Category Archives: Penetration Testing

Mad Hulk does good

The Hulk is an iconic comic character created by Stan Lee and Jack Kirby, a brutal superhero who only manifests himself when his alter ego, Dr Bruce Banner, loses control of his rage or is put in a position where his life is in danger. In the Marvel Comics universe, that is more often than not. Nobody wants to see Dr Banner sipping coffee while meditating. Where’s the excitement in that?

A sort of digital manifestation of Hulk has materialised, aptly called the HTTP Unbearable Load King (the acronym being HULK), and what does it do? Well, “HULK get mad, HULK smash” is perhaps an apt explanation.

The back story to this denial of service (DoS) attack tool, which has become the buzz topic of the moment, is that it was developed without malicious intent by a network security researcher.

Yes, you read that right: its origins are entirely altruistic. The gentleman in question produced the HULK script as an “educational proof of concept”, a proactive exploration of weaknesses in web servers, a form of penetration testing if you will.

The fascinating aspect of the story, if that wasn’t sufficiently amazing, is that Barry Shteiman, a self-confessed nerd who works for an application security company, posted the script on his website for everyone to use.

With a disclaimer of course: “The tool is meant for educational purposes only and should not be used for malicious activity of any kind.”

“What makes HULK dangerous is the fact that a single malicious actor with a single computer could feasibly take down a small, unhardened web server in minutes. We’ve tested the tool internally and it is functional,” commented Neal Quinn, chief operating officer at Prolexic.

“Fortunately, this is not a very complex DoS tool. We were quickly able to dissect its approach and stop it dead in its tracks. It is fairly simple to stop HULK attacks and neutralise this vulnerability with the proper configuration settings and rules.”

Commenting on his website, one enthusiastic user going by the name of UnderPL was amazed that a “single dos” could bring down his website. That shows what the tool can do in the wrong hands, and it could be held against Mr Shteiman’s openness and willingness to share, but that would be a mistake.

His creativity, which stems from a genuine interest in this field of study and from a curious disposition, a wish to think outside the box, is an attribute to applaud. It has led him to come up with a technique that a cyber criminal might well have developed in the foreseeable future and used to full effect before anyone knew how to deal with it. Now that we know the problem, we can strategise.

He therefore embodies the characteristics that all IT experts need in order to be the best of the best. This isn’t Hulk gone mad, but “Dr Banner done a very good thing”. As Mr Quinn observed, in this instance we can all relax.

“There is a lot at stake for businesses online – whether it’s a matter of money, reputation, regulatory compliance or business continuity. No one wants to be down for a second, let alone hours or days,” he expanded.

“Consequently, any threat can cause panic. While many DDoS threats are very real and severe, in the case of HULK, panic is not necessary. PLXsert is happy to share our practical, effective mitigation method that can be implemented on any WAF or content switch, and transform the HULK back into Dr Banner.”
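The PLXsert mitigation itself was not published on this page, so here is an added illustration of the idea, written for this article and not taken from Prolexic’s rule set or from Shteiman’s script. HULK’s public script sends a burst of GET requests in which every request carries a fresh random query string and a rotating User-Agent and Referer, so that no cache in front of the server can answer for it; that is the shape to look for. The Python below reads web server access log lines in the common “combined” format and flags any source address that both exceeds a burst rate and sends almost entirely distinct query strings. The log lines are constructed for the example, and the thresholds (40 requests in 10 seconds, 80% distinct queries) are assumptions to tune per site; a WAF or content switch rule would apply the same two tests in real time.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit

# Apache/nginx "combined" log format. The sample lines built further down are
# constructed for this example; they are not traffic captured from a real HULK run.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" \d{3} \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Return a dict with ip, epoch, path, query, referer and ua, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["epoch"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z").timestamp()
    parts = urlsplit(rec["target"])
    rec["path"], rec["query"] = parts.path, parts.query
    return rec


def peak_in_window(epochs, window_s):
    """Largest number of events (sorted epochs) inside any window_s-second span."""
    peak, start = 0, 0
    for end in range(len(epochs)):
        while epochs[end] - epochs[start] >= window_s:
            start += 1
        peak = max(peak, end - start + 1)
    return peak


def find_hulk_sources(lines, window_s=10, max_requests=40, cache_bust_ratio=0.8):
    """Flag source IPs whose burst rate exceeds max_requests per window_s AND whose
    requests almost all carry a distinct query string (cache busting).
    Returns {ip: stats} for flagged sources only."""
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            per_ip[rec["ip"]].append(rec)

    flagged = {}
    for ip, recs in per_ip.items():
        recs.sort(key=lambda r: r["epoch"])
        peak = peak_in_window([r["epoch"] for r in recs], window_s)
        distinct_queries = {r["query"] for r in recs if r["query"]}
        ratio = len(distinct_queries) / len(recs)
        if peak > max_requests and ratio >= cache_bust_ratio:
            flagged[ip] = {
                "peak_requests": peak,
                "distinct_queries": len(distinct_queries),
                "distinct_user_agents": len({r["ua"] for r in recs}),
            }
    return flagged


# --- constructed sample log (assumed addresses and user agents) ---------------
_BASE = datetime(2012, 5, 17, 12, 0, 0, tzinfo=timezone.utc)
_UAS = [
    "Mozilla/5.0 (Windows NT 6.1; rv:12.0) Gecko/20100101 Firefox/12.0",
    "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_4) AppleWebKit/536.11",
    "Opera/9.80 (Windows NT 6.1; U; en) Presto/2.10.229 Version/11.64",
    "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)",
]


def _line(ip, offset_s, target, referer, ua):
    ts = (_BASE + timedelta(seconds=offset_s)).strftime("%d/%b/%Y:%H:%M:%S %z")
    return f'{ip} - - [{ts}] "GET {target} HTTP/1.1" 200 5120 "{referer}" "{ua}"'


def sample_log():
    lines = []
    # 60 requests in 6 seconds from one host, each with a fresh query string and
    # rotating referers and user agents: the trail a cache-busting flooder leaves.
    for i in range(60):
        target = f"/?{i * 7919 % 100000:05d}={i * 104729 % 1000000:06d}"
        lines.append(_line("203.0.113.7", i // 10, target,
                           f"http://www.example.net/?q={i}", _UAS[i % len(_UAS)]))
    # Five ordinary page loads spread over a minute from a legitimate visitor.
    for i in range(5):
        lines.append(_line("198.51.100.5", i * 12, "/index.html",
                           "http://www.example.com/", _UAS[0]))
    return lines


if __name__ == "__main__":
    for ip, stats in find_hulk_sources(sample_log()).items():
        print(ip, stats)
```

Requiring both signals matters: rate alone would also catch a busy proxy or a crawler, and distinct query strings alone would catch a search box; a legitimate visitor fails both tests, as the second address in the sample does.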

Maybe we were wrong in the intro. Sometimes Dr Banner is much better company in some circumstances. Especially when all we want is a nice brew.


The slow rise in POS terminal attacks

Late last year there was conversation about the increasing frequency of point of sale (POS) terminal fraud, especially in the US. An extremely high-profile case, discussed by security professionals in cyber security jobs and no doubt by those on the hunt for IT security contract jobs, concerned four Romanian nationals and a multimillion dollar scheme to commit POS fraud, which would have resulted in hundreds of merchants being swindled and the data of 80,000 US citizens being compromised.

They were attempting to do this remotely, by hacking into POS systems and stealing payment data from credit, debit and prepaid cards, but were, luckily, nabbed by the authorities. They face five years in prison if convicted.

“The hackers allegedly scanned the internet to identify vulnerable POS systems with certain remote desktop software applications installed on them, and then used the applications to log into the targeted POS system, either by guessing the passwords or using password-cracking software programs,” it was reported at the time.
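The scan-then-guess pattern in that report is easy to spot in the login log of a remote-access service, because a guesser leaves a dense run of failed logins from one address, usually across several usernames, and a success right after the run means a guess landed. Below is an added Python example, written for this page and not taken from the case or from any product: it parses a constructed key=value login log (the format, addresses, usernames and thresholds are assumptions for the illustration), counts failures per source inside a sliding window, and reports any account that then logged in successfully from that source.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Assumed log format for a remote-access service on a POS host, one line per
# login attempt. The events built below are constructed for this example.
EVENT_RE = re.compile(
    r'^(?P<ts>\S+) remote-access src=(?P<src>\S+) user=(?P<user>\S+) '
    r'result=(?P<result>OK|FAIL)$'
)


def parse_event(line):
    """Return a dict with ts, src, user, result and epoch, or None."""
    m = EVENT_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["epoch"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00")).timestamp()
    return ev


def find_password_guessing(lines, window_s=300, max_failures=10):
    """Flag sources with at least max_failures failed logins inside any window_s
    span and list the accounts that logged in successfully from that source
    after the run began. Returns {src: stats} for flagged sources only."""
    by_src = defaultdict(list)
    for line in lines:
        ev = parse_event(line)
        if ev is not None:
            by_src[ev["src"]].append(ev)

    flagged = {}
    for src, events in by_src.items():
        events.sort(key=lambda e: e["epoch"])
        failures = [e for e in events if e["result"] == "FAIL"]
        # Sliding window over failures only: peak count in any window_s span.
        peak, start = 0, 0
        for end in range(len(failures)):
            while failures[end]["epoch"] - failures[start]["epoch"] >= window_s:
                start += 1
            peak = max(peak, end - start + 1)
        if peak < max_failures:
            continue
        first_fail = failures[0]["epoch"]
        compromised = [e["user"] for e in events
                       if e["result"] == "OK" and e["epoch"] > first_fail]
        flagged[src] = {
            "peak_failures": peak,
            "usernames_tried": sorted({e["user"] for e in failures}),
            "compromised_accounts": compromised,
        }
    return flagged


# --- constructed sample events ------------------------------------------------
_BASE = datetime(2012, 11, 5, 2, 14, 0, tzinfo=timezone.utc)


def _event(src, offset_s, user, result):
    ts = (_BASE + timedelta(seconds=offset_s)).strftime("%Y-%m-%dT%H:%M:%SZ")
    return f"{ts} remote-access src={src} user={user} result={result}"


def sample_events():
    lines = []
    users = ["administrator", "admin", "pos", "manager", "support"]
    # An internet scanner has found the remote-access port and, in the small
    # hours, cycles common usernames with a wordlist: 24 failures in 46 seconds.
    for i in range(24):
        lines.append(_event("203.0.113.9", i * 2, users[i % len(users)], "FAIL"))
    lines.append(_event("203.0.113.9", 50, "admin", "OK"))
    # A clerk mistyping a password twice at opening time is not an attack.
    lines.append(_event("10.0.5.22", 25000, "till1", "FAIL"))
    lines.append(_event("10.0.5.22", 25008, "till1", "FAIL"))
    lines.append(_event("10.0.5.22", 25020, "till1", "OK"))
    return lines


if __name__ == "__main__":
    for src, stats in find_password_guessing(sample_events()).items():
        print(src, stats)
```

The same logic transfers to Windows security event 4625/4624 pairs or an SSH auth log once the parser is swapped; the point is that a successful login from a source that has just failed many times is the event worth paging on, not the failures alone.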

It’s a serious threat, and one the security industry most certainly has on its radar. Roll on the start of this month and the dialogue about POS attacks is still as topical as ever.

Speaking to SC Magazine, Bill Farmer, chief executive officer of Mako Networks, turned the discussion to “rogue terminals”: devices that exist outside the central network and are used as a mechanism to “harvest data” out of a business and into the hands of cyber criminals. What’s interesting is how surreptitiously adept criminals operate.

“The cyber criminal will modify the device to steal the information and transmit it out to be stored,” he said. “It is not easily detectable as the compromised modules are transmitting data out for months at a time and are often in high-traffic places.”

The criminals then collect this data, hold onto it for months, use it for small transactions a few months later and finally at cash machines, where large sums are withdrawn, Mr Farmer added.

What then can be done to counter this threat? Simple security measures can be effective, all of which deny cyber criminals easy access to a system. You wouldn’t leave the back door open at home or in your office, would you? Apply the same thinking to POS terminals.

One recurring theme is that organisations should not “affiliate” the name of the business with a Wi-Fi network: a network named after the shop tells an attacker exactly which one to target. This is like handing swindlers the golden key.

Another strategy is to make sure that payment systems conform to the Payment Card Industry Data Security Standard (PCI DSS). The PCI Security Standards Council is a most useful asset, given that it is responsible for the development, management, education and awareness of the standard.

Carry out penetration tests as a form of risk assessment to identify weaknesses in the system. Especially vulnerable are organisations with POS terminals in many locations and a sizeable workforce who may, on occasion, leave terminals unattended.

Finally, keep one step ahead of the game: be leaders and innovate. Technology in the digital age doesn’t stop for anyone and neither should you. Invest in new equipment and apply software updates promptly. Change is good and it puts cyber criminals on the back foot. We’ve got competition, they lament. Indeed they have.

A little chat about penetration testing

Like ethical hacking, penetration testing, or pen testing to use its more popular name, is a way of assessing the security credentials of a network and/or system. Not to be confused with testing whether your dried-up Bic biro still works, it “tests” a system’s ability to keep information and data secure by identifying weaknesses that can be exploited. What does work is commendable, but it doesn’t figure in this exercise: recognising what doesn’t work is the goal of pen testing.

It can be argued, then, that professionals in a penetration testing job adopt the persona of cyber criminals and hackers. To beat ’em is to join ’em, so to speak: “If I were a hacker, what would I be looking to do to infiltrate or compromise this network?”

Pen testing is a proactive strategy rather than a reactive one, its philosophy being that preventing attacks is better than cleaning up “the mess”. And many organisations swear by it. If you can spot what your system is lacking in terms of data protection before a criminal does, you put yourself in the enviable position of being one step ahead of the game.

However, for all its merits and popularity, there are questions within the industry as to whether this high-tech evaluative method is running out of steam and entering the murky world of bubbles. Is it, some professionals ask, reaching the zenith of its powers?

Arguments about the limits of pen testing point that way; limit is the buzzword. A pen test is scoped, and the tester only sees what the agreed vantage point lets them reach. An internal test, run from inside the network, cannot show what an outside attacker faces, while a test run over the internet never touches the wired access points on the local network, so whatever an attacker with physical access could plug into goes unexamined. Limits, limits and limits.

In an engaging LinkedIn discussion two years ago, H Wayne Anderson, managing member of General Business Consulting, LLC, commented: “You might develop a false sense of security from addressing the wrong vulnerabilities, since an angry, incompetent or malicious insider often poses a greater risk to your data than outsiders do.”

That said, he did concede that proper penetration testing can identify such risks, so long as it is not the “starting place” for boosting the security of a given system.

“The basics must already be in place,” he wrote. “You should have a proper, tested backup regimen, patches tested and installed up to date, properly-sanitized SQL inputs, properly configured firewalls, network monitoring, and other preventative measures in place long before you start pen testing.”

However, in an intriguing recent article, John Yeo, director of Trustwave SpiderLabs EMEA, reveals that he is optimistic about the future of pen testing, its relevance to companies big and small and, accordingly, its strength.

He points out, cannily, that penetration testing and vulnerability scanning are often confused with one another, so, one assumes, some of the criticism of pen testing may be aimed at the wrong thing.

“Vulnerability scanners are great at identifying ‘low-hanging’ vulnerabilities, like common configuration mistakes or unpatched systems, which offer an easy target for attackers,” Mr Yeo wrote in SC Magazine.

“What they are unable to determine is the context or nature of the asset or data at risk, but they are also less able than humans to identify unknown unknowns.”

Pen testers, by contrast, are much better at this. Mr Yeo describes visiting networks that had already been through an automated vulnerability scan and still, once human pen testing took place, finding further vulnerabilities.

“By incorporating pen testing activities as part of a wider information security strategy, organisations can validate the robustness of their security controls and identify as-yet unknown risks to their business,” he concludes. “The results of a penetration test and guidance provided help organisations to better protect sensitive data from falling into the wrong hands.”