ddonzal writes: InfoSec veteran, Paul Jaramillo, CISSP, EnCE writes, "So as we are about to close out 2012, many of us in the IT Security community look around and try to assess where we were, what we have accomplished this year, and what is next. I’ve been working in IT since the late 90s with a focus on security for much of that time. Most of my work has been in large private-sector companies with a brief but very rewarding stint working for the government. To me while much has changed, many of the core issues remain today as they were back then. Our security condition has actually worsened in many cases. While that is up for debate, no one can argue the pace, sophistication, and impact of major cyber events related to nation-sponsored, organized crime. Hacktivism threats have increased exponentially in the last 4-5 years as well. This new normal has been applicable to the government and defense industrial base for a long time but really surfaced in the private sector around 2007. You would assume that with all that increased attention, dollars and executive support at the highest levels, it would be making things happen. To a certain extent they are, but we as an industry are still losing in the never-ending cat and mouse game with our adversaries. Why?
Over the years, I have sat through countless “you’re doing it wrong” or “we’re screwed” type of presentations. Some of them were very informative, and I absolutely respect anyone that publicly voices their opinions and ideas, knowing they will be criticized and nitpicked for things taken out of context. However, I often leave conferences with a desire for a way to fix what we all know has been broken. So what is stopping us? That is where I would like to focus some energy. What are the key road blocks and stumbling points that are keeping the security industry from truly raising the bar as opposed to being stuck in a continual state of catch up?"
ddonzal writes: Imagine a security virtual lab that is run by the community for the community... Free of charge! This is Hack.me. Hack.me allows web application security researchers and instructors to create and share vulnerable web applications for testing and educational purposes. Users will be able to run and practice offensive techniques against always new vulnerable web applications provided by the community. Practicing the OWASP Top 10, testing vulnerabilities against CMSs, verifying the latest exploits against COTS will be just a click away. Hack.me is completely FREE for all to use, accessible online and hosted in the cloud. Based on the Coliseum Framework, every vulnerable application created on hack.me is run on the fly in an absolutely safe and isolated sandbox. Join this webinar where Armando Romeo, founder of eLearnSecurity backing the Hack.me project, and Thomas MacKenzie, web application security specialist, will unveil the project and launch it to the world. Register for the webinar here: https://www2.gotomeeting.com/register/366762738 or join the conversation here: http://www.ethicalhacker.net/content/view/443/2/
ddonzal writes: "EH-Net's newest columnist and smartphone expert, Georgia Weidman, M.S., CISSP, NIST 4011, OSCP, starts with a primer to mobile hacking. "Next item on the board meeting agenda: the war on smartphones! For some time now, smartphones have been quietly creeping into our society and slowly infiltrating our families and companies. It started off simply enough: the CEO's husband bought her an iPad for Christmas, and she thought it would be pretty savvy to be able to answer work email on it at a business meeting half way around the world. The fashion slowly trickled down the food chain until everyone wants to put their smartphone devices on the company network. While vacations used to be a time of relaxation, when the pressures of everyday life at the office could be forgotten, now it can be a serious career hazard to be unable to answer emails during the few minutes at the beach when your laptop is out of Wi-Fi range. Gone are the days of parents hovering around the living room praying teenagers will make it home from their dates in one piece and by curfew. In the age of smartphones there's voice chat, video chat, text messaging, picture messages, and email continuously available to worried parents. Special smartphones are even being marketed to the under 13 crowd.
