
Interview: Bugcrowd Founders on Herding Ninjas for Crowdsourced Bug Bounties

March 29, 2013

By Jason Haddix

Love it or hate it, crowdsourcing is here to stay. While it’s been mostly confined to development and design, eventually it was going to come to security. Two such gentlemen trying to pioneer the space are Casey Ellis and Sergei Belokamen. Being long-time hackers and having seen how the security space works, they decided to start Bugcrowd. Here’s a description directly from the source:

“Bugcrowd is by far the most comprehensive and cost-effective way to secure websites and mobile apps. We’ll do a brief consultation and help you set the budget, the duration, and which websites or apps you’d like our curated crowd of researchers to test. The Bugcrowd researchers get to work finding security flaws in your applications. All testing can be routed through Bugcrowd’s crowd-control system, providing control and accountability. Any bugs are submitted to our Secure Operations Centre as soon as they are found. We validate the flaws and, at the end of the bounty, reward the first researcher to find each unique flaw. We provide you with an easy to understand report for you to hand to your developers… We can even recommend partners to help you fix what we find!”

Join me as I interview them both about their new venture and uncover some interesting information about security testing on a massive scale, as well as how to start. For example, if you are a tester looking to participate, it couldn’t be easier. Fill out the “Ninja” form and create an online profile (public or private) in which you provide Bugcrowd with your PayPal email address. Then you wait until you receive an email message announcing a new bounty… and it looks a little something like this…


Interview: Ilia Kolochenko, CEO of High-Tech Bridge

January 15, 2013

The Ethical Hacker Network is an online magazine with a focus on those in the profession. It’s wonderful to have technical content, videos, book reviews and an active discussion forum, but what good does it do if we can’t help our readers achieve their career goals? Being an “online” magazine also means that we have a wide audience not confined within the borders of the United States. How can we also help our international audience? One way to answer both questions is to continue our ongoing series of interviews with ethical hacking movers and shakers. So here is another conversation with someone who can provide some quality insight into the questions posed above, because he did it. Ilia Kolochenko became a professional ethical hacker in Europe.

Ilia is the CEO of High-Tech Bridge, a security services and research outfit in Geneva, Switzerland. But clearly he wasn’t born a chief executive. Just like most of us, he grew up dreaming of being a hacker, even if he had no idea it was an actual profession. This is his story, and it was quite surprising to see just how similar it sounds. But that’s not a bad thing. He took his passions, combined them with his military skills, added in a little workplace frustration, and… Well you’ll just have to find out for yourself.


Social Engineering as a Technical Tool

September 28, 2012


When we speak about social engineering, the normal conversation steers away from the technical and more toward the psychological. This month we are going to change it up a bit and steer head-on into the technical arena for a discussion about penetration testing.

There always seems to be a debate online about pentesting: what it is and what it isn’t, how to do it right, how to do it “real world,” how to do it hardcore and even l33t. But at the end of the day, what each and every pentester wants (or should want) is to uncover the holes in the client’s network so they can be mitigated before the bad guys use those very same holes for malicious purposes.

That desire should drive each “real world” pentester to use every tool – technical or not – at his disposal for the benefit of his clients. This is where our discussion begins: how to use social engineering as a technical tool, or as a tool to get technical details.


Video: An Insider’s Look at the Smartphone Pentest Framework

September 25, 2012

In Mobile Hacking 101, the first article in my new column on The Ethical Hacker Network, I felt it was appropriate to start from the beginning: to offer up a primer, if you will, giving readers a brief synopsis of where we’ve been and where we’re heading in regards to smartphones, their security and their determined march into the enterprise. Now that the basics have been covered, it is time to start digging deeper into the technical aspects of smartphone security. The logical next step is to set up the foundation of a mobile penetration testing lab and eventually enter the live testing phase. That’s where the Smartphone Pentest Framework (SPF) enters the picture. Being the developer of this project, I thought it might be interesting to give you a personal tour.

Often when I try to tell people about SPF, they naturally jump to the conclusion that this is a tool to let you run Nmap or Metasploit on a smartphone. While that is certainly cool, it’s been done before. SPF takes the opposite angle. Instead of pentesting from a smartphone (though some attacks in SPF can be launched from an on-device app), our goal is to perform a pentest of the mobile devices themselves. As mobile devices are joining more corporate networks every single day, do organizations have a security standard in place? If so, is it being properly enforced? Even if it is, do the smartphones in the environment open you up to total compromise as they access internal networks with direct access to sensitive resources, receive and store sensitive emails, and raise a wide variety of other security red flags? For this reason, all mobile devices should be included in your organization’s penetration testing activities. Like Metasploit for network pen testing, SPF is a tool to help make it easier to pen test those pesky mobile devices.


