Recent Articles

June 2013 Free Giveaway Sponsor – Black Hat USA

June 5, 2013

Win Black Hat USA 2013 Briefings Pass Worth $2195!


Hard to believe it’s that time of year again, but here we are. Time to start gearing up for the madness that is the annual trek to Vegas for Black Hat USA and DEFCON. We have a number of readers who come to EH-Net looking to be educated in the ways of professional hacking. Not everyone is a seasoned pro, and I hate to assume that everyone knows of these security events. So, for you newbies, here’s the official description:

Black Hat USA is the most intensely technical and relevant global information security event in the world, encouraging collaboration between academia, leaders in the public and private sectors, and world-class researchers. Nowhere else in the world will you experience the same caliber of conversations and continuing education, within a strictly vendor-neutral and friendly environment. Each year, the brightest minds in security come together in Las Vegas for six days of learning, networking and high-intensity skills building. Back for its 16th year, the Black Hat USA Briefings and Trainings will take place July 27-August 1, 2013.

Participation is the ONLY way to win. Start a thread that sparks lots of interest; share thoughts and experiences; spread the word of EH-Net to your social networks; help a newbie… quality is more important than quantity.

Only members are eligible!
Registration Is FREE!


April 2013 Free Giveaway Sponsor – eLearnSecurity

April 5, 2013

Win 3 Prizes Worth $1700!

Shhhh… Don’t tell anyone, but there’s a new course coming from eLearnSecurity on webapp pentesting. And before it even goes live, all you EH-Netters have a shot at winning a free seat. If their past courses and projects like Coliseum and Hack.Me are any indication of the quality, this should be a very well received online class and practical exam. Of course we’ll be the judge of that as EH-Net Columnist, Jason Haddix, is working on the review as we speak. If you’d like to get info immediately when it’s made available, please fill out the webform for the New eLearnSecurity Training and Certification Path on Web Application Security, and you will also get a whopping 30% OFF at launch! But don’t say anything!

In addition to the behind-the-scenes work on the new webapp course, eLearnSecurity has also been busy lately updating Penetration Testing – Student. We’ll share our thoughts on this course as well in an upcoming review by, appropriately enough, a new writer for EH-Net, Heather Pilkington. So with that, I’m sure all you hackers out there have figured out that members can win 1 of the 3 prizes listed below:

- 1 seat in the soon-to-be-released eLearnSecurity WebApp Professional Course worth $900
- 2 seats in the Penetration Testing – Student v2 Course worth $400 each

You know the drill. You win by participating in the EH-Net Community. So get at it!

Participation is the ONLY way to win. Start a thread that sparks lots of interest; share thoughts and experiences; spread the word of EH-Net to your social networks; help a newbie… quality is more important than quantity.

Only members are eligible!
Registration Is FREE!


Human Intel to Navigate the Security Data Deluge

April 2, 2013

By Robert J. Shaker II, CISSP, CCSK, CGEIT, CRISC

Since the dawn of man there has been intelligence. Hunter gatherers would venture out and learn from the world around them what each sound, smell, and taste meant. The growl of a large predator would alert them to prepare for a defensive effort or to change paths. The smell of smoke meant other humans were nearby, and the taste of bitter meant something wasn’t edible. As time marched forward, needing to learn more about the other packs of humans around them became more important. There was competition or cooperation for resources but this required getting to know the other pack. Sometimes the best way to do that was to spy on them, to gather human intel about the way they behaved, the way they interacted with each other and to determine how strong or weak they were.

Regardless of the point in history, this has always proven to be true. We can see it as we progress through our modern era. In fact, this became so important that commercial intelligence companies began forming. The Age of Exploration saw a boom in this industry as the colonial armies grew. Their need for intelligence required outside parties, whether to help with the sheer volume of work, geographic dispersion or to give plausible deniability. Is it so different now?