Whether it's bringing your own device or special company BlackBerrys handed out at company meetings, chances are smartphones are able to access emails, deliverables and reports, and other sensitive data in your company environment. How secure are those smartphones? What sorts of attacks are common against the various smartphone platforms? What user behaviors open up your sensitive data to attack? What information could someone who has access to the data on your smartphone learn about you, your family, and your workplace? There are many paths attackers can take to interfere with your smartphone’s intended operation. Jailbreaking, malware, text messages with malicious links, and client-side attacks (like the Safari webkit vulnerability) are a few of the paths discussed in this first entry in a series of articles on hacking mobile devices, which serves as a primer for the EH-Net crowd. Read on to get a better idea of some of the different ways your phone can be compromised along with some of the scenarios attackers are using to make this happen." For entire article: http://www.ethicalhacker.net/content/view/438/24/"
ddonzal writes: "This article by security veterans, Rick Howard and Steve Winterfeld, starts, "As Steve and I were eating dinner at DEFCON last year, the usual topics came up: What were the best talks of the day? Who were the completely lame speakers? What was the best hacker outfit so far? What is the best T-Shirt slogan of the day? What parties are we going to crash tonight? What were the best hacker books (both fiction and non-fiction)? And of course, we debated about which hacker movie is the best of all time. Steve and I have been arguing for years about this one, and, although we never agree, it does not stop us from spending hours rehashing the subject. And we are not alone in this endeavor. This is a favorite subject for hackers of all sorts. It turns out that there are so many ways to look at the question, that I am sure that Steve and I, and all nerds, will continue to ponder it for years to come.
Many hackers have a movie that is near and dear to their heart; a gateway drug so to speak that introduced the idea that hacking was a “thing” that loner losers like us could do, was cool and could make hot chicks like us. That last part never really came true for me or Steve or anybody we hung out with, but it gave us hope.
What gives you hope? What inspired you? What was your gateway drug in the hacking culture? Please help our research efforts by reading the rest of this article and then taking part in the Best Hacker Movies Survey http://svy.mk/Mpgvvg. Also be sure to visit the dedicated forum thread for this topic for more discussions. Results and further articles are sure to follow.""
ddonzal writes: Regular columnist for The Ethical Hacker Network, Chris Hadnagy of www.social-engineer.org, offers advice on how to be a better human hacker by utilizing tricks not found in normal tech books as he writes, "Social Engineering is a complex beast. It is not simply lying or telling someone a deceitful story to get them to give over their passwords. Social Engineering (SE) is defined, well at least by me, as any act that influences a person to take an action that may or may not be against their best interest. With that definition in mind there are many different principles that influence SE and the skills needed both physically and psychologically.
The concept behind this column is to provide the tools, techniques and direction to the readers that would like to either incorporate more SE into their current work or to become a full-time social engineer. I would like to take this month’s article to talk about at least one of the psychological principles involved in SE that should be considered foundational and required. It makes a huge difference in your ability to be successful."
ddonzal writes: With the changing landscape of warfare away from nation-states only utilizing conventional means to the addition of mobile rogue outfits utilizing cyber-attacks, not only countries but also organizations of all shapes and sizes now need to concern themselves with a new threat. Slowly but surely, the real vulnerability to the power grid is starting to grab the attention of both the public and private sectors. Along with that comes more media attention and in turn pressure to make sure these systems don’t come crashing down affecting hundreds of millions of citizens dependent on today’s modern conveniences.
With the need to secure such systems also comes the need for expertise and education. Enter Justin Searle, Managing Partner at UtiliSec. UtiliSec provides security consulting services to utilities and vendors in the energy sector. Some of the services offered include security assessments, guidance on regulatory issues like the NERC CIPs, participation in standards work and security training services. So who better to interview in order to shine a light on some of the many aspects of this burgeoning field of security? Here are several questions to get us all up to speed.
ddonzal writes: Author, instructor and professional hacker, Thomas Wilhelm, writes, "One of the more frequent questions I see on EH-Net pertains to creating pentest labs. Individuals new to the topic of hacking often have a limited understanding of what type of equipment is required, or how to go about setting up a lab to practice all of the cool attacks they have watched on YouTube. Details on how to get started using a single system and virtual machines are numerous – including some I have done. However, I think there is one question not being asked enough when discussing hacking labs: “Why do you want a lab?”
