Recent Articles

Exclusive First Look: ImmuniWeb by High-Tech Bridge

July 19, 2013 | 1 Comment

Ever since the Internet took off from its humble beginnings as a simple connection between the two networks of UCLA and Stanford for educational purposes, it has increasingly been used by the global population as a means of communication, commerce, charity and much more. The myriad ways of utilizing the Internet backbone all require software engineering of web-enabled applications (webapps). A new product from High-Tech Bridge SA called ImmuniWeb® performs webapp security assessments. If you’re like me, you’re probably thinking that this is just another webapp vulnerability scanner, but hang on! It provides an innovative hybrid approach along with some really creative additional modules for assessing security beyond just the webapp. Why would we need such a hybrid approach?

Critical systems are being moved to the Internet by every industry, each of which now requires diligence to ensure its own existence. Education uses the Internet to evolve learning platforms and make enrollment more efficient. The media industry uses the Internet for everything from personal blogs to content delivery of every type. Commercial industry utilizes it for everything from customer service to revenue collection, banking for everything from account management to funds transfer, and communication for both voice and data. Government is using technology to… well, let’s not turn this into a political argument. Let’s just take a detailed look at this unique new offering and how it can help the security posture of your entire organization regardless of the industry to which you belong.


July 2013 Free Giveaway Sponsor – MIS Training Institute

July 15, 2013 | 0 Comments

Win Ticket to Cloud Security Alliance Congress 2013 = $1295!

In EH-Net’s continuing effort to get our readers involved in the many events on EH-Net’s Global Calendar, we have another free ticket to a conference. This time, it is not tied to one specific event. This month we have partnered with MIS Training Institute (MISTI), “the international leader in audit and information security training, with offices in the USA, UK, and Asia. MIS’ expertise draws on experience gained in training more than 200,000 delegates across five continents.” They’ve agreed to allow the winner of this month’s prize to choose free admission to any conference they produce within the next twelve months, such as Cloud Security Alliance Congress 2013 being held in Orlando, FL from December 4-5:

The CSA Congress is the industry’s premier gathering for IT security professionals and executives who must further educate themselves on the rapidly evolving subject of cloud security. In addition to offering best practices and practical solutions for remaining secure in the cloud, CSA Congress will focus on emerging areas of growth and concern in cloud security, including standardization, transparency of controls, mobile computing, Big Data in the cloud and innovation.

Other MISTI events include Audit World 2013, ITAC 2013, Mobile & Smart Device Security 2013 and InfoSec World Conference & Expo 2014. All of these conferences and more (seminars not included) will be on the list of events from which our winner can choose. All you have to do is become a member of EH-Net and contribute here on the site, our LinkedIn Group, Tweet about us… and you could be networking with other professionals and advancing your career at one of these respected industry events.

Only members are eligible!
Registration Is FREE!


June 2013 Free Giveaway Winner of Black Hat USA Ticket

July 15, 2013 | 9 Comments

We have a winner of Black Hat USA 2013 Briefings Pass = $2195!


Hard to believe it’s that time of year again, but here we are. Time to start gearing up for the madness that is the annual trek to Vegas for Black Hat USA and DEFCON. As we do with most of our prizes, we kindly ask that if someone can’t utilize the prize, they kindly decline. We’d always prefer someone benefiting from a prize instead of it sitting unused. So after several tries, I found someone who fit the bill – participates on the site and can make it to Vegas. To make it even better, this will be his first BH! I love my job. Here’s a short description of what EH-Net member, caissyd, will get to enjoy:

Black Hat USA is the most intensely technical and relevant global information security event in the world, encouraging collaboration between academia, leaders in the public and private sectors, and world-class researchers. Nowhere else in the world will you experience the same caliber of conversations and continuing education, within a strictly vendor-neutral and friendly environment. Each year, the brightest minds in security come together in Las Vegas for six days of learning, networking and high-intensity skills building. Back for its 16th year, the Black Hat USA Briefings and Trainings will take place July 27-August 1, 2013.

Participation is the ONLY way to win. Start a thread that sparks lots of interest; share thoughts and experiences; spread the word of EH-Net to your social networks; help a newbie… quality is more important than quantity.

Only members are eligible!
Registration Is FREE!


Hacking WordPress with XSS to Bypass WAF and Shell an Internal Box

July 3, 2013 | 4 Comments

WordPress is by far the most popular Content Management System (CMS) in the world today. According to W3 Techs, “WordPress is used by 58.2% of all the websites whose content management system we know. This is 18.6% of all websites.” As with most modern, popular CMSs, the WordPress application itself is hardened and secure out of the box. But to get all of the cool ‘stuff’ to make your site memorable and engaging, WordPress site owners often use 10 – 20 plugins for each installation. As of July 2013, WordPress.org lists 25,700 plugins with more than 475 million downloads, and that doesn’t include those outside of the WordPress repository. It’s these third-party plugins that leave a tight framework vulnerable to exploitation and make attempts at hacking WordPress common. Many installed plugins remain unpatched or overlooked, and even those not activated through the WordPress Dashboard provide an excellent attack surface. With shared hosting plans and consolidated corporate data centers, more often than not your instance of WordPress is not the only web application residing on your server.

For the sake of brevity, I won’t “beat a dead horse” and talk about why Cross-Site Scripting (XSS) is dangerous. There is still some confusion surrounding XSS and its role in network breaches, how it is used, and how it can be utilized over and over to do the same thing. An attacker cannot leverage an XSS flaw to directly “hack” into a server. Instead, by chaining vulnerabilities together and socially engineering personnel, an attacker can move from XSS to an internal compromise fairly quickly. This tutorial shows how hacking WordPress with a simple XSS flaw can be crafted into a vehicle to intrude on internal networks.


