Your Network in the Eyes of a Hacker – Th3 0ff3n$!v3 V3r$!0n
www.dts-solution.com
Mohamed Bedewi – Sr. Penetration Testing Consultant
Network+ | CCNA | MCSE | Linux+ | RHCE | Security+ | CEH | ECSA | LPT | PWB | CWHH | OSCP
mohamed@dts-solution.com
DTS Solution
Hackers are NOT Criminals
Wrong Conceptions About Hackers
• Hackers don't break into computer systems to steal information, that's Crackers.
• There are NO ethical hackers, either you have a hacker or a cyber criminal (Cracker).
• Blackhat, Whitehat and Grayhat hackers are all hackers and they only seek knowledge.
Hackers
They will hack into your computer systems to learn new things and to enhance their technical skills. Your sensitive information can get into their hands, but luckily they’re only interested in the back-end technology and how it really works; they won’t cause any harm or damage to your business and you won’t notice their presence. A blackhat hacker won’t report the threat, while a whitehat hacker will.
Damage: Minimal
Knowledge: Extensive
Crackers
They will hack into your computer systems to achieve financial gain or to cause damage to your business for different kinds of reasons. Your sensitive information will get into their hands and they’re willing to abuse it to the maximum extent. You won’t notice their presence, and most probably they’ll back-door your systems so they can easily visit again whenever they want without duplicating the effort.
Damage: Extensive
Knowledge: Minimal
The Truth About Hackers
• Hackers are highly skilled individuals, they’re capable of adapting to new technologies in
a matter of hours and they have a sharp attention to detail (the devil is in the details).
• Hackers are web designers, web developers, system engineers, infrastructure engineers,
programmers, database engineers and virtualization engineers combined (overqualified).
• Hackers are not engineers, they’re scientists, they achieve the impossible every minute
and they know how your systems really work even better than your best senior engineer.
Hacker
Fast
Adaptive
Knowledgeable
Creative
Persistent
Stealthy
Security is an Illusion
Wrong Conceptions About Security
• Investing in Firewalls, Antiviruses, WAFs, IPSs, NACs, etc. will not secure your systems.
• Hiring security engineers to maintain your security solutions will not achieve security.
• Complying with international standards and best practices will not grant you security.
Security
is
NOT
Policy
Project
Standard
Training
Appliance
Magic
Security Can Easily Let You Down
Exploiting FortiGate Next Generation Firewall
Security Can Easily Let You Down
Exploiting McAfee ePolicy Orchestrator (ePO)
Security Can Easily Let You Down
Exploiting Infoblox Netcordia NetMRI
Security is an Architecture, not an Appliance
Art Wittmann
Why UAE is a Vulnerable Target
The economy of the United Arab Emirates is the second largest in the Arab world, with a
gross domestic product (GDP) of $570 billion (AED2.1 trillion) in 2014. 71% of UAE's total
GDP comes from non-oil sectors.
Public Wikipedia
The underlying IT infrastructure for almost every entity in the United Arab Emirates is very
weak (for every 10 entities, there are 9 entities which are heavily vulnerable), and the attack
surface is massively increasing with no proper security controls.
Private Research
The disaster recovery plan is absent in 83% of United Arab Emirates' entities, there’s no
proper logging and monitoring of security violations and the response time for a security
breach is critically long with no proper action plan.
Private Research
What Security Experts are Saying
According to a survey carried out jointly by Kaspersky Lab and B2B International, 51% of
users in the UAE faced financial cyber-attacks during the past year while only 10% of them
admitted that they were victims - July, 2014.
Kaspersky Lab
According to Cisco Annual Security Report, businesses in the Middle East are facing a
growing risk of cyber-attacks with a sharp rise in sophisticated malware attacks on the oil,
gas, power and utilities sectors - Jan, 2014.
Cisco Systems
According to a survey commissioned by global Application Delivery Networking F5
Networks, 81% of surveyed UAE IT decision-makers believed their organization was more
vulnerable than ever to cyber-attacks - Feb, 2014.
F5 Networks
Serious Legal Warning
• All information displayed will be totally obfuscated for privacy reasons.
• We condone cracking and any computer mis-use or unauthorized access.
• All our PT activities are carried out based on a strict Rule of Engagement.
• Any security vulnerabilities discovered are reported back to TRA aeCERT.
• Our aim is to raise information security awareness through the work we do.
Please don’t get too excited and try this at home or work
DTS Offensive Division
Gigantic Construction Entity
Security Controls in Place:
• FortiGate Next Generation Firewalls with IPS enabled.
• BIG-IP F5 Load Balancer with no direct IP access nor ping.
• McAfee ePolicy Orchestrator (ePO) with HIPS enabled.
• IBM QRadar (SIEM) centralized monitoring and logging server.
• Imperva Incapsula cloud security and content delivery network.
Attack Exposure and Technique:
External Black-Box Penetration Testing with Zero knowledge of the underlying technologies.
Activity Goal and Deliverables:
Gaining full administrative access to the internal network through the DMZ without getting
caught by security controls in place nor getting logged by the SIEM solution (QRadar).
Challenge Accepted
Gigantic Construction Entity
HTTP Enabled Methods:
GET
PUT <<<<<<<<<<<<<< 
POST
DEBUG
TRACE
Major Transportation Authority
Security Controls in Place:
• Juniper Next Generation Firewalls with IPS and UTM enabled.
• Barracuda Web Application Firewall with no direct IP access nor ping.
• Kaspersky Endpoint Security for Business with application control enabled.
• Basic monitoring and logging for the entire infrastructure activated.
• ISO 27001 Certified with good security awareness and regular training.
Attack Exposure and Technique:
External Black-Box Penetration Testing with Zero knowledge of the underlying technologies.
Activity Goal and Deliverables:
Gaining full administrative access to the fleet management system without getting caught by
security controls in place nor getting logged.
Challenge Accepted
Sensitive Governmental Entity
Security Controls in Place:
Censored 
Attack Exposure and Technique:
External Black-Box Penetration Testing with Zero knowledge of the underlying technologies.
Activity Goal and Deliverables:
Gaining full administrative access to the back-end database without getting caught by security
controls in place nor getting spotted by security agents.
Challenge Accepted
Massive Financial Market
Security Controls in Place:
Censored 
Attack Exposure and Technique:
External Black-Box Penetration Testing with Zero knowledge of the underlying technologies.
Activity Goal and Deliverables:
Gaining full administrative access to the primary web application without getting caught by security
controls in place nor getting spotted by the SOC team.
Challenge Accepted
Sensitive Governmental Entity
Security Controls in Place:
Censored 
Attack Exposure and Technique:
External Black-Box Penetration Testing with Zero knowledge of the underlying technologies.
Activity Goal and Deliverables:
Gaining full administrative access to the ERP application without getting caught by security controls
in place nor getting spotted by the SIEM Solution.
Challenge Accepted
By March 2015 – 3298 SAP Security Notes
Vulnerabilities in ERP (SAP and Oracle)
[Figure: two bar charts. First chart: horizontal axis 2001–2014, data labels 1, 1, 13, 10, 10, 27, 14, 77, 130, 833, 731, 641, 363, 389. Second chart: "Oracle vulnerabilities per year", horizontal axis 2007–2014, vertical axis 0–600.]
Only one vulnerability is enough to get access to ALL your business critical data
Threat Modelling
– Attacks between systems
– Attacks on systems
– Overall security status
• Misconfiguration status
• Vulnerability status
• SAP Notes status
Understand which system can be attacked, how SAP is connected
with other enterprise apps and how crackers can escalate privileges
Threat Modelling and Map
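A small version of the map this slide describes, as an added example that is not part of the original deck: systems carry the three status checks (misconfiguration, vulnerability, missing SAP Notes), connections are directed links, and the code lists which systems an attacker could chain through and which fix shrinks that set the most. All system names, links and status values are constructed for illustration.

```python
from collections import deque

# Constructed landscape with hypothetical system names. Each system carries
# the three status checks from the slide; CONNECTIONS are directed links.
SYSTEMS = {
    "web-portal": {"exposed": True,  "misconfigured": False, "vulnerable": True,  "missing_notes": 0},
    "vpn-gw":     {"exposed": True,  "misconfigured": False, "vulnerable": False, "missing_notes": 0},
    "sap-pi":     {"exposed": False, "misconfigured": True,  "vulnerable": False, "missing_notes": 4},
    "sap-erp":    {"exposed": False, "misconfigured": False, "vulnerable": False, "missing_notes": 12},
    "hr-db":      {"exposed": False, "misconfigured": False, "vulnerable": False, "missing_notes": 0},
}
CONNECTIONS = {
    "web-portal": ["sap-pi"],
    "vpn-gw": ["sap-erp"],
    "sap-pi": ["sap-erp"],
    "sap-erp": ["hr-db"],
}

def is_weak(status):
    """A system is attackable if any of the three status checks fails."""
    return status["misconfigured"] or status["vulnerable"] or status["missing_notes"] > 0

def attack_paths(systems, connections):
    """Shortest path to every weak system reachable from an exposed weak one."""
    paths = {name: [name] for name, s in systems.items() if s["exposed"] and is_weak(s)}
    queue = deque(paths)
    while queue:
        current = queue.popleft()
        for target in connections.get(current, []):
            if target not in paths and is_weak(systems[target]):
                paths[target] = paths[current] + [target]
                queue.append(target)
    return paths

def remediation_ranking(systems, connections):
    """For each weak system, how many systems stay reachable once it is fixed."""
    ranking = {}
    for name, status in systems.items():
        if not is_weak(status):
            continue
        fixed = dict(systems)
        fixed[name] = {**status, "misconfigured": False, "vulnerable": False, "missing_notes": 0}
        ranking[name] = len(attack_paths(fixed, connections))
    return sorted(ranking.items(), key=lambda item: item[1])

if __name__ == "__main__":
    for system, path in attack_paths(SYSTEMS, CONNECTIONS).items():
        print(f"{system}: {' -> '.join(path)}")
    print(remediation_ranking(SYSTEMS, CONNECTIONS))
```

The exposed but clean `vpn-gw` never becomes an entry point, and `hr-db` stays out of the result only because it has no failed check of its own, which is the dependency the map is meant to make visible.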
TOP 10 Mobile Applications in UAE
1- Salik recharge
2- RTA Dubai
3- Dubai mParking
4- DUBAI POLICE
5- mPay
6- DHA & Sehaty
7- HbMPSG
8- Carrefour UAE
9- DEWA
10- Cinema UAE
M1 - Weak Server Side Controls
[Diagram: Mobile App, Attacker, Internet and Backend Server; attack shown: SQL Injection]
Very Popular Mobile Application in UAE :(
Backend Database Vulnerable to SQL Injection
Vulnerable! Leads to Full Data Leakage
Public Profile
Full Name
Password
User ID
Email
Emirates ID (used everywhere and needed by everyone, which increases the security risk)
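The weak server-side control behind this finding, next to its fix, as an added example that is not code from the deck or from the application it tested: a backend lookup that concatenates client input into SQL returns every profile row, while the bound-parameter version returns nothing for the same input and exposes only public columns. The table layout, rows and function names are constructed; the column names follow the fields listed on the slide.

```python
import sqlite3

def make_db():
    """In-memory table with the profile fields named on the slide (constructed rows)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE profiles (user_id INTEGER PRIMARY KEY, full_name TEXT, "
               "email TEXT, password TEXT, emirates_id TEXT)")
    db.executemany("INSERT INTO profiles VALUES (?, ?, ?, ?, ?)", [
        (1, "Sample User One", "one@example.com", "placeholder-1", "ID-PLACEHOLDER-1"),
        (2, "Sample User Two", "two@example.com", "placeholder-2", "ID-PLACEHOLDER-2"),
    ])
    return db

def lookup_vulnerable(db, email):
    """Weak server-side control: client input is concatenated into the SQL text."""
    query = "SELECT * FROM profiles WHERE email = '" + email + "'"
    return db.execute(query).fetchall()

def lookup_hardened(db, email):
    """Bound parameter keeps input as data; only public columns are returned."""
    if not isinstance(email, str) or len(email) > 254 or "@" not in email:
        raise ValueError("rejected by server-side validation")
    query = "SELECT user_id, full_name FROM profiles WHERE email = ?"
    return db.execute(query, (email,)).fetchall()

# Constructed input that changes the meaning of the concatenated query.
CRAFTED = "nobody@example.com' OR '1'='1"

if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", lookup_vulnerable(db, CRAFTED))  # every row, every column
    print("hardened:  ", lookup_hardened(db, CRAFTED))    # no rows
```

Restricting the hardened query to `user_id` and `full_name` limits what a single flaw can leak; the password and Emirates ID columns never leave the server through this endpoint.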
On that bombshell…
How Secure do you Think you are ?
DTS Solution is Exhibiting at GISEC
Thanks and Have a Good Day

GISEC 2015 Your Network in the Eyes of a Hacker - DTS Solution
