The Professional Security Testers Warehouse for the GPEN GSEC GCIH GREM CEH QISP Q/ISP OPST CPTS: Training
2nd. OWASP Ibero-American Web-Applications Security conference 2010 (IBWAS 10) Posted by cdupuis on Friday, 03 September 2010 @ 14:32:58 EDT (37 reads) Topic Training
2nd. OWASP Ibero-American Web-Applications Security conference 2010 (IBWAS'10)
ISCTE – Lisbon University Institute
25th – 26th November 2010, Lisboa, Portugal
http://www.ibwas.com

Call for Papers

Introduction

There is a change in the information systems development paradigm. The emergence of Web 2.0 technologies led to the extensive deployment and use of web-based applications and web services as a way to develop new and flexible information systems. Such systems are easy to develop, deploy and maintain and demonstrate impressive features for users, resulting in their current wide use. As a result of this paradigm shift, the security requirements have also changed. These web-based information systems have different security requirements when compared to traditional systems. Important security issues have been found and privacy concerns have also been raised recently. In addition, the emerging Cloud Computing paradigm promises even greater flexibility; however, corresponding security and privacy issues still need to be examined. The security environment should involve not only the surrounding environment but also the application core.

This conference aims to bring together application security experts, researchers, educators and practitioners from industry, academia and international communities such as OWASP, in order to discuss open problems and new solutions in application security. In the context of this track, academic researchers will be able to combine interesting results with the experience of practitioners and software engineers.

Conference Topics

Suggested topics for paper submission include (but are not limited to):
• Secure application development
• Security of service oriented architectures
• Security of development frameworks
• Threat modelling of web applications
• Cloud computing security
• Web applications vulnerabilities and analysis (code review, pen-test, static analysis etc.)
• Metrics for application security
• Countermeasures for web application vulnerabilities
• Secure coding techniques
• Platform or language security features that help secure web applications
• Secure database usage in web applications
• Access control in web applications
• Web services security
• Browser security
• Privacy in web applications
• Standards, certifications and security evaluation criteria for web applications
• Application security awareness and education
• Security for the mobile web
• Attacks and Vulnerability Exploitation

Paper Submission Instructions

Authors should submit an original paper in English, carefully checked for correct grammar and spelling, using the on-line submission procedure (http://www.easychair.org/conferences/?conf=ibwas10). Please check the paper formats so you are aware of the accepted paper page limits (12 pages, in accordance with a supplied template: ftp://ftp.springer.de/pub/tex/latex/llncs/word/LNCS-Office2007.zip). The guidelines for paper formatting provided at the conference web site must be strictly used for all submitted papers. The submission format is the same as the camera-ready format. Please check and carefully follow the instructions and templates provided. Each paper should clearly indicate the nature of its technical/scientific contribution, and the problems, domains or environments to which it is applicable. Papers that are out of the conference scope or contain any form of plagiarism will be rejected without reviews.

Remarks about the on-line submission procedure:
1. A "double-blind" paper evaluation method will be used. To facilitate that, the authors are kindly requested to produce and provide the paper WITHOUT any reference to any of the authors. This means that it is necessary to remove the authors' personal details, the acknowledgements section and any reference that may disclose the authors' identity.
2. Papers in ODF, PDF, DOC, DOCX or RTF format are accepted.
3. The web submission procedure automatically sends an acknowledgement, by e-mail, to the contact author.

Paper submission types

Regular Paper Submission
A regular paper presents a work where the research is completed or almost finished. It does not necessarily mean that the acceptance is as a full paper. It may be accepted as a "full paper" (30 min. oral presentation), a "short paper" (15 min. oral presentation) or a "poster".

Position Paper Submission
A position paper presents an arguable opinion about an issue. The goal of a position paper is to convince the audience that your opinion is valid and worth listening to, without the need to present completed research work and/or validated results. It is, nevertheless, important to support your argument with evidence to ensure the validity of your claims. A position paper may be a short report and discussion of ideas, facts, situations, methods, procedures or results of scientific research (bibliographic, experimental, theoretical, or other) focused on one of the conference topic areas. The acceptance of a position paper is restricted to the categories of "short paper" or "poster", i.e. a position paper is not a candidate for acceptance as a "full paper".

Camera-ready
After the reviewing process is completed, the contact author (the author who submits the paper) of each paper will be notified of the result by e-mail. The authors are required to follow the reviews in order to improve their paper before the camera-ready submission.

Publications
All accepted papers will be published in the conference proceedings, under an ISBN reference. Conference proceedings will be published by Springer in the Communications in Computer and Information Science (CCIS) series.

