feed2list
Search and browse in Computers · Security
   Search results: 54
Ethical Hacker Network RSS Feed
The Ethical Hacker Network RSS News Feed
Most Recent Additions to The Ethical Hacker Network, the best, single source of educational content for forensics, pen testing and incident response. Hacker Challenges with prizes, free monthly giveaways, tutorials, articles, forums, certification info and more.
By Chris Hadnagy I want you to picture this scene: It is a warm day in sunny Maryland, my phone rings. I answer it. Me - "Chris speaking…" Voice - "Hello Sir, this is Special Agent Smith (name changed) from the FBI, I would like to speak to you about this social engineering contest…" Me - "Nice Dave, not falling for it. Good try sucker!" Voice - "Sir, I already mentioned my name is Special Agent Smith, not Dave. It is important that we…" Me - "Blah, Blah Blah.. right Dave. You are always trying to get me....
We Have Winners!! On March 21, 2012 eLearnSecurity released a drastically improved version of the course materials for their professional-level training course, Penetration Testing Course Professional. PTP2 now looks highly more sophisticated, polished and advanced than before with 4 hours of new up to date videos, 800 new slides and completely new modules. PTP2 aims at becoming the most hands-on training course on penetration testing with extremely in-depth course material and two different and highly advanced Virtual Labs integrated within the course itself: Coliseum for web application security and the newly announced Hera Lab. The Professional training course leads to the...
Win 1 Free Training Seat at iSWAT 2012 Worth $3995!! Our friends at FishNet Security are putting on an all-inclusive security event this September 17 - 21 in Vegas with a focus on your infosec career. Not only will there be plenty of activities like all conferences have, but iSWAT will also include a huge number of training courses with certification exams given on the spot. Expert instructors from FishNet Training Services will be conducting courses from well-known organizations such as 7Safe, BlueCoat, CheckPoint, ISC2 (CISSP), CompTIA, F5, EC-Council, Juniper, McAfee, Palo Alto Websense. FishNet invites you to become...
second release of Penetration Testing Professional (affectionately known as PTP2) (http://www.elearnsecurity.com/course/penetration_testing/), which most notably contains expanded content and new lab environments. The course is delivered through a web-based Flash interface. The presentation will be familiar to anyone who has experience with the first iteration of the course, but at the same time the overall feel is cleaner and more polished. A colleague was recently considering web app training, and he was torn between a book and this course. He stated something along the lines of, "My brain is telling me to be economical and just get a book, but my...
By Chris Hadnagy For the past few months, I've brought you articles on launching your career as a social engineer, the psychology and history behind hacking humans and even some scams you can pull on your clients for their own good. As wonderful as it is to talk about the methods, the tricks and the sexy stories of social engineering pwnage, we need to take a step back and discuss the business end of this spectrum. Yes, I said it… business side. After all, most of us reading this article either are in IT/Security or want to be....
"Metasploit - The Penetration Tester's Guide" (http://nostarch.com/metasploit) by David Kennedy, Jim O'Gorman, Devon Kearns, and Mati Aharoni is perhaps the most enjoyable book I have come across regarding the uses and functionality of Metasploit (http://www.metasploit.com). There were so many concepts it refreshed me on, many functions I didn't know existed and other functions I did not correctly understand even with my years of using Metasploit. Let's take an in-depth look into this stellar publication by No Starch Press. Initially I skipped through the first chapter of the book, "The Absolute Basics of Penetration Testing." However, I went back to the...
We Have a Winner!! Recently, EH-Net published an interview with CompTIA's Product Manager of CASP, where we wondered if this was The Evolution of Technical Security Certifications (content/view/400/24/)? Since then, this new credential has been officially released. Here's your chance to get in early as this month's sponsor writes: Be one of the first to earn this new CompTIA advanced-level security certification. With Training Camp (http://www.trainingcamp.com/global/itandmanagement/comptia/casp.aspx?refer=EH-net), you will receive CompTIA authorized courseware and expert instruction while learning to conceptualize, design, and engineer secure solutions across complex environments. Our course is designed to provide the maximum amount of material over the...
Book Review: The Tangled Web
Thu, 29 Mar 2012 16:36:00 +0100
The Tangled Web: A Guide to Securing Modern Web Applications, (http://www.nostarch.com/tangledweb) an incredible and highly technical book published by No Starch Press. Since the browser is the portal of choice for so many users, its inherent security flaws leave the user at a significant risk. This book details the issues surrounding insecure web browsers and what developers can do to mitigate those risks. Mr. Zalewski writes about modern web applications which are built within a tangled mess of technologies, developed over time and then slapped together into a confusing monstrosity. This in turn leads to inconsistent operation...
