Author Archives: Dale

Review of the 3M Gold Privacy Filter

At Infosecurity Europe 2010 I got talking to the 3M guys about their new Gold Privacy Filter, and those lovely chaps gave me one to have a look at.

  • 3M Gold Privacy Filters provide twice the level of effective privacy protection and 14% higher clarity than standard black out privacy filters
  • User sees more clearly than ever while onlookers see nothing but a vibrant orange/golden screen

So why would you want a privacy filter?? Well if your a regular traveller and you don’t want the person next to you having a good peep whilst playing minesweeper, this will certainly help. Oh and of course those documents you work on containing sensitive data. It essentially just gives you some screen privacy and stops the shoulder surfers getting a look see.

There is not really alot to say, and I will let the below video demo do the talking. It does what is says on the tin, its easy to install and can be left in place 100% of the time. I will certainly be using this when travelling in the future. I do have one gripe with the product, but its most likely a personal thing. I have a matte screen, as reflections drive me mad, with the privacy filter in place, its glossy reflection city, and as its not something I am used to any more I couldn’t leave it on every day. I believe the previous version had gloss and matte sites, but this one seems the same both sides, still it does what it needs to do well, and serves its purpose, perhaps they mate release a matte version in the future.

Cyber Security Challenge

The Cyber Security Challenge UK is a not for profit organisation run by public and private sector leaders in information security.

I had heard about this before, but was given a hand out at Infosec 2010 so thought I would pop a quick post up about it.

Cyber Security Challenge UK will work with recognised experts to develop a series of professional ‘games’ that replicate the problems cyber security professionals have to deal with every day. They will require contestants to use all their talent and know-how.

To successfully proceed to the next round of each challenge contestants will be required to display quick, intelligent and creative thinking and the potential to develop the cyber security skills the UK needs to employ. Competitions will be open to all ages and skills levels, some will be targeted at school leavers and undergraduate students. Successful candidates can expect places in regional workshops and the best will receive offers of scholarships, places in mentoring schemes within leading private and public sector organisations and other career enhancing opportunities. It doesn’t stop there, ongoing communications will keep contestants informed about the best cyber security courses and jobs, with some contestants being introduced to the appropriate colleges and employers for their skill set.

For more information on the UK Cyber Security Challenge and to get involved visit the site.

A day at Infosecurity Europe 2010 in London

So on the 27th April I boarded the train down to London and Earls Court to attend Infosecurity Europe 2010. I have not been for a few years, but I had heard good things from people that since moving to Earls Court there had been a big improvement, so I thought I would check it out.

So if you have not heard of this exhibition, here is a brief intro. Its been going for 15 years, there are around 300 vendors, along with keynote speeches, seminars and work shops, and with around 12,000 visitors it get busy. Basically its an event to speak to lots of vendors to find out what they are working on, and to see what’s of interest, as well as meet and network with alot of people, and sit down for some quick talks. Oh and don’t forget the freebies, lots of pens if your into pen testing 🙂

So what did I think of the event? I agree the location is better than previous so thats a good thing, however I feel the event lacked a common theme that I have been used to in the past. I am not sure if this is a good thing or bad really. For example in the past vendors would have been focusing on DLP or something, but this year it all just felt more like everyone was in their own silo,  might be just me though.

I did get to meet some old faces, and met some new ones that I had only conversed with online, or who listen to the Eurotrash podcast so that was nice. I got to meet with some of the vendors I do some work with here and there, and some of the PR folks, and I hope to have some more interesting mini reviews coming along from the event.

So out of all these vendors who did I speak to, and was anything interesting going on. I went and listened to Ian Mann talk about social engineering (out of head hacker curiosity). Its only a 20 min talk, so not really alot of detail can be gained, but he gave a nice little overview of involving people at the target company, making them feel special, and the use of the fake get out of jail free card that I have mentioned myself. He did plug his book abit (I wont mention it here, you can find out for yourself) but I have not read it of received a review copy so cant comment on how good it is, and what answers it gives. Ian came across as a nice guy though.

I didnt really have much time between meeting with other vendors and people to attend any of the other talks, perhaps this is why others attend for all 3 days, I just dont have the free time to take 3 days out. I checked out the 3M stand who were giving a nice demo of a new micro projector, and a new version of their privacy screens for laptops and mobiles (more on this soon). I popped along to the Syngress stand and met Angelina for the first time, they had some good deals on their books and they seemed to be doing a good trade, I did miss Justin who was coming along to sign copies of his SQL book, another top infosec guy.

I met Steve Armstrong for the first time, some may know him from SANS (they had a stand there also), but he was at infosec to talk about Certified Digital Security which is a standard he has developed to provide a simple and easy to understand way for companies to get on the security trail. Its all freely available on the website, and if you want you can pay to become certified by an independant auditor, all sounds good to me.

I met up with the guys at IronKey for a demonstration of their new online banking solution. Its essentially a restricted trusted platform that can be used for your banking and other secure online transactions. It creates an isolated browser environment, with a secure vpn connection to carry out your online transfers. In the demo it worked really well, bypassing keyloggers etc. They also talked to me about their OS on a stick, which does what is says on the tin really, a custom Linux or Windows OS running from your IronKey. I also asked about the D series of IronKeys as I have had some questions about that, and we discussed how the D series use cheaper memory and are a little slower than the S series IronKeys. With regards to all of this I hope to get review units to do some testing myself and share the results.