Web-site: http://www.ibwas.com
Secretariat: E-mail: secretariat@ibwas.com

Important Dates
Submission of papers and all other contributions due: 8th October 2010
Notification of acceptance: 22nd October 2010
Camera-ready version of accepted contributions: 29th October 2010
Conference: 25th – 26th November 2010

Conference Chairs
Vicente Aguilera Díaz, Internet Security Auditors, OWASP Spain, Spain
Carlos Serrão, ISCTE-IUL Instituto Universitário de Lisboa, OWASP Portugal, Portugal

Organization Committee
Fabio Cerullo, OWASP Global Education Committee, Ireland
Dinis Cruz, OWASP Board Member, UK
Paulo Coimbra, OWASP Project Manager, UK
Miguel Correia, Universidade de Lisboa, Portugal
Paulo Sousa, Universidade de Lisboa, Portugal
Lucas C. Ferreira, Câmara dos Deputados, Brasil
Arturo Busleiman, OWASP Argentina, Argentina
Martin Tartarelli, OWASP Argentina, Argentina
Paulo Querido, Portugal

Conference Program Committee
André Zúquete, Universidade De Aveiro, Portugal
Candelaria Hernández-Goya, Universidad De La Laguna, Spain
Carlos Costa, Universidade De Aveiro, Portugal
Carlos Ribeiro, Instituto Superior Técnico, Portugal
Eduardo Neves, OWASP Education Committee, OWASP Brazil, Brazil
Francesc Rovirosa i Raduà, Universitat Oberta de Catalunya (UOC), Spain
Gonzalo Álvarez Marañón, Consejo Superior de Investigaciones Científicas (CSIC), Spain
Isaac Agudo, University of Malaga, Spain
Jaime Delgado, Universitat Politecnica De Catalunya, Spain
Javier Hernando, Universitat Politecnica De Catalunya, Spain
Javier Rodríguez Saeta, Herta Security, Spain
Joaquim Castro Ferreira, Universidade de Lisboa, Portugal
Joaquim Marques, Instituto Politécnico de Castelo Branco, Portugal
Jorge Dávila Muro, Universidad Politécnica de Madrid (UPM), Spain
Jorge E. López de Vergara, Universidad Autónoma de Madrid, Spain
José Carlos Metrôlho, Instituto Politécnico de Castelo Branco, Portugal
José Luis Oliveira, Universidade De Aveiro, Portugal
Kuai Hinojosa, OWASP Global Education Committee, New York University, United States
Leonardo Chiariglione, Cedeo, Italy
Leonardo Lemes, Unisinos, Brasil
Manuel Sequeira, ISCTE-IUL Instituto Universitário de Lisboa, Portugal
Marco Vieira, Universidade de Coimbra, Portugal
Mariemma I. Yagüe, University of Málaga, Spain
Miguel Correia, Universidade de Lisboa, Portugal
Miguel Dias, Microsoft, Portugal
Nuno Neves, Universidade de Lisboa, Portugal
Osvaldo Santos, Instituto Politécnico de Castelo Branco, Portugal
Panos Kudumakis, Queen Mary University of London, United Kingdom
Paulo Sousa, Universidade de Lisboa, Portugal
Rodrigo Roman, University of Malaga, Spain
Rui Cruz, Instituto Superior Técnico, Portugal
Rui Marinheiro, ISCTE-IUL Instituto Universitário de Lisboa, Portugal
Sérgio Lopes, Universidade do Minho, Portugal
Tiejun Huang, Peking University, China
Víctor Villagrá, Universidad Politécnica de Madrid (UPM), Spain
Vitor Filipe, Universidade de Trás-os-Montes e Alto Douro, Portugal
Vitor Santos, Microsoft, Portugal
Vitor Torres, Universitat Pompeu Fabra, Spain
Wagner Elias, OWASP Brazil Chapter Leader, Brazil
nullcon GOA Dwitiya (2.0) The Jugaad (hacking) Conference Posted by cdupuis on Wednesday, 01 September 2010 @ 09:57:29 EDT (99 reads) Topic Training
NOTE FROM CLEMENT:
GOA is a magical place with amazing beaches in the North. You have miles and miles of beaches to yourself. Not to mention that GOA is a hub for tourism and it is very inexpensive. A great place at a great price, so do extend your stay a bit to visit the area. February is one of the best months of the year to visit as well.
nullcon Dwitiya (2.0) The Jugaad (hacking) Conference

nullcon is an initiative by null - The open security community.
Website: http://nullcon.net

Calling all Jugaadus (hackers)

It's the time of the year when we welcome research done by the community as paper submissions for nullcon. So, sip your coffee, dust your debuggers, fire your tools, challenge your grey cells and shoot us an email.

Tracks:
---------------
- Bakkar: 1 Hr Talks
- Tez: 5-30 min Talks
- Karyashala: 2-4 Hrs Workshop
- Desi Jugaad (Local Hack): 1 Hr

Submission Topics:
------------------------------
1. One of the topics of interest to us is "Desi Jugaad" (Local Hack) and it has a separate track of its own. Submissions can be any kind of local hacks that you have worked on (hints: electronic/mechanical meters, automobile hacking, Hardware, mobile phones, lock-picking, bypassing procedures and processes, etc. Be creative :-D)
2. Topics pertaining to security and Hacking in the following domains (but not limited to):
- Hardware (ex: RFID, Magnetic Strips, Card Readers, Mobile Devices, Electronic Devices)
- Tools (open source)
- Programming/Software Development
- Networks
- Information Warfare
- Botnets, Malware
- Web
- New attack vectors
- Mobile, VOIP and Telecom
- VM
- Cloud
- Critical Infrastructure
- Satellite
- Wireless
- Forensics
- Cyber Laws

Submission Format:
------------------------------
Email the cfp to: cfp(_at_)nullcon.net
Subject should be: CFP Dwitiya
Email Body:
- Name
- Handle
- Track & Time required
- Paper Title
- Country of residence
- Organization
- Contact no.
- Have you presented/submitted this talk at any other conference(s)?
- Why do you think your paper is different/innovative?
- Brief Profile ( <= 500 Words)
- Paper Abstract ( <= 3000 Words)
NOTE: The Abstract should clearly mention the techniques and hacks in detail; merely mentioning that it works will not help in understanding the research to its full extent.

