It was a good time, talks are up on their ustream links.  We had a great panel discussion on whether the problem with Information Security is our fault or the users - "InfoSec or InfoSuck" was the title.  Sadly there was no coverage on uStream. 

I learned to Lockpick for the first time   That will be my new "get away from the keyboard" stress reliever. 

InfoSecJanitor talked about our appliances taking over with the increasing sale of "Smart" Appliances.  Also touched upon the automotive industry implementing Wi-Fi/Bluetooth based censors in cars and that cars are no longer cars but rolling computers just like our phones are no longer phones.  So soon everything will be hackable!  Hack the planet indeed!

It was a good time and full of thought inducing topics!

Anything is possible, but the question is why would you be sending traffic to servers you don't own?  This is, afterall, an ETHICAL hacker forum. 

If a TRUE penetration test is conducting, all aspects of security should be considered for scope.  SE should be part of the test regardless since it can be used as viable method into the system regardless if they tester comes through the front door posing as a fire marshal or if they send an email to a user posing as help desk.  SE should be on the table. 

My last job, they ran an internal and external test but they didn't want to use SE because they didn't want to alarm users.  Really???  Don't you want to know if your Security awareness is working??  I just shook my head.  The external network had a very limited attack surface.  Only VPN and a Citrix portal was available.  No OWA or any other web services were allowed in.  Mail was filtering through our spam/av hosts so those ports weren't open directly.  Granted if you compromised those anti-spam hosting provider you might be able to sneak in that way, but it is another hurdle for the attacker.

Needless to say, a well placed phishing email would most likely be the entry way in.  No one will come to the front door.  Even a phone call may work.  Well regardless they CIO thought it was a good idea to outsource everything, including security so not my problem anymore.  :-p 

But yes, SE should be done, if not during the main test, then at least a couple times a year to test your security awareness training. 

Today at BsidesDE we had a great panel discussion on why Info Sec sucks and if it was the fault of the users or us.  We agreed that it was a little of both.  And a point came up about testing the users to know if your message is really getting through.

Sorry for the long post.  been up for 16 hours so... yeah, I need sleep.

Has anyone ever worked for Symantec in their Managed Security Services division?  Just curious on your opinion, shoot me a PM to discuss further.

True Jamie, I can't play dumb now since I did contact them.  No biggy, I have other things filling my time at the moment. 

I was thinking about that (running it anyway).  I suppose if you are running something like a web server then how would they know you are deliberately running a honeypot behind it?  Their free EC2 instance for linux is a bit hoaky though so navigating it to install apps and hunting down the appropriate log files is a bit more convoluted than what I am used to.  At this time I've put a hold on the little project until I can get some other items done. 

I would look into GPEN and OSCP and to make the HR people happy, CEH.  I personally would love to go for the OSCP.  It sounds fun and challenging and it really lets you get your hands dirty.

Is your goal to become a good pen tester?  If so, look at OSCP and maybe GPEN.  CISSP will not make you a good pen tester, it will qualify you more for managing a sercurity infrastructure but not actually testing it.

Also what other background experience do you have?

Anyone else heading down?  We should have an EH meetup   Last year I checked on Ironside Brew Pub in Wilmington.  It was pretty good.  There doesn't seem to be much around the New Castle area though or if there was I didn't find it last year.

For some decent videos, check out SecurityTube's Wireless LAN security Megaprimer:
http://www.securitytube.net/groups?operation=view&groupId=9

For protection research WPA2 Enterprise solutions.

The traditional methods of finding talent are not quite working.  Big companies want to hire the paper certs to make HR happy.  If they want true talent, they need to check out the security conferences, the OWASP groups and other similar tech groups.  The talent is out there but either they are happy with their current situation or they don't have the degrees or certifications to get them on the radar. 

In this day an age when college grads with masters degrees are working at Subway, well kinda deters the high school student from wasting the money on a college education if the ROI won't be there when they get out. 

Granted I saw the writing on the wall in college and went into MIS.  You need to learn to predict where the job focus will be when you get out.  But I digress.  Basing your hiring on certs such as CEH or CISSP might get you some qualified applicants, but anyone worth there salt with those certs is probably hired and happy.  The relative experience should support the cert as well.  Another item to consider is the material the certs cover.  CISSP is not a technical cert so to require that for a technical job is a but wasteful.  CEH material is older and not always up-to-date.  Educate HR on what technical certs you want from applicants.  If you want a real savvy pen tester or blue team type, look for those OSCPs, GPEN or other GIAC related pen testing certs.  Only problem is some of the courses are a bit expensive for the individual to go for and the cert tests aren't cheap either compared to say an MCSE related test. 

So there are talented people out there but they may lack the big corporate dollars to get them up to snuff on paper.

The De-ICE images are pretty cool.  They start "easy" and become much more difficult. 

Jamie are you looking more for finding 0 day type stuff?  For instance... you are surfing say... Target's website, and you find a flaw in the site that could allow for leaking of PII or the ability to perform an SQLi or XSS exploit.  You want to notify them but you do not want to be brought up on charges for breaching the site and stealing any information.  You looking for something like that? 

Otherwise, yes the best method is the lab environment.  If you want to research malware, the lab also applies.  Getting live samples can be a bit of a chore but there are sites out there.  I would advise putting on the invisibility cloak when hunting for them.

Understandable Ps_107.  And yes I do not know your situation.  As we all have a wealth of information behind us, we can only speculate at what you are ultimately trying to do and protect.  I do understand your hightened awareness due to past issues.  If you have intellectual properly that needs protecting, you should also insure you have some legal protection going forward with your new project.  I understand the costs involved with protecting intellectual properly could be high, but so are penetration tests. 

In most cases a Pen tester is not looking for other people breaking in, but looking for a way in themselves and telling you about it after.  The goal of the pen test could vary from simply breaking the perimeter to obtaining access to critical company data.  But it is all in the scope.

I would highly recommend you create a relationship with a local IT firm that can better understand your situation and recommend a solution that will best suit you.  We can only speculate and rather than give you information overload, it is much easier to make recommendations and answer your questions when we actually know what needs protecting.  Obviously I am not asking you to divulge that information to us.  But working with someone directly may give you better answers than posting on a forum.  If anything you can always pass the recommendations by us and hear our opinions on them. 

Another thing to think about for the future, hopefully this type of situation doesn't happen again... but if it does, nip it in the bud quickly, quietly and fairly.  Try to keep it from getting this far for public review.  Also realize that this will hurt business for a while.  InfoSecI will be under the microscope for anything that is offered from here on in as well as past offerings.  There are plenty of other training providers out there and those of us serious about Info Sec training will seek them out.  It doesn't come down to cost but quality and if you can offer top quality at a reasonable cost, well that is a huge plus.

Both parties at this time should just a sit down try to agree to keep this between the parties and refrain from additional posts online until a reasonable agreement can be made. 

hmm, I like Powershell..  Damn these guys, there is not enough time in the day to play with all the cool toys!!!