Review: SANS SEC709 Developing Exploits

Review by Zoher Anis, TerpSys

I had the opportunity to attend SANS 2009 in Orlando, once again as a facilitator. This time it was to tackle the toughest course SANS has to offer, SANS SEC709 Developing Exploits for Penetration Testers and Security Researchers, currently their only 700-level course. As described on SANS web site:

"In this course, we bridge the gaps and take a step-by-step look at Linux and Windows operating systems and how exploitation truly works under the hood. This four-day course rapidly progresses through exploitation techniques used to attack stacks, heaps, and other memory segments on Linux and Windows. This is a fast-paced course that provides you with the skills to hit the ground running with vulnerability research."

I would like to begin by saying that the above description is very accurate and should be taken word-for-word. It is a very tough course and very fast-paced. It does require you to know intermediate-level x86 assembly programming, basic-level C and Python to get the most out of the course. Here’s a quick day-by-day account of my experiences.

June 2009 Free Giveaway Winner - Black Hat USA

We Have A Winner!!

I did offer this to a couple members who were gracious enough to decline, because they wouldn't be able to use the ticket. Thanks again for proving that the EH-Net Community truly is a unique one. That being said, the winner this time around surely isn't a third choice. He absolutely deserves it as his contributions to EH-Net over the past year far outweigh his post count. Thanks to Ryan Linn AKA Apollo as he will be attending Black Hat USA on us, EH-Net.

The world's premier technical event for ICT security experts is being held July 27 - 28, 2009. Featuring hands-on training courses and Briefings presentations with lots of new content. Network with thousands of delegates and review products from leading vendors in a relaxed setting, including Sustaining Sponsors Core Security, IOActive, Microsoft, Norman, Qualys and SAINT. At stake is a Passport Admission Ticket worth $1595 ($1995 at the door) that allows entry into the Briefings portion of the event. This year's venue is again Caesars Palace in Las Vegas. 

Participation is the ONLY way to win. Start a thread that sparks lots of interest; share thoughts and experiences; help a newbie... quality is more important than quantity.

Only members are eligible!
Registration Is FREE!

 
Book Review: Gray Hat Python

Review by Ryan Linn, CISSP, MCSE, GPEN

“Gray Hat Python” by Justin Seitz, one of the latest releases from publisher, No Starch Press, focuses on using the Python programming language for reverse engineering.  This book is subtitled Python Programming for Hackers and Reverse Engineers which is fitting as Justin is a member of Immunity Security, makers of the Canvas penetration testing platform and the Immunity Debugger.  The foreword by Dave Aitel, Immunity's CEO, is an excellent introduction to why the content of this book is important.  It focuses on the short time span that is required from discovery of a bug to exploit, and the necessity for flexible, fast, and collaborative vulnerability discovery and exploit development.  Dave does an excellent job in setting the tone for why the information in the book is relevant and what the drive is for these types of tools in the industry.

Download 2 Free Chapters Below

Review: SANS SEC 617 - Surely You're Joking, Mr. Wright!

This review is long overdue. My apologies to EH-Net readers, SANS and especially Joshua Wright, developer and instructor of SEC 617 - Wireless Ethical Hacking, Penetration Testing, and Defenses. Its lateness is more due to my inability to comprehend exactly what I experienced than to a lack of desire to complete the task. I honestly sat down at the keyboard multiple times, but each time I felt I wasn’t doing the course or Mr. Wright justice. OK… so like every other SANS course, it had quality courseware, the instructor was top-notch, and I walked away with much more knowledge than when I arrived. So I could simply state the above sentence, report on each and every day of the course offering endless details, recommend it to the masses and be done with my job. But even that felt like empty rhetoric.

As with the review of SANS 560 – Network Pen Testing and Ethical Hacking entitled "Ed Skoudis and the Pen Testing Factory," and many other articles, I felt the writer’s need to have a theme. And it doesn’t have to be a movie, but something that weaves a thread through the words to keep the reader engaged. Just the right connection or idea can make all the difference in the world. And as many do when faced with writer’s block, I let it sit for a while knowing that inspiration would hit me when not looking. But even with pressure and anxiety to produce, it wasn’t coming. Forcing it made for poor results. Suddenly during the minutia of daily life, a bright red spine from one of many bookshelves in my basement caught my eye. I had found my theme.

Review: Pen Tester Sets Sights on the IronKey

After more than 10 years in the information security industry and a significant amount of time running a lab that tests products, I’m a pretty difficult guy to impress with technology.  And I’m NEVER nice to vendors.  They hate me.  As an example, when running said test lab, we once had a vendor give a client six-figures worth of software when the client told them that we’d be testing it before they purchased.  The client was happy, so we did our jobs even though we never tested a thing.

The only product I have ever had a net positive review of was the Safeboot disk encryption product, and even then, it was a case of being damned with faint praise.  I believe that the entire positive part of our assessment was: “the product works as advertised.”

