Workshop: Social Engineering for IT Security Professionals

René Pfeiffer/ September 28, 2011/ Conference

Social Engineering engagements can appear to be easy, especially to someone who already has experience in the Information Security industry. All InfoSec consultants have experienced situations where they’ve been let into a meeting or to perform an onsite engagement without the correct paperwork or permission, and we’ve all heard the stories of successful Social Engineering assignments. Combined with frequent news stories on the success of spear phishing and „blagging“ it can seem as though the simplest of attacks will inevitably compromise a target. However selling, scoping, executing and reporting on regular Social Engineering engagements requires a thorough understanding of the processes, techniques and risks involved, as well as the concepts and issues around Social Engineering in general. With that understanding you can ensure that you have those stories to tell to your peers, and

Talk (U21): Solving Social Engineering Attacks

René Pfeiffer/ September 1, 2011/ Conference

You’ve heard about social engineering. You know your weakest links. You have the task of defending your network against intruders. You know how to do this with your web applications, networks, clients and servers. All these things have neat classifications of attacks, best practice lists and lots of other resources. What about social engineering? How do you keep the wrong people out and your critical information in? How do you classify the attacks? Toby Foster of the University of York, student of Computer Science and intern at First Defence Information Security, tries to address this problem by talking about modelling and categorising and solving the attacks: „There are many definitions of social engineering; almost every book or website on the subject has a different definition. Probably the only consistent point is that it relies

Cargo Cult Security

René Pfeiffer/ August 21, 2011/ High Entropy, Stories

Here is a fictional story for you that bear no resemble to any living, dead or undead persons whatsoever. Imagine someone who is interested in establishing and maintaining a „medium“ to „high“ level of security for his or her business data. This person is a power user and uses harddisk encryption, an encrypted file server, access to internal data by VPN and GPG/PGP for communication. So far so good. Now for the bad news: untrusted devices without security software may also access internal resources and shiny new workstations run without anti-virus protection or firewalls. Questions about potential risks are ignored, suggestions to periodically check the security measures vanish into the big e-mail void, too. What is wrong with this picture? Well, given that all of this is purely fictional, some one you might recognise

See you at Ninjacon 2011 / BSidesVienna!

René Pfeiffer/ June 15, 2011/ Conference, Security

On June 18th the Ninjacon 2011 and the B Sides Vienna will take place. We will be present, help with the organisation, watch as many talks as possible and blog about it (at least we’ll send some tweets). If you got some time to spare, drop by (make sure you get a ticket first) or come to the party afterwards!

Have an app and share your data!

René Pfeiffer/ May 11, 2011/ Security

Apps are all the fashion. You can download them, and you can add them to web sites (such as your blog) including your favourite social network. Facebook has introduced applications back in 2007. If you want to tie an application to your account, the code needs to have proper credentials in order to connect an action with your profile. This is why most apps ask you to login before they start to work. The idea is to convert your login and password into a token that can be used to grant access, either for a limited time or indefinitely. Symantec’s Nishant Doshi reports that Facebook had a bug in its application framework exposing user access tokens to third parties. This basically means that you can do all the app can do (and possibly more)

Vacation 2.0 and its Disadvantages

René Pfeiffer/ September 14, 2010/ Security

Imagine you are the CEO of a small company. You have some days off. You relax, buy a newspaper and have a coffee. After browsing through the news and financial section you stumble upon a full-page advertising of your own company. The text reads: Dear world, our office is completely deserted. No one’s working at the moment. The rooms are completely unattended. No one will pick up the phone. Only the security guards will walk by and superficially check the door handles. Although the doors are tightly locked and the windows are (probably) closed, you can be sure that no one will enter the office space until INSERT_DATE. So if you want to try picking our locks and rearranging the furniture, feel free. You can take what you want. The coffee machine is plugged

Post navigation

Newer posts →

Privacy & Cookies: This site uses cookies. By continuing to use this website, you agree to their use.
To find out more, including how to control cookies, see here: Cookie Policy

Workshop: Social Engineering for IT Security Professionals

Share this:

Talk (U21): Solving Social Engineering Attacks

Share this:

Cargo Cult Security

Share this:

See you at Ninjacon 2011 / BSidesVienna!

Share this:

Have an app and share your data!

Share this:

Vacation 2.0 and its Disadvantages

Share this: