Author: david b.

Getting Ahead of the Security Poverty Line 5: Security Awareness Enhancement Practices

This part of the keynote is dedicated to optimization of security awareness training programs, and the common drawbacks of external audits for organizations. Let’s talk about a couple of other problems and things we’ve done to deal with them. Security awareness – anybody here involved in security...

Getting Ahead of the Security Poverty Line 4: Effecting Long-Term Change

Andy Ellis now emphasizes long-term risk reduction, while also highlighting some of the scare tactics security vendors tend to rely on. Now let’s look at some ways that people act, and I’m going to include a couple of my anecdotes here. First one isn’t me. So, I went and took 3...

Getting Ahead of the Security Poverty Line 3: Perceived and Actual Risk

The subject matter Andy Ellis focuses on here is the so-called Set-Point Theory of Risk Tolerance addressing the concept of perceived and actual risk. The Peltzman Effect Why are things getting worse for the organizations? And this comes back to the Peltzman effect. Sam Peltzman is an economist at the...

Getting Ahead of the Security Poverty Line 2: Degrees of Security Value

In this entry, Akamai’s Andy Ellis dwells on the degrees of security assurance within organizations, and explains why adversaries succeed in their attacks. How much security value is ‘good enough’? We’d all love to have perfect security; we’re not going to be there though. This graph is...

Getting Ahead of the Security Poverty Line

Andy Ellis, the Chief Security Officer at Akamai Technologies, gives a keynote at the ‘Hack in the Box Amsterdam’ event, providing an in-depth view of present-day information security, its goals and its constituents. Let’s start off with defining the security poverty line; the security...

Secure Password Managers and Military-Grade Encryption on Smartphones 5: The Summary

Elcomsoft employee Dmitry Sklyarov draws conclusions based on the study he and his colleague Andrey Belenko conducted about password keepers for smartphones. Now I’m going to move on to summary and conclusions. We mentioned iOS passcode many times during this presentation, and it’s probably a really good...

Secure Password Managers and Military-Grade Encryption on Smartphones 4: Paid iOS Password Managers

Having shed light on the specifics of free password managers for iOS, Dmitry Sklyarov now focuses on the popular paid password apps for this platform. Now that we have reviewed free password applications, it’s actually fair to assume that paid apps should be better than free ones. They should...

Secure Password Managers and Military-Grade Encryption on Smartphones 3: Free Password Keepers for iOS

It’s Dmitry Sklyarov’s turn to take the floor and talk about popular free password managers for iOS, their security implementation details, and common drawbacks. iOS Password Managers (Free) Actually, there are lots of applications available for people in the App Store, and we’ll start with free...

Secure Password Managers and Military-Grade Encryption on Smartphones 2: Device Backup and BlackBerry Password Managers

This part of the presentation focuses on data backup on smartphones, and provides an overview of popular password management applications for BlackBerry. Threat Model Let’s now move to the threat model. Throughout the research we assume that the attacker has physical access to the device, or the attacker...

Secure Password Managers and Military-Grade Encryption on Smartphones: Oh, Really?

Andrey Belenko and Dmitry Sklyarov, security researchers representing Elcomsoft Co. Ltd, headquartered in Moscow, give a presentation at the Black Hat Europe event to raise relevant issues of data protection on smartphones. We would like to welcome you to our talk at Black Hat Europe 2012. Today I’m here with...

Social Engineering Defense Contractors on LinkedIn and Facebook 6: Preventive Measures

In conclusion, Jordan Harbinger tells a few stories from his past experience to underscore that the human component is the weakest link in the information security chain. Solutions So, the solutions are obvious, right? Training: sure, you got policies with respect to social media in your company, and you’ve got this classified...

Social Engineering Defense Contractors on LinkedIn and Facebook 5: Tactic for Eliciting Private Data

Having obtained basic data on the targets, Jordan Harbinger makes a bolder move to get their near-intimate details by applying more advanced social engineering. Step 6: [Hypothetically] Elicit classified info Now that I have tons of information about the company, the facilities and how things work from the...

Social Engineering Defense Contractors on LinkedIn and Facebook 4: Executing the Attack

Jordan Harbinger highlights the use of social engineering while carrying out the attack, and provides the specific data he managed to retrieve via this tactic. Step 5: Execute the attack So, I added a bunch of my targets on Facebook and I was able to get the privacy settings down so that if I added a few...

Social Engineering Defense Contractors on LinkedIn and Facebook 3: Associating with Targets

This part is about the strategy Jordan Harbinger implemented to get in touch with targets and learn their additional personal details for a successful attack. Step 3: Associate and gain rapport with targets So, now I was in and it was time to see what I could dig up. I want to make sure that I get something...

Social Engineering Defense Contractors on LinkedIn and Facebook 2: Selecting the Targets

The next phase of Jordan Harbinger’s social engineering study involves joining the environment with potential targets who have top secret level clearances. The question is: was this just some face-to-face magic that social engineers, or myself, can work in person that was getting this type of result, or is...