Today, we are up against countless adversaries. They’re nameless, faceless and shrouded behind false information. The ships that are on the horizon, the spies in our midst and the fortress we protect are all in the digital domain. The virtual skies are foggy and visibility is low. Today’s environment is much more difficult to navigate. The one commonality between these two vastly different times is the importance of human intel, and I’d argue that today it’s even more important than ever. A couple scenarios below will illustrate just how important it is for our innately human talents to remain a vital part of cyber security.


February 2013 Free Giveaway Winner of SANS CyberCon Training

March 30, 2013

We Have a Winner!

In a slight twist but not completely out of the ordinary, I have an announcement. As most of you know, I pick the winners not only based on participation but also on the ability to utilize the prize. I have also in the past taken special requests and rearranged winners to meet the needs of those who contribute the most. This usually takes place behind the scenes and is often the reason it looks as though someone who didn’t participate the most wins: many others couldn’t utilize the prize, and I thus had to keep going down the list. That being said, I want to continue to be fair. Last month’s winner was absolutely deserving but couldn’t use the prize. So I’m making an executive decision and announcing that UNIX will receive the seat at SANS CyberCon beginning April 22 with his choice of the following:

- SEC401: Security Essentials Bootcamp Style ($4,645)
- SEC504: Hacker Techniques, Exploits & Incident Handling ($4,845)
- SEC575: Mobile Device Security and Ethical Hacking ($4,845)
- FOR408: Computer Forensic Investigations – Windows In-Depth ($4,845)
- MGT414: SANS +S Training Program for the CISSP Certification Exam ($3,995)

SANS is also offering two NEW Audit courses at SANS CyberCon, running back-to-back:

- AUD444: Auditing Security and Controls of Active Directory and Windows ($2400)
- AUD445: Auditing Security and Controls of Oracle Databases ($2400)

So yes, this means that there’s still a chance to win last month’s prize of a full version of Metasploit Pro with 1 year of support. I will be contacting deserving EH-Netters very soon to give this prize away. I’ll make the announcement in the forum thread for the Holiday Giveaway. Congrats and good luck to all of you as the prizes continue throughout 2013.

PS – If you didn’t win, you still get a prize of 5% Off w/ Coupon Code: EHN_5

Participation is the ONLY way to win. Start a thread that sparks lots of interest; share thoughts and experiences; help a newbie… quality is more important than quantity.

Only members are eligible!
Registration Is FREE!


Interview: Bugcrowd Founders on Herding Ninjas for Crowdsourced Bug Bounties

March 29, 2013

By Jason Haddix

Love it or hate it, crowdsourcing is here to stay. While it’s been mostly confined to development and design, eventually it was going to come to security. Two such gentlemen trying to pioneer the space are Casey Ellis and Sergei Belokamen. Being long-time hackers and having seen how the security space works, they decided to start Bugcrowd. Here’s a description directly from the source:

“Bugcrowd is by far the most comprehensive and cost-effective way to secure websites and mobile apps. We’ll do a brief consultation and help you set the budget, the duration, and which websites or apps you’d like our curated crowd of researchers to test. The Bugcrowd researchers get to work finding security flaws in your applications. All testing can be routed through Bugcrowd’s crowd-control system, providing control and accountability. Any bugs are submitted to our Secure Operations Centre as soon as they are found. We validate the flaws and, at the end of the bounty, reward the first researcher to find each unique flaw. We provide you with an easy to understand report for you to hand to your developers… We can even recommend partners to help you fix what we find!”

