Optiv Blog

Understanding the New PCI Data Security Standard Guidelines.

· By Evan Tegethoff ·

Recently, the Risk Assessment Special Interest Group (SIG) and Payment Card Industry (PCI) Security Standards Council published the PCI Data Security Standard (DSS) Risk Assessment Guidelines Information Supplement. This document provides guidelines for performing a PCI risk assessment in accordance with PCI DSS Requirement 12.1.2. This requirement mandates that any organization that stores, processes, or transmits cardholder

Preparing for the Next Spear Phishing Attack

· By Eric Milam, Martin Bos ·

If you need proof that any organization can be hacked, even the most secure ones, just do an Internet search for “spear phishing attacks.” You might be shocked at the number of public and private entities that have announced they have been victims of this increasingly common type of attack. And those are just the

Password Disclosure in D-Link Surveillance Cameras (CVE-2012-4046)

· By Jason Doyle ·

Many people are using the popular D-Link network cameras available at Best Buy, Office Depot, Staples and amazon.com, expecting a private video feed to their home or office. However, this may not be the reality. In recent research, I exposed a critical security flaw in the way D-Link’s DCS-9xx Series IP cameras perform authentication which puts users at risk of eavesdroppers wanting to peer into their private lives or gather intelligence about a target organization.

FishNet Security Experts Present UK Webinar on Mobile Security

· By Gregg Martin ·

Enterprise users are using multiple devices to tap into the corporate network. Connectivity, portability and productivity are the “three legs” of mobility for users. Executive adoption, generational workforce changes and costs to employer and employees are a few critical considerations that enterprises must weigh in making decisions around mobile security.

Disaster Recovery Testing - The Sandy Effect


Most organizations that we do business with have disaster recovery policies and/or business continuity policies, but in the weeks leading up to and following Hurricane Sandy, we started to wonder how many of these policies are tested on a regular basis.

PLUG and PWN: No-tech to Low-tech Hacking, Part Two

· By Hao Nguyen ·

Continuing with the first part of this post, we’ll take a look at another device to drop onto a client’s network during a successful social engineering engagement once physical access is obtained. TP-Link makes several portable routers that are compatible with OpenWRT. They are pretty small and can be hidden onsite at a client facility.

Owning Computers Without Shell Access

· By Royce Davis ·

Consultants often upload and execute a binary payload to a remote system during penetration tests for the purpose of footprinting the target, gathering information, and leveraging that information to compromise additional hosts. When the scope of the engagement calls for the consultant to remain stealthy and undetected throughout the assessment, uploading a shell to your target is potentially catastrophic.

IP Theft Prevention: Beyond Just Technology

· By Arif Faiz ·

News headlines about credit card numbers being stolen and other successful security attacks on intellectual property (IP) during the last decade have raised awareness of these kinds of threats. Although many companies still intuitively want to keep major security incidents from public view, they are now much more open to communicating details of the attacks because of legal obligations to regulators and their customers.

Analyzing CVE 2012-0158

· By Ed Miles ·

On a recent engagement, we encountered a number of malicious documents. Among these, we discovered a mostly undocumented strain of CVE-2012-0158 exploit samples. These tainted files performed the usual exploit of the ListView2 control within the MSCOMCTL.OCX library; however, in this case, the container format was a Microsoft Compound File Binary Format of the Word variety.

Social Engineering: An Expanding Frontier in Online Attacks

· By Eric Milam, Martin Bos ·

Social engineering is an expanding frontier for attacking public and private entities and their employees. With this approach, a malicious attacker gathers details about individuals working within an organization in hopes of using that information to gain control of credentials or underlying systems used by the employee base.
