Grey bar Blue bar
Share this:

Sat, 17 Jan 2015

Commercial Snoopy Launch! [ ShadowLightly ]

Hello world!


We've been busy squireling away on a much requested project - a commercial Snoopy offering. We've called it ShadowLightly, and we'd like to invite you to join the beta explorer program. We're going to offer ten 3-month trials to the site (you'd need to buy sensors / build your own), and in return we'd ask that you help us debug any issues. To apply, please email explorer@shadowlightly.com - introduce yourself, and tell us a little about why you'd like to join the program.


To those who missed the Snoopy party: it's a distributed, tracking, profiling, and data interception framework. It's all open source and you can run your own setup for non-commercial purposes. Here's some more info:
http://www.sensepost.com/blog/10754.html
http://www.sensepost.com/blog/11042.html


How does this ShadowLightly thing work? You'd create an account on our ShadowLightly.com site, register your sensors, run your sensors uploading their data to our server, and then explore the data in both the website and in Maltego. We've built TDS transforms to query the remote data.


Here's a video which may explain it all better:


ShadowLightly Demo


We're looking forward to working with you!

Mon, 3 Nov 2014

Are you the intern we've been looking for?

intern


 


We're looking for an intern to join our newly formed 'Innovation Centre' arm of SensePost/SecureData. Have a read below for some more information, and drop us a mail if you're interested or would like some more info (glenn@sensepost.com).




The purpose of the Innovation Centre is to offer an incubation hub through which new ideas, concepts and other technical and business innovations can be collected & captured and then rapidly described, prioritised researched, prototyped, tested, advocated and transitioned into the business.


About the Intern Position:


The ideal candidate should have a computer science or similar background, but equivalent work experience or self taught candidates will also be considered. The following specific requirements are required:


* Familiarity with at least one scripting language, preferably Python
* Fundamental understanding of networking
* Linux experience
* A positive attitude with a capable problem solving capabilities


The following points would be seen as a bonus:
* Strong computer science degree
* Industry experience (e.g. holiday internship).
* Web development capabilities
* Security knowledge / experience
* Experience with embedded or similar systems (e.g. Pi, Arduino, etc)


Whilst SensePost is an information security company, this specific internship does not directly relate to an info-sec position, but the projects worked on will relate to info-sec. The internship is for placement in the Innovation Centre. Day to day tasks are likely to include:


* Writing PoC scripts
* Providing support to InnoCentre analysts (e.g. writing Maltego plugins, debugging issues, testing new hardware/software).
* Liaising with partners/clients

Sun, 17 Aug 2014

DefCon 22 - Practical Aerial Hacking & Surveillance

Hello from Las Vegas! Yesterday (ed: uh, last week, my bad) I gave a talk at DefCon 22 entitled 'Practical Aerial Hacking & Surveillance'. If you missed the talk the slides are available here. Also, I'm releasing a paper I wrote as part of the talk entitled 'Digital Terrestrial Tracking: The Future of Surveillance', click here to download it.


Whiskey shot!
Whiskey shot!


The Snoopy code is available on our GitHub account, and you can join the mailing list here. Also, congratulations to @AmandersLPD for winning our #SnoopySensor competition! You can see the output of our *amazing* PRNG in action below:

defConWinrar
I'll update this post to point to the DefCon video once they're released. In the meantime, the specifications of my custom quadcopter I had on stage are below:


Part    Type    Link
Frame DJI F450 http://www.uavproducts.com/product.php?id_product=25
Flight Controller APM 2.6 https://store.3drobotics.com/products/apm-2-6-kit-1
ESCs DJI 30A http://www.dronesvision.net/en/dji-f330-f450-f550/365-dji-esc-30a-opto-brushless-speed-controller-for-f330-f450-f550.html
Motors DJI 920KV http://www.ezdrone.com/product/dji-2212920kv-brushless-motor/
Radio Turnigy 9x http://www.hobbyking.com/hobbyking/store/__8992__turnigy_9x_9ch_transmitter_w_module_8ch_receiver_mode_2_v2_firmware_.html
Radio TX HawkEye 1W http://www.aliexpress.com/item/433Mhz-HawkEYE-openLRSngTX-UHF-system-JR-Turnigy-compatible-and-433MHz-9Ch-Receiver/1194330930.html
Radio RX HawkEye 6ch http://www.aliexpress.com/store/product/DTF-UHF-6-channel-long-range-receiver-By-HawkEYE/933311_1511029537.html
FPV Camera Sony 600 http://www.tecnic.co.uk/Sony-600-TVL-CCD-Mini-Camera.html
Video TX 600mw http://www.hobbyking.com/hobbyking/store/__17507__immersionrc_5_8ghz_audio_video_transmitter_fatshark_compatible_600mw_.html
OSD Minimosd https://store.3drobotics.com/products/apm-minimosd-rev-1-1
HD Camera GoPro3+ Black http://gopro.com/cameras/hd-hero3-black-edition
Goggles SkyZone http://www.foxtechfpv.com/skyzone-fpv-goggles-p-1218.html
FC GPS uBlox GPS https://store.3drobotics.com/products/3dr-gps-ublox-with-compass
Lost quad GPS Fi-Li-Fi http://uavision.co.uk/store/index.php?route=product/product&product_id=54
Payload BeagleBone Black https://github.com/sensepost/snoopy-ng

