|
Ethical Hacker Community Forums
|
|
January 08, 2009, 05:35:59 PM
|
 Show Posts
|
|
Pages: 1 2 [3] 4 5 ... 164
|
|
31
|
Features / Book Reviews / [Article]-Hacking: The Art of Exploitation 2nd Edition
|
on: December 22, 2008, 12:55:37 PM
|
In talking to a few people about this book earlier in the year, it was expressed to me that it seems as though it is way over the head of most. What Ryan does well in this review is explain how effectively the author can take readers of widely varying skill levels through the same material. Some may go faster than others, while some may need to do a little research on the side and then come back. Either way, if you are not a master coder and that has prevented you from picking up this book... read on my friend. Permanent link: [Article]-Hacking: The Art of Exploitation 2nd EditionReview by Ryan Linn, CISSP, MCSE, GPENHacking: The Art of Exploitation 2nd Edition (HTAoE) by Jon Erickson is frequently considered a "must read" for those wanting to understand exploits and exploit development. So when I wanted to understand more about the exploit development side of security this was the first book I picked up. When talking about a book that involves programming, it is often beneficial to know where the reviewer is coming from. I do Windows, Unix, and network security, and I am pretty comfortable with programming although by no means a professional programmer. I have worked some with assembly programming, albeit in the days of Windows for Workgroups, and I really wish that I'd paid better attention in that class in college. Although I do have some experience in these areas, I'm going to point out what areas may cause individuals who haven't been exposed to much programming challenges, and also what areas should be understandable by everyone. Free Sample Chapter Available Below
"0x300 EXPLOITATION" Leave comments below or suggest other book reviews for Mr. Linn. Don |
|
|
|
|
32
|
Ethical Hacking Discussions and Related Certifications / Hardware / RFID's Security Problem - Are New Passports and Drivers Licenses Secure?
|
on: December 22, 2008, 11:04:48 AM
|
Nice read in MIT's Technology Review by Erica Naone:
Are U.S. passport cards and new state driver's licenses with RFID truly secure?
Starting this summer, Americans will need passports to travel to Canada, Mexico, Bermuda, and the Caribbean--unless they have passport cards or one of the enhanced driver's licenses that the states of Washington and New York have begun to issue.
Valid only for trips by land and sea, these new forms of identification are a convenient, inexpensive option for people who don't need to travel by plane. U.S. passport cards, which were introduced in July, cost about half as much as a full passport, and the extra cost of getting an enhanced driver's license rather than a regular one is even lower. Enhanced licenses have been available in Washington since January 2008 and in New York since September; other border states, including Michigan, Vermont, and Arizona, intend to offer them as well.
But not everyone is convinced that the new IDs are a good idea. The passport card and the enhanced licenses contain radio frequency identification (RFID) tags, which are microchips fitted with antennas. An RFID reader can radio a query to the tag, causing it to return the data it contains--in this case, an identification number that lets customs agents retrieve information about the cardholder from a government database. The idea is that instant access to biographical data, a photo, and the results of terrorist and criminal background checks will help agents move people through the border efficiently. RFID technology, however, has been raising privacy concerns since it was introduced in product labels in the early 2000s.
Meanwhile, although experts say that some RFID technologies are quite secure, a University of Virginia security researcher's analysis of the NXP Mifare Classic (see Hack, November/December 2008), an RFID chip used in fare cards for the public-transit systems of Boston, London, and other cities, has shown that the security of smart cards can't be taken for granted. "I think we are in the growing-pains phase," says Johns Hopkins University computer science professor Avi Rubin, a security and privacy researcher. "This happens with a lot of technologies when they are first developed."
Borderline Security
The first of the new ID cards to be introduced, the federal passport cards and the Washington driver's licenses use similar technology, which has been reviewed and approved by the U.S. Department of Homeland Security. The cards' RFID devices, called electronic product code (EPC) tags, are much like bar codes. The tags are inexpensive and can, in ideal conditions, be read from about 150 feet away--an unusually long range for RFID, says Ari Juels, director and chief scientist at RSA Laboratories in Bedford, MA, which collaborated with researchers from the University of Washington to evaluate both cards.
