Chained Exploits compromise valuable Twitter account

Aamir Lakhani from drchaos.com wrote a good article on how chaining together social engineering tactics compromised a highly visible twitter account. The original post can be found HERE

Who can we trust? It’s a tough question. We think we can trust our friends, co-workers, mentors, and colleagues because they are people we see and interact with often as frequently as we do with our family members. Unfortunately, there is risk in trusting others, particularly when those we trust have privileged access to our accounts and sensitive information. When our trust and exposure extends to those who we work with, and incorporates intimate knowledge of our business concerns, corporate cultural developments, and technology secrets, we must face the reality of insider threats. Unlike external attackers, those we consider to be on the inside of our trust circles do not need to hunt for valuable information, nor do they need to exploit strong perimeter defenses; insiders already know what is valuable and where it is stored.

FTDCircle Chained Exploits compromise valuable Twitter account Continue reading

VN:F [1.9.22_1171]
Rating: 0.0/5 (0 votes cast)

Cool Penetration Testing Application: Cobalt Strike

CBStrike Cool Penetration Testing Application: Cobalt Strike

If you are familiar with penetration tools, then you should know Metasploit. For those that love GUIs, there is a fantastic open source GUI management for Metasploit known as Armitage (found HERE). The same developers of Armitage created a more advanced penetration testing package for a $2,500 annual cost. The tool is called cobalt Strike (CS) and can be downloaded at www.advancedpentest.com for a 21day trail. They also have a 4-hour lab that lets you try out the core cobalt Strike features. It is worth spending the time to  test the tool and get some lab time even though the lab itself is is pretty easy. Continue reading

VN:F [1.9.22_1171]
Rating: 5.0/5 (1 vote cast)

Dont Just Click Any Link – Avoiding Phishing, Social Engineering And Other Attacks

shark Dont Just Click Any Link   Avoiding Phishing, Social Engineering And Other Attacks

I’ve said this many times before … the Internet is full of bad things. Of those bad things, one of the most common threats is Phishing attacks. Wiki defines phishing as “the act of attempting to acquire information such as usernames, passwords, and credit card details (and sometimes, indirectly, money) by masquerading as a trustworthy entity in an electronic communication”. The majority of successful phishing attacks clone popular social networking sources and provide hyperlinks with the hope a target will click the link without questioning the authenticity of the source.

I wrote a post about what to look for regarding fraud email and craiglist sales HERE and 2 example craiglist cons HERE. The concepts are generally the same regarding identifying phishing attackers however in some cases, the attack will be a clone of a real message or website, which makes it very difficult to detect. Best practices is THINK BEFORE YOU CLICK! Here are some examples why this is important. Continue reading

VN:F [1.9.22_1171]
Rating: 4.0/5 (1 vote cast)

RSA Europe talk on Emily Williams found on PCWorld, Yahoo news, Cio.com and other sources

privacy nsa security 100053240 gallery RSA Europe talk on Emily Williams found on PCWorld, Yahoo news, Cio.com and other sources

My buddy Aamir Lakhani and I performed a penetration test using social media sources (Facebook and LinkedIn) as a method to compromise users from our target. You can find more about our project aka Emily Williams HERE and HERE as well as at www.drchaos.com. Continue reading

VN:F [1.9.22_1171]
Rating: 4.0/5 (2 votes cast)

Book Complete: Web Penetration Testing with Kali Linux – Released August 2013

KaliLinux Pentest  Book Book Complete: Web Penetration Testing with Kali Linux   Released August 2013

We are done! Aamir Lakhani (www.DrChaos.com) and I have finished our book “Web Penetration Testing with Kali Linux”.

You can pre-order the book from Packt Publishing’s website at:

http://www.packtpub.com/web-penetration-testing-with-kali-linux/book Continue reading

VN:F [1.9.22_1171]
Rating: 4.3/5 (6 votes cast)

Speaker at (ISC)2 Security Congress 2013 Chicago Sept 24th-27th on Social Engineering / Remote Hacking

Conference2 Speaker at (ISC)2 Security Congress 2013 Chicago Sept 24th 27th on Social Engineering / Remote Hacking

I’ll be speaking at this years (ISC)2 ASIS International Conference in Chicago. More info on the event can be found HERE. The conference program can be found HERE.

Continue reading

VN:F [1.9.22_1171]
Rating: 0.0/5 (0 votes cast)

PART 2 “The Attack” – THE SOCIAL MEDIA DECEPTION PROJECT : How We Created Emily Williams To Compromise Our Target

 PART 2 “The Attack”   THE SOCIAL MEDIA DECEPTION PROJECT : How We Created Emily Williams To Compromise Our Target

Last year Aamir Lakhani and Joseph Muniz developed a fake identity known as Emily Williams with the purpose of compromising a specific target using social media. We created Emily Williams based on research from Robin Sage, which showcased how a fake identity could obtain sensitive information from social media resources. We wondered if a similar approach could be used for targeted attacks and developed Emily Williams for that purpose. More information on developing Emily Williams via Part 1 of this project can be found HERE. Continue reading

VN:F [1.9.22_1171]
Rating: 4.7/5 (10 votes cast)

THE SOCIAL MEDIA DECEPTION PROJECT : How We Created Emily Williams To Compromise Our Target

Disclaimer: This post has been modified to exclude specific subjects not approved for public viewing


emily1 new THE SOCIAL MEDIA DECEPTION PROJECT : How We Created Emily Williams To Compromise Our Target

Emily Williams and Robin Sage

Emily Williams and Robin Sage don’t exist in the real world. They are fake social network accounts designed to obtain sensitive information. Robin Sage was created in late 2009 to obtain information from intelligence on US military personnel. Her story was presented at the Black Hat hacker conference upsetting many people by exposing the type of sensitive data provided over social networks. Joey Muniz and Aamir Lakhani decided to go one-step further and ask the hard question: “what else can happen outside of data being leaked over social networks”. We decided to find out using Emily Williams. Continue reading

VN:F [1.9.22_1171]
Rating: 5.0/5 (7 votes cast)