Category archive: opinion

The SEVER Methodology

The “Social Engineering Vulnerability Evaluation and Recommendation (SEVER)” methodology, located at http://www.kgb.to/SEVER_Instructions_Final.pdf , was recently highlighted to me, and also appeared in the darknet.org.uk blog in December 2011, although the document appears to date from April 2011.
The SEVER project hopes to:

  1. Provide the fastest means of training novices about complex social engineering concepts.
  2. Provide penetration testers with a methodology that minimizes their effort while increasing their chance of success.

The truth is far from this, and the detail is unnecessary - I started writing references and in the end realised I was referencing at least every page, if not every paragraph.

In summary, the document is an “eighties text file” style rant about the author’s personal irritants; it doesn’t really detail a methodology at all, and concentrates on how to attack a single person rather than an organisation or other goal.  For example as part of a Social Engineering engagement the author appears to advocate the exploitation of phobias, use of lighting to induce migraines in the target, gaining rapport with the target through mutual use of illegal drugs, and torture.  I strongly suggest reading for entertainment purposes only.

In stating the above I’m presuming that Penetration Testers all obey the law, their job being to simulate the effect of criminal acts rather than commit them; also their intention is to show the customer that they can be trusted with the information and access they’ve been granted. Also that as part of the engagement a Penetration Tester is neither permitted nor willing to cause permanent physical and/or psychological damage to their client’s employees. The legal liability incurred by trying out many of the techniques listed would be “interesting.”

Sigh

I wanted to say something, but, of course, Schneier has said it so well already…

http://www.schneier.com/blog/archives/2009/12/separating_expl.html

Seeing as the existing methods worked so well in preventing this attempt, it’s a good job they’re bringing in newer and more effective protective mechanisms….

The Internet is not Real World

The Internet isn’t the real world.  That’s not that hard a concept is it?  In training courses I’ve felt a little embarrassed when making a point of this early on in the presentation, as it feels like such an elementary point.

But occasionally, due to the nature of some of the mailing lists I’m on, I have to explain this. Some annoyed spam recipient, or a user with new firewall software and mad whois skillz, wants to exact retribution on the dastardly IP address that just attacked him; and I explain how difficult it is to tie received traffic to an IP address, and an IP address to a person.

Then I read this:

“Real Security Is Threat-Centric” at http://taosecurity.blogspot.com/2009/11/real-security-is-threat-centric.html by Richard Bejtlich.

Now if you’re trying to pin down the source of a concentrated attack by many parties, and trying to generally attribute it to a foreign power or a criminal gang, or a concentrated concerted attack, I can see his point about attribution, just, if I squint. However the online equivalents of Bejtlich’s “local residents” are unlikely to come under such an attack, and will more likely be spammed using hacked email accounts or faked sender addresses, compromised through a drive-by download, infected by a worm, simply be some bot, or similar.  In those cases attribution is very difficult, if not impossible.

To stretch Richard Bejtlich’s example even farther… imagine the situation, two suspects were questioned Friday, but the suspects claimed that their bodies had been compromised and were under the control of malicious ghosts, or that the evidence of the break-ins had been remotely faked by a rival of theirs from Brazil; or the victim’s possessions had only been copied, not removed, so no-one noticed they’d been “stolen” for several months, meaning all the forensic evidence of the break-in had been destroyed.

Ridiculous ideas, yes?  But their online equivalents are possible because… wait for it… The Internet is not the Real World, don’t expect the same methods to work on here.

Hopefully

From http://www.wired.co.uk/wired-magazine/archive/2009/12/features/25-ideas-for-2010-neurosecurity.aspx ( 25 ideas for 2010: Neurosecurity ), a quote from Kevin Fu, of the Medical Device Security Centre:

“Hopefully the medical community will have the proper regulatory incentives to manufacture devices that can resist the security and privacy risks introduced by wireless communication,” says the MDSC’s Kevin Fu. “Otherwise it’s a no-brainer that some depraved person will attempt to cause harm.”

Undoubtedly this has been taken out of context.  Partly because the second point doesn’t follow on from the first - the threat will be there regardless of whether it will be resisted or not.  But mainly…  hoping that a community will come together to provide regulatory incentives is obviously overly optimistic: the glacial evolution of the PCI DSS shows that it’s unlikely at best. I’m hoping the BioTechnology Industry Organisation Device Security Standard ( BIO DSS ) is alive and well by the time I require one of the devices.

Hacking: The Next Generation

Just started reading “Hacking: The Next Generation”, and disappointed to see piggy-backing receive such a very small amount of coverage. This is such an important issue, and so varied, I think I could write a chapter on it given a chance…

Microsoft Vista and Windows 7 UAC insanity

Having recently been forced to migrate back to using Windows, I feel compelled to comment on Microsoft’s new ‘Security Enhancements’ in the Vista and Windows 7 OS.

Upon starting a Computing MSc I was dismayed to find out that the first trimester was Windows-centric. Running a virtual machine under OSX on my Macbook was not practical (due to speed and HDD space concerns) and so I opted for a new lightweight Toshiba laptop to be my course workhorse.

For a non Linux machine, Vista (or nothing) were the OS choices I had and so reluctantly I opted for Vista - with a Windows 7 upgrade to follow as soon as that is available. Little did I know what I was letting myself in for.

The ‘User Access Control’ (UAC) in Windows is useless - why? Because it is so intrusive as a piece of security software that I can only liken it to having to unlock 15 deadbolts, AND entering a safe combination every time you want to go through a door, or open a window inside your own house.

To fully understand how irritating it is to use ANY application under Vista with UAC turned on, let me explain that the previous example includes EVERY door / window in your house. You HAVE to shut each door / window behind you when you change rooms, and EVERY time you open a door you have to unlock all fifteen of the deadbolts AGAIN. Imagine your house is somewhat sentient, so ideally you want to say to your house “I have been to the toilet today. I do not wish to unlock the toilet door EVERY time I need to use it. I wish to authorise the door to stay open as long as the sensors see ME either entering or leaving the room.” “NO.” says your house, “I will not allow you to designate security passes to ANY of the doors. I will force you to lock and unlock EVERY DOOR, during EVERY INSTANCE OF USE. You can either authorise EVERY door / window for every instance of use, EVERY TIME or you have to leave all the doors / windows open to everyone ALL THE TIME.”

Any sane person would just switch off the house security protocols and leave every door open all the time - right? WRONG.

What you want to do to keep your house secure is make sure that the front door and the windows are shut by default and only THOSE SPECIFIC INSTANCES of holes in your house require authorisation to open, and ONLY YOU have the key. As ‘Keyholder’ you can walk around the house unmolested the rest of the time without having to worry about constantly opening doors you just walked through. Also if you get a pet, you would supposedly want your pet to be able to walk unfettered from room to room, but not walk out the front door, or jump out of the windows.

I may be stretching the point somewhat, but in my illustration, the ‘you’ in the house is the logged on Administrative user, the doors / windows are pre-installed (or pre-approved) windows applications and the pet represents any third party applications you install.

Perhaps I am just being dense, but my google-fu fails me when it comes to ways to authorise individual Apps under the UAC tool.

So in essence I am reduced to leaving all my doors and windows open in order to do anything, and that is far from secure.

Things that need to be said 2…