So, when Don approached me to do a review of the IronKey Personal, I knew I was going to rip it apart.  I was going to write a scathing review of how terrible their product is and why these “gimmicky” pieces of hardware don’t work.  Because they usually don’t.

Interview: Kevin Johnson of SANS, InGuardians

Review by Jason Haddix, Security Aegis

Anyone who knows training (or InfoSec for that matter) knows SANS is probably THE most recognized name in InfoSec training. While the foundation of SANS is Stephen Northcutt and Alan Paller, its superstars are the InGuardians crew. Call them security divas, we don’t care. We know that Ed Skoudis, Kevin Johnson, Mike Poor, and Joshua Wright are instructors with whom we’d give the whole of our security budget to train. We can’t decide what we like best: their stellar tool development, their helpful whitepapers, their nifty cheat sheets, their open source projects, or the fact that their courses are the most interesting and engaging we’ve seen.

Web application pen testing is a huge focus for the security space right now, and SANS just turned their 4-day SEC542 - Web App Penetration Testing and Ethical Hacking into a 6-day class. We had the chance to pick the brain of its instructor/creator Kevin Johnson, InGuardians pen tester, father, and all around great guy.

Read on as he answers our questions on a wide array of our web-app security queries.

Applied Security Visualization

Review by JP Bourget, CISSP, MCSE, MS

Having a process to better understand your logs, be it firewall, packet captures, IDS, web server, or proxy logs, is something that many security professionals strive for. We have seen some interesting software over the past few years, such as OSSIM and Splunk. Some vendors provide excellent log visualization for their products, some don’t do enough, or aren’t flexible enough. That brings along Applied Security Visualization (ASV) by Raffael Marty. Marty’s book gives some valuable insight on how to bridge the fields of IT Security and Data Visualization all in one book. While this book provides a wealth of detailed knowledge, I’m going to point out the major features instead of getting really detailed.

Free Chapter Link Below

Chapter 5 - Visual Security Analysis

Review: SANS SEC542 - Web App Penetration Testing and Ethical Hacking

Applications are moving away from the desktop and onto the web.  With technologies like AJAX and Flash and the popularity of Mash-Ups and social networks, web application penetration testing is becoming increasingly important.  Pushes for penetration testing are being driven by compliance, regulation, and a desire to not end up on the evening news, so a quality web application penetration testing class has been long overdue.  SANS has stepped up to the plate and re-released SEC542 Web App Penetration Testing and Ethical Hacking as a 6-day course with stronger hands-on exercises and culminating with a final day where students perform a penetration test on the classroom network.  The original course was a 4-day version, but Kevin Johnson of InGuardians has updated and enhanced the content to contain many of the cutting-edge web application hacking techniques seen in the field today.

I recently had the opportunity to take the re-born SEC542 course in Orlando, Florida as part of the SANS 2009.  SANS 2009 was one of the larger yearly conferences that SANS offers with quality evening talks after classes which offered additional content for no additional cost. Some of SANS higher profile members presented fresh content ranging from Josh Wright's talk on the risks associated with using personal wireless devices such as the Nike +iPod titled "Privacy Loss in a Pervasive Wireless World" to Ed Skoudis' talk on cutting-edge tricks and techniques in "Secrets of America's Top Pen Testers."  The secondary benefit of the large conferences was the ability to network with instructors and peers.  There were frequent opportunities to hang out and talk with SANS instructors and other students after hours, with impromptu events such as full-contact mini-golf, dinner and karaoke.  It is commonly known that an event is what you want to make of it, and SANS 2009 came through in spades in providing an educationally rich environment. So if an attendee didn’t take advantage of networking with those in the industry, then it certainly wasn’t SANS fault.

Webcast: Modern Social Engineering Part II - Top 5 Ways to Manipulate Humans Over the Wire

In Part I, Modern Social Engineering - A Vital Component of Pen Testing, Chris Nickerson & Mike Murray adeptly covered the generalities of Social Engineering, and how it is a repeatable process perfect for inclusion in penetration testing. So let’s go a little deeper into crafting these attacks. What are some of the tricks of the verbal trade that make people far more likely to fall prey to those phishing attacks or that fraudulent web site? What tools can I use to test and eventually utilize to attack… er… audit my target organization? This 1-hour webcast dives deeper into the process of Electronic SE (eSE) and offers real-world examples of combining the skills of the social engineer with the toolkit of the ethical hacker.

So, please mark your calendars and join us for this continuing series on Social Engineering. You can also meet all of us and many more industry experts at ChicagoCon, the World's Only Ethical Hacking Conference. And at only $100 for 2 days on May 8 - 9 with talks, CtF, breakout sessions, food, swag and more, it's a steal!

Join world-renowned social engineers, Chris Nickerson of TruTV's Tiger Team and noted expert and international speaker, Mike Murray, as they prepare you for the future of pen testing. This webcast on Thursday April 30, 2009 at 12:00 Noon CDT continues your education in the world of "Modern Social Engineering."

© 2010 The Ethical Hacker Network