.9.0.13) Gecko/2009073022 Firefox/3.0.13"
41.223.57.75 - - [16/Aug/2009:16:05:29 +0300] "GET /vpn_administration HTTP/1.1" 404 283 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.2; af; rv:1.9.0.13) Gecko/2009073022 Firefox/3.0.13"
41.223.57.77 - - [16/Aug/2009:16:06:06 +0300] "GET /vpn_administrator HTTP/1.1" 404 282 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.2; af; rv:1.9.0.13) Gecko/2009073022 Firefox/3.0.13"
41.223.57.73 - - [16/Aug/2009:16:10:13 +0300] "GET /www2/administrator HTTP/1.1" 404 283 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.2; af; rv:1.9.0.13) Gecko/2009073022 Firefox/3.0.13"


This was not even as bad as the sshd attack, which ran 47 to 50 hours of straight brute force. He was trying usernames like admin, admin_companyname and companyname, and all of this against sshd on a non-default port. A snippet here.

Aug 15 01:10:01 xxxxx sshd[3834]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=41.223.57.74
Aug 15 01:10:01 xxxxx sshd[3834]: pam_succeed_if(sshd:auth): error retrieving information about user admin
Aug 15 01:10:02 xxxxx sshd[3834]: Failed password for invalid user admin from 41.223.57.74 port 48129 ssh2
Aug 15 01:10:17 xxxxx sshd[3834]: pam_unix(sshd:auth): check pass; user unknown
Aug 15 01:10:17 xxxxx sshd[3834]: pam_succeed_if(sshd:auth): error retrieving information about user admin
Aug 15 01:10:19 xxxxx sshd[3834]: Failed password for invalid user admin from 41.223.57.74 port 48129 ssh2

The brute force goes on from Saturday into Sunday...
Aug 16 00:03:03 xxxxx sshd[7758]: Failed password for invalid user admin_xxxxx from 41.223.57.72 port 57217 ssh2
Aug 16 00:03:09 xxxxx sshd[7758]: pam_unix(sshd:auth): check pass; user unknown
Aug 16 00:03:09 xxxxx sshd[7758]: pam_succeed_if(sshd:auth): error retrieving information about user admin_xxxxx
Aug 16 00:03:11 xxxxx sshd[7758]: Failed password for invalid user admin_xxxxx from 41.223.57.72 port 57217 ssh2
Aug 16 00:04:52 xxxxx sshd[7768]: Invalid user admin_xxxxx from 41.223.57.72
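The two excerpts above are exactly what you would want detection logic to catch without anyone sitting up all weekend. As an added example (not part of the original post), here is a small Python script run over constructed log lines modelled on those excerpts. It aggregates 404s to admin-looking paths per /24 rather than per host, because the probes rotate through 41.223.57.72-78 and each address on its own stays under any per-IP threshold, and it tallies sshd "Failed password" lines per source together with the usernames tried. The path patterns, the thresholds and the sample lines (including the benign 10.0.0.5 and 192.0.2.9 traffic) are assumptions for the demonstration.

```python
import re
from collections import Counter, defaultdict
from ipaddress import ip_network

# Constructed Apache access-log lines modelled on the excerpts in the post
# (user agents shortened). The 10.0.0.5 lines are benign traffic added to
# show that an ordinary 404 is not flagged.
ACCESS_LOG = """\
41.223.57.73 - - [16/Aug/2009:16:01:57 +0300] "GET /www2/admin HTTP/1.1" 404 275 "-" "Mozilla/5.0"
41.223.57.76 - - [16/Aug/2009:16:02:16 +0300] "GET /www2/admin.html HTTP/1.1" 404 280 "-" "Mozilla/5.0"
41.223.57.74 - - [16/Aug/2009:16:03:13 +0300] "GET /admin.html HTTP/1.1" 404 275 "-" "Mozilla/5.0"
41.223.57.75 - - [16/Aug/2009:16:03:43 +0300] "GET /administrator HTTP/1.1" 404 278 "-" "Mozilla/5.0"
41.223.57.78 - - [16/Aug/2009:16:04:07 +0300] "GET /administrator/login.php HTTP/1.1" 404 288 "-" "Mozilla/5.0"
41.223.57.76 - - [16/Aug/2009:16:04:28 +0300] "GET /admin.php HTTP/1.1" 404 274 "-" "Mozilla/5.0"
41.223.57.75 - - [16/Aug/2009:16:05:29 +0300] "GET /vpn_administration HTTP/1.1" 404 283 "-" "Mozilla/5.0"
10.0.0.5 - - [16/Aug/2009:16:05:40 +0300] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.5 - - [16/Aug/2009:16:05:41 +0300] "GET /missing.png HTTP/1.1" 404 275 "-" "Mozilla/5.0"
"""

# Constructed sshd lines modelled on the post. The 192.0.2.9 lines are a
# legitimate user mistyping a password once and then logging in with a key.
AUTH_LOG = """\
Aug 15 01:10:02 xxxxx sshd[3834]: Failed password for invalid user admin from 41.223.57.74 port 48129 ssh2
Aug 15 01:10:19 xxxxx sshd[3834]: Failed password for invalid user admin from 41.223.57.74 port 48129 ssh2
Aug 16 00:03:03 xxxxx sshd[7758]: Failed password for invalid user admin_xxxxx from 41.223.57.72 port 57217 ssh2
Aug 16 00:03:11 xxxxx sshd[7758]: Failed password for invalid user admin_xxxxx from 41.223.57.72 port 57217 ssh2
Aug 16 00:04:52 xxxxx sshd[7768]: Invalid user admin_xxxxx from 41.223.57.72
Aug 16 00:05:01 xxxxx sshd[7770]: Failed password for bob from 192.0.2.9 port 50000 ssh2
Aug 16 00:05:30 xxxxx sshd[7771]: Accepted publickey for bob from 192.0.2.9 port 50001 ssh2
"""

# Apache combined format: ip ident user [timestamp] "METHOD path proto" status ...
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# Assumed path fragments that indicate someone guessing at admin interfaces.
ADMIN_PATH_RE = re.compile(r"admin|login|backup", re.IGNORECASE)
# Matches both "Failed password for invalid user X from IP" and
# "Failed password for X from IP" (existing account, wrong password).
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)")


def admin_probes(log_text, prefix=24, threshold=5):
    """Count 404s to admin-looking paths, aggregated per /prefix network.

    Returns {network: count} for networks at or above threshold. With
    prefix=32 the count is per host, which is what a naive per-IP rule does;
    the sample attacker rotates source addresses and never trips it.
    """
    counts = Counter()
    for line in log_text.splitlines():
        m = ACCESS_RE.match(line)
        if not m or m.group("status") != "404":
            continue
        if not ADMIN_PATH_RE.search(m.group("path")):
            continue
        net = ip_network(f"{m.group('ip')}/{prefix}", strict=False)
        counts[str(net)] += 1
    return {net: n for net, n in counts.items() if n >= threshold}


def ssh_failures(log_text):
    """Tally sshd 'Failed password' lines per source address.

    Returns {ip: {"failures": n, "users": [sorted usernames tried]}}.
    'Invalid user ...' and 'Accepted ...' lines are ignored on purpose.
    """
    stats = defaultdict(lambda: {"failures": 0, "users": set()})
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            stats[m.group("ip")]["failures"] += 1
            stats[m.group("ip")]["users"].add(m.group("user"))
    return {ip: {"failures": s["failures"], "users": sorted(s["users"])}
            for ip, s in stats.items()}


def ssh_brute_force_sources(log_text, min_failures=2):
    """Sources with at least min_failures failed passwords. The threshold is
    an assumption; a real deployment tunes it against its own baseline."""
    return sorted(ip for ip, s in ssh_failures(log_text).items()
                  if s["failures"] >= min_failures)


if __name__ == "__main__":
    print("admin probes per /24:", admin_probes(ACCESS_LOG))
    print("admin probes per host:", admin_probes(ACCESS_LOG, prefix=32))
    print("ssh failures:", ssh_failures(AUTH_LOG))
    print("ssh brute-force sources:", ssh_brute_force_sources(AUTH_LOG))
```

Run stand-alone it reports the whole 41.223.57.0/24 at seven admin probes while the per-host view reports nothing, and it lists 41.223.57.72 and 41.223.57.74 as brute-force sources but not the user who simply mistyped once. Feeding the real Apache and auth logs in instead of the constructed strings is a matter of reading the files.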

This is just to warn the hacker up to this mischief: just know that I am watching you a lot. And if you have never seen such crazy logs on your perimeter machines, please check again.

All the above IPs are from Zain modems.

./Chuks

Saturday, August 08, 2009

Incoming SecureICT!!!!



Okay guys, you remember http://secureict.co.ke/. We are getting ready for the conference. See you guys there; I am doing a Wireless Penetration Testing presentation.

Good weekend.

./Chuks