EH-Net
  Show Posts
Pages: 1 ... 6 7 [8] 9 10 11
106  Ethical Hacking Discussions and Related Certifications / Programming / Re: New to infosec - Python on: March 29, 2012, 11:06:34 PM
Python is a good language.   It's clean, powerful, and you can develop apps quickly with it.   I used to build all of my small or one-shot apps in Perl, but I switched to Python a while back.  It's easier to read/maintain which is particularly important to me since I don't code on a daily basis anymore. 

You should also learn enough C  that you can at least read basic code with some proficiency; it will be helpful for solving compilation problems, understanding exploit code, and reading some articles. 

As far as understanding the enemy, you should check out the papers from the Honeynet project titled "Know Your Enemy":

http://www.honeynet.org/papers
107  Ethical Hacking Discussions and Related Certifications / Network Pen Testing / Re: Getting into Pentesting, using this strategy? on: March 27, 2012, 11:44:36 AM
Quote
Quote
Most of that guide is about building IT skills generally rather than pentesting skills specifically.

Curious to know what you perceive as being an overall good pentester? My definition of a thorough, good, and reliable pentester is someone who is versatile, can adapt and is experienced in a wide array of technologies.

I didn't mean to imply that general IT skills weren't necessary. I was only commenting that  your tutorial assumes that someone is starting from the beginning rather than from a strong networking/sysadmin skill base.

Quote
So while you can wet your feet with content in books like CounterHack reloaded, that's all they're really good for.

No argument there.  I think the road you laid out would be a little hard-going for a beginner and many people would be better served by reading a book or two first to give them a bit of a foundation.  I wouldn't expect anybody to become a professional anything just by reading a book.
108  Ethical Hacking Discussions and Related Certifications / Network Pen Testing / Re: Getting into Pentesting, using this strategy? on: March 26, 2012, 01:43:29 PM
Most of that guide is about building IT skills generally rather than pentesting skills specifically.

There is a big jump in difficulty from Step One (learn the OSI layer) to Step 2 (read five non-introductory Cisco books).  I'd recommend getting the CCNA study guides from Cisco (two volumes) and also Practical Packet Analysis (once you get further in).  Once your Cisco and TCP/IP skills are solid, pick up the Cisco security titles the guide author mentions.

I don't know what Linux books are considered good right now, but get Absolute BSD if you want to learn FreeBSD.  For programming, check out http://programming-motherfucker.com/become.html .  Learn Python or Perl to start.  Along the way, plan to learn C and SQL to a basic degree.  You need to understand how to read code, craft SQL statements, and automate basic tasks.  If you want to be a good programmer and develop complex tools, put aside everything else and just program for a couple of years.

The guide author suggests building a lab and learning to hack them from Bugtraq posts, but I think you should start with a book so that you have a little more structure.  I've read several Hacking Exposed volumes and enjoyed them.  Others have recommended Counter Hack, and Professional Penetration Testing Vol. I by Thomas Wilhelm.  Professional Pen Testing is probably your best bet to start: it actually focuses on setting up a lab and learning with it.  After you've read one book, read another and spend more time reading the mailing lists.  Read lots of articles, Google, play.

109  Ethical Hacking Discussions and Related Certifications / Programming / Re: New to infosec - Python on: March 26, 2012, 12:06:07 PM
You say that you're new to information security, but you don't say what your other skills are.  The advice that people can give you really depends on the CS/IT background that you already have.  If you're also new to IT, you should start with books on system/network administration and programming.  If you're already an accomplished programmer, Cisco guru, or sysadmin, you can pick a security book that relates to your existing experience and jump right in. 

If you're already strong in networking concepts you might want to grab Network Intrusion Detection by Stephen Northcutt (a little dated, but good), The Tao of Network Security Monitoring by Richard Bejtlich, or Snort IDS and IPS Toolkit by Jay Beale.  If your interest is in Cisco, the Hacking Exposed: Cisco book may suit you.

If you have system administration experience, you may want to grab one of the Hacking Exposed volumes or Counter Hack as recommended above (I haven't read that one).

If you're interested in application security, check out this reading list by Dino Dai Zovi (one of the top appsec researchers):

http://www.amazon.com/A-Bug-Hunters-Reading-List/lm/R21POHD6Y2DOLQ
110  Features / Opinions / Online Degree in Infosec - my experience @ Capella on: March 25, 2012, 05:45:11 PM
I read comments here and there about people looking at online information security/assurance programs, but I haven’t seen anyone do a really thorough write-up.  I’m currently attending Capella University (one of the NSA listed IA programs) and will graduate with a BS in IT with a specialization in Information Assurance this December.   I’ve decided to post this for anyone who may be considering Capella or another online IT/Infosec program.   These are my opinions based on my experience.  Others may have a different take.

I would be interested in any feedback from others who have done online Infosec programs.  I’m especially interested in details regarding the various MS programs; I’m planning to begin pursuing an MS in January, possibly at UMUC.  I’ve also considered Norwich, Lewis University, James Madison University and Northeastern (expensive).

About me:
I earned an A.A. from a community college in California, attended classes online at another CC, took some courses by distance from the University of Leicester (UK) and attended law school for a year (despite not having a B.A. in hand yet).  I’ve been in IT for ten years full-time and four years part-time before that.  I’ve worked as a programmer, network engineer, and manager.  I’ve never had a dedicated security job, but it’s been a primary interest for me.  I read a lot, I’ve published some papers, and I consider myself knowledgeable in the area.  The only certification I have is the Security+.

Curriculum:
The curriculum is pretty solid.  Currently, it requires lower division courses in databases, programming, networking, and web technologies.  I didn’t have to take any of those because of my prior coursework and work history so I don’t know what those classes are like.  Some of my classmates really had trouble in Software Architecture (which has a weekly programming lab) so my suspicion is that the single programming course just isn’t adequate.  I’d rather see a two-semester lower division programming sequence.  I’d also like to see system administration (Windows, Linux, or both) as a core course in the IT program. 

The upper division coursework is split between general IT courses (communications, software architecture, network architecture, project management, etc) and security courses (forensics, ethical hacking, security management, OS security, application security, etc).  I don’t know that I’d change anything.  It would be nice to have a dedicated course in malware or wireless security, but I don’t think any of the current courses are wasted so this would really be a matter of swapping one elective for another to fit my interests/strengths.

The courses do cover technical material, but there is a strong emphasis on management and procedure.  If you want to be a vulnerability researcher, malware analyst, or application security guru, you'd be better off majoring in CS at another school.  This program is geared toward people who want to be in management or consulting roles that bridge the gap between the business and technical sides, not toward people who want to be in purely technical roles.  I'm in a low-end IT management role right now and am hoping to snag a higher position as a security manager or IT director down the road.

Academic Quality:
You get out what you put in.  The instructors are facilitators.  They participate in and comment on the discussions and are available to answer questions, but most of your learning takes place from assigned readings, labs, and training videos/lectures.  The textbooks are supplemented with outside articles, NIST documents, short video lectures, chapters from other books (available electronically within the class), as well as training materials from courses from Microsoft, EC-Council and others.  I didn’t find the training materials very useful; I learn better from reading on my own and the training tends to provide less detail than a book.  The e-books are nice and help students avoid having to buy a second or third textbook. 

The assigned readings are usually enough for you to do well on assignments and labs, but, as with any class, you’ll learn a lot more if you do additional testing/reading on your own.

A lot of people had trouble with Discrete Math, but the school provides a tutor to lead a live supplemental instruction session every week and that seemed to help people a lot.  I didn’t use the supplemental sessions so I can’t comment first-hand.  I don’t know of any other courses with supplemental instruction.

The labs are too step-by-step and don’t require enough critical thinking/deductive reasoning.  They can teach you some of the features of a tool, but won’t do a lot to help you to understand how to solve real-world problems using the tool.

The papers sometimes focus on a purely academic question, but most of them are tied to a project scenario, i.e. creating an incident response plan for the fictional Mega Corp or designing a network architecture for Happy Health Systems.  There is a grading matrix for each assignment.  If you read those ahead of time you will know what areas your paper needs to cover. 

Academic Difficulty:
The program is more work than I expected.  I already have strong technical skills so learning the material is easy, but the required work output is high.  Most courses require you to write a paper every week and, in most of those, you’ll need to write 5-10 pages for a good grade.  Occasionally, I write papers as short as 3-5 pages, but my average is about 12 pages and my longest single paper was about 20 pages.  The only course I took with consistently shorter papers was a literature course I needed to fulfill a missing requirement.  Most courses require a final paper that is made up mostly of your previous papers with a small amount of new material.  My final papers have ranged from 35 to 68 pages.

At Capella, I write close to 100 pages of original material per course.  By contrast, I don’t think any of my community college classes required a paper longer than five pages.  I might have had to write a ten page paper somewhere along the line, but it was at least a rare event.  The most writing intensive courses I took outside Capella were in archaeology and physical anthropology: I had to write five three-page papers and two in-class essays for both of those.  My wife attended a nearby state university and she says that she probably wasn’t required to write any papers longer than about ten pages and not more than five papers per course.   

If your writing skills are poor or you have trouble organizing your thoughts on paper, this probably isn’t the program for you. 

As a former software developer, I thought the programming assignments (for Software Architecture) were really easy.  Some of my classmates who had little or no prior experience had a much harder time.  I think they should add another lower-division programming course so that the upper division programming assignments can be at a more appropriate level.  I don’t think the program would be too challenging for someone with no experience, but I recommend learning some Java ahead of time if your work schedule will limit your study time during school.

Student Services:
Capella’s student services are decent.  I’ve never had a problem with academic advising.  I transferred in units from two different schools, placed out of a few pre-requisite courses based on professional experience (I didn’t get college credit for those), and also completed a “prior learning assessment” for two other courses (which I did get credit for).   All of this went smoothly. 

I had a major financial aid problem one year when Capella insisted that my FAFSA was not completed.  After talking with a couple of financial aid advisers I was told to contact the FAFSA people to get them to fix a problem that was supposedly on their end.  After several more calls with both sides I found an adviser at Capella that was able to figure out the problem (on Capella’s side) and I got the problem resolved.  It was extremely frustrating, but I haven’t had any problems before or since.

Final judgment:
I think Capella has been worth my time.  I haven’t grown my technical skills much, but I didn’t expect to.  For someone just starting out, the technical aspects of the program would be much harder.  I will leave with better management and planning skills.  Management is challenging, but underrated.  It’s hard to plan, coordinate, organize, and document large projects.  Capella has given me a lot of practice developing plans for various information security programs and I think it will come in handy for me.
111  Ethical Hacking Discussions and Related Certifications / Programming / Re: Need good password crackers to test my encryption algorithm. on: March 22, 2012, 05:57:03 PM
Don't mistake my bluntness for malice, but you do not understand very much about cryptography and your code is almost certain to be fatally flawed.  First, you don't seem to understand either Kerckhoffs's principle or unicity distance. 

Kerckhoffs's principle, a long-held principle in cryptography, is that your system should be secure even if all of the information about how the system works is public.  Only the key is kept secret.  Publish your algorithm and maybe someone can offer feedback.  If your algorithm does not use a key, it is neither secure nor useful per Kerckhoffs's principle.

Unicity distance is the amount of ciphertext needed to ensure that there is only one meaningful decryption.  You've given us a very large ciphertext that corresponds to a plaintext of only five characters.  You don't give us any information about the key, but given a ciphertext of 60 characters, there are an infinite number of transformations that could turn those 60 characters into 5.  Even if I knew your transformation (encryption algorithm), there should be a large number of keys that could turn those characters into a valid 5-letter word.

Your ciphertext is very repetitive.  What encoding are you using?

Developing strong cryptographic algorithms is very hard and requires experience breaking algorithms and very strong math skills in algebra, statistics, probability, linear algebra and abstract algebra as well as a working knowledge of concepts in computation and algorithm analysis.  Algorithms are typically published alongside the author's own analysis in order to convince other experts that the new design is worth a look.  If it appears strong/useful/interesting, other cryptographers will spend their own time trying to break the system and publish their results.  If the algorithm is strong, the resulting publications will explain why the algorithm is *not* vulnerable to various attacks or what about the algorithm causes those attacks to fail.

If you want to learn more about cryptography, read this book:

http://www.amazon.com/Understanding-Cryptography-Textbook-Students-Practitioners/dp/3642041000

It's very accessible and doesn't assume any hard mathematical prerequisites. 
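The unicity-distance point above is easy to see with a toy cipher. The following is an added example written for this thread, not code from the post or from the poster's algorithm: it uses a 26-key shift cipher, a constructed mini-dictionary standing in for "meaningful English", and the textbook figure of about 3.2 bits/char for English redundancy (all three are assumptions). With a four- or five-letter ciphertext more than one key yields a dictionary word even though the algorithm is fully known; add a little more ciphertext and only one key survives.

```python
"""Unicity distance made concrete with a shift (Caesar) cipher.

Added example, not code from the post. The mini-dictionary, the sample
plaintexts and the 3.2 bits/char redundancy figure for English are
assumptions chosen for illustration.
"""
import math
import string

ALPHABET = string.ascii_lowercase
SHIFT_KEY_BITS = math.log2(26)  # H(K) for a 26-key shift cipher, about 4.7 bits

# Constructed stand-in for "meaningful English": a decryption counts as
# meaningful only if every word in it appears here.
DICTIONARY = {
    "the", "cold", "frog", "sleep", "bunny", "add", "bee",
    "inks", "jolt", "attack", "secret", "hello", "world",
}


def shift_encrypt(plaintext, key):
    """Shift each lowercase letter by `key` places; leave other characters alone."""
    out = []
    for ch in plaintext:
        if ch in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(ch) + key) % 26])
        else:
            out.append(ch)
    return "".join(out)


def shift_decrypt(ciphertext, key):
    return shift_encrypt(ciphertext, -key)


def meaningful(text, dictionary=DICTIONARY):
    """True if the text is non-empty and every word is in the dictionary."""
    words = text.split()
    return bool(words) and all(w in dictionary for w in words)


def candidate_keys(ciphertext, dictionary=DICTIONARY):
    """All keys whose decryption of `ciphertext` is meaningful, with the plaintext.

    More than one entry means the ciphertext is shorter than the unicity
    distance: the key is not determined even though the algorithm is known.
    """
    return {k: shift_decrypt(ciphertext, k) for k in range(26)
            if meaningful(shift_decrypt(ciphertext, k), dictionary)}


def unicity_distance(key_bits, redundancy_bits_per_char):
    """Shannon's estimate U = H(K) / D of how many ciphertext characters are
    needed before only one key yields a meaningful plaintext."""
    return key_bits / redundancy_bits_per_char


if __name__ == "__main__":
    # "frog" decrypts to "cold" under key 3 and "bunny" to "sleep" under key 9,
    # so both ciphertexts are ambiguous; the longer phrase is not.
    for ct in ("frog", "bunny", shift_encrypt("the cold frog", 3)):
        print(f"{ct!r}: {candidate_keys(ct)}")
    print(f"U for the shift cipher ~ {unicity_distance(SHIFT_KEY_BITS, 3.2):.2f} chars")
```

Shannon's estimate for the shift cipher comes out at about 1.5 characters because the keyspace is tiny; the toy dictionary is far less redundant than real English, which is why four- and five-letter ciphertexts are still ambiguous here. The same reasoning applied to a serious cipher is what tells you whether a short sample can say anything at all about the key.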
112  Ethical Hacking Discussions and Related Certifications / Other / Re: Ethics and security research on: February 14, 2012, 04:10:34 PM
Quote
As I said, a vulnerability has to be known to be a problem

That's not quite true and it doesn't tell the whole story.

If I discover an attack technique, I don't know if it's really new or not.  I can look at previously published research, but that still doesn't tell the whole story.  Black hats may have already discovered the technique and could be using it, but not sharing it publicly.  Organized crime or government agencies may already know about the technique and they certainly are not going to share it.  If I publish my results, perhaps after working with vendors, I can help people to move forward and start eliminating the problem.  If I keep silent, I'm not helping and I won't know whether the technique is being used or not.

Even if I knew (through omniscience) that nobody in the world was aware of my technique, it could still be a bad idea to sit on my information.  The problem is that software is vulnerable to my attack technique whether I share the details or not. By the time someone else discovers and publishes it, there may be more vulnerable applications in the world than when I discovered it.  This is especially true if my technique affects an emerging technology or one that is likely to be leveraged by other software.

For the researcher personally, if he can't publish there is no point in doing research.  Sure, he could focus on pure defense, but he's mostly ignoring the attack side or taking a passive approach to it.  This leads to a skill imbalance between the white hats and the black hats.  If the black hats are the only ones who know how to break systems, or who can discover new techniques, then the white hats are falling behind.


113  Ethical Hacking Discussions and Related Certifications / General Certification / Re: Masters Research on: January 19, 2012, 02:55:19 PM
I wouldn't worry about a thesis topic yet if you're just starting out.  Figure out what general areas you're interested in and try to find an adviser that has done some work in that area or a related area.  Read papers, work on research projects, and try to publish some papers yourself (probably in collaboration with your adviser or other grad students).  Your adviser will help you pick a thesis topic but it will be very specific.  Instead of "web applications security" it would focus on some aspect of static analysis, sandboxing, etc.  Look at other accepted theses at the school you're attending to see what I mean.

Have you read any of the research being published?  Read papers that sound interesting and follow up on the references.  You'll eventually carve out a niche where you can do some research of your own. 

If you're going to do a Ph.D., make sure you really want to do CS research.  There is a huge difference between an IT security job and academic research.  If you just want to work in the field, a masters can be good, but your future employers will be looking for applicable job skills.  Whether you even do a thesis with your masters probably won't matter.  You'll still want to get some certifications to improve your employment prospects.  Whether a Ph.D. will help you at all depends very much on what you want to do.  If you want to be a researcher at Microsoft, the NSA, Google, a Ph.D. would be awesome.  If you want to be an IT security guy, not so much.
114  Ethical Hacking Discussions and Related Certifications / Web Applications / Re: XSS Filter Died? on: January 15, 2012, 03:41:19 PM
I screwed up :(  I was using multiple test accounts and I mixed up and made one of the accounts a professor instead of a student.

So, the XSS filter functions although I can still bypass it using certain tags.

I would like to know why it blew away a discussion category though; definitely some data corruption at play there.
115  Ethical Hacking Discussions and Related Certifications / Web Applications / Re: XSS Filter Died? on: January 14, 2012, 03:02:49 PM
Quote
You will only be able to know if you debug the application

I think I'm out of luck since I don't have the ability to debug this app.  I do know that it's a global issue since the problem persists on other accounts/machines.  I really wish I had source code so I could see what the hell they are doing.
116  Ethical Hacking Discussions and Related Certifications / Web Applications / Re: XSS Filter Died? on: January 14, 2012, 03:07:51 AM
It wasn't part of a pen-test, just some independent research.  I'm the application admin for the system which is hosted by the vendor.  As far as I know, there isn't a way to turn the filter off (on purpose).

It's a production system, but school is out right now so I'm pretty much the only person on.  I've always felt comfortable playing with XSS using a test course where there aren't any real users that I can harm.  The side effects I saw today surprised me.
117  Ethical Hacking Discussions and Related Certifications / Web Applications / XSS Filter Died? on: January 14, 2012, 12:38:16 AM
I'm trying to figure out what happened to a web app I was testing today.  I was blackbox testing the forum/discussion feature for an online learning app (written in Java) that allows users to post HTML, but has an XSS filter to block known bad HTML tags.  I've found some ways to bypass this particular filter before and was testing some new things today.  When I input something it doesn't like, I would get an error message like: "Forbidden Content: <evil>Boo</evil>"

Here's the strange part: at some point in my testing, it stopped blocking anything at all.  All of the things that it used to flag as "forbidden content" were allowed through.  I could use any tag I wanted including the obvious <script>.  What would cause this?

One guess is that the routine is throwing an exception and that the exception is handled by simply returning as if everything is okay, but I don't know why it would do that every time.  Would there be a reason for it to maintain state?  If it does, I could see it getting so screwed up that it can't run without throwing an exception.

Is there something else it could be doing?  I don't have source code to check this and I've never run into a similar error while coding.

Thanks,

Unicityd
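The "handled by simply returning as if everything is okay" guess describes a fail-open filter, and it is worth seeing how little it takes to produce exactly the symptom above. The following is an added example written for this thread, not the vendor's code and not anything from the original post: the tag blocklist, the regular expression, and the way the filter's internal state gets corrupted (its compiled pattern is replaced with None) are all assumptions chosen to reproduce the behaviour described. The fail-closed variant beside it rejects the submission whenever the filter itself breaks.

```python
"""Fail-open versus fail-closed handling around a stateful HTML tag filter.

Added example for this thread, not the vendor's code. The blocklist, the
regular expression and the way internal state gets corrupted (the compiled
pattern is replaced with None) are assumptions chosen to reproduce the
symptom described in the post.
"""
import re


class ForbiddenContent(Exception):
    """Raised when a submission contains a blocked tag."""


class TagBlocklistFilter:
    # Tag names the filter refuses (assumption; "evil" is included only so the
    # error text matches the one quoted in the post).
    BLOCKED = {"script", "iframe", "object", "embed", "evil"}

    def __init__(self):
        # Internal state: the compiled pattern. If this is ever clobbered,
        # check() raises something other than ForbiddenContent.
        self.tag_re = re.compile(r"<\s*/?\s*([a-zA-Z][\w-]*)[^>]*>")

    def check(self, html):
        """Return the HTML unchanged if no blocked tag name appears in it."""
        for m in self.tag_re.finditer(html):
            if m.group(1).lower() in self.BLOCKED:
                raise ForbiddenContent(f"Forbidden Content: {html}")
        return html


def post_fail_open(filt, html):
    """The behaviour the post guesses at: a blocked tag is reported, but any
    other exception from the filter is swallowed and the input is stored
    as if it had been checked."""
    try:
        return filt.check(html)
    except ForbiddenContent:
        raise
    except Exception:
        return html  # bug: an internal error silently disables the filter


def post_fail_closed(filt, html):
    """Safer shape: an internal error rejects the submission instead."""
    try:
        return filt.check(html)
    except ForbiddenContent:
        raise
    except Exception as exc:
        raise ForbiddenContent("Filter unavailable; post rejected") from exc


def submit(handler, filt, html):
    """Run one submission; returns (accepted, stored_html_or_error_message)."""
    try:
        return True, handler(filt, html)
    except ForbiddenContent as exc:
        return False, str(exc)


if __name__ == "__main__":
    f = TagBlocklistFilter()
    print(submit(post_fail_open, f, "<evil>Boo</evil>"))            # rejected
    print(submit(post_fail_open, f, "<script>alert(1)</script>"))   # rejected
    f.tag_re = None  # simulate corrupted filter state (assumption)
    print(submit(post_fail_open, f, "<script>alert(1)</script>"))   # accepted!
    print(submit(post_fail_closed, f, "<script>alert(1)</script>")) # rejected
```

Two things worth noting. A tag-name blocklist never looks at attributes, so markup such as an image with an event-handler attribute passes it whether or not the state is intact; that is the general weakness of blocklists and is separate from the failure mode shown here. The narrower point is that a catch-all handler which returns the input on error turns any internal failure into a total bypass, which is exactly the "stopped blocking anything at all" symptom; the fail-closed wrapper turns the same failure into a visible outage instead.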
118  Ethical Hacking Discussions and Related Certifications / Malware / Re: Malware Analysis and Legality on: January 01, 2012, 11:18:52 PM
You can make it clear that nobody is being invited in.  You can put warning banners on the honeypot(s) prohibiting unauthorized use.  You can also deploy honeypots that are not accessible from the Internet.  These would be useful for detecting someone who already has a foothold on your network and any argument that "the door was left open" would be nullified by the fact that the system isn't publicly accessible. 

Does anyone know of this defense being used successfully?  I'd be curious to see some actual cases where this worked, especially if there were not any exigent circumstances that could have led someone to reasonably believe they were invited in.
119  Ethical Hacking Discussions and Related Certifications / Malware / Re: Malware Analysis and Legality on: January 01, 2012, 12:13:03 PM
A honeypot is a passive tool and doesn't cause damage to anyone else.  The act of deploying a honeypot is legal and, in and of itself, causes no liability to anyone else.  The only potential problem is if someone uses your honeypot to hack others.  Whether you would be liable isn't a settled issue.  Here's what Lance Spitzner had to say:

Quote
The third issue is liability. Liability implies you could be sued if your honeypot is used to harm others. For example, if it is used to attack other systems or resources, the owners of those may sue. Liability is not a criminal issue, but civil. The argument being that if you had taken proper precautions to keep your systems secure, the attacker would not have been able to harm my systems, so you share the fault for any damage occurred to me during the attack. The issue of liability is one of risk. If I deploy honeypots and they are compromised, what happens if they are used to attack someone else? First, anytime you deploy a security technology (even one without an IP stack), that technology comes with risk. For example, there have been numerous vulnerabilities discovered in firewalls, IDS systems, and network sniffers. Honeypots are no different. However, just as in privacy, different honeypots have different levels of risk. Low-interaction honeypots have far less risk, as they do not give attackers a real operating system to interact with. Instead, they contain attackers within emulated services, controlling the actions of the attacker. High-interaction honeypots, such as Honeynets, are different, they provide actual operating systems for attackers to interact with. As a result, most high-interaction honeypots have greater risk. If liability is a concern for you, you most likely want to focus on honeypots with less risk.

One thing to keep in mind. For years legal experts have been discussing possible liability for an organization that has been compromised and in turn was used to attack, compromise, or harm another system or organization. To date, we have seen no published decision addressing whether the operator of an insecure system can be liable to other operators for the misuse of the system by a hacker. So while liability is an issue, it may be an overblown one, as there is no recorded case of it happening with compromised systems.

http://www.symantec.com/connect/articles/honeypots-are-they-illegal
120  Ethical Hacking Discussions and Related Certifications / Malware / Re: Malware Analysis and Legality on: December 31, 2011, 02:19:43 AM
Yes; you would be liable for the damages you caused.  You could also go to jail.
