Thursday, March 22, 2012

Hi everyone,

Just thought we would let you know there is much more information available on this site simply by clicking on the link menu above. There is a ton of information, examples and even videos that you can look at.

Thank you,
The Wetware Group

Wednesday, March 21, 2012

What is Wetware?

Wetware is a play on the terms hardware and software. Hardware refers to the physical components of a computer system (if you can kick it, it's hardware) and software refers to the programs and code that actually do something useful.

Wetware refers to the human brain and the decisions that humans make when they are using the computer. From the point of view of security, it is the "wetware" of the users that is the most important factor. It doesn't matter how many firewalls, honeypots, ID cards and RSA devices you have, or how well your least-privilege access is set up, if trusted users simply hand the keys to the system over to others.

As Bruce Schneier writes, "Security is a process, not a product." Real security is hard, since it's not just about plugging in a security widget that will make all your problems go away. It's about processes, and about training your people to do the correct thing, all the time, no matter what.

What is Social Engineering?

Social Engineering is a method used by intruders to manipulate human psychology in order to collect information and encourage authorized users to divulge confidential information and provide system access. Unlike technical hacks, which rely on exploiting software and hardware flaws that are often quickly patched, Social Engineers can use the same techniques over and over again.

The risk an intruder takes on with Social Engineering is quite small compared to more technical hacks, and Social Engineers can also enter systems much more quickly and easily. Social Engineers who ALSO know the technical hacking side (like Kevin Mitnick and Frank Abagnale) are especially dangerous.

And yes, Social Engineering can be that easy...

Video: talk from DEFCON 19 by Jayson E. Street, on Vimeo.

What is a Penetration Test?

A penetration test or "pen test" is a method used to test the security procedures, protocols, and response to an attack on the computer network. In a pen test a security contractor attempts to break into a network using the same techniques that real attackers may use. This may involve checking for unpatched vulnerabilities, absence of anti-virus software, or even the actions of the employees themselves. It is the response of the employees to Social Engineering-based attacks that we are exploring in depth for this project.

When conducting such tests, it is critical that the organization and its security consultant protect themselves from legal action. As this white paper points out, the actions taken by the security company would be illegal in any other situation. Proper legal preparation is critical and should include worst-case scenarios (for example, a suspicious employee calls the police), and when on-site, the security company's employees/contractors should have a method to have upper management "rescue" them if something goes wrong.

The job status of any employee who "messes up" during such a test should be clearly laid out. In fact, a company should be encouraged to treat employee failures as a positive sign: those failures are what help improve the long-term response to a real attack. Firing or otherwise punishing these employees would be a poor decision. In a real attack, the same employees who learned from their mistakes will be the first ones to recognize and respond appropriately to the real intruders. They become much more valuable to the organization.