Last week I was in Amsterdam for an intensive three days of conferencing, talks and social events. On the first evening, I was kindly invited to join the OWASP Netherlands Chapter Meeting to present the work we recently did together with the KULeuven guys on the (in)security of File Hosting Services. In this research we explain why hosting providers do not put enough effort into providing security-aware services. If you are interested in this topic, you can take a look at The Register's report.
On the second day, I attended DIMVA 2011, a popular European security conference, where I could meet many well-known people. This year, the conference was hosted by Herbert Bos, VU University, who did his best to bring security experts together in a friendly and relaxed atmosphere. The social event was organized on a 40-meter sailing boat, where we had our dinner. DIMVA also featured a Capture the Flag (dCTF). 40 teams from universities and the underground participated. Our team from EURECOM played well and finished 7th: a good result considering that more than half of the team was composed of students.
My talk at DIMVA (slides) was about a new attack against social network users that we call Reverse Social Engineering. Basically, the idea is to feed victims with a pretext to get back to the attacker instead of the attacker contacting the victims. By running these experiments on three different vulnerable providers, we showed that a single honeypot profile can easily attract thousands of unsuspecting users. Compared to its “little brother”, the reverse flavor of social engineering can potentially reach millions of victims easily, and can bypass current behavioral and filter-based detection.