Services
For more information about our services, visit the official page on gnucitizen.com.
Our clients benefit from a wealth of cutting-edge knowledge, in-house developed technologies and recognized professionals from a broad range of disciplines and backgrounds. We focus on delivering business results to clients via a unique range of services.
- Types of Information Security Practices
- Cutting-edge Information Security Services
- Core Information Security Services
Types of Information Security Practices
GNUCITIZEN is a leading information security consultancy, involved with some of the most unique information security practices.
Tiger Team Operations
The GNUCITIZEN Tiger Team is a specialized group responsible for testing the effectiveness of an organization's ability to protect assets by attempting to circumvent, defeat or otherwise thwart that organization's internal and external security.
Each Tiger Team operation involves several experts specializing in different areas of the Information Security field. This type of service proves to be extremely valuable to clients who have clear business and security objectives and would like to assess their organization's security by pitting it against a practical, targeted cyber attack performed by experienced Information Security experts.
We specialize in defeating security countermeasures by using the latest offensive technologies, and demonstrating key steps dedicated attackers may take in order to break into your organization's most valuable assets.
Penetration Testing
Unlike our Tiger Team operations, GNUCITIZEN's penetration testing practices revolve around testing a specific component of your organization's digital assets. The GNUCITIZEN penetration test is tailor-made for the specific task.
We provide Onsite and Offsite penetration testing services, which may take a Black Box, White Box or Crystal Box approach to the given task.
Information Security Consulting
GNUCITIZEN is a very specialized group of individuals with a strong background in Information Security research, Cutting-edge Technologies and Innovative Thinking.
We provide a range of custom security consulting services which involve engaging our creative input in your business workflow.
Cutting-edge Training
We are constantly involved with organizing training events and seminars for some of the biggest organizations worldwide. Our work has been featured across industry-standard events such as Black Hat, Defcon, OWASP, Hack in the Box and many others.
GNUCITIZEN has authored several industry-recognized books and currently maintains one of the most popular Information Security blogs today.
Information Security Research
The GNUCITIZEN organization releases quality research materials on a daily basis. We have produced numerous research papers and contributed to a number of best-selling books and popular media outlets.
GNUCITIZEN provides custom research services to companies and organizations in need.
Cutting-edge Information Security Services
GNUCITIZEN is an information security organization constantly involved with cutting-edge information security research which is reflected in the types of non-standard information security services we offer.
Web2.0 Security Services
GNUCITIZEN provides cutting-edge web2.0 security testing and consulting services which aim to identify and prevent security issues within the client's Web2.0 integrations, such as AJAX, feeds, blogs, wikis, social networks, centralized identity management systems, micro formats, information aggregators, widgets, gadgets and mashups. The objective of the web2.0 security service is to determine what vulnerabilities, such as insecure design and implementation, weak identity control, information leakage, client/server insecurities and others, exist that may allow unauthorized access to the web2.0 infrastructure or leakage of private corporate data.
GNUCITIZEN has pioneered the web2.0 security consulting and penetration testing practices and research. We are de facto the first organization to recognize the insecure nature of web2.0 technologies and as a result we have produced numerous research papers, articles and presentations describing ways attackers could break into web2.0-enabled infrastructures.
Kiosk and Point of Access Terminal Security Services
Our Kiosk security services allow organizations to test both customized and off-the-shelf Kiosk software for any attacks that would allow malicious users to bypass the restrictions imposed by the system. GNUCITIZEN will test attacks such as:
- arbitrary command execution, i.e.: being able to launch the command prompt
- being able to go on-line for free (provided that users are supposed to pay for their Internet time)
- privilege escalation, i.e.: if the user account is currently running processes with limited privileges, is he able to escalate to administrator privileges?
- any other restrictions-bypass attacks that would allow users to perform actions they should not be able to perform
GNUCITIZEN can also analyze the security of the network topology where the Kiosk has been located. Could a malicious user probe other sensitive systems located in the same network after the Kiosk security software has been compromised? These are the kinds of questions that our assessment will answer for you.
Point of Sale (POS) Terminals Security Services
POS terminals should be security-tested just like any other computer system. After all, they have storage, memory and processors just like any other computer system. Unfortunately, when working towards protecting customers' credit card data, POS terminals are often overlooked. Instead, other elements such as web servers, web applications and database servers are usually considered as part of the security-testing plan.
However, it might be possible for fraudsters to install malicious software (malware) on POS terminals that allows them to obtain credit card data and send them to the attackers' servers. Since many POS terminals these days are IP-based, they can connect to any random IP address on the Internet, thus allowing attackers to send captured credit card data to any system of their choice.
Whether you are a POS terminal manufacturer, or a merchant planning to introduce a certain POS terminal model throughout your organization, we can help you find out whether your POS terminals can be compromised by malicious users.
Information Gathering and Target Profiling Services
Information gathering refers to the act of collecting information which can be used to break into the target's network assets and perform other types of malicious activities. Information gathering practices are part of the standard toolkits used by skilled crackers, black public relations practitioners and, in general, entities engaged in corporate espionage.
GNUCITIZEN's Information Gathering and Target Profiling service allows organizations to assess their corporate networks, and digital assets in general, for leakage of critical data. We look into the information distribution of your organization in search of details which are critical to your line of business. We also use advanced techniques to pinpoint critical data which may usually be ignored or treated with less importance.
