Blog
Pentesting in the spotlight – a view
As 44Con 2012 starts to gain momentum (we’ll be there again this time around) I was perusing some of the talks from last year’s event…
It was a great event with some great presentations, including (if I may say) our own Ian deVilliers’ *Security Application Proxy Pwnage*. Another presentation that caught my attention was Haroon Meer’s *Penetration Testing considered harmful today*. In this presentation Haroon outlines concerns he has with Penetration Testing and suggests some changes that could be made to the way we test in order to improve the results we get. As you may know a core part of SensePost’s business, and my career for almost 13 years, has been security testing, and so I followed this talk quite closely. The raises some interesting ideas and I felt I’d like to comment on some of the points he was making.
Pfortner calls on SensePost expertise to validate their security posture
Pretoria South Africa — SensePost, a leader in penetration testing and information security services, announced today that Pfortner had called on their expertise to validate their encryption services in South Africa. With the financial services sector in South Africa being deeply competitive, Pfortner needed to provide a high-level of assurance for their clients as to the security of their encryption service. As a standard requirement Pfortner clients have to be totally confident in the security of their service before any further engagement.
Foot printing – Finding your target…
We were asked to contribute an article to PenTest magazine, and chose to write up an introductory how-to on footprinting. We’ve republished it here for those interested.
Network foot printing is, perhaps, the first active step in the reconnaissance phase of an external network security engagement. This phase is often highly automated with little human interaction as the techniques appear, at first glance, to be easily applied in a general fashion across a broad range of targets. As a security analyst, footprinting is also one of the most enjoyable parts of my job as I attempt to outperform the automatons; it is all about finding that one target that everybody forgot about or did not even know they had, that one old IIS 5 webserver that is not used, but not powered off.
Mobile Security – Observations from the developing world
By the year 2015 sub-Saharan Africa will have more people with mobile network access than with access to electricity at home.
This remarkable fact from a 2011 MobileMonday report came to mind again as I read an article just yesterday about the introduction of Mobile Money in the UK: By the start of next year, every bank customer in the country may have the ability to transfer cash between bank accounts, using an app on their mobile phone.
Hacking By Numbers – March 2012
Our next locally scheduled training sessions have been planned for March. If you’re interested in attending, the dates and locations are:
1) HBN Extended (Cadet Camp; Bootcamp) 6-9th March
The HBN ‘Extended Edition‘ is simply an intensive extended version of the regular Bootcamp course. Whilst the content and structure are essentially the same as Bootcamp, the Extended Edition offers students a deeper understanding of the concepts being presented and affords them more time to practice the techniques being taught. Extended Edition is currently offered in Switzerland and South Africa only, or can be arranged on request.
Press Release – London Hacking & Security Courses
School’s never out for the Pro!
We’re proud to announce that we are now offering our highly successful penetration testing training courses to the UK market from 2012.
SensePost has been providing penetration testing training courses to corporates and governments across the globe, and at prestige security events such as Black Hat and OWASP for over a decade. Initially, three courses in London for 2012 have been organised:
HBN Extended Edition (4 days) – 13-17, February 2012 HBN W^3 Edition (3 days) – 14-16 March 2012 HBN Unplugged (2 days) – 18-19 April 2012 The first course, HBN Extended Edition is set at an introductory level for technical people without experience in the world of hacking or penetration testing. It presents attendees with the background information, technical skill and basic concepts that are required to get started in this field.
Competition winner announced
On Saturday Dec 3, at BSides Cape Town we announced the winner of a prize for local information security research. The purpose of the competition was twofold. Firstly, to highlight interesting research produced in .za for the purpose of publicising up ‘n coming security folks, since there are a few disparate communities (academic / industry is the greatest split). Secondly, to provide some degree of reward in the form of a cash prize. The prize is (unsurprisingly) not meant to compensate for time spent, but rather to give the typical researcher who conducts the work in their spare time some recognition and perhaps a cool gadget to associate with the work.
R5000 ZA research prize to be presented at B-Sides Cape Town, nominations sought
SensePost is proud to announce a competition to identify the best information security research published by a resident of South Africa in 2011 (Jan 1st to Dec 3rd). Much security research is unfunded and private but, when published, enters the toolsets and minds of security companies worldwide. South Africa’s security industry is best-described as “fledgling”, and we want to support researchers who produce quality research.
Heads up: even if you’re not a researcher, you can still win by nominating work, so continue reading.
Mobile Security Summit 2011
This week, Charl van der Walt and I (Saurabh) spoke at Mobile Security Summit organized by IIR (http://www.iir.co.za/detail.php?e=2389).
Charl was the keynote speaker and presented his insight on the impact of the adoption of mobile devices throughout Africa and the subsequent rise of security related risks. During his talk, he addressed the following:
Understanding the need for mobile security to be taken seriously in Africa Analysing the broader implications for the user and the company The types of attacks occurring against mobile devices What does the future of mobile security look like and what are the potential threats to users? Understanding the particular threats posed by smartphones and other portable devices, e.g. tablets The presentation can be accessed via link below:
Squinting at Security Drivers and Perspective-based Biases
While doing some thinking on threat modelling I started examining what the usual drivers of security spend and controls are in an organisation. I’ve spent some time on multiple fronts, security management (been audited, had CIOs push for priorities), security auditing (followed workpapers and audit plans), pentesting (broke in however we could) and security consulting (tried to help people fix stuff) and even dabbled with trying to sell some security hardware. This has given me some insight (or at least an opinion) into how people have tried to justify security budgets, changes, and findings or how I tried to. This is a write up of what I believe these to be (caveat: this is my opinion). This is certainly not universalisable, i.e. it’s possible to find unbiased highly experienced people, but they will still have to fight the tendencies their position puts on them. What I’d want you to take away from this is that we need to move away from using these drivers in isolation, and towards more holistic risk management techniques, of which I feel threat modelling is one (although this entry isn’t about threat modelling).