Interview: Sumit “Sid” Siddharth of NotSoSecure

| July 31, 2015

Technology permeates society. This is true not just in the United States but across the globe. With it comes the opportunity to level the playing field amongst vastly different cultures around the world. But one thing that remains is the constantly evolving virtual battlefield and its effects on the real world. And if someone shows an uncanny ability to navigate this arena, it matters not where they came from. One such individual is Sid Siddharth of NotSoSecure.

Sid’s story is one of success. But it’s not from luck or privilege. Sid’s success comes from the simple concept of hard work. Each step along the way, Sid gave it his all, and it was noticed. Even when there was no such thing as a professional ‘ethical’ hacker, Sid continued with his passion and that simple tool in hand… hard work. Because of that, doors opened for him in India, the UK, the US and beyond. Now he has his own company and travels the world as a speaker, instructor and penetration tester. In this interview, Sid shares his thoughts with the EH-Netters around the world looking to follow in his footsteps.

Continue Reading

Interview: Dave Chronister of Parameter Security

| May 5, 2015

Have you ever seen a speaker at a security conference, an expert being interviewed on television about the latest cyber attack or an instructor at a whiteboard with the breadth of knowledge one should have when putting your career in their hands? Have you ever wondered what it took for those people to get where they are? Now just imagine all of those people wrapped up into a single individual, add into the mix the extra duties of business owner and husband, and you start to get a picture of Dave Chronister of Parameter Security, HackerU and ShowMeCon.

Covering everything from his first programming project as a child and his BBS days through his first ‘real’ IT job and into how he became who he is today, read on for a fascinating interview. Dave also shares his thoughts on helping you get that job in InfoSec, hiring someone for your next security project and some great general advice. In anticipation of ShowMeCon 2015 June 8 – 9, get to know a little more about the man (and woman) behind St. Louis’ ONLY Premier Hacking & Offensive Cyber Security Conference.

Continue Reading

Interview: Bugcrowd Founders on Herding Ninjas for Crowdsourced Bug Bounties

| March 29, 2013

By Jason Haddix

Love it or hate it, crowdsourcing is here to stay. While it’s been mostly confined to development and design, eventually it was going to come to security. Two gentlemen trying to pioneer the space are Casey Ellis and Sergei Belokamen. Being long-time hackers and having seen how the security space works, they decided to start Bugcrowd. Here’s a description directly from the source:

“Bugcrowd is by far the most comprehensive and cost-effective way to secure websites and mobile apps. We’ll do a brief consultation and help you set the budget, the duration, and which websites or apps you’d like our curated crowd of researchers to test. The Bugcrowd researchers get to work finding security flaws in your applications. All testing can be routed through Bugcrowd’s crowd-control system, providing control and accountability. Any bugs are submitted to our Secure Operations Centre as soon as they are found. We validate the flaws and, at the end of the bounty, reward the first researcher to find each unique flaw. We provide you with an easy to understand report for you to hand to your developers… We can even recommend partners to help you fix what we find!”

Join me as I interview them both about their new venture and uncover some interesting information about security testing on a massive scale, as well as how to start. For example, if you are a tester looking to participate, it couldn’t be easier. Fill out the “Ninja” form and create an online profile (public or private) in which you provide Bugcrowd with your PayPal email address. Then you wait until you receive an email message announcing a new bounty… and it looks a little something like this…

Continue Reading

Interview: Ilia Kolochenko, CEO of High-Tech Bridge

| January 15, 2013

The Ethical Hacker Network is an online magazine with a focus on those in the profession. It’s wonderful to have technical content, videos, book reviews and an active discussion forum, but what good does it do if we can’t help our readers achieve their career goals? Being an “online” magazine also means that we have a wide audience not confined within the borders of the United States. How can we also help our international audience? One way to answer both questions is to continue our ongoing series of interviews with ethical hacking movers and shakers. So here is another conversation with someone who can provide some quality insight into the questions posed above, because he did it. Ilia Kolochenko became a professional ethical hacker in Europe.

Ilia is the CEO of High-Tech Bridge, a security services and research outfit in Geneva, Switzerland. But clearly he wasn’t born a chief executive. Just like most of us, he grew up dreaming of being a hacker, even if he had no idea it was an actual profession. This is his story, and it was quite surprising to see just how similar it sounds. But that’s not a bad thing. He took his passions, combined them with his military skills, added in a little workplace frustration, and… Well you’ll just have to find out for yourself.

Continue Reading

Social Engineering as a Technical Tool

| September 28, 2012


When we speak about social engineering, the normal conversation steers away from the technical and toward the psychological. This month we are going to change it up a bit and steer head on into the technical arena for a discussion about penetration testing.

There always seems to be a debate online about pentesting: what it is and what it isn’t, how to do it right, how to do it “real world,” how to do it hardcore and even l33t. But at the end of the day, what each and every pentester wants (or should want) is to uncover the holes in the client’s network so they can be mitigated before the bad guys use those very same holes for malicious purposes.