For complete article: http://www.technologyreview.com/computing/21842/?a=fDon |
|
|
|
|
34
|
EH-Net / News Items and General Discussion About EH-Net / [Article]-Dec 2008 Free Giveaway Sponsor - SANS
|
on: December 22, 2008, 10:19:27 AM
|
This one should get you revved up and something to do during the holidays. Of course it might upset the family, but a little extra participation during the next couple weeks could just get you a huge bump in your knowledge and needed boost to your career. Permanent link: [Article]-Dec 2008 Free Giveaway Sponsor - SANSWin Skoudis' Network Pen Testing via SANS @Home!
Once again, SANS is our Free Monthly Giveaway sponsor for the end of the year blowout. This one is awesome and worth over $3500. As you have probably seen in numerous conversations on this site, not only is Ed Skoudis' new course on Network Pen Testing and Ethical Hacking (SANS 560) getting rave reviews, but also it is now being offered in the @Home version. The @Home format is not just recorded webcasts and handouts... You actually get live virtual instruction from Ed Skoudis and John Strand. See below for more details. This is great for a couple reasons. First, and quite obviously, many are feeling the pinch with the economy, and we all know training and travel are the first items to be cut from the budget. We'll provide the training, and with @Home, there is no travel. Secondly, many have said having the extra time that the @Home format affords, allows them a greater ability to absorb the contents of Ed's brain. Take it from me, one week will never be enough. For an in depth look at this course, see the review entitled "Ed Skoudis and the Pen Testing Factory." Thanks to SANS for playing Santa with an incredibly timely gift. Participation is the ONLY way to win. Start a thread that sparks lots of interest; share thoughts and experiences; help a newbie... quality is more important than quantity. Good luck, Don |
|
|
|
|
36
|
Resources / Career Central / Free Career Workshop with Marcus Buckingham
|
on: December 20, 2008, 12:24:36 AM
|
Take Control of Your Career and Your Life
If you want to know what your strength is, you've got to pay attention to how you feel. It feels like focus. It feels like concentration. You feel invigorated. Energized. - Marcus Buckingham For a little about him, see the wikipedia entry: http://en.wikipedia.org/wiki/Marcus_BuckinghamNow, if you can get over the fact that this was on Oprah and featured a group entirely made up of women (no offense to our female viewers, but I think it's no secret that an IT audience is made up of a high percentage of men), then go to Oprah's site for an entire workshop. This career program basically focuses on what your strengths are, and then eventually how to use that info to move towards the career of your dreams... Hey, that sounds a lot like what I talk about in DIY Career in Ethical Hacking!  Either way, it's free and it may just help you not only weather the current economic storm, but also get your career going in the direction it should... even if you didn't know it. http://www.oprah.com/package/money/career/pkgmarcus/20080401_orig_marcusbuckinghamDon |
|
|
|
|
39
|
EH-Net / Calendar Of Events / NetSecure 2009
|
on: December 16, 2008, 02:05:37 PM
|
IT Security and Forensics Conference and Expo
Wednesday, March 12, 2009
Illinois Institute of Technology
Wheaton, IllinoisIllinois Institute of Technology's Center for Professional Development is proud to host the 7th Annual Systems, Network Security, and Digital Forensics Conference and Expo. We would like to invite you and your organization to participate in this technical and practical conference. The intensive, one-day schedule will include discussion and debate over issues related to ethical hacking, security, digital forensics and steganography, policy and compliance, privacy, security of wireless and cloud computing, identity theft, and much more! General Attendee $100.00 Discounted Price If Registered By February 20, 2009 $75.00 Society Attendee $75.00 Student Attendee $35.00 For more info, Click HERE!Don
|
|
|
|
|
40
|
Ethical Hacking Discussions and Related Certifications / Malware / Re: Microsoft Sees 'Huge Increase' in IE Attacks
|
on: December 16, 2008, 01:10:15 PM
|
|
This is a serious one. As mentioned above, it was first it was thought to just affect IE7, but MS has annoucned it affects all versions of IE. They have daily reports on their progress and workarounds, but there is no patch yet. Expect this one to be off-cycle when it is done.
