Mission Statement
“Since 2004, Enigma Group has been providing its members a legal and safe security resource where they can develop their pen-testing skills on various challenges provided by this site. These challenges teach members the many types of exploits that are found in today's code; thus, helping them to become better programmers in the meantime. By knowing your enemy, you can defeat your enemy.”
Open Source Software - Rational or Risky Business?
I received quite a few comments this past week following the publishing of California IT Policy Letter 10-01 which formally establishes "the use of Open Source Software (OSS) in California state government as an acceptable practice." While many of my security colleagues offered words of caution following the announcement (and...
Howard Schmidt gets the nod from President Obama
It's official, we finally have national cybersecurity leadership. Fulfilling the commitment he made in May of this year, it was announced on The White House Blog this morning that President Obama has selected Howard Schmidt as the White House Cybersecurity Coordinator. Rumors have been swirling for months now of...
Sabotaging The System
Did you happen to see the CBS 60 Minutes episode this past Sunday titled "Sabotaging The System?" It seems like every time there's a TV story or newspaper article about cyber security, I spend the next few days answering questions from people who either want to know if it...
New Social Media "Guidelines"
The Federal CIO Council's Information Security and Identity Management Committee (ISIMC), Web 2.0 Security Working Group just released a document that will come as a boon to government security folks struggling to develop social media policy. The "Guidelines for Secure Use of Social Media by Federal Departments and Agencies" "Guidelines"...
Cyber Confusion
What the heck is going on? Melissa Hathaway resigns as the White House's acting cybersecurity czar on Monday and today, only four days later, Mischel Kwon resigns as Director of US-CERT. As I noted in SANS NewsBites today, http://www.sans.org/newsletters/newsbites/newsbites.php?vol=11&issue=62 this new resignation is regrettable because it appears that the...
Leaving Las Vegas ... and DefCon
One thing those of us who've spent any time in the security business know is that you either learn to deal with a flexible schedule or you change professions. Dilbert called them "unplanned emergencies" but whatever you call them, they are a fact of our life. So here I am,...
Another Year @ Black Hat
So, another year at Black Hat in Las Vegas has come and gone. While attendance may have been down a little and there wasn't any legal gunslinging like in past years when talks were pulled or moderated as a result of legal threats from the vendor community, there were...
Does a DDoS Equal a Cyber-War?
It's been a pretty interesting week on the cybersecurity front with the DDoS attacks on South Korea and the United States making the most headlines. I've been trying to keep up with all of the regular media and blogs and quite frankly, it's a bit overwhelming. There's a lot...
When the Walls, Come Tumblin' Down
John Mellencamp sang about the walls tumbling down, and this week's press release by the U.S. Army telling bases to stop blocking Twitter, Facebook, and Flickr ("Army Allows Access To Social Media Websites") should be proof enough for anyone. Following the US Navy's "Web 2.0: Utilizing New...
President Obama and Cybersecurity, A New Comprehensive Approach
Last Friday, President Obama followed up on a promise he made last July during a speech at Purdue University when, as then-candidate Obama, he said "As President, I'll make cybersecurity the top priority that it should be in the 21st century. I'll declare our cyber-infrastructure a strategic asset, and...
Cyber Dollars in the ARRA
$787B. $787,000,000,000.00. Seven hundred and eighty seven billion dollars. However you say it or write it, that's a lot of dough. That's the amount of the federal stimulus package called the American Recovery and Reinvestment Act (ARRA) of 2009. The mission of the ARRA has several components but one of them...
Vulnerabilities in the U.S. Power Grid
The article released by the Wall Street Journal on Wednesday has created quite a stir and I've spent a considerable amount of time the past two days asking and answering questions about it. I think I can say without stepping too far out on a limb that the details in...
Escape from Conficker-geddon
So here we are again, a couple of days post-Conficker Armageddon and some people are feeling like they missed the party. No one has said it yet but I can already see it in some eyes, "Looks like another over-blown security event, hyped by the media and exploited by...