Interview: Barry Cooper of FishNet Security Training

August 27, 2012

We describe ourselves as The Ethical Hacker Network, a free online magazine for security professionals. With that in mind, we try to have a wide range of topics of varying difficulty, all with an aim towards helping the readers on their chosen career paths. As the Editor-in-Chief of EH-Net, I am constantly asked online and off about the best way to get into the field, how to get a job and, most often, about the value of certifications, experience and education. Long-time colleague Barry Cooper, of FishNet Security Training and iSWAT 2012 in September, not only has an abundance of each but also works in the security and training fields. So who better to offer up some advice?

For a little background information, Mr. Cooper has over 25 years of experience in information technology and security, designing, developing, and delivering technical training courses for over 15 years. He has significant expertise in systems analysis, computer programming, information security, instructional design, and network engineering. Mr. Cooper is responsible for the vision, operation, and management of the FishNet Security Training organization. In addition, he manages vendor, security, and distance learning product development. Under his guidance, FishNet Security’s training LOB now includes 10 national training centers and offers well over 100 courses. He also developed FishNet Security’s eLearning capability and remote live training delivery systems from the ground up. Barry has attained over 70 high-level security and technical certifications including CISSP, JNCI, CCSI and CTT+.

And we are lucky to have him answer some questions and offer some great advice.


Mobile Hacking 101

August 15, 2012

Next item on the board meeting agenda: the war on smartphones! For some time now, smartphones have been quietly creeping into our society and slowly infiltrating our families and companies. It started off simply enough: the CEO’s husband bought her an iPad for Christmas, and she thought it would be pretty savvy to be able to answer work email on it at a business meeting halfway around the world. The fashion slowly trickled down the food chain until everyone wants to put their smartphone devices on the company network. While vacations used to be a time of relaxation, when the pressures of everyday life at the office could be forgotten, now it can be a serious career hazard to be unable to answer emails during the few minutes at the beach when your laptop is out of Wi-Fi range. Gone are the days of parents hovering around the living room praying teenagers will make it home from their dates in one piece and by curfew. In the age of smartphones there’s voice chat, video chat, text messaging, picture messages, and email continuously available to worried parents. Special smartphones are even being marketed to the under-13 crowd, and all are susceptible to mobile hacking.

Whether it’s bringing your own device or special company BlackBerrys handed out at company meetings, chances are smartphones are able to access emails, deliverables and reports, and other sensitive data in your company environment. How secure are those smartphones? What sorts of attacks are common against the various smartphone platforms? What user behaviors open up your sensitive data to attack? What information could someone who has access to the data on your smartphone learn about you, your family, and your workplace? There are many paths attackers can take to interfere with your smartphone’s intended operation. Jailbreaking, malware, text messages with malicious links, and client-side attacks (like the Safari WebKit vulnerability) are a few of the paths discussed in this first entry in a series of articles on hacking mobile devices, which serves as a primer for the EH-Net crowd. Read on to get a better idea of some of the different ways your phone can be compromised, along with some of the scenarios attackers are using to make this happen.


Social-Engineer.org is Vegas Bound Baby!

July 20, 2012

20 years. Hard to believe, but Defcon has been around for 2 decades. And Black Hat has been doing its thing for 15 years and continues to buck the conference trend and grow in attendance each year. These two security conferences are some of the pace-setting events for our industry. For the last few years, the crew at Social-Engineer has been a part of these events, and this year is no different. As you may know, we have 2 arms of our organization. Social-Engineer.org is the free web portal that strives to achieve “Security Through Education,” not only with our core crew but also with many excellent contributors. Social-Engineer.com is our commercial arm offering social engineering services (such as penetration tests) and training. Here are some of the events, happenings and schedule for us during the annual pilgrimage to Vegas.


Video Review: Cobalt Strike Penetration Testing Software

June 29, 2012

By Ryan Linn

Cobalt Strike is the latest tool that Raphael Mudge (@Armitagehacker) has released at http://www.advancedpentest.com/ to help penetration testers optimize their workflow and pen testing tasks. Cobalt Strike is a commercially supported version of Armitage (Cyber Attack Management for Metasploit), with a whole slew of new features added to aid in social engineering attacks, phishing, and targeted exploitation. As described on their own site:

"Cobalt Strike is threat emulation software. Red teams and penetration testers use Cobalt Strike to demonstrate the risk of a breach and evaluate mature security programs. Cobalt Strike exploits network vulnerabilities, launches spear phishing campaigns, hosts web drive-by attacks, and generates malware infected files from a powerful graphical user interface that encourages collaboration and reports all activity."

Stay with us after the break as we examine more details of this new software package, offer thoughts on how it might fit into your arsenal of tools, and present an exclusive video by Ryan Linn offering a first look at Cobalt Strike to all EH-Netters.
