Archive for January, 2009

Making Security Research Relevant

Monday, January 19th, 2009

I’m very very open and transparent about security, technology and what I do. I’ve written documentation so thorough that my clients have ended the contracts stating “we don’t need you anymore – with these docs we can do the work ourselves” – in the grander scheme of things that’s awesome. I love it when clients learn from me and it makes me feel really good about what I do – especially if it sticks the first time – but it certainly is prohibitive towards me paying my rent.

I’ve been very vocal in the last year about what I do – to the point it manifests itself as talks I give during BarCamp (LA and San Diego), and Refresh San Diego which is held at Qualcomm. Here is my most recent talk:


Security 102, part 1 from Dan Tentler on Vimeo.


Security 102, part 2 from Dan Tentler on Vimeo.

Video courtesy of @northlight



Twitter phishing scam

Monday, January 5th, 2009

So here’s the scoop:

The phishers phish more than just banking websites – Twitter is vulnerable to this just like any other website that takes login information.

That being the case, the phish is simple: you’re sent to a website that looks just like Twitter, but isn’t.

The site isn’t Twitter – so don’t give them your password!

Apparently people don’t think phishers target Twitter (well, maybe not after today). Some high-profile accounts were hacked today:

Britney Spears, Rick Sanchez from CNN, Fox News, Facebook, Barack Obama and The Huffington Post.

The need for security is ever-present. Please, watch where you’re going.

If you think you’ve been compromised, change your passwords immediately – and that doesn’t mean adding a 1 to the end of it.
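As an added illustration of the “don’t just add a 1 to the end” point (this is example code written for this page, not the author’s), here is the kind of check a site or password manager can run when a user changes a password. It rejects a new password that is the old one with a short tail of digits or symbols changed, the old one reversed or embedded in the new one, or anything within a couple of edits of it. The minimum length and edit-distance thresholds are assumptions, not values from the post.

```python
import re

# Trailing run of up to four digits/symbols: the "Summer2008" -> "Summer2009"
# and "hunter2" -> "hunter2!" style of change. Character set is an assumption.
_TAIL = re.compile(r"[0-9!@#$%^&*.?]{1,4}$")


def _core(password: str) -> str:
    """Strip a short trailing run of digits/symbols so the stable part can be compared."""
    return _TAIL.sub("", password)


def _edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance (insert, delete and substitute each cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def is_trivial_variant(old: str, new: str, max_edits: int = 2) -> bool:
    """True if `new` is just a cosmetic rewrite of `old` (case-insensitive)."""
    o, n = old.lower(), new.lower()
    if o == n or o == n[::-1]:
        return True
    if _core(o) == _core(n):      # only a short tail of digits/symbols changed
        return True
    if o in n or n in o:          # one is the other with something bolted on
        return True
    return _edit_distance(o, n) <= max_edits


def check_new_password(old: str, new: str, min_length: int = 12) -> list:
    """Return the reasons a password change should be refused; empty list means accept."""
    reasons = []
    if len(new) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    if is_trivial_variant(old, new):
        reasons.append("too similar to the previous password")
    return reasons


if __name__ == "__main__":
    # Constructed sample changes, not real credentials.
    for old, new in [("hunter2", "hunter21"),
                     ("Summer2008", "summer2009"),
                     ("hunter2", "correct horse battery staple")]:
        verdict = check_new_password(old, new) or ["ok"]
        print(f"{old!r} -> {new!r}: {', '.join(verdict)}")
```

The similarity test deliberately works on the plaintext at change time, since that is the only moment a site legitimately has both the old and new password in hand; it should never be done by storing old passwords in a recoverable form.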

I’ll be adding this subject matter to the Security 101 talk happening at RefreshSD in San Diego at the Qualcomm campus on the 13th.

Security 101 at Refresh SD – Jan 13, Qualcomm campus

Thursday, January 1st, 2009

I thought that doing Security 101 at places like Oggi’s may have been a tactical mistake, because I want people to actually learn and benefit from some of this stuff; having the discussion broken by the wait staff frequently simply murdered all the momentum the discussion had, and the event turned into a hacking 101 lab where I just demonstrated attacks.

That being the case, doing a Security 101 class in an actual classroom environment where I can have the attendees comfortable and perhaps even have a projector would likely be far, far better. Phelan was gracious enough to let me usurp the January installment of RefreshSD to give my Security 101 talk in a more meaningful and more formal environment. Refresh this month is on the 13th – see refreshsd.org for details, or see the meetup group.
Here is my proposed curriculum:

Basic networking
- How do computers talk?
- What is a packet?
- What’s IN a packet?

Clear text versus encryption (HTTP, FTP, DNS)
How websites pass information around
How to tell if the site you’re on is passing your information encrypted or not.

Some network voodoo – watching the stream
- driftnet
- dsniff
- watching DNS queries

(The next three may or may not be permitted depending on Qualcomm’s network configuration.)
- basic man-in-the-middle example
- faking SSL certs
- changing DNS

Hope to see you all there!
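The Twitter phishing post above (“the site isn’t Twitter – so don’t give them your password”) and the curriculum item “how to tell if the site you’re on is passing your information encrypted or not” both come down to reading the address bar correctly. The following is an added example, not code from the posts or the talk: it takes the URL a user is about to log in on and the host they believe they are on, and reports whether the connection is encrypted and whether the host really is that site or just something that resembles it. The expected host `twitter.com` and the sample URLs are constructed for the illustration.

```python
from urllib.parse import urlsplit


def url_verdict(url: str, expected_host: str = "twitter.com") -> dict:
    """Classify a login URL: is it HTTPS, and is the host really `expected_host`?

    Returns a dict with the parsed host, an `encrypted` flag, a `genuine` flag
    and a list of human-readable problems (empty when everything checks out).
    """
    parts = urlsplit(url)
    # urlsplit resolves the "user@" trick for us: everything before the last
    # "@" in the authority is a username, and .hostname is the real server.
    host = (parts.hostname or "").rstrip(".").lower()
    problems = []

    encrypted = parts.scheme == "https"
    if not encrypted:
        problems.append(f"scheme is {parts.scheme or 'missing'!r}: the login form "
                        "would be sent in clear text")

    if parts.username is not None:
        problems.append(f"URL has {parts.username!r}@ before the host; the server "
                        f"actually contacted is {host!r}")

    if not host.isascii() or any(label.startswith("xn--") for label in host.split(".")):
        problems.append("host contains non-ASCII or punycode labels; it may be a "
                        "look-alike of the real name")

    # Genuine means the host IS the expected domain or a subdomain of it.
    # The leading dot stops "nottwitter.com" and "twitter.com.evil.example"
    # from matching.
    genuine = host == expected_host or host.endswith("." + expected_host)
    if not genuine:
        problems.append(f"host {host!r} is not {expected_host} or a subdomain of it")

    return {"host": host, "encrypted": encrypted, "genuine": genuine,
            "problems": problems}


if __name__ == "__main__":
    # Constructed sample URLs of the shapes the phishing post warns about.
    samples = [
        "https://twitter.com/login",
        "http://twitter.com/login",
        "https://twitter.com.login-verify.example/",
        "https://twitter.com@evil.example/login",
        "https://tw\u0131tter.com/login",          # dotless i look-alike
    ]
    for s in samples:
        v = url_verdict(s)
        print(s, "->", "OK" if not v["problems"] else "; ".join(v["problems"]))
```

The scheme test is the programmatic equivalent of looking for the padlock, and the host test is the equivalent of reading the domain from the right-hand end: the part just before the first slash, ignoring anything before an `@`. It cannot tell you that a correctly named HTTPS site is trustworthy, only that a URL is not the site it is dressed up as.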