Have a Conficker-Free Week
I got a call from a reporter this week asking me about the Conficker virus. "Are you prepared?" "What do you think is going to happen?" "How widespread is the virus?" "Why is April Fool's Day important?" I went through all of the mechanics of how we get A/V signature updates...
Technical Innovation in America
I attended the IT Security Entrepreneurs' Forum III http://publicprivatepartnerships.org/itsef/ at Stanford University yesterday where I was part of a panel discussing the current and future cybersecurity threat environment. Moderated by the always popular and entertaining Bob Bragdon of CSO Magazine, the forum was both insightful as well as informative. The purpose of...
Microsoft Releases March Security Bulletin
Microsoft has released an update to address vulnerabilities in Microsoft Windows and Office as part of the Microsoft Security Bulletin Summary for March 2010. These vulnerabilities may allow an attacker to execute arbitrary code.
US-CERT encourages users and administrators to review the bulletins and follow best-practice security policies to determine which updates should be applied.
Energizer DUO USB Battery Charger Software Allows Remote System Access
US-CERT is aware of a backdoor in the software for the Energizer DUO USB battery charger. This backdoor may allow a remote attacker to list directories, send and receive files, and execute programs on an affected system. The software, which has been discontinued, was available for both Windows and Apple Mac OS X versions. Only the Windows version is affected by this vulnerability.
US-CERT encourages users and administrators to review Vulnerability Note VU#154421 and apply the recommended solutions.
Security advisory cisco-sa-20100303-cucm addresses multiple vulnerabilities in the Cisco Unified Communications Manager which affect the Session Initiation Protocol (SIP), Skinny Client Control Protocol (SCCP), and the Computer Telephony Integration (CTI) Manager services. Successful exploitation of these vulnerabilities could result in a denial-of-service condition and an interruption of voice services.
Security advisory cisco-sa-20100303-dmm addresses multiple vulnerabilities in the Cisco Digital Media Manager (DMM). Successful exploitation of these vulnerabilities could allow for information disclosure, unauthorized settings or system configuration changes, and disclosure of default credentials. There are no workarounds for mitigation, and US-CERT will alert users and administrators as updates are made available.
Security advisory cisco-sa-20100303-dmp addresses a vulnerability that exists in the Cisco Digital Media Player. Successful exploitation of this vulnerability may allow an attacker to inject video or data content into a remote display.
US-CERT encourages users and administrators to review security advisories cisco-sa-20100303-cucm and cisco-sa-20100303-dmp and apply any necessary updates or workarounds to mitigate the risks.
According to the U.S. Census 2010 website, they began delivery of the printed census forms to every resident in the United States on March 1, 2010. The only way to complete the census is by filling in the form using pen and ink; in some instances, census takers will be visiting households to complete the form face-to-face. It is important to understand that the U.S. Census Bureau will not, under any circumstances, be providing an online option to complete the 2010 census form.
US-CERT encourages all residents in the United States to take the following measures to protect themselves:
Review available information about the 2010 U.S. Census on the website.
Familiarize yourself with what information the U.S. Census Bureau is collecting on the census form.
Do not follow unsolicited web links or open attachments in email messages.
March 2010 Free Giveaway Sponsor - Offensive Security
5 Free Seats in OffSec Online Training!
Offensive Security has carved out a place in the pen testing field that is quite rare. They offer not only high quality training but also some of the lowest price points in the industry. For an insider's look at Pentesting With BackTrack (PWB), check out Ryan Linn's review of PWB and the associated exam, OSCP (content/view/299/24/). But as well known as PWB is becoming, let's not forget they also have 3 other courses. For you wireless pen testers, there's OffSec Wireless Attacks AKA WiFu (http://www.offensive-security.com/backtrack-wifu-online-training.php), for Windows environments there's Advanced Windows Exploitation (AWE...