Join me as I interview them both about their new venture and uncover some interesting information about security testing on a massive scale, as well as how to start. For example, if you are a tester looking to participate, it couldn’t be easier. Fill out the “Ninja” form and create an online profile (public or private) in which you provide Bugcrowd with your PayPal email address. Then you wait until you receive an email message announcing a new bounty… and it looks a little something like this…


Network Forensics: The Tree in the Forest

March 27, 2013

By Todd Kendall

Security professionals are often tasked with the unenviable position of wading through millions of bits of data, the review of thousands of systems, or the evaluation of hundreds of applications.  At the end of the day it is their job to provide the ten thousand foot view of an organization and the highest rated findings that put it at risk.  Information overload is a common theme in today’s society, and management requires the presentation of this material in a digestible manner of typically one page or less.  The ability to provide this service requires what is often referred to as “seeing the forest for the trees.”  In other words, don’t get distracted or bogged down by the minutiae of your discoveries at the risk of overlooking the big picture.

When it comes to computer forensics, however, the tables are flipped.  When an event turns into an incident and management must answer to a board or the company’s shareholders, the ten thousand foot level is no longer adequate.  At this point, every packet that ever crossed your company’s domain becomes suspect, and expectations are set whereby answering the questions of how it happened, what damage it did, where it came from, when exactly it occurred, and who did it requires the puzzle to be unraveled and presented in such excruciating detail it would make Melville take up skim-reading.


March 2013 Free Giveaway Sponsor – Mile2

March 2, 2013

Win 4 Prizes Worth $7550!

Our friends at Mile2 always seem to outdo themselves, and this month continues that positive trend. And they usually have some good news to go along with it. They’re proud to announce their new collaborative partnership with Merit Network, Inc. to provide cyber security courseware and certifications through the Michigan Cyber Range, an unclassified, air-gapped system (sponsored by NIST, Juniper and the US Dept. of Homeland Security as well as several major universities) that enables students and professionals to practice “live fire” cyber security exercises in a secure, monitored environment without impacting everyday network activity. Sounds like fun, but what can you win!?!? How about 1 of 4 prizes:

- 1 seat in a live, instructor-led course for Mile2’s C)PTE course (NSA CNSS accredited in April) with “Live Fire Exercises” from April 29 – May 3 at the Michigan Cyber Range. Value – $5000
- 3 CBT Video & Certification Packages each worth $850. Winners can choose either C)PTE (Certified Penetration Testing Engineer), C)ISSO (Certified Information Systems Security Officer), or C)DFE (Certified Digital Forensics Engineer).

If you don’t win, don’t worry. You can still take advantage of the EH-Net Exclusive March Madness 50% discount on a Mile2 C)PTE combo with Code: marchmad2013. You know the drill. You do good for us, we do good for you. So get out there and start participating in our forums, spreading the word of EH-Net, RTing, helping newbies, sharing your war stories… we’ll be watching. ;-)

Participation is the ONLY way to win. Start a thread that sparks lots of interest; share thoughts and experiences; help a newbie… quality is more important than quantity.

Only members are eligible!
Registration Is FREE!


Book Review: Violent Python

February 28, 2013

Review by Andrew Johnson OSCE, OSCP, GWAPT, GPEN, et al

As stated in its tagline, Violent Python is A Cookbook for Hackers, Forensic Analysts, Penetration Testers, and Security Engineers. This is a relatively broad scope and demonstrates how Python can be used to automate and assist with tasks across a variety of diverse InfoSec disciplines. However, breadth does not preclude depth in this case; the exercises build up to a fairly advanced level. Violent Python is authored primarily by TJ O’Connor, with Rob Frost contributing a chapter on Web Reconnaissance, and Mark Baggett acting as the Technical Editor. A quick glance at their collective credentials and experience undoubtedly creates high expectations for this title.

For those unfamiliar with cookbook-style resources, the contents are made up of dozens of short, self-contained “recipes.” The objective is not to comprehensively teach Python from the ground-up, but rather present scripts that focus on a specific task. The end result is that the book demonstrates how powerful just a few dozen lines of Python code can be (even the longest of recipes rarely exceed 100 lines). However, while the aim is not to teach Python programming in general, useful tips and tricks will surely be acquired simply by working through the exercises. The recipes were created in a modular fashion, with code reusability in mind, and they can easily be incorporated into larger projects. Let’s take a closer look.