I also spoke to PGP, obviously as everyone is aware they are now under the ever growing Symantec umbrella. I am not sure how this will impact their offerings. MessageLabs where also at the show with their new Symantec branding, and I do know many people feel the MessageLabs offering and customer service has gone down hill a little since the acquisition, time will tell I guess.

I also popped along to the DESLock+ guys who had my review on the stand for people to take away, so thanks for that guys, and I also go to meet the lovely Annette Finch from C8 Consulting who does their PR.

I also spoke with SmoothWall, M86, Cisco, Blockmaster, DiskShred, MXI Security, SAINT and Webroot to name a few more. So all in all I had a good trip out, aside from missing my scheduled train home, so it really was a long day. So thanks to all the great people I spoke with and met, and to vendors where I got a couple of pens and some sweets 🙂

Social Engineering Tool Kit 0.5 Released

This post is a duplicate of the one I posted over at Head Hacker. The reason for posting here also is I covered SET here before Head Hacker was launched, and I didn’t want people to miss out on this exciting update.

The Social Engineering Tool Kit by Dave Kennedy has been updated to 0.5, Return of the Lemon 🙂

I have only just updated my version this morning, so have not yet had time to try out the new features myself, but I have to say I am excited by what the new version brings. Here are the high lights:

  • Harvesting of Credentials
  • Reporting Engine
  • SET HakSaw
  • Many Many Bug Fixes

I am excited about the new ability to harvest usernames and passwords from my cloned web pages, this really does bring a new and beneficial element to this approach. The HakSaw is also good news, allowing the SET to go more mobile. I look forward to seeing how this develops, especially with regards to any automation around autorun disabled clients. Keep up the awesome work Dave, and all that have helped along the way.

For full details of this release visit the Social Engineer Blog.

Digital Economy Bill Given the Green Light

You should be familiar with what the Digital Economy Bill is, if not you can check out the post on the topic back in June 09.

I am not one for politics, but I did actually find myself listening to this discussion in parliament yesterday. There was some interesting and valid points made and discussed, however the end result is as expected, the green light has be given, and the bill is pretty much in its intended form.

So if you live in the UK what does this bill mean to you?

Mainly it means your going to get a letter of caution from your ISP if a copyright holder suspects you have been illegally downloading and sharing content. This can lead to being disconnected and legal action.

It also makes you responsible for all activity on your Internet connection. This means home users, offers of free wi-fi or similar are held responsible for all activity and will be taken to court for any illegal files downloaded.

The Government, with court backing will also be able to block access to any site that hosts, provides the ability or is “likely to” access copyright material. So basically any site can be blocked.

All of this can be done based on assumption / accusation. Seeing as search engines provide the ability to access this information, I wonder if these will be blocked in the UK 🙂

So interesting times ahead. I am sure there is alot more to all of this, and maybe last minute changes may still occur. Once everything is fully official then will be the time to have a good read through and fully understand.

Kon Boot is Released – Now with 64bit fu

Hopefully you have all heard of Kon Boot before, and if not you have seriously been missing a trick. If you want to check out abit of history you can check out a post from June 2009 when I spoke about the previous version.

So Kon Boot, its awesome. I mean how awesome does it feel to be able to walk up to a machine and crack the password, pretty cool. Is it not then ever cooler then to just boot from a CD or USB and not have to bother?? I think so.. Kudos baby 🙂 , not to mention the support benefits also. So the initial release of Kon Boot gave us the ability to boot for a floppy or CD, but we ran into issues if the system wasn’t 32bit. Now Kon Boot gives us support of 32 and 64bit, and the ability to boot from USB also.

So before I get into the demo vids of Kon Boot doing its thing, I will make a few things clear. The original version of Kon Boot was a prototype by the guys at Kryptos Logic, Kon Boot is now a commercial product. Now before you start getting upset, its cheap as chips for what it is at $15.99 (£10.51 excl VAT) for a personal license, and with that you get 6 months support and free upgrades. A commercial license is also available for $75.99 (£49.97 excl VAT) and this gives you 12 months support, free upgrades and for multiple use within an organisation. Its not subscription based so you don’t need to renewed. So basically its a good deal in my mind. However to sweeten the deal I can offer you guys a 20% discount code for Kon Boot v1.1 making it even cheaper. So when you go to buy Kon Boot v1.1 simple enter code dalereader20 for 20% off.

Now the science part 🙂 You pop your media into a Windows PC and you boot it. The Bios is hooked by Kon Boot, and the magic begins. The kernel is modified temporarily to not require authentication once the OS is loaded. You get prompted for a password, you simply press enter and go about your activities. When done, shut down, remove the media, and everything is back to normal at next boot.

It is important to understand that even though this product has been tested and developed with many common bios versions supported, there may be the occasional issue. However this is what support is there for, and the guys at Kryptos Logic are quick to respond and helpful. I can say this as they have been working with me on an unsupported bios version I found whilst testing.

The video below will demonstrate Kon Boot working on a 32bit VM Installation via ISO, 32bit and 64 via USB. We know the CD and Floppy works from before anyway. Enjoy 🙂