Important Dates:
------------------------------
CFP End Date: 30th November 2010
Speakers List Online: 10th December 2010
Conference Dates: 25th - 26th February 2011

Venue:
----------------
Goa, India (Exact Venue TBD)

Speaker Benefits:
------------------------------
For Tracks "Bakkar", "Desi Jugaad" and "Karyashala"
1. Free Accommodation for 3 nights
2. Travel (One way or Return depending on the Sponsorships :-) )
3. Free access to the conference.
4. Invitation to Mehfil-E-Mausiqi (null party)

For Track "Tez"
1. Free access to the conference.
2. Invitation to Mehfil-E-Mausiqi (null party)

* Only one speaker will be eligible for the benefits in case there are two or more speakers for a talk.
Call for Papers for HITB Security Conference 2010 Malaysia Posted by cdupuis on Thursday, 20 May 2010 @ 02:03:53 EDT (978 reads) Topic Training
Forwarded from: Hafez Kamal (hackinthebox.org)

The Call for Papers for HITB Security Conference 2010 Malaysia is now open! Talks that are more technical or that discuss new and never before seen attack methods are of more interest than a subject that has been covered several times before. Submissions are due no later than 9th August 2010.

HITB CFP: http://cfp.hackinthebox.org/

===

Date: October 11th - 14th 2010
Venue: Crowne Plaza Mutiara Kuala Lumpur

Keynote 1: Chris Wysopal (CTO/Co-Founder, Veracode)
Keynote 2: Paul Vixie (President, ISC)

Day 2 (14th Oct) Special Keynote Panel Discussion "The Future of Mobile Malware & Cloud Computing"
Keynote Panelist 1: Mikko Hypponen
Keynote Panelist 2: Paul Ducklin
Keynote Panelist 3: Andrey Nishikin
Keynote Panelist 4: Dr. Jose Nazario
Moderator: Dr. Dinesh Nair

Event Website: http://conference.hackinthebox.org/hitbsecconf2010kul/

===

TOPICS

Topics of interest include, but are not limited to the following:
# Next generation attacks and exploits
# Apple / OS X security vulnerabilities
# SS7/Backbone telephony networks
# VoIP security
# Data Recovery, Forensics and Incident Response
# HSDPA / CDMA Security / WIMAX Security
# Network Protocol and Analysis
# Smart Card and Physical Security
# Virus and Worms
# WLAN, GPS, HAM Radio, Satellite, RFID and Bluetooth Security
# Analysis of malicious code
# Applications of cryptographic techniques
# Analysis of attacks against networks and machines
# File system security
# Side Channel Analysis of Hardware Devices
# Cloud Security
# Exploit Analysis

PLEASE NOTE: We do not accept product or vendor related pitches. If your talk involves an advertisement for a new product or service your company is offering, please do not submit.

Your submission should include:
# Name, title, address, email and phone/contact number
# Short biography, qualification, occupation (limit 250 words)
# Summary or abstract for your presentation (limit 1250 words)
# Technical requirements (video, internet, wireless, audio, etc.)

Each non-resident speaker will receive accommodation for 3 nights / 4 days. For each non-resident speaker, HITB will cover travel expenses up to USD 1,200.00.

===

On a related note, the first set of speakers for HITB2010 - Amsterdam have been announced with the following presentations lined up:

JIT-SPRAY Attacks & Advanced Shellcode
http://conference.hackinthebox.org/hitbsecconf2010ams/?page_id=803

Having Fun with Apple's IOKit
http://conference.hackinthebox.org/hitbsecconf2010ams/?page_id=814

Attacking SAP Users Using sapsploit
http://conference.hackinthebox.org/hitbsecconf2010ams/?page_id=817

Breaking Virtualization by Switching to Virtual 8086 Mode
http://conference.hackinthebox.org/hitbsecconf2010ams/?page_id=800

From Russia with Love 2.0
http://conference.hackinthebox.org/hitbsecconf2010ams/?page_id=812

Owned Live on Stage: Hacking Wireless Presenters
http://conference.hackinthebox.org/hitbsecconf2010ams/?page_id=820

The Travelling Hacksmith 2009 - 2010
http://conference.hackinthebox.org/hitbsecconf2010ams/?page_id=382

===

The final set of speakers will be announced the week of 24th May 2010. See you guys in Amsterdam!

