Category Archives: InfoSec

A day at Infosecurity Europe 2010 in London

So on the 27th April I boarded the train down to London and Earls Court to attend Infosecurity Europe 2010. I have not been for a few years, but I had heard good things from people that since moving to Earls Court there had been a big improvement, so I thought I would check it out.

So if you have not heard of this exhibition, here is a brief intro. It's been going for 15 years, there are around 300 vendors, along with keynote speeches, seminars and workshops, and with around 12,000 visitors it gets busy. Basically it's an event to speak to lots of vendors to find out what they are working on, and to see what's of interest, as well as meet and network with a lot of people, and sit down for some quick talks. Oh and don't forget the freebies, lots of pens if you're into pen testing 🙂

So what did I think of the event? I agree the location is better than previous so that's a good thing, however I feel the event lacked a common theme that I have been used to in the past. I am not sure if this is a good thing or bad really. For example in the past vendors would have been focusing on DLP or something, but this year it all just felt more like everyone was in their own silo, might be just me though.

I did get to meet some old faces, and met some new ones that I had only conversed with online, or who listen to the Eurotrash podcast so that was nice. I got to meet with some of the vendors I do some work with here and there, and some of the PR folks, and I hope to have some more interesting mini reviews coming along from the event.

So out of all these vendors who did I speak to, and was anything interesting going on? I went and listened to Ian Mann talk about social engineering (out of head hacker curiosity). It's only a 20 min talk, so not really a lot of detail can be gained, but he gave a nice little overview of involving people at the target company, making them feel special, and the use of the fake get out of jail free card that I have mentioned myself. He did plug his book a bit (I won't mention it here, you can find out for yourself) but I have not read it or received a review copy so can't comment on how good it is, and what answers it gives. Ian came across as a nice guy though.

I didn't really have much time between meeting with other vendors and people to attend any of the other talks; perhaps this is why others attend for all 3 days, I just don't have the free time to take 3 days out. I checked out the 3M stand who were giving a nice demo of a new micro projector, and a new version of their privacy screens for laptops and mobiles (more on this soon). I popped along to the Syngress stand and met Angelina for the first time, they had some good deals on their books and they seemed to be doing a good trade. I did miss Justin who was coming along to sign copies of his SQL book, another top infosec guy.

I met Steve Armstrong for the first time, some may know him from SANS (they had a stand there also), but he was at Infosec to talk about Certified Digital Security which is a standard he has developed to provide a simple and easy to understand way for companies to get on the security trail. It's all freely available on the website, and if you want you can pay to become certified by an independent auditor, all sounds good to me.

I met up with the guys at IronKey for a demonstration of their new online banking solution. It's essentially a restricted trusted platform that can be used for your banking and other secure online transactions. It creates an isolated browser environment, with a secure VPN connection to carry out your online transfers. In the demo it worked really well, bypassing keyloggers etc. They also talked to me about their OS on a stick, which does what it says on the tin really, a custom Linux or Windows OS running from your IronKey. I also asked about the D series of IronKeys as I have had some questions about that, and we discussed how the D series use cheaper memory and are a little slower than the S series IronKeys. With regards to all of this I hope to get review units to do some testing myself and share the results.

I also spoke to PGP, obviously as everyone is aware they are now under the ever growing Symantec umbrella. I am not sure how this will impact their offerings. MessageLabs were also at the show with their new Symantec branding, and I do know many people feel the MessageLabs offering and customer service has gone downhill a little since the acquisition, time will tell I guess.

I also popped along to the DESLock+ guys who had my review on the stand for people to take away, so thanks for that guys, and I also got to meet the lovely Annette Finch from C8 Consulting who does their PR.

I also spoke with SmoothWall, M86, Cisco, Blockmaster, DiskShred, MXI Security, SAINT and Webroot to name a few more. So all in all I had a good trip out, aside from missing my scheduled train home, so it really was a long day. So thanks to all the great people I spoke with and met, and to vendors where I got a couple of pens and some sweets 🙂

Social Engineering Tool Kit 0.5 Released

This post is a duplicate of the one I posted over at Head Hacker. The reason for posting here also is I covered SET here before Head Hacker was launched, and I didn’t want people to miss out on this exciting update.

The Social Engineering Tool Kit by Dave Kennedy has been updated to 0.5, Return of the Lemon 🙂

I have only just updated my version this morning, so have not yet had time to try out the new features myself, but I have to say I am excited by what the new version brings. Here are the highlights:

  • Harvesting of Credentials
  • Reporting Engine
  • SET HakSaw
  • Many Many Bug Fixes

I am excited about the new ability to harvest usernames and passwords from my cloned web pages, this really does bring a new and beneficial element to this approach. The HakSaw is also good news, allowing SET to go more mobile. I look forward to seeing how this develops, especially with regards to any automation around autorun-disabled clients. Keep up the awesome work Dave, and all that have helped along the way.

For full details of this release visit the Social Engineer Blog.

Digital Economy Bill Given the Green Light

You should be familiar with what the Digital Economy Bill is, if not you can check out the post on the topic back in June 09.

I am not one for politics, but I did actually find myself listening to this discussion in parliament yesterday. There were some interesting and valid points made and discussed, however the end result is as expected, the green light has been given, and the bill is pretty much in its intended form.

So if you live in the UK what does this bill mean to you?

Mainly it means you're going to get a letter of caution from your ISP if a copyright holder suspects you have been illegally downloading and sharing content. This can lead to being disconnected and legal action.

It also makes you responsible for all activity on your Internet connection. This means home users, and anyone offering free wi-fi or similar, are held responsible for all activity and will be taken to court for any illegal files downloaded.

The Government, with court backing will also be able to block access to any site that hosts, provides the ability or is “likely to” access copyright material. So basically any site can be blocked.

All of this can be done based on assumption / accusation. Seeing as search engines provide the ability to access this information, I wonder if these will be blocked in the UK 🙂

So interesting times ahead. I am sure there is a lot more to all of this, and last-minute changes may still occur. Once everything is fully official then will be the time to have a good read through and fully understand.

Twitter improving on URL Security... Never too late

There are many URL shortener services on the web, Twitter even has its own built in function.

One of the problems here is, we don’t actually know where we are going. So it fits in the tweet, but leads straight along to FAIL.

Twitter have now decided they are going to take some steps to reduce the risks associated with URL shortening. Their new service that will run behind the scenes will be checking and verifying these links, and intercepting and disabling the bad ones on the Twitter service before we board the fail bus.

This is good news, and I am sure will be welcomed by many. I also recommend using the Firefox plugin Long URL Please, to see what's going on.
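The point of the post is that a short link hides its destination, and the fix (whether it is Twitter's back-end check or a browser plugin such as Long URL Please) is to expand the link hop by hop and judge where it actually lands. The script below is an added example of that idea, not Twitter's code or the plugin's, and not from the original post. It follows redirects one hop at a time, resolves relative Location headers, stops on a denylisted host, a redirect loop or a hop limit, and never fetches a page body. The redirect table and the denylist are constructed sample data standing in for real HTTP responses, so it runs offline.

```python
"""Expand a shortened URL hop by hop and flag a bad destination (added example)."""
from typing import Callable, Optional, Tuple
from urllib.parse import urljoin, urlsplit

# Constructed sample responses: url -> (HTTP status, Location header or None).
# A real fetcher would issue a HEAD request with redirects disabled and read
# these two values from the reply.
SAMPLE_RESPONSES = {
    "http://short.example/abc": (301, "http://tracker.example/go?id=9"),
    "http://tracker.example/go?id=9": (302, "http://malware.example/login"),
    "http://malware.example/login": (200, None),
    "http://short.example/ok": (301, "https://www.example.org/article"),
    "https://www.example.org/article": (200, None),
    "http://short.example/rel": (302, "/landing"),          # relative redirect
    "http://short.example/landing": (200, None),
    "http://short.example/loop1": (302, "http://short.example/loop2"),
    "http://short.example/loop2": (302, "http://short.example/loop1"),
}

# Constructed denylist of hosts we never want a shortened link to land on.
DENYLIST = {"malware.example", "phish.example"}

REDIRECT_STATUSES = {301, 302, 303, 307, 308}

Fetcher = Callable[[str], Tuple[int, Optional[str]]]


def sample_fetch(url: str) -> Tuple[int, Optional[str]]:
    """Stand-in for a HEAD request: look the URL up in the constructed table."""
    return SAMPLE_RESPONSES.get(url, (404, None))


def host_of(url: str) -> str:
    """Lower-cased hostname of a URL ('' if it has none)."""
    return (urlsplit(url).hostname or "").lower()


def is_denied(url: str) -> bool:
    """True if the URL's host is a denylisted domain or a subdomain of one."""
    host = host_of(url)
    return any(host == d or host.endswith("." + d) for d in DENYLIST)


def expand(url: str, fetch: Fetcher = sample_fetch, max_hops: int = 10) -> dict:
    """Follow redirects from url and return the chain plus a verdict.

    verdict is one of: 'clean' (reached a non-redirect without hitting the
    denylist), 'blocked' (some hop is denylisted), 'loop' (a hop repeats) or
    'too_many_hops' (still redirecting after max_hops).
    """
    chain = [url]
    seen = {url}
    if is_denied(url):
        return {"chain": chain, "final": url, "verdict": "blocked"}

    verdict = "too_many_hops"  # overwritten unless we run out of hops
    current = url
    for _ in range(max_hops):
        status, location = fetch(current)
        if status not in REDIRECT_STATUSES or not location:
            verdict = "clean"  # final destination (or an error): nothing to follow
            break
        nxt = urljoin(current, location)  # handle relative Location headers
        if nxt in seen:
            verdict = "loop"
            break
        chain.append(nxt)
        seen.add(nxt)
        if is_denied(nxt):
            verdict = "blocked"
            break
        current = nxt

    return {"chain": chain, "final": chain[-1], "verdict": verdict}


if __name__ == "__main__":
    for link in ("http://short.example/abc", "http://short.example/ok",
                 "http://short.example/rel", "http://short.example/loop1"):
        result = expand(link)
        print(f"{link} -> {result['final']} [{result['verdict']}]")
```

To use this against live links, replace `sample_fetch` with a function that sends a HEAD request with automatic redirect following switched off and returns the status and Location header; the rest of the logic is the same. Checking every hop, not just the final one, matters because tracking or redirector services in the middle of a chain are often the part worth flagging.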

Head Hacker – Social Engineering, Hypnosis, NLP and more…

Information Security is a huge passion of mine, it's more than just a job, it's my way of life. I am sure to many people who are not as passionate, that sounds sad, boring and dull.

However, what if I were to talk to you about breaking into organisations, manipulating people to get information, and so much more? Sounds interesting? Welcome to the world of Head Hacking.

Social Engineering is something many people have heard about, but we are clearly still not doing much about the people aspect of Information Security, and this is something we really need to patch.

Social Engineering is different things to different people, but essentially it's all about manipulation. There are many ways to manipulate people, but some of them are often overlooked, and maybe considered a bit out there. Social Engineering is something I enjoy, and linked with that are other passions which add many additional benefits. I am talking about Hypnosis, Neuro Linguistic Programming, Mind Tricks, Mentalism, Misdirection, Influence and more.

If any of this sparks some interest, then please visit and sign up to my new site Head Hacker. I hope to build this site into an interesting, topical and knowledgeable resource.

Thanks

Dale

Cloud Security News and Discussion on LinkedIn

Everyone is familiar with the current buzzword that is Cloud Computing, and hopefully most of you that have some security interest with cloud have visited Craig Balding's website Cloud Computing Security. Now Craig has created a LinkedIn group for news and discussions on Cloud Security, so if you're interested, have questions to ask, and knowledge to answer then I recommend you take a look.