Why every company should get hacked

Did you know that, in traditional western movies, the heroic cowboy wears a white hat, while his enemy wears a black one? That’s where the expression ‘white hat hacking’ comes from. White hat hackers are the good guys. They specialise in penetration testing with the intention of alerting companies to vulnerabilities in their systems, software and networks, to pre-empt hacking attempts by an ill-intentioned individual.

Penetration tests
Penetration tests combine manual and automated methods and technologies. Their objective is to methodically compromise servers, endpoints, web applications, wireless networks, network devices, mobile devices and other potential points of exposure. Once the vulnerabilities have been successfully exploited, the testers use the compromised system to launch further exploits and go deeper and deeper from one vulnerability to the next.

White hat hackers evaluate the ability of organisations to protect their networks, applications, endpoints and users. The hackers make external and internal attempts to bypass security controls with a view to gaining unauthorized access to protected assets. Afterwards, full test results and recommendations are sent to help prioritise remediation efforts. Consequently, the company is in a better position to anticipate emerging security risks and protect its critical systems and most valuable information.

There are two main reasons to hire external penetration testers:

  1. Security breaches and interruptions in the performance of your services or applications can have long-term consequences. In addition to the financial aspect, they have an impact on your business’ reputation, with decreased customer loyalty, negative press, fines and penalties.
  2. Defensive security mechanisms such as user access controls, cryptography and firewalls are useful, but don’t offer full protection against potential security risks. New vulnerabilities are discovered each day, and attacks become more and more sophisticated. White hat hackers eat, sleep and breathe this, so they are in the best position to show companies where they need to improve their defenses.

Hackers come in different shapes and sizes, and may wear different hats. We only wear white ones. Interested in finding out how we work? Let us know and send us an email.

Create your own Android penetration testing toolbox

Are you a security expert with some experience in mobile pen testing? Then you know that testing Android applications is a real pain in the apps. Mainly because of the various tools and environments needed for mobile penetration testing. All available Android test distributions have flaws, such as missing and/or non-working tools. Luckily, there is a solution to this irritation. Build your own customised mobile testing toolbox, so you have all the tools you need always at hand!

Training

Not sure what steps to follow? Just register for our 1-day training ‘PWN Android Apps with your Custom Built Toolbox’. Our next session will be on November 24th, at the BeNeLux OWASP Day. The course helps you to discover what to do and what issues to focus on, all inspired by our real-life experience.

After this training, you will be able to create, update and manage a robust test environment for Android testing. You will also learn how to use different tools together and what to do if a certain tool doesn’t work. The course focuses on applications running on the device. We’ll also discuss other topics, for example applications attacking other applications and non-HTTP traffic. Moreover, you will get a ready-to-use plan of attack for testing Android applications and some real life examples.

I am a Web Application Security, Mobile Application Security and Software Testing expert at Toreon. I’ll be giving the training together with my colleague Stephanie Vanroelen who focuses on Web Application and Mobile Application Security.

Free

If you are a member of OWASP, you can follow this training for free during the BeNeLux OWASP Day on Thursday 24th November, from 8:30am to 5:30pm at imec-DistriNet at the University of Leuven. There is a limited number of seats available.

Click here to register, or send an email if you can’t make it and would like to discuss other options.

The youth is out there…

Have you read the research from Kaspersky Lab on how a lack of guidance tempts young people to exacerbate cyber-crime instead of preventing it? At Toreon, we didn’t need an extensive and expensive study to realise that youth is the future and that interest in IT and cybersecurity can’t be sparked early enough. That is why, at the end of the Cyber Security Awareness Month and in collaboration with BruCON, we met up with kids and students to teach them about IT, hacking and cybersecurity.

Hak4Kidz
For the second Hak4Kidz Belgium event, BruCON invited children and youngsters between 7 and 15. Six Toreon volunteers helped to teach them how much fun IT and science are. The event was fully booked in no time.

A few of the things that the children learned:

  • Issues as a fun puzzle waiting to be solved
  • Failure means you get to try again
  • By sharing knowledge, you can focus on solving new problems instead of solving resolved issues over and over again.

Student CTF
During the Student CTF, we took it to the next level. For most CTFs, the gap between the skillsets needed and those taught in school is too large, making it impossible for students to participate. That’s why we created 39 challenges for some hundred students of both specialised and less specialised fields of study, from the University of Ghent and HOWEST. We didn’t expect them to just solve the challenges, but started with introductions on SQL injection, traffic analysis and Android reverse engineering, and gave lots of tips and tricks.

We learned a lot too!
The children and students were not the only ones who learned a lot during these days. We were able to reaffirm how important it is to reach and guide youth in time, but most of all: what an incredible amount of talent is getting ready to enter the real world. The winning team of the Student CTF was even able to solve 36 of the 39 challenges!

What do you think? Did we teach the right things? Would you handle it differently? Or are you interested in a next edition of one of these events? You can let us know in the comments!

Want to take your application security to the next level?

When you build an application, are you sure it is safe? Are you certain attackers won’t be able to gain access to private or potentially injurious data? And are you absolutely convinced that an attacker is not able to disrupt the availability of your system?