---
Hafez Kamal
HITB Crew
Hack in The Box (M) Sdn. Bhd.
Suite 26.3, Level 26, Menara IMC, No. 8 Jalan Sultan Ismail, 50250 Kuala Lumpur, Malaysia
Tel: +603-20394724
Fax: +603-20318359
New Cybersecurity Orders -- Stop writing report and do something instead Posted by cdupuis on Sunday, 25 April 2010 @ 22:50:34 EDT (1554 reads) Topic Training
Anonymous writes "As seen on the great Infowarrior mailing list from Attrition.org:
White House Updates Cybersecurity Orders

The three-pronged approach should help federal agencies do away with wasteful compliance spending and encourage improved security, say White House officials.

By J. Nicholas Hoover
http://www.informationweek.com/news/government/security/showArticle.jhtml?articleID=224500173

The White House issued new cybersecurity marching orders to government agencies Wednesday, which top officials say will help redirect government efforts from wasteful paperwork compliance toward continuous monitoring and patching and more effective cybersecurity spending.

Many observers both inside and outside government have come to the conclusion that the government's cybersecurity reporting requirements, as currently implemented, have created an environment in which expensive annual compliance reports that cut into real cybersecurity have become the norm.

"These reports ended up being more secure in the cabinets they were living in than were the systems they were meant to protect," federal CIO Vivek Kundra said in a conference call with reporters and White House cybersecurity coordinator Howard Schmidt.

Agencies have been spending as much as $1,400 per page on those reports under requirements of the Federal Information Systems Management Act. The Department of State alone has spent $133 million in the last six years just on FISMA compliance. However, numerous questions continue to arise about the effectiveness of agencies' cybersecurity efforts.

That kind of waste has led to simultaneous moves by the White House, the National Institute for Standards and Technology (which has power to set FISMA standards), and Congress to overhaul or refocus FISMA and other federal cybersecurity requirements.

The new policy outlines what Kundra described as a "significant departure" from the way cybersecurity has been measured and managed in government. It is contained in an Office of Management and Budget memo penned by federal chief performance officer Jeffrey Zients, Kundra, and Schmidt, and developed with input from federal CIOs.

Kundra and Schmidt said on the conference call that the new policy points toward continuous monitoring and patching of federal systems, and also toward the deployment of cybersecurity systems that better position the government against constantly evolving threats.

The guidance takes a "three-tiered approach" to FISMA that includes automatic reporting of cybersecurity data feeds directly from agency security and management tools to a tool hosted by the Department of Homeland Security; government-wide benchmarking on agencies' security postures; and agency-specific interviews to help determine the needs and proper metrics for individual agencies.

First, agencies will be required to feed cybersecurity information directly and in near real-time from their own security management tools into the recently implemented Cyberscope security reporting tool, which DHS is now operating. The White House is convening with agencies on May 7 to discuss how they will move forward with this plan, and what new metrics will be included in the new reporting.

This automated reporting should both decrease the amount of money agencies are spending on cybersecurity reporting, and also help the White House best determine where and how resources should be spent on cybersecurity across government, said Kundra and Schmidt. "Capital can and should be used to invest in systems that will be actually enhancing security," Kundra said.

Agencies will begin feeding this data to Cyberscope by June of this year, but Kundra admitted that some agencies will have to make investments in order to get tools like asset management systems and security information management systems in place to feed data to Cyberscope.

Some agencies, like the Departments of Justice, Treasury, State, Veterans Affairs, and NASA are already able to report to Cyberscope, and will be among the first to do so. The due date for reporting through Cyberscope is November 15, and those agencies which can't yet directly feed information into Cyberscope will be able to provide a data feed as an XML upload to Cyberscope.

Along with this new reporting structure will also come new metrics for agencies to use. Those metrics have been developed in concert with the private sector, academic community, and federal CIOs and CISOs. The new data feeds will include summary information about inventory, systems and services, hardware, software, external connections, security training, and identity management and access.

In terms of government-wide benchmarking, CyberScope will be asking agencies a set of questions on their security posture online, rather than in the submission of an annual signed letter to do the same task.

The White House will also be carrying out agency-by-agency interviews on cybersecurity. "We recognize not all agencies perform the same mission and function," Kundra said. "Historically it was just a lowest common denominator approach, but the nature of the threat can be unique to each agency."

Finally, in addition to the three-pronged approach to overhauling FISMA reporting, the White House memo answers dozens of potential agency questions about FISMA, including some issues outside the scope of the new approach, like whether national security systems fall under this guidance (not typically), who should have the ultimate say over an agency's security posture (the agency head), and whether SAS 70 compliance audits often used by the private sector to determine whether third-party systems are secure are sufficient for FISMA compliance (it depends).

_______________________________________________
Infowarrior mailing list
Infowarrior@attrition.org
https://attrition.org/mailman/listinfo/infowarrior "
Presentation Materials from HITB Dubai is available for Download Posted by cdupuis on Saturday, 24 April 2010 @ 14:35:06 EDT (1449 reads) Topic Training
Anonymous writes "Presentation materials from the 4th annual Hack In The Box Security Conference in Dubai are now available for download!
http://conference.hitb.org/hitbsecconf2010dxb/materials/

