Developing A Hacker Mindset
Developing A Hacker Mindset - Notes from Santhosh Tuppad's Security Testing Workshop
Hi Guys,
I have attended the security testing workshop taken by Santhosh Tuppad. I would like to share the pointers that I have noted.
Intro:
Santhosh started the session with his introduction. Then he asked the participants to say their name and the kind of testing they are involved in. But everyone, including me, gave our name, years of experience, company name, the type of testing we do and the reason we were attending the session. Finally he asked us why we were giving additional information when it was not asked for. That was a good punch that I didn't expect. Lesson learnt: never provide information that is not asked for.
Then we discussed hacking and social engineering attacks. Hacking: stealing data. I had the misconception that the brute force method is used only for testing a login screen by trying different password combinations; I then learned that "brute force" is a general problem-solving technique in which the series of possible candidates is worked out and each possibility is tried in turn.
Social Engineering Attack – Examples:
- Shoulder surfing (e.g. someone may wear a button camera that records the keys you type while pretending not to look at your keyboard)
- Social Engineering Websites
- Manipulating people
- People can steal your data over NFC using mobiles. For more info on NFC refer to http://en.wikipedia.org/wiki/Near_field_communication
- Dustbin! I wondered how this could be an example. It seems you can get a good amount of information by digging through it; for instance, a person might have received a credit card (a valid reason for a party! :-) ) and thrown away the letter with the PIN, which could then be used to hack his account.
Then there was a talk on session management. There are client-side and server-side sessions. Even for a simple login and logout, a tester has to think about the various ways a user can log out of the application:
- Click the log out button or link to log out
- Close the tab/browser
- Session time out
- Crashing the browser
- System shutdown, etc.
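To make the logout list concrete from the server's side, here is an added example (my own illustration, not code from the workshop) of a minimal in-memory server-side session store and a replay of each scenario above against it. The timeouts, the scenario names and the fake clock are constructed assumptions; the point it shows is that only an explicit logout or a timeout actually ends the server-side session, while closing, crashing or shutting down the browser merely loses the cookie on the client.

```python
import secrets
import time

# Constructed example: an in-memory server-side session store (not the workshop's code).
IDLE_TIMEOUT = 15 * 60        # assumed: seconds of inactivity before the session dies
ABSOLUTE_TIMEOUT = 8 * 3600   # assumed: hard cap on session lifetime regardless of activity


class SessionStore:
    """Server-side sessions keyed by a random token; the token is what the cookie carries."""

    def __init__(self, clock=time.time):
        self._sessions = {}
        self._clock = clock   # injectable clock so timeouts can be simulated offline

    def create(self, user):
        sid = secrets.token_urlsafe(32)   # unguessable session id
        now = self._clock()
        self._sessions[sid] = {"user": user, "created": now, "last_seen": now}
        return sid

    def lookup(self, sid):
        """Return the user for a live session, or None; expired entries are purged."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        now = self._clock()
        if now - s["last_seen"] > IDLE_TIMEOUT or now - s["created"] > ABSOLUTE_TIMEOUT:
            del self._sessions[sid]
            return None
        s["last_seen"] = now
        return s["user"]

    def logout(self, sid):
        """Explicit logout: the server forgets the session, so a replayed cookie is refused."""
        return self._sessions.pop(sid, None) is not None


def run_scenarios():
    """Replay the workshop's logout scenarios against the store.

    Returns a dict: scenario -> True if the OLD session id still authenticates afterwards.
    A client-only event (closing, crashing or shutting down the browser) never reaches the
    server, so the session survives until a timeout; only logout and timeout kill it.
    """
    clock = [1_000_000.0]
    store = SessionStore(clock=lambda: clock[0])
    results = {}

    sid = store.create("alice")
    store.logout(sid)
    results["logout button"] = store.lookup(sid) == "alice"

    for name in ("close tab/browser", "browser crash", "system shutdown"):
        sid = store.create("alice")
        # Nothing is sent to the server; the cookie merely disappears from the client.
        results[name] = store.lookup(sid) == "alice"

    sid = store.create("alice")
    clock[0] += IDLE_TIMEOUT + 1          # user walks away, idle limit passes
    results["session timeout"] = store.lookup(sid) == "alice"

    return results


if __name__ == "__main__":
    for scenario, still_valid in run_scenarios().items():
        print(f"{scenario:20s} old session still valid: {still_valid}")
```

When testing a real application, the same check applies: after each of the five events, send the captured session cookie again and see whether the server still accepts it. Whether that is acceptable depends on the idle and absolute timeouts the application enforces.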
Browser Engine:
A tester doing compatibility testing should know about browser engines. The following are the engines behind the most commonly used browsers. For more information on browser engines refer to http://en.wikipedia.org/wiki/Web_browser_engine
- Chrome - KHTML
- Firefox – Gecko
- IE – Trident
- Opera – Presto
Different versions of the same Firefox browser on the same machine:
We can do that by choosing the "Custom" option while installing Firefox and choosing a different folder for each installation.
Note: You cannot run multiple versions of Firefox at the same time. Make sure Firefox is closed before launching the particular version you want to test with.
Building a hacker’s mindset:
We discussed how to develop a hacker's mindset, working through a couple of case studies. Various ideas came out of the discussion. In the end it was a good session, and I learned that a hacker needs to explore rather than rely too much on any one particular technique.
Case 1:
XYZ bank has secured a room in which multi-billionaire accounts are handled such that the door opens only if the (authorized) person's retina matches the recorded one.
Case 2:
ABC implemented the following security measures in a house to protect a treasure:
- Security guard at the gate
- Fingerprint security on a room – only authorized persons are allowed in
- Inside that room, another fingerprint check on a door, along with which the user needs to provide a PIN to open the room that holds the treasure
Tips/Info from Santhosh:
- It's not a best practice for a site to restrict the user to a password of at most xx characters. There shouldn't be any upper limit.
- A password in lower case only is not a strong password; the chance of it being cracked is higher.
- Whenever confidential documents are destroyed using a paper shredder, make sure it is not a horizontal or vertical strip-cut shredder – people can recover the information by rearranging the strips. Use a cross-cut or other type. For more info on shredders: http://en.wikipedia.org/wiki/Paper_shredder
- Visit the OWASP (Open Web Application Security Project) site (http://owasp.com/index.php/Main_Page) – become a member and contribute your testing efforts
- Security testing, hacking and penetration testing refer to the same concept.
- Try Brutus, a password cracking tool. For more info refer to http://www.hoobie.net/brutus/index.html
- PerlClip – a tool to generate random text. For more info refer to http://satisfice.com/tools.shtml – Using this tool, try to hack a password-protected PDF document (e.g. a bank monthly statement)
- Aircrack-ng – http://www.aircrack-ng.org/ – a tool that recovers keys once enough data packets have been captured
- Tamper Data – https://addons.mozilla.org/en-US/firefox/addon/tamper-data/ – a tool that helps you view and modify HTTP/HTTPS headers and POST parameters
- Read Michael Bolton's blog – http://www.developsense.com/blog – and improve your knowledge of testing.
- Most of the add-ons are compatible with FF 3.6.x
- Refer to http://tuppad.com/blog/2012/08/24/addons-tools-and-the-tests-you-can-perform-with-them-mindmap/ for add-ons that can be used for testing. Look out for the other articles Santhosh has posted; they are really cool stuff.
- Refer to http://www.w3.org/TR/WCAG/ to learn more about the Web Content Accessibility Guidelines
- Refer to Behind the Asterisks – https://addons.mozilla.org/en-us/firefox/addon/behind-the-asterisks-eladkarak/ – an add-on that shows the characters in a password field when you hover over it
- Try Wireshark – http://www.wireshark.org/ – a network protocol analyzer for Unix and Windows
- Kevin Mitnick – landed in prison for his hacking activities when he was 13; he wrote a book while in jail, and it is now a bestselling book on hacking
- Keyloggers – tools that record keystroke activity
- Use the Mantra browser, which has a collection of add-ons that can be used for testing
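Two of the tips above (no upper limit on password length, and lower-case-only passwords being weak) come down to the brute-force idea from earlier in the notes: the attacker's work is the size of the alphabet raised to the length of the password. As an added example that is not from the workshop, the following script estimates that keyspace for a few constructed passwords and enforces a length policy whose `max_length=None` default encodes the "no upper limit" advice. The guessing rate of 1e10 per second is an assumed figure for illustration only.

```python
import math
import string

# Constructed example (not the workshop's code): estimate how much work a blind
# brute-force attacker faces for a given password, and apply a length policy with no cap.
CHARACTER_CLASSES = {
    "lower": set(string.ascii_lowercase),   # 26 symbols
    "upper": set(string.ascii_uppercase),   # 26 symbols
    "digit": set(string.digits),            # 10 symbols
    "symbol": set(string.punctuation),      # 32 symbols
}


def charset_size(password):
    """Size of the smallest obvious alphabet an attacker must enumerate per position."""
    size = 0
    classified = set()
    for chars in CHARACTER_CLASSES.values():
        if any(c in chars for c in password):
            size += len(chars)
            classified |= chars
    # Anything outside the four classes (space, non-ASCII) adds one symbol each.
    return size + len({c for c in password if c not in classified})


def keyspace(password):
    """Number of candidates a blind brute force must try in the worst case."""
    return charset_size(password) ** len(password)


def entropy_bits(password):
    """Equivalent bits of search effort: length * log2(alphabet size)."""
    return len(password) * math.log2(charset_size(password))


def years_to_exhaust(password, guesses_per_second=1e10):
    """Worst-case search time at an assumed (constructed) guessing rate."""
    return keyspace(password) / guesses_per_second / (365 * 24 * 3600)


def length_policy_ok(password, min_length=12, max_length=None):
    """max_length=None encodes the workshop's advice: no upper limit on password length."""
    if len(password) < min_length:
        return False
    return max_length is None or len(password) <= max_length


if __name__ == "__main__":
    # Constructed sample passwords; none of these are real credentials.
    for pw in ("password", "Passw0rd", "Passw0rd!", "correct horse battery staple"):
        print(f"{pw!r}: charset={charset_size(pw)} bits={entropy_bits(pw):.1f} "
              f"years@1e10/s={years_to_exhaust(pw):.2e} policy={length_policy_ok(pw)}")
```

The numbers show why both tips hold: an 8-character lower-case password has a 26^8 keyspace, which is gone in seconds at the assumed rate, while adding length raises the exponent and adding character classes raises the base. A site that caps length is throwing away the cheaper of the two levers.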
Closure:
It's hard to forget someone who gave you so much to remember. Thanks to Santhosh, who gave us so much information to remember and practise with respect to security testing. Hats off to him for deviating from the normal workshop format of PPT presentations and the like. You can follow his writings at http://tuppad.com/blog/ Happy Testing!