Author Archives: Tom

Teaching SANS SEC542: Web App Penetration Testing and Ethical Hacking in St. Louis July 8-13

Filed under Application Security, Penetration Testing
Tagged as ,

Just a quick update to let everyone know that I’ll be teaching SANS SEC542: Web App Penetration Testing and Ethical Hacking in St. Louis July 8-13th through the Community SANS program.  This is a fantastic 6 day class with lots of hands-on exercises, sharing of my real world web app testing experiences and a Capture the Flag event in which students will be able to use the methodology and techniques explored during class to find and exploit vulnerabilities within an intranet site.  I’m very excited to teach you the skills required to be a great web application penetration tester!

Check out the SANS class information page for more information about the class, agenda and location.

Save 10% on your registration using code: TomStLouis

See you in St. Louis!

Presenting at SANS 2013 in Orlando Next Week

Filed under Conferences, Mobile Security
Tagged as , , ,

I’ll be at SANS 2013 in Orlando this weekend assisting Kevin Johnson with his SEC542: Web App Penetration Testing & Ethical Hacking class and giving two SANS@Night presentations:

This is a great opportunity to see Social Zombies again if you missed our talk at DerbyCon last year.  Registered attendees of SANS 2013 get into the talks for free!  If you see me at the conference next week say hi and feel free to harass Kevin if you’re taking his class! 😉

Project Mayhem to be Unleashed at Black Hat Abu Dhabi

Filed under Penetration Testing
Tagged as , , , ,

For the last several months I’ve been performing research on techniques attackers could use for performing accounting fraud in popular accounting systems. This research coincides with a whitepaper that SecureState has developed entitled “Cash is King: Who’s Wearing Your Crown?” To perform this research I have collaborated with a coworker of mine, Brett Kimmell, who is the manager of SecureState’s Risk Management practice. Brett and I will be presenting the findings from our research at the Black Hat security conference in Abu Dhabi on December 6. This is by far the most unique topic I’ve researched in that we’ve combined penetration testing techniques with ways to commit fraud and more importantly, showing real world accounting fraud prevention. Brett Kimmell is a CPA and has many years of experience with accounting and fraud detection. He was also the CFO for a large non-profit organization. Combine this skill set with penetration testing and cutting edge malware development and you have research that truly demonstrates attacks that literally hit the “bottom line” of a company. As a penetration tester I find that gaining access to customer data, passwords, credit cards, PHI and other standard fare (ie: Trophies) are just the beginning of what can damage a company. In this research we take it to the next level and show the damage that can be done where it truly hurts a company: the financial system. It’s my hope is that this is just the start of showing organizations’ true business risk through advanced penetration testing.

In our work we’ve focused our research on Microsoft Dynamics Great Plains (GP). GP is the most popular accounting system used by small to midsized businesses across the world. In our research we show how attackers can commit undetectable fraud by manipulating accounting systems like GP. These attacks are quite different than finding and exposing a 0-day in software, as our research is centered on creating attacks (including custom created malware) that specifically targets a company’s accounting processes. The attacks we illustrate in our research show that technical controls cannot be solely relied on to prevent fraud. Non-technical accounting controls must be implemented and proper oversight maintained to be effective in combating modern fraud.

Next week we will be releasing our whitepaper as well as “Mayhem”, which is proof-of-concept code designed to hijack and manipulate the accounting processes within Microsoft Dynamics GP. Mayhem was created by the talented Spencer McIntyre of SecureState’s Research & Innovation Team. Mayhem is actively being developed but even in its current state (which we will demonstrate at Black Hat) will make you take a hard look at how a company needs to defend against this type of threat. Similar to how banking Trojans have targeted banking consumers in recent years, Mayhem is the first type of attack that we know of that targets the accounting systems of a company. While we focus on Microsoft Dynamics GP in our research, it can be easily ported to other types of accounting systems. Stay tuned next week as we reveal details about Mayhem and how our research puts a new focus on accounting controls.