Sunday 16 October 2016

How to employ talents in the security industry

There are so many things to say on this subject, that it is really difficult for me to decide where I should start. I do not want to create a very long post, so, I will try to keep this brief and to the point. I will not try to explain each point in more detail because it wouldn't be much of a help at this stage, but I will try to give a few pointers on why it is currently considered a very challenging task for companies to employ talents.
Even though this is not an article for talents in the music industry, I have included the following video for you all to see. Believe me when I say, everything will make sense by the time you read through the article.
(In case you cannot see the embedded video: https://youtu.be/_xj1ncF5hSY)

Again, before you read any further, keep in mind that everything I am writing here is about the process of identifying and employing talents, more specifically talents in information security and information technology, and especially those that have a 'growth mindset'. (I will talk about the 'growth mindset' in a different post.)

When you find a job opening online, it is most likely to have been written/revised by the HR department based on what is currently being asked for this role, based on similar job opportunities on the Internet. You can actually spot such job openings by looking at the requirements and see that they ask for “a little bit of everything” that does not really make a lot of sense. If you are the person tasked with the responsibility to hire someone and you try to modify the HR’s “template/process” to suit the particular needs of this new job opening, good luck.

You are going to end up filling in form after form that does not ask the right questions about what you are trying to achieve. It is almost impossible to deviate from the HR’s template and, at the end of the day, after spending time on this, HR will have the final say on the final form of the job opening. On top of that, in most organisations the shortlisting phase is done by HR staff who in reality have no real understanding of what your skillset is for the particular job, other than cross-checking the preset requirements in the job post. Hiring talents requires you as an organisation to rethink the whole process and ensure it actually invites talents to apply for the job openings your company has.

Talents do not fit in job descriptions. A talent does not live under a title saying I am a penetration tester, a security consultant, a security architect, etc. With talents, it works the other way around. They just know things (and love to keep learning things), or they are really good at things without knowing how good they are. They can combine information they already know to find solutions, they know how to solve problems, they have ideas, they think in a different way than other people do. Instead of trying to fit them in a job description, look behind the curtain and read between the lines during the selection process and the interview. Allow them to tell you what they can do for the company, and the role they are interested in.

Most of the time, the shortlisting process simply excludes talents from getting into an interview. Imagine you are the talent and you have to spend almost two-three hours of your time trying to put your CV into an online web application that asks you completely irrelevant questions, because it was meant to be generic. For example, when you are planning to hire a developer who is a talent, you want someone who really knows how to write code, who knows how to solve an algorithmic challenge because he/she takes pride in that, someone who is not going to reuse a solution from “stackoverflow” with no idea how or why it seems to be working. These qualities cannot be put in a job description and cannot be highlighted in the automated shortlisting process. These qualities can only be identified during the interview, when the person (talent) has a chance to answer the right questions.

The interview is the most important stage of the whole process. Let’s assume that the person being interviewed (who is a brilliant candidate and the talent the company is looking for) managed to overcome the aforementioned problems and got shortlisted for an interview (face-to-face or otherwise). The candidate now has to face four major problems.
  • The person conducting the interview is not trained or suitable for conducting interviews in general. Some of the people tasked to do this either do not like it, or are really bad at it (even after training). The interview ends up being a great opportunity for people who know how, or are willing, to “charm” the interviewer and tell him/her exactly what he/she expects to hear. A talent is not there to charm anyone and play sympathy games. A talent expects to be respected as a person, valued for what he/she knows, to demonstrate how eager he/she is to learn and what he/she can offer in this role, and to be asked the right questions.

  • It is true that talents might have awkward personalities but this is part of what makes them special and so good at what they do. Consequently, the interviewer not only needs to be really good at interviewing people but also needs to be able to read between the lines. Not all people are comfortable talking about themselves, or go into an interview with the right attitude, or reply to the questions like superstars, or say something catchy. Sorry to break it to you, but if this is what you want to see in an interview, then you are looking for a "used car salesman", not a talent. Allow people time to feel comfortable and open up slowly. If they cannot talk about themselves, ask things about them and they will tell you (their answers might be brief sometimes, and your role is to help them elaborate on them). There are occasions where the interviewee replies to a question with something brilliant or something the interviewer is not familiar with. Instead of having an empty expression on your face and trying to change the subject, think about allowing the talent to elaborate on this. We all learn a new thing every day, and your pride won’t be hurt if you listen carefully for a change.

  • The almighty checklist of standardised questions and the tick in a box. Don’t get me wrong, having a checklist of questions that need/should be asked is fine, but make sure you are asking the right questions. Seriously, what is the purpose of the question “can you tell me the OWASP Top 10 by heart”? Such questions are simply asked to make the interviewer feel superior (establish his/her dominance in the room) and the interviewee feel that he/she is not in charge (regardless of how "well" he/she responds to the question). Include questions that allow the interviewee to elaborate on his/her experiences and thought process (how to deal with problems, suggesting alternative solutions, investigating issues, proposing new project ideas, etc.), and not tricky/sneaky questions with a double meaning that he/she cannot think about at that particular moment, mostly due to the stress of the interview. Also, make sure you took the time to read the CV (resume, for my US friends) of the person you are interviewing and allow him/her to tell you if they have done some amazing things (projects), which these are, how they came up with the idea and why. Telling/admitting to the interviewee that you haven’t read his/her CV before entering the room and conducting the interview is, from where I stand, simply unacceptable and you should not be conducting the interview (or any interviews in general). If you haven't spent at least ten minutes reading through the submitted CV/resume prior to the interview and highlighting the things you would like the interviewee to elaborate upon, then clearly you are not interested in finding a talent for the company (and this lack of interest in finding a talent is currently being interpreted by many companies as a shortage of talents). You are simply wasting your time just to get away from work for an hour or so, wasting the interviewee's time, and you just want another tick in a box saying that you conducted an interview.

  • The interviewee can do nothing about his/her future “team-mates” feeling threatened by the fact that the company is about to hire the talent they have been looking for, for so long. It is not uncommon for the first interview to be conducted by the person who is supposed to become your future boss. This is actually really good, as you get a vibe of the person in charge and he/she gets an opportunity to get to know you (and explain what he/she is looking to bring into the team, the real need, not simply a generic job description). Imagine now the case where the talent nails that interview and his/her future boss is really impressed. So impressed that the candidate is asked to stay and do the second interview on the same day to get things going as fast as possible. Sometimes, that second interview is given to someone the candidate will end up working with, who is usually considered to be the “number two” guy on the team. As we are only human, there have been cases where the interviewer felt like he/she was not going to be the “number two” for much longer, because the candidate is really a talent. In that case, the almost future boss ends up getting a disappointing report/feedback from his/her “number two”, saying that the candidate failed the technical part of the interview. On one occasion, believe it or not, the guys conducting the second interview said this to each other after the interview: "This person is brilliant, has everything the team needs and what the company is actually looking for at the moment. However, if we decide to recommend this person, he/she will be able to do everything (every task) we assign him/her to do without any problems or training. I am afraid he/she will be able to demonstrate that he/she can do both of our jobs within two-three months' time".

Last but not least, asking the right questions. It was mentioned a few times during the article on purpose. First of all, keep in mind that it is a lot easier for talents to identify talents in their particular area of expertise (I am not referring only to people with technical skills here). There is no point asking questions that anyone can answer using a search engine by simply clicking on the “I’m feeling lucky” option. Talents are being identified
  a) by their achievements (up to that point in time),
  b) the reason(s) why they did things in a certain way to solve a problem,
  c) the way they challenge themselves on a daily basis,
  d) what challenging projects they have completed successfully,
  e) their particular and unique thought process,
  f) their out-of-the-box thinking and novel ideas, etc.

Ensure the questions being asked reflect upon these qualities. Allow the questions to take twists and turns, be flexible based on the personality and background of the person being interviewed, allow the questions to be scalable and progress slowly towards the right direction, elaborate and engage with the candidate in order to reveal the hidden diamond behind the sometimes rough surface.

Based on the above, and assuming that you took the time to watch the embedded video, consider a job opening in the music industry where a record company wants to put together a band. Imagine now this record company interviewing for bands the way the Information Security industry conducts interviews for talents (automated short-listing process, narrow and irrelevant questions, interviews that do not allow you to demonstrate your talent(s) but only to reply to standardised checklists, etc). Just imagine the questions:
Q: What instruments does each member of the band know how to play? A: None
Q: Do you sing? A: Well, this guy does, the rest of us make noises.
Q: Can you dance? A: No, we just sit on stools most of the time.
and so on... 

I would like to assume that you are now getting where I am going with this and I really hope you enjoyed reading this post (and the metaphor). I am considering making a proper presentation on the subject with more details and examples.

Tuesday 11 October 2016

IP EXPO EUROPE 2016 (..and winning a drone)

I had the opportunity to be at IP EXPO last week, in London. For those of you who are not familiar with the event, IP EXPO Europe took place at ExCel London (5-6 October 2016). 


The interesting fact about IP Expo is that you can find vendors and services across the whole spectrum related to IT. More specifically, under one roof you will find anything you need related to Cloud and Cloud services, Cyber Security, network and infrastructure solutions, data analytics, DevOps, and Open Source.

Compared to InfoSecurity Europe, it is a smaller event but this ended up being good. The exhibitors had a standard booth size allocation and it was much easier to get around, talk to people and faster to find what you were looking for. Maybe this particular layout made more sense to my OCD, I guess.

Monday 3 October 2016

Towards a Cyber Resilience strategy (Cyber Security Awareness Month – Oct 2016)

As most of you already know, October is Cyber Security awareness month. The aim of the Cyber Security awareness month is to raise awareness across the international community about cyber threats, discuss best practices, and educate the public and private sector, on how to stay safe online.

Cyber Security is promoted extensively during this month and many events are being organized with the sole purpose to engage and educate public and private sector entities, while providing them with the necessary tools and resources to stay safe when connected online. Given the opportunity, let’s talk about the UK’s Cyber Security Clusters and how you could get to engage, participate, network and most importantly ask any questions that you currently have regarding your organization's cyber security posture and staying safe online.

Tuesday 20 September 2016

New laptop with a noisy (annoying) fan


I will keep this short. If you bought a new laptop (it can happen for desktop computers as well) and the manufacturer did not make sure the fan is completely silent (and you really want to punch them in the face because it is not 1998) then I suggest:

a) check if there is a firmware update for your laptop (sometimes there is and it fixes many issues)
b) you download this little utility before you start breaking things around the house and see if it works for your make/model. 

(at the time of writing this blog post the version of the utility was 1.4.2)

Hope this helps, but make sure you keep an eye on your temperatures via a utility like HWmonitor to make sure the cooling still works properly.


Monday 19 September 2016

Securing Online Gaming 2016

The challenges of continuous security are going to be discussed at this year's annual "Securing Online Gaming" in London, on the 4th October 2016. It is great to be among such amazing speakers and have the opportunity to speak about the challenges of securing online gaming.

I will be representing DeepRecce which already has a leading role in the market when it comes to its cyber security solutions and its under 15 minutes deployable managed SOC solution across any number of hosts. 

My talk will discuss Online Gaming towards Cyber Resilience, and more specifically it will focus on:
  • Today's challenges & requirements towards securing online gaming
  • How attacks are evolving, and what should we expect
  • Taking steps for an effective Cyber Resilience strategy

The event will take place near St. Paul's Cathedral and The Barbican, directly opposite the Museum of London. Located at 200 Aldersgate, etc.venues St Paul's is a state of the art conference centre with the largest room holding up to 400, along with a further 12 rooms for conference breakouts, training and meetings.

Sunday 18 September 2016

44CON 2016

Another year, another 44CON in London. A line-up of great talks, and a very good opportunity to catch up with friends from the industry. The event took place between 16-18/Sep 2016, at the ILEC Conference Centre.
This year you were able to solder your badge while you were there. There was a nice corner dedicated to soldering, with soldering irons provided and all the bits to make it work.

I ended up making six of those in order to help out a couple of friends. It was really easy to make and really fun to do, especially when it started working as it should. 

The badge is called HIDIOT and it is short for HID IO Toolkit. :) The Human Interface Device Input/Output Toolkit (HIDIOT) is a USB-based board for manipulating and experimenting with USB HID class devices. The version given out at 44CON is unreleased. In effect, we decided to make our badge a piece of 0day hardware.

Sunday 21 August 2016

How to train your facebook ads..

Most of you use Ad Blockers and I am happy that you do for all sorts of reasons, which I will not discuss here. This blog post is about how you can train the ads you get on different websites (mostly on social media) based on what you care less about. Yes, that is right. If you really want to avoid being distracted or even tempted into clicking on (sometimes malicious) ad links, then what is better than training the system behind the scenes to show you ads only on things that you really don't care about at all. :D

I will use the example of Facebook, which I have been doing for a long time, and I realised just now that I haven't actually shared this with you all.

What you see on the left hand side is a print screen from the ads I get on Facebook. Those side ads are not a problem due to the way they are being displayed but, based on these ads, you get similar ads in your news feed as well.

Thus, by training these ads, you will get relevant ads in your news feed as well. As you can see on your left, all the ads I get are about sports and sometimes about music.

The reason is because I DO NOT CARE AT ALL about sports, or what is happening in the music industry.

When you click to hide an ad, Facebook asks you the following:

 Why did you hide it?
 - I don't care about this
 - I keep seeing this
 - It's offensive or inappropriate 
 - Other
 - I want to see something else

When you are presented with these options, you just need to use them in a clever way. Anything that seems like you would be interested in, let's say politics, environment, science, space exploration, ninjas, you select any of the options that classify it as "something you don't care about".

On the contrary, when you get ads that you really never cared about, such as sports, or gambling, you keep leaving these ads in your feed like it really matters to you.

Doing that 3-4 times in a day, for a couple of days, trains the engine behind Facebook and it starts displaying ads that you don't really care about.

Actually, our brains learn to ignore ads after a while, but when the content is irrelevant to your liking, your brain ignores them completely. I know it sounds weird, but you will end up going through your news feed and your brain will keep ignoring the ads. Especially ads that you don't care about, in such a way that you won't ever remember seeing the targeted ad. Trust me and try it! ;)


Saturday 20 August 2016

Security BSides Manchester 2016

Thank you all for coming to my talk at Security BSides Manchester 2016. The conference took place on Thursday 18th August 2016, at Manchester Metropolitan University Business School, in the heart of Manchester.
The title of my talk was: 
Accessing the personal details of most of the InfoSec professionals & the Responsible Disclosure process.

The talk was not recorded due to the sensitive nature of the content and not much information was given in the abstract. 

Sunday 7 August 2016

Electromagnetic Field 2016 - EMF Camp

Electromagnetic Field [1] is a UK camping festival for those with an inquisitive mind or an interest in making things: hackers, artists, geeks, crafters, scientists, and engineers.

This year's badges were amazing! If you want to start hacking your badge, go to this link: https://badge.emfcamp.org/wiki/TiLDA_MK3
I actually had the opportunity to give a talk on the myths and truths when it comes to hacking airplanes. Thank you all for coming to my talk! The talk was recorded and streamed live at the same time. Soon, the video will be available on EMFcamp's youtube channel if you would like to watch.

This year the event took place between Fri 5th - Sun 7th Aug 2016. The organisers found a really nice location outside Guildford. It is an awesome camping site with power to your tent (if you remembered to bring an extension) and Internet access. Tickets are approximately £120 and if you are thinking of driving down, you need to purchase in advance a parking ticket. If you have a motor-home, you are also welcome. 

EMFcamp welcomes everyone, supports diversity and does not tolerate misconduct. So, pack your tent, some warm clothes, a couple of bottles of/for water, a torch, your favourite drinks and you are all set. I suggest you get earplugs as well; especially if it is windy, you won't be able to sleep.

Plenty of presentations to watch, a few canteens with drinks and food, and many different workshops. Many different villages [2] and a lot of fun stuff to do all day long! Apart from attending interesting talks and workshops, hacking stuff, making stuff, creating music through algorithms, practising your soldering skills, lock-picking, talking to people around the world through radio broadcast, and playing fire ping pong, you can also enjoy the day with all sorts of people and make new friends while having a cold drink and warm food.

There is also a kids' area where you can let them play from 10:00 am until 20:00 pm, overseen by professional carers.
Pick your favourite activity as you go along or plan your day in advance by looking at the schedule on the website. 

You can follow EMF camp on twitter: @emfcamp 

[1] https://www.emfcamp.org
[2] map.emfcamp.org

Wednesday 27 July 2016

0x Haxors - Deck of Playing Cards (hexadecimal)

Ever wanted a #geek version of a deck of playing cards based on the #hexadecimal numeral system (68 cards)? At last, a deck of playing cards based on the hexadecimal numeral system, also known as HEX. (meaning this is a custom-made deck that has 68 cards, not the 52 standard deck). ..check this Kickstarter project out!



Then you should check this out: 

This project in order to be completed needs to place an order for a custom design (graphics included) and a custom cut for these cards. All existing playing-cards printing facilities (patterns) are made to print the normal 52 cards deck and in this case we need way more: 68 custom high quality prints and cuts. (special packaging for each deck is needed as well)

Thus, by backing this project you will help with the significant cost of placing a custom order for designing and printing this special set of cards.
We are aiming to make the cards high quality in order to last longer when you play.

So, to summarise: 
Please note that making a deck of 68 cards, instead of the standard 52 cards, means that even the packaging is custom-made and the cost involved is WAY HIGHER than simply changing the drawing on a standard 52 cards deck.

  • Graphics (by a professional graphic designer). 
  • High Quality print 
  • Quality cards with clear plastic coating to last longer and feel nicer (than paper cards). 
  • We want them to be water resistant as well. 
  • Special Order to print 68 cards for each deck
  • Packaging design and making to fit 68 cards. (packaging need to be custom made) 
  • Staff costs to pack all these decks and ship them worldwide.
Please, help this project to become a reality!

Wednesday 29 June 2016

SnoopCon 2016

I had the honour to be invited again this year by the Cyber Security Testing and Validation Team at British Telecoms (BT) in order to attend their annual internal conference, as a guest speaker. The conference is known as SnoopCon and it is BT’s Penetration Testing and Ethical Hacking annual meet-up event which lasts five days.

The event is held behind closed doors, however it is customary that on the third day they invite people from the industry, recognising that their work would be an invaluable input if presented at their internal conference.

It was a great opportunity for me to catch up with so many friends at SnoopCon. I also found out that Anoop Sethi has decided to retire after approximately 12302 days uptime (33 years) for BT.

It is a great honour to have known Anoop, the man who fundamentally changed the way Security and Penetration Testing is viewed in BT. Given the opportunity, I would like to personally wish Anoop all the best with anything he decides to do and I would like to thank him for being such an amazing individual.

I had a fantastic day at BT and the quality of the guest talks was through the roof. I am going to outline here briefly the content of the talks in the order they were presented.



Invitation to the largest European Cyber Security Challenge

ENISA (European Union Agency for Network and Information Security) is organising the European Cyber Security Challenge 2016 - the largest European challenge for cyber security talent. The Challenge will be held in November in Dusseldorf, Germany - and the Greek National Cyber Security team will compete with other national teams in various security-related challenges, such as web security, mobile security, crypto puzzles, reverse engineering, forensics.

The Greek team will be assembled in a qualifying round - in which we'd like to invite you to participate!

The qualifier will be held on Saturday, July 9 at the Department of Digital Systems of the University of Piraeus. The challenges will be similar to the ones outlined above, and the top 10 participants will comprise the Greek team that will travel to Germany. In order to be eligible, contestants need to legally reside in the country, be aged between 14-30, not have a Master's or higher degree or any professional experience in the information security sector - and of course have some InfoSec skills! Both competitions will be held in English, so contestants need to have at least basic understanding of the English language.

The Greek team is organised by TwelveSec and the Department of Digital Systems of the University of Piraeus, and supported by other major Greek universities and organisations, such as Security BSides Athens.

All you need to do to get the chance to compete in the qualifier is to register in the official website of the Greek team http://ecsc.gr/

Registrations are closing this week (Friday, July 1), so hurry up and register!

Tuesday 28 June 2016

Security BSides Athens 2016



It has been a while since my last blog-post and the main reason for that, was the numerous things I had to keep track for organising:

Security BSides Athens 2016 (www.bsidesath.gr) 


It has been a very busy year trying to organise this Security BSides event for the first time in Athens, Greece, with plenty of “hiccups” to overcome in the meantime. 


Once we had a team of people who were equally excited and passionate about this, we started working towards the event details.  


Given the opportunity, I would like to personally thank the team once again, all the volunteers who helped out on the day, the review committee who provided constructive feedback to all submissions, the speakers who travelled from all over the world to be there and present, and last but not least, all of YOU who attended the event. 

Special thanks go to our sponsors, who trusted us on our promise to deliver this information security community based conference. We wouldn't have been able to bring this event to Athens, especially for the first time, if it wasn’t for them, and for that we really appreciate their contribution and support.

Of course, such an event would not be able to exist without the community support we had from fellow conferences all over Europe, the Universities that promoted the conference, the Hellenic Army General Staff, and all the people who were involved and made this event a success story.

We had some great feedback already and we are committed to tweak things according to the recommendations and suggestions we received in order to make the event next year even better. There is always room for improvement and for more people to get involved. 

Wednesday 20 April 2016

Ransomware - Did you update your incident response plan?

At the beginning of 2016 an article was published about the increasing threat of ransomware and provided advice on having an incident response plan that is ready to face this emerging threat. Our article focused on tips related to prevention, response and evading extortion. If you did not have a chance to read our article from January, we recommend that you read it as soon as possible.
Now, at the end of the first quarter of 2016, it is evident that ransomware has become a headache for those who did not take all the necessary precautions to avoid being the next target. Recently, the FBI released a statement to The Wall Street Journal that ransomware is a prevalent and increasing threat. As this recent article describes, attackers are trying new approaches to infection, such as ransomware ‘malvertising’, and have succeeded in creating the first Mac OS X ransomware.

Have a plan, Be Prepared
Due to the fact that it is not easy to deal with the situation after an organisation is hit by ransomware, the best course of action is to ensure there is a backup plan in place. It might come as a surprise but in order to understand the seriousness of the situation, consider that an official in the FBI’s Boston field office went against normal FBI policy and suggested to a conference audience that often the only solution is to pay the ransom. Sysnet wants to make sure you do not have to face that moral dilemma and for that reason we are trying to inform you about the increasing threat and ensure you have taken all the necessary steps towards prevention.

Tuesday 12 April 2016

The Badlock day has arrived!

Badlock is a crucial security bug in Windows and Samba. Samba 4.4.2, 4.3.8 and 4.2.11 Security Releases are available [here].
Microsoft and the Samba Team have been working together in order to get this problem fixed and for a patch to be released. You will have to update your systems as this security flaw is expected to be actively exploited soon enough. 

Badlock is referenced by CVE-2016-2118 (SAMR and LSA man in the middle attacks possible).

There are additional CVEs related to Badlock. Those are:
  • CVE-2015-5370 (Multiple errors in DCE-RPC code)
  • CVE-2016-2110 (Man in the middle attacks possible with NTLMSSP)
  • CVE-2016-2111 (NETLOGON Spoofing Vulnerability)
  • CVE-2016-2112 (LDAP client and server don't enforce integrity)
  • CVE-2016-2113 (Missing TLS certificate validation)
  • CVE-2016-2114 ("server signing = mandatory" not enforced)
  • CVE-2016-2115 (SMB IPC traffic is not integrity protected)
Please, find more information about badlock at the dedicated website created for that reason: badlock.org
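
As an added example (not part of the original post or of the Samba project), the Python below classifies `smbd -V` style version banners against the three security releases named above. The banner strings and host names are constructed samples, and two rules are assumptions: branches newer than 4.4 are treated as already containing the fixes, and a distribution-suffixed build below the fixed release is flagged for a vendor-advisory check because distributions may backport patches without changing the upstream version number.

```python
import re

# Fixed release per branch, exactly as listed in the post.
FIXED = {(4, 4): (4, 4, 2), (4, 3): (4, 3, 8), (4, 2): (4, 2, 11)}

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(\S*)")


def parse_smbd_version(banner):
    """Return ((major, minor, patch), suffix) from a 'Version x.y.z[-distro]' banner."""
    match = _VERSION_RE.search(banner)
    if not match:
        raise ValueError(f"no Samba version found in {banner!r}")
    return tuple(int(part) for part in match.group(1, 2, 3)), match.group(4)


def badlock_status(banner):
    """Classify one banner against the Badlock security releases.

    patched        at or above the fixed release for its branch, or a later branch
    check-vendor   below the fixed release but carries a distro suffix (possible backport)
    vulnerable     plain upstream version below the fixed release for its branch
    no-listed-fix  older branch for which the post lists no security release
    """
    version, suffix = parse_smbd_version(banner)
    fixed = FIXED.get(version[:2])
    if fixed is None:
        # Assumption: branches released after 4.4 already include the fixes.
        if version > max(FIXED.values()):
            return "patched"
        return "no-listed-fix"
    if version >= fixed:
        return "patched"
    if suffix:
        return "check-vendor"
    return "vulnerable"


def audit(inventory):
    """Map host name -> status for a dict of host name -> banner."""
    return {host: badlock_status(banner) for host, banner in inventory.items()}


# Constructed sample inventory (hypothetical host names and banners).
SAMPLE_INVENTORY = {
    "fileserver-a": "Version 4.4.2",
    "fileserver-b": "Version 4.3.6-Ubuntu",
    "fileserver-c": "Version 4.2.10",
    "legacy-nas": "Version 4.1.17",
}

if __name__ == "__main__":
    for host, status in audit(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

A "check-vendor" result means the distribution's own security advisory for the installed package decides, not the upstream version number.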

Friday 1 April 2016

Start Google Chrome in Incognito Mode by Default

I tend to use different browsers for different tasks, and that makes my life a lot easier when it comes to managing all the different things I have to do. From my point of view, the Google Chrome web browser is the ideal browser for its incognito mode when accessing known safe websites. 

In order to speed things up, I tend to start it in incognito mode by default. Not many people know this, but it is really easy to start Chrome in incognito mode by default. 
If you already have Chrome installed, locate the executable on your system. You can R-Click on your existing shortcut (i.e. on the Start menu) and choose "Open file location".

Friday 11 March 2016

Building a Security Operations Centre (SOC)

Building a Security Operations Centre (SOC) is undoubtedly the best move you can make towards protecting not only your organisation’s data, systems and services, but also any sensitive information about your clients that you handle or store. This article is a brief overview of the task of building a SOC, introducing not only the key elements but also how the challenges of increased security requirements and rapid response are addressed.

The process for building a SOC can be time consuming and it is directly related to the available budget. The best approach is to create a plan that allows for incremental phases of implementation. Starting with a gap analysis, you will be able to define and prioritise the milestones for incremental improvements by setting the appropriate expectations and timelines. To start with, take a look at the Centre for the Protection of National Infrastructure (CPNI) and more specifically the Top 20 Critical Security Controls guidance.

The incremental improvements need to take into consideration the collaboration and communication between people, technology, and processes. These are the three equally important components that define a SOC.

Thursday 10 March 2016

Format a memory card back to its original size

After using an SD card to install Kali Linux on Raspberry Pi, I decided I had to reformat it to its original size. If you try to do this using the format tool on Windows you won't be able to format your card. 

The best way to do this, if you want to use Windows, is to start the command prompt and use the diskpart command line tool. Insert your memory card and follow the instructions below.

Start the command prompt and run the command: diskpart
This will open up a new command prompt window similar to the following screen.

Tuesday 8 March 2016

Raspberry Pi 2 Model B and Kali Linux 2.1 - quick setup

In order to install Kali Linux on Raspberry Pi, you will need to download the new image for Raspberry Pi 2 version 2.1 from https://www.offensive-security.com/kali-linux-arm-images/ (filename: kali-2.1-rpi2.img.xz). 

Many people want to play around with this combination of a Raspberry Pi and Kali Linux, but they do not want to waste any time figuring out why something is not working as it should. This quick setup guide is structured in a way that will allow you to streamline the process and make sure you have your Raspberry Pi up and running within a few minutes. 
[Extraction]
The .xz extension (for more info on xz see: http://tukaani.org/xz/) means that the image file is compressed and needs to be extracted. You can download the xz utilities using the command: apt-get install xz-utils 

Under Linux, in order to decompress the file you can use the command:
unxz filename.any.xz or the command xz -d filename.any.xz 

Since version 9.04 the package p7zip manages xz files and can extract them using the command: 7za e filename.any.xz

Tuesday 1 March 2016

Decrypting RSA with Obsolete and Weakened eNcryption (DROWN)


An OpenSSL security hole enables Secure Sockets Layer (SSLv2) to be used to attack modern web sites. Even though this is an ancient, long-deprecated security protocol, it is estimated to be able to "kill" at least one-third of all HTTPS servers (approx. 11.5 million servers).

The attack is dubbed DROWN, based on the words:
Decrypting RSA with Obsolete and Weakened eNcryption

Obsolete Microsoft Internet Information Services (IIS) versions 7 and earlier are vulnerable as well, and editions of Network Security Services (NSS), a common cryptographic library built into many server products prior to 2012's 3.13 version, are also open to attack. 

OpenSSL 1.0.2 users should upgrade to 1.0.2g
OpenSSL 1.0.1 users should upgrade to 1.0.1s

If you're using another version, move up to 1.0.2g or 1.0.1s.

OpenSSL 1.0.2g is available for download via HTTP and FTP from the following master locations (you can find the various FTP mirrors under http://www.openssl.org/source/mirror.html):
  • http://www.openssl.org/source/
  • ftp://ftp.openssl.org/source/
The flaw was identified by academics and the code for the attack has not yet been released. The main reason for this is to allow people to patch their systems before the vulnerability starts being exploited.

For further information on the issue, please visit the site: https://drownattack.com

Mitigation/Protection: https://drownattack.com/#mitigation
Instructions for Apache: https://drownattack.com/apache.html
Instructions for Postfix: https://drownattack.com/postfix.html
Instructions for Nginx: https://drownattack.com/nginx.html

There is also an offline scanner available on GitHub: 
https://github.com/nimia/public_drown_scanner
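
As an added example (not code from the original post or from the OpenSSL project), the upgrade guidance above can be applied to an inventory of "openssl version" outputs. The host names and version strings are constructed sample data, and the function names are hypothetical.

```python
import re

# Fixed releases named in the post, keyed by OpenSSL branch.
FIXED = {"1.0.2": "g", "1.0.1": "s"}

# Matches e.g. "1.0.1f", "1.0.2g-fips", "0.9.8zh", "1.0.2-beta3".
_VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_version(text):
    """Return ((major, minor, fix), letter) from `openssl version` output."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    return tuple(int(x) for x in m.group(1, 2, 3)), m.group(4)


def assess(version_text):
    """Classify one version string against the releases named in the post."""
    parsed = parse_version(version_text)
    if parsed is None:
        return "unparsed"
    branch, letter = parsed
    key = ".".join(str(n) for n in branch)
    if key in FIXED:
        # Letter suffixes sort as "" < "a" < ... < "z" < "za" < "zb",
        # which plain string comparison already reproduces.
        if letter >= FIXED[key]:
            return "ok"
        return "upgrade to " + key + FIXED[key]
    if branch < (1, 0, 1):
        return "move to 1.0.2g or 1.0.1s"
    return "not covered"  # newer branch than the ones the post lists


def report(inventory):
    """Map each host to its assessment."""
    return {host: assess(text) for host, text in inventory.items()}


# Constructed sample inventory (not real hosts).
INVENTORY = {
    "web01": "OpenSSL 1.0.1f 6 Jan 2014",
    "web02": "OpenSSL 1.0.2g  1 Mar 2016",
    "mail01": "OpenSSL 0.9.8zh 3 Dec 2015",
    "app01": "OpenSSL 1.0.1e-fips 11 Feb 2013",
    "db01": "OpenSSL 1.0.2-beta3 25 Sep 2014",
}

if __name__ == "__main__":
    for host, verdict in sorted(report(INVENTORY).items()):
        print(host, "->", verdict)
```

Distribution packages often backport fixes without changing the upstream version letter, so a flagged host should be confirmed against the package changelog before it is treated as unpatched.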

Wednesday 24 February 2016

Teach your brain to regenerate passwords instead of remembering them

@TripwireInc posted a brief article about my talk for @AbertayHackers and #SecuriTayV happening this Friday 26/Feb. For those attending, you will learn how to teach your brain to regenerate passwords instead of remembering them! 
Let's cut to the chase. Despite the existence of a number of advanced authentication mechanisms, such as Single Sign-On (SSO), different types of Biometrics, multi-factor authentication, etc., the use of passwords is still the most popular means of authenticating users.

The need to generate, and hopefully to remember these passwords, has become even more demanding due to the rapid increase in the number of systems and online accounts being used. 

Best practice is that these passwords need to be as strong as the assets they protect, and password management applications are supposed to be the most straightforward solution for storing them safely.

If you think about it for a moment, no one has ever actually taught you how to think when choosing a password. Because it is generally considered a straightforward task, it is assumed that you actually know how to choose the appropriate password for protecting a particular asset (email, social media account, OS login, etc.).

Tuesday 23 February 2016

The rise of the (Chief) Data Protection Officer

Back in August 2015, Sysnet discussed the complexity of what the term CyberSecurity represents, especially in the context of today’s threat landscape. This complexity is not only constantly increasing but it is also expanding at an exponential rate. The risks involved demand constant attention and very good understanding of the new technologies being introduced onto the cyber defence ‘chessboard’.
Sysnet also explored the noticeable shift in the traditional roles of the CSO (Chief Security Officer) and the CIO (Chief Information Officer) which have changed a great deal over the past five years. Their focus on managing security by applying resources to the most crucial system components, in order to reduce the likelihood of a successful breach, is now considered an insufficient approach in the current environment of cyber threats. Threats are changing faster than traditional risk management approaches can cope with, and a more proactive and adaptive approach is needed for an effective cybersecurity strategy.

Looking back a bit further, Sysnet discussed the new EU Data Protection Regulation, which requires the appointment of a Data Protection Officer (DPO) for most organisations, and explained the role and responsibilities of the appointed DPO. 

Wednesday 17 February 2016

Critical vulnerability found in glibc

A critical vulnerability has been found in Glibc. The critical flaw affects nearly all Linux machines, as well as API web services and major web frameworks. Glibc is the GNU C library which was at the core of last year’s GHOST vulnerability. 
The flaw, CVE-2015-7547, affects all Linux servers and web frameworks such as Rails, PHP and Python, as well as Android apps running Glibc. The vulnerability was discovered by researchers at Google and Red Hat and a patch has been made available. Google has released further information on the issue in its advisory.

It is strongly suggested to patch all affected systems immediately, as this vulnerability is considered critical and could be exploited for malicious reasons (allows remote code execution). More specifically, the vulnerability affects all versions of Glibc since version 2.9 and there are no temporary mitigations that can be implemented until Linux machines are patched.

Tuesday 16 February 2016

Tim Cook's letter..

Tim Cook's letter about a recent demand made to Apple by the US government. (February 16, 2016)

A Message to Our Customers

The United States government has demanded that Apple take an unprecedented step
which threatens the security of our customers. We oppose this order, which has
implications far beyond the legal case at hand. This moment calls for public
discussion, and we want our customers and people around the country to
understand what is at stake.

The Need for Encryption

Smartphones, led by iPhone, have become an essential part of our lives. People
use them to store an incredible amount of personal information, from our private
conversations to our photos, our music, our notes, our calendars and contacts,
our financial information and health data, even where we have been and where we
are going. All that information needs to be protected from hackers and criminals
who want to access it, steal it, and use it without our knowledge or permission.
Customers expect Apple and other technology companies to do everything in our
power to protect their personal information, and at Apple we are deeply
committed to safeguarding their data. Compromising the security of our personal
information can ultimately put our personal safety at risk. That is why
encryption has become so important to all of us. For many years, we have used
encryption to protect our customers’ personal data because we believe it’s the
only way to keep their information safe. We have even put that data out of our
own reach, because we believe the contents of your iPhone are none of our
business.

Wednesday 10 February 2016

Critical Security updates for all Windows versions

Microsoft has released a number of security updates to address vulnerabilities across all of its Operating Systems. All the vulnerabilities were reported to Microsoft under a responsible disclosure agreement, thus, these are not believed to have been actively exploited by attackers. 

  • MS16-009: A security update for Internet Explorer 9 through 11 to patch 13 security issues, including remote-code-execution (RCE) and information disclosure issues.
  • MS16-011: An update for Microsoft's Edge browser in Windows 10 patches 6 security issues, 4 of which address remote code execution vulnerabilities.
  • MS16-012: An update to address two remote-code-execution flaws in Windows PDF Library and Reader for Windows 8.1, Windows 10 and Server 2012. These could allow attackers to run malicious code on an affected system by tricking users into opening a specially-crafted PDF file.
  • MS16-013: An update for a memory-corruption flaw that could allow a remote attacker to execute arbitrary code as the logged-in user by tricking a user into opening a specially crafted Journal file.
  • MS16-015: An update to patch 6 memory-corruption vulnerabilities in Microsoft Office, each of which could allow a remote attacker to run arbitrary code by tricking a user into opening a specially-crafted Office file.
  • MS16-022: A security update for vulnerabilities found in Adobe Flash Player across all supported versions of Windows 8.1, Windows 10, Windows Server 2012, Windows Server 2012 R2, Windows RT 8.1.


It is highly recommended to ensure that any systems running any version of the Microsoft Operating System are updated as soon as possible. 

Monday 8 February 2016

Abertay Ethical Hacking Society: 5th annual Security Conference: Securi-Tay V

Securi-Tay [1] is an Information Security conference held by the Abertay Ethical Hacking Society [2], and supported by the Abertay University in Dundee. The aim of the conference is to provide an opportunity to industry professionals, students and information security enthusiasts to attend and share knowledge and information. This year will be the fifth year the conference is taking place (hence the V) and it will be held on February 26th - 27th, 2016. Personally, I believe this conference offers a fantastic opportunity to students to meet and network with experts in the area of security, share information and have a first glance at what their future in the security industry can be like.

I was very pleased to get accepted to speak at the conference again this year and I am already looking forward to it. The talk is about passwords and more specifically on how to train your brain to "regenerate" different passwords for different accounts, instead of remembering them. I know that this is not very clear at the moment, but I promise you that everything will be explained during the presentation. This is something I started working on more than 10 years ago. I actually published two papers on the subject, one paper describing the thought process and one paper on how to reverse the password generation process during a computer forensics investigation based on an individual's profile.

Monday 1 February 2016

Temporary and Disposable Email: Anonymity, Privacy or Security?

There are several websites available that offer temporary and disposable email addresses, which have become quite popular among Internet users today, as they provide a quick alternative to anyone who wishes for their email address to remain private when sending and receiving emails. 
Some of these temporary and disposable email addresses are available only for a few minutes, while others remain publicly available for anyone to access once they have been created. The same goes for websites that offer access to publicly available mobile numbers for receiving text messages (SMS). There is a wide range of numbers available, from different countries.

Effectively, a user can register to an online service by using a publicly available mobile number and receive any verification texts online.

Some may argue that these temporary and disposable email addresses and SMS services provide some sort of privacy. That might be true, especially under specific circumstances, but do not confuse anonymity with privacy, and security.

Entering fake details while using a disposable email allows users to subscribe avoiding any future incoming communications from that particular website to their email or phone, but at what cost?

Sunday 31 January 2016

The "prediction" frenzy for 2016 in CyberSecurity and the Black Swan effect

The past few days, a number of articles have hit the web, which have as their main subject the attempt to predict emerging threats for 2016. Moreover, numerous webinars and discussion panels are being organized, mainly to express an opinion on these claimed predictions. I would like to share with the readers of my blog that this “prediction” frenzy is happening for a very specific underlying reason. 
The information security industry and more specifically the vendors, attempt to shift their value proposition once more in 2016, and make it the year of “predicting” attacks, initially from detection to prevention, and now to prediction. This is going to be the InfoSec buzzword for this coming year. 

Detection > Prevention >  Prediction 

It is sometimes annoying to see that some industry professionals (especially tied to specific vendors, as a publicity stand for quick profit) discuss/present such ideas as novel, when in reality researchers, especially in academia, have worked upon the evolution of threat assessment, and detection, many years back. Several PhD theses have been written on how intrusion detection will evolve, and even more on how unification of network events will address the problem of managing the vast amounts of information generated (later called “Big Data”). Also, how prevention can be effective across different geographic locations, how this will lead to “Threat Intelligence” needs, by sharing attack patterns across heterogeneous systems in real-time (including IoT), and what are the realistic expectations for predicting cyber threats, based on the abstraction of network events, and the behavioural analysis of cyber-criminals, and trends in cybercrime.

Tuesday 26 January 2016

The Rise of Ransomware - Tips on prevention, response and evading extortion

Ransomware, a type of malware that prevents or in some cases limits users from accessing their data, has been on the rise. Last year, 2015, saw a considerable increase, with Crowti (also known as CryptoWall) and FakeBSOD being the two instances that affected more than 850,000 systems between June and November. In the first quarter of 2015, ransomware saw a 165% increase compared to the previous year. In the second quarter of 2015, 4 million samples of ransomware were identified, indicating 58% ransomware growth. Ransomware is expected to grow in 2016 considering that more than half of malware attacks in 2015 also carried ransomware.
The main function of ransomware is to prevent the user (or users if it infects a server) from using that particular system. It does this by encrypting the files that it finds stored in the filesystem and connected drives. Usually, ransomware also tries to prevent certain applications and services from running.

Malicious files
These malicious files are called ransomware because they demand a payment (a ransom) in order to allow the users to decrypt their files; the attacker provides the decryption key in exchange for the payment. Some of these types of malicious files try to convince individuals that they have done something illegal in an attempt to scare them into making the payment (ransomware acting as scareware). In order to be more believable, some ransomware payment demands pretend to be from a law enforcement agency. The ransom usually ranges from a few US dollars to hundreds of dollars or its Bitcoin equivalent.