You may want to use another browser until a patch is ready rather than perform the steps of a workaround just to undo them when it is published.
Anyone have reports of being affected by this?
Don
|
|
|
|
|
41
|
Resources / Career Central / IT and the Economy: 2008 Review, 2009 Thoughts
|
on: December 16, 2008, 11:35:02 AM
|
My $.02: We've heard the politicians mention it with every breath for over 18 months, the media replays it over and over... it almost seemed like a self-fulfilling prophesy that we now have horrible economic times. It also doesn't help that the "irrational exhuberance" of the stock market which caused the tech bubble to burst almost a decade ago just simply moved over to the real estate market. So we were bound to see the same results as we repeated our mistakes. Well, no matter to whom we point the finger, we're all stuck in this problem together. So what does this mean for tech and security specifically? Well in my opinion, even in the good times, IT is always first on the chopping block. Even though President-Elect Obama has already mentioned adding to IT as part of his Health Care Plan, what does it mean? Just more money or will his advisors do what most company execs of non-tech companies do... look to "streamline" IT by cutting staff and/or outsourcing. We'll eventually see what the details are of his statement, "How do we gain savings that we can then put into prevention and health IT." At this point, we don't know if his mentioned IT directly is a good or a bad thing. But even if IT as a whole has issues in 2009, I truly believe security will be one of the few growing areas of a down economy. When people are paranoid about money, they look for companies who can protect their interests, so that way they don't lose what little they have. That means choosing services with more security. Add to that the continued push of government regulations mandating certain security measures, and we should be OK. So if it is commonly said that normal investors should focus on where the smart money goes, then will too many people move into security? Once again looking back at history, what happened immediately after the tech bubble burst? It seemed like everyone wanted to get their MBAs. Enrollment was huge, because people decided to take the time to get their advanced degree, and why not. People weren't being hired and the yelling from the mountaintops was that IT professionals need to be more business saavy. So instead of constant rejection or simply staying at home doing nothing, it was back to school for many. Now we have a glut of MBAs and not just in the IT field. So will this trend continue for security? Probably. This means that you really need to bring more to the table than just a resume where you look good on paper. Expand your skills, gain experience, join professional groups like ISSA, Infragrad, OWASP, etc. Hell, in an interview make sure that they know it. Point out to them directly that you have what they need even if they don't know what they're looking for. As for the forecast in 2009... I think we will all see a downturn in the first quarter, but everyone has a point where they feel enough is enough and they begin to force a recovery. I think that will start to happen in the second quarter. Why? Everyone is being told right now to freeze spending to build up the nestegg for these bad times. Eventually they have to spend it. Then it will all come out like a broken dam. At least I hope it's in time for the next ChicagoCon in May. (Thanks Jack) Well, that's enough of my opinions. What are your thoughts on the year that was and the year that will be?Don |
|
|
|
|
42
|
Ethical Hacking Discussions and Related Certifications / Malware / Security Forecast for 2009
|
on: December 16, 2008, 10:48:31 AM
|
2009 is right around the corner, and many are starting to make their predictions of the majors security issues that we will all face in the coming year (See Sophos Report below). What are your thoughts on 2008 and what you think will occur in 2009? SOPHOS
Security threat report: 2009
Prepare for this year’s new threats
