Passionate about Information Security » Papers & Presentations

My ERP got hacked, an Introduction to Computer Forensics, available for download

Ismael Valenzuela — Wed, 13 Jan 2010 17:40:35 +0000

Thanks to Hakin9 (and especially to Ewa Dudzic) and the readers that selected my articles as the best in the latest issues, the series of two articles “My ERP got hacked, an Introduction to Computer Forensics” are now available for free download from the magazine site.

I’ve been also authorised to post them on my website, so feel free to download them from the updated “Papers & Presentations” page, where I have also posted some of the comments I received from several readers, as well as an interesting reference to my article from Harlan Carvey.

Happy reading!

Cracking into embedded devices and beyond!

Ismael Valenzuela — Tue, 22 Apr 2008 20:01:18 +0000

As promised in my previous post, I have just uploaded Cracking into embedded devices and beyond, Adrian Pastor’s presentation at ‘Hack in The Box’ Dubai 2008.

Thanks Adrian for your promptly response when asked for the slides and congratulations for your excellent contribution to the security community. Hope we can share a pint next time I’m in London. Un abrazo!

From HITBSecConf2008 website:

Presentation Title: Cracking into Embedded Devices and Beyond! (pdf)

Presentation Details

The presentation covers cracking into embedded devices by exploiting vulnerabilities present on default software running on the target device.

Most of the vulnerabilities discussed are web bugs that can be exploited remotely. The reason for focusing on such type of flaws, is because I’ve personally had several successful experiences discovering important/critical vulnerabilities. Additionally, the presentation is focused on vulnerabilities that can be exploited remotely.

Some of my personal discoveries will be covered, including vulnerabilities found on Axis IP cameras, Belkin “belkin54g” family of routers, BT Home Hub wireless routers (Thomson/Alcatel Speedtouch 7G), BT Voyager 2091, 3COM APXXXX Dual Radio 11a/b/g Access Point, and Linksys Wireless-G ADSL Gateway (WAG54GS). Some interesting vulnerabilities found on embedded devices by other peers will also be explained.

Not only *real attacks* will be explored, but also the *consequences* of cracking into embedded devices. How nasty can it get after an embedded device has been exploited? How far does the rabbit hole go?

In the case of routers, scenarios include eavesdropping the victim(s)’ Internet connection, controlling the traffic flow, stealing services such as TV streaming and VoIP. In the case of miscellaneous devices such as IP cameras scenarios include replacing the surveillance video stream, and one of my favorites: using the device as a stepping stone to penetrate into the corporate network after the device as been compromised from an attack originated from the Internet.

Classic attacks against embedded devices will also be discussed, although this will be a minor portion of the presentation. Finally, possibilities of exploiting FON, a community-shared Wi-Fi network will be discussed.

About Adrian

Adrian ‘pagvac’ Pastor, BSc (Hons) Computer Engineering, has been part of the security community for about four years, although he has been interested in the hacker culture since an early age. He currently works as a senior pentester and security researcher for ProCheckUp (www.procheckup.com), a leading independent specialist security organization based in London, UK. Additionally, Adrian is an active security researcher at GNUCITIZEN (www.gnucitizen.org), a renowned white-hat hacker think tank where he enjoys breaking things and publishing his findings.

Adrian is currently interested in topics such as web security, eavesdropping techniques, magstripes, and embedded devices. His research has been featured in established magazines and information portals such as BBC, The Washington Post, Wired, Slashdot, PC Pro, The Register, PC World, CNET and many others.

Integrating ISO 17799 into your Software Development Lifecycle

Ismael Valenzuela — Mon, 14 Apr 2008 21:11:27 +0000

I open the new section Papers & Presentations of this blog posting my latest article published on INSECURE Magazine: “Integrating ISO 17799 into your Software Development Lifecycle”.

In this paper, published on the 11th issue of INSECURE Magazine (May 2007), I explain how information security controls can be integrated in the Software Development Lifecycle (SDLC) using ISO/IEC 17799 (now ISO/IEC 27002). The article includes a summary table linking specific clauses in the standard to SDLC phases starting from the risk assessment stage, prior to drawing up security requirements, and continuing right through development, testing and operations to system disposal at the end of its life.

Thanks to Mirko Zorz, INSECURE’s Chief Editor, for publishing my work and thanks to all the colleagues in the security community that have reviewed my article and posted positive comments on their websites like Gary Hinson or Jose Manuel Fernández, to mention a few.

To download my article only, instead of the full issue, click on the image on the left. More info here.

In the following days I will be adding more papers and presentations to that section.