April 2013 Free Giveaway Sponsor - eLearnSecurity

Win 3 Prizes Worth $1700!

Shhhh... Don't tell anyone, but there's a new course coming from eLearnSecurity on webapp pentesting. And before it even goes live, all you EH-Netters have a shot at winning a free seat. If their past courses and projects like Coliseum and Hack.Me are any indication of the quality, this should be a very well received online class and practical exam. Of course we'll be the judge of that as EH-Net Columnist, Jason Haddix, is working on the review as we speak. If you'd like to get info immediately when it's made available, please fill out the webform for the New eLearnSecurity Training and Certification Path on Web Application Security, and you will also get a whopping 30% OFF at launch! But don't say anything!

In addition to the behind-the-scenes work on the new webapp course, eLS has also been busy lately updating Penetration Testing - Student. We'll share our thoughts on this course as well in an upcoming review by, appropriately enough, a new writer for EH-Net, Heather Pilkington. So with that, I'm sure all you hackers out there have figured out that members can win 1 of 3 prizes listed below:

- 1 seat in the soon-to-be-released eLS WebApp Professional Course worth $900
- 2 seats in the Penetration Testing - Student v2 Course worth $400 each

You know the drill. You win by participating in the EH-Net Community. So get at it!

 


Participation is the ONLY way to win. Start a thread that sparks lots of interest; share thoughts and experiences; spread the word of EH-Net to your social networks; help a newbie... quality is more important than quantity.

Only members are eligible!
Registration Is FREE!

Human Intelligence to Navigate the Security Data Deluge

By Robert J. Shaker II, CISSP, CCSK, CGEIT, CRISC

Since the dawn of man there has been intelligence. Hunter gatherers would venture out and learn from the world around them what each sound, smell, and taste meant. The growl of a large predator would alert them to prepare for a defensive effort or to change paths. The smell of smoke meant other humans were nearby, and the taste of bitter meant something wasn’t edible. As time marched forward, needing to learn more about the other packs of humans around them became more important. There was competition or cooperation for resources but this required getting to know the other pack. Sometimes the best way to do that was to spy on them, to gather intelligence about the way they behaved, the way they interacted with each other and to determine how strong or weak they were.

Regardless of the point in history, this has always proven to be true. We can see it as we progress through our modern era. In fact, this became so important that commercial intelligence companies began forming. The Age of Exploration saw a boom in this industry as the colonial armies grew. Their need for intelligence required outside parties, whether to help with the sheer volume of work, geographic dispersion or to give plausible deniability. Is it so different now?

Today, we are up against countless adversaries. They’re nameless, faceless and shrouded behind false information. The ships that are on the horizon, the spies in our midst and the fortress we protect are all in the digital domain. The virtual skies are foggy and visibility is low. Today’s environment is much more difficult to navigate. The one commonality between these two vastly different times is the importance of human intelligence, and I’d argue that today it’s even more important than ever. A couple scenarios below will illustrate just how important it is for our innately human talents to remain a vital part of cyber security.

February 2013 Free Giveaway Winner of SANS CyberCon Training

We Have a Winner!

In a slight twist but not completely out of the ordinary, I have an announcement. As most of you know, I pick the winners not only based on participation but also on the ability to utilize the prize. I have also in the past taken special requests and rearranged winners to meet the needs of those who contribute the most. This usually takes place behind the scenes and is often the reason it looks as though someone who didn't participate the most wins, because many others couldn't utilize the prize and I thus had to keep going down the list. That being said, I want to continue to be fair. Last month's winner was absolutely deserving but couldn't use the prize. So I'm making an executive decision and announcing that UNIX will receive the seat at SANS CyberCon beginning April 22 with his choice of the following:

- SEC401: Security Essentials Bootcamp Style ($4,645)
- SEC504: Hacker Techniques, Exploits & Incident Handling ($4,845)
- SEC575: Mobile Device Security and Ethical Hacking ($4,845)
- FOR408: Computer Forensic Investigations - Windows In-Depth ($4,845)
- MGT414: SANS +S Training Program for the CISSP Certification Exam ($3,995)

SANS is also offering two NEW Audit courses at CyberCon, running back-to-back.
- AUD444: Auditing Security and Controls of Active Directory and Windows ($2400)
- AUD445: Auditing Security and Controls of Oracle Databases ($2400)

So yes, this means that there's still a chance to win last month's prize of a full version of Metasploit Pro with 1 year of support. I will be contacting deserving EH-Netters very soon to give this prize away. I'll make the announcement in the forum thread for the Holiday Giveaway. Congrats and good luck to all of you as the prizes continue throughout 2013.

