Penetration Testing

RE: SMS Banking

Mon, 08 Feb 2010 07:42:15 GMT

Posted by Craig S. Wright on Feb 07

The solution needs to be based on risk.

Where a system uses an SMS response with a separate system (such as a web
page), the probability that the banking user is compromised and a fraud is
committed, P(Compromise), can be calculated as:
P(Compromise) = P(C.SMS) x P(C.PIN)

Where: P(C.SMS) is the probability of compromising the SMS function and
P(C.PIN) is the compromise of the user authentication method

The user can...

Tools Update - Fist week of February 2010

Mon, 08 Feb 2010 07:15:20 GMT

Posted by SD List on Feb 07

Hello

Here is the site's newsletter "Security Database Tools Watch"
(http://www.security-database.com/toolswatch).
This letter summarizes the articles and news items published since 7 days.

New articles
--------------------------

** Acunetix WVS v6.5 build 20100203 released **
by ToolsTracker
- 3 February 2010

Acunetix Web Vulnerability Scanner (WVS) is an automated web application
security testing tool that...

NEMESIS linux packet injection command line tool - IP options file as input argument

Mon, 08 Feb 2010 07:09:55 GMT

Posted by woman on Feb 07

Hi,

NEMESIS linux packet injection command line tool:
================================================
I am looking for some document or website that explains by example the
content of the file that is used as input argument in IP/TCP OPTIONS

nemesis ip -O file

There is no details about it in the MAN pages or nemesis website.
What file format is used: text, ASCII, hex?

Thanks,
woman...

Re: pentesting voip network-please help

Mon, 08 Feb 2010 07:02:44 GMT

Posted by Yiannis Koukouras on Feb 07

Unfortunately not. Cain is basic in this category.
It's true, if you want it to be done seriously....Backtrack is the answer...

Ioannis (Yiannis) Koukouras
CISSP, CISA, CISM
MSc in Computer Systems Security
BEng in Electronic Engineering
http://www.linkedin.com/in/ikoukouras
---
The information contained in this communication is intended solely
for the use of the individual or entity to whom it is addressed
and others authorized to receive...

Re: SMS Banking

Mon, 08 Feb 2010 06:56:13 GMT

Posted by Markus Matiaschek on Feb 07

Hi,

I'd just like to make some comments, i didn't think about a solution
for your problem.

First of all i think that my Budi wibowo got something wrong regarding
who is sending the PIN.

Second, GSM is cracked: http://reflextor.com/trac/a51 and can be
intercepted and decrypted. You should take this into account.

Third i think the only farely safe way to make money transfers is with
transaction numbers, TANs. German banks send mobileTANs to...

Dradis Framework v2.5 is out!

Mon, 08 Feb 2010 06:48:47 GMT

Posted by etd on Feb 07

Hi all,

We have pushed a new major release of Dradis (an open source framework
to enable effective information sharing), and it comes with a few new
features [i]:

* Improved Note editor: bigger, easier to use and supports formatting!
* New First Time User Wizard
* Keep track of all the activity with the built-in RSS feed
* More plugins:
o New HTML Export reporting plugin.
o New Burp Upload plugin so you can use Burp Scanner output....

RE: SMS Banking

Mon, 08 Feb 2010 06:44:18 GMT

Posted by Thor (Hammer of God) on Feb 07

SMS based solutions are inherently insecure; not just from the application level, but from the carrier level. You're
assuming the carrier media is secure, which is not the case as Karsten showed at the CCC when he cracked GSM.

I think you would be far better served to create a client side application (client specific of course) where you could
build security into the application itself, use SSL, etc for client-to-server inquiries and...

Re: pentesting voip network-please help

Mon, 08 Feb 2010 06:37:48 GMT

Posted by Todd Haverkos on Feb 07

Yiannis Koukouras <ikoukouras () gmail com> writes:

Does it work in Cisco environments though? I honestly don't know.

Absent a way to get onto the VOIP vlan , it's nice features would be
sadly useless. In most Cisco deployments, the phones themselves and
all the call traffic are on a dedicated VLAN.

When I've done such assessments, I've used voiphopper under Linux to
dot he CDP dissection to find the VLAN and create the virtual...

RE: Flash Web Application

Mon, 08 Feb 2010 06:30:46 GMT

Posted by PortSwigger on Feb 07

With Burp, you can get rid of the browser certificate warnings if you wish,
by installing Burp's CA certificate in your browser. Burp generates a new CA
certificate on installation, and creates a valid certificate for each domain
you visit, signed by the CA cert.

Further details, and instructions for installing the CA cert, can be found
here:

http://portswigger.net/proxy/servercerts.html

Cheers
PortSwigger

-----Original Message-----
From:...

Re: Nessus, Harmful?

Fri, 05 Feb 2010 18:12:02 GMT

Posted by Kevin Shaw on Feb 05

I'm likely preaching to the choir here; but something I would advise
with Nessus or any other vulnerability, configuration, patch or port
scanning tool: know your target environment. I work with a different
network or communications medium - satellite, microwave - every week.
You tune your assessment for the equipment you are looking at - one
setting may not break a fiber channel SAN while it will wreak havoc on a
small office worth of...

Re: SMS Banking

Fri, 05 Feb 2010 18:03:35 GMT

Posted by Doug Farre on Feb 05

Mobile phone numbers can be spoofed. My piece of advice is that all
transactions must be acknowledged by the user. For instance, user
makes a request, system asks the user if for confirmation, then the
system proceeds.

Also, keep in mind that a lost cell phone can mean the user's pin is
compromised as the sms msgs are all stored in plain text.

Re: SMS Banking

Fri, 05 Feb 2010 17:29:07 GMT

Posted by Budi wibowo on Feb 05

instead of using sms for putting the pin, please use flash sms.
Safe and will not give any log on mobile phone.

Regards
Budi wibowo
-----Original Message-----
From: "M.D.Mufambisi" <mufambisi () gmail com>
Date: Thu, 4 Feb 2010 18:20:22
To: <pen-test () securityfocus com>; <security-basics () securityfocus com>
Subject: SMS Banking

Hi All,

Im designing an SMS baking application but i need to research on the...

Re: Flash Web Application

Fri, 05 Feb 2010 17:03:40 GMT

Posted by Zaki Akhmad on Feb 05

There's no problem on the certificate. After I use webscarab as proxy,
I can't click the flash application :( So I can't proceed.

Re: pentesting voip network-please help

Fri, 05 Feb 2010 16:21:45 GMT

Posted by YGN Ethical Hacker Group on Feb 05

http://www.tacticalvoip.com/tools.html

YGN Ethical Hacker Group
Yangon, Myanmar
http://yehg.net

------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT
and CEPT certs require a full practical examination in order to become certified....

SMS Banking

Fri, 05 Feb 2010 16:16:45 GMT

Posted by M.D.Mufambisi on Feb 05

Hi All,

Im designing an SMS baking application but i need to research on the
security risks involved first. Im thinking of subscribing mobile phone
number along with a pin. eg Number 222-222-222 PIN 20029. So when the
individual wants to enquire his balance, he sends a text messgae like
Bal 20029 i.e. BAL PINNUMBER. The control here is that the sms and pin
has to come from the subscribed number and only that number. I also
want to be able to...