|
EH-Net
|
|
February 10, 2012, 06:39:16 AM
16
|
Ethical Hacking Discussions and Related Certifications / Other / Re: Security begins at Home
|
on: January 27, 2011, 03:56:43 AM
|
Agreed, most home security isn't great, but for the most part it could be as secure as it needs to be. Investment (time, cash, resources) into security above the level of the value of the protected assets doesn't provide a good ROI. It's easy for us as security people to scoff at the inability of 'normal' users to secure their systems, but this is what we do. On the flipside; I drive a car, but have no (in-depth) idea of how it runs, or how to fix it if it breaks. Despite the mechanics that I know telling me that it's simple. There just isn't enough time to know all topics in-depth, and for most, computer security isn't a priority. Wireless (in)security is rife though, I did some wardriving a while back (and need to re-do to see if there has been any change/improvement), almost 50% of all APs were either running WEP, or completely open (findings here.) I'm guessing one problem may be compatibility issues, from my own experience I have an older Nintendo DS that can only communicate with open or WEP networks. Whilst increasing home network security is a good goal to work towards, if we did provide average users with greater access to security resources and knowledge, would they be interested enough to take advantage? I'd argue that they already have all the resources they need online...
|
|
|
|
|
17
|
Ethical Hacking Discussions and Related Certifications / Malware / Re: HACK CODE TO BE EXPLANED
|
on: January 27, 2011, 03:43:47 AM
|
|
Alexsp,
I've no experience with Joomla, so apologies if this is overly generic. If you can post what the file should be, or just outline which code is added/modified that will help.
However, whilst this may be a result of a compromise, I'd not expect the code you've found to be the first point of intrusion, as any attacker would already need a foothold on the server to be able to add/alter any of your existing source.
I'd strongly suggest a thorough review of server logs, access, user etc. (basically the usual candidates), as well as a security audit of the code hosted on the site.
Is this site the only web application running on the server, or is it shared? If shared, it could be that the fault doesn't exist within your application, but a weakness on a different site has allowed a malicious user system access to modify source code of otherwise secure web apps.
Hope this helps.
|
|
|
|
|
19
|
Resources / Career Central / Re: Anything else I can try
|
on: January 26, 2011, 10:43:19 AM
|
Sounds like you're already doing a lot. Might not directly get you a job but I've found it can't hurt, start a blog and write up anything you're doing whilst studying and learning; new tools & techniques etc. (I know, hated the idea when I started). As well as helping you retain the info by having to write about your understanding, it can also get you involved in the community and provides a stage to show employers what you are capable of and help you stand out from other applicants. If getting a security specific role is difficult, look at an admin or support role in a smaller organisation (<250 employees). You'll be amazed at the number of other techies that are delighted to pass off the 'boring' security tasks if you show an interest. Hope this is of some help, good luck out there (& twitter doesn't hurt either...)
|
|
|
|
|
20
|
Ethical Hacking Discussions and Related Certifications / General Certification / Re: Is EC-Council a credible organization?
|
on: January 25, 2011, 12:23:02 PM
|
You didn't have to answer if you felt it was just complaining...
And in hindsight, I shouldn't have. I've already said I shouldn't have made an off hand comment without thinking it through. It's my own fault for trying to respond quickly before diving out the office after a long day. If I've caused any offense, that wasn't my intention, hopefully if you look at my posts you'll see the same. Suggest we draw a line and move on (sorry for jacking the thread), truce? 
|
|
|
|
|
21
|
Ethical Hacking Discussions and Related Certifications / General Certification / Re: Noob Question
|
on: January 25, 2011, 10:56:54 AM
|
|
Pookie,
In my experience trying to 'learn' Linux never works, as I can't retain anything I learn for when I actually need to use the knowledge in real life. Only way I can improve my Linux skills is to actually use it.
If you're mostly using the GUI, don't (I know, sorry); try running on a system without a GUI (all my servers are CLI only), for example take advantage of one of the many free/cheap virtual service hosts and use that to set up something that you're interested in. Or if you don't have a project in mind, set up a LAMP system to run a wiki/blog for you to record the skills/knowledge you're learning whilst doing it.
The knowledge comes with time, in my case I was working on a system (throwing commands at it, seeing what it does) and had an out of body experience, "when did I learn to do that?". It's easier to learn when you don't know you're learning.
|
|
|
|
|
22
|
Ethical Hacking Discussions and Related Certifications / General Certification / Re: Is EC-Council a credible organization?
|
on: January 25, 2011, 09:51:27 AM
|
Thank you, but i am just some human posting some lines (in English, which is not my native language) on some board, not a full certification representable institution/organisation (which is written with an s in my dictionary, but both are accepted...so no harm, no foul)
J0rdy, didn't mean to cause offense (should think twice before posting off the cuff comments), just a post complaining about typos (and more) having typos made me chuckle. Mostly typos don't bother me, but I agree that large organisations should probably be held to a higher standard than the rest of us. I know EC-Council used to have detractors complaining about some of the readability of both course material and exams, but I had thought that this was improving over time. Judging the comments in this thread I think I'm being fed incorrect info.
|
|
|
|
|
24
|
Resources / Mass Media / Re: Metasploit Penetration Testers Book
|
on: January 21, 2011, 08:41:56 AM
|
but what will make people buy the book instead of searching for the information in Metasploit Unleashed?
Hardcopy. Sometimes it's just easier to switch off and read a book than to work online. (and I get less grief from the missus for sitting reading a book, than sitting with a laptop on my knee 24/7  )
|
|
|
|
|
27
|
Resources / Mass Media / Re: Metasploit Penetration Testers Book
|
on: January 21, 2011, 06:34:26 AM
|
Since metasploit is developing rapidly
I think this will be the problem, I own several similar resources (Metasploit toolkit for penetration testers and Penetration Testers Open Source Toolkit) but find the material quickly becomes obsolete with continuous development on tools and frameworks. This is one area that I think the Metasploit Unleashed site really thrives, being able to keep up with the latest development within the framework. I'll probably still add the book to my bookshelf (can't help myself), but don't expect it to stay relevant for too long with the current pace of development within the MSF.
|
|
|
|
|
29
|
Ethical Hacking Discussions and Related Certifications / OSCP - Offensive Security Certified Professional / Re: OSCP Programming Needs
|
on: January 20, 2011, 04:41:47 PM
|
NothingElse, I'm hoping someone will correct me if I'm out of date, OSCP was version 2 when I was on the course. To me the programming requirements were fairly minor, if you've coded in the past and can understand the concepts of loops, conditional statements etc. then you should be fine. I felt that the labs and videos did a good job of gently introducing the requirements, and the examples were easy to follow along with and use as a basis for the exercises. If you've done some Python/Perl in the past then you should have enough experience to be able to work through the OSCP requirements. Hope this helps, good luck on the course. Just make sure you enjoy it (you will) and that you TRY HARDER (you'll have to)
|
|
|
|
|
30
|
Resources / Career Central / Re: looking for opinions - uk job front
|
on: January 19, 2011, 03:00:22 AM
|
|
Don't know the Scottish market too well (just South of border), but I know from colleagues that the market isn't too strong at present.
However, this could be to your favour, if you can pitch your services either to companies looking to decrease wage bills of full-time staff but still need the skills/knowledge you provide, or organisations who are expanding despite the economic climate and find themselves in need of expertise but can't justify/need fulltime resource you could be a perfect fit.
Good luck in the hunt