
Archive for June, 2007

Spoofing Caller ID illegal? Bad news for social engineering

Friday, June 29th, 2007

This morning the story that caught my eye was a Slashdot link about CallerID Spoofing to be Made Illegal.

“(1) IN GENERAL- It shall be unlawful for any person within the United States, in connection with any telecommunications service or IP-enabled voice service, to cause any caller identification service to transmit misleading or inaccurate caller identification information, unless such transmission is exempted pursuant to paragraph (3)(B).”

You can read the full text about it here: http://thomas.loc.gov/cgi-bin/bdquery/z?d110:s.00704:


During the last couple of years I’ve made use of the Telespoof.com caller ID spoofing service during telephonic social engineering engagements. Spoofing caller ID is something a motivated attacker will do to look more legitimate. I’ve also seen an occasion where spoofing the caller ID could fool certain PBX systems into granting direct access to voice mail boxes.

Do I wish it were technologically impossible to spoof caller ID? You bet I do; it would make avoiding political fund raiser calls much easier. But I know better: the bad guys will still spoof caller ID, knowing that it will be virtually impossible to get caught. This means my customers who want authentic social engineering phone calls won’t get the total package and won’t know their true risk.

The downside to this law is that only the bad guys will be spoofing caller ID. It will also put companies like telespoof.com out of business.
The upside is that it looks like Skype will be legally obliged to transmit caller ID. This is good news for people who have purchased Skype-In phone numbers and wish it would transmit something other than +000000.

More about Skype and caller ID here: http://share.skype.com/sites/en/2007/05/caller_identification_for_skyp.html


-higB

Offshoring Development? Security is Still Your Problem!

Thursday, June 28th, 2007

Build that trans-continental security bridge!

While pen testing applications for one of my clients, I found that all the security issues I identified had the same 2 or 3 systemic causes. I made “strategic recommendations” – security training for developers and a security-aware SDLC, to name a couple. Months later, I went back to the same company, this time to test a bunch of other applications. The outcome wasn’t too different – same systemic problems. Once again, I emphasized the trend to my client. He told me that the applications were developed offshore, so my strategic recommendations from the last review were “impractical”. What could my client do to fight this negative trend?

Over the years, I’ve had several discussions on this topic with security gurus, software developers working in offshore companies, and some folks at the receiving end of insecure code. The situation is best described by the everybody, somebody, nobody and anybody joke. In short, no one has taken the initiative on the security front. What can everybody do?

Firstly, the outsourcers need to be willing to PAY FOR SECURITY. Yes, security doesn’t come free. This shouldn’t really be an issue given the tremendous savings realized by offshoring. But don’t just pay for security, demand it contractually. Just like you define performance metrics that the applications should meet to be accepted, define and enforce security metrics. Ensure that the terms of the contract are enforceable in a jurisdiction in your country (the outsourcer’s country). Suing the development company in their country will be a frustrating and futile endeavor at best!

Secondly, find out what measures your offshore partner takes to protect your data, to educate their developers on security, and to implement security in the SDLC. Remember, an ISO audit doesn’t cover all these areas.

Now for the offshore development company – use security as a competitive advantage. The last time I said this to some friends of mine who work as developers in India they said “We need VP approval to add even an optional line item in a proposal”. We all know what that means.

If you want to hear more on this topic, you can hear the recording of a webcast I did with Watchfire:

https://www.watchfire.com/securearea/seminararchives.aspx?id=253

-Rohyt

Windows Passwords: Guess-ability v/s Crack-ability

Tuesday, June 26th, 2007

Post moved here: http://intrepidusgroup.com/insight/2007/06/windows-passwords-guess-ability-vs-crack-ability/

Introduction Post: Welcome to blog.phishme.com

Tuesday, June 26th, 2007

Welcome to http://blog.phishme.com – the home of rand(security) and technology discussions.

We will use this blog to comment on topics like cool phishing ploys, IM and its privacy implications, hacking cars, and bashing on (or bowing to) the latest application hacks. Security geeks and a love of technology go hand in hand so expect some commentary on general tech too.

We plan to post here at least once a week, so keep us on that RSS radar or keep visiting!

Thanks,

The Intrepidus Group Team

http://intrepidusgroup.com

About

Monday, June 25th, 2007

Phishme.com was created by the Intrepidus Group.

Intrepidus Group is a leading provider of information security consulting services. To learn more about our company and our services, please visit our main site.

http://intrepidusgroup.com