Set within a dystopian world that is a collision between technology and humanity, "Reboot" touches upon many of the current social and political concerns that arise from becoming more and more intertwined with the virtual.

In contemporary Los Angeles, a young female hacker (Stat) awakens from unconsciousness to find an iPhone glued to her hand and a mysterious countdown ticking away on the display. Suffering from head trauma, and with little recollection of who she is or what is happening, Stat races against time to figure out what the code means, and what unknown event the pending zero-hour will bring.

Review by Tristan Lawson, CISSP, MCSE: Security, GCIH, OSCP et al

Michal Zalewski, author of 2005’s highly praised Silence on the Wire, is at it again with "The Tangled Web: A Guide to Securing Modern Web Applications," an incredible and highly technical book published by No Starch Press. Since the browser is the portal of choice for so many users, its inherent security flaws leave the user at a significant risk. This book details the issues surrounding insecure web browsers and what developers can do to mitigate those risks.

Mr. Zalewski writes about modern web applications which are built within a tangled mess of technologies, developed over time and then slapped together into a confusing monstrosity.  This in turn leads to inconsistent operation with all kinds of vulnerabilities at several levels. The author goes into great detail taking apart every level of web applications from HTTP communication to browser and server-side scripts and dissects the subtle security consequences and the corresponding dangers of the unorganized conglomeration of web applications and browser code. The author then goes into how developers can work through the current problems and solve them down the road through new and revised code.

This book begins with the observation that the field of information security seems to be a mature and well-defined discipline, but in reality there is not even a rudimentary framework for understanding and assessing the security of modern software. So let’s dive deeper into the book to see how Mr. Zalewski addresses the issues in an attempt to untangle this mess.

After the break, look for a link to a free download of Chapter 3: "Hypertext Transfer Protocol"

By Chris Hadnagy

As a professional social engineer, it is beneficial to study the methods of scamming that the bad guys have used in the past, compare it to modern tactics and see what can be learned.  Experts have agreed that the motivation for most scams is greed.  Although that is true, it is also found that fame, attention or just the need to maliciously hurt and steal from others are strong motivators for scamming people.  This month, let’s analyze some old scams, compare them to a modern-day equivalent and see what we can learn as Social Engineering Pentesters.

Although scams have been around since the dawn of man, this one from 1812 is notable.  A Philadelphia man name Charles Redheffer claimed that he invented a perpetual motion machine, a theoretical device that, after only one initial input of power, will perpetually continue to generate energy.  Even though such a machine would break the laws of thermodynamics, his claim was supposedly backed up by an actual working device.  His next desire was to secure government funding to "build a larger version".  He actually got the money and built a new machine, but he then fled the city when inspectors found that he had hidden the real power source.  Undeterred, he tried the same scam in New York City but was again caught when the inspectors removed a wall of the machine to reveal an old man eating a sandwich and turning a crank.  This machine can still be seen today in the Franklin Institute of Philadelphia.  In analyzing this scam we can see some basic principles at play here.

Hopefully most of you not only have the technical side of your brain in your plans, but also the management skills that are more and more expected of us geeks as we advance in our careers. Enter Global Knowledge and their dedication in helping to support your pursuit of IT security knowledge building.
Global Knowledge offers one lucky EH-Net member the CISSP Prep Course (terms & conditions) worth $2895! This course includes all the tools you need to prepare for the updated (ISC)² Certified Information Systems Security Professional exam. Prepare with confidence with this course and these exciting tools:
   
   • Custom study guide containing summary charts, insightful data, and practice exams

   • A free copy of McGraw-Hill's CISSP Certification All-in-One Exam Guide, 5th Edition

   • CISSP Exam Cram Sheet

   • CISSP certification practice exam
   
To make it even better, Global Knowledge has several ways in which to deliver this course whether it be in-person or online. That kind of flexibility gives this month's winner, TheXero, options when it comes to both budget and travel. Congrats and keep us posted as to your progress. But the prizes don't stop just because a winner has been chosen. Another great prize is up for grabs. So go hit the EH-Net Community Forums and you could be one of the many winners of high cost, high quality prizes offered each and every month.

"Children are made to let them go their own way, while you look at them happy, spying how it will end." This is exactly how I feel right now. The project was born when we were at the University, it grew up for 5 years and then it was put on hold. The job and the family had not left enough free time to code like in the past. Now it's time to let it go and grow in the hands of someone else looking at what it will become. It's time to pass the baton. I'm sure new the developer team will keep up the project and will let it become something bigger than what it's now. The todo i've seen is great, lot of new feature are coming out, stay tuned...

-Alor & Naga-

Short Description:

Ettercap is a suite for man in the middle attacks on LAN. It features sniffing of live connections, content filtering on the fly and many other interesting tricks. It supports active and passive dissection of many protocols (even ciphered ones) and includes many feature for network and host analysis.