We Have a Winner!!

Black Hat Events was the sponsor last month of EH-Net's Free Monthly Giveaway with a very flexible offering of a free pass for full conference admission to the Black Hat event of your choice between now and the end of 2013. As we mentioned, this one was going to be a little different as winning depended on particpation in the poll and not our normal participation on EH-Net. With that, we used the trusty services of random.org to help pick EH-Net member elwellj as our winner. Congrats!

For those unfamiliar, "The Black Hat Briefings are a series of highly technical information security conferences that bring together thought leaders from all facets of the infosec world – from the corporate and government sectors to academic and even underground researchers. The environment is strictly vendor-neutral and focused on the sharing of practical insights and timely, actionable knowledge. Black Hat remains the best and biggest event of its kind, unique in its ability to define tomorrow's information security landscape." It's the one trip I do everything I can to make every year, the week of Black Hat and DEFCON in Vegas. You should, too.

Discuss in Forums (9)

CompTIA has been a stalwart in the IT certification arena for quite a number of years. They have dominated the space with such recognized credentials as A+, Linux+, Security+ and many others. Their certifications have been highly recommended by The Ethical Hacker Network (EH-Net) as well as countless others as an entry-point into a given area of IT. But can CompTIA help advance the careers of those already in the field of their choice within IT?

Enter CompTIA’s newest line of industry credentials, the Mastery Series of Certifications. The first offering from this new line is the CompTIA Advanced Security Practitioner, CASP (pronounced C-A-S-P like an acronym as opposed to ‘casp’ like a word). At first glance, it would appear as though CompTIA is taking on ISC2 and the venerable CISSP. After a closer look, this isn’t quite the case. Let’s find out more from Carol Balkcom, CompTIA’s Director and Product Manager for the CASP.

Discuss in Forums (8)

Chris Gates, CISSP, CISA, GCIH, GPEN, C|EH

In the first article, Oracle Web Hacking Part I, I talked about scanning Oracle Application Servers for default content and how to use that content for information gathering.  A pentester can utilize that information to run SQL queries and to gain a foothold into the network. I also talked about iSQLPlus and some fun things you can do with that application, if you are able to guess credentials for it.  I also showed some Metasploit modules to help you accomplish all of it.

In Part 2 of 3 of this ongoing series of columns, I’ll dive into attacking the Oracle Application Server Portal (OracleAS Portal).  I’ll focus on Oracle 9i and 10g up to Release 2.  With 11g (10.3.x) Oracle moved to Weblogic, and it’s completely different and therefore out of the scope of this series.  But there are plenty of shops out there still using 9i and 10g, which gives us plenty of opportunity for breaking stuff.  So, let’s get to it.

del.icio.us

Discuss in Forums (2)

We Have Lots of Winners!!

That's right! With over $14,000 worth of training to give away from last month's sponsor, there are lots and lots of winners. Many thanks to Mile2 for their generosity not only to the members of EH-Net this month, but also their continued support of those in the military and law enforcement. I know the value of the prizes are staggering, and I don't fool myself in thinking that this can continue each and every month, but I'll ride this current wave as long as I can. Mile2 offers quality training for topics ranging from pentesting & forensics to disaster recovery and secure coding. See all of Mile2's course offerings. And the winners are:

- Two online live seats ($3000 per seat) and free exams ($250) for cd1zz & a player to be named later.
- 10 video and examination combos ($800 per seat) is awarded to 3xban, alucian, billv, eth3real, hayabusa, Joshsevo, Negrita, p0et, rance & YuckTheFankees.
- And ALL EH-Netters Win 50% Off Anything & Everything Mile2 Offers

As with every month, all you have to do is participate on EH-Net. Write some reviews or tutorials, spread the word of EH-Net to the wider security community, share in the forums, help someone advance their career, tweet our articles... whatever you think you can do to increase the reach and effectiveness of our growing community gets you noticed. Getting noticed gets you great prizes. It's that simple. Congrats to the winners, and thanks for all you do to make EH-Net THE place for security professionals! 

Discuss in Forums (71) Participation is the ONLY way to win. Start a thread that sparks lots of interest; share thoughts and experiences; help a newbie... quality is more important than quantity. Only members are eligible! Registration Is FREE!

Dan Honkanen, GCIH, Security+, ITIL, et al

Keyloggers are usually one of the top picks for a hacker or a spy's best friend. They basically serve as the eyes and ears of the attacker. They can be based on software or hardware and send detailed reports including the user's passwords, chat logs, all typed text, launched applications and visited websites. They can even send screenshots to visually show what the user was viewing as well as any webcam and microphone activity. Most laptops today come with a built-in webcam and microphone and don't usually give any signal that they have been enabled. Any person who uses that computer will have all their activities monitored and recorded in an encrypted log which only the attacker can access.

In this video, I will present the basics of keyloggers and  also demonstrate a couple of my favorite keyloggers, their features, how hidden they are and how to prevent and detect keyloggers in general. At the end of this primer, the viewer should be able to fully understand where keyloggers fit into both sides of the equation.

Discuss in Forums (11)

Rafal Los, Security Strategist for HP Software, Down the Security Rabbithole Podcast

Discuss in Forums (2)

We Have a Winner!!

With the help of Rapid7, we have once again set the bar at its highest level for the value of the prizes given away each and every month on EH-Net to top contributors. Back in April, Rapid7 gave you the chance to win your very own copy of Metasploit Express that includes the full license & support for 1 year. This time around, it's a full 1-year license of Metasploit Pro with support included for a total value of $15,000! Check out the EH-Net Exclusive video with HD Moore giving a guided tour of the newest release of Metasploit Pro with a sneak peak at v4. For a little more on the Pro edition:

"Metasploit Pro helps enterprise defenders prevent data breaches by efficiently prioritizing vulnerabilities, verifying controls and mitigation strategies, and conducting real-world, collaborative, broad-scope penetration tests to improve your security risk intelligence."

As we mentioned when announcing this great prize, we were going to step out a little and open the competition to more than just those who post a lot in the forums. So we looked at a number of people who help spread the word of EH-Net as well as help us in ways that simple forum posts can't touch. One such member jumped out. He only has 3 posts in the forums, but has worked tirelessly behind the scenes to help many of my efforts even above and beyond EH-Net. So much so that even a $15,000 prize doesn't even the score. With high praise and many thanks, I'm happy to announce that EH-Net member JustinKallhoff is our winner. Congrats!

Discuss in Forums (12) Participation is the ONLY way to win. Start a thread that sparks lots of interest; share thoughts and experiences; help a newbie... quality is more important than quantity. Only members are eligible! Registration Is FREE!

David Caissy, CISSP, GPEN, GSEC, CEH, PMP, B.Sc.A.

Digital Mobile Forensics Deep Dive is a 3-day course written and taught by Wayne Burke of Sequrit. I decided to take this course to expend my knowledge into a field I barely knew. Being a penetration tester with a background in web application development, I was completely new to the forensic world. Since the official web site stated that this was a “highly advanced and technical course,” I honestly expected to be completely lost. I thought I would learn more from home after the class, trying to slowly digest what the instructor said. With the site also stating that “about 80% of the course is focused on practical REAL WORLD hands-on lab scenario exercises,” I decided to buy an airplane ticket and give it a try.

I received the lab requirements by email directly from the instructor, Wayne Burke. The email included the laptop specifications and software that had to be installed such as VMware Workstation. The instructor also mentioned needing Backtrack 5 and CAINE (Computer Aided INvestigative Environment) virtual machines. So I cleaned up some space on my laptop, downloaded what I needed and installed the two VMs. I was eager to start the class.

Discuss in Forums (1)