Showing posts from 2013

"When we win, it is with small things, and the victory itself makes us small"

The video from the 44CON talk (A talk about (infosec) talks) we gave in September has been posted to YouTube. You can grab the slides [here] | You can watch the video online [here]

Phish your company, before someone else does!

Today we are happy to release to the public: Simply, Phish5 is Phishing as a service. It allows a fairly unsophisticated user to phish users in her organization, quickly, easily and from the comfort of her own browser. Why would we do this? In the past year, a host of high profile news organizations were phished, and then publicly spanked. The attack that compromised the AP's Twitter account [Verge] even led to a visible dip on the Dow. If you talk to security folks, they will quickly dismiss Phishing attacks with a trite: "Educate your users". Unfortunately, in any reasonably sized organization, this is not a trivial task & learning requires constant reinforcement. Phish5 exists to help with this. A super short registration process, and users can enter a list of victims, create phishing mails, create phishing pages and track results. The whole process should take less than 5 minutes! Phish5 means that you can track people's behav

Introducing Consli, easy scheduling and feedback for conference organisers and attendees

The number of security conferences shows no signs of slowing down, feeding an ever-growing appetite for talks, presentations and content. If you're anything like us, both attending and speaking at conferences is part and parcel of your job, even if it's one event per year. In the absence of publication channels available in other disciplines such as good quality journals, security researchers have the option of blog posts, ezines such as Phrack, mailing lists or conferences. Many choose to go to conferences. It's a source of regular wonder that computing/IT conferences are still so heavily paper-based. Your conference pack is typically a sheaf of papers that includes, at a minimum, a schedule and a set of feedback forms. They lead to a few headaches for both attendees and organisers. Larger events have schedules where multiple talks happen in parallel. Planning my conference day involves circling talks I want to see, changing my mind, scratching out talks, circling ot

ThinkstScapes 2013-AH1: On the China report

The Mandiant APT1 report that was released a week ago has been causing some consternation, which makes it a ripe topic for our ThinkstScapes service. This morning, we issued an ad-hoc update to our customers containing our views of the APT1 report. In short, the data is interesting, but does not conclusively point to Unit 61938. There are too many open questions to justify the finger pointing. Take, for example, the markers released for the APT1 group. The report does not contain sufficient data to replicate the grouping of attackers bearing those markers into a single cohesive unit. By Mandiant's own admission the presence of a single marker is insufficient to tag an attacker as APT1, but thresholds are not provided for the number of markers required. In the end, it appears as if the classification boils down to an analyst's opinion; metrics are absent from the public report. The entire report is founded on the notion that APT1 exists and is definable; should this not be the ca

Your company's security posture is probably horrible (but it might be OK).

The past few years have provided us with a number of high profile hacks and data breaches. In 2010 Google famously announced that they were hacked and put out details on the compromise (later dubbed the Aurora incident). In the months that followed, it became clear that Google were not the only Aurora victims. Companies in almost every sector from DuPont to Disney were also breached (but were less forthcoming on the details). If these companies, widely lauded as having the brightest minds in their respective spaces, were so publicly spanked, an obvious question raises its head: why wasn't yours? Sadly, two of the likeliest answers to this question are equally uncomfortable: a) you haven't been compromised (yet) because people haven't bothered; b) your company has been compromised and you just don't know it. Brian Snow, former director of Information Assurance for the NSA, said it best at a conference in Greece recently: "I’m here to tell you that your cyber


This post is about 6 months overdue, but we have been busy with a whole bunch of interesting projects (which always manages to dent blogging time). One of these projects, is We formed Thinkst to work on difficult, interesting problems, and while working on security problems for a well known media organisation, we bumped into (a surprisingly common) problem organisations have: failing to benefit from the available insights afforded by the real-time social media networks. managed to win the Knight Foundation's News Challenge in 2012 (which we take as pretty good validation for the idea). If you have 3 minutes, check out the video on the page. It still shows version-1 of the interface (we have gotten all fancy since!) but should give you a good overview of the product.