Quantcast

Archive: 2015

Adaptive Penetration Testing 6: The Teensy Attack

What’s described here is another somewhat hilarious security assessment story, where a company got compromised through keyboards presented to the IT staff. Dave: The next one is Company 2, which is malicious media. This actually happened this month. It was an engagement that I was working on. It’s a...

Adaptive Penetration Testing 5: Physical Part of the Compromise

The InfoSec celebrities narrate the details of another facet of the assessment, where the company’s premises and IT infrastructure were physically trespassed. Dave Kennedy: Kevin, by far, is one of the most meticulous people I’ve met. I mean, for me it’s kind of a hack job, I’m like “Oh, this...

Adaptive Penetration Testing 4: Windows UAC Bypass

Dave Kennedy and Kevin Mitnick discuss a method to circumvent User Account Control on Windows by means of a Java applet and the Social-Engineer Toolkit. Dave: What I’m going to show you here is a demonstration of that actual bypass using the Social-Engineer Toolkit and the Java applet. What I’m going to...

Adaptive Penetration Testing 3: Prep for a Software Vendor Compromise

Moving on from theory to practice, Kevin Mitnick and Dave Kennedy share some experience on extensive preparation for an actual software company breach. Dave: Our first demo is Company 1, which Kevin was doing assessment on in December 2010. Kevin: It was a company that developed software for the financial...

Adaptive Penetration Testing 2: Real vs Simulated Breach

Dave Kennedy and Kevin Mitnick focus on nuances of real-world company breaches as opposed to simulated ones and explain why the former are more instructive. Dave Kennedy: We are the only industry that I know of who keep increasing their budget, keep increasing their capital expenditures, and continue to get...

Adaptive Penetration Testing by Kevin Mitnick & Dave Kennedy

Computer security gurus Kevin Mitnick and Dave Kennedy taking the floor at DerbyCon to explain the concept of adaptive pentesting and cover its advantages. Dave Kennedy: Thanks everybody for coming for the talk! Obviously, Kevin Mitnick and myself wanted to get together and get a talk around adaptive...

Masquerade 5: Closing Thoughts

Before winding up with the presentation, Ryan Lackey and Marc Rogers provide some final details on the travel routers and answer DEF CON audience’s questions. Ryan Lackey: So, out of this full range of hardware we needed to come up with initial piece of hardware that we wanted to support as a development...

Masquerade 4: Introducing Secure Travel Routers

The experts finally get to the point of integrating different hardware and firmware components into a single device intended for one’s security when traveling. Marc Rogers: There are Tor pluggable transports (see right-hand image), which is a great tool. There are seven of them that are live right now, I...

Masquerade 3: “The Great Firewall of China”

In addition to describing China’s web traffic restriction approaches, the speakers also touch upon the benefits and disadvantages of VPNs and Tor. Ryan Lackey: Then we’ve got examples of when you travel to places like China. China is a great place to visit, but they have a fairly restrictive...

Masquerade 2: The Verbose Metadata

Ryan Lackey and Marc Rogers mostly focus on network forensics here, in particular the types of metadata that can be retrieved as a result of such analysis. Ryan Lackey: So, what are the common mistakes and vulnerabilities here? These are just several examples (see right-hand image), there’s a bunch more....

Masquerade: How a helpful man-in-the-middle can help you evade monitoring

Presenting at DEF CON, Ryan Lackey and Marc Rogers, security researchers at CloudFlare, highlight various methods and helpful tools to avoid OPSEC failures. Ryan Lackey: Hello everyone! I’m Ryan Lackey, and this is Marc Rogers. Unfortunately, our third co-speaker The Grugq is not here, as you can tell. I...

Don’t Fuck It Up 7: Secure Messaging

Staying on the safe side with things like commercial webmail, Skype and online chats is what Zoz talks about in the closing part of his DEF CON presentation. Let’s go to messaging (see right-hand image). After all these years, email still fucking sucks. Fighting spam aids tracking because that’s why...

Don’t Fuck It Up 6: OPSEC with Phones

Zoz underscores the immense amount of personally identifiable data that cell phones can leak and provides recommendations on using burner phones securely. Let’s move to phones. What does that little Benedict Arnold in your pocket do to give you away? So much frickin’ stuff (see right-hand image). The...

Don’t Fuck It Up 5: The Silk Road and Dread Pirate Roberts Story

Zoz contemplates on the potential weak links of using Tor hidden services, making some assumptions about OPSEC fails by the infamous Dread Pirate Roberts. Here’s some more good news: the big list and the small list. These are the recently leaked XKeyscore filter rules (see left-hand image). Basically,...

Don’t Fuck It Up 4: Use Tor the Right Way

Zoz has got some great points on the ways of using Tor securely, providing real-world fail examples and underscoring that Tor is not really for encryption. Let’s go multi-hop. Don’t fuck it up when you use Tor. Hopefully everyone here knows what Tor is and the main way you fuck it up when you use Tor,...

Don’t Fuck It Up 3: The Ins and Outs of VPNs

This part provides the analysis of whether using VPN services prevents traffic interception and gets a user on some kind of a potential suspects list. So, here’s the first tool, VPNs (see left-hand image). You are going to use an insecure network – are you safe? Two questions when it comes to tools:...

Don’t Fuck It Up 2: The 7 Deadly Sins

The things that Zoz focuses on in this part are the notions of tradecraft and OPSEC as well as the 7 critical don’ts that can get you busted unless followed. People who were trained to do sketchy shit and not fuck it up, including organized crime and the feds – two groups to which there’s not an...

Presentation by Zoz – Don’t Fuck It Up!

Technology and security enthusiast Andew ‘Zoz’ Brooks delivers a fascinating DEF CON presentation about proper OPSEC and other guidelines to stay safe online. I didn’t know that disobedience was going to be the theme of DEF CON 22 and I submitted this talk. So I guess I didn’t fuck it up....

The State of Incident Response by Bruce Schneier 5: Questions and Answers

Bruce Schneier takes questions from the Black Hat attendees about issues related to incident response such as under-investing in defense, striking back, etc. So, with that, I’m happy to take questions. Or not, but that seems odd. Alright, so, the way this works is one person has to raise their hand, and...