Most people create a lab containing a single host system and include virtual images of various Operating Systems. Unknowingly they have just restricted themselves to a very finite portion of real-world hacking – system attacks. I’m not even sure I can classify these “system attacks” as internal (within the corporate network) or external (Internet-facing services), due to a lack of support systems typically found in corporate networks. Absent are the routers, firewalls, IDS/IPSes, Windows networks, switches, etc. Without these, we don’t really have a good example of what someone might face during a real pentest, nor do we create an effective learning environment."
ddonzal writes: New Monthly Columnist for The Ethical Hacker Network, Chris Hadnagy of www.social-engineer.org, pens his first article, "Over the last year social engineering has gotten a lot of press. From the attacks on companies like Sony, HB Gary, PBS, Citibank et al to contests like the Social Engineering CTF at Defcon, it seems that social engineering has taken the front page. And rightfully so, as it is still the easiest and often most effective vector of attack. With that in mind, many people are interested in learning what it will take to either add social engineering skills to their tool chest (either personally or as part of their red team) or even become a full-time, professional social engineer.
And that was the impetus behind Chris Hadnagy's new monthly column exclusively at The Ethical Hacker Network, how to become a professional social engineer. So to get the ball rolling, I compiled this Top 5 List to help each person make this a career path or at least add it to their present security practices. As we move through the coming months, we’ll explore the history, methodologies and practical experiments in attacking the human. It will not only be educational but eventually lucrative for you and your organizations."
ddonzal writes: Article on The Ethical Hacker Network by Eli Sowash, CISSP, "As an information security professional, the task of communicating InfoSec concepts and concerns to executive management can sometimes be challenging. That security breaches like Sony, RSA, and Lockheed are grabbing mainstream media attention means security ideas and concerns are increasingly making their way to the boardroom. Since executive support can be one of the most valuable tools in the InfoSec professional’s toolbox, using these case studies with your own management can be a great starting point in letting them know that the security team understands the risks to the business.
It’s the job of an organization’s executive management to set the strategic direction, and building a relationship with the management team can mean incorporating proper security practices into the business process at the highest level. InfoSec professionals can then parlay this seat at the table with the baby step of an awareness program, which is a great way for management to lead by example.
We are all being called upon to answer to and collaborate with senior management differently than in years past. Here are three tips I’ve found that help to explain our world to the businesses we’re protecting."
ddonzal writes: CompTIA has been a stalwart in the IT certification arena for quite a number of years. They have dominated the space with such recognized credentials as A+, Linux+, Security+ and many others. Their certifications have been highly recommended by The Ethical Hacker Network (EH-Net) as well as countless others as an entry-point into a given area of IT. But can CompTIA help advance the careers of those already in the field of their choice within IT?
Enter CompTIA’s newest line of industry credentials, the Mastery Series of Certifications. The first offering from this new line is the CompTIA Advanced Security Practitioner, CASP (pronounced C-A-S-P like an acronym as opposed to ‘casp’ like a word). At first glance, it would appear as though CompTIA is taking on ISC2 and the venerable CISSP. After a closer look, this isn’t quite the case. Let’s find out more from Carol Balkcom, CompTIA’s Director and Product Manager for the CASP.
ddonzal writes: New tutorial by columnist for The Ethical Hacker Network, Chris Gates, CISSP, CISA, GCIH, GPEN, "In the first article, Oracle Web Hacking Part I, I talked about scanning Oracle Application Servers for default content and how to use that content for information gathering. A pentester can utilize that information to run SQL queries and to gain a foothold into the network. I also talked about iSQLPlus and some fun things you can do with that application, if you are able to guess credentials for it. I also showed some Metasploit modules to help you accomplish all of it.
