The OWASP Top 10 2017 introduces the risk of insufficient logging and monitoring. Indeed, inherent problems in this practice are often underestimated and misunderstood. But why is a seemingly simple task ending up being a crucial point of information system security?
Introduction to Public Key Certificate
A digital certificate is a data file that allow, on the one hand, the non-repudiation and the integrity of data, and on the other hand, to identify and to authenticate a person or an organization and also to encode communications.
A digital certificate includes several information, as:
- A public key
- Authentication information
- A validity time
- An issuer that signs the certificate
This last point is crucial to verify the trustworthiness of a certificate. For this, when a certificate is received, a chain of trust is built to a certificate authority.
To explain the working of the chain of trust, let’s present some notions:
The Metasploit framework is an open source tool, allowing searching, analysing and exploiting vulnerabilities. It has many modules and tools that can be very useful during intrusion tests, whether on Web applications or on a company’s information system.
Although often used relatively basically, for example to launch a simple exploitation module on a target, this framework has options and tools that make it a key ally for a pentest. We will therefore see here how to use the Metasploit framework in an optimized way.
For the demonstration, we will attack a local network we are connected to.
In this previous article, we have seen what a SSRF vulnerability is, and how, in general, it can be exploited. We had placed ourselves in a quite simple theoretical framework, but various elements (either due to the vulnerability itself or due to security implementations) can make the task more complicated.
In this article, we will have a look at various methods to go further. On
- Various methods for manually bypassing filters;
- SSRFMap: a semi-automatic operating tool.
Now that we have introduced four main functionalities of Burp Suite in the previous article, we will go a bit further with some functionalities and extensions that can increase the quality of an audit and your efficacy.
Functionalities and screenshots presented in this article are from the version Professional 2.1.01.
Burp, by information security professionals, is often said to be our best friend. Burp doesn’t ring a bell? It is a software dedicated to web security audits, used by a majority of information security professionals. First, we will present you the software Burp and four fundamental modules. For those already familiar with the tool, a second more technical article details some functionalities and extensions to gain efficiency.
Alternative to classic Bluetooth, Bluetooth Low Energy is chosen increasingly for the IoT. This technology, also known as the abbreviation BLE, is establishing itself for connected devices, as it is ideal to send small amounts of data between devices and to preserve the battery; which matches the IoT’s needs perfectly. Classic Bluetooth, on its side, is used to send large amounts of data between a device and a user (wireless headphones and speakers are using Bluetooth for example).
While these two Bluetooth protocols are used for different purposes and are not compatible, they are nevertheless to some extent similar, as they have common technologies (software and hardware), such as the one managing pairing. Thus, security manager has to keep in mind that security breaches that impact classic Bluetooth affect sometimes Bluetooth Low Energy too; however, the latter has its own features and therefore its specific flaws.
We are happy and proud to share with you that we are now officially a CREST accredited company for penetration testing.
This accreditation demonstrates our commitment to
offer high level of professional penetration testing services. It certifies
that Vaadata respects appropriate processes and procedures for conducting
penetration testing and for the protection of its client information.
USB devices are so convenient. Whenever we need to store small amounts of data, we use a USB stick. Everyone owns one and we generally trust it to be safe. USB keys are one of the main ways to do industrial espionage, but attacks against random civilians and companies are also common.
The 2018 Honeywell report on USB threat to industrial operators analyzed a sample of 50 locations. Energy, chemical manufacturing, pulp & paper, oil & gas and other industrial facilities were concerned by the study. Among the locations targeted, 44% blocked a suspicious file originating from USB ports and 15% of the threats detected and blocked were high-profile threats, like Stuxnet, Wannacry and Mirai.
A 2016 experiment conducted on the University of Illinois Urbana-Champaign campus showed that from 297 USB sticks dropped around the university, students and staff members picked up 98% of them. By almost half of the USB drives picked up, someone plugged them in and clicked on a file.
A survey was then conducted on the persons who used the sticks. 68% of the respondents did not take any security measure when using the USB stick. 68% said they took the drive to give it back and 18% took it out of curiosity. This experiment shows how dangerous a simple USB device can be.
Internet of Things security is a current topic, however penetration testing on connected devices are far from being a widespread practice. Most manufacturers prioritize product functionalities and design first. However, even with a “security by design” approach, pentesting remains essential to know the real security risks, and then to take the necessary measures.
What is an IoT pentest?
A connected device is a complex solution, with various potential entry doors for an attacker. A connected device security audit (or pentest IoT) includes tests on the entire object ecosystem, i.e. electronic layer, embedded software, communication protocols, server, web and mobile interfaces. Server-side, web interfaces and mobile applications tests are not specific to IoT, however they are important tests as they are particularly high-risk areas. The tests on the electronic side, embedded software and communication protocols concern vulnerabilities more specifically the IoT.
There are three specific types of attacks on connected objects and embedded systems. Software attacks, non-invasive hardware attacks and invasive hardware attacks. The first take advantage of software vulnerabilities, the second recover information from the hardware without damaging it while the third involve opening the components and therefore destroying them in order to be able to extract secrets. While the first two types of attacks do not require many resources, this is not the case for invasive attacks, for which very expensive equipment is required.
Here are ten concrete tests conducted during the security audit of a connected device, illustrated by some mediatized and emblematic examples. For each of the points discussed below, there are many tools and methods that take advantage of very different vulnerabilities. This is therefore a non-exhaustive list.