Thursday, April 19, 2012

RaiderSec Meeting 04/17/2012

Hey everyone!

I just wanted to thank everyone who made it out to the meeting, and I hope you all enjoyed learning about Cross-Site Scripting (XSS) vulnerabilities and their exploitation. You can find the slides from the last meeting here.

As mentioned in the meeting, next Tuesday (April 24, 2012) Lance will be continuing the topic of input validation vulnerabilities in web applications by going in depth into SQL Injection vulnerabilities. The widespread prevalence of SQL Injection vulnerabilities, and the impact they can have, will make this a very important and interesting topic.

I look forward to seeing everyone at the meeting!

Wednesday, April 11, 2012

RaiderSec Meeting 04/10/2012

Hey everyone!

I just want to thank everyone who made it out to the meeting yesterday! I hope everyone enjoyed learning about how social engineering attacks work, as well as why the human element of security is (and very likely always will be) the weakest link in a company's defenses.

As I mentioned in the meeting, next week we will begin covering web application vulnerabilities. Until then, feel free to read up on some of the vulnerabilities listed in OWASP's Top 10 Project Report to get an idea of the vulnerabilities we will be discussing in detail.

Also, you can find the slides for the social engineering presentation here. I look forward to seeing everyone at the next meeting!

-Jordan

Sunday, April 8, 2012

Social Engineering - Exploiting the Human Element of Security

Introduction

"Hi, this is Rick from [Internet Service Provider]. We're seeing some unusual traffic from your location. It's most likely nothing to worry about, but we have a field tech on his way to diagnose the problem. Can you make sure he has access to the network to run some quick tests?"

This phone call takes 3-5 minutes at most, yet the risk of the target being compromised is already very high, especially if the person on the other end of the line agrees to help the "field tech" (very likely the same person who called). This technique is one very specific example of "Social Engineering," and throughout this post we will see how such techniques are leveraged by attackers to exploit the human element of security for malicious gain.