  Show Posts
1  Columns / Murray / Re: [Article]-The Failure of Hypnosis in Social Engineering on: May 09, 2011, 01:28:34 PM
I'd definitely love to hear Chris's comments on the subject.
2  EH-Net / Special Events / Re: [Article]-Webcast: Modern Social Engineering Part II - Top 5 Ways to Manipul on: April 30, 2009, 06:02:11 PM
Thanks to all of you who came on today!   We had a blast and we hope that you guys got a lot out of it.

If you're at ChicagoCon, come introduce yourself and let's chat. 
3  Ethical Hacking Discussions and Related Certifications / General Certification / Interview/Hiring Skills Evaluation on: April 30, 2009, 06:00:52 PM
Hey all,

So, Foreground is looking for strong pen-test/risk management consultants.  We're putting together a new online test to evaluate skills.

I'm looking for some guinea pigs with some skills to take the test.  I'll warn you now - it's a BRUTALLY hard test.  45 minutes, and we expect the median to be somewhere in the 40% range.

If you've got some time to spare and would be interested in taking the test just for the heck of it, I'd love to run you through it.  Also - if you're looking for a gig as a pen tester, we are looking for people.

Drop me an email at mike@foregroundsecurity.com, or send me a message on twitter:  @mmurray

-Mike
4  Ethical Hacking Discussions and Related Certifications / Social Engineering / Re: Robber Uses Craigslist to Pull Off Bank Heist on: March 19, 2009, 01:24:24 PM
This is why I always make the argument that SE attacks are really attacks of the imagination - this is the kind of thing that makes SE very difficult to defend against.  Predictable controls are easily circumvented by an unpredictable attacker.
5  Ethical Hacking Discussions and Related Certifications / Social Engineering / Re: Documentary: The Truth About Liars on: March 16, 2009, 07:34:56 PM
Evil and incredibly amusing. 

Might be fun to create one, market it as "100% reliable" and then have it go off only at random.

Could create endless confusion.
6  EH-Net / Special Events / Re: [Article]-Webcast: Modern Social Engineering - A Vital Component of Pen Testing on: March 16, 2009, 07:30:02 PM
I'm late to the party, but I just couldn't help throw a few more thoughts into here.


Q: On a PenTest team, what is the best way to collaborate what you have found? I pentest and I have found that communication break down is one of the biggest problems within the PT team social context.
.....

#3 P0wned list. Make a secured Wiki, have a shared doc, or use collaboration frameworks to take notes for juicy intel and info. Review this list with the whole team daily for large projects and every half day for smaller gigs.


For this function, I'd suggest checking out Dradis.  http://dradis.nomejortu.com/

It's a work in progress, but at Foreground we've already started testing it and we're thinking about putting it in production.


#4 Leverage traditional PM skills

Since traditional pen-tests aren't highly complex projects, you don't need a full-scale PM.  Here's where a student intern can really help out - I'm a big fan of finding someone in a local college who is looking to become a project manager... they can learn to PM, track data, track progress, etc.  And you get a resource appropriate for the level required. 

Depends on the project, of course. 
7  Ethical Hacking Discussions and Related Certifications / Social Engineering / Re: Documentary: The Truth About Liars on: March 15, 2009, 08:15:39 PM
Those toys have been shown to be less accurate than chance at detecting lies - they work by attempting to analyze "voice stress", which isn't a reliable predictor in most people.

That said, kind of amusing and will have to watch.
8  Ethical Hacking Discussions and Related Certifications / General Certification / Re: An announcement and a question about training on: December 17, 2008, 10:57:56 PM
Apollo - definitely, on all 3 of those counts.  :-)

Beyond just MITM, I want to get into a more detailed treatment of VLAN hopping than I've seen.  I just don't see anyone talking about how to use Mausezahn often enough, and that has been a particularly interesting one for me, esp. when talking about UDP.

