Feb 2010 Free Giveaway Sponsor - Syngress Publishing

2 Winners Get Next 5 Released Books!

Syngress Publishing has been a long supporter of the professional hacking segment of the industry. 2010 shows no sign that they are stopping. In their continued support of EH-Net, they have graciously offered up copies of their next 5 releases to not just one lucky winner but 2!! Starting with the release of Dissecting the Hack: The F0rb1dd3n Network, Revised Edition by Jayson E. Street and Kent Nabors, the 2 winning EH-Net members will each be put on the list of those to automatically receive copies of the new releases immediately upon becoming available. What a great way to increase the volumes in your technical library with the latest and greatest tomes from topic areas like Certification, Digital Forensics, Hacking & Penetration Testing and more. Good luck to all EH-Net Members.


Participation is the ONLY way to win. Start a thread that sparks lots of interest; share thoughts and experiences; help a newbie... quality is more important than quantity.

Only members are eligible!
Registration Is FREE!

 
EH-Net January 2010 Newsletter

As a courtesy to our members, we try to keep you informed of some of the more interesting items that have been published in our online magazine by sending out an electronic newsletter by email. But not everyone interested in our content is a member. For that reason, we have decided to also publish the newsletter in article format for all to see. Each EH-Net newsletter features the major articles of the past month such as our Free Monthly Giveaways, reviews of books, courses and products as well as other newsworthy items. The newsletter also includes updates on our Hacking Challenges in "Skillz Scoop," some links to interesting or eye-catching discussions including job postings in "Hot on the Forum," and a listing of security related conferences happening in the near future from the EH-Net Global Calendar in "Upcoming Events." We also try to keep you up-to-date as to what is coming down the pike in "Stay Tuned." We have made changes and additions based on reader feedback, so keep them coming. Some suggestions include sections for "Tool of the Month" and a "Member Spotlight." Let us know what you think of these and any other ideas you might have.

 
Jan 2010 Free Giveaway Winner - Black Hat DC

We Have a Winner!!

EH-Net member, oneeyedcarmen, will attend Black Hat DC on us. The Washington, DC version of the world's premier technical event for security experts is being held January 31 - February 3, 2010. One Passport Admission Ticket worth $1995 allows our winner entry into the 2-Day Briefings portion of the event. The event is described as, "Understanding the increasingly complex threats posed to an enterprise can be a daunting task for today’s security professional. Knowing how to secure an enterprise against those threats can be overwhelming. Black Hat is the premier information security event for senior-level professionals to learn the latest insights from security researchers on defending an enterprise against tomorrow’s challenges. Black Hat events are comprised of multi-day training sessions provided by some of the most respected security experts in the world; as well as of a number of short, topical briefings presentations which highlight the latest research in security." Congrats!! Don't forget to check out Black Hat Europe April 12 - 15 in Barcelona, Spain.


 
Interview: Ferruh Mavituna on Netsparker

Review by Jason Haddix

Today we showcase a new web application scanner called Netsparker, and believe us when we say that we put this app through the wringer.

There's a big distinction between testing a tool against dummy apps in a lab and using it firsthand against a large environment. Luckily for us we got to do both.

Over the course of a month we ran several engagements and specifically watched Netsparker’s performance compared to other tools we normally use in the assessment process (w3af, Grendel Scan, Nikto, Wikto, Websecurify, Paros, Burp, etc). We have to say, we are very impressed. Netsparker not only caught vulnerabilities that other scanners missed but also had excellent remediation and a documentation section for most of its findings.

For injection it does a full-scale attack, testing every parameter it can spider (which it also does very well), and, although this lengthens the testing time, it also rewarded us with some valuable injection findings. Netsparker is developed by Mavituna Security, and more specifically our guest, Ferruh Mavituna.

 
Book Review: PCI Compliance

Review by Joel Dubin, CISSP

The Payment Card Industry Data Security Standard (PCI DSS) has taken it on the chin recently. With several high profile breaches of credit card numbers, some critics of the industry standard have said it either isn’t strong enough, or should be abolished altogether. But as Dr. Anton Chuvakin and Branden Williams correctly point out in the second edition of their book, PCI Compliance: Understand and Implement Effective PCI Data Security Standard Compliance, PCI is here to stay.

