15 dic 2011

Entrevistamos a David Kennedy, creador de SET (Social EngineeringToolkit)

El pasado fin de semana nuestro compañero Luis (@streaming10) tuvo el placer de realizar una entrevista para Flu Project al gran David Kennedy, creador de la popular herramienta para ataques de Ingeniería Social, SET (Social Engineering Toolkit).
A continuación os dejamos con la entrevista:
Dave, my name is Luis (streaming10), and I colaborate with flu-project.com, I study law, but the social engineering, metasploit and the other hacking tools are my passion. These are the questions:
Thank you very much for talking with us, you are the first of our SEC Interviews and a pleasure to grant us some of your time.(sorry if my English is not very good, some of the blame lies with the translator of google)
1. How did you start the computer security world?
I started off at a real young age playing multi-user dimensions (MUD) and found a niche in computers. From there I worked on computer security related efforts in the United States Marines where I really took a liking to computer security. Shortly after the military, I joined a small security consulting company. Security quickly became a hobby and not just a job.
2. What blogs, magazines. often read to keep you updated computer security issues?
I don't really follow to many magazines or blogs. I use Twitter quite a bit to follow some very interesting people that often link to things that are of interest. I follow quite a few peoples work and usually keeps me up to date with the latest and greatest out there. For me, I find it hard to follow everything out there so I follow only what interests me.
3. How did you set SET?
SET started off as just an idea around building a social engineering tool when social-engineer.org was getting launched by Chris Hadnagy. I was often on a number of penetration tests and social-engineering was not an avenue anyone was accustomed to performing. Every time I would try to get it included in scope for an engagement, it was always taken out. We saw social engineering as being the next largest threat landscape out there and that's where SET was born. I think when I first wrote it, all it did was send some phishing emails. It's come a long ways and would have NEVER imagined it would have taken a life of its own like it has.
4. Do you publish soon a new version of SET? Any new surprise?
There should be a new version coming out within a month or so. Kevin Mitnick and myself presented at DerbyCon 2011 on Adaptive Penetration Testing and one of the techniques that Kevin used on profiling the targets machine on whats being used (java, adobe, etc) will be introduced into SET. It will allow selective targeting based on specific applications that are installed and attack those.
5. What ethical hacking applications are most used?
Application wise that really depends on whats my target. I rarely use vulnerability scanners if at all anymore. Metasploit obviously is a very large one however it if it's a web application, Burp is my go-to tool for it all. It really just depends on the situation and what I want to do. A lot of times for me it's about exploring whats out there, learning the network, and from there thinking of a way to attack it.
6. What would you recommend to young people who are starting out?
Make security your passion, your hobby. Instead of playing on XBOX or taking up a hobby that kills all your time, go home and work on security things. Security takes dedication, time, effort, and it takes someone who has passion for it. The biggest advice I can give you is never think that anyone in this industry is smarter than you, it's not the case. It's about how you learn, taking that and focusing it. I'll give you my secret that was shared with me from a good friend in the early 2000's. Pick a programming language and instead of reading a book, come up with a new tool that will help you in some way and figure out how to write it. That's how Fast-Track was born.
7. Is it more amazing that you've seen it done (or done) through social engineering?
Every social-engineer is something new and amazing. You really get to understand that there is rarely anything that can stop what you're doing and its just a big rush. I enjoy social-engineering more than an actual hack now because I'm interfacing with humans and its so unpredictable. It's not like an exploit where you've sat there and coded it and after an absorbent amount of work, you have a working product. With social-engineering, that person has been programmed differently than the other. It's how you behave, communicate, and ultimately get them to do what you want. It's such a complex art, yet so effective.
8. What programs or methods you use to anonymize your attacks?
I don't really need to be anonymous in my attacks as I do them legitimately however I do have servers all over the world that I leverage during attacks depending on what I'm trying to do.
9. The computer in general and in particular that we move into the hacking scene do not have a good reputation with women:). Do women will understand when we talk about hacking?
Women in security is still a long ways off. We are as you mentioned a predominantly male driven population however, I think that's slowly changing. You have several high-profile women that are presenting at security conferences and something that is becoming the norm. I think traditionally if you look how "hacking" took place, it was through sitting in the basement nerding it out, that takes a certain kind of person and I think it's mostly a guy thing however that perception is quickly changing.
10. Who would you like us to do the next interview? (please if you know, help us to work with us. And his twitter)
Chris Nickerson is always a good one to talk to. He is indi303 on twitter.

No hay comentarios:

Publicar un comentario