In Part 2 of 3 of this ongoing series of columns, I’ll dive into attacking the Oracle Application Server Portal (OracleAS Portal). I’ll focus on Oracle 9i and 10g up to Release 2. With 11g (10.3.x) Oracle moved to WebLogic, and it’s completely different and therefore out of the scope of this series. But there are plenty of shops out there still using 9i and 10g, which gives us plenty of opportunity for breaking stuff. So, let’s get to it."
ddonzal writes: Article & Video by Dan Honkanen, GCIH, Security+, ITIL, et al on The Ethical Hacker Network, "Keyloggers are usually one of the top picks for a hacker or a spy's best friend. They basically serve as the eyes and ears of the attacker. They can be based on software or hardware and send detailed reports including the user's passwords, chat logs, all typed text, launched applications and visited websites. They can even send screenshots to visually show what the user was viewing as well as any webcam and microphone activity. Most laptops today come with a built-in webcam and microphone and don't usually give any signal that they have been enabled. Any person who uses that computer will have all their activities monitored and recorded in an encrypted log which only the attacker can access.
In this video, I will present the basics of keyloggers and also demonstrate a couple of my favorite keyloggers, their features, how hidden they are and how to prevent and detect keyloggers in general. At the end of this primer, the viewer should be able to fully understand where keyloggers fit into both sides of the equation."
ddonzal writes: "In an exclusive webinar on Thursday July 28 on The Ethical Hacker Network, a free online magazine for security pros, Metasploit founder HD Moore gives a technical sneak peek of the next version of Metasploit before it is available for download. The webinar includes live demos and will focus on new penetration testing features, including improvements of existing features and completely new functionality. The webinar will focus on the commercial edition of Metasploit Pro, Rapid7's flagship product for penetration testing and vulnerability verification, but also include information on improvements in the free, open source Metasploit Framework."
ddonzal writes: "Dissecting the Hack: The F0rb1dd3n Network, Revised Edition" by Jayson E. Street, Kent Nabors and Brian Baskin is not intended for the average reader of The Ethical Hacker Network, and this is what makes the book so intriguing. The foreword specifically points out how hard it is to speak with management about security, and how lost they get. It even comes complete with an explanation of the "glazed over eyes." Talking with decision makers is a topic often overlooked, and something that needs to be explored and dissected. At the end of the day, no matter how great you think your idea is, if you don't get management buy-in, the idea dies and you are forced to re-bury your department's head back in the proverbial sand.
I would imagine that at this point most readers are affirmatively shaking their heads, because by and large most managers/executives know very little about information security. I personally have dealt with this on more than one occasion, painstakingly detailing the largest (most obvious) vulnerabilities and the most cost efficient way to mitigate these risks. After I finished (each time) I was met by the aforementioned blank stares and confused looks. I was thanked for my effort, no changes were made, and I eventually left frustrated and annoyed. My chances of getting through to these decision makers may have improved if "Dissecting the Hack" had been in my arsenal.
ddonzal writes: What does the average security professional know about wireless technology, and wireless security in particular? Sure, it's easy to pwn WEP... but unfortunately, this is the extent of most people's knowledge. Many security testing firms even view wireless security as an "afterthought" or a separate practice entirely.
With the second edition of Hacking Exposed: Wireless, Johny Cache, Josh Wright, and Vinnie Liu aim to teach us all that there's a lot more to wireless security than WEP cracking. For those who follow the wireless world, the names of these three should be immediately familiar. Josh and Johny, in particular, have long been known as thought leaders in the wireless security space and have written or contributed to many of the tools and research used in the field. And with this fully revised and expanded edition of the book, these three great minds have come together, and the end product is an excellent book that covers some of the most cutting-edge technology while remaining very readable and down-to-earth. It's a book that deserves space on any hacker's bookshelf.
The book is arranged into three major sections. About two-thirds of the book is dedicated to 802.11 technology with sections dedicated to attacking both infrastructure and clients. The remaining third of the book is dedicated to three emerging wireless technologies, Bluetooth, ZigBee, and DECT.
Click link below to see entire review by Jon Janego