Scam Your Clients for Their Own Good
Mon, 26 Mar 2012 14:45:00 +0100
By Chris Hadnagy As a professional social engineer, it is beneficial to study the methods of scamming that the bad guys have used in the past, compare it to modern tactics and see what can be learned. Experts have agreed that the motivation for most scams is greed. Although that is true, it is also found that fame, attention or just the need to maliciously hurt and steal from others are strong motivators for scamming people. This month, let's analyze some old scams, compare them to a modern-day equivalent and see what we can learn as Social...
We Have a Winner!! Hopefully most of you not only have the technical side of your brain in your plans, but also the management skills that are more and more expected of us geeks as we advance in our careers. Enter terms conditions (http://www.globalknowledge.com/training/generic.asp?pageid=2816 country=United+States)) worth $2895! This course includes all the tools you need to prepare for the updated (ISC)2 Certified Information Systems Security Professional exam. Prepare with confidence with this course and these exciting tools: • Custom study guide containing summary charts, insightful data, and practice exams • A free copy of McGraw-Hill's CISSP Certification All-in-One Exam Guide,...
Building Information Security Professionals
Thu, 15 Mar 2012 15:54:00 +0100
By Jason Andress (content/category/7/44/24/) A commonly posed question, particularly among people looking to get into the information security field, is "how do I get into information security?" This is an excellent question, and one we can find answered in a variety of ways, although, perhaps, it is not really the right question to ask. A better question might be "what do I need to do to build myself into an information security professional?" The distinction between the two questions is narrow, but definitely present. We might think of this as the difference between looking for a job and looking...
Chris Hadnagy Social Engineering is a complex beast. It is not simply lying or telling someone a deceitful story to get them to give over their passwords. Social Engineering (SE) is defined, well at least by me, as any act that influences a person to take an action that may or may not be against their best interest. With that definition in mind there are many different principles that influence SE and the skills needed both physically and psychologically. The concept behind this column is to provide the tools, techniques and direction to the readers that would...
With the changing landscape of warfare away from nation-states only utilizing conventional means to the addition of mobile rogue outfits utilizing cyber-attacks, not only countries but also organizations of all shapes and sizes now need to concern themselves with a new threat. Slowly but surely, the real vulnerability to the power grid is starting to grab the attention of both the public and private sectors. Along with that comes more media attention and in turn pressure to make sure these systems don't come crashing down affecting hundreds of millions citizens dependent on today's modern conveniences. With the need to secure...
A Rant About Hacking Labs
Sat, 11 Feb 2012 16:36:00 +0100
By Thomas Wilhelm, ISSMP, CISSP, SCSECA, SCNA One of the more frequent questions I see on EH-Net pertains to creating pentest labs. Individuals new to the topic of hacking often have a limited understanding of what type of equipment is required, or how to go about setting up a lab to practice all of the cool attacks they have watched on YouTube. Details on how to get started using a single system and virtual machines are numerous - including some I have done. However, I think there is one question not being asked enough when discussing hacking labs… "Why...
Chris Hadnagy Over the last year social engineering has gotten a lot of press. From the attacks on companies like Sony, HB Gary, PBS, Citibank et al to contests like the Social Engineering CTF at Defcon, it seems that social engineering has taken the front page. And rightfully so, as it is still the easiest and often most effective vector of attack. With that in mind, many people are interested in learning what it will take to either add social engineering skills to their tool chest (either personally or as part of their red team) or even become...
December 2011 Free Giveaway Winner - SANS
Fri, 13 Jan 2012 14:15:00 +0100
We Have a Winner!! SANS Event Simulcast (http://www.sans.org/info/92539). Simply log in to a virtual classroom to see, hear, and participate in the class as it is being presented LIVE at the event. The Event Simulcast option is available for many classes offered at our largest training events. And EH-Net member Agoonie just won his choice of the following courses at SANS 2012 starting March 25 (component/option,com_smf/Itemid,54/topic,8201.0/): - SEC401: Registration Is FREE! (index.php?option=com_smf Itemid=35 action=register) Discuss in Forums
InfoSec in the Boardroom
Thu, 29 Dec 2011 16:00:00 +0100
Eli Sowash, CISSP As an information security professional, the task of communicating InfoSec concepts and concerns to executive management can sometimes be challenging. That security breaches like Sony, RSA, and Lockheed are grabbing mainstream media attention means security ideas and concerns are increasingly making their way to the boardroom. Since executive support can be one of the most valuable tools in the InfoSec professional's toolbox, using these case studies with your own management can be a great starting point in letting them know that the security team understands the risks to the business. It's the job of an organization's executive...
