What I do

I am an Information Risk Consultant and Penetration Tester. I specialize mostly in penetrating secure networks and computer systems, simulating an organized, professional attack against your organization, after which a detailed report summarizes the weaknesses and exploited vectors. This will help you gain control over your infrastructure's security and maximize your protection.

Wednesday, July 02, 2014

MYTHS ON BIOMETRICS

Myth: Iris recognition devices use lasers to scan your eyes.

Reality: Iris recognition cameras take a black-and-white picture and use non-invasive near-infrared illumination that is barely visible and very safe.

Myth: "Stolen" body parts can be used to fool the system.

Reality: Quality biometric recording and detection systems can determine "liveness" in order to prevent this type of fraud.

Myth: Identical twins can fool the system.

Reality: If the system is poorly configured, then this is possible, though it can be eradicated during White Box Penetration Testing. Good systems will highlight a false match, which will require human intervention to complete the identification process.

Myth: Biometrics will get rid of the evil in our world.

Reality: Identity Management systems cannot perform miracles.


Continue doing real Penetration Testing, and let's secure facilities for real.

Wednesday, June 25, 2014

WHY DO PEOPLE STILL CODE IN BIRTHDAYS



Safes are hard to break, they say, but as long as a safe is used by a human being and built by one, it is not 100% safe anymore.

Sometimes during pentests we get to go face to face with these machines, and with enough intel we know that what is behind that door is vital to what we are after. A lot of testers don't think this way, but as your experience in this field grows, you learn that this is a necessary strategy in real-life types of pentest like Blackbox. Getting to where the safe is, is always a problem; it may require you to jump through a lot of hoops, e.g. as a janitor. During this operation, I acted as Network Support.

IT people have inclusive access to executive offices. Have you ever seen how an office boss gets so happy when you fix an MS Windows problem that had bothered them for a while?
"Now I can watch new movies?"
"Yes, ma'am."
"Even the new ones that I couldn't before?"
"Yes, I can copy more for you if you want."
"Go ahead, go ahead, Chuck."

So one thing I have come to find is the use of digits as key codes, and personnel love using numbers they can remember; even I have that vulnerability with such authentication, e.g. SIM PIN numbers, M-Banking, etc. The easiest digits people remember all their lives, even when suffering from Alzheimer's, are birthdays. And a lot of users will simply use these on a safe. Now the problem for pentesters is not being in a position to do enough research on target employees online, e.g. social media and online security assessment.
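A policy check against the birthday habit described above, as an added example that is not from the original post: it flags numeric key codes whose digits lay out like a calendar date, so an administrator can reject them before they are set on a safe or door keypad. The date layouts covered and the 1900 lower bound for a plausible birth year are assumptions.

```python
from datetime import date


def _real_day_month(day: int, month: int) -> bool:
    """True if day/month is a real calendar date; 2000 is a leap year, so 29/02 passes."""
    try:
        date(2000, month, day)
        return True
    except ValueError:
        return False


def _plausible_year(year: int, oldest: int = 1900) -> bool:
    """Assumed range for a living person's birth year (the 1900 floor is an assumption)."""
    return oldest <= year <= date.today().year


def date_like_reasons(pin: str) -> list[str]:
    """Return the date layouts a numeric key code matches; an empty list means none."""
    if not pin.isdigit():
        return []
    reasons = []
    if len(pin) == 4:
        a, b = int(pin[:2]), int(pin[2:])
        if _real_day_month(a, b):
            reasons.append("DDMM")
        if _real_day_month(b, a):
            reasons.append("MMDD")
        if _plausible_year(int(pin)):
            reasons.append("YYYY")
    elif len(pin) == 6:
        a, b, c = int(pin[:2]), int(pin[2:4]), int(pin[4:])
        if _real_day_month(a, b):
            reasons.append("DDMMYY")
        if _real_day_month(b, a):
            reasons.append("MMDDYY")
        if _real_day_month(c, b):
            reasons.append("YYMMDD")
    elif len(pin) == 8:
        a, b, tail_year = int(pin[:2]), int(pin[2:4]), int(pin[4:])
        head_year, m, d = int(pin[:4]), int(pin[4:6]), int(pin[6:])
        if _real_day_month(a, b) and _plausible_year(tail_year):
            reasons.append("DDMMYYYY")
        if _real_day_month(b, a) and _plausible_year(tail_year):
            reasons.append("MMDDYYYY")
        if _real_day_month(d, m) and _plausible_year(head_year):
            reasons.append("YYYYMMDD")
    return reasons


def is_acceptable_key_code(pin: str, min_len: int = 6) -> bool:
    """Policy gate: digits only, long enough, not one repeated digit, not date-shaped."""
    return pin.isdigit() and len(pin) >= min_len and len(set(pin)) > 1 and not date_like_reasons(pin)
```

The same check can be run over an exported list of existing codes to find which ones a birthday-guessing attacker would get first.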

Surveillance and Recovery Assessment is essential for such intrusions in a big way, and this is done in teams. You might find that you get a lot of access to a facility just through this kind of assessment. I am currently doing a pentest similar to this, and I started as a janitor; it's amazing that the employees won't ask who you are as long as you are serving them or cleaning their desks.

Employees and senior management need to understand that security starts with everyone, not with the ICT department thrown into a corner cubicle and paid peanuts.

Most safes are used for storing money, but others store confidential documents. The personnel dealing with these documents need to have that sense of security, especially about their surroundings and who has access to their office. Sometimes these safes hold information about the whole infrastructure and other company secrets that can seriously damage the organization.

When buying a safe, it's important to understand which are the tough ones, and the value it will add to the company as far as security is concerned.

So whenever you hire a security firm for a Blackbox penetration test and they are just doing perimeter scans, just know these are the consultants we call script kiddies, and they are not in any way helping you secure your infrastructure.



Friday, June 13, 2014

THE NEW AL-QAEDA TOOL THAT SUPPORTS RSA FOR ASYMMETRIC ENCRYPTION

This tool was reported back in 2013, but has recently been discovered to be in use by Al-Qaeda for communications all over the world.