Dear Readers, We would like to present you second episode of CynjaSpace....
With this very new issue we would like to introduce a completely fresh topic – BIOS Security. With our step by step tutorials you will learn how to protect your system on the most basic level. BIOS is the easiest way to infect computers, but with our articles written by experts you will get advanced knowledge which will allow you to protect your data successfully, and make you an expert of BIOS security.
This time sou will find sections How To Hack BIOS and How To Secure BIOS. Sou will also read estra articles Mobile Application Penetration Testing and Deploying SQL Injection Attacks in POst Method Data to Hack Websites.
Keep Your BIOS Safe with Hakin9′s Step-by-step tutorials!
How To Protect BIOS?
BIOS Security – Important Yet Overlooked
By Rob Gangemi and Azeem Nizam, Information Security Consultants, CISSP, CISA, CISM, CRISC, CCISCO
BIOS Security is an easily overlooked part of computer security. Thanks to worrying malware releases such as Mebromi and terrifying proof-of-concepts such as Rakshasa however – government agencies and hardware manufacturers are making serious strides to combat this glaring security weakness.
How To Hack BIOS?
BIOS Security? Build a PXE Attack Server
By Tony Lee, Scientist at FireEye
and Chris Lee, Security Consultant at Foundstone
As consultants we are often hired to evaluate the security of kiosks or computers that are designed to interface with the general public. The most secure configurations are ones that limit user interaction to the file system, command prompts, and the Internet. One of the best ways to limit user interaction to the hard drive is to lock down the Basic Input/Output System (BIOS) to help prevent booting to alternative Linux distros. This includes disabling booting to USB devices, locking down the boot order, and password protecting the BIOS. In various engagements we will run across kiosks that are fairly locked down, but still vulnerable due to a very commonly seen BIOS configuration. This article discusses how attackers can take advantage of this BIOS setting to allow the Preboot eXecution Environment (PXE) to be an administrator’s best friend and worst enemy.
ACPI Tables Overloading. A Hands-On Approach
By Marco Sogli, BIOS Engineer at SECO
With the ever increasing demand for efficient systems, including servers, personal computers and portable devices, the trade-off between performance and power consumption has become critical for almost all system architectures. Power efficiency needs to be achieved not only through an optimized hardware design, but also through a deep software optimization, for example enabling the system to run in low power mode and to support dynamic switching to higher performances when the CPU/GPU tasks become more heavy, all of this, trying to keep the whole system quiet and cold.
Mobile Application Penetration Testing
By Bhaumik Shah, CISA, CEH, Information Security Consultant at Polaris Financial Technology LTD.
The mobile application security market has seen a massive boom in the last couple of years owing to the availability of affordable smart phones from a variety of vendors and the advent of Bring Your Own Device (BYOD) into work. The usage of these applications has provided users with easy and active access to manage financial transactions, online procurement of various types of goods, access to entertainment and ability to stay connected online. It has helped businesses to increase productivity and flexibility for users. This in turn has made mobile applications vulnerable to hostile online threats from hackers which lead to loss of personal and professional information related to their financials, credit card details, personally identifiable information (PII), email addresses, passwords and making them victims of ever-growing cyber criminals. Thus mobile applications need to be continuously scanned and tested for security risks and exposures.
Deploying SQL Injection Attacks in POst Method Data to Hack Websites
By Pranshu Bajpai, Computer Security Professional Specialized in Systems, Network and Web Penetration Testing,
Saurabh Mishra, Cyber Security Professional
It is easier to dump the database if SQL Injection Vulnerability exists in the GET Method Parameters than in the case of POST Method Parameters. Havij or SQLmap, Tools cannot substitute knowledge. Here we explore how we can exploit an SQL Injection Vulnerability existing in the POST Parameter with the help of a case study.SQL Injection Vulnerabilities have been exploited since they were first discovered by ‘rain.forest.puppy’ who wrote a paper about it in the ‘Phrack’ magazine in 1998. It has been a favorite of Hackers to gain access into the database which contains vital information about users like ‘user-ids’, ‘passwords’, ‘emails’ etc.