Posted by Sulaiman Alhasawi on Feb 20, 2014 in ICS, Sulaiman Alhasawi
I’m now looking for the latest solutions regarding SCADA security in case I have missed some since I started my journey in this field. I will make a series of solutions regarding the topic – small and simple.
Most control systems such as SCADA are old systems, incapable of facing current risks and attacks. When control systems were designed, functionality was the only goal; nobody cared about security because most of those systems were closed off in a LAN or in a room. Perhaps the Internet was not there yet either. The problem arose when control systems were connected to the Internet. The lack of secure design, together with poor hardware and limited capability/performance, brought problems. In short, most control systems lag behind the average modern system in terms of design and performance. So when typical security people stepped in to help fix the security problems of control systems, the result was not good. One of the reasons is that those systems cannot handle the pressure that typical security scanners such as Nessus or Nmap put on targeted machines. There are many other reasons, but I want to keep this topic short, remember.
Nessus, the famous security scanner, was adjusted to help scan control systems. In cooperation with Digitalbond, a new feature was added to Nessus to scan control systems with little or no pressure. The feature is called "nessus-credentialed-scanning". Once Nessus has authenticated to the target, it uses the target's own netstat command and sends the results back to Nessus! The advantage of this feature, as I already mentioned, is minimizing the load. However, they are already aware of some drawbacks: for example, if the target control machine is already infected by a rootkit, the reported set of ports can be manipulated by the latter!
Oh well, there are other issues that a good hacker can use to play with, but the above solution is a good start. I won't bore you with details, but at least I gave you what I promised.
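The rootkit drawback above can be checked for by comparing the ports the target reports through netstat with the ports seen from the network. The sketch below is an added example, not part of the original post or of Nessus; the netstat sample is constructed, and the externally observed port list is assumed to come from passive monitoring such as firewall or flow logs.

```python
# Constructed sample: Linux-style `netstat -an` output collected from the
# target over an authenticated session (not real data).
NETSTAT_SAMPLE = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:502             0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.5:502            10.0.0.9:49152          ESTABLISHED
tcp6       0      0 :::22                   :::*                    LISTEN
udp        0      0 0.0.0.0:123             0.0.0.0:*
"""

LOOPBACK = {"127.0.0.1", "::1"}


def listening_tcp_ports(netstat_text):
    """Return {port: set(bind addresses)} for TCP sockets in LISTEN state."""
    ports = {}
    for line in netstat_text.splitlines():
        fields = line.split()
        # Skip headers, UDP rows (no State column) and non-listening sockets.
        if len(fields) < 6 or not fields[0].startswith("tcp") or fields[5] != "LISTEN":
            continue
        # rpartition keeps IPv6 addresses intact: ":::22" -> ("::", "22").
        addr, _, port = fields[3].rpartition(":")
        if port.isdigit():
            ports.setdefault(int(port), set()).add(addr)
    return ports


def cross_view(netstat_text, externally_seen):
    """Compare the host's own view with ports observed from the network."""
    reported = listening_tcp_ports(netstat_text)
    # Ports bound only to loopback can never be seen from outside.
    reachable = {p for p, addrs in reported.items() if addrs - LOOPBACK}
    seen = set(externally_seen)
    return {
        # Answering on the wire but absent from netstat: the host may be lying.
        "hidden_from_netstat": sorted(seen - set(reported)),
        # Reported but never observed: often just filtering, worth a look.
        "not_seen_externally": sorted(reachable - seen),
    }
```
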
Posted by Author on Feb 16, 2014 in Entrepreneur
Above all else, stay far from the lowest part level plan Kilimanjaro trips. Yes, your companions may have had an incredible experience with a plan driver. Some individuals additionally win lotto. However a lotto ticket fetches a couple of bucks, a Mt. Kilimanjaro tour fetches a couple of thousand with flights and what not.
In the event that the excursion sucks and you don’t even make it to the summit, is that truly cash spared? It’s squandered! In the event that all the stars adjust accurately a plan specialist may well guide you to the summit effectively, however you need a great risk in any climate! Furthermore you need to realize that you will live, regardless of what happens on that mountain.
It’s challenging to provide for you value rules (I provided for a few recommendations on the expenses page), in light of the fact that there are such a large number of variables. Beginning stage, way, number of days on the mountain, booking through an operator or straightforwardly… as you begin looking around you will get a feel for the costs soon enough. Burrow through the sites of the administrators you think about.
What amount of data do they impart? Contact them and request more data. It is safe to say that they are open and transparent about how they run things? If not, ask yourself for what good reason not. Somebody who has loads of experience and learning, fabulous supplies, an extraordinary safety record and incredible victory rates might not conceal that, right? What’s more I discover there is no preferable path over to generally contact tour administrators to get a feel for the extent to which they truly think about their customers. Tragically a lot of people exceedingly proficient Kilimanjaro trekking organizations that treat their customers to a great degree well, still keep their costs aggressive at the out of pocket of the doormen. To verify a Kilimanjaro tour driver truly thinks about you as well as about their staff, check the accomplice project of the International Mountain Explorers Connection. The IMEC is behind the doormen support extend in Kathmandu, Nepal, and additionally the Kilimanjaro Porters Assistance Project (KPAP) in Moshi. The organizations recorded as accomplices not just consented to treat their doormen as proposed by the undertaking and to pay them a reasonable compensation.
They likewise consented to be examined and assessed by the KPAP on a standard support. Checking if your picked Kilimanjaro tour driver or organization is recorded on that page is one imperative thing you can do to enhance the circumstances of the Kilimanjaro doormen. (A global organization may not be recorded on that page, yet the Tanzanian specialist they use on the ground is. So if booking universally, discover what the name of the organization is that will really be managing you on Kilimanjaro.) There is an added profit to picking a capable accomplice. Do you imagine that a specialist who sets an illustration regarding the matter of caring for even the least staff parts, might then disregard the security and welfare of their customers? I don’t think so. Truth be told, numerous organizations recorded on that page are doubtlessly in the top closure of the value range, yet there are likewise some that are sensibly competitive. Still, when you need a great Kilimanjaro tour, you can just go so low in the cost
Posted by Sulaiman Alhasawi on Feb 13, 2014 in Kuwaiti students North Wales, kuwaiti students uk
Finally the electricity is back! It has been off since noon yesterday. First of all, let me tell you how it feels to live without power in North Wales this time of year. The wind was so bad yesterday (as fast as 100 mph) that it blew up the power lines and disconnected more than 80,000 properties in the UK. My landlord, whose house I rent (he is 86 years old), told me he never saw a wind like that in his life. It was cold, 2-5 C! So my house was dark and freezing for more than 24 hrs. The power came back about 6 pm today. The kids and I hated it because we were also bored; we had no internet and no games! Life is really different when you are disconnected from the world (the internet) and w/o electricity. However, it was peaceful and I had fun with the kids playing with the candles at night. Of course my computer was switched off, so I could not do any PhD research. Strong winds of 60-70 mph are expected tomorrow.
Posted by Sulaiman Alhasawi on Feb 12, 2014 in kuwaiti students uk
I was interested in learning about security assessment and penetration testing as part of my PhD study, so I installed MetaSploit in order to give it a shot. The idea came to me when I was in Kuwait last Christmas holiday. I was brainstorming the possibility of doing an online business while I'm a student, something I like and have fair knowledge about. I was thinking about testing the security of my friends' websites, and I liked the idea. BUT! This would maybe get me in trouble with the hosting providers, because most of the people I know use other companies' servers (shared). So I stopped doing this unless one of my friends owns the server. MetaSploit is a well-known tool for such a task, and there are others of course. However, the Metasploit framework is nicely done and contains many of the well-known vulnerabilities, unlike getting individual tools such as Nmap and doing things manually, which takes time and research effort. It's nice to have an automated tool that is based on an up-to-date vulnerability database and let the tool do the job and the reporting. This business model is well established in many current security companies, and to my knowledge most have their own tools designed for different purposes. Oh well, I'm still thinking about my own business model.
Posted by Sulaiman Alhasawi on Jan 28, 2014 in CrossFit
Here I come to the UK after a 1 1/2 month holiday in Kuwait. My cousin told me about CrossFit because we were discussing martial arts. I told him that I have not trained for a while and my fitness is not that good. He suggested CrossFit to me, and to be honest I had never heard about it before. I did some searching about it and it looked good to me because they combine strength and stamina, and that's the ultimate goal for fighters and for myself too. So I found a place in North Wales very near my house in Gaerwen. It takes 5 minutes to drive there. So I gave it a try and I liked it. So I enrolled in the basic movements course (2 days) to learn the 9 basic movements. So far so good. The place is nice, with nice people and a friendly coach, Phil. They have a website http://www.thecrossfitplace.co.uk/ and a Facebook page. I have 1 1/2 years left in the UK and then the journey will be over and I'll be back in Kuwait for good. It's been a wonderful experience full of memories. I have learned a lot more about myself than I would have learned otherwise at home. Today we did the below workout (an hour) and my scores were medium:
1 min Squats
2 min Lat Jumps
3 min push ups
4 min back extension
5 min pull ups
Posted by Sulaiman Alhasawi on Nov 23, 2013 in P.hd.
How to set up your own hacking / penetration testing lab for free?
Tools required:
- XAMPP
- Damn Vulnerable Web App (DVWA)
- A computer running Linux, Mac or Windows :)
That's it. Simple and easy!
Now let's explain the above software:
XAMPP contains Apache, MySQL, Tomcat and others in one pack, so it's convenient: you don't have to bother with downloading and setting up those servers. In essence, those servers are what you need to practice or learn security skills. Most websites contain HTML, PHP or a database, and many of the applications running on those websites have bugs or vulnerabilities; this leads me to the next application.
DVWA uses the XAMPP servers in order to function, as most files in DVWA are written in PHP and you will need MySQL to hack its database. The great thing about DVWA is that it teaches you critical and common attacks on the internet, such as (as mentioned in the DVWA documentation and in their wording):
- Brute Force: HTTP Form Brute Force login page; used to test password brute force tools and show the insecurity of weak passwords.
- Command Execution: Executes commands on the underlying operating system.
- Cross Site Request Forgery (CSRF): Enables an 'attacker' to change the applications admin password.
- File Inclusion: Allows an 'attacker' to include remote/local files into the web application.
- SQL Injection: Enables an 'attacker' to inject SQL statements into an HTTP form input box. DVWA includes Blind and Error based SQL injection.
- Insecure File Upload: Allows an 'attacker' to upload malicious files on to the web server.
- Cross Site Scripting (XSS): An 'attacker' can inject their own scripts into the web application/database. DVWA includes Reflected and Stored XSS.
- Easter eggs: Full path Disclosure, Authentication bypass and some others. (find them!).
The above vulnerabilities are classified by OWASP as among the top vulnerabilities on the web. Of course they are not the full OWASP list, but the 8 skills supported by DVWA are an excellent start for anyone who wants to learn penetration testing. There are 3 levels of security you can choose from: low, medium or high. Low means it's weak and vulnerable, while high means secure. The good thing about that classification is that you can choose each security level and learn what it takes to secure your web application, of course not in a deep way but enough to show you the idea. It's not recommended to upload DVWA to your real host/webserver, as the application contains many bugs and you don't want someone to mess with your host.
How to set things up?
- After you install XAMPP, open its control panel and start Apache and MySQL.
- Extract the contents of DVWA inside the XAMPP folder under /htdocs.
- In your browser type: http://127.0.0.1/DVWA_folder and you will be taken into the setup phase. If you get a database error like "can not connect to database ..", open the file DVWA/config/config.inc.php and make sure the following fields look like this:
$_DVWA[ 'db_user' ] = 'root';
$_DVWA[ 'db_password' ] = '';
$_DVWA[ 'db_database' ] = 'dvwa';
That's it, and the hacking lab is ready to run. You can get any tool you want or follow the guides that DVWA has put under each attack. Plenty to read and a lot of learning, I know. Well, that's what makes a real hacker! Have fun!
P.S. There are of course other methods and tools for setting up hacking tools; I'm currently in the process of compiling them, especially my Emulab testbed that I'm preparing for my Ph.D. I will make sure to show you my progress in the future.
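One way to act on the advice above not to expose DVWA is to check that the lab's Apache only listens on loopback, and to rewrite any directive that does not. This is an added example, not part of the original post or of XAMPP/DVWA; the httpd.conf fragment is constructed and the function names are hypothetical.

```python
import re

# Constructed httpd.conf fragment for illustration (not copied from XAMPP).
HTTPD_CONF_SAMPLE = """\
# Listen 192.0.2.10:80
Listen 80
Listen 127.0.0.1:8080
Listen [::1]:8081
Listen 192.168.1.20:443 https
"""

# Apache syntax: Listen [IP-address:]portnumber [protocol]
LISTEN = re.compile(
    r"^\s*Listen\s+(?:(\[[^\]]+\]|[^\s:]+):)?(\d+)(\s+\S+)?\s*$", re.I)
LOOPBACK = re.compile(r"^(127\.\d+\.\d+\.\d+|\[::1\]|localhost)$", re.I)


def _exposed(match):
    """True when the directive binds all interfaces or a non-loopback address."""
    host = match.group(1)
    return host is None or not LOOPBACK.match(host)


def exposed_listeners(conf_text):
    """Return (host, port) for Listen directives reachable from other hosts."""
    found = []
    for line in conf_text.splitlines():
        m = LISTEN.match(line)  # commented-out and unrelated lines do not match
        if m and _exposed(m):
            found.append((m.group(1) or "*", int(m.group(2))))
    return found


def bind_to_loopback(conf_text):
    """Rewrite exposed Listen directives so Apache answers on 127.0.0.1 only."""
    out = []
    for line in conf_text.splitlines():
        m = LISTEN.match(line)
        if m and _exposed(m):
            # Keep the port and the optional protocol argument, pin the address.
            line = f"Listen 127.0.0.1:{m.group(2)}{m.group(3) or ''}"
        out.append(line)
    return "\n".join(out) + "\n"
```

The same reasoning applies to MySQL, since the DVWA configuration above logs in as root with an empty password; MySQL's bind-address setting controls which interface it listens on.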
Posted by Sulaiman Alhasawi on Oct 15, 2013 in Uncategorized
Posted by Sulaiman Alhasawi on Oct 6, 2013 in Kuwaiti students North Wales, kuwaiti students uk
It seems that the issues that I mentioned in my last topic about UK visas are being taken seriously, and it's now no longer necessary for Kuwaiti citizens to queue up in the British visa centers in Kuwait in order to get a visa. It's free for tourists. We can get a 6-month visa once we land in the UK, like the old days. This applies to visitors only. Students have to request a visa, but I hope they (the UK Embassy) don't take all the money if an applicant makes a mistake. I have noticed that the websites are not updated yet on both sides and they still show that Kuwaitis need a UK visa. C'mon web admins!! If you read Arabic, you can read the approval letter that was sent by the British authorities.
Point # 1: I don't normally complain about things that I can't change; however, I have an opinion about my experience of obtaining a visa for study/tourism to study in/visit the UK. I'm from Kuwait, and there the UK embassy is making millions of dinars (1 Dinar = 2.3 Pounds) every month. The number of tourists, especially in summer, is huge; add to that the big ratio of Kuwaiti students like myself who want to study in the UK. I don't have anything against it except one thing: why is it that when a visa is rejected, the UK takes the full amount of money? I think this is a rip-off. The amount is huge, 100+ pounds depending on the type of visa. You can take processing fees if you want, but please don't take the full amount and ask me again to reapply and repay the same amount!!!!
Point # 2: If a British citizen wants to visit Kuwait, he/she can enter free of charge for a month; here is a quote from gov.uk: "British nationals travelling by air can get a free 30-day entry permit/tourist"!!! Why do we have to pay then, as Kuwaiti citizens, when we come to the UK? There must be equality. It used to be the case before the year 2000, but not any more. I demand that the Kuwaiti government reach an agreement about that. We should be equal; otherwise let the British pay.
Point # 3: I have been filling in the UK visa form, and I can assure you it's not fun. It's thick and stupidly complicated. You need a guide or a course in order to fill it in. My point is that in the form they ask you how much you want to spend!!! What? How the hell will I know? OK, be strict with poor/troubled nations who are escaping to the UK, but please, we come from the Gulf and we are interested in immigration. We bring more money to your economy than you do to ours. My suggestion is to have different forms that suit the standard of a particular country or person. Suppose a millionaire who comes from India is interested in visiting the UK; will you ask him how much he will spend? I'm sure he is different from a poor person from the same country. Besides, what will it benefit you if you know his/her spending? Be smart!
Posted by Sulaiman Alhasawi on Aug 8, 2013 in Uncategorized
Happy Eid Mubarak everyone, and may Allah have accepted your fasting in Ramadan. I have stopped blogging for a while, nearly 4 months. I know it's laziness, but I was busy with my studies and life. I'm back now to: 1- research, after a month's halt due to fasting. 2- hopefully blogging consistently. 3- new ideas and change in my blog.