Feb 2010 Free Giveaway Winners - Syngress Publishing
We Have Our Winners!
Final Course and Exam Review: Pen Testing with BackTrack
Ryan Linn's Column Page (content/category/7/40/24/) for Parts 1 - 4 as well as several other contributions to The Ethical Hacker Network and our community of security professionals.
Interview: Joe McCray of LearnSecurityOnline
Review by Jason Haddix
Have you ever seen Man on Fire? If you haven't and you like watching kick-ass, kick-you-in-the-teeth, relentless, Denzel-Washington-type action flicks… you might want to Netflix that one. Our interview this week is kind of like Denzel in Man on Fire but with less guns and more SQLi strings meticulously crafted to pwn your databases.
Enter Joe (j0e) McCray of LearnSecurityOnline… Joe is a long standing friend of both Security Aegis and The Ethical Hacker Network, and, after wanting to keep the limelight off of himself and his teaching projects, we have finally pestered him enough to agree...
SSHliders - Answers
Hello challenge fans. Sorry for the long delay, but better late than never, right? Actually this one caused a little debate, because we did not have anyone that gave a completely accurate answer on either the technical or creative sides. But in considering that these challenges are not just contests but also great ways to learn, we decided to release the answers without any winners. So although there are no signed copies of Ed Skoudis' book, Counter Hack Reloaded (http://www.amazon.com/exec/obidos/ASIN/0131481045/thedigitalcon-20?creative=327641 camp=14573 adid=0W0TMYWJ6BXR5RPTG9N8 link_code=as1), a couple of you still get your name in lights as we mention some of your good...
Jan 2010 Free Giveaway Winner - Black Hat DC
We Have a Winner!!
Black Hat DC (http://www.blackhat.com) on us. The Washington, DC version of the world's premier technical event for security experts is being held January 31 - February 3, 2010. One Passport Admission Ticket worth $1995 allows our winner entry into the 2-Day Briefings portion of the event. The event is described as, "Understanding the increasingly complex threats posed to an enterprise can be a daunting task for today's security professional. Knowing how to secure an enterprise against those threats can be overwhelming. Black Hat is the premier information security event for senior-level professionals to learn the latest...
EH-Net January 2010 Newsletter
As a courtesy to our members, we try to keep you informed of some of the more interesting items that have been published in our online magazine by sending out an electronic newsletter by email. But not everyone interested in our content is a member. For that reason, we have decided to also publish the newsletter in article format for all to see. Each EH-Net newsletter features the major articles of the past month such as our Free Monthly Giveaways, reviews of books, courses and products as well as other newsworthy items. The newsletters also include updates on our Hacking...
Interview: Ferruh Mavituna on Netsparker
Review by Jason Haddix
Today we showcase a new web application scanner called Netsparker (http://www.mavitunasecurity.com/), and believe us when we say that we put this app through the wringer.
There's a big distinction between testing a tool against dummy apps in a lab and using it first hand against a large environment. Luckily for us we got to do both.
Over the course of a month we ran several engagements and specifically watched Netsparker’s performance compared to other tools we normally use in the assessment process (w3af (http://w3af.sourceforge.net/), Grendel Scan (http://www.grendel-scan.com/), Nikto (http://cirt.net/nikto2), Wikto (http://www.sensepost.com/research/wikto/), Websecurify (http://www.websecurify.com/), Paros (http://www.parosproxy.org/index.shtml), Burp...
Book Review: PCI Compliance
Review by Joel Dubin, CISSP
The Payment Card Industry Data Security Standard (PCI DSS) has taken it on the chin recently. With several high profile breaches of credit card numbers, some critics of the industry standard have said it either isn’t strong enough, or should be abolished altogether. But as Dr. Anton Chuvakin and Branden Williams correctly point out in the second edition of their book, PCI Compliance: Understand and Implement Effective PCI Data Security Standard Compliance (http://www.amazon.com/dp/1597494992?tag=thedigitalcon-20 camp=14573 creative=327641 linkCode=as1 creativeASIN=1597494992 adid=1SBDGWTPQJD15XH1E75W ), PCI is here to stay.
