The presentation I gave at Help AG's spotlight event on June 1, 2 and 4. This talk is about social engineering and illustrates the things we find with customers in the region.
Social Engineering - Help AG spotlight 15Q2
2. SOCIAL ENGINEERING
• You bought a firewall, great.
• Humans are helpful, by nature.
• Manipulate people to get things done
• A fancier way of “lying”
• We’ve all done it.
Find people → Find info → Fake emails
3. SOCIAL ENGINEERING
• 2 ways of finding people:
• Casting a net (phishing)
• Quantity > Quality
• Whoever sticks is a victim
• Very noisy
• Targeting (spear phishing)
• Quality > Quantity
• Takes more time, more research, more effort.
4. PHISHING
• Humans haven’t changed in the past few decades:
Recent “Rombertik” malware (2015):
- State-of-the-art malware (quite nasty, too)
- Quite “lame” distribution: it arrived as an ordinary phishing e-mail attachment
5. SPEAR PHISHING
• Email from somebody who “knows you”
• You probably know them as well, else it’s just embarrassing.
• Somebody who took time to research you
• Interested in you
• Rather, what you know
• Who you know
• What you have access to.
6. 1. FINDING PEOPLE
• Target a domain, find its users:
• Maltego: visualizing OSINT
• Metasploit: finding email addresses (auxiliary/gather/search_email_collector)
Emails are probably:
firstname.lastname@helpag.com
7. 1. FIND PEOPLE (2)
• Emails are firstname.lastname@helpag.com
• Let’s look for more names
stephan.berner@helpag.com?
angelika.plate@helpag.com?
alexandra.pisetskaya@helpag.com?
nadia.zamouri@helpag.com?
ahmad.khaled.hawasli@helpag.com?
aashish.sharma@helpag.com?
prashant.jani@helpag.com?
…
Let’s dig just a bit further…
https://ae.linkedin.com/in/nsolling
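Automating the guess on slides 6 and 7, as an added example that is not part of the original deck: infer which local-part convention fits a handful of confirmed addresses, then apply every convention that is still consistent to the names gathered via Maltego or LinkedIn. The only confirmed pair here is the speaker's own address from slide 13; the other names are ones the slides already list, the domain is helpag.com, and the template set is an assumption. Nothing is sent anywhere; verifying the candidates is a separate, noisier step.

```python
"""Infer an organisation's e-mail naming convention from confirmed addresses
and generate candidate addresses for other names found via OSINT.
Added example (not from the Help AG slides). The known pair is the speaker's
address from slide 13; the names are those listed on slide 7."""
import re
import unicodedata

# Candidate local-part conventions (an assumed set). Each takes the lowercase
# name tokens, first ... last, and returns a local part.
TEMPLATES = {
    "first.last": lambda t: f"{t[0]}.{t[-1]}",
    "all.dots": lambda t: ".".join(t),          # keeps middle names: ahmad.khaled.hawasli
    "first_last": lambda t: f"{t[0]}_{t[-1]}",
    "firstlast": lambda t: f"{t[0]}{t[-1]}",
    "flast": lambda t: f"{t[0][0]}{t[-1]}",
    "firstl": lambda t: f"{t[0]}{t[-1][0]}",
    "first": lambda t: t[0],
}


def tokens(name: str) -> list[str]:
    """'Ahmad Khaled Hawasli' -> ['ahmad', 'khaled', 'hawasli'] (ASCII-folded, lowercase)."""
    ascii_name = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    return [t for t in re.split(r"[^a-z0-9]+", ascii_name.lower()) if t]


def infer_templates(known: list[tuple[str, str]]) -> list[str]:
    """Return every template consistent with ALL confirmed (name, address) pairs.
    Several may survive: a two-token name cannot separate first.last from all.dots."""
    consistent = []
    for label, fn in TEMPLATES.items():
        ok = True
        for name, addr in known:
            local = addr.split("@", 1)[0].lower()
            t = tokens(name)
            if not t or fn(t) != local:
                ok = False
                break
        if ok:
            consistent.append(label)
    return consistent


def candidates(name: str, domain: str, labels: list[str]) -> list[str]:
    """Candidate addresses for one name, de-duplicated, in template order."""
    t = tokens(name)
    if not t:
        return []
    out = []
    for label in labels:
        addr = f"{TEMPLATES[label](t)}@{domain}"
        if addr not in out:
            out.append(addr)
    return out


def enumerate_targets(known, names, domain):
    """Map each OSINT-gathered name to its candidate addresses."""
    labels = infer_templates(known)
    return {name: candidates(name, domain, labels) for name in names}


if __name__ == "__main__":
    # Constructed input: one confirmed address (slide 13) and names from slide 7.
    known = [("Michael Hendrickx", "michael.hendrickx@helpag.com")]
    names = ["Stephan Berner", "Nadia Zamouri", "Ahmad Khaled Hawasli"]
    for name, addrs in enumerate_targets(known, names, "helpag.com").items():
        print(f"{name}: {', '.join(addrs)}")
```

With a single confirmed two-token address, two conventions survive (first.last and all tokens joined), so a three-part name such as Ahmad Khaled Hawasli yields both ahmad.hawasli and ahmad.khaled.hawasli; one more confirmed address with a middle name settles it. Checking candidates against the target's mail server is the part that generates noise and needs authorisation.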
9. STUDY TARGET
• Examine digital footprint further
• Interests:
• Porsche
• PADI diver
• Line6 (guitar) pod
• Merc GL550
• Trivial Pursuit ;)
10. TARGET SELECTION
• What can we do so far?
• Target Nicolai Solling
• Hey, we met at (Porsche club / ManAge spa / PADI course / Rugkobbelskolen … )
• “Your Gargash Enterprises service…”
• Exploit Nicolai’s trust
• Target Nicolai’s contacts
• We know who he knows (social network)
• We know their email addresses (firstname.lastname@helpag.com)
• We know Nicolai’s writing style
• Exploit their trust
11. EXTRA, TECHNICAL TRICKS
• Need to trick a user into “believing us”
• Let technology help us
• Abuse a 33-year-old protocol: SMTP (RFC 821, 1982)
• Fake email thread
• Fake CC
12. FAKE EMAIL THREAD
• SMTP just sends text to a program.
• Quoted “email threads” are just text: nothing in the message ties the quoted part to any real earlier message.
• Unless we have the entire thread, digitally signed, we can’t trust it at all.
• Modern equivalent of saying:
“Can I go dad? Mom said I could go”
13. FAKE CC
• CC doesn’t really exist
• It’s just a header line we chose to write inside DATA; the server only delivers to the RCPT TO addresses it was given
HELO blah
MAIL FROM:<admin@flurk.org>
RCPT TO:<michael.hendrickx@helpag.com>
DATA
From: Michael Hendrickx <michael@flurk.org>
Content-Type: text/plain;
Subject: Very important email
Cc: khaled hawasli <khaled.hawasli@helpag.com>,
barack.obama@whitehouse.gov
To: michael.hendrickx@helpag.com

Hey guys,
As per our conversation, please install the security update
located at http://evil.com/patch.exe
Well, in fact, this is an email that Khaled and Obama will
never get - but you can never find that out!
Thank you,
Security Admin
.
QUIT
14. PUTTING IT ALL TOGETHER
• A person who knows a lot about you can do a lot of damage
• It’s from Nicolai
• Sounds like him
• To people that he knows
• The “right” people are in CC
• Shared responsibility
• Based on previous email thread
• Which we can’t check.
15. PUTTING IT ALL TOGETHER
• Creative spear phishing: what the victim sees is a three-message thread
To: Khaled Hawasli, Khalilov
cc: Michael Hendrickx
Hi Everyone,
I am very thrilled with the new VPN software! It’s much faster. Have you tried it?
Nicolai

To: Nicolai, Khaled Hawasli
cc: Michael Hendrickx
Hey man,
That’s awesome
> Hi Everyone,
> I am very thrilled with the new VPN
> …

To: Michael,
cc: Nicolai, Khalilov
Michael, you should try it!
> Hey man,
> That’s awesome
>> Hi Everyone,
>> I am very thrilled with the new VPN
>> …

In fact, all of this is a single email, typed by the attacker from top to bottom. The earlier “messages” and their recipients exist only as quoted text.
Nobody was ever CC’d
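The envelope/header split behind slides 13 and 15, and the checks a receiving mail server can actually make, as an added Python example that is not from the Help AG deck. build_message() writes From/To/Cc as plain text independent of the envelope, exactly as the HELO / MAIL FROM / RCPT TO / DATA session on slide 13 does; analyze_inbound() then runs four checks over nothing but what the receiving server saw on its own connection. The internal directory, the flurk.org envelope senders, the known Message-ID set and nicolai.solling@helpag.com (derived from the firstname.lastname convention) are constructed for the demo; the other addresses are those on slides 13 and 15. It runs offline.

```python
"""Envelope vs. headers (slides 12-15): build a message the way an attacker's
SMTP client does, then run the checks a receiving gateway CAN make on it.
Added example, not from the Help AG slides. Directory, envelope senders,
Message-IDs and nicolai.solling@helpag.com are constructed for the demo."""
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from email.utils import getaddresses, parseaddr

INTERNAL = "helpag.com"
# Constructed directory: lowercase display name -> the person's real address.
DIRECTORY = {"michael hendrickx": "michael.hendrickx@helpag.com",
             "nicolai solling": "nicolai.solling@helpag.com"}


def build_message(envelope_from, envelope_rcpts, hdr_from, hdr_to, hdr_cc, subject, body):
    """Envelope (MAIL FROM / RCPT TO) and headers (From / To / Cc) are separate:
    only envelope_rcpts get a copy; To and Cc are text the client chose to write."""
    msg = EmailMessage(policy=policy.SMTP)
    msg["From"], msg["To"], msg["Subject"] = hdr_from, ", ".join(hdr_to), subject
    if hdr_cc:
        msg["Cc"] = ", ".join(hdr_cc)
    msg.set_content(body)
    return {"mail_from": envelope_from, "rcpt_to": list(envelope_rcpts)}, msg.as_bytes()


def analyze_inbound(raw, envelope, known_ids):
    """`envelope` is what THIS receiving server saw on its own SMTP connection;
    `known_ids` are Message-IDs this mailbox has actually sent or received."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []
    name, addr = parseaddr(str(msg.get("From", "")))
    from_dom = addr.rpartition("@")[2].lower()
    # 1. An internal person's display name on an external address.
    real = DIRECTORY.get(name.strip().lower())
    if real and from_dom != INTERNAL:
        findings.append(f"display name '{name}' belongs to {real}, address is {addr}")
    # 2. Envelope sender domain vs header From domain (Return-Path vs From once stored).
    env_dom = envelope["mail_from"].rpartition("@")[2].lower()
    if env_dom != from_dom:
        findings.append(f"envelope sender {env_dom} != From domain {from_dom}")
    # 3. Internal To/Cc recipients this server got no RCPT TO for (slide 13's fake Cc).
    rcpts = {r.lower() for r in envelope["rcpt_to"]}
    hdrs = [str(h) for h in msg.get_all("To", []) + msg.get_all("Cc", [])]
    ghosts = [a.lower() for _, a in getaddresses(hdrs)
              if a.lower().endswith("@" + INTERNAL) and a.lower() not in rcpts]
    if ghosts:
        findings.append("header recipients without RCPT TO: " + ", ".join(ghosts))
    # 4. Claims to be a reply, but nothing ties it to a message we hold (slide 15).
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""
    quoted = any(line.startswith(">") for line in text.splitlines())
    refs = (str(msg.get("In-Reply-To", "")) + " " + str(msg.get("References", ""))).split()
    is_reply = quoted or str(msg.get("Subject", "")).lower().startswith("re:")
    if is_reply and not any(r in known_ids for r in refs):
        findings.append("quoted thread not linked to any known Message-ID")
    return findings


def demo():
    """Slide 13's fake Cc and slide 15's fake thread, as the receiving server sees them."""
    known_ids = {"<real-thread@helpag.com>"}  # constructed
    env, raw = build_message(
        "admin@flurk.org", ["michael.hendrickx@helpag.com"],
        "Michael Hendrickx <michael@flurk.org>", ["michael.hendrickx@helpag.com"],
        ["khaled hawasli <khaled.hawasli@helpag.com>", "barack.obama@whitehouse.gov"],
        "Very important email",
        "Hey guys,\nAs per our conversation, please install the security update\n"
        "located at http://evil.com/patch.exe\n")
    fake_cc = analyze_inbound(raw, env, known_ids)
    env, raw = build_message(
        "khaled@flurk.org", ["michael.hendrickx@helpag.com"],
        "Khaled Hawasli <khaled@flurk.org>", ["michael.hendrickx@helpag.com"],
        ["nicolai.solling@helpag.com"], "Re: new VPN",
        "Michael, you should try it!\n> Hey man,\n> That's awesome\n"
        ">> Hi Everyone,\n>> I am very thrilled with the new VPN software!\n")
    fake_thread = analyze_inbound(raw, env, known_ids)
    return {"fake_cc": fake_cc, "fake_thread": fake_thread}


if __name__ == "__main__":
    for label, findings in demo().items():
        print(label, *findings, sep="\n  ")
```

Check 3 is the slide's point: a Cc'd colleague on the same domain normally arrives on the same SMTP connection as a RCPT TO, so a same-domain Cc with no RCPT TO is a strong signal, though not proof, since some senders deliver one recipient per connection. Check 4 is the page's “mom said I could go” test: a reply that quotes a thread but carries no In-Reply-To or References pointing at a Message-ID you already hold cannot be verified from the message itself. Only an end-to-end signature (S/MIME or PGP) over the whole thread settles it.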
16. CONCLUSION
• The more people know about you, the more they can target you.
• Minimize digital footprint
• Verify email contents
• Be cautious
• Use digital signatures
• Don’t trust anything sent to you
• Mommy said I could go.
17. CONTACT US | WWW.HELPAG.COM | INFO@HELPAG.COM
DUBAI, UAE
ARJAAN OFFICE TOWER,
OFFICE 1201 / 1208, PO BOX 500741
T +971 4 440 5666
F +971 4 363 6742
ABU DHABI, UAE
SALAM HQ BLDG,
BLOCK 6, EAST 1-16, OFFICE 503, PO BOX 37195
T +971 2 644 3398
F +971 2 639 1155
DOHA, QATAR
AL DAFNA – PALM TOWER
OFFICE 4803, WEST BAY, P.O. BOX 31316
T +974 4432 8067
F +974 4432 8069