PS - If you didn't win, you still get a prize of 5% Off w/ Coupon Code: EHN_5

 

Interview: Bugcrowd Founders on Herding Ninjas for Crowdsourced Bug Bounties

By Jason Haddix

Love it or hate it, crowdsourcing is here to stay. While it’s been mostly confined to development and design, eventually it was going to come to security.  Two such gentlemen trying to pioneer the space are Casey Ellis and Sergei Belokamen. Being long-time hackers and having seen how the security space works, they decided to start Bugcrowd. Here’s a description directly from the source:

“Bugcrowd is by far the most comprehensive and cost-effective way to secure websites and mobile apps. We’ll do a brief consultation and help you set the budget, the duration, and which websites or apps you’d like our curated crowd of researchers to test. The Bugcrowd researchers get to work finding security flaws in your applications. All testing can be routed through Bugcrowd’s crowd-control system, providing control and accountability. Any bugs are submitted to our Secure Operations Centre as soon as they are found. We validate the flaws and, at the end of the bounty, reward the first researcher to find each unique flaw. We provide you with an easy to understand report for you to hand to your developers… We can even recommend partners to help you fix what we find!”

Join me as I interview them both about their new venture and uncover some interesting information about security testing on a massive scale, as well as how to start. For example, if you are a tester looking to participate, it couldn’t be easier. Fill out the “Ninja” form and create an online profile (public or private) in which you provide Bugcrowd with your PayPal email address. Then you wait until you receive an email message announcing a new bounty… and it looks a little something like this…

Network Forensics: The Tree in the Forest

By Todd Kendall

Security professionals are often tasked with the unenviable position of wading through millions of bits of data, the review of thousands of systems, or the evaluation of hundreds of applications.  At the end of the day it is their job to provide the ten thousand foot view of an organization and the highest rated findings that put it at risk.  Information overload is a common theme in today’s society, and management requires the presentation of this material in a digestible manner of typically one page or less.  The ability to provide this service requires what is often referred to as “seeing the forest for the trees.”  In other words, don’t get distracted or bogged down by the minutiae of your discoveries at the risk of overlooking the big picture.

When it comes to computer forensics, however, the tables are flipped. When an event turns into an incident and management must answer to a board or the company’s shareholders, the ten thousand foot level is no longer adequate. At this point, every packet that ever crossed your company’s domain becomes suspect, and expectations are set whereby answering questions such as how did it happen, what damage did it do, where did it come from, when exactly did it occur, and who did it requires the puzzle to be unravelled and presented in such excruciating detail that it would make Melville take up skim-reading.

March 2013 Free Giveaway Sponsor - Mile2

Win 4 Prizes Worth $7550!

Our friends at Mile2 always seem to outdo themselves, and this month continues that positive trend. And they usually have some good news to go along with it. They're proud to announce their new collaborative partnership with Merit Network, Inc. to provide cyber security courseware and certifications through the Michigan Cyber Range, an unclassified, air-gapped system (sponsored by NIST, Juniper and the US Dept. of Homeland Security as well as several major universities) that enables students and professionals to practice "live fire" cyber security exercises in a secure, monitored environment without impacting everyday network activity. Sounds like fun, but what can you win!?!? How about 1 of 4 prizes:

- 1 seat in a live, instructor-led course for Mile2's C)PTE course (NSA CNSS accredited in April) with "Live Fire Exercises" from April 29 - May 3 at the Michigan Cyber Range. Value - $5000
- 3 CBT Video & Certification Packages each worth $850. Winners can choose either C)PTE (Certified Penetration Testing Engineer), C)ISSO (Certified Information Systems Security Officer), or C)DFE (Certified Digital Forensics Engineer).

