Saturday, March 29, 2008

Pentration testing development

Penetration testers can be very innovative people. The drive to look for new vulnerabilities or new ways of exploiting them demands this attitude. Its not good enough just to churn through a list of known issues. So it came as no surprise to hear about a development by a penetration testing company. It has produced a tool that sniffs out passwords, documents, and other sensitive data in a matter of minutes.

"DaisyDukes is a memory sniffer that resides on a USB device. A researcher can plug it into an unattended machine that is turned on but has been locked and reboot the machine off a compact operating system contained on the drive. Depending on the user's needs, it can be configured to capture the entire contents of a computer's memory, or sniff out only certain types of data - say a password to access the company network or unlock a user's private encryption key.

It turns out both Windows and Linux retain "boatloads and boatloads" of passwords in memory, said Sherri Davidoff, a security analyst with IntelGuardians, the penetration-testing firm that developed the tool. It's already been able to isolate passwords for Thunderbird, AOL Instant Messenger, GPG, SSH, Outlook, Putty and TrueCrypt, among others, and with additional research they believe they can find many more.

"The idea here is let's see if we can hit an office building, get in and out in 25 minutes or less and walk out with some interesting passwords," said Tom Liston, an IntelGuardians security consultant who along with Davidoff co-presented the tool at the CanSecWest security conference in Vancouver."

For a fuller article on this visit: The Register

Client side assurance services