Book Review: A Bug Hunter's Diary
Wed, 28 Dec 2011 11:31:00 +0100
A Bug Hunter's Diary: A Guided Tour Through the Wilds of Software Security (http://nostarch.com/bughunter.htm) by Tobias Klein focuses on helping different levels of security professionals understand the approaches used to uncover vulnerabilities, testing the vulnerabilities found and finally reporting on those vulnerabilities. It is short and to the point and offers nothing but valuable content with little to no fluff content. The book was written as though Tobias was writing in a journal as he was progressing through his research of a particular application. Each chapter is a separate journal entry focused on a single application into which he...
We Have a Winner!! Black Hat Events was the sponsor last month of EH-Net's Free Monthly Giveaway with a very flexible offering of a free pass for full conference admission to the Black Hat event of your choice between now and the end of 2013. As we mentioned, this one was going to be a little different as winning depended on participation in the poll and not our normal participation on EH-Net. With that, we used the trusty services of random.org to help pick EH-Net member elwellj as our winner. Congrats! For those unfamiliar, The Black Hat Briefings are a series...
CompTIA has been a stalwart in the IT certification arena for quite a number of years. They have dominated the space with such recognized credentials as A+, Linux+, Security+ and many others. Their certifications have been highly recommended by The Ethical Hacker Network (EH-Net) as well as countless others as an entry-point into a given area of IT. But can CompTIA help advance the careers of those already in the field of their choice within IT? Enter CompTIA's newest line of industry credentials, the Mastery Series of Certifications. The first offering from this new line is the CompTIA Advanced Security...
Oracle Web Hacking Part II
Tue, 22 Nov 2011 08:50:00 +0100
Chris Gates, CISSP, CISA, GCIH, GPEN, C|EH In the first article, Oracle Web Hacking Part I (content/view/363/24/), I talked about scanning Oracle Application Servers for default content and how to use that content for information gathering. A pentester can utilize that information to run SQL queries and to gain a foothold into the network. I also talked about iSQLPlus and some fun things you can do with that application, if you are able to guess credentials for it. I also showed some Metasploit modules to help you accomplish all of it. In Part 2 of 3 of this...
October 2011 Free Giveaway Winners - Mile2
Mon, 21 Nov 2011 00:27:00 +0100
We Have Lots of Winners!! Mile2's course offerings (http://mile2.com/mile2-courses.html). And the winners are: - Two online live seats (http://mile2.com/live-online-training.html) ($3000 per seat) and free exams ($250) for cd1zz & a player to be named later. - 10 video and examination combos (http://mile2.com/security-videos.html) ($800 per seat) is awarded to 3xban, alucian, billv, eth3real, hayabusa, Joshsevo, Negrita, p0et, rance & YuckTheFankees. - And ALL EH-Netters Win 50% Off Anything & Everything Mile2 Offers (component/option,com_banners/task,click/bid,131/) As with every month, all you have to do is participate on EH-Net. Write some reviews or tutorials, spread the word of EH-Net to the wider security community,...
Video: Keyloggers 101
Sun, 30 Oct 2011 21:05:00 +0100
Dan Honkanen, GCIH, Security+, ITIL, et al Keyloggers are usually one of the top picks for a hacker or a spy's best friend. They basically serve as the eyes and ears of the attacker. They can be based on software or hardware and send detailed reports including the user's passwords, chat logs, all typed text, launched applications and visited websites. They can even send screenshots to visually show what the user was viewing as well as any webcam and microphone activity. Most laptops today come with a built-in webcam and microphone and don't usually give any signal that they...
The Logic Behind Application Logic Defects
Wed, 26 Oct 2011 11:30:00 +0100
Rafal Los, Security Strategist for HP Software, Down the Security Rabbithole (http://podcast.wh1t3rabbit.net/) Podcast It's no secret that web applications are at the center of the ongoing conflict between malicious hackers and those defending the applications. As more and more critical business functions migrate to an Internet presence, web applications play an extremely vital role in business. Hackers know this well and have been exploiting weaknesses in web applications at an alarmingly high rate. While age-old issues like SQL Injection and authentication weaknesses continue to plague developers, there is another class of security defects that has been flying under...