Course Review: eLearnSecurity Penetration Testing Student v2

June 21, 2013 | 13 Comments

Shrinking budgets and geographical diversity are pushing educational trends out of the classroom and into online learning opportunities. But hands-on training and skills evaluation are a trickier problem to solve in that paradigm. Information Security training is no exception. Yet many students seeking training in Information Security face barriers to entry involving their prior knowledge, and how to get it. Many offerings assume a level of proficiency above what a beginner may have, especially one who has not already worked in Information Security. To add to the beginner’s frustration, most training organizations don’t offer the background learning necessary to get to that level. Enter the eLearnSecurity (eLS) Penetration Testing Student course.

The eLearnSecurity Penetration Testing Student v2 course addresses the need for online, hands-on education for the beginner. The flexible and self-paced, browser-accessible online course teaches basic foundational concepts for students who wish to enter the field of penetration testing while allowing hands-on application through the Hera Student Lab and, optionally, the Coliseum Web Application Testing Framework. The course provides an ordered and appropriately broad basic introduction into foundational concepts for the beginner. While this course alone will not produce a qualified penetration tester, it provides a guided hands-on opportunity to become familiar with some of the basic concepts. It is effective for those who are exploring the possibility of penetration testing as a career path, or for those who simply want to know more about what penetration testers are capable of doing.


June 2013 Free Giveaway Sponsor – Black Hat USA

June 5, 2013 | 1 Comment

Win Black Hat USA 2013 Briefings Pass Worth $2195!


Hard to believe it’s that time of year again, but here we are. Time to start gearing up for the madness that is the annual trek to Vegas for Black Hat USA and DEFCON. We have a number of readers who come to EH-Net looking to be educated in the ways of professional hacking. Not everyone is a seasoned pro. I hate to assume that everyone knows of these security events. So, for you newbies, here’s the official description:

Black Hat USA is the most intensely technical and relevant global information security event in the world, encouraging collaboration between academia, leaders in the public and private sectors, and world-class researchers. Nowhere else in the world will you experience the same caliber of conversations and continuing education, within a strictly vendor-neutral and friendly environment. Each year, the brightest minds in security come together in Las Vegas for six days of learning, networking and high-intensity skills building. Back for its 16th year, the Black Hat USA Briefings and Trainings will take place July 27-August 1, 2013.

Participation is the ONLY way to win. Start a thread that sparks lots of interest; share thoughts and experiences; spread the word of EH-Net to your social networks; help a newbie… quality is more important than quantity.

Only members are eligible!
Registration Is FREE!


April 2013 Free Giveaway Sponsor – eLearnSecurity

April 5, 2013

Win 3 Prizes Worth $1700!

Shhhh… Don’t tell anyone, but there’s a new course coming from eLearnSecurity on webapp pentesting. And before it even goes live, all you EH-Netters have a shot at winning a free seat. If their past courses and projects like Coliseum and Hack.Me are any indication of the quality, this should be a very well received online class and practical exam. Of course we’ll be the judge of that, as EH-Net Columnist Jason Haddix is working on the review as we speak. If you’d like to get info immediately when it’s made available, please fill out the webform for the New eLearnSecurity Training and Certification Path on Web Application Security, and you will also get a whopping 30% OFF at launch! But don’t say anything!

In addition to the behind-the-scenes work on the new webapp course, eLearnSecurity has also been busy lately updating Penetration Testing - Student. We’ll share our thoughts on this course as well in an upcoming review by, appropriately enough, a new writer for EH-Net, Heather Pilkington. So with that, I’m sure all you hackers out there have figured out that members can win 1 of the 3 prizes listed below:

- 1 seat in the soon-to-be-released eLearnSecurity WebApp Professional Course worth $900
- 2 seats in the Penetration Testing – Student v2 Course worth $400 each

You know the drill. You win by participating in the EH-Net Community. So get at it!

Participation is the ONLY way to win. Start a thread that sparks lots of interest; share thoughts and experiences; spread the word of EH-Net to your social networks; help a newbie… quality is more important than quantity.

Only members are eligible!
Registration Is FREE!


Human Intel to Navigate the Security Data Deluge

April 2, 2013

By Robert J. Shaker II, CISSP, CCSK, CGEIT, CRISC

Since the dawn of man there has been intelligence. Hunter-gatherers would venture out and learn from the world around them what each sound, smell, and taste meant. The growl of a large predator would alert them to prepare for a defensive effort or to change paths. The smell of smoke meant other humans were nearby, and a bitter taste meant something wasn’t edible. As time marched forward, learning more about the other packs of humans around them became more important. There was competition or cooperation for resources, but this required getting to know the other pack. Sometimes the best way to do that was to spy on them: to gather human intel about the way they behaved, the way they interacted with each other, and to determine how strong or weak they were.

Regardless of the point in history, this has always proven to be true. We can see it as we progress through our modern era. In fact, this became so important that commercial intelligence companies began forming. The Age of Exploration saw a boom in this industry as the colonial armies grew. Their need for intelligence required outside parties, whether to help with the sheer volume of work, geographic dispersal, or to give plausible deniability. Is it so different now?

Today, we are up against countless adversaries. They’re nameless, faceless and shrouded behind false information. The ships that are on the horizon, the spies in our midst and the fortress we protect are all in the digital domain. The virtual skies are foggy and visibility is low. Today’s environment is much more difficult to navigate. The one commonality between these two vastly different times is the importance of human intel, and I’d argue that today it’s more important than ever. A couple of scenarios below will illustrate just how important it is for our innately human talents to remain a vital part of cyber security.