Social Engineering Defense Contractors on LinkedIn and Facebook

Jordan Harbinger, an expert in interpersonal dynamics and social engineering, gives a great keynote at the DerbyCon event, highlighting the methods it takes to elicit confidential information from people with top secret level security clearance. Thank you guys for coming to DerbyCon, aka EarlyCon, aka HangoverCon...

PharmaLeaks 4: Spamming Techniques and Payment Service Providers

In his presentation’s final part, Damon McCoy dwells on the spamming strategies used by pharma affiliates, and breaks down the costs online pharmaceutical networks have to bear. Strategies for Spamming Now that we’ve looked at some general numbers on affiliates, let’s look at some of the top earning...

PharmaLeaks 3: Customer Acquisition and Affiliate Statistics

Damon McCoy highlights the customer influx trends and basic characteristics of the affiliates operating within the three major online pharmaceutical programs. Now that we’ve looked at product demand and demographics, let’s take a look at how these programs attract new customers (see graph). On the Y...

PharmaLeaks 2: Demographics and Revenue Structure for GlavMed, SpamIt and Rx-promotion

In this entry, Damon McCoy provides results of the study about customer base, products and revenue structure of major online pharmaceutical affiliate programs. In previous studies, a lot of people, including our group, have inferred just small little parts of these online businesses. And it’s always been...

PharmaLeaks: Understanding the Business of Online Pharmaceutical Affiliate Programs

Damon McCoy, Assistant Professor at George Mason University’s Computer Science Department, gives a great presentation at the USENIX Security Symposium dissecting the business model of the spam-driven online pharmaceutical industry. I am going to be presenting our work on PharmaLeaks, or as I like to call it:...

Questions with Kevin Mitnick 5: Present-Day Hackers and Controversial Legislation

The final part of this interview is a Q&A section, where Kevin Mitnick answers viewer questions about his attitude to today’s hackers and other relevant matters. Shannon Morse: Well, Kevin, right now we are going to have some awesome viewer questions for you. Alright, so the first one comes from...

Questions with Kevin Mitnick 4: The Grey Hat Houdini of Hackers

Kevin Mitnick expresses his ideas on the state of security nowadays, discussing some real-world engagements he undertook and new projects coming up. Shannon Morse: Given that this book is kind of a look at your past days and hacking, is there anything you regret from the past days? Kevin Mitnick: Yeah, you...

Questions with Kevin Mitnick 3: Escaping Prosecution

In this part, the once most wanted hacker Kevin Mitnick tells Hak5’s Shannon Morse about his experience with law enforcement when he was a fugitive. Shannon Morse: Speaking of people that you might have social-engineered, and same with the people that might have accused you of things: did you worry...

Questions with Kevin Mitnick 2: Social Engineering and Technical Hacks

This entry reflects autobiographical facts provided by Kevin Mitnick during his interview at Hak5, specifically outlining the social engineering tricks he used. Shannon Morse: There were a whole lot of security flaws for a lot of corporates, a lot of companies that you write about in your book. Did you run into...

Questions with Kevin Mitnick

Interviewed by Hak5 tech show’s Shannon Morse, the legendary former hacker Kevin Mitnick unveils exciting facts of his intricate and captivating life story. Shannon Morse: Today I am so excited to have Kevin Mitnick in this studio. Now, Kevin, you are known as the world’s greatest, most wanted hacker....

History of Hacking 4: Real-World Phone Phreaking Stories

To cap off his talk, John Draper tells a few stories from his phone phreaking past to show the power you could have playing around with phone numbers. Okay, what I’d like to do now is tell a few stories about some of the stuff that we did, because I kind of wanted to save the best for last. One of...

History of Hacking 3: The Dawn of Computer Hacking

The reasons phone phreaking was so effective, as well as the peculiarities and flaws of the first known online systems, are what John Draper outlines in this part. Why Phone Phreaking Worked Well, AT&T’s decision to use what they called ‘in-band signaling’ was their downfall, very bad idea....

History of Hacking 2: Insight into Phone Phreaking

This part of John Draper’s presentation is about the various methods of phone phreaking as one of the early manifestations of hacking into systems. Phone Phreaking 101 Who is a phone phreak? A phone phreak is a person, usually blind, because the only things that are in their lives are audio and what they...

History of Hacking: John “Captain Crunch” Draper’s Perspective

Well-known old school hacker and phone phreak John “Captain Crunch” Draper delineates the major milestones in the evolution of different types of hacking at the CONFidence IT security event. Hello everybody! I don’t know if you’ve heard of me or not, but I was the old school hacker back in the...

Pwned by the Owner 4: Lessons Learned

At the end of his fantastic Defcon talk, Andrew ‘Zoz’ Brooks takes some time to provide more details about the thief’s identity, and lists the lessons learned. Who is Melvin Guzman? The Close-Up Well, Melvin Guzman is the kind of person who spells his own name wrong on his Facebook page (see snapshot)....