September 2011 Free Giveaway Winner - Rapid7
Tue, 18 Oct 2011 10:32:00 +0100
We Have a Winner!! EH-Net Exclusive video with HD Moore (content/view/385/2/) giving a guided tour of the newest release of Metasploit Pro with a sneak peek at v4. For a little more on the Pro edition: Metasploit Pro (http://www.rapid7.com/products/metasploit-pro.jsp) helps enterprise defenders prevent data breaches by efficiently prioritizing vulnerabilities, verifying controls and mitigation strategies, and conducting real-world, collaborative, broad-scope penetration tests to improve your security risk intelligence. As we mentioned when announcing this great prize, we were going to step out a little and open the competition to more than just those who post a lot in the forums....
David Caissy, CISSP, GPEN, GSEC, CEH, PMP, B.Sc.A. Digital Mobile Forensics Deep Dive is a 3-day course written and taught by Wayne Burke of Sequrit (http://www.sequrit.org). I decided to take this course to expand my knowledge into a field I barely knew. Being a penetration tester with a background in web application development, I was completely new to the forensic world. Since the official web site stated that this was a "highly advanced and technical course," I honestly expected to be completely lost. I thought I would learn more from home after the class, trying to slowly digest what the...
Book Review: The IDA Pro Book 2nd Ed
Tue, 27 Sep 2011 18:09:00 +0100
Ryan Linn (content/category/7/40/24/), CISSP, MCSE, GPEN It seems like yesterday that I was reviewing Chris Eagle's book, but in reality it's been 3 years. So when I had an opportunity to review The IDA Pro Book: The Unofficial Guide To The Worlds Most Popular Disassembler, 2nd Edition, I looked forward to seeing what had changed. And thus a change in the normal extensive EH-Net book review is in order and brevity is the word of the day. A few things haven't changed since my last review. I am still not a reverse engineer, although I occasionally use the...
We Have Winners!! CareerAcademy.com (http://www.careeracademy.com/) are utilizing technology to get you the training you need AND access to mentors without ever having to leave your chair. Career Academy's exclusive LearningZone (http://www.careeracademy.com/flash/lzone.swf) live mentor program offers help whenever you need it. Why wait for email support? Chat Live with their Certified Instructors anytime around the clock (24x7). In addition to 6 months of access to LearningZone, 3 EH-Net members, Disneycrack, WCNA, lorddicranius, were chosen to receive one of the following three video-based training courses each valued at $695: - Advanced VMware Security Training with Tim Pierson Duane Anderson (http://www.careeracademy.com/vmware-training-vmware-advanced-security.aspx) Thanks...
As most of you know, I do not have a college degree. I'm not alone… Bill Gates, Mark Zuckerberg, Richard Branson and countless others have had great success without this particular piece of paper. A common question in Certified Security Testing Associate (CSTA) (http://certifications.7safe.com/csta-certified-security-testing-associate) ethical hacking certification course by 7Safe. When looking at their website, every page of every course shows the MSc logo and the credits to be earned towards a Master's Degree in Computer Security Forensics… that nagging corpse of an idea kept reappearing telling me, "Don… get your degree or people will die!" OK, so...
Book Review: Thor's Microsoft Security Bible
Mon, 29 Aug 2011 23:37:00 +0100
Thor's Microsoft Security Bible: A Collection of Practical Security Techniques (http://gan.doubleclick.net/gan_click?lid=41000000012871747 pid=9781597495721 adurl=http%3A%2F%2Fsearch.barnesandnoble.com%2FThors-Microsoft-Security-Bible%2FTimothy-Mullen%2Fe%2F9781597495721%3Fsourceid%3DQ000000630 usg=AFHzDLshXiTQqFbjvdVlnYd7ItrYRY7k5g pubid=21000000000366175) (TMSB) by Timothy Thor Mullen (http://www.hammerofgod.com/Default.aspx) and thought, "Hey that sounds like it could be useful." I work for a Managed Services Provider (MSP) that supports tons of Microsoft servers, so any extra knowledge can always come in handy. Originally, I thought it might be over my head. I held off on buying it, until I found some reviews. Fortunately (or unfortunately depending on how you look at it) TMSB came out and no reviews have been found....
