Friday, 28 February 2014

Guest Speaker for Derby University (Digital Forensic Investigation Course)

I had the pleasure to be invited as a guest speaker to Derby University in order to give a talk about Penetration Testing in the real world and more specifically for the Digital Forensic Investigation course.

The talk included an introduction to the Payment Card Industry (PCI),  Payment Card Industry Data Security Standard (PCI DSS) and the Payment Card Industry Security Standards Council (PCI SSC). The participant had an opportunity to understand what is an Approved Scanning Vendor (ASV), a Qualified Security Assessor (QSA) and last but not least a PCI Forensics Investigator (PFI).

The students were introduced to penetration testing types, practices, methodologies, real stories from the industry, tools, and techniques. Black Box testing versus White Box testing was explained, the significance of white-listing was discussed and comparison of ASV, Vulnerability Assessment and Penetration Testing was given.

The second part of the talk focused on malware and included a more practical approach with a hands-on session. The talk focused on how easy could it be to create malware that is capable of evading AntiVirus detection (including reputation based detection). The students were given an executable file and a hex editor which allowed them to modify the given binary. Social engineering and spear phishing were also discussed. The purpose was to raise their awareness and allow them to understand with examples why we say there is no 100% security.

I had a wonderful day at the University, the students were very excited and I do hope they learned a lot. All the best with their course. The industry needs these knowledgeable future professionals. 

Saturday, 22 February 2014

Apple's SSL/TLS Bug

Yesterday, Apple pushed a rather spooky security update [1] for iOS that suggested that something was horribly wrong with SSL/TLS in iOS but gave no details​. 

A very quick test site for testing if you are vulnerable to this bug (use Safari browser) can be found here: 

Note the port number (which is the CVE number), the normal site is running on port 443 and that is expected to work. On port 1266 the server is sending the same certificates but signing with a completely different key. If you can load an HTTPS site on port 1266 then you have this bug.


Friday, 14 February 2014

Kali Linux Virtual Box Resolution

There are several ways people are suggesting for adjusting Kali Linux [1] resolution in Virtual Box. First of all, make sure you have the latest Virtual Box [2] along with the latest Extension Pack. 

Lets assume that you downloaded a VM image of Kali Linux from the aforementioned URL. I suggest you make sure your Kali Linux is up-to-date. To update your system, bring up the terminal and run the following command in order to fetch all the new updates: 
apt-get update

Then, run this command to upgrade your system: 
apt-get upgrade

It is not necessary to restart  your system at this state, but for those of you who might want to do this, just type in the terminal: reboot

Monday, 3 February 2014

Guest Speaker for Derby University (Digital Forensic Investigation Course) - Cyber-Security and Cyber-Defence

I was very excited to be invited by the Derby University once more and more specifically by the Digital Forensic Investigation Course in order to give a talk. The title of the talk was "Cyber-Security and Cyber-Defence in the industry and financial services utilising Penetration Testing and Computer Forensics".

The talk focused on the current Cyber-Threats, Cyber-Security and Cyber-Defense tactics. It introduced to the participants different types of security services, which included threat assessment, threat intelligence and threat management solutions. The talk also gave the students an opportunity to hear about the most successful vendors in the security industry.
Figure 1 - Guy Fawks Mask as a Rorschach Test

The trends in cybercrime were discussed along with why cybercriminals participate in cyber-gangs and the reasons why cybercrime is still successful. More specifically the talk looked into the reasons why cybercrime has a presence, how much does it pay, explored the increasing scope, scale, and complexity of cybercrime impacting the industry at the moment, how cyber-espionage is involved and how can we focus on real-world strategies to avoid being targeted.

A number of tools and techniques were introduced to the students along with a practical session on how easy would it be to create their own version of a malware capable of evading AntiVirus detection. All this raised their awareness and made start thinking outside-the-box when it comes to this fast evolving threat landscape of cyber-threats.

I do believe the students enjoyed the talk as the feedback was exceptional. I do hope they gained enough information during the day to go back and start looking into cyberthreats more closely and with a better understanding.