KEYNOTE 1 - John Viega - A/V Vendors Aren't As Dumb As They Look
D1 - Daniel Mende - Attacking Cisco WLAN Solutions
D1 - Laurent Oudot - Improving the Stealthiness of Web Hacking
D1 - Dimitri Petropoulos - Attacking ATMs and HSMs **
D1 - Dino Covotsos - Analysis of a Next Generation Botnet
D1 - The Grugq - Crime, Kung Fu and Rice ##
KEYNOTE 2 - Sourcefire - Near Real Time Detection
D2 - Mariano Di Croce - SAP Penetration Testing with Bizsploit
D2 - Fred Raynal + Sogeti - Gathering and Exploiting Information
D2 - Marc Schoenefeld - Examining Android Code with undx2
D2 - Saumil Shah - Web Security - Going Nowhere?
D2 - Gynvael Coldwind - A Case Study of Recent Windows Vulnerabilities

Notes:
** - Speaker changed due to the Iceland ash cloud mess!
## - Grugq was stopped by his employer COSEINC from presenting his original 'Attacking GSM Base Stations and Mobile Phone Basebands' presentation - WTF?! #fail!!!

See you guys at HITBSecConf2010 - Amsterdam (June 29th - July 2nd at the NH Grand Krasnapolsky)
http://conference.hitb.org/hitbsecconf2010ams/

---
Hafez Kamal
HITB Crew
Hack in The Box (M) Sdn. Bhd.
Suite 26.3, Level 26, Menara IMC, No. 8 Jalan Sultan Ismail, 50250 Kuala Lumpur, Malaysia
Tel: +603-20394724
Fax: +603-20318359 "
Hack In The Box HITB eZine Issue 2 has been released Posted by cdupuis on Saturday, 24 April 2010 @ 14:28:54 EDT (608 reads) Topic Training
Anonymous writes "The second quarterly HITB eZine (issue 002) has been released! Grab your copies from here:
https://www.hackinthebox.org/modules.php?op=modload&name=News&file=article&sid=35995

===

3 months ago, our newly 'reborn' ezine was a completely new experience to our small team and we didn't expect it to have a lot of followers considering its absence for many years. But to our surprise, we received over 20K downloads just weeks after its re-launch!

Despite all this, there are still many things for us to work on and improve upon. Our team is still working hard to make sure our ezine will not only become a resource our readers love to read, but also something they would like to keep. Our promise is that every issue will have something unique to offer. You can be a CSO or a hardcore security geek, we're confident our content offers something for everyone.

For the second issue, all the articles are now in high resolution. We hope by doing this it will increase the quality and clarity of the materials. In addition, the articles are now organized into their respective sections and the code listings in them have been improved and are now easier to read. Also, a new "Interviews" section has been added and for this issue, we have interviewed two well known experts from France for their thoughts on the state of computer security.

Finally, we are always looking for feedback from our readers. It's very important for us to know how we can improve in terms of content and design. Please feel free to drop us an email if you have some constructive feedback or ideas that will help us to raise the bar even higher.

See you in the summer (Issue 003 will be released at HITBSecConf2010 - Amsterdam)

