
TEL +44 (0)207 127 4501 FAX +44 (0)207 127 4503 EMAIL info@oliverkinross.com
www.cybersecurityuae.com Conference & Exhibition
CYBER SECURITY UAE SUMMIT 2013
March 18th & 19th, Dubai
Developments, Strategies and Best Practice in Global Cyber Security
Special focus on the Banking, Oil & Gas & Government Sectors
Assess the nature of the latest threats being faced and the impact of these upon your organisation
Discuss the most promising cyber security technologies in the marketplace
Assess the trends to watch in global cyber security
International Case Studies: Discover the best practice in protecting your organisation from cyber-attack
Network with your industry peers in the comfort of a 5 star venue
The only event of its kind to take place in the Middle East
Featuring Cyber Security Training Workshops on how to Protect Your Organisation from Cyber Attack
Protecting critical infrastructures
2nd Annual CYBER SECURITY UAE TECH 2013
Hurry: exhibition space for the 30 booth exhibition is expected to sell out. For further details on exhibiting please email info@oliverkinross.com
[Exhibition floor plan: booths 1 to 30 and networking areas]
Main Sectors Covered: Electricity & Water, Oil & Gas, Financial Services, Transportation, Government, Defense
Join us for the Gala Dinner and Networking Evening and make valuable networking contacts
GOLD SPONSOR
SILVER SPONSOR
The only event of its kind to take place in the UAE
Featuring 30 top level speakers!
STEVE HAILEY, President CEO, CYBER SECURITY INSTITUTE
USAMA ABDELHAMID, Director, UBS
KENAN BEGOVIC, Head of Information Security, AL HILAL BANK
AHMED BAIG, Head, Information Security and Compliance, UAE GOVERNMENT ENTITY
ZAFAR MIR, Regional Manager Information Security Risk, HSBC BANK MIDDLE EAST
MAHMOUD YASSIN, Lead Security & System Eng Manager, NATIONAL BANK OF ABU DHABI
AMR GABER, Senior Network Security Engineer, DUBAI STATISTICS CENTRE
HUSSAIN ALKHASAN, IT GRC Manager, COMMERCIAL BANK OF DUBAI (UAE)
AYMAN AL-ISSA, Digital Oil Fields Cyber Security Advisor, ABU DHABI MARINE OPERATING COMPANY
TAMER MOHAMED HASSAN, Information Security Specialist, UAE GOVERNMENT ENTITY
OMER SYED, Project Manager, ROADS & TRANSPORT AUTHORITY
BIJU HAMEED, ICT Security Manager, DUBAI AIRPORTS
AL BALUSHI BASHEER, Manager of Information Security and Systems Engineering, NATIONAL BANK OF OMAN
NAVEED AHMED, Head of IT Security, DUBAI CUSTOMS
MOHAMMED AL LAWATI, ICT Policy and Procedure Advisor, OMAN AIRPORTS MANAGEMENT COMPANY
MOHAMED ROUSHDY, Chief Information Officer, NIZWA BANK
HESHAM NOURI, IT Manager, KUWAIT OIL COMPANY
ASHRAF SHOKRY, Chief Information Officer, AJMAN BANK
MOSTA AL AMER, Information Security Engineer, SAUDI ARAMCO
RIEMER BROUWER, Head of IT Security, ADCO
ANDREW JONES, Chairman of Information Security, KHALIFA UNIVERSITY
MURTAZA MERCHANT, Senior Security Analyst, EMIRATES AIRLINE
FURQAN AHMED HASHMI, Architect, EMIRATES INVESTMENT AUTHORITY
Plus many more to be announced!
02/2013 (11)
team
Editor in Chief: Ewa Dudzic
ewa.dudzic@hakin9.org
Managing Editor: Ewa Duranc
ewa.duranc@hakin9.org
Editorial Advisory Board: Scott Paddock, Matthew Holley,
Derek Thomas, Imad Soltani, Gavin Inns
Proofreaders: Ewa Duranc, Derek Thomas, Kishore P.V.
Special Thanks to the Beta testers and Proofreaders who
helped us with this issue. Without their assistance there would
not be a Hakin9 magazine.
Senior Consultant/Publisher: Paweł Marciniak
CEO: Ewa Dudzic
ewa.dudzic@hakin9.org
Production Director: Andrzej Kuca
andrzej.kuca@hakin9.org
Art Director: Ireneusz Pogroszewski
ireneusz.pogroszewski@hakin9.org
DTP: Ireneusz Pogroszewski
Publisher: Hakin9 Media
02-682 Warszawa, ul. Bokserska 1
Phone: 1 917 338 3631
www.hakin9.org/en
Whilst every effort has been made to ensure the high quality
of the magazine, the editors make no warranty, express or
implied, concerning the results of content usage.
All trade marks presented in the magazine were used only for
informative purposes.
All rights to trade marks presented in the magazine are
reserved by the companies which own them.
DISCLAIMER!
The techniques described in our articles
may only be used in private, local networks.
The editors hold no responsibility for misuse
of the presented techniques or consequent
data loss.
Dear Hakin9 Readers,
In the second issue of Hakin9 OnDemand in 2013 we will provide you with plenty of information on Cybersecurity and the safety of the Internet-Based World. The newest issue of Hakin9 OnDemand is divided into a few sections. The first one, Burning issue megaupload.com, is devoted to Kim Dotcom. In this section one can find two articles, presenting two sides of a coin on this burning issue. In the next section, Attack, Hakin9 OnDemand will teach you about the insider threat to cybersecurity. Thus, you will be able to control and mitigate all the threats in your organization. Furthermore, you will find out how to sharpen your hacking skills at home. This article will examine the Digital Dojo: the hacker's home lab, the tools of the trade, and the various avenues available which may aid in growing the craft during off-hours at home. In this section you will also find the story of a successful well-planned attack. After reading this article you will definitely know what steps could have been taken to recognize and nullify or avoid this exploit. The last section of this month's issue is entitled Plus. Here you will find an interview with William F. Slater, III in which he discusses his story with Hakin9 magazine. In the same section you can find a press release by Digital Shield Summit.
Enjoy reading!
Ewa Duranc and Hakin9 Team
EDITOR'S NOTE
CONTENTS
BURNING ISSUE MEGAUPLOAD.COM
The Rise and Fall of Megaupload.com and Kim Dotcom, and the Possible Implications for the Internet-based World of Piracy and Theft of Intellectual Property
By William F. Slater, III
In January 2012 the U.S. Government took down the Megaupload.com website and then quickly filed charges against the owner, Kim Dotcom, and his colleagues for alleged copyright infringement, conspiracy to commit money laundering, racketeering, rewarding users who uploaded pirated content for sharing, and turning a blind eye to requests from copyright holders to remove copyright-protected files.
Kim Dotcom's Letter to Hollywood
By Kim Dotcom
The Internet frightens you. But history has taught us that the greatest innovations were built on rejections. The VCR frightened you, but it ended up making billions of dollars in video sales. You get so comfortable with your ways of doing business that any change is perceived as a threat. The problem is, we as a society don't have a choice: The law of human nature is to communicate more efficiently.
ATTACK
Insider Threat to Cybersecurity: Fighting the Enemy Within
By Arun Chauhan
This article explains Insider Threats to cyber security in an organisation, with real life case examples. The author is of the opinion that organisations have a tendency to lay more emphasis on securing their perimeters and take the insider threat lightly. Further, the author believes that the processes which we implement in our organisation have a more important role to play than technology in safeguarding from insider threats, and recommends certain common guidelines / controls for mitigating this threat.
Cybersecurity Constantly Under Attack
By Massimiliano Sembiante, RIFEC (Research Institute of Forensic and E-Crimes)
Cybersecurity, crime, terrorism, attacks, wars: these and other cyber categories continue to be used more or less indiscriminately in many areas. This is partly attributed to the fact that the industry is evolving rapidly, as well as to the complexity resulting from the combination of information technology and communications (Information and Communication Technology, ICT) with other systems essential for the sustainability of the key features of modern societies (the so-called critical infrastructures).
Hacking Humans: The Story of a Successful Well-planned Social Engineering Attack
By William F. Slater, III
This paper will review an actual incident related to a social engineering exploit, why this exploit was effective, and what steps could have been taken to recognize and nullify or avoid this exploit. The exploit that will be described involves authority, pretexting, and deception, resulting in psychological manipulation. The exploit had serious consequences, both in my personal and professional life.
The Digital Dojo: Sharpening Your Hacking Skills At Home
By Terrance Stachowski and Michael Simbre
Ask any skilled hacker or penetration tester how they became proficient at their craft and they will likely tell you that they have spent an unbelievable amount of solitary hours hammering away at a keyboard to hone their hacking skills.
PLUS
Social Engineering: The Single Greatest Threat to Organizational Security
By Terrance J. Stachowski, CISSP, L|PT
Security planning is an onerous, complex and continual process, largely because there exist two factions which are continually at odds with one another. Security professionals work to erect walls which provide security to an organization's data, networks, and personnel, whereas the opposition is continually developing ways to go over, under, around or through security barriers.
Interview with William F. Slater, III
By Ewa Duranc
I was inspired to write it because I knew that applying the concepts described in the article would help make cyberspace a little safer. The article explains how using a well-designed security compliance framework can help an organization defend against the perils of cyberattacks and cyberwarfare. As far as I know, no one has yet been bold or knowledgeable enough to take the time to write such an article for the general public.
Digital Shield Summit Press Release
Monday, February 18, 2013; Dubai: Ideanomics today officially announced the Emirates Identity Authority's involvement with Digital Shield Summit 2013. H.E. Dr. Eng. Ali Mohamed Al Khouri, Emirates ID Director General, will be the Chief Guest of Honour and will be inaugurating the summit to be held on the 21st and 22nd of April in Abu Dhabi, United Arab Emirates.
BURNING ISSUE MEGAUPLOAD.COM
Kim Dotcom and his colleagues were arrested a few hours later in New Zealand and await extradition to the U.S. to be tried for these charges. Conviction on these charges could result in severe fines and possibly many years in a U.S. Federal prison. This paper will discuss the rise and fall of Kim Dotcom and Megaupload.com and will review how lawful governments may treat similar offenses in the future.
The Rise and Fall of Megaupload.com and Kim Dotcom, and the Possible Implications for the World of Internet-based Software Piracy and Theft of Intellectual Property
Less than 24 hours after the end of the global SOPA Protest on the world wide web, on January 19, 2012, the governments of the U.S. and New Zealand acted swiftly to stop the Megaupload.com empire that Kim Dotcom had built. The U.S. Department of Justice shut down the Megaupload.com website and produced a 72-page federal indictment against Kim Dotcom, Megaupload.com, and several of the business partners for alleged copyright infringement, conspiracy to commit money laundering, racketeering, rewarding users who uploaded pirated content for sharing, and turning a blind eye to requests from copyright holders to remove copyright-protected files.
Almost 12,000 miles away, on January 20, 2012, New Zealand's law enforcement authorities were forcibly entering Mr. Dotcom's home, a leased luxury mansion in the serene New Zealand countryside, and forcing their way into a safe room where Mr. Dotcom was hiding with guns, cash, and his closest colleagues (Acohido, 2012). Mr. Kim Dotcom and his colleagues were then arrested and now await extradition to the U.S. to be tried for these charges. Conviction on these charges could result in severe fines and possibly many years of imprisonment in a U.S. Federal prison. This paper will discuss the rise and fall of Kim Dotcom and Megaupload.com and will review how lawful governments may treat similar offenses in the future.
Originally Kim Schmitz, Mr. Dotcom, a native citizen of Germany, began his computer career in Germany in his early 20s in the early 1990s. He first began his career as a computer expert and then very shortly afterwards opened a computer security-related business. A short time later, Mr. Schmitz was indicted in Germany on computer fraud charges and later paid a fine and was released on probation. A few years later, Mr. Schmitz changed his name legally to Kim Dotcom, perhaps as a prelude to starting the Megaupload.com business, and to position himself as a self-styled Internet mogul entrepreneur.
Now a 38-year old German foreign national and temporary resident of New Zealand, at 6 feet 6 inches tall and over 285 pounds, Mr. Kim Dotcom is, both in stature and in his actions, a larger than life figure, who openly flaunted his wealth and his playboy lifestyle, the obvious results of the success of his Megaupload.com business (MikelVizualBazzikHck, 2012). With an annual income of more than $30 million, the flamboyant Mr. Dotcom could afford nearly everything he wanted, except permanent citizenship as a New Zealander. Yet after his arrest on January 20, 2012, he and his colleagues
The Rise and Fall of Megaupload.com and Kim Dotcom, and the Possible Implications for the Internet-based World of Piracy and Theft of Intellectual Property
In January 2012 the U.S. Government took down the Megaupload.com website and then quickly filed charges against the owner, Kim Dotcom, and his colleagues for alleged copyright infringement, conspiracy to commit money laundering, racketeering, rewarding users who uploaded pirated content for sharing, and turning a blind eye to requests from copyright holders to remove copyright-protected files.
Europe's No. 1 Information Security Event
SECURE BUSINESS SECURE THINKING
23-25 April 2013, Earls Court, London UK
Organised by:
Follow us @infosecurity
WHY ATTEND INFOSECURITY EUROPE 2013?
Access Europe's most extensive & free to attend knowledge enhancing educational programme
Meet over 300 leading information security suppliers, identify best of breed, cutting edge technology & see real solutions in action
Hear from real experts & respected public & private sector IT practitioners to discover how they spent their budget on the right products, services and solutions
Network with your peers through a wide range of activities including workshops & evening receptions
Earn CPE credits by attending the free educational programme
infosec.co.uk/register *
* Visitor registration is free online before Friday 19th April at 5pm. Onsite registration 20.
Kim Dotcom's Letter to Hollywood
Dear Hollywood,
The Internet frightens you. But history has taught us that the greatest innovations were built on rejections. The VCR frightened you, but it ended up making billions of dollars in video sales.
You get so comfortable with your ways of doing business that any change is perceived as a threat. The problem is, we as a society don't have a choice: The law of human nature is to communicate more efficiently. And the economic benefits of high-speed Internet and unlimited cloud storage are so great that we need to plan for the day when the transfer of terabytes of data will be measured in seconds.
Businesses and individuals will keep looking for faster connectivity, more robust online storage and more privacy. Transferring large pieces of content over the Internet will become common not because global citizens are evil but because economic forces leading to speed of light data transfer and storage are so beneficial to societal growth.
Come on, guys, I am a computer nerd. I love Hollywood and movies. My whole life is like a movie.
I wouldn't be who I am if it wasn't for the mind-altering glimpse at the future in Star Wars. I am at the forefront of creating the cool stuff that will allow creative works to thrive in an Internet age. I have the solutions to your problems. I am not your enemy.
Providing freemium cloud storage to society is not a crime. What will Hollywood do when smartphones and tablets can wirelessly transfer a movie file within milliseconds?
The very powerful and the very stupid have one thing in common. Instead of changing their views to fit the facts, they try to
ATTACK
Insider Threat To Cyber Security: Fighting The Enemy Within
This article explains Insider Threats to cybersecurity in an organisation, with real life case examples. The author thinks that organisations have a tendency to lay more emphasis on securing their perimeters and take the insider threat lightly. Further, the author believes that the processes which we implement in our organisation have a more important role to play than technology in safeguarding from insider threats, and recommends certain common guidelines / controls for mitigating this threat.
This article is meant for a diverse audience. Decision makers across an organization will benefit from reading it because insider threats are influenced by a combination of technical, behavioural, and organizational issues and must be addressed by policies, procedures, and technologies. Staff members of an organization's management, HR, Legal, Physical Security, Data Owners, IT, and Software Engineering groups should all understand the overall scope of the problem and communicate it to all employees in the organization.
What do we understand by Insider Threat?
In the simplest form, it means all individuals who have / had authorised access to our cyber infrastructure and resources and intentionally misuse that access to endanger the confidentiality, integrity and availability of the organisation's data. Special emphasis must be laid upon individuals who have recently left the organisation or are in the process of leaving. The reasons for which they leave the organisation also assume importance whilst formulating an Insider threat policy. The following personnel fall into the category of insider threat in the context of cyber security:
Current or former employees
Current or former business partners and outsourcing companies
Insider threat becomes even more dangerous to an organisation when we consider the scenario where there is collusion between insiders and business competitors, organised crime and even foreign governments.
Why are we more vulnerable from inside?
It is a human tendency to expect threats from outside and ignore the trouble indicators within the organisation. The first steps towards securing the cyber infrastructure are always directed at securing the perimeter and external interfaces of the organisation. The best of technology is bought and implemented, and we slowly and deeply sink into the comfort zone of being secure. We forget that off-the-shelf security measures most of the time do not cater to the threat arising from inside. As most of my pen testing buddies would agree, the reverse connect payload is a good indicator of how attackers realised this vulnerability of organisations: not checking the traffic originating from inside.
In my early days of pen testing, I often heard the example of breaking into a network being similar to cracking a coconut: hard from outside but soft and creamy from inside. The person outside the organisation always has the tough job of breaking in through solid defences and needs a higher level of expertise and resources to accomplish his task. Even then his chances are slim, compared to a malicious insider already sitting inside the network who merely has to do what the external attacker calls post-exploitation tasks. He has the access and authorisation and, most importantly, the trust of the resource owner.
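The point above, that perimeter controls rarely look at traffic leaving the network, is the gap an egress review closes. The Python script below is an added example written to illustrate this article's argument; it is not code from the original piece. It runs over a constructed set of outbound flow records (timestamp, source, destination, destination port) and flags an internal host for two reasons a defender cares about: connecting to a destination port outside an assumed egress allowlist, and connecting to one external host at near-constant intervals, the beacon pattern a reverse-connect callback produces. The internal address ranges, the allowlist and the thresholds are assumptions chosen for the example.

```python
"""Egress-flow review: flag internal hosts whose outbound traffic looks like a
reverse-connect callback.  Added illustration for the insider-threat argument
above, not code from the original article.  All flow records are constructed."""
from collections import defaultdict
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev

# Assumed internal address space and egress policy for this example.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]
ALLOWED_EGRESS_PORTS = {53, 80, 443}

# Constructed flow records: (timestamp in seconds, source IP, destination IP, destination port).
FLOWS = [
    # 10.0.5.23 calls back to one external host on 4444 roughly every minute (beacon-like)
    (0, "10.0.5.23", "203.0.113.9", 4444),
    (61, "10.0.5.23", "203.0.113.9", 4444),
    (119, "10.0.5.23", "203.0.113.9", 4444),
    (180, "10.0.5.23", "203.0.113.9", 4444),
    (241, "10.0.5.23", "203.0.113.9", 4444),
    # 10.0.5.40 browses an external HTTPS site at irregular times (normal)
    (3, "10.0.5.40", "198.51.100.7", 443),
    (95, "10.0.5.40", "198.51.100.7", 443),
    (100, "10.0.5.40", "198.51.100.7", 443),
    (400, "10.0.5.40", "198.51.100.7", 443),
    (401, "10.0.5.40", "198.51.100.7", 443),
    # 10.0.5.50 makes two connections on a port outside the allowlist
    (50, "10.0.5.50", "198.51.100.20", 8443),
    (900, "10.0.5.50", "198.51.100.20", 8443),
    # internal-to-internal file-share traffic and an inbound connection: not egress
    (10, "10.0.5.41", "10.0.9.2", 445),
    (12, "198.51.100.7", "10.0.5.40", 443),
]


def is_internal(ip: str) -> bool:
    """True if the address falls inside one of the assumed internal ranges."""
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def analyze_egress(flows, min_flows=4, max_cv=0.2):
    """Return (src, dst, port, reasons) for each outbound conversation that
    breaks the egress allowlist or shows beacon-like regular timing.

    min_flows: fewest connections before timing is judged at all.
    max_cv:    coefficient of variation of the gaps between connections at or
               below which the timing counts as regular (0 = perfectly periodic).
    """
    conversations = defaultdict(list)
    for ts, src, dst, port in flows:
        if is_internal(src) and not is_internal(dst):  # outbound only
            conversations[(src, dst, port)].append(ts)

    findings = []
    for (src, dst, port), times in sorted(conversations.items()):
        reasons = []
        if port not in ALLOWED_EGRESS_PORTS:
            reasons.append(f"destination port {port} is not in the egress allowlist")
        if len(times) >= min_flows:
            times.sort()
            gaps = [later - earlier for earlier, later in zip(times, times[1:])]
            avg = mean(gaps)
            # A burst inside one second (avg == 0) is not a beacon; treat it as irregular.
            cv = pstdev(gaps) / avg if avg > 0 else float("inf")
            if cv <= max_cv:
                reasons.append(f"{len(times)} connections about every {avg:.0f}s (beacon-like)")
        if reasons:
            findings.append((src, dst, port, tuple(reasons)))
    return findings


if __name__ == "__main__":
    for src, dst, port, reasons in analyze_egress(FLOWS):
        print(f"{src} -> {dst}:{port}")
        for reason in reasons:
            print("   ", reason)
```

In practice the flow records would come from NetFlow/IPFIX exports or firewall logs rather than a list, and the allowlist and thresholds need tuning per network; the useful property of the check is that it needs no knowledge of the payload, only the fact that the organisation is watching what leaves.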
What risks are posed by a malicious insider to an organisation?
Data theft
With the proliferation of mobile storage and computing devices, the problem of data theft by insiders has multiplied manifold. This, coupled with a never before
CyberSecurity Constantly Under Attack
Cyber security, crime, terrorism, attacks, wars: these and other cyber categories continue to be used more or less indiscriminately in many areas.
This is partly attributed to the fact that the industry is evolving rapidly, as well as to the complexity resulting from the combination of information technology and communications (Information and Communication Technology, ICT) with other systems essential for the sustainability of the key features of modern societies (the so-called critical infrastructures).
Whether for espionage or sabotage purposes, corporations, governments, militaries and banks are increasingly becoming the target of criminal activities. Attacks such as viruses, DDoS, exploitation techniques, hijacking, etc. are constant threats for all existing assets. Hackers specifically target the weak parts of network infrastructures to penetrate fortified systems and commit cyber-crimes. It's a real war out there, but it's taking place on a new battlefield: the Network.
Modern economies are preparing to protect themselves from cyber-attacks, investing significant budgets in research, countermeasures and investigation. Critical infrastructures must be prepared for potential threats that may impact them, resulting in economic and reputational losses.
Cyber-attacks can be performed in many different ways. Common attack vectors are:
Scam Email: using Social Engineering techniques to convince the receiver to open fake links or files.
Network: using, for example, PHP scripts or Web Applications written for Apache.
Instant Messenger: using social engineering and other vulnerabilities.
Distributed denial of service: occurs when multiple systems (i.e. using a botnet) flood the bandwidth or resources of a targeted system.
Virus infection: viruses such as Trojans, spyware, worms etc. can be conveyed onto the target system in many different ways. In many cases infection can spread rapidly, compromising a huge number of computers in a short time.
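Of the vectors just listed, denial of service is the one whose symptom is purely volumetric, so it lends itself to a simple rate check on the victim's own logs. The Python below is an added example for this section, not code from the article or from RIFEC. It builds a constructed web-server access log, counts requests per ten-second window, and flags any window whose total exceeds a multiple of the median of the windows seen before it; it then tells a flood from many sources (the botnet case in the list) apart from a flood from one source, since the two call for different responses. The log format, window size, threshold factor and "many sources" cut-off are assumptions.

```python
"""Volumetric denial-of-service indicator over web access logs.  Added example
for the attack-vector list above; not from the original article.  The log
lines are constructed so the script runs offline."""
from collections import Counter, defaultdict
from statistics import median


def constructed_access_log():
    """Build sample log lines in an assumed simplified format:
    '<client ip> <epoch seconds> <method> <path>'."""
    lines = []
    regular_clients = [f"198.51.100.{i}" for i in range(1, 6)]
    # seconds 0-59: normal traffic, two requests per second spread over five clients
    for t in range(0, 60):
        for k in range(2):
            lines.append(f"{regular_clients[(t + k) % 5]} {t} GET /index.html")
    # seconds 60-69: a distributed flood, fifty requests per second from fifty addresses
    for t in range(60, 70):
        for k in range(1, 51):
            lines.append(f"203.0.113.{k} {t} GET /search?q=x")
    # seconds 70-79: a single-source flood, thirty requests per second from one address
    for t in range(70, 80):
        for _ in range(30):
            lines.append(f"192.0.2.77 {t} GET /login")
    return lines


def detect_floods(lines, window=10, factor=5, min_distinct=20):
    """Flag windows whose request total is more than `factor` times the median
    of all earlier windows.  Using the median keeps one flooded window from
    inflating the baseline for the windows that follow it."""
    per_window = defaultdict(Counter)
    for line in lines:
        src, ts, _ = line.split(" ", 2)
        per_window[int(ts) // window][src] += 1

    findings, history = [], []
    for w in sorted(per_window):
        counter = per_window[w]
        total = sum(counter.values())
        if history and total > factor * median(history):
            top_src, top_n = counter.most_common(1)[0]
            findings.append({
                "window_start": w * window,
                "requests": total,
                "sources": len(counter),
                "kind": "distributed" if len(counter) >= min_distinct else "single-source",
                "top_source": top_src,
                "top_share": round(top_n / total, 2),
            })
        history.append(total)
    return findings


if __name__ == "__main__":
    for finding in detect_floods(constructed_access_log()):
        print(finding)
```

The distinction the script draws matters operationally: a single-source flood can be answered with a per-client rate limit or block, whereas the distributed case, where no one address carries more than a sliver of the traffic, needs upstream filtering or capacity rather than a block list.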
Cyber-hacktivism and cyber-terrorism
Cyber-criminals are not only targeting money and data; hacktivists and cyber terrorists, for instance, are politically motivated and aim to attack and compromise infrastructures in order to gain visibility and defend their country's honor or promote specific causes.
These attacks have ranged from mere annoyances, such as the defacement of websites, to full-scale digital blockades of the target country, such as the 2007 cyber-attacks against Estonia, most likely one of the biggest public cyber-wars between two countries (Ref. 01).
The entire X-Road (Figure 1), the Estonian e-infrastructure, a system of more than 355 government organizations interconnected, including services such as Telecom, Tele2, Uninet, Delfi, Atlas communications and many others, was under cyber-attack for about 3 weeks. The Estonian Government claimed the attack was launched by the Russian Government as a political repercussion.
Probably the most important case associated with APT (Advanced Persistent Threat) so far has been Titan Rain (Ref. 03). This was the designated name that the US Government gave to a per-
Hacking Humans: The Story of a Successful Well-planned Social Engineering Attack
This paper will review an actual incident related to a social engineering exploit, why this exploit was effective, and what steps could have been taken to recognize and nullify or avoid this exploit. The exploit that will be described involves authority, pretexting, and deception, resulting in psychological manipulation.
The exploit had serious consequences, both in my personal and professional life. The exploit was short-lived, occurring in August 2008, but very likely damaged my career and reputation at Gehenomsoft where I was employed at the time. In addition, this exploit quickly escalated to a criminal assault against me, and though the case was never resolved, it was a very traumatic experience. This paper will explore why each of these social engineering techniques was effective, and how I could apply knowledge and techniques learned in the materials from my Social Engineering class, as well as other research materials, to prevent similar attacks.
Using Authority and Pretexting as Social Engineering Weapons
This brief paper will examine an incident in which authority and pretexting were used with deception to help an intruder gain access to an office area that was protected by traditional physical security controls as well as policies, and the outcomes of this incident. In his book, Influence: Science and Practice, Robert Cialdini discusses the concept of authority as a trigger that can influence human behavior, for better or worse (Cialdini, 2009). Pretexting is a social engineering technique in which the social engineer invents a story that sounds convincing, so that he or she may gain a favor or access to an area to which they might not otherwise be able to obtain access (Hadnagy, 2011). Each of these social engineering techniques, used with deception, intent, and motive, can constitute a formidable threat that can overcome most people without the specialized experience and training to recognize them. This incident happened to me at the Gehenomsoft Midwestern Regional Office in Downers Grove, IL, while I worked at Gehenomsoft in 2008.
In his book, Cialdini cited the classic 1974 case study of Professor Milgram as an example of how authority could be used to influence behavior. The Milgram study showed a truly dark side of authority, where his student subjects were willing to follow orders to send large voltages of electricity into the bodies of the study's participants, despite what the subjects' consciences might have otherwise led them to believe about whether following these orders was morally right or wrong. The fact that these subjects consistently followed orders and shocked the participants without argument, compassion, or question illustrated the degree to which they were influenced by his authority as a professor and the architect of the study. This was Milgram's simple final conclusion of his experiment: "It is the extreme willingness of adults to go to almost any lengths on command of an authority that constitutes the chief finding of the study" (Cialdini, 2009).
The Social Engineering Exploit: What Happened?
This social engineering attack, which involved the use of authority, pretexting and deception, occurred on Friday evening, August 22, 2008, at the site of Gehenomsoft's Midwest Regional Office in Downers Grove, IL. The intruder had quietly entered the building past the first floor security checkpoint about 6:00 PM and appeared in the hallway on the third floor of this secure office building after business hours,
The Digital Dojo: Sharpening Your Hacking Skills At Home
Ask any skilled hacker or penetration tester how they became proficient at their craft and they will likely tell you that they have spent an unbelievable amount of solitary hours hammering away at a keyboard to hone their hacking skills.
Serious hackers and penetration testers might be largely self-taught, have studied for security or networking certifications, pursued an IT security degree, or found guidance under a patient and experienced mentor, but one thing almost every one of them will have in common, especially if they are trying to remain proficient, is that they are continuously learning, expanding their knowledge, and practicing to keep their skills sharp. The goal of this paper is to look at ways of keeping that digital sword sharp, and one of the best ways to do so is through hands-on practice. This article will examine the Digital Dojo: the hacker's home lab, the tools of the trade, and the various avenues available which may aid in growing the craft during off-hours at home.
Introduction
Hacking isn't a skill one simply learns overnight; it takes immeasurable hours of learning, analysis, trial-and-error, and a ghoulish level of tenacity. There are so many sub-categories of hacking that no individual hacker is likely to be a master of them all; the majority will focus their efforts on specific areas of expertise and attempt to learn the basics of the areas outside their wheelhouse. For example, a hacker who specializes in network security may not be as sharp at webpage exploitation; a systems expert may not be graceful at social engineering, and so on. There's simply too much to learn and the landscape is constantly changing, making it nearly impossible to maintain a true mastery of all aspects of hacking. For example, there are various programming languages a hacker may want to become proficient in: Python, Perl, C++, Java, and though not really a language, HTML; it could take years to master these alone, but learning to program isn't where a hacker stops, it's more likely that's where they begin. Most hackers will want to have at least a ba-
Figure 1. Digital Dojo (2013). Art by Terrance Stachowski
PLUS
Social Engineering: The Single Greatest Threat to Organizational Security
Security planning is an onerous, complex and continual process, largely because there exist two factions which are continually at odds with one another. Security professionals work to erect walls which provide security to an organization's data, networks, and personnel, whereas the opposition is continually developing ways to go over, under, around or through security barriers.
One major problem with many security plans is that most organizations focus exclusively on technical countermeasures, but the weakest link in security, the human element, is often overlooked. Attackers are aware of this deficiency, and use an unethical approach known as social engineering to exploit this weakness. This paper examines how social engineering attacks take advantage of normal human behavior and demonstrates the real and present threat that this type of dishonest attack poses. Historical data extracted from Kevin Mitnick's case, and the DEFCON 18 Social Engineering Capture-the-Flag (CTF) "How Strong is Your Schmooze" results, will be utilized to build this case study. Additionally, this paper will investigate what organizations can do to diminish this threat.
Introduction
In the current age of technology, many organizations have come to rely on information systems as one of the most important tools for facilitating nearly every aspect of business activities. The use of information technology expedites workflow, increases productivity, accelerates communication and allows multiple employees to view and work on a single project concurrently. One major concern with organizations relying so heavily on information systems is that enormous amounts of data, much of which could be considered sensitive or valuable in nature, are used, stored, and created on these systems.
Security has become a critical affair for managers at all levels of innumerable governments and organizations; clients with concerns about protection of their personally identifiable information (PII), privacy and identity fraud or theft are demanding it; vendors, suppliers, and business partners require it from one another, especially when there exists mutual network and information access (Allen, 2009).
Though many organizations take security seriously and put an enormous emphasis on both technical and physical safeguards such as firewalls, ID cards, intrusion detection systems (IDS), and guards, there is little emphasis placed on the human element of security. A million dollars' worth of state-of-the-art technical and physical safeguards could be, and continues to be, rendered useless by hackers who know how to manipulate and bypass the weakest link in any security program, the human being.
Understanding Social Engineering

Social engineering is the art or, better put, the science of expertly manipulating other humans to take some form of action in their lives (Hadnagy, 2011). A social engineer is someone who takes advantage of the credulity, indolence, good manners, or even passion of employees (Microsoft, 2006). Social engineering is basically a con game, and the social engineer is nothing more than a sophisticated con artist who employs tactics of skillful lying, influencing, persuading, smooth talking, trickery, and deception to convince the target that they are someone they are not, or that they require access to something they do not have authorization to access.
48 02/2013
PLUS
An Interview with William F. Slater, III
M.S. in Cybersecurity Program
Bellevue University, Bellevue, NE

Ewa Durnac: How was your article selected for publication by Hakin9?

William F. Slater, III: I was identified as a Cybersecurity professional who is also a writer back in October 2012. They contacted me via e-mail and asked me to start writing articles for Hakin9 magazine. I think that they found me either on LinkedIn.com or via a Google search. The January 2013 article was my fourth article with the magazine. The editors and publishers at Hakin9 magazine are also fun to work with and they seem to appreciate working with Cybersecurity professionals who can write and deliver articles that meet their quality standards as well as their publication submission deadlines.

ED: Was the article something that developed out of a class project?

WS: No. I was inspired to write it because I knew that applying the concepts described in the article would help make cyberspace a little safer. The article explains how using a well-designed security compliance framework can help an organization defend against the perils of cyberattacks and cyberwarfare. As far as I know, no one has yet been bold or knowledgeable enough to take the time to write such an article for the general public. Note that I did not receive any academic credit or even any compensation for writing this article.

ED: What led to your interest in Bellevue University's Cybersecurity program?

WS: I was accepted into the M.S. in Cybersecurity program at Bellevue University on Friday, Aug. 26, 2011. I chose this program for two reasons: 1) you folks appear to really have your act together compared to everyone else; and 2) I hope to work at least another 20 years, and the Bellevue University M.S. in Cybersecurity program will equip me to accomplish some great things, including teaching and equipping the Cyberwarriors of America's future.

I have been making a living in Information Technology since I started my service in the United States Air Force in July 1977. I served as a Computer System staff officer (AFSC 5135B) at Strategic Air Command Headquarters supporting the command control systems that provided command control and communications capability to SAC forces globally for the leadership of SAC and also the National Command Authorities. If you are interested in what I did at HQ SAC, there are several interesting pictures here: http://billslater.com/my-usaf. After becoming ill in 1980, I left active duty in October 1980 and travelled to Houston, TX to begin my civilian career in IT. My career has involved many roles and many technologies over the years. You can see a synopsis of my career here: http://billslater.com/career and here: http://billslater.com/interview.

ED: What has been your impression of the program thus far?

WS: It's been very educational and VERY intense. I am completing my 11th and 12th classes in this program and it basically means that whenever school is in session, I have had no weekend time off since August 2011. Between work, teaching, and my M.S. in Cybersecurity course work, I have stayed extremely busy. It has been worth it, but I don't think people outside the program re-
Digital Shield Summit Announces Partnership with Emirates Identity Authority

EIDA Group Director to inaugurate summit, speaker lineup unveiled; including Dubai Customs, aeCERT, Emirates Group, Emirates NBD and Meraas Holding.

Monday, February 18, 2013; Dubai: Ideanomics today officially announced the Emirates Identity Authority's involvement with Digital Shield Summit 2013. H.E. Dr. Eng. Ali Mohamed Al Khouri, Emirates ID Director General, will be the Chief Guest of Honour and will be inaugurating the summit to be held on the 21st and 22nd of April in Abu Dhabi, United Arab Emirates.

The summit primarily tackles problems relating to digital security and digital infrastructure. The main objective is to see how to develop and manage information resources and deal with challenges such as delivering a robust information and compliance framework, and streamlining models for digital information management, collaboration and social networking.

Along with H.E. Dr. Eng. Ali Mohamed Al Khouri, the Advisory Board also consists of Tariq Al Hawi, Director of aeCERT, Guruswamy Periyasamy, Head of IT Security and Innovation at Emirates Group, and Naveed Ahmed, Head of IT Security for Dubai Customs. Ajay Rathi, Head of IT for Meraas Holding, and Amit Bhatia, Group Risk Management and IT Security Manager for Emirates NBD, will also be in attendance and will be speaking at the summit.

"In a knowledge-based economy, with governments and businesses continuing to invest heavily in critical technology deployments, utilities companies looking at forming utility grids allowing them to virtualize and scale their resources at record pace, and end users adopting the latest technology devices, a growing concern remains on the underlying threat of digital security to new technology adoption and the increasing channels of communication that have been created to communicate with it," says Savio Coutinho, CEO at Ideanomics. "The Digital Security Summit will provide a unique platform for various verticals to come together to discuss and address key challenges faced with growing data and look at the role both government and service providers can take in protecting its critical data and users at large."

Emirates Identity Authority (EIDA)

Emirates Identity Authority (EIDA) is an independent federal authority established by virtue of federal decree No. (2) of 2004. The decree has empowered the Authority with the ultimate powers required for the execution of the Population Register and the ID card program.

Established in 2012, Ideanomics Global has opened operations in several key countries which support the roll-out of our events globally. Based in Dubai, our offices organize and conceptualize Conferences and Summits, Trainings and Live Events.

For further queries on Digital Shield Middle East please contact Eric Wang on +9714 4232868 or email info@ie2global.com.
AnDevCon™ is a trademark of BZ Media LLC. Android™ is a trademark of Google Inc. Google's Android Robot is used under terms of the Creative Commons 3.0 Attribution License.

BOSTON May 28-31, 2013
The Westin Boston Waterfront
Follow us: twitter.com/AnDevCon. A BZ Media Event
Register NOW at www.AnDevCon.com

Get the best real-world Android developer training anywhere!
Choose from more than 75 classes and tutorials
Network with speakers and other Android developers
Check out more than 40 exhibiting companies

"AnDevCon is one of the best networking and information hubs available to Android developers." Nate Vogt, Android Developer, Willow Tree Apps