Recently, I was selected to take part in an assessment of a SCADA environment. It was an amazing experience getting to see the SCADA systems, the monitoring and the control systems that control the power plants and power grids. Although there were many challenges faced during the assessment, it allowed me to develop my own methodology for performing a Vulnerability Assessment on SCADA networks.
I was more than happy to share the basic requirements and techniques on how to properly perform a VA on SCADA networks/systems with Hakin9. Unfortunately, you need to subscribe to Hakin9 before you can download a copy.
Link: https://hakin9.org/advanced-exploitation-with-metasploit/
a bookworm who loves cyber security. a sucker for hacker and security conferences. loves attending and promoting conferences and has spoken at multiple conferences globally (almost). interests include cyber threat intelligence, cyber 'warfare', cyber 'terrorism' and cyber conflict.
Friday 27 June 2014
Thursday 26 June 2014
GISEC (Gulf Information Security Expo & Conference) Dubai - 2014
I was pleased to be selected as part of a team to demonstrate BT's capability at the GISEC conference, which was held recently at the Dubai World Trade Center. I contributed the idea of having a 'Cyber Challenge' at the BT booth, inspired by the exposure I have had from attending hacker conferences. I was also given an area to showcase the Ethical Hacking capability, providing demonstrations and presentations to passersby.
It was a very tiring and satisfying experience! The fact that I was able to come up with an end-to-end demo by myself without any criticism from management gave me a sense of the confidence they have in me to deliver.
First, there was the Cyber Challenge stand. This challenge was about the ability of a pentester to find an XSS vulnerability and exploit it. The Day 1 challenge was to inject a script inside the affected parameter and produce an alert pop-up. The Day 2 challenge was to 'deface' a website by embedding an image on it, and the Day 3 challenge was to inject a script that would produce an output in the result section which, when clicked, redirected to another page.
Sounds simple, right? But during the 3 days, only 3-4 people managed to complete the challenge.
On the ethical hacking stand, my job was to perform demos for anyone who was interested in seeing them. I was happy to know that some people came up to me and said that the booth managed to gather a huge number of people, most of whom were curious to see the demo. I won't go into the details of my demo, but all I can say is that it was similar to the demo I presented with a colleague at Defcon Kerala, India last year.
But one of the best and most memorable moments was getting to meet many strangers in the professional world and exchanging contacts afterwards. Well, that's what we call 'Networking'. All in all, it was a great and superb experience and I am sure this will continue in the near future.
Below are some of the pictures taken:
Thursday 12 June 2014
Anti Virus is Dead..So What's Next?
When I was at GISEC (Gulf Information Security Expo & Conference) in Dubai this year, I presented demos on the BT booth demonstrating how a web vulnerability called XSS (Cross Site Scripting) can be further used to gain access to the browser as well as the systems using the art of social engineering. Using two different exploit frameworks, I was able to demonstrate how I could create a payload to bypass any Anti Virus application that was installed on the victim's machine.
After the demonstration, I showed them an online article and asked them what they thought should be done to protect the hosts or workstations given that, according to the article, Anti Virus is dead. The majority of them couldn't give me a straight answer. Some mentioned installing firewalls; others said that patches must be properly updated and installed. While those answers might help with prevention, the solution I recommended to them was 'Endpoint Security'.
'Endpoint Security' has many definitions, and the one I usually refer to is that it is a solution that consists of not just an Anti Virus but also host-based behavioural blocking components such as an IDS/IPS (Intrusion Detection/Prevention System), a host-based firewall, an Anti Spyware component, as well as NAC (Network Access Control). With these components installed, as I explained to them, although my payload will be able to bypass the Anti Virus and Anti Spyware components, the IPS will definitely detect it and will prevent it from being executed.
"But I have a NIPS (Network Intrusion Prevention System) and a firewall that will prevent external attacks from penetrating my internal systems and servers," claimed one person. "But what about your own internal employees attacking your infrastructure?" I asked him in return, while I showed him an online article. According to an article last last year, 58% of information security incidents were attributed to insider threat. We have seen many cases where, due to relaxed policies, employees are able to bring their own devices and connect them to the organization's network, bring external storage drives and plug them into the organization's machines and, of course, have administrative privileges to execute and install third-party software on their organization's machines. These situations potentially allow malware to come into the internal networks and spread throughout the organization.
While there will never be a patch for human stupidity, security managers must quickly propose a solution to protect their networks from both external and internal attacks. While security mechanisms protecting the perimeter of an organization are able to deter external threats, most organizations fail to understand the critical need to protect against possible internal threats as well. Yes, one can argue that network-based solutions can protect against the scenario I demonstrated, but then again, is that really enough?