---
Hafez Kamal
HITB Crew
Hack in The Box (M) Sdn. Bhd.
Suite 26.3, Level 26, Menara IMC, No. 8 Jalan Sultan Ismail, 50250 Kuala Lumpur, Malaysia
Tel: +603-20394724
Fax: +603-20318359 "
Taking Penetration testing In-House Posted by cdupuis on Monday, 19 April 2010 @ 19:53:22 EDT (859 reads) Topic Training
Anonymous writes "Another great article from DarkReading:
Taking Penetration Testing In-House
Weighing the risks and benefits of do-it-yourself pen testing
By Keith Ferrell, Special To Dark Reading, DarkReading, April 16, 2010
URL: http://www.darkreading.com/story/showArticle.jhtml?articleID=224400589
Conducting penetration testing in-house rather than using an outside consultant is worth considering for reasons of both cost and security expertise -- but it's also a step not to be taken lightly.
"The advantage of having in-house penetration testers is the focus they provide," says Chris Nickerson, founder of security firm Lares Consulting. "They're able to keep track of the latest exploits and vulnerabilities, constantly monitor systems, and practice and sharpen their skills. But in order to achieve those benefits, they have to be focused."
Nickerson points out that while some really large enterprises are fielding teams wholly dedicated to testing, for most companies pen tests are only part of the testers' responsibilities. "It's all too common to find penetration tests delayed or put off because the tester has too many other open tickets to deal with," he says.
While even a part-time pen-test specialist on staff can be a step in the right direction, it can also be risky. "The variety of tools available for pen tests today is remarkable, and I pretty much applaud them all," he says. "Metasploit, Canvas, Core, Nessus, and others have spent a lot of time ensuring that installing their agents don't blow the boxes that are being tested. That's the default: Once the agent is installed and it's determined whether or not the exploit works, the agent is uninstalled."
The problem is, the tools also offer high levels of tuning and customization, which in inexperienced hands can lead to problems, Nickerson notes. "The tools themselves aren't a particular danger, but with an inexperienced tester driving and tuning those tools, there's some risk of something going wrong," he says.
Steve Stasiukonis, vice president of Secure Network Technologies, makes a similar point. "Hit a critical server too hard and you can create all sorts of problems," he says. "Even a telnet or pingsweep needs to be run with extreme caution when you're testing the most sensitive systems."
That sort of caution comes as a result of both experience and acquired expertise, Stasiukonis suggests, neither of which are included in off-the-shelf testing products. "Working your way up the ladder takes time, and there's no way around that," he says.
It's best to stage the introduction of internal penetration tests, Nickerson says. "The most business-critical systems should only be approached by the most experienced testers, whether they're internal or consultants from outside the organization."
Can even the most experienced and expert in-house pen tester mount fair tests? Does their unavoidable knowledge of the company they work for automatically compromise their ability to approach their tests as an outsider would? "No question," Stasiukonis says. "But more than that, there's the risk that an internal tester will be too easy on some aspects of the company. Strict password rules, for instance, are one area where in-house testers are sometimes too lenient on the people they work with."
More troubling for him is the potential for in-house testers to overestimate their knowledge of the company they work for. "It's too easy for a staff tester to assume they know everything about the company and its systems, particularly with larger companies. They test against the numbers they know and end up overlooking whole segments or even whole networks."
And company awareness that a pen tester is on staff can compromise the tests, too. "The point of pen testing is to see if your defenses are effective against real-world threats," Nickerson says. "Making the company aware that tests are going on [takes] away that real-world aspect."
He suggests testers notify only those personnel who must know of tests for business and operations criticality reasons.
Perhaps the most frequently touted benefit of in-house testing is cost savings. But there are levels of consideration to take into account here, as well. Nickerson argues that cost must be approached not only from the standpoint of in-house personnel dedicated to pen testing versus the cost of outside pen testers, but also the return on investment of the in-house investment. That investment's return, he says, can extend far beyond the tests themselves and even the security benefits of having skilled testers on staff.
Among the chief returns derived from having an in-house penetration tester or team is education -- the testers' ability to communicate clearly and pointedly why pen testing is a vital component of an aggressive security posture, Nickerson says. Another point to be made: why testing, whether in-house or outsourced, trumps vulnerability assessments.
"Automated vulnerability scans generate a lot of information that may not be 100 percent accurate, may not apply to the company's most critical processes, and may not mean a lot to a not particularly tech-savvy CFO or other executive," he says. "The information is at a lower level of resolution than an effective pen test provides."
An experienced penetration tester, he says, can show the executive exactly why penetration testing is a worthwhile investment.
For example, tell an executive that you have X number of vulnerabilities, and the message may or may not get through. "But show the CFO how those vulnerabilities allow the company's general ledger to be altered and, in doing so, fundamentally alter the history and course of the company, and you've delivered a driver that they can really understand," Nickerson says. "You've provided a clear picture of the real-world impact that vulnerabilities can have, and you've increased the company's security education at the same time."
Nickerson believes the constantly evolving and mutating threat environment will have more and more companies considering the addition of internal penetration testing. "The important thing is to provide the testers with the time and focus that lets them concentrate wholly on testing and on keeping their skills and knowledge up-to-date," he says. "Companies need to keep an eye on the tipping point where leveraging external expertise costs more than investing in having an expert penetration tester on the inside."
Copyright © 2007 CMP Media LLC "
HITB Amsterdam Final Call for Papers Posted by cdupuis on Thursday, 08 April 2010 @ 14:53:52 EDT (1209 reads) Topic Training
This is the FINAL CALL to submit your talk / presentation proposals for the inaugural HITB Security Conference in Europe!
Submissions are due by 19TH APRIL 2010.
HITBSecConf2010 - Amsterdam takes place at the Grand Krasnapolsky from the 29th of June till the 2nd of July (Tuesday - Friday), with keynote speakers Anton Chuvakin and Mark Curphey. This is our first ever QUAD TRACK conference.

To submit your presentation proposals and for further details on our submission process, please see: http://cfp.hackinthebox.org/

On a related note, online registration for HITBSecConf2010 - Dubai is closing on the 14TH OF APRIL - walk-in registrations are still accepted thereafter. http://conference.hitb.org/hitbsecconf2010dxb/register/

See you there!