Our Information Gathering and Target Profiling service is based on our extensive research in the fields of meta-data extraction, semantic web, web2.0, reputation security and black public relations, social media security and others.
Remote Desktop Security Services
Remote desktop technologies such as CITRIX, Microsoft RDP and others are the lifeblood of any modern corporate network. They are primarily used to allow externally and internally based staff members to access their desktops remotely via SSL, PPTP or IKE VPN. Therefore, the security of these technologies is essential to the overall security of the networks that make use of them.
GNUCITIZEN provides information security services targeting these specific technologies. We have performed extensive research in this field and have identified several design flaws within the architectures of CITRIX and Microsoft RDP. Our Remote Desktop Security Services include tests to identify any kind of misconfiguration and administration problems which can lead to a compromise of your remote desktop technologies and the network resources that support them.
Social Media Security Services
Social media technologies such as wikis, blogs, social networks, feeds, and others have proved to be extremely valuable to organizations of various sizes and types. These new technologies are often used as a tool to enable better communication between all stakeholders.
Although social media technologies are widely used today, they are often found to be insecure. The GNUCITIZEN team has performed extensive research in the fields of social media security, blog security, web2.0 security and others, and has publicly proven that social technologies need to be handled very carefully when it comes to security.
GNUCITIZEN provides cutting-edge Social Media Security Services to clients who have or are planning to implement social media technologies.
Reputation Security Services
The growing number of malicious reputation attacks has steadily lessened the effectiveness of the common reputation strategies. Today, it is not a matter of whether this unpleasant event will ever occur, but of when it will occur and how badly your organization will be affected.
In collaboration with Spin Hunters, the GNUCITIZEN team is offering a system of external reputation tests. Our unique framework is based on three individual approaches, which could be tailored to suit any client's demands or corporate environments:
- Assessing current/potential information risks
- Challenging the key relationships with the stakeholders
- Defining personal vulnerabilities
The major problem with defamation scenarios is that they can vary in nature and style and can be implemented at many different communication levels. It is therefore vital for any organization to gain a better understanding of the basic smear technologies and to become promptly aware of existing slander indications.
Other Cutting-edge Security Services
- Cloud Computing Security Services
- SaaS (Software as a Service) Security Services
- Client-side Security Services
- Merchant Security Services
- Surveillance Systems Security Services
- Social Engineering Security Services
- Financial Information eXchange (FIX) Security Services
Core Information Security Services
GNUCITIZEN's core information security services can be adapted to suit the client's precise requirements.
Web Application Security Services
GNUCITIZEN provides a thorough security examination of web-based applications. The objective of the service is to ensure that the application is securely deployed, configured and written with all security considerations in mind. Our focus is to identify all web-based vulnerabilities exceeding those covered by the OWASP Top 10, including, but not limited to:
- Cross-site Scripting (XSS) of all types: reflected, persistent and DOM-based
- Cross-site Request Forgeries (CSRF)
- Remote Command Execution
- SQL Injection of all types: blind and error-based
- Directory Traversal
- AJAX Insecurities and JavaScript Hijacking
- Carriage-return Line-feed (CRLF) Injection and HTTP Response Splitting (HRS)
- Weak Session Management
- Privilege Escalation
- Side-jacking
- XML Manipulation
- Session Fixation
- Insecure storage
- Information leakage in public resources
- Clickjacking or UI Redress Attacks
- Brute Force Attacks
Additionally, GNUCITIZEN has technology-specific web security expertise in Flash, Flex, Java Applets, Java Servlets, Web Browsers and Browser Extensions.
GNUCITIZEN has an extensive background in web application security research. Members of our team have co-authored several industry-recognized books and have contributed many articles to our blog and other popular printed and online media outlets. We are most known for pioneering the web2.0, browser and client-side information security practices and research.
Desktop Application Security Services
GNUCITIZEN's desktop application security services aim to examine desktop components and applications by testing from internal and external perspectives. We are specifically looking into client-side vulnerabilities, session and authentication controls, system and network integration, privacy, endpoint security and others.
GNUCITIZEN has vast experience in dealing with client-side technologies. During the course of our research work, we have identified numerous browser vulnerabilities, issues within KIOSK software and Remote Desktop systems such as Microsoft RDP and CITRIX.
Wired Network Infrastructure Security Services
GNUCITIZEN provides a detailed security overview of network systems, the underlying computer network infrastructure, employed networking protocols and the policies adopted by the network administrator to protect the network and its resources from unauthorized access. All network components are examined from a variety of internal and external perspectives.
The GNUCITIZEN team has a strong background in network security. We have performed extensive research in the areas covered by network security practices and have identified several serious design and implementation problems with key technologies such as DHCP and mDNS protocols, multicast clouds, UPnP (Universal Plug and Play), SNMP (Simple Network Management Protocol) and others. We have also been involved with extensive research in the areas of Embedded Devices and Router security. Additionally, GNUCITIZEN has experience testing high-profile financial exchange systems such as those based on the Financial Information eXchange (FIX) protocol.
Wireless Network Infrastructure Security Services
Our approach to wireless security includes the identification of neighboring, ad-hoc and rogue networks, and the assessment of all wireless access points, client laptops, firewalls, routers, VLANs, other network appliances, other embedded devices, Bluetooth components, etc.
GNUCITIZEN specializes in testing and auditing wireless and non-wireless organizations. We have in-depth knowledge of wireless technologies and have developed several offensive and defensive techniques during the course of our research work.
For further information regarding our services, please get in touch with us.