OverviewOn 2 November 1988 a 22-year old Cornell University student called Robert Morris released an internet worm capable of exploiting vulnerabilities in the UNIX operating system. It is estimated that it infected 10 percent of the internet. Twenty years on, the scale of the malware problem has grown astronomically. Today’s internet attacks are organized and designed to steal information and resources from consumers and corporations. Although there have been instances of attacks driven by politics and religion, the main motivation is financial. The web is now the primary route by which cybercriminals infect computers, mainly due to the fact that increasing numbers of organizations have secured their email gateways. As a consequence, cybercriminals are planting malicious code on innocent websites. This code then simply lies in wait and silently infects visiting computers. The scale of this global criminal operation has reached such proportions that Sophos discovers one new infected webpage every 4.5 seconds – 24 hours a day, 365 days a year. In addition, SophosLabs, our global network of threat analysis centers, is sent some 20,000 new samples of suspect code every single day. 2008 proved that malware is more than just a Microsoft problem. Although the sheer number of Windows threats far outweighs attacks against any other platform, cybercriminals are turning their attention to other operating systems such as Apple Macintosh, and vulnerable crossplatform software. This seems likely to continue in 2009, with the increasing popularity of portable devices such as the iPhone, iPod Touch, Google Android phone and ultramobile netbooks. It remains paramount that organizations defend themselves at all levels of their business, not just at the email and web gateways. Networks, desktops, laptops and mobile devices must be comprehensively secured to defend against the myriad threats posed by the criminal underground. Get the full report here: http://www.sophos.com/sophos/docs/eng/marketing_material/sophos-security-threat-report-jan-2009-na.pdfDon |
|
|
|
|
43
|
Ethical Hacking Discussions and Related Certifications / Malware / New Version of DNS-Changing Malware Detected
|
on: December 16, 2008, 09:40:45 AM
|
A new twist in DNS-changing malware poisons other hosts on a local subnet, and installs a rogue DHCP server. In a blog posting, JM Hipolito, technical communications spokesperson at Trend Micro, explained that once the malware was installed, "The system is turned into a DHCP server that monitors traffic and intercepts request packets from other computers in the network. It then replies to intercepted requests with packets containing malicious DNS servers. This causes the recipients of the malicious packets to be redirected to malicious sites without their consent." Researchers at the SANS Internet Storm Center said that the technique does not have a 100 percent success rate. In his blog posting, SANS Handler Bojan Zdrnja said, "While not too sophisticated, the whole attack is very interesting. First, it's about a race between the rogue DHCP server and the legitimate one. Second, once a machine has been poisoned it is impossible to detect how it actually got poisoned in the first place." Trend Micro Advanced Threats Researcher Feike Hacquebord claimed that as the malware works, advertisements placed in websites are replaced with other advertisements that connect to the IP addresses used by cybercriminals. Also, once a user clicks one of these targeted ads and gets connected to the cybercriminals' crafted site, any personal information they enter into the site can be leaked to this scheme's perpetrator. Hacquebord claimed that the estimated number of victims by this kind of threat have reached more than a million for November alone. Original story: http://www.scmagazineus.com/New-version-of-DNS-changing-malware-detected/article/122800/Don |
|
|
|
|
44
|
Ethical Hacking Discussions and Related Certifications / CEH - Certified Ethical Hacker / Re: Helow... help some tutorials...
|
on: December 15, 2008, 03:33:52 PM
|
|
Hey Steal_Roise,
Although I appreciate your enthusiasm and completely understand your desire to get the most bang for your buck, please keep in mind that this is the "Ethical" Hacker Network. There are plenty of other sites for that. This is not one of them. Giving away free copies of books, vids, etc. would not only be illegal and unethical, but it would also have the following effect:
Imagine if everyone did this, then the publishing houses would make no money, and they would be unable to pay smart, highly technical authors to produce such materials. Then in the long term, there would be no materials whatsoever to either buy or bootleg, because they would never have been made in the first place. Then you would be stuck only having discussion boards to help you learn. Albeit valuable, it would be difficult if it were the one and only way to study.
So as others have mentioned, invest the little bit of money in your career. You won't regret it.
As an aside, most people who look for free rides may eventually find it somewhere, but divide the cost of the material by the number of hours it took to find it, and I'm sure you'll see that you actually wasted money and infinitely more valuable... your time.
Don
|
|
|
|
|
Loading...
|
Forum 
Tools : Core Impact Essentials