---
Hafez Kamal
HITB Crew
Hack in The Box (M) Sdn. Bhd.
Suite 26.3, Level 26, Menara IMC, No. 8 Jalan Sultan Ismail, 50250 Kuala Lumpur, Malaysia
Tel: +603-20394724
Fax: +603-20318359
The Honeynet Project Forensic Challenge 2010 Posted by cdupuis on Sunday, 28 February 2010 @ 09:42:45 EST (621 reads) Topic Training
The Honeynet Project has revived a successful program from the past: The Honeynet Project Forensic Challenge 2010. The purpose of the Forensic Challenges is to take learning one step further. Instead of having the Honeynet Project analyze attacks and share their findings, Forensic Challenges give the security community the opportunity to do so. In the end, individuals and organizations not only learn about threats, but also learn how to analyze them. Even better, individuals can access the write-ups from other individuals, and learn about new tools and techniques for analyzing attacks. Best of all, the attacks of the Forensic Challenge are attacks encountered in the wild, real hacks, provided by our members.
It has been several years since we provided Forensic Challenges, and with the Forensic Challenge 2010 we will provide desperately needed upgrades. Currently, we are running our second challenge, provided by Nicolas Collery from the Singapore Chapter and Guillaume Arcas from the French Chapter. It deals with client-side attacks and is titled "Browsers under Attack" (accessible at https://www.honeynet.org/challenges/2010_2_browsers_under_attack).
The deadline for submissions is Monday, March 8th 2010, and results (including a sample solution) will be posted on Monday, March 22nd 2010. The top 3 submissions will be awarded with prizes.
Christian Seifert
Chief Communications Officer The Honeynet Project
REC0N 2010 MONTREAL CANADA JULY 9-11 Posted by cdupuis on Friday, 05 February 2010 @ 09:29:31 EST (1450 reads) Topic Training
R E C O N 2 0 1 0 .
Call For Papers (C F P)
REC0N 2010 MONTREAL JULY 9-11
+ RECON returns for 2010
- Training sessions + conference
+ We are accepting submissions
- Single track
- 45-60 minute presentations, or longer, we are flexible
- There will be time for short, informal lightning talks
+ Especially on these topics
- Reverse engineering (Software, Protocols, Hardware, Human)
- Exploit development and vulnerability assessment
- Data analysis and visualization techniques
- Crypto and anonymity
- Physical security countermeasures
- Anything elite
+ Please include
- Speaker name(s) and/or handle
- Contact information (e-mail and cell phone)
- Brief biography
- Any presentation supporting materials
- Why it is cool and/or why you want to present it
+ You want to speak!
- Please send the above information to cfp2010 (at) recon.cx by 15 May, 2010
You can visit the main site at: http://www.recon.cx/2010/index.html
STRATEGIC SECURITY TESTING WEBCAST by Dr. Eric Cole Posted by cdupuis on Thursday, 21 January 2010 @ 22:03:37 EST (835 reads) Topic Training
STRATEGIC SECURITY TESTING WEBCAST
“Cutting-Edge Attack Techniques” – featuring Dr. Eric Cole, SANS fellow and senior scientist with Lockheed Martin Information Technology.
Dr. Eric Cole, SANS fellow and senior instructor
Host: Core Security Technologies
Date: Wednesday, January 27, 2010
Time: 2pm EST / 11am PST (GMT -5:00, New York)
Register: http://www.coresecurity.com/Form/generic/campaign/cuttingEdge
A recording of the webcast will be sent to everyone who registers, so be sure to sign-up even if you can’t make the live session.
In this webcast, noted security and penetration testing expert Dr. Eric Cole will share his insight into how organizations can rapidly improve their resiliency to today’s most advanced malware and hacking techniques via more frequent and proactive assessment. Attackers continue to take advantage of widespread security vulnerabilities located throughout the enterprise IT stack to infiltrate sensitive assets and access protected data, perhaps best evidenced by the recent IE zero day attacks that compromised massive companies including Google.
Register here: http://www.coresecurity.com/Form/generic/campaign/cuttingEdge
From hydra-like botnet campaigns to Trojan attacks and targeted spear phishing campaigns, threats continue to gain in sophistication and volume and defensive controls have never been more challenged to stop emerging attacks. The best method for organizations to empower themselves and level the playing field is to use the same techniques employed by attackers to test where their more critical exposures exist.
Among the key points Cole will cover in this webcast will be:
· Which types of attacks are currently most prevalent and dangerous.
· Why more aggressive testing best addresses cutting-edge threats.
· How cross-vector testing helps thwart advanced malware and botnet programs.
· Important issues to consider in planning end user security awareness testing.
Even if you are already engaging in regular penetration tests it is crucially important to stay abreast of emerging threat models and the most effective assessment best practices being embraced by leading practitioners.
Please join us for this highly informational webcast that can help you continue to build and advance your penetration testing programs.
Best Regards,
Core Security Technologies
41 Farnsworth Street
Boston, MA 02210
http://www.coresecurity.com
http://blog.coresecurity.com
http://www.twitter.com/coresecurity
nullcon Goa, India, 2010 International Security & Hacking Conference Posted by cdupuis on Thursday, 14 January 2010 @ 10:08:12 EST (960 reads) Topic Training
NOTE FROM CLEMENT:
GOA is an amazing place with gorgeous beaches and everything is VERY inexpensive. I was there last spring to deliver training and I had a really great time. If you have the chance, do combine your training with a few days on the northern beach where you have miles and miles of deserted beaches almost to yourself. Here is the announcement about the conference:
Hi all,

null is proud to announce the launch of its security & hacking conference nullcon Goa 2010.

nullcon Goa 2010, India's first 'community' driven security & hacking conference, will bring together Security Researchers, security professionals, vendors, CXOs and Law Enforcement agencies from all over the country to a common platform to discuss the latest research in the field of Information Security and in particular the major security threats faced by everyone today. We are extremely thankful to SANS for providing us a free seat as a prize for the hacking challenge winner at nullcon for their SEC 504: Hacker Techniques, Exploits & Incident Handling class (worth USD 4095) to be held in Feb at the Ramada Bangalore.
Details of the class can be found at: http://www.sans.org/india-2010/
email: AsiaPacific@sans.org

nullcon is a one-of-a-kind conference showcasing the latest research and trends in information security by renowned security researchers/professionals. No conference can be successful without the right audience. That's why your presence is very essential for making nullcon successful.
Website: http://nullcon.net

