TigerDirect is “Mom Approved”?

Filed under Uncategorized

Way to capitalize on Mother's Day and cheesy “family” pictures…lol


Dogfish Head 60 Minute IPA

Filed under Beer

Hoppy goodness…


Slides from my “5 Lessons Learned From Breaking Into A Casino” Webcast

Filed under Penetration Testing

For those of you that attended the webcast yesterday (and those who didn’t), I’ve uploaded my slides to my SlideShare page.  Thanks to my co-presenters Richard Stiennon and Kevin Henry for presenting some great content with me!  If you’re interested, Richard has posted his slides to SlideShare as well.

Free Webcast April 10th: Learn about APTs, Business Process Hacking and Breaking into a Casino!

Filed under Penetration Testing, Spylogic News

On Tuesday April 10th at 12pm EST, 9am PST, 5pm GMT I’ll be presenting “5 Lessons Learned From Breaking In: Confessions of a Pentester & Other Stories” during a free webinar.  I’ll be talking about the five most common ways my team and I break into companies that you would think are highly secured such as energy companies and casinos.  I’ll be joined by Richard Stiennon and Kevin Henry who will be discussing business process hacking and APTs.  When you register you will get entered to win a full version of Netsparker Web Application Scanner (retail value of $5,950).  Register for free here.


Smart Bombs: Mobile Vulnerability and Exploitation Presentation

Filed under Android, Apple, Mobile Applications, Mobile Security, Penetration Testing

This week I co-presented “Smart Bombs: Mobile Vulnerability and Exploitation” with John Sawyer and Kevin Johnson at OWASP AppSec DC.  We talked about some of the current problems facing mobile applications, such as flaws found in the OWASP Mobile Top 10 and various privacy issues.  We also talked about how you go about testing mobile applications from the application layer (HTTP) down to the transport layer (TCP) and the file system.  I highly recommend you take a look at John’s file system testing methodology, as he takes more of a forensic approach, which works really well.  The takeaway from the talk is that you need to look at all of these areas when testing mobile apps, and that mobile apps are a growing area of concern from a security and privacy perspective.

One update we forgot to mention in the talk is that you should use Mallory, which is a transparent TCP and UDP proxy for testing mobile applications.  This is an excellent tool created by the guys at Intrepidus Group.  We’ve found that some apps will bypass proxy settings and lots of apps are sending data over binary protocols and more.  Mallory is the tool you need for testing any mobile app fully!

Attacking & Defending Apple iOS Devices in the Enterprise Presentation Updates

Filed under Apple, Mobile Security

Below are links over on SlideShare to the latest version of my ever evolving presentation “Attacking & Defending Apple iOS Devices in the Enterprise”.  This is the version I presented at the SANS Mobile Device Security Summit a few weeks ago.  I include information on iOS 5, the latest jailbreaks at the time (this has since changed with the release of iOS 5.1) and some information on the security of iCloud.

Just a reminder that I’ll be presenting Smart Bombs: Mobile Vulnerability and Exploitation with John Sawyer and Kevin Johnson at OWASP AppSec DC on April 5th in Washington DC.  I’ll be focusing my research on iOS application testing and some of the vulnerabilities discovered in some of the top 25 iOS applications.


Dogfish Head 90 Minute Imperial IPA

Filed under Beer

One of the best IPAs out there…yum!



SANS Mobile Device Security Summit Recap

Filed under Mobile Security

Just a quick post about the SANS Mobile Device Security Summit that I participated in.  Kudos to Kevin Johnson and Tony DeLaGrange from Secure Ideas for helping organize and lead the event.  They did a great job!  If you’ve been to SANS events in the past, I assure you that this was much different.  First, there was a great lineup which included Rafal Los (HP), Jack Mannino (nVisium Security), Chris Cuevas (Secure Ideas), John Sawyer (InGuardians), Josh Feinblum (The Advisory Board Company) and Daniel Miessler (HP ShadowLabs), to name a few.  Having a lineup of great speakers really made the summit flow as well as it did.

What I liked most about this event was that there were plenty of “real world” talks on how enterprises are deploying and managing mobile deployments.  Real in the “trenches” types of talks.  Here are some of the themes that I heard throughout all the talks:

  • Jailbreaking/Rooting is BAD
  • The OWASP Mobile Top 10 is going to be just as important as the traditional web application OWASP Top 10
  • Mobile Threats are an evolving, moving target.  Security teams have to be quick to adapt to new mobile technology
  • MDM (Mobile Device Management Solutions) are a requirement
  • Apple iOS devices are preferred over Android in the enterprise (seriously, that was the consensus).  No one seems to care about BlackBerry or Windows Mobile devices.  I think only one speaker mentioned Windows Mobile…

Speaking to the last point, I find this pretty interesting, especially given that Android seems to be beating Apple in market share of both devices and app store apps.  I also enjoyed hearing about some of the challenges and pitfalls real IT and security departments are facing.  Many of the speakers talked about best practices they’ve developed and problems they’ve had.  One of the highlights for me was a talk by Det. Cindy Murphy from the Madison, WI Police Department Computer Forensics Unit.  She shared some of her experiences with mobile device forensics and how this evidence holds up in court.  I highly recommend you check out this summit next year; it’s one not to miss!

I should have my slides from the latest version of my talk that I gave at the summit (Attacking & Defending Apple iOS Devices in the Enterprise) in the next day or so.


Passcode Bypass in iOS 5.1? Not so fast!

Filed under Apple, Mobile Security

During the keynote at the SANS Mobile Device Security Summit here in Nashville this morning, Rafal Los (aka Wh1t3Rabbit) talked about a new passcode bypass vulnerability going around in the latest version of iOS (5.1).  The way it is supposed to work: open the camera from the lock screen, go to the photo gallery, press the home button, and you land on the home screen, bypassing the passcode.  I tried this and it didn’t work on my iPhone.  I was quickly prompted for my passcode.

I did some research and found this blog post, which says this is simply a configuration issue with the passcode settings.  Check your setting for “Require Passcode” (under the Passcode Lock screen) and make sure it’s set to “Immediately”.  If it’s set to 1 minute or more, you really haven’t locked your device.  You’ve just been shutting off the screen. :-)  See the screenshot below for the passcode setting you should be using.
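The same “Require Passcode” setting shows up in MDM configuration profiles, where Apple’s passcode payload expresses it as maxGracePeriod in minutes (0 is “Immediately”).  Below is an added example, not code from the original post, that audits a .mobileconfig for a non-zero grace period and rewrites it to 0; the sample profile is constructed and its payload identifiers are placeholders.

```python
import plistlib

PASSCODE_PAYLOAD = "com.apple.mobiledevice.passwordpolicy"

# Constructed sample .mobileconfig (not from the post). Its passcode payload
# carries the weak setting the post warns about: "Require Passcode" after 1
# minute, i.e. maxGracePeriod=1 (minutes; Apple's default 0 = "Immediately").
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadVersion</key><integer>1</integer>
  <key>PayloadIdentifier</key><string>example.passcode.audit</string>
  <key>PayloadContent</key><array><dict>
    <key>PayloadType</key><string>com.apple.mobiledevice.passwordpolicy</string>
    <key>PayloadVersion</key><integer>1</integer>
    <key>PayloadIdentifier</key><string>example.passcode.audit.pin</string>
    <key>forcePIN</key><true/>
    <key>maxGracePeriod</key><integer>1</integer>
  </dict></array>
</dict></plist>
"""


def audit_passcode_policy(profile_bytes):
    """Return (payload identifier, finding) pairs for each passcode payload
    that leaves the device effectively unlocked after the screen goes off."""
    profile = plistlib.loads(profile_bytes)
    findings = []
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") != PASSCODE_PAYLOAD:
            continue
        ident = payload.get("PayloadIdentifier", "<no identifier>")
        if not payload.get("forcePIN", False):
            findings.append((ident, "forcePIN not set: no passcode is enforced"))
        grace = payload.get("maxGracePeriod", 0)  # absent key = Apple default 0
        if grace > 0:
            findings.append((ident, f"maxGracePeriod={grace}: only the screen is "
                                    f"off for the first {grace} min, not the device"))
    return findings


def harden(profile_bytes):
    """Return a copy of the profile with every passcode payload set to
    forcePIN=true and maxGracePeriod=0 ("Immediately")."""
    profile = plistlib.loads(profile_bytes)
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") == PASSCODE_PAYLOAD:
            payload["forcePIN"] = True
            payload["maxGracePeriod"] = 0
    return plistlib.dumps(profile)
```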


Speaking at the SANS Mobile Device Security Summit

Filed under Apple, Application Security, Mobile Security, Penetration Testing

I’ll be presenting “Attacking and Defending Apple iOS Devices in the Enterprise” Monday, March 12 @ 10am. I’ve got a bunch of new content about iOS 5, iCloud and the latest attacks on these devices. This is the inaugural event for SANS and I’m proud to be part of it! More information can be found here at the SANS website.
