Christmas is near, but Santa has already arrived at the Hakin9 editorial office. We decided to make a special gift for you and publish a new issue completely free of charge.
This time you will deal with a few aspects of cyber security. Inside Hakin9 Open – Cyber Security you will find 4 sections. The first, Cloud Security, is about vulnerabilities which you can find in cloud services. You will also read about how to prevent data loss, and learn a bit about Microsoft Cloud. The second section is dedicated to iOS Hacking; iOS is one of the most popular operating systems used in mobile devices, made by Apple Inc.
The third chapter, Web Security, will lead you from web security and attacks to WordPress security. And the last one, Advanced Exploitation, will give you advanced knowledge on Black-Box Penetration Testing and the Java Virtual Machine.
You will also find extra articles about QR code hacking and password cracking.
The Hakin9 team would like to thank you all for this year you spent with us, and wishes you a Merry Christmas and a Happy New Year!
Information splitting in Cloud Storage Services
By Marius Aharonovich, IT Security Department Manager at Avnet, CISSP
The use of cloud computing services has expanded rapidly in recent years, as it enables scalability, quick adaptation to dynamic changes in business requirements and a reduction in total cost of ownership. However, these services create challenges regarding information confidentiality and availability, where the cloud service provider is solely responsible for managing the computing infrastructure and information security.
Security in Microsoft Cloud
By Shruti Prasad, Lead in Microsoft Practice at Collabera Solutions Ltd., CEH, MCPD Azure Certified
While cloud services are gaining popularity and witnessing a predictive growth, security remains the biggest concern impeding the fast adoption of cloud services. The thought of sensitive data floating on the cloud continues to make people nervous. In spite of all the challenges, Cloud is here to stay!
Not enough security In-The-Cloud
By Alexander Larkin, Senior Developer at InfoTeCS
The history of In-The-Cloud. Problems with making hosted services secure. How it can help and why attacks can make no profit from using it today in some cases.
Cloud Computing Security Challenges
By Ahmed Fawzy, CEH, CHFI, ECSA, ITIL, MCP, MCPD, MCSD, MCTS, MCT
Recently, cloud computing has become the most requested service across IT services. As we all know, many companies, organizations and governments have moved to the cloud; for example, half of the US government has moved to the cloud. The main objective of this article is to discuss the types of new risks that surround moving our data to the cloud, and to evaluate the dreams of unifying the storage layer across the world, as per some research.
iOS Application Hacking, a rising star
By Antonio Ieranò, VP – Security Analyst and R&D Advisor at KBE Intelligence
Mobile computing is a reality and mobile security is an obvious consequence. As we are all aware, the market is nowadays divided into 3 main streams: Android, iOS and the others. Although Android has been under the spotlight since its birth because of its security issues, and the issues related to the several “forks” that Android generated for every single phone vendor (think of the HTC security issues last year, for example), iOS is also becoming a target for malware, hacking and security concerns.
Non-Standard Way to Get Inaccessible Data from iOS
By Kirill Ermakov, Lead Information Security Expert at QIWI
In the wake of my speech at Positive Hack Days, I would like to share information I got exploring a daemon configd on iOS 6 MACH. As you know, iOS gives little information about Wi-Fi connection status. Basically, the Public API allows getting SSID, BSSID, adapter network settings, and that’s all. And what about encryption mode? Signal power? You can look under the cut for more information on how to get such data without Private API and jailbreaking.
By Terry Cutler, Co-founder of Digital Locksmith. Inc, CEH
François Proulx, Senior mobile application developer
With constant access to email, applications, the Internet, and company data, workers are using their devices to stay in touch with family, friends, and co-workers through social networks. This means that people are building a larger database and adding data to their applications. The appeal for hackers with malicious intent is obvious; the buildup of data could mean massive attacks on sensitive company or government data. The crazy part is that it all could have been launched, unknowingly and cleverly, through a smartphone.
WordPress & Web Application Security
By Marc Andre Heroux, CGEIT, CISA, CRMA, CRMP, ABCP, CISSP, NSA-IAM, NSA-IEM
WordPress is a system that many organizations use to develop web applications. It can be risky for an organization to rely on WordPress without implementing proper security controls. This article presents the basic elements and security controls for web applications using WordPress.
Web Authorization Attacks
By Niharika Ramachandra Murthy, Infotech Student at University of Stuttgart
The logic behind authorization is that the authenticated user’s session is proved with a unique random token which is used to identify him in the application. Since HTTP is a stateless protocol, session management is in place to overcome this.
Black-Box Penetration Testing Scenario
By Basem Helmy, Information Security Engineer, ECSA/LPT
All information in this article is from real penetration testing scenarios. Some of the steps in the article are straightforward; it may take more skill to bypass some restrictions such as antivirus, host intrusion prevention systems and firewalls.
Instrumentation: Entering The Mysterious World of Java Virtual Machine
By Hardik Suri, Security researcher at Juniper Networks
Java is one of the software products most frequently exploited by cybercriminals. The fact that more than 10 0-days were actively exploited in 2012-2013 shows the rate at which Java 0-days are cropping up. Traditional IPS vendors have always lacked the capability to block Java exploits generically; the simple string-matching methodology used by traditional IPS is easily evaded by the ever-changing, complex code obfuscation used by cybercriminals today. A dynamic scanning approach could help us look inside the actual vulnerability hiding behind all those obfuscation layers. Instrumentation, a tool which allows us to enter the Java Virtual Machine environment and monitor the execution of a program in real time, can provide us with that alternative.
How Hackers use QR Codes to hack you?!
By Ahmed Fawzy, CEH, CHFI, ECSA, ITIL, MCP, MCPD, MCSD, MCTS, MCT
First of all, the price of technology is often the security challenges we face as security professionals or end users. A technology comes into our lives to add value and increase the luxury of our lives, but in fact it may carry a potential risk. In this article we will discuss how hackers exploit QR technology to hack others.
By George Lewis, Director at Big Data Solutions, CISSP
This article will cover the Exploitation Phase and will mainly focus on Gaining Access / Privilege Escalation through different password cracking techniques.