That desire should drive each “real world” pentester to use every tool, technical or not, at his disposal for the benefit of his clients. This is where our discussion of how to use social engineering as a technical tool, or as a tool to get technical details, begins.

Continue Reading

Video: An Insider’s Look at the Smartphone Pentest Framework

| September 25, 2012

In Mobile Hacking 101, the first article in my new column on The Ethical Hacker Network, I felt it was appropriate to start from the beginning: offer up a primer, if you will, to give the readers a brief synopsis of where we’ve been and where we’re heading in regards to smartphones, their security and their determined march into the enterprise. Now that the basics have been covered, it’s time to start digging deeper into the technical aspects of smartphone security. The logical next step is to set the foundation of a mobile penetration testing lab and eventually enter the live testing phase. That’s where the Smartphone Pentest Framework (SPF) enters the picture. Being the developer of this project, I thought it might be interesting to give you a personal tour.

Often when I try to tell people about SPF, they naturally jump to the conclusion that this is a tool to let you run Nmap or Metasploit on a smartphone. While that is certainly cool, it’s been done before. SPF takes the opposite angle. Instead of pentesting from a smartphone (though some attacks in SPF can be launched from an on-device app), our goal is to perform a pentest of the mobile devices themselves. As mobile devices are joining more corporate networks every single day, do organizations have a security standard in place? If so, is it being properly enforced? Even if it is, do the smartphones in the environment open you up to total compromise as they access internal networks with direct access to sensitive resources, receive and store sensitive emails, and raise a wide variety of other security red flags? For this reason, all mobile devices should be included in your organization’s penetration testing activities. Like Metasploit for network pen testing, SPF is a tool to help make it easier to pen test those pesky mobile devices.

Continue Reading

Interview: Barry Cooper of FishNet Security Training

| August 27, 2012

We describe ourselves as The Ethical Hacker Network, a free online magazine for security professionals. With that in mind, we try to have a wide range of topics of varying difficulty, all with an aim towards helping the readers on their chosen career paths. As the Editor-in-Chief of EH-Net, I am constantly asked online and off about the best way to get into the field, how to get a job and, most often, about the value of certifications, experience and education. Long-time colleague Barry Cooper of FishNet Security Training & iSWAT 2012 in September not only has an abundance of each but also works in the security and training fields. So who better to offer up some advice?

For a little background information, Mr. Cooper has over 25 years of experience in information technology and security and has been designing, developing, and delivering technical training courses for over 15 years. He has significant expertise in systems analysis, computer programming, information security, instructional design, and network engineering. Mr. Cooper is responsible for the vision, operation, and management of the FishNet Security Training organization. In addition, he manages vendor, security, and distance learning product development. Under his guidance, FishNet Security’s training LOB now includes 10 national training centers and offers well over 100 courses. He also developed FishNet Security’s eLearning capability and remote live training delivery systems from the ground up. Barry has attained over 70 high-level security and technical certifications including CISSP, JNCI, CCSI and CTT+.

And we are lucky to have him answer some questions and offer some great advice.

Continue Reading

Mobile Hacking 101

| August 15, 2012


Next item on the board meeting agenda: the war on smartphones! For some time now, smartphones have been quietly creeping into our society and slowly infiltrating our families and companies. It started off simply enough: the CEO’s husband bought her an iPad for Christmas, and she thought it would be pretty savvy to be able to answer work email on it at a business meeting halfway around the world. The fashion slowly trickled down the food chain until everyone wanted to put their smartphone devices on the company network. While vacations used to be a time of relaxation, when the pressures of everyday life at the office could be forgotten, now it can be a serious career hazard to be unable to answer emails during the few minutes at the beach when your laptop is out of Wi-Fi range. Gone are the days of parents hovering around the living room praying teenagers will make it home from their dates in one piece and by curfew. In the age of smartphones there’s voice chat, video chat, text messaging, picture messages, and email continuously available to worried parents. Special smartphones are even being marketed to the under-13 crowd, and all are susceptible to mobile hacking.

Whether it’s bringing your own device or special company BlackBerrys handed out at company meetings, chances are smartphones are able to access emails, deliverables and reports, and other sensitive data in your company environment. How secure are those smartphones? What sorts of attacks are common against the various smartphone platforms? What user behaviors open up your sensitive data to attack? What information could someone who has access to the data on your smartphone learn about you, your family, and your workplace? There are many paths attackers can take to interfere with your smartphone’s intended operation. Jailbreaking, malware, text messages with malicious links, and client-side attacks (like the Safari WebKit vulnerability) are a few of the paths discussed in this first entry in a series of articles on hacking mobile devices, which serves as a primer for the EH-Net crowd. Read on to get a better idea of some of the different ways your phone can be compromised, along with some of the scenarios attackers are using to make this happen.

Continue Reading