-Mike
9  Ethical Hacking Discussions and Related Certifications / General Certification / Re: An announcement and a question about training on: December 17, 2008, 08:36:17 PM
RR,

Awesome!  Good to know I anticipated... We're planning on the last module being about reporting to executives.

While there are some out there that are already doing some of that (and ECSA has some content on it), you nailed it - most of what's out there isn't doing a good job of actually explaining the risk to executives. 

It's something I've been working hard on myself with Foreground's pen-test team - going from simply presenting data in the reports to actually presenting real, useful, and actionable information.

When I was on the other side, having to dig through a 100 page report to figure out that we needed to do 3 things drove me INSANE.

-Mike
10  Ethical Hacking Discussions and Related Certifications / General Certification / An announcement and a question about training on: December 17, 2008, 05:12:28 PM
First, I'm announcing that I was really sick and tired of the sad state of affairs that passes for training of penetration testers these days.  So, I'm working with some friends to try and fix it.  We are launching a new class that we hope not only prepares people for certs, but actually makes them great penetration testers.

Blog post: http://episteme.ca/2008/12/17/getting-information-security-training-right/
Press Release: http://www.prweb.com/releases/2008/12/prweb1759624.htm

Now, for the question: I certainly have (a huge number of) my own thoughts on the matter.   But I want to ask, because my goal is to make a curriculum full of what is being used in the real world.

If you could add one thing that you use in the real world that is left out of the CEH/pen test classes that you have seen/taken, what would it be?
11  Columns / Murray / Re: [Article]-Column 0: Human Exploitation 101 on: December 03, 2008, 03:06:42 AM
Sorry Jason.. I've been slow on the writing.

I've got a bunch of upcoming articles based on the stuff in the initial one - it's a matter of cleaning it up for EH.net consumption, not just my crazy scribbled notes in the margins of a book.  (Sometimes, I feel like Fermat.  Though I doubt anybody would spend hundreds of years trying to prove my random ideas).

Look for a new one soon... :-)
12  Ethical Hacking Discussions and Related Certifications / Social Engineering / Re: Facial Expression Test on: December 03, 2008, 03:00:12 AM
It's probably not fair that I've been using METT to train for years.

Ekman's work is brilliant.  I want to meet the guy... he's scary (as I understand the folklore, he spent 2 years learning to consciously control every muscle in his face)
13  Ethical Hacking Discussions and Related Certifications / Social Engineering / Re: How to beat a polygraph on: December 03, 2008, 02:55:54 AM
Beating a trained polygraph operator is more difficult than all of this (though I admit I didn't read through all of this - it's 1AM and I'm waiting for a scan to finish)

I did a background check for a pen-test recently that required an interview with a 20-year veteran CIA polygrapher.

I, being the curious sort, asked my interviewer once we were done whether the lack of the machine had any impact. 

The answer?

"When you've been doing this for as long as I have, you don't need a machine."

It's one thing to beat a biofeedback machine, but a machine with a trained operator is going to be much more difficult...
14  Ethical Hacking Discussions and Related Certifications / Social Engineering / Re: How to Run a Con on: December 03, 2008, 02:52:34 AM
In a lot of ways, the Nigerian scam resembles the Pigeon Drop.

It's always been one of my favorites - the thing about a good PD is that it doesn't take much sophistication to run, and can be done with just about any level of mark.

There was a good variant on this one in a Western Union office in the classic Mamet movie "House of Games".  Not exactly the Pigeon Drop, but many of the same elements (except focusing on reciprocity as the exclusive impetus, rather than the third party element).

15  Ethical Hacking Discussions and Related Certifications / Social Engineering / Re: Placebo Effect Examined on Science Channel's Weird Connections on: December 03, 2008, 02:47:24 AM
The best information on the Placebo effect that I've seen bar none is in the recent and incredibly cool book "13 Things that Don't Make Sense".

http://www.amazon.com/Things-That-Dont-Make-Sense/dp/0385520689
© 2013 The Ethical Hacker Network