Tue, 5 Aug 2014

SensePost partners with Paterva to offer improved security intelligence

SENSEPOST PNG on clear
We've been big fans of Maltego and the team at Paterva for a very long time now, and we frequently use this powerful tool for all kinds of fun and interesting stuff, like

We go way back with Andrew and Roelof, who was in fact a founder of SensePost, so today we're super excited to be able to announce a new, strengthened partnership with them under which we have been accredited as an Approved Maltego Solutions Provider. Basically this means the that with Paterva's help we plan to use the powerful Maltego toolset to become better at our job - that is to provide information and information systems to our customer with which they can make sound security decisions. Here's the official news:
SensePost today is proud to announce the completion of a contract that will see the company recognized as the world's first “Approved Maltego Solution Provider” (AMSP) and the exclusive provider of this kind in the UK and Southern Africa.


SensePost was founded in 2000 and has developed into one of the worlds leading Information Security Services companies with offices in London, Cape Town and Pretoria. As trusted advisors it has always been our mission to provide our customers with insight, information and systems to enable them to make strong decisions about Information Security that support their business performance. Whilst this mission has traditionally expressed itself in technical security analysis services like Vulnerability Assessment and Penetration Testing we recognise that the threat landscape is constantly changing and that new and more complex realities necessitate the use of sophisticated new skills, tools and techniques with which to support our clients.


“This strategic alliance perfectly fits the ‘Assess-Detect-Protect-Respond' framework that drives the way we design, sell and deliver our service. It's the perfect evolution of our growing services offering.” says Etienne Greef, CEO of the SensePost group holding company SecureData, who's strategy is at the core of this new initiative.


‘Maltego', built by Paterva, is a powerful suite of software tools used for data mining, link analysis and data visualization, giving the user the ability to extract large volumes of data from diverse sources and then analyze it to understand the patterns and relationships it reveals. In the modern digital age these techniques are used to convert data into information and thereby extract concrete value that can be used for effective decision-making.


Maltego is a highly regarded and popular platform used extensively in Open Source Intelligence Gathering, Infrastructure Analysis for Penetration Testing, Cyber Attack Analysis, Fraud Detection and Investigation, Security Intelligence, Information Security Management, Research and more.


This partnership between SensePost and Paterva (who produce the Maltego software) builds on the companies' shared roots and intellectual heritage and will allow both companies to serve their customers and fulfil their respective missions better.


As an AMSP SensePost will be authorised to provide integration, consulting, support and training for the Maltego tools with full endorsement, support and assistance directly from Paterva. This new capability, combined with an existing wealth of information security skills and experience, uniquely positions SensePost to advise and support clients seeking to exploit the unique strategic advantage the Maltego toolset can offer.


More information on our services and capabilities in this space will follow with our official "launch" in a few weeks time. In the mean, here's a brief summary of our new offering.

Fri, 27 Jun 2014

The SensePost Academy: Wrecking Balls

There is a serious skills shortage in our industry. There are just not enough skilled hackers out there to fill all the open positions. In November of last year, I proposed a new approach for us at SensePost to address these concerns. I looked at what we could do as a company to ensure the next generation of hackers were being educated correctly (no, it's not about how you use a tool) and moulded into what we, at SensePost, perceive to be good penetration testers.


I termed this the SensePost Academy and it is a structured training programme for all new recruits looking at a life at SensePost in the Assessment team. It is a combination of basic technical + offensive attack approaches and client interaction skills that provide an excellent stepping stone for those looking at starting a career as a penetration tester. The academy runs for a period of six months, finishing with a final culminating exercise (CULEX) before the decision is made to accept the recruit into the assessment team as an unmonitored penetration tester. The SensePost Academy Review Board (SARB) oversees each recruit and is responsible for grading and testing the recruit on each phase, in addition to mentoring (or should that be tormenting?) them.


Interviews were performed, we wanted the right recruit and had to turn down a lot of people in the process, but we did find two gentlemen, and as a team, decided on our first ever recruits:


wreckingballs
On their first day, we reminded them that they were recruits and as a result, needed a special theme tune:



This theme tune would be played whenever they were addressed and as often as possible.


Over the past six months, they've been on many training courses internally, been shown the ways of the pwnage by the assessment team, presented at conferences and also developed and broken applications. Each phase was carefully monitored by the review board to ensure they were being moulded into a form we felt was right.


Finally, the CULEX week was upon us. A client application assessment (fictitious German company) and client feedback meeting. No hand holding, just perform the test like you've been shown and don't mess up.


After making them sweat, we took a vote this morning and I'm happy to welcome both Johan and Dane to our assessments team as Junior penetration testers.


If you think you'd be a good addition to the next academy intake, we've love to hear from you. Tweet us on @sensepost or email us at jobs@sensepost.com