Ivan Buetler

OWASP Guide Online

Ever wanted to know how to defeat web hacking attacks - what to do with the identified OWASP TOP 10 vulnerabilities? I really much appreciate the OWASP TOP 10 papers, but when it comes to mitigation and remediation, everything is deeply hidden somewhere.

That's why I like the following OWASP page - clear and simple to use
http://code.google.com/p/owasp-development-guide/wiki/Guide

Cheers
Ivan

Singapore and Asia

I am impressed! I was having a very good time here in Singapore. The course "mobile payment systems" is history. I very much appreciate the participants and their patience with me. Accidentally I was in front of the brand new convention centre at the opening ceremony. See the pics if interested.

http://www.but.ch/root/singapore/index.html

Hey - I am shortly before take off home. See you in Switzerland

Regards

Ivan

Mobile Payment Systems - Workshop in Singapore

Dear Blog Reader,
I will be in Singapore in June 24th and 25th, 2010! The Singapore company "Unistrategic" invited me to be their course facilitator - to introduce risks and phone hacking attacks that could be a threat for the mobile payment systems market.

MOBILE PAYMENT SYSTEMS – ETHICAL HACKING AND PENETRATION TESTING WILL GIVE YOU VALUABLE INSIGHTS ON HOW YOU AS A PROFESSIONAL CAN:

LEARN about the risk landscape of mobile payment systems
PARTICIPATE in a state-of-the-art Live-Hacking demonstrations
EXPERIENCE current hacking and defence strategies
GAIN insights into the latest hacking methods and attacks
EXPLORE new forensic analysis methods
EVALUATE security vulnerabilities and handle incidents

I am looking forward to performing the workshop in Singapore.

Have a safe week
Ivan

Reference:
http://www.unistrategic.com/index.php/component/option,com_eventlist/Itemid,4/did,466/func,details/

Apple WebKit Advisories

Dear blog readers,

Yesterday, I was updating my MacBook Pro and later in the afternoon, a bunch of ZDI bugtraq messages appeared. Did you notice the relationsship between the Advisories and the security update?

If not, read my single page paper about the update

http://www.hacking-lab.com/misc/downloads/apple_advisories_june_2010.pdf

We can learn from the past, market leading software is always more analyzed by the hacker community than fameless software. The Apple community feels save with their product and OS, but this changes slowely.

Cheers
Ivan

Mobile Payment Systems - M-Pesa (Kenya)

In March 2007, Kenya’s largest mobile network operator, Safaricom (part of the Vodafone Group) launched M-PESA payment service for the unbanked. With approximately 26 million people in South Africa without official bank accounts, M-PESA enables millions of mobile phone subscribers who have access to a mobile phone, but do not have or have only limited access to a bank account, to send and receive money via their mobile phones. “Pesa” is the Swahili word for cash; the “M” is for mobile. M-PESA customer can use his or her mobile phone to move money quickly, securely, and across great distances, directly to another mobile phone user. European financial institutes did not follow the micropayment wave, because most of the European customers have valid bank relationsships, access to credit cards or PayPal. But the Safaricom solution fills the gap for unbanked customers! Africaan people that work in Europe have the need to send money back home.

Technically, the SIM card of Safaricom has it's own SIM application installed, that is required for the payment process. Financial transactions required the customer to enter the PIN when the transaction is authorized.

I will talk about Mobile Payment Systems, security implications and fraud scenarios in Singapore soon (June 2010). From my previous research with the SmartCard APDU man-in-the-middle attack, the iPhone hacking and SS7 attack scenarios, I will disclose more about security threats of Mobile Payment Systems.

Have a safe day

Ivan

Schweizer Bundesrat startet Konsultation zum Überwachungsgesetz

Es gibt in der Schweiz einen neuen Gesetzesentwurf "Totalrevision des Bundesgesetzes betreffend die Überwachung des Post- und Fernmeldeverkehrs". Darin soll neu geregelt werden, wie man in Zukunft überwachen kann und darf.

Mutmassliche Straftäter sollen sich nicht durch die Verwendung neuer Kommunikationstechnologien der Überwachung durch die Strafverfolgungsbehörden entziehen können. Das Bundesgesetz betreffend die Überwachung des Post- und Fernmeldeverkehrs wird deshalb an die technische Entwicklung angepasst. Die Totalrevision zielt nicht darauf mehr, sondern besser

überwachen zu können.

Am 19. Mai 2010 schickt der Bundesrat die Totalrevision des Bundesgesetzes betreffend die Überwachung des Post- und Fernmeldeverkehrs in die Vernehmlassung ( Medienmitteilung).

http://www.heise.de/newsticker/meldung/Schweizer-Bundesrat-startet-Konsultation-zum-Ueberwachungsgesetz-1005163.html

Ivan

CLX.CustomerDay

Dear Blog reader,

The CREALOGIX Group is a leading independent software service provider with focus on comprehensive e-business and ERP solutions in Switzerland, Germany and Austria.
The shares of CREALOGIX Holding AG (CLXN) are traded on the SIX Swiss Exchange.

Next Thursday May 20th, 2010, CLX organizes their annual CLX.CustomerDay! I am invited as a keynote speaker after 5.p.m and I will talk about my recent research results, the combination of web-hacking and illegal trading markets - iPhone attacks and more...

CLX.CustomerDay

Hope to see you there.

Regards
Ivan

Jailbreaking iPad touch and more

Jailbraking iPhone and iPhad is in the next round. Using Spirit, one can jailbreak (not unlock) all iPhone’s (iPhone (Edge), iPhone 3G and iPhone 3GS) and iPod touches (iPod touch 2G and 3G) running on the firmware version 3.1.3/3.1.2, and iPad and iPad 3G on firmware 3.2 – untethered.

Reference: http://www.redmondpie.com/jailbreak-iphone-3gs-3.1.3-untethered-with-spirit-9140719/

For the end user, Spirit looks and works very much like Geohot’s blackra1n, and is available for both Windows and Mac OS X.
Have a save iPad & iPhone day

Ivan

DNS Sinkholing - Malware Investigation

Ever heard about DNS Sinkholing - Through registering expired domain names previously used in cyber espionage attacks as command and control servers, malware hunters were able to observe incoming connections from still-compromised computers. This allowed them to collect information on the methods of the attackers as well as the nature of the victims.

I think this is a smart technique ... dns sinkholing

Ivan

Reference: Shadows in the Cloud Report

APT - new buzzword - Advanced Persistent Threat

Dear blog reader,

Ever read about APT? -> Advanced Persistent Threat !!! APT stands for human being or organization, who operates a campaign of intellectual property theft using cyber mehods.

This is the topic I will investigate. I am currently writing a short report where I want to be the Advocatus Diaboli - try to write from a cyber terrorists point of view. It has the title: "How to own the World".

Today.... we have our ISSS evening in St.Gallen. Looking forward to seeing some of you soon.

Cheers
Ivan