Hello, challenge fans! Ed Skoudis and Yori “Skellington” Kvitchko here, with our announcement of the answers and winners from the holiday hacker challenge The Nightmare Before Charlie Brown’s Christmas. In past challenges, we typically showed our answers first, followed by the winner announcement. But, we know that everyone instantly jumps down to the winners first (we can tell this using the Metasploit-based tracking software we clandestinely installed on each of your systems while you read our packet captures – JUST KIDDING!). So, in a topsy-turvy fashion for a change of pace, we’ll first announce the winners, and then provide our answers to the challenge.
As usual, this year’s competition was intense, with some of the smartest and most clever folks we’ve ever seen participating. Also, many of you had a nice scent as well (we can tell via the new Meterpreter smell-o-matic script included in the payload of our tracking software; thanks for coding that one up, Carlos). Our respondents included tried-and-true experts who have worked through many challenges in the past, intermixed with freshly minted newbies impressively building their skills, and everyone in between. Many people commented that the challenge really helped get them engaged in VoIP attack analysis for the first time, which is one of the primary reasons we write these darned things. Even if you didn’t win, we do hope that you had fun and learned some valuable lessons about VoIP (in)security.
--Ed Skoudis
EthicalHacker.net Challenge Master
Author of Counter Hack Reloaded, Co-Founder, InGuardians, SANS Instructor
By Dr. Anton Chuvakin @ Security Warrior Consulting
Do not think of PCI DSS 2.0, that came out this October, as “PCI DSS 1.3!”
Instead, think about it as PCI DSS 1.2.2. Despite the great fanfare, the changes in PCI DSS are small and tactical. Don’t get me wrong, a lot of very useful clarifications, reminders and explanations have been added to the standards – both PCI DSS and PA-DSS. However, a lot of media attention has made it sound as if the PCI Council has “changed everything … again,” and that is simply not the case. Some of the requirements that are frequently seen by merchants as too specific have been made more generic, while some that have received criticism for being too vaporous have been tightened down.
Let’s go through a few of the interesting changes in PCI DSS and try to predict what the impact would be in the coming year of 2011 as PCI DSS 2.0 is put into practice.
Happy Holidays, challenge fans! Ed Skoudis here, with this year’s holiday hacking challenge. Have you ever seen the classic video A Charlie Brown Christmas, and pondered why Charlie Brown is so upset at the start of the video? Also, have you ever wondered why the rest of the Peanuts gang is so focused on the materialism of the Christmas season? Well, this year’s hacking challenge answers these questions. In our tale, you’ll discover that something happened before the start of the Charlie Brown Christmas video that put these characters into such a state. That something is what we like to call…
The Nightmare Before Charlie Brown’s Christmas
These challenges, which are an annual tradition here at EthicalHacker.net, are designed to help people develop their skills, show off their abilities, and have some fun. During past holiday seasons, you got to tangle with the Grinch, Rudolph, that Messy Marvin kid, Frosty, and even Santa himself. And who can forget last year's Miracle on Thirty-Hack Street. Read this challenge, answer the questions, and send your responses in by January 3, 2011 to skillz1210 (at) ethicalhacker.net. We’ll choose three winners, each of whom will get an autographed copy of my Counter Hack Reloaded book. One prize will go to the best technical answer, another to the most creative answer that is technically correct, and the final prize is based on a random draw from every person who submits an answer. Even if you have no idea whatsoever for how to answer the questions, send in your best shot to be entered in the random draw. And now, without further ado, the curtain rises on our story…
--Ed Skoudis
EthicalHacker.net Challenge Master
Author of Counter Hack Reloaded, Co-Founder, InGuardians, SANS Instructor
We Have a Winner!
More great prizes for top EH-Net contributors. The winner is long-time contributor and newest member of the 1000 Post Club, awesec. He receives the highly regarded instructor-led ethical hacking course by InfoSec Institute. This 5-day in-person course includes a lab book, textbook, an ethical hacking toolkit, exam vouchers for both CEH and CPT and even meals! The only thing this doesn't include is travel & hotel, so he has chosen to do the online version of this course. As InfoSec Institute describes it:
"Our most popular information security and hacking training goes in-depth into the techniques used by malicious, black hat hackers with attention getting lectures and hands-on lab exercises. While these hacking skills can be used for malicious purposes, this class teaches you how to use the same hacking techniques to perform a white-hat, ethical hack, on your organization. You leave with the ability to quantitatively assess and measure threats to information assets; and discover where your organization is most vulnerable to hacking in this network security training course. The goal of this course is to help you master a repeatable, documentable penetration testing methodology that can be used in an ethical penetration testing or hacking situation."
Awesec gets to take this awesome course any time within the next 12 months. For a schedule of times and locations as well as more details on the course itself, click on InfoSec Institute's logo or links above. While you're there, be sure to inquire about the SPECIAL PRICING for EH-Netters. Due to 8570 regs, we can't tell you the exact discount, but rest assured that the Institute will do their best to take care of those eager to learn. Congrats and good luck to all members next month.
Participation is the ONLY way to win. Start a thread that sparks lots of interest; share thoughts and experiences; help a newbie... quality is more important than quantity.
Cracking the Perimeter (CTP) is the latest course offered by the team at Offensive Security. The course teaches expert level penetration skills including advanced tactics in web exploitation, binary manipulation and exploitation, and networking attacks. Building on material in the earlier course, Pentesting with Backtrack (PWB - Read Review), this offering provides intermediate students with a learning platform that can be used to become advanced practitioners of certain exploit methodologies. This review will attempt to provide a high-level overview of the course and set expectations for students who may be considering it.