If you don’t win, don’t worry. You can still take advantage of the EH-Net Exclusive March Madness 50% discount on a Mile2 C)PTE combo with Code: marchmad2013. You know the drill. You do good for us, we do good for you. So get out there and start participating in our forums, spreading the word of EH-Net, RTing, helping newbies, sharing your war stories... we'll be watching. ;-)

 

Book Review: Violent Python

Review by Andrew Johnson OSCE, OSCP, GWAPT, GPEN, et al

As stated in its tagline, Violent Python is A Cookbook for Hackers, Forensic Analysts, Penetration Testers, and Security Engineers. This is a relatively broad scope and demonstrates how Python can be used to automate and assist with tasks across a variety of diverse InfoSec disciplines. However, breadth does not preclude depth in this case; the exercises build up to a fairly advanced level. Violent Python is authored primarily by TJ O’Connor, with Rob Frost contributing a chapter on Web Reconnaissance, and Mark Baggett acting as the Technical Editor. A quick glance at their collective credentials and experience undoubtedly creates high expectations for this title.

For those unfamiliar with cookbook-style resources, the contents are made up of dozens of short, self-contained “recipes.” The objective is not to comprehensively teach Python from the ground-up, but rather present scripts that focus on a specific task. The end result is that the book demonstrates how powerful just a few dozen lines of Python code can be (even the longest of recipes rarely exceed 100 lines). However, while the aim is not to teach Python programming in general, useful tips and tricks will surely be acquired simply by working through the exercises. The recipes were created in a modular fashion, with code reusability in mind, and they can easily be incorporated into larger projects. Let’s take a closer look.

Holiday 2012 Free Giveaway Winner of Metasploit Pro by Rapid7

We Have a Winner!!

The folks at Rapid7 have continued to support numerous community activities including EH-Net. One hard working EH-Netter has been chosen to win a full license of Metasploit Pro with one entire year of support included for a total value of $15,000! For a little more on the Pro edition:

"Metasploit Pro helps enterprise defenders prevent data breaches by efficiently prioritizing vulnerabilities, verifying controls and mitigation strategies, and conducting real-world, collaborative, broad-scope penetration tests to improve your security risk intelligence."

As with every giveaway, all you have to do is participate on EH-Net. Since this is such a large prize, in determining the winner, I went right to those with the largest number of posts (1000+). And the deserving winner this time around is UNIX. Congrats!! For those who did not win, don't stop participating now as the prizes keep on coming with a SANS giveaway in February, Mile2 in March and much more throughout 2013. Keep up the great work.

 

Course Review: SANS FOR408 Computer Forensic Investigations – Windows In-Depth

By Jason Andress

The field of forensics used to be the ugly step-child of the ethical hacking world. In fact, it wasn’t even in the InfoSec category at all for the longest time. It was a realm populated by one of two types - the lonely IT guy hired by law enforcement to handle general tasks or the unlucky law enforcement officer who admitted that he knew something about computers. My, have we come a long way. Not only are there now multiple disciplines, network forensics and file system forensics, but also each has its own sub-specialties for a given technology. Thus file system forensics breaks into mobile and desktop varieties, and further areas of specialization for OSX, Linux and Windows. And with any maturing industry, there are a slew of training options available.

The SANS FOR408 Computer Forensic Investigations – Windows In-Depth class covers the needed skills for proper forensic acquisitions and analysis of devices with this operating system. While many classes focus largely on forensic acquisitions and on a single or just a few tools, FOR408 goes into great depth on the analysis side and covers a multitude of tools: some pay and some free, some open source, and quite a few that will make the hair stand up on the back of your neck. The class also plumbs the depths of a number of operating system artifacts that lurk in the crevices of Windows and is generally a great deal of fun for the forensically-minded. This course and review is slightly different, as I attended the SANS vLive version of this class. Let’s take a look at the specifics.

© 2013 The Ethical Hacker Network