This is no ordinary field manual to the PCI standard. It isn’t a book, for example, that a PCI auditor, called a Qualified Security Assessor (QSA), would have open on their lap as a reference while working with a client. Instead it carefully weaves together PCI, which is considered compliance, with IT security. In fact, it also discusses PCI in the universe of other regulatory compliance standards, like SOX and HIPAA, which also give IT managers plenty of headaches.

The book correctly notes that compliance isn’t the same as security, a common misconception of PCI critics, but that it is part of a sound IT security program covering both bases, compliance and security, and not narrowly focused on PCI, but other standards, as well. That’s good news for IT managers suffering from compliance fatigue and looking for a single path to handle not just security but all the other regulations they face. PCI might not be a cure-all, but the IT security it requires can go a long way toward that single path.

 
Miracle on Thirty-Hack Street

Merry Christmas, challenge fans! As you know, my friends and I write several challenges per year for EthicalHacker.net. But, we've made it a bit of a tradition around here of reserving the December challenge slot for me, an honor which I sincerely appreciate. During past holiday seasons, you got to tangle with the Grinch, Rudolph, that Messy Marvin kid, Frosty, and even Santa himself.

This year, Kevin Johnson and I worked together on a challenge in which you'll get to save Santa Claus from the insane asylum! We call it "Miracle on Thirty-Hack Street", after the classic 1947 movie. In this tale, you'll get to analyze some Facebook accounts to see if you can draw out the secrets needed to decrypt a file. Remember, we'll award an autographed copy of my Counter Hack Reloaded book to three winners: the best technical answer, the best creative answer that is technically correct, and a random draw winner from anyone who happens to send in, well, pretty much anything in association with the challenge. Even if you can't answer all of the questions, send us what you've got to try for that random draw slot. Thank you again for reading and participating in these challenges. I hope you enjoy this one! All entries are due by January 11, 2010.

--Ed Skoudis
EthicalHacker.net Challenge Master
Author of Counter Hack Reloaded, Co-Founder, InGuardians, SANS Instructor

 
Review: SANS SEC550 Information Reconnaissance

Review by Justin Kallhoff, CISSP, C|EH, GPCI, GCIH et al

SANS Security 550 - Information Reconnaissance: Competitive Intelligence and Online Privacy

A pessimistic view of the Internet: A network that enables every human to be within a few milliseconds from every psychopath and criminal on earth.

Bryce Galbraith of Layered Security, a SANS certified instructor, has authored a new one-day course titled “Information Reconnaissance: Competitive Intelligence and Online Privacy.” The course is designed to educate IT professionals on the risks associated with information disclosure. It also teaches the students tools, tips, and techniques that assist in discovering information.

The amount of our personal information that exists on the web today is staggering; our governments, corporations, phonebooks, colleges, Facebook, MySpace, and Twitter are all guilty. According to Google, it is estimated the Internet grows a billion pages per day.

 
What Do I Really Need To Do To STAY PCI DSS Compliant?

By Dr. Anton Chuvakin - http://www.chuvakin.org/

Lately, a lot of security industry discussions have been focused on PCI DSS (Payment Card Industry Data Security Standard). The conversation ranges from practical advice on “how to get compliant” all the way to branding PCI as a devilish invention (Google for “PCI is the devil”). Fiery debates aside, PCI DSS guidance helped countless organizations to see the light of security where there was none before. It goes without saying that it didn’t magically make them “become secure” – no external document can.

One of the frequent criticisms of PCI focuses on the misguided view that “PCI is all about passing an ‘audit’.” Many people would be surprised to find out that PCI DSS lists specific tasks that you have to be doing all the time – NOT just before the assessment. This article focuses on the exact steps organizations must take to actually stay compliant and not just pass validation via scanning, on-site assessment or self-assessment questionnaire (SAQ).

 
Review: Penetration Testing with BackTrack by Offensive Security Part 4

Ryan Linn continues his insider's look at Offensive Security's online training in Part 4 of this continuing review of 'Pentesting with BackTrack.' As a reminder, PWB is described by Offensive Security as, "An online course designed for network administrators and security professionals who need to get acquainted with the world of offensive security. This penetration testing course introduces the latest hacking tools and techniques, and includes remote live labs for exercising the material presented to the students. This course gives a solid understanding of the penetration testing process, and is equally important for those wanting to either defend or attack their network. The course can be taken from your home, as long as you have a modern computer with high speed internet."

Ryan brings it all together for you next month with a complete review of the course as well as the exam experience. Stay tuned.

 
© 2010 The Ethical Hacker Network