Legend:
** - BONUS Talk
+ - new (new version) Tool being released

First list of speakers (not in any specific order):
**0. Anonymous - Desi Special (pronounced pay-sul, as in chai) Hacking
+1. Abhisek Datta - Software Fuzzing with Wireplay
2. WhiteKnight - The art of cyber-warfare
3. Veysel Ozer - The evil Karmetasploit upgrade
+4. Anant Kochhar - Malware detection tool for Websites - A proof of Concept
5. Cassio Goldshmidt - Tracking the progress of SDL program
6. Vinoth Sivasubramanian - Defending Industrial espionage in Today's Environment.
7. Vishwas Sharma & Amandeep - Intelligent Debugging and in-memory fuzzing.
+8. Lavakumar Kuppan - Imposter ke Karnamey: The browser phishing tool
9. Harshad Patil - Botnet mitigation, monitoring and management.
10. Prince Komal Boonlia - Steganography: Data hiding and Data Carving
11. Bhaskar Jain - Incomplete implementation of SAML
12. Navin Pai - Quantum computing: Challenges in the field of security

nullcon Details
--------------
Dates: 6-7th Feb 2010
Venue: The Retreat by Zuri, Pedda, Uttor Doxi, Varca, Salcete Goa 403 721 INDIA

Registration:
------------
Conference Pass - INR 2000/- (till 15th Jan 2010, avail the discounted price now)
Details: http://nullcon.net/register
We are also accepting offline registrations for Conference Pass (and stay at The Retreat, if required).

About null:
null - The open security community is a non-profit community with focus on spreading security awareness, advanced research in security and helping govt. and private institutions with security related issues.
website: http://null.co.in

Thanks to our sponsors:
Gold Sponsor: SANS http://www.sans.org/india-2010/
Bronze sponsor: Timblo Group www.timblos.com

Best Regards,
null Team
26C3 The world's largest hacker conference in Berlin - Recordings now online Posted by cdupuis on Thursday, 14 January 2010 @ 05:55:23 EST (1103 reads) Topic Training
The 26th edition of the world's largest annual hacker conference, 26C3, took place in Berlin last week. With about 2,500 attendees, a combined total of 9,000 participants worldwide (via live streams), and an array of features that no other conference in the world can match, it was very much a milestone.
You can get the conference recording at:
http://events.ccc.de/congress/2009/wiki/Conference_Recordings
ClubHack presentations and photos are now online Posted by cdupuis on Monday, 04 January 2010 @ 19:01:42 EST (931 reads) Topic Training
CarolinaCon Call for Papers Posted by cdupuis on Friday, 25 December 2009 @ 11:53:29 EST (1755 reads) Topic Training
CarolinaCon is now accepting speaker/paper/demo submissions for its 6th annual event in March 2010!!!

What is this "CarolinaCon"?
CarolinaCon is an annual Technology Conference whose mission/purpose is to:
- Enhance local and global awareness of current technology issues and developments,
- Provide affordable technology education sessions to the unwashed masses,
- Deliver varied/informative/interesting presentations on a wide variety of InfoSec/hacking/technology/science topics, and
- Mix in enough entertainment and side contests/challenges to make for a truly fun event

When/Where is CarolinaCon?
This year's event will be held on the weekend of March 19th-21st, 2010. The event will mostly occur at a Holiday Inn in Raleigh, NC. Raleigh is about 30 minutes from Durham, Chapel Hill, and Research Triangle Park.

Who develops/delivers CarolinaCon?
CarolinaCon is proudly brought to you by "The CarolinaCon Group". The CarolinaCon Group is a non-profit organization registered in the state of NC, dedicated to educating the local and global communities about technology, information/network/computer security, and information rights. The CarolinaCon Group is also closely associated with various "2600" chapters across NC, SC, TN, VA, LA, DC, and NY. Many of the volunteers who help develop and deliver CarolinaCon come from those chapters.

What events will be at CarolinaCon?
CarolinaCon is mainly about the talks/presentations/demos. Alongside those we'll surely have several other technology-related contests/challenges, as we've had in past years. Details on other events will be announced soon.

Who will be presenting which topics this year?
That's where YOU possibly come in. If you are somewhat knowledgeable in some interesting field of technology, hacking, science, etc., and are interested in speaking/presenting at CarolinaCon, we invite you to submit your proposal (in brief) for our review. If you're interested in presenting please send:
- your name or handle,
- the topic/presentation name,
- estimated time-length of presentation, and
- a brief topic abstract
....via e-mail to: speakers carolinacon.org

*NOTE: All submissions are due BY January 29, 2010! Please be timely in submission if you're committed to being part of the elite cadre of presenters. We value diversity, so please don't hesitate to propose your ideas no matter how outlandish.

If you speak at the Con, you will receive:
- free Con admission for you and one guest,
- a free Con t-shirt,
- minimal fame, glory, and possibly notoriety, and
- mad props from our staff and attendees

I'm excited and I want to present! What do I do now?
If you're interested in speaking, send the 411 requested to: speakers carolinacon.org (BY/BEFORE January 29th 2010)

And if you're interested in attending, watch this space for more details: www.carolinacon.org
...and don't forget to mark the dates on your calendar!

Peace,
Vic