Table of Contents

Preface; Audience; Assumptions This Book Makes; Contents of This Book; Conventions Used in This Book; Using Code Examples; We’d Like to Hear from You; Safari® Books Online; Acknowledgments; Chapter 1: Intelligence Gathering: Peering Through the Windows to Your Organization; 1.1 Physical Security Engineering; 1.2 Google Earth; 1.3 Social Engineering Call Centers; 1.4 Search Engine Hacking; 1.5 Leveraging Social Networks; 1.6 Tracking Employees; 1.7 What Information Is Important?; 1.8 Summary; Chapter 2: Inside-Out Attacks: The Attacker Is the Insider; 2.1 Man on the Inside; 2.2 Cross-Site Scripting (XSS); 2.3 Cross-Site Request Forgery (CSRF); 2.4 Content Ownership; 2.5 Advanced Content Ownership Using GIFARs; 2.6 Stealing Files from the Filesystem; 2.7 Summary; Chapter 3: The Way It Works: There Is No Patch; 3.1 Exploiting Telnet and FTP; 3.2 Abusing SMTP; 3.3 Abusing ARP; 3.4 Summary; Chapter 4: Blended Threats: When Applications Exploit Each Other; 4.1 Application Protocol Handlers; 4.2 Blended Attacks; 4.3 Finding Blended Threats; 4.4 Summary; Chapter 5: Cloud Insecurity: Sharing the Cloud with Your Enemy; 5.1 What Changes in the Cloud; 5.2 Attacks Against the Cloud; 5.3 Summary; Chapter 6: Abusing Mobile Devices: Targeting Your Mobile Workforce; 6.1 Targeting Your Mobile Workforce; 6.2 Summary; Chapter 7: Infiltrating the Phishing Underground: Learning from Online Criminals?; 7.1 The Fresh Phish Is in the Tank; 7.2 Examining the Phishers; 7.3 The Loot; 7.4 Infiltrating the Underground; 7.5 Summary; Chapter 8: Influencing Your Victims: Do What We Tell You, Please; 8.1 The Calendar Is a Gold Mine; 8.2 Social Identities; 8.3 Hacking the Psyche; 8.4 Summary; Chapter 9: Hacking Executives: Can Your CEO Spot a Targeted Attack?; 9.1 Fully Targeted Attacks Versus Opportunistic Attacks; 9.2 Motives; 9.3 Information Gathering; 9.4 Attack Scenarios; 9.5 Summary; Chapter 10: Case Studies: Different Perspectives; 10.1 The Disgruntled Employee; 10.2 The Silver Bullet; 10.3 Summary; Chapter 2 Source Code Samples; Datamine.js; Pingback.js; External-datamine.js; XHRIEsniperscope(); Codecrossdomain.java; HiddenClass.java; Cache_Snoop.pl; Colophon;

Nitesh Dhanjani is a well known security researcher, author, and speaker. Dhanjani is currently Senior Manager at a large consulting firm where he advises some of the largest corporations around the world on how to establish enterprise wide information security programs and solutions. Dhanjani is also responsible for evangelizing brand new technology service lines around emerging technologies and trends such as cloud computing and virtualization.

Prior to his current job, Dhanjani was Senior Director of Application Security and Assessments at a major credit bureau where he spearheaded brand new security efforts into enhancing the enterprise SDLC, created a process for performing source code security reviews & Threat Modeling, and managed the Attack & Penetration team.

Dhanjani is the author of "Network Security Tools: Writing, Hacking, and Modifying Security Tools" (O'Reilly) and "HackNotes: Linux and Unix Security" (Osborne McGraw-Hill). He is also a contributing author to "Hacking Exposed 4" (Osborne McGraw-Hill) and "HackNotes: Network Security". Dhanjani has been invited to talk at various information security events such as the Black Hat Briefings, RSA, Hack in the Box, Microsoft Blue Hat, and OSCON.

Dhanjani graduated from Purdue University with both a Bachelors and Masters degree in Computer Science.

Dhanjani's personal blog is located at dhanjani.com.

Billy Rios is currently a Security Engineer for Microsoft where he studies emerging risks and cutting edge security attacks and defenses. Before his current role as a Security Engineer, Billy was a Senior Security Consultant for various consulting firms including VeriSign and Ernst and Young. As a consultant, Billy performed network, application, and wireless vulnerability assessments as well as tiger team/full impact risk assessments against numerous clients in the Fortune 500.

Before his life as a consultant, Billy helped defend US Department of Defense networks as an Intrusion Detection Analyst for the Defense Information Systems Agency (DISA) and was an active duty Officer in the US Marine Corps (deployed in support of OIF in 2003). Billy s thought leadership includes speaking engagements at numerous security conferences including: Blackhat Briefings, RSA, Microsoft Bluehat, DEFCON, PacSec, HITB, the Annual Symposium on Information Assurance (ASIA), as well as several other security related conferences. Billy holds a Master of Science degree in Information Systems, a Master of Business Administration degree, and an undergraduate degree in Business Administration

Brett Hardin is a Security Research Lead with McAfee. At McAfee, Brett bridges security and business perspectives to aid upper management in understanding security issues. Before joining McAfee, Brett was a penetration tester for Ernst and Young's Advanced Security Center assessing web application and intranet security for Fortune 500 companies.

In addition, Brett also is the author of misc-security.com. A blog dedicated to focusing on security topics from a high-level or business-level perspective.

Brett holds a bachelor of science in Computer Science from California State University at Chico.