PENTESTING TRICKS – PENTEST OPEN 05/13

PENTESTING TRICKS
Social Engineering and Phishing Attacks Using Android Device
By Domagoj Vrataric
Picture this: you are involved in penetration testing of a serious client, a bank or telecommunication company. Besides usual testing of corporate network and Web applications, it is very important to make sure that all employees are introduced to risk of social engineering and phishing attacks. This article will show how it is possible to make such attacks with Android device and a few applications.

Using XSS in a Spear-Phishing Attack
By Carlos A. Lozano
When a client asks for a social engineering tests, most part of security consultants try to perform a phishing. However, there is a lot of other possibilities to get better results without complexity. By reading this article you will learn how to mix simple techniques with malicious ones to evaluate security controls where people are involved.

Wireless Penetration Testing: Beyond the IEEE 802.11 Family of Standards
By Francesco Perna
The wireless penetration testing covers a large family of wireless protocols. Usually the penetration testing companies offer to their Customer only WiFI (IEEE 802.11 family of standards) penetration test, leaving out the others widespread wireless technologies. Wireless protocols like Bluetooh, ZigBee, RFID, NFC, GPRS/EDGE/HSPA, SAT are often used by the Companies in the mission-critical environments, but the security problems are often upstaged by the business needs until a threat agent remembers them how expensive is a breach in terms of money and reputation.

CASE STUDIES
Hacking a Bank
By Andrei Bozeanu
A couple of years ago, I was contacted by a major commercial bank in my country to conduct a series of Blackbox penetration tests against their external network, recently after they acquired a very costly Information Security Management System from a major international audit firm. The real reason they contracted my services was in fact to see how their newly employed system would react in a real life scenario, and the scope of my actions was to gain access to their internal network, and no one, myself included thought this was going to be an easy task. Challenge accepted!

Do No Harm
By Jack Jones
There is no question that penetration testing, done well, can be incredibly valuable in helping executives make well-informed decisions to better manage their company’s risk landscape. A pentest, however, can be worse than useless if it results in wasted resources and unnecessary business impact. The difference often hinges on the critical thinking you apply when interpreting test results.

WAR CAMP
Applying a Security Compliance Framework to Prepare Your Organization for Cyberwarfare and Cyberattacks
By William F. Slater, III
One of the main disadvantages of the hyper-connected world of the 21st century is the very real danger that countries, organizations, and people who use networks computer resources connected to the Internet face because they are at risk of cyberattacks. This article will introduce come concepts about the realities and weapons of cyberwarfare and discuss how an organization can use a security compliance framework of controls to mitigate the risks.

Integration of Cyberwarfare and Cyberdeterrence Strategies into the U.S. CONOPS Plan to Maximize Responsible Control and Effectiveness by the U. S. National Command Authorities
By William F. Slater, III
This paper deals with issues related to the present situation of lack of a clearly defined national policy on the use of cyberweapons and cyberdeterrence, as well as the urgent present need to include strategies and tactics for cyberwarfare and cyberdeterrence into the national CONOPS Plan, which is the national strategic war plan for the United States.

LET’S TALK ABOUT SECURITY
SECUCON 2013 Conference Summary
By PenTest Team
SECUCON 2013 – A conference hosted by SECUGENIUS – A unit of HARKSH Technologies Pvt Ltd at GGNIMT, Ludhiana with a vision to create awareness for the need of SECURITIES in social living and to spread a message of generating opportunities in the same field. The article covers a short summary of the event.

Smartphone a win-win product for both consumers and sellers
By Rajiv Ranjan
Nowadays, Smartphones are the basic part of life for every corporate employee. They use
smartphone devices to gain access to the companies credential and to check company specific
mails and data. Thus security remains a big concern at the workplace. So penetration testing
needs to be done at every available aspect whenever it is possible.

INTERVIEW
Interview with Ian Whiting, CEO of Titania Company
Ian Whiting has been working with leading global organizations and government agencies to help improve computer security for more than a decade. He has been accredited by CESG for his security and team leading expertise for over 5 years. In 2009 Ian Whiting founded Titania with the aim of producing security auditing software products that can be used by non-security specialists and provide the detailed analysis that traditionally only an experienced penetration tester could achieve.
By PenTest Team

PRODUCT REVIEW
Titania’s Paws Studio Review
By Jim Halfpenny
Whether you see compliance as a burden or an aspiration we are frequently mandated to meet a
certain set of security requirements around our information assets. One important aspect is
being able to demonstrate to yourself and to others that your systems meet the criteria set by
your compliance regime. How do you ensure that your systems are compliant with your policies
or those mandated by compliance standards? A program of auditing your systems will help you
understand the state of your estate.