Divided into a registration puzzle, five sections, and an exam, the course provides a more in-depth view of common web application exploits, binary analysis and backdoors, anti-virus evasion, techniques for exploitation using memory concepts, exploit writing, and network exploitation techniques. The end-of-course practical exam assures that the student has a true understanding of the course material presented, allowing employers and other security professionals to rely on the certification as a testament of capability, not only authority.
By Thomas Wilhelm, ISSMP, CISSP, SCSECA, SCNA
Many people are familiar with John the Ripper (JTR), a tool used to conduct brute force attacks against local passwords. The application itself is not difficult to understand or run... it is as simple as pointing JTR to a file containing encrypted hashes and leaving it alone. In a professional penetration test, we don't always have the time to allow JTR to run to completion, and we must rely on some additional techniques to speed things up, including the use of wordlists or dictionaries. JTR comes with its own wordlist containing supposedly common passwords, and we can use that dictionary to identify some low-hanging fruit. However, in most cases, the supplied JTR wordlist is woefully inadequate in identifying a wide range of commonly used passwords, especially when people prefer to select passwords that have some meaning to them (e.g. hobbies, partner names, child names, and pet names). So how can we improve our use of JTR to catch passwords that have relevancy to the users of our target system? It may be a bit more complicated than it seems.
The Information Systems Security Assessment Framework (ISSAF) provides an adequate methodology when focusing on password attacks and includes the suggestion of using dictionaries. For those who conduct penetration testing, the use of dictionaries is only one of two prongs used in attacking a local, encrypted password list; brute force attacks are conducted after we have attempted to break passwords using dictionaries. In this fashion, we can (hopefully) obtain weak passwords to work against during the pentest; anything discovered during the brute force attack (assuming it is too late in our pentest to use then) can simply be added to our wordlist for future penetration test projects.
We Have Winners!!
Books, books and more books. It seems like we security professionals have one of two problems... We can never get enough time to read all of the great books out there or our budgets don't allow us to buy all the titles we want. At least the latter is not a problem for the 5 EH-Net winning members: ethicalhack3r, MicroJay, Synquell, T_Bone, ziggy_567. Congrats! For those who didn't win, we still have a deal for ALL EH-Netters.
This is where McGraw-Hill Professional comes in. As they put it, "Take the shortest path to get certified in CISSP, CISA, or CompTIA Security+. Get 30% OFF on these books from McGraw-Hill, exclusively for The Ethical Hacker Network." And not just any CISSP books, but...
1. CISSP All-in-One Exam Guide, 5th Edition ($79.99), the new edition of the #1 CISSP book! Written by Shon Harris, the #1 name in IT security certification and training. This exam guide offers complete coverage of all the material on the latest release of the CISSP exam.
2. CISSP Practice Exam From Shon Harris ($39.99). This book provides hundreds of realistic CISSP practice exam questions.
For information, please visit the landing page created by McGraw-Hill specifically for EH-Net. Thanks to everyone for their continued participation in the EH-Net Community Forums!
Participation is the ONLY way to win. Start a thread that sparks lots of interest; share thoughts and experiences; help a newbie... quality is more important than quantity.
By Brandon Harms, CISSP, CCNP, FCNSP, et al
SANS vLive! Online Security Training and Courses, promoted as the solution to employers’ lack of travel budget, offers a great alternative to a security conference. The training material and instructors are the same as you’d expect from a SANS conference, par excellence. The material is presented using the typical PowerPoint slides with live streaming of the instructor’s head, Max Headroom style, and of course an audiocast. The instructor will answer any questions posted via a chat window as they are asked.
I recently attended SANS 580 Metasploit Kung Fu for Enterprise Pen Testing via SANS vLive!. The course was taught by one of the course authors, John Strand. Typically a two-day course, the vLive! training was broken down into four 3-hour sessions with each session delivered bi-weekly for two weeks, i.e. three hours Monday, three hours Tuesday and the same the following week. Not being a fan of webinars, I was surprised by how well this medium worked. The combination of excellent material and engaging instruction by Mr. Strand provided an outstanding learning experience. The time between sessions gave students a chance to read the course material and do the exercises when they had the time. The instructor was available via email and phone to answer any questions about the material and labs, though I found that the material was written well enough that I had no trouble completing the labs without additional help.
To say that Jayson E. Street has done a lot in his lifetime is an understatement to say the least. Jayson has overcome more in his short life than most people could even fathom. Jayson manages to cope with all of these lowlights including homelessness and cancer with a dark and genuinely funny sense of humor. He doesn't come off as someone with such a hard life, and, unless you specifically ask, you would have no idea how far he has come. Join me as I take you on a journey through an eye opening interview with one of the up and coming voices of the information security community. Before we get started, here's Jayson's official bio:
Jayson is an author of the book "Dissecting the Hack: The F0rb1dd3n Network" from Syngress Publishing (Read Rich's Book Review). His consultation with the FBI and Secret Service on attempted network breaches resulted in the capture and successful prosecution of the criminals involved. In 2007 he consulted with the Secret Service on the Wi-Fi security posture at the White House. He has also spoken at DEFCON, BRUCON, UCON and at several other 'CONs and colleges on a variety of Information Security subjects. He also was the co-founder of and a speaker at ExcaliburCon held in Wuxi China. He was an expert witness in two cases against the RIAA. He is a lead trainer for the Incident Handler Certification for the EC Council. He is also a current member on the Board of Directors for the Oklahoma InfraGard Chapter and Vice President for ISSA OKC. Jayson is also a longtime member of the Netragard "SNOsoft" research team. He is a highly carbonated speaker who has partaken of pizza from Beijing to Brazil. He does not expect anybody to still be reading this far, but, if they are, please note that he was chosen as one of Time's Persons of the Year for 2006. ;-) (If you want to know more, just use the Googles).
But it is what's not in his bio that interested me the most. I'm sure you will agree and be inspired.