Social Engineering Example (Transcript from actual compromise)

11th Jan 2006

Nathan House

Social Engineering uses influence and persuasion to deceive people by convincing them that the social engineer is someone he is not, or by manipulation. As a result, the social engineer is able to take advantage of people to obtain information with or without the use of technology.

This is an example of a previous job I performed for a client. See how what seem like insignificant information enables me to build trust with people and achieve my successful compromise of the company.

PC Extreme Interviews our very own Nathan House

3rd Jan 2006

Ed Baldwin and Nathan House, PC Extreme

"Ed Baldwin talks to a man on the edge of computer security - Nathan House"

"What would you be left with if you took a hacker then removed his personality and his malicious interests? The fact is you'd end up with somebody who not only knew a lot about computers, but was also extremely talented. You'd also have somebody who was quite literally an expert when it came to computer and network security."

"But who are these people, what do they do and how do they do it? Join PC Extreme as we talk to top consultant Nathan House about modern network security"

Dilbert on Data Security [Gif]

14th Sep 2005

dilbert.com

Some data security humor from Dilbert.

VISAs Payment Card Industry Data Security Standard [HTML]

19th May 2005

Nathan House

Information to help merchants and service providers processing VISA, MasterCard and other credit cards understand the requirements of the new security standard. Failure to comply can result in permanent prohibition of the merchants or service providers participation in credit card processing programs, and a fine of up to $500,000 per incident.

Statcounter Script Injection User Session Hijack [PDF 82K]

4th May 2005

http://www.securityfocus.com/xxx

xxx

Nathan House

This advisory identifies a vulnerability that can disclose the authentication and session information of the all registered users of statcounter. Statcounter.com is one of the best and most well known website monitoring applications on the Internet. More than 1/2 million website's link to it according to google.

Gossamer Threads Links SQL login XSS Vulnerability [PDF 57K]

4th May 2005

http://www.securityfocus.com/bid/13484/

Secunia Advisory: SA15253

xxx

Nathan House

This advisory identifies a XSS vulnerability in Gossamer Threads database application "Links SQL" login page. This document covers examples of how to exploit the application and the solution provided by Gossamer Threads.

Home PC User Security Check List [PDF 17K]

30th March 2005

Nathan House

This simple checklist helps the home user maintain security on their home computer system and home network.

Default Password List [CSV 92K]
Default Password List [XML 930K]

15th March 2005

Nathan House

A list of the default passwords for standard installations. Used for pen testing and includes 3COM, Cisco, Bay Networks, Compaq, and many others

How in Windows NT/2000/XP is information enumerated through NULL session access, Remote Procedure Calls and IPC$? [TXT 16K]

19th November 2002

Nathan House

Details how hackers gather information through NULL session access, Remote Procedure Calls and IPC$ on Windows NT/2000/XP.

Love Letter (ILOVEYOU) Virus Fix - DIVORCE [ZIP 3K]

4th May 2000

http://www.securityfocus.com/tools/1441

Nathan House, Parv Suleman

This is here for nostalgia only. Do you remember the Love Letter virus? Most people do. It was the very first outlook virus that propagated by sending emails to your contacts list. Many copy cat viruses have followed it. We wrote this quick fix to the virus 2 hours after the virus hit the Internet and it proved to be the first available fix. The virus companies were a litter slower back in 2000. We comically named the fix divorce and it even got a mention on the BBC news at 10.

iPlanet Directory Server 4.11 on Solaris Security Baseline [DOC 1.17MB]

20th April 2000

Nathan House

Details the security actions and considerations to be taken and considered when using iPlanet 4.11 on Solaris 2.6.

BEA Web Logic 4.5.1 on Solaris - Security. As applied to company X. [DOC 672KB]

17th April 2000

Nathan House

This document details the security actions and considerations for BEA Weblogic 4.5.1 on Solaris 2.6 as applied to the Company X web site within Phase I delivery.

The Windows 2000/NT SID (Security ID) explained [TXT 6K]

22nd December 1999

Nathan House

A brief on how the Windows 2000/NT SID (Security ID) works

NTSA v1.0 - NT4 Manual Security Audit [ZIP 373K]

24th May 1999

Nathan House

Defines a manual method for auditing an NT based network for it's security configuration. Updated up until Windows NT4 SP4

Computer Crime & Misuse - Computer Misuse Act 1990 (CMA1990) [DOC 271K]

3rd December 1998

Nathan House

A report on understanding the effectiveness of UK computing legislation, how it effects your organisation, and what your organisation can do to complement the legislation.