Category Archives: Penetration Testing

Slides from my “5 Lessons Learned From Breaking Into A Casino” Webcast

Filed under Penetration Testing
Tagged as , , ,

For those of you that attended the webcast yesterday (and those who didn’t) I’ve uploaded my slides to my SlideShare page.  Thanks to my co-presenters Richard Stiennon and Kevin Henry for presenting some great content with me!  If you’re interested Richard has posted  his slides to SlideShare as well.

Free Webcast April 10th: Learn about APTs, Business Process Hacking and Breaking into a Casino!

Filed under Penetration Testing, Spylogic News
Tagged as ,

On Tuesday April 10th at 12pm EST, 9am PST, 5pm GMT I’ll be presenting “5 Lessons Learned From Breaking In: Confessions of a Pentester & Other Stories” during a free webinar.  I’ll be talking about the five most common ways my team and I break into companies that you would think are highly secured such as energy companies and casinos.  I’ll be joined by Richard Stiennon and Kevin Henry who will be discussing business process hacking and APTs.  When you register you will get entered to win a full version of Netsparker Web Application Scanner (retail value of $5,950).  Register for free here.


Smart Bombs: Mobile Vulnerability and Exploitation Presentation

Filed under Android, Apple, Mobile Applications, Mobile Security, Penetration Testing
Tagged as , , , ,

This week I co-presented “Smart Bombs: Mobile Vulnerability and Exploitation” with John Sawyer and Kevin Johnson at OWASP AppSec DC.  We talked about the some of the current problems facing mobile applications such as flaws found in the OWASP Mobile Top 10 and various privacy issues.  We also talked about how you go about testing mobile applications from the application layer (HTTP) down to the transport layer (TCP) and file system.  I highly recommend you take a look at John’s file system testing methodology as he takes more of a forensic approach which works really well.  The takeaway from the talk is that you need to look at all these areas when testing mobile apps and mobile apps are growing area of concern from a security and privacy perspective.

One update we forgot to mention in the talk is that you should use Mallory, which is a transparent TCP and UDP proxy for testing mobile applications.  This is an excellent tool created by the guys at Intrepidus Group.  We’ve found that some apps will bypass proxy settings and lots of apps are sending data over binary protocols and more.  Mallory is the tool you need for testing any mobile app fully!