
Internet-Based World Security


DESCRIPTION

The Rise and Fall of Megaupload.com and Kim Dotcom, and the Possible Implications for the Internet-based World of Piracy and Theft of Intellectual Property
Kim Dotcom’s Letter to Hollywood
Hacking Humans: The Story of a Successful Well-planned Social Engineering Attack
Social Engineering: The Single Greatest Threat to Organizational Security
The Digital Dojo: Sharpening Your Hacking Skills At Home


Page 1: Internet-Based World Security
Page 2: Internet-Based World Security

TEL +44 (0)207 127 4501 FAX +44 (0)207 127 4503 EMAIL [email protected]

www.cybersecurityuae.com Conference & Exhibition

CYBER SECURITY UAE SUMMIT 2013
March 18th & 19th, Dubai

Developments, Strategies and Best Practice in Global Cyber Security

Assess the nature of the latest threats being faced and the impact of these upon your organisation

Discuss the most promising cyber security technologies in the marketplace

Assess the trends to watch in global cyber security

International Case Studies: Discover the best practice in protecting your organisation from cyber-attack

Network with your industry peers in the comfort of a 5 star venue

The only event of its kind to take place in the Middle East

Special focus on the Banking, Oil & Gas & Government Sectors

Featuring Cyber Security Training Workshops on how to Protect Your Organisation from Cyber Attack

Protecting critical infrastructures

Main Sectors Covered:

2nd Annual CYBER SECURITY UAE TECH 2013

Hurry, exhibition space for the 30 booth exhibition is expected to sell out.

For further details on exhibiting please email [email protected]


Electricity & Water
Oil & Gas
Financial Services
Transportation
Government
Defense

Join us for the Gala Dinner and Networking Evening and make valuable networking contacts

GOLD SPONSOR

SILVER SPONSOR

The only event of its kind to take place in the UAE

Featuring 30 top level speakers!

STEVE HAILEY, President CEO, CYBER SECURITY INSTITUTE

USAMA ABDELHAMID, Director, UBS

KENAN BEGOVIC, Head of Information Security, AL HILAL BANK

AHMED BAIG, Head, Information Security and Compliance, UAE GOVERNMENT ENTITY

ZAFAR MIR, Regional Manager Information Security Risk, HSBC BANK MIDDLE EAST

MAHMOUD YASSIN, Lead Security & System Eng Manager, NATIONAL BANK OF ABU DHABI

AMR GABER, Senior Network Security Engineer, DUBAI STATISTICS CENTRE

HUSSAIN ALKHASAN, IT GRC Manager, COMMERCIAL BANK OF DUBAI (UAE)

AYMAN AL-ISSA, Digital Oil Fields Cyber Security Advisor, ABU DHABI MARINE OPERATING COMPANY

TAMER MOHAMED HASSAN, Information Security Specialist, UAE GOVERNMENT ENTITY

OMER SYED, Project Manager, ROADS & TRANSPORT AUTHORITY

BIJU HAMEED, ICT Security Manager, DUBAI AIRPORTS

AL BALUSHI BASHEER, Manager of Information Security and Systems Engineering, NATIONAL BANK OF OMAN

NAVEED AHMED, Head of IT Security, DUBAI CUSTOMS

MOHAMMED AL LAWATI, ICT policy and Procedure Advisor, OMAN AIRPORTS MANAGEMENT COMPANY

MOHAMED ROUSHDY, Chief Information Officer, NIZWA BANK

HESHAM NOURI, IT Manager, KUWAIT OIL COMPANY

ASHRAF SHOKRY, Chief Information Officer, AJMAN BANK

MOSTA AL AMER, Information Security Engineer, SAUDI ARAMCO

RIEMER BROUWER, Head of IT Security, ADCO

ANDREW JONES, Chairman of Information Security, KHALIFA UNIVERSITY

MURTAZA MERCHANT, Senior Security Analyst, EMIRATES AIRLINE

FURQAN AHMED HASHMI, Architect, EMIRATES INVESTMENT AUTHORITY

Plus many more to be announced!

Page 4: Internet-Based World Security

02/2013

02/2013 (11)


Team

Editor in Chief: Ewa [email protected]

Managing Editor: Ewa [email protected]

Editorial Advisory Board: Scott Paddock, Matthew Holley, Derek Thomas, Imad Soltani, Gavin Inns

Proofreaders: Ewa Duranc, Derek Thomas, Kishore P.V.

Special Thanks to the Beta testers and Proofreaders who helped us with this issue. Without their assistance there would not be a Hakin9 magazine.

Senior Consultant/Publisher: Paweł Marciniak

CEO: Ewa [email protected]

Production Director: Andrzej Kuca [email protected]

Art Director: Ireneusz [email protected]

DTP: Ireneusz Pogroszewski

Publisher: Hakin9 Media
02-682 Warszawa, ul. Bokserska 1
Phone: 1 917 338 3631
www.hakin9.org/en

Whilst every effort has been made to ensure the high quality of the magazine, the editors make no warranty, express or implied, concerning the results of content usage.

All trade marks presented in the magazine were used only for informative purposes.

All rights to trade marks presented in the magazine are reserved by the companies which own them.

DISCLAIMER!

The techniques described in our articles may only be used in private, local networks. The editors hold no responsibility for misuse of the presented techniques or consequent data loss.

Dear Hakin9 Readers,

In the second issue of Hakin9 OnDemand in 2013 we will provide you with plenty of information on Cybersecurity and the safety of the Internet-Based World. The newest issue of Hakin9 OnDemand is divided into a few sections. The first one, Burning issue – megaupload.com, is devoted to Kim Dotcom. In this section one can find two articles, presenting two sides of a coin on this burning issue. In the next section, Attack, Hakin9 OnDemand will teach you about the insider threat to cybersecurity. Thus, you will be able to control and mitigate all the threats in your organization. Furthermore, you will find out how to sharpen your hacking skills at home. This article will examine the Digital Dojo: the hacker’s home lab, the tools of the trade, and the various avenues available which may aid in growing the craft during off-hours at home. In this section you will also find the story of a successful well-planned attack. After reading this article you will definitely know what steps could have been taken to recognize and nullify or avoid this exploit. The last section of this month’s issue is entitled Plus. Here you will find an interview with William F. Slater, III in which he discusses his story with Hakin9 magazine. In the same section you can find a press release by Digital Shield Summit.

Enjoy reading!

Ewa Duranc and Hakin9 Team


Page 5: Internet-Based World Security

CONTENTS

BURNING ISSUE – MEGAUPLOAD.COM

The Rise and Fall of Megaupload.com and Kim Dotcom, and the Possible Implications for the Internet-based World of Piracy and Theft of Intellectual Property
By William F. Slater, III
In January 2012 the U.S. Government took down the Megauploads.com website and then quickly filed charges against the owner, Kim Dotcom, and his colleagues for alleged “copyright infringement, conspiracy to commit money laundering, racketeering, rewarding users who uploaded pirated content for sharing, and turning a blind eye to requests from copyright holders to remove copyright-protected files.”

Kim Dotcom’s Letter to Hollywood
By Kim Dotcom
The Internet frightens you. But history has taught us that the greatest innovations were built on rejections. The VCR frightened you, but it ended up making billions of dollars in video sales. You get so comfortable with your ways of doing business that any change is perceived as a threat. The problem is, we as a society don’t have a choice: The law of human nature is to communicate more efficiently.

ATTACK

Insider Threat to Cybersecurity – Fighting the Enemy Within
By Arun Chauhan
This article explains Insider Threats to cyber security in an organisation, with real life case examples. The author is of the opinion that organisations have a tendency to lay more emphasis on securing their perimeters and take the insider threat lightly. Further, the author believes that processes which we implement in our organisation have a more important role to play than technology in safeguarding from insider threats and recommends certain common guidelines / controls for mitigating this threat.

Cybersecurity Constantly Under Attack
By RIFEC – Research Institute of Forensic and E-Crimes – Massimiliano Sembiante
Cybersecurity, crime, terrorism, attacks, wars, these and other “cyber categories” continue to be used more or less indiscriminately in many areas. This is partly attributed to the fact that the industry is evolving rapidly as well as because of the complexity resulting from the combination of information technology and communications (Information and Communication Technology, ICT) with other systems essential for sustainability of the key features of modern societies (the so-called critical infrastructures).

Hacking Humans: The Story of a Successful Well-planned Social Engineering Attack
By William F. Slater, III
This paper will review an actual incident related to a social engineering exploit, why this exploit was effective, and what steps could have been taken to recognize and nullify or avoid this exploit. The exploit that will be described involves authority, pretexting, and deception, resulting in psychological manipulation. The exploit had serious consequences, both in my personal and professional life.

The Digital Dojo: Sharpening Your Hacking Skills At Home
By Terrance Stachowski and Michael Simbre
Ask any skilled hacker or penetration tester how they became proficient at their craft and they will likely tell you that they have spent an unbelievable amount of solitary hours hammering away at a keyboard to hone their hacking skills.

PLUS

Social Engineering: The Single Greatest Threat to Organizational Security
By Terrance J. Stachowski, CISSP, L|PT
Security planning is an onerous, complex and continual process, largely because there exist two factions which are continually at odds with one another. Security professionals work to erect walls which provide security to an organization’s data, networks, and personnel – whereas the opposition is continually developing ways to go over, under, around or through security barriers.

Interview with William F. Slater, III
By Ewa Duranc
I was inspired to write it because I knew that applying the concepts described in the article would help make cyberspace a little safer. The article explains how using a well-designed security compliance framework can help an organization defend against the perils of cyberattacks and cyberwarfare. As far as I know, no one has yet been bold or knowledgeable enough to take the time to write such an article for the general public.

Digital Shield Summit – Press Release
Monday, February 18, 2013; Dubai: Ideanomics today officially announced the Emirates Identity Authority’s involvement with Digital Shield Summit 2013. H.E. Dr. Eng. Ali Mohamed Al Khouri, Emirates ID Director General, will be the Chief Guest of Honour and will be inaugurating the summit to be held on the 21st and 22nd of April in Abu Dhabi, United Arab Emirates.


Page 6: Internet-Based World Security


BURNING ISSUE – MEGAUPLOAD.COM

The Rise and Fall of Megaupload.com and Kim Dotcom, and the Possible Implications for the World of Internet-based Software Piracy and Theft of Intellectual Property

In January 2012 the U.S. Government took down the Megauploads.com website and then quickly filed charges against the owner, Kim Dotcom, and his colleagues for alleged “copyright infringement, conspiracy to commit money laundering, racketeering, rewarding users who uploaded pirated content for sharing, and turning a blind eye to requests from copyright holders to remove copyright-protected files.” Kim Dotcom and his colleagues were arrested a few hours later in New Zealand and await extradition to the U.S. to be tried for these charges. Conviction on these charges could result in severe fines and possibly many years in a U.S. Federal prison. This paper will discuss the rise and fall of Kim Dotcom and Megauploads.com and it will review how lawful governments may treat similar offenses in the future.

Less than 24 hours after the end of the global SOPA protest on the world wide web, on January 19, 2012, the governments of the U.S. and New Zealand acted swiftly to stop the Megauploads.com empire that Kim Dotcom had built. The U.S. Department of Justice shut down the Megaupload.com website and produced a 72-page federal indictment against Kim Dotcom, Megaupload.com, and several of the business partners for alleged “copyright infringement, conspiracy to commit money laundering, racketeering, rewarding users who uploaded pirated content for sharing, and turning a blind eye to requests from copyright holders to remove copyright-protected files.” Almost 12,000 miles away, on January 20, 2012, New Zealand’s law enforcement authorities were forcibly entering Mr. Dotcom’s home, a leased luxury mansion in the serene New Zealand countryside, and forcing their way into a “safe room” where Mr. Dotcom was hiding with guns, cash, and his closest colleagues (Acohido, 2012). Mr. Kim Dotcom and his colleagues were then arrested and now await extradition to the U.S. to be tried for these charges. Conviction on these charges could result in severe fines and possibly many years of imprisonment in a U.S. Federal prison. This paper will discuss the rise and fall of Kim Dotcom and Megaupload.com and it will review how lawful governments may treat similar offenses in the future.

Originally known as Kim Schmidt, Mr. Dotcom, a native citizen of Germany, began his computer career in Germany in his early 20s in the early 1990s. He first began his career as a “computer expert” and then very shortly afterwards opened a computer security-related business. A short time later, Mr. Schmidt was indicted in Germany on computer fraud charges and later paid a fine and was released on probation. A few years later, Mr. Schmidt changed his name legally to “Kim Dotcom”, perhaps as a prelude to starting the Megaupload.com business, and to position himself as a self-styled Internet mogul entrepreneur.

Now as a 38-year old German foreign national and temporary resident of New Zealand, at 6 feet 6 inches tall and over 285 pounds, Mr. Kim Dotcom is, both in stature and in his actions, a larger than life figure, who openly flaunted his wealth and his playboy lifestyle, the obvious results of the success of his Megaupload.com business (MikelVizualBazzikHck, 2012). With an annual income of more than $30 million, the flamboyant Mr. Dotcom could afford nearly everything he wanted, except permanent citizenship as a New Zealander. Yet after his arrest on January 20, 2012, he and his colleagues

Page 7: Internet-Based World Security

Europe’s No. 1

Information Security Event

SECURE BUSINESS

SECURE THINKING

23-25 April 2013

Earls Court London UK

Organised by:

Follow us @infosecurity

Why Attend Infosecurity Europe 2013?

Access Europe’s most extensive & free to attend knowledge enhancing educational programme

Meet over 300 leading information security suppliers – identify best of breed, cutting edge technology & see real solutions in action

Hear from real experts & respected public & private sector IT practitioners to discover how they spent their budget on the right products, services and solutions

Network with your peers through a wide range of activities including workshops & evening receptions

Earn CPE credits by attending the free educational programme

Register for FREE at infosec.co.uk/register *

* Visitor registration is free online before Friday 19th April at 5pm. Onsite registration £20.

Page 8: Internet-Based World Security


BURNING ISSUE – MEGAUPLOAD.COM

Kim Dotcom’s Letter to Hollywood

Dear Hollywood,

The Internet frightens you. But history has taught us that the greatest innovations were built on rejections. The VCR frightened you, but it ended up making billions of dollars in video sales.


You get so comfortable with your ways of doing business that any change is perceived as a threat. The problem is, we as a society don’t have a choice: The law of human nature is to communicate more efficiently. And the economic benefits of high-speed Internet and unlimited cloud storage are so great that we need to plan for the day when the transfer of terabytes of data will be measured in seconds.

Businesses and individuals will keep looking for faster connectivity, more robust online storage and more privacy. Transferring large pieces of content over the Internet will become common – not because global citizens are evil but because economic forces leading to “speed of light” data transfer and storage are so beneficial to societal growth.

Come on, guys, I am a computer nerd. I love Hollywood and movies. My whole life is like a movie.

I wouldn’t be who I am if it wasn’t for the mind-altering glimpse at the future in Star Wars. I am at the forefront of creating the cool stuff that will allow creative works to thrive in an Internet age. I have the solutions to your problems. I am not your enemy.

Providing “freemium” cloud storage to society is not a crime. What will Hollywood do when smartphones and tablets can wirelessly transfer a movie file within milliseconds?

The very powerful and the very stupid have one thing in common. Instead of changing their views to fit the facts, they try to

Page 9: Internet-Based World Security

ATTACK

Insider Threat To Cyber Security – Fighting The Enemy Within

This article explains Insider Threats to cybersecurity in an organisation, with real life case examples. The author thinks that organisations have a tendency to lay more emphasis on securing their perimeters and take the insider threat lightly. Further, the author believes that processes which we implement in our organisation have a more important role to play than technology in safeguarding from insider threats and recommends certain common guidelines / controls for mitigating this threat.

This article is meant for a diverse audience. Decision makers across an organization will benefit from reading it because insider threats are influenced by a combination of technical, behavioural, and organizational issues and must be addressed by policies, procedures, and technologies. Staff members of an organization’s management, HR, Legal, Physical Security, Data Owners, IT, and Software Engineering groups should all understand the overall scope of the problem and communicate it to all employees in the organization.

What do we understand by Insider Threat?

In its simplest form, it means all individuals who have or had authorised access to our cyber infrastructure and resources and intentionally misuse that access to endanger the confidentiality, integrity and availability of the organisation’s data. Special emphasis must be laid upon individuals who have recently left the organisation or are in the process of leaving. The reasons for which they leave the organisation also assume importance whilst formulating an insider threat policy. The following personnel fall into the category of insider threat in the context of cyber security:

• Current or former employees
• Current or former business partners and outsourcing companies

Insider threat becomes even more dangerous to an organisation when we consider the scenario where there is collusion between insiders and business competitors, organised crime and even foreign governments.

Why are we more vulnerable from inside?

It is a human tendency to expect threats from outside and ignore the trouble indicators within the organisation. The first steps towards securing the cyber infrastructure are always directed at securing the perimeters and external interfaces of the organisation. The best of technology is bought and implemented, and we slowly and deeply sink into the “comfort zone” of being secure. We forget that off the shelf security measures most of the time do not cater to the threat arising from inside. As most of my pen testing buddies would agree, the reverse connect payload is a good indicator of how attackers have realised this vulnerability of organisations: not checking the traffic originating from inside.

In my early days of pen testing, I often heard this example of breaking into the network being similar to cracking a coconut – hard from outside but soft and creamy from inside. The person outside the organisation always has the tough job of breaking in through solid defences and needs a higher level of expertise and resources to accomplish his task. Even then his chances are slim, compared to a malicious insider already sitting inside the network who merely has to do what the external attacker calls “post exploitation” tasks. He has the access and authorisation and, most importantly, the trust of the resource owner.
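The two checks this section argues for, activity from accounts whose owner has left or is leaving and traffic leaving the network from inside that perimeter-facing controls never inspect, as an added example in Python that is not part of the original article: every log line, address, username and HR roster entry is constructed, and the one-record-per-line log layout is an assumption of the example.

```python
"""Insider-threat checks over a constructed connection log.

Two checks this article argues for, from the defender's side:
  1. activity from accounts whose owner has left or is leaving the
     organisation, or that have no HR record at all;
  2. connections from inside the network to destinations not on the
     approved egress list, the traffic a reverse-connect payload relies
     on and that perimeter-only monitoring never inspects.
Every log line, address, username and roster entry here is constructed
for the example and describes no real infrastructure.
"""
from dataclasses import dataclass
from datetime import date, datetime
from ipaddress import ip_address, ip_network

INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]

# Approved egress as (destination network, port). Constructed allowlist:
# only HTTPS to the organisation's proxy provider range is permitted.
EGRESS_ALLOWLIST = [(ip_network("203.0.113.0/24"), 443)]

# Constructed HR roster: username -> last working day (None = employed).
HR_ROSTER = {
    "alice": None,
    "bob": date(2013, 1, 31),    # left the organisation
    "carol": date(2013, 3, 15),  # resigned, serving notice
}

# Constructed log. Fields: timestamp user src_ip dst_ip dst_port
SAMPLE_LOG = """\
2013-02-10T09:12:01 alice 10.1.2.3 203.0.113.10 443
2013-02-10T09:15:42 bob 10.1.2.7 203.0.113.10 443
2013-02-10T22:03:11 alice 10.1.2.3 198.51.100.77 4444
2013-02-10T22:05:00 carol 192.168.4.9 203.0.113.10 443
2013-02-10T22:07:30 carol 192.168.4.9 198.51.100.77 443
2013-02-10T22:10:05 mallory 10.1.9.9 203.0.113.10 443
"""


@dataclass
class Event:
    ts: datetime
    user: str
    src: str
    dst: str
    port: int


def parse_log(text: str) -> list:
    """Parse the space-separated constructed log format into Event records."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, user, src, dst, port = line.split()
            events.append(Event(datetime.fromisoformat(ts), user, src, dst, int(port)))
    return events


def is_internal(addr: str) -> bool:
    return any(ip_address(addr) in net for net in INTERNAL_NETS)


def egress_allowed(dst: str, port: int) -> bool:
    ip = ip_address(dst)
    return any(ip in net and port == p for net, p in EGRESS_ALLOWLIST)


def account_status_findings(events: list, roster: dict) -> list:
    """Return (user, reason, ts) for activity by departed, departing or
    unrecorded accounts. A departing user is not necessarily malicious,
    but the article singles that group out for closer review."""
    findings = []
    for ev in events:
        if ev.user not in roster:
            findings.append((ev.user, "no_hr_record", ev.ts))
            continue
        last_day = roster[ev.user]
        if last_day is not None:
            reason = "departed" if ev.ts.date() > last_day else "departing"
            findings.append((ev.user, reason, ev.ts))
    return findings


def unapproved_egress(events: list) -> list:
    """Connections from an internal host to an external destination/port
    pair that is not on the egress allowlist."""
    return [ev for ev in events
            if is_internal(ev.src) and not is_internal(ev.dst)
            and not egress_allowed(ev.dst, ev.port)]


def review(text: str, roster: dict) -> dict:
    """Run both checks over a log and return the findings by category."""
    events = parse_log(text)
    return {
        "accounts": account_status_findings(events, roster),
        "egress": [(ev.user, ev.dst, ev.port) for ev in unapproved_egress(events)],
    }


if __name__ == "__main__":
    for kind, items in review(SAMPLE_LOG, HR_ROSTER).items():
        print(kind, *items, sep="\n  ")
```

In the constructed log the reverse-connect style session (an internal host talking to an outside address on port 4444) and the departed account still generating traffic are both surfaced, while the approved proxy traffic is ignored.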

What risks are posed by a malicious insider to an organisation?

Data theft

With the proliferation of mobile storage and computing devices, the problem of data theft by insiders has multiplied manifold. This coupled with a never before

Page 10: Internet-Based World Security

ATTACK

Cybersecurity Constantly Under Attack

Cyber security, crime, terrorism, attacks, wars, these and other “cyber categories” continue to be used more or less indiscriminately in many areas.

This is partly attributed to the fact that the industry is evolving rapidly as well as because of the complexity resulting from the combination of information technology and communications (Information and Communication Technology, ICT) with other systems essential for sustainability of the key features of modern societies (the so-called critical infrastructures).

Whether for espionage or sabotage purposes, corporations, governments, militaries and banks are increasingly becoming the target of criminal activities. Attacks such as viruses, DDoS, exploitation techniques, hijacking, etc. are constant threats to all existing assets. Hackers specifically target the weak parts of network infrastructures to penetrate fortified systems and commit cyber-crimes.

It’s a real war out there, but it’s taking place on a new battlefield, “The Network”.

Modern economies are preparing to protect themselves from cyber-attacks, investing significant budgets in research, countermeasures and investigation. Critical infrastructures must be prepared for potential threats that may impact them, resulting in economic and reputational losses.

Cyber-attacks can be performed in many different ways. Common attack vectors are:

• Scam Email – using Social Engineering techniques to convince the receiver to open fake links or files.
• Network – using, for example, PHP scripts or Web Applications written for Apache.
• Instant Messenger – using social engineering and other vulnerabilities.
• Distributed denial of service – occurs when multiple systems (i.e. using a botnet) flood the bandwidth or resources of a targeted system.
• Virus infection – viruses such as Trojans, spyware, worms etc. can be conveyed to the target system in many different ways. In many cases infection can spread rapidly, compromising a huge number of computers in a short time.

Cyber-hacktivism and cyber-terrorism

Cyber-criminals are not only targeting money and data; hacktivists and cyber terrorists, for instance, are politically motivated and aim to attack and compromise infrastructures in order to gain visibility and defend their country’s honor or promote specific causes.

These attacks have ranged from mere annoyances, such as the defacement of websites, to full-scale digital blockades of the target country, such as the 2007 cyber-attacks against Estonia, most likely one of the biggest public cyber-wars between two countries (Ref. 01).

The entire X-Road (Figure 1), the Estonian e-infrastructure, a system of more than 355 government organizations interconnected, including services such as Telecom, Tele2, Uninet, Delfi, Atlas Communications and many others, was under cyber-attack for about 3 weeks. The Estonian Government claimed the attack was launched by the Russian Government as a political repercussion.

Probably the most important case associated with APT (Advanced Persistent Threat) so far has been “Titan Rain” (Ref. 03). This was the designated name that the US Government gave to a per-

Page 11: Internet-Based World Security

Web: www.rifec.com
Twitter: www.twitter.com/rifec
LinkedIn: www.linkedin.com/company/rifec
Email: [email protected]

Protection through Research

The growth of the internet and the massive use of new technologies has been the biggest social change of this lifetime. Increasing dependence on these technologies has brought new risks. RIFEC takes these risks seriously. In our laboratories we conduct research to tackle these threats and develop our response. Our objective is to set strategies to reduce vulnerabilities and secure the benefits of a trusted digital environment for businesses and individuals.

RIFEC OFFERS A FREE RISK ANALYSIS SERVICE. CONTACT US FOR FURTHER INFORMATION

RESEARCH INSTITUTE OF FORENSIC AND E-CRIME

Page 12: Internet-Based World Security

ATTACK

Hacking Humans: The Story of a Successful Well-planned Social Engineering Attack


The exploit had serious consequences, both in my personal and professional life. The exploit was short-lived, occurring in August 2008, but very likely damaged my career and reputation at Gehenomsoft where I was employed at the time. In addition, this exploit quickly escalated to a criminal assault against me, and though the case was never resolved, it was a very traumatic experience. This paper will explore why each of these social engineering techniques was effective, and how I could apply knowledge and techniques learned in the materials from my Social Engineering class, as well as other research materials, to prevent similar attacks.

Using Authority and Pretexting as Social Engineering Weapons

This brief paper will examine an incident in which authority and pretexting were used with deception to help an intruder gain access to an office area that was protected by traditional physical security controls as well as policies, and the outcomes of this incident. In his book, Influence: Science and Practice, Robert Cialdini discusses the concept of authority as a trigger that can influence human behavior, for better or worse (Cialdini, 2009). Pretexting is a social engineering technique in which the social engineer invents a story that sounds convincing, so that he or she may gain a favor or access to an area to which they might not otherwise be able to obtain access (Hadnagy, 2011). Each of these social engineering techniques, used with deception, intent, and motive, can constitute a formidable threat that can overcome most people without the specialized experience and training to recognize them. This incident happened to me at the Gehenomsoft Midwestern Regional Office in Downers Grove, IL, while I worked at Gehenomsoft in 2008.

In his book, Cialdini reviewed the classic 1974 case study of Professor Milgram as an example of how authority could be used to influence behavior. The Milgram study showed a truly dark side of authority, where his student subjects were willing to follow orders to send large voltages of electricity into the bodies of the study’s participants, despite what the subjects’ consciences might otherwise have led them to believe about whether following these orders was morally right or wrong. The fact that these subjects consistently followed orders and shocked the participants without argument, compassion, or question illustrated the degree to which they were influenced by his authority as a professor and the architect of the study. This was Milgram’s simple final conclusion of his experiment: “It is the extreme willingness of adults to go to almost any lengths on command of an authority that constitutes the chief finding of the study” (Cialdini, 2009).

The Social Engineering Exploit: What Happened?

This social engineering attack, which involved the use of authority, pretexting and deception, occurred on Friday evening, August 22, 2008, at the site of Gehenomsoft’s Midwest Regional Office in Downers Grove, IL. The intruder had quietly entered the building past the first floor security checkpoint about 6:00 PM and appeared in the hallway on the third floor of this secure office building after business hours,

Page 14: Internet-Based World Security

ATTACK

The Digital Dojo: Sharpening Your Hacking Skills At Home

Ask any skilled hacker or penetration tester how they became proficient at their craft and they will likely tell you that they have spent an unbelievable amount of solitary hours hammering away at a keyboard to hone their hacking skills.

Serious hackers and penetration testers might be largely self-taught, have studied for security or networking certifications, pursued an IT security degree, or found guidance under a patient and experienced mentor, but one thing almost every one of them will have in common – especially if they are trying to remain proficient – is that they are continuously learning, expanding their knowledge, and practicing to keep their skills sharp. The goal of this paper is to look at ways of keeping that digital sword sharp, and one of the best ways to do so is through hands-on practice. This article will examine the Digital Dojo: the hacker’s home lab, the tools of the trade, and the various avenues available which may aid in growing the craft during off-hours at home.

Introduction

Hacking isn’t a skill one simply learns overnight; it takes immeasurable hours of learning, analysis, trial-and-error, and a ghoulish level of tenacity. There are so many sub-categories of hacking that no individual hacker is likely to be a master of them all; the majority will focus their efforts on specific areas of expertise and attempt to learn the basics of the areas outside their wheelhouse. For example, a hacker who specializes in network security may not be as sharp at webpage exploitation; a systems expert may not be graceful at social engineering, and so on. There’s simply too much to learn and the landscape is constantly changing, making it nearly impossible to maintain a true mastery of all aspects of hacking. For example, there are various programming languages a hacker may want to become proficient in: Python, Perl, C++, Java, and though not really a language, HTML; it could take years to master these alone, but learning to program isn’t where a hacker stops; it’s more likely where they begin. Most hackers will want to have at least a ba-

Figure 1. Digital Dojo (2013). Art by Terrance Stachowski

Page 16: Internet-Based World Security

PLUS

Social Engineering: The Single Greatest Threat to Organizational Security

Security planning is an onerous, complex and continual process, largely because there exists two factions which are continually at ends with one another. Security professionals work to erect walls which provide security to an organization’s data, networks, and personnel – whereas the opposition is continually developing ways to go over, under, around or through security barriers.

One major problem with many security plans is that most organizations focus exclusive-ly on technical countermeasures, but the

weakest link in security, the human element, is of-ten overlooked. Attackers are aware of this defi-ciency, and use an unethical approach known as social engineering to exploit this weakness. This paper examines how social engineering attacks take advantage of normal human behavior and demonstrates the real and present threat that this type of dishonest attack poses. Historical data ex-tracted from Kevin Mitnick’s case, and the DEF-CON 18 Social Engineering Capture-the-Flag (CTF) – How Strong is Your Schmooze results will be utilized to build this case study. Additionally, this paper will investigate what organizations can do to diminish this threat.

Introduction

In the current age of technology, many organizations have come to rely on information systems as one of the most important tools for facilitating nearly every aspect of business activities. The use of information technology expedites workflow, increases productivity, accelerates communication and allows multiple employees to view and work on a single project concurrently. One major concern with organizations relying so heavily on information systems is that enormous amounts of data, much of which could be considered sensitive or valuable in nature, are used, stored, and created on these systems.

Security has become a critical affair for managers at all levels of innumerable governments and organizations; clients with concerns about protection of their personally identifiable information (PII), privacy and identity fraud or theft are demanding it; vendors, suppliers, and business partners require it from one another, especially when there exists mutual network and information access (Allen, 2009).

Though many organizations take security seriously and put an enormous emphasis on both technical and physical safeguards such as firewalls, ID cards, intrusion detection systems (IDS), and guards, there is little emphasis placed on the human element of security. A million dollars' worth of state-of-the-art technical and physical safeguards could be, and continues to be, rendered useless by hackers who know how to manipulate and bypass the weakest link in any security program: the human being.

Understanding Social Engineering

Social engineering is the art, or better put, the science, of expertly manipulating other humans into taking some form of action in their lives (Hadnagy, 2011). A social engineer is someone who takes advantage of the credulity, indolence, good manners, or even passion of employees (Microsoft, 2006). Social engineering is basically a con-game, and the social engineer is nothing more than a sophisticated con-artist who employs tactics of skillful lying, influencing, persuading, smooth talking, trickery, and deception to convince their target that they are someone they are not, or that they require access to something they do not have authorization to access.



Ewa Durnac: How was your article selected for publication by Hakin9?

William F. Slater, III: I was identified as a Cybersecurity professional who is also a writer back in October 2012. They contacted me via e-mail and asked me to start writing articles for Hakin9 magazine. I think that they found me either on LinkedIn.com or via a Google search. The January 2013 article was my fourth article with the magazine. The editors and publishers at Hakin9 magazine are also fun to work with and they seem to appreciate working with Cybersecurity professionals who can write and deliver articles that meet their quality standards as well as their publication submission deadlines.

ED: Was the article something that developed out of a class project?

WS: No. I was inspired to write it because I knew that applying the concepts described in the article would help make cyberspace a little safer. The article explains how using a well-designed security compliance framework can help an organization defend against the perils of cyberattacks and cyberwarfare. As far as I know, no one has yet been bold or knowledgeable enough to take the time to write such an article for the general public. Note that I did not receive any academic credit or even any compensation for writing this article.

ED: What led to your interest in Bellevue University's Cybersecurity program?

WS: I was accepted into the M.S. in Cybersecurity program at Bellevue University on Friday, Aug. 26, 2011. I chose this program for two reasons: 1) you folks appear to really have your act together compared to everyone else; and 2) I hope to work at least another 20 years, and the Bellevue University M.S. in Cybersecurity program will equip me to accomplish some great things, including teaching and equipping the Cyberwarriors of America's future.

I have been making a living in Information Technology since I started my service in the United States Air Force in July 1977. I served as a Computer System staff officer (AFSC 5135B) at Strategic Air Command Headquarters supporting the command control systems that provided command control and communications capability to SAC forces globally for the leadership of SAC and also the National Command Authorities. If you are interested in what I did at HQ SAC, there are several interesting pictures here: http://billslater.com/my-usaf. After becoming ill in 1980, I left active duty in October 1980 and travelled to Houston, TX to begin my civilian career in IT. My career has involved many roles and many technologies over the years. You can see a synopsis of my career here: http://billslater.com/career and here: http://billslater.com/interview.

ED: What has been your impression of the program thus far?

WS: It's been very educational and VERY intense. I am completing my 11th and 12th classes in this program and it basically means that whenever school is in session, I have had no weekend time off since August 2011. Between work, teaching, and my M.S. in Cybersecurity course work, I have stayed extremely busy. It has been worth it, but I don't think people outside the program re-

An Interview with William F. Slater, III
M.S. in Cybersecurity Program, Bellevue University, Bellevue, NE



Digital Shield Summit Announces Partnership with Emirates Identity Authority

EIDA Group Director to inaugurate summit, speaker lineup unveiled; including Dubai Customs, aeCERT, Emirates Group, Emirates NBD and Meraas Holding.

Monday, February 18, 2013; Dubai: Ideanomics today officially announced the Emirates Identity Authority's involvement with Digital Shield Summit 2013. H.E. Dr. Eng. Ali Mohamed Al Khouri, Emirates ID Director General, will be the Chief Guest of Honour and will be inaugurating the summit, to be held on the 21st and 22nd of April in Abu Dhabi, United Arab Emirates.

The summit primarily tackles problems relating to digital security and digital infrastructure. The main objective is to see how to develop and manage information resources and deal with challenges such as delivering a robust information and compliance framework, and streamlining models for digital information management, collaboration and social networking.

Along with H.E. Dr. Eng. Ali Mohamed Al Khouri, the Advisory Board also consists of Tariq Al Hawi, Director of aeCERT, Guruswamy Periyasamy, Head of IT Security and Innovation at Emirates Group, and Naveed Ahmed, Head of IT Security for Dubai Customs. Ajay Rathi, Head of IT for Meraas Holding, and Amit Bhatia, Group Risk Management and IT Security Manager for Emirates NBD, will also be in attendance and will be speaking at the summit.

“In a knowledge based economy, with governments and businesses continuing to invest heavily in critical technology deployments, utilities companies looking at forming utility grids allowing them to virtualize and scale their resources at record pace and end users adopting the latest technology devices, a growing concern remains on the underlying threat of digital security to new technology adoption and the increasing channels of communication that have been created to communicate with it,” says Savio Coutinho, CEO at Ideanomics. “The Digital Security Summit will provide a unique platform for various verticals to come together to discuss and address key challenges faced with growing data and look at the role both government and service providers can take, in protecting its critical data and users at large.”

Emirates Identity Authority (EIDA)

Emirates Identity Authority (EIDA) is an independent federal authority established by virtue of the federal decree No. (2) of 2004. The decree has empowered the Authority with ultimate powers required for the execution of the Population Register and the ID card program.

Established in 2012, Ideanomics Global has opened operations in several key countries which support the roll out of our events globally. Based in Dubai, our offices organize and conceptualize Conferences and Summits, Trainings and Live Events.

For further queries on Digital Shield Middle East please contact Eric Wang on +9714 4232868 or email on [email protected].


AnDevCon™ is a trademark of BZ Media LLC. Android™ is a trademark of Google Inc. Google's Android Robot is used under terms of the Creative Commons 3.0 Attribution License.

Boston, May 28-31, 2013, The Westin Boston Waterfront

Follow us: twitter.com/AnDevCon. A BZ Media Event

Register NOW at www.AnDevCon.com

Get the best real-world Android developer training anywhere!

• Choose from more than 75 classes and tutorials

• Network with speakers and other Android developers

• Check out more than 40 exhibiting companies

“AnDevCon is one of the best networking and information hubs available to Android developers.”

—Nate Vogt, Android Developer, Willow Tree Apps