Optiv Blog

Understanding the New PCI Data Security Standard Guidelines.

· By Evan Tegethoff · 0 Comments

Recently, the Risk Assessment Special Interest Group (SIG) and Payment Card Industry (PCI) Security Standards Council published the PCI Data Security Standard (DSS) Risk Assessment Guidelines Information Supplement. This document provides guidelines for performing a PCI risk assessment in accordance with PCI DSS Requirement 12.1.2. This requirement mandates that any organization that stores, processes, or transmits cardholder

Continue reading 0 Shares

Preparing for the Next Spear Phishing Attack

· By Eric Milam, Martin Bos · 0 Comments

If you need proof that any organization can be hacked, even the most secure ones, just do an Internet search for “spear phishing attacks.” You might be shocked at the number of public and private entities that have announced they have been victims of this increasingly common type of attack. And those are just the

Continue reading 0 Shares

Password Disclosure in D-Link Surveillance Cameras (CVE-2012-4046)

· By Jason Doyle · 0 Comments

Many people are using the popular D-Link network cameras available at Best Buy, Office Depot, Staples and amazon.com, expecting a private video feed to their home or office. However, this may not be the reality. In recent research, I exposed a critical security flaw in the way D-Link’s DCS-9xx Series IP cameras perform authentication which puts users at risk of eavesdroppers wanting to peer into their private lives or gather intelligence about a target organization.

Continue reading 0 Shares

FishNet Security Experts Present UK Webinar on Mobile Security

· By Gregg Martin · 0 Comments

Enterprise users are using multiple devices to tap into the corporate network. Connectivity, portability and productivity are the “three legs” of mobility for users. Executive adoption, generational workforce changes and costs to employer and employees are a few critical considerations that enterprises must weigh in making decisions around mobile security.

Continue reading 0 Shares

Disaster Recovery Testing - The Sandy Effect

· 0 Comments

Most organizations that we do business with have disaster recovery policies and/or business continuity policies, but in the weeks leading up to and following Hurricane Sandy, we started to wonder how many of these policies are tested on a regular basis.

Continue reading 0 Shares

PLUG and PWN: No-tech to Low-tech Hacking, Part Two

· By Hao Nguyen · 0 Comments

Continuing with the first part of this post, we’ll take a look at another device to drop onto a client’s network during a successful social engineering engagement once physical access is obtained. TP-Link makes several portable routers that are compatible with OpenWRT. They are pretty small and can be hidden onsite at a client facility.

Continue reading 0 Shares

Owning Computers Without Shell Access

· By Royce Davis · 0 Comments

Consultants often upload and execute a binary payload to a remote system during penetration tests for the purpose of footprinting the target, gathering information, and leveraging that information to compromise additional hosts. When the scope of the engagement calls for the consultant to remain stealthy and undetected throughout the assessment, uploading a shell to your target is potentially catastrophic.

Continue reading 0 Shares

IP Theft Prevention: Beyond Just Technology

· By Arif Faiz · 0 Comments

News headlines about credit card numbers being stolen and other successful security attacks on intellectual property (IP) during the last decade have raised awareness in these kinds of threats. Although many companies still intuitively want to keep major security incidents from public view, they are now much more open to communicating details of the attacks because of legal obligations to regulators and their customers.

Continue reading 0 Shares

Analyzing CVE 2012-0158

· By Ed Miles · 0 Comments

On a recent engagement, we encountered a number of malicious documents. Among these, we discovered a mostly undocumented strain of CVE-2012-0158 exploit samples. These tainted files performed the usual exploit of the ListView2 control within the MSCOMCTL.OCX library, however in this case, the container format was a Microsoft Compound File Binary Format of the Word variety.

Continue reading 0 Shares

Social Engineering: An Expanding Frontier in Online Attacks

· By Eric Milam, Martin Bos · 0 Comments

Social engineering is an expanding frontier for attacking public and private entities and their employees. With this approach, a malicious attacker gathers details about individuals working within an organization in hopes of using that information to gain control of credentials or underlying systems used by the employee base.

Continue reading 0 Shares
(78 Results)