This is no ordinary field manual to the PCI...
Miracle on Thirty-Hack Street
Merry Christmas, challenge fans! As you know, my friends and I write several challenges per year for EthicalHacker.net. But, we've made it a bit of a tradition around here of reserving the December challenge slot for me, an honor which I sincerely appreciate. During past holiday seasons, you got to tangle with Santa himself (content/view/218/2/).
This year, Kevin Johnson and I worked together on a challenge in which you'll get to save Santa Claus from the insane asylum! We call it Miracle on Thirty-Hack Street , after the classic 1947 movie. In this tale, you'll get to analyze...
Review: SANS SEC550 Information Reconnaissance
SANS Security 550 - Information Reconnaissance: Competitive Intelligence and Online Privacy (http://www.sans.org/info/51609)
A pessimistic view of the Internet: A network that enables every human to be within a few milliseconds from every psychopath and criminal on earth.
Bryce Galbraith of Layered Security (http://blog.layeredsec.com/), a SANS certified instructor, has authored a new one-day course titled “Information Reconnaissance: Competitive Intelligence and Online Privacy.” The course is designed to educate IT professionals on the risks associated with information disclosure. It also teaches the students tools, tips, and techniques that assist in discovering information.
The amount of our personal information...
What Do I Really Need To Do To STAY PCI DSS Compliant?
PCI DSS (Payment Card Industry Data Security Standard) (https://www.pcisecuritystandards.org/security_standards/pci_dss.shtml). The conversation ranges from practical advice on “how to get compliant” all the way to branding PCI as a devilish invention (Google for “PCI is the devil”). Fiery debates aside, PCI DSS guidance helped countless organizations to see the light of security where there was none before. It goes without saying that it didn’t magically make them “become secure” – no external document can.
One of the frequent criticisms of PCI focuses on the misguided view that “PCI is all about passing an ‘audit’.” Many people would be surprised to find...
Review: Penetration Testing with BackTrack by Offensive Security Part 4
'Pentesting with BackTrack.' (http://www.offensive-security.com/penetration-testing-backtrack-online-training.php) As a reminder, PWB is described by Offensive Security as, An online course designed for network administrators and security professionals who need to get acquainted with the world of offensive security. This penetration testing course introduces the latest hacking tools and techniques, and includes remote live labs for exercising the material presented to the students. This course gives a solid understanding of the penetration testing process, and is equally important for those wanting to either defend or attack their network. The course can be taken from your home, as long as you have a modern...
Review: Penetration Testing with BackTrack by Offensive Security Part 3
'Pentesting with BackTrack.' (http://www.offensive-security.com/penetration-testing-backtrack-online-training.php) As a reminder, PWB is described by Offensive Security as, An online course designed for network administrators and security professionals who need to get acquainted with the world of offensive security. This penetration testing course introduces the latest hacking tools and techniques, and includes remote live labs for exercising the material presented to the students. This course gives a solid understanding of the penetration testing process, and is equally important for those wanting to either defend or attack their network. The course can be taken from your home, as long as you have a modern...
SSHliders
Salutations, challenge fans! Ed Skoudis here, ready to introduce our newest challenge. Jim Shewmaker, SANS Instructor and creator of the Netwars Capture the Flag Competition (http://www.sans.org/netwars/), has taken the keyboard this time, creating an awesome challenge for you based on the TV show, Sliders. It's got some fun twists and turns, and includes jumps to parallel universes! What's not to like? Have fun unwrapping this mystery. As always, we'll choose three winners: the best technical one, a creative entry that is also technically correct, and a random draw. Even if you don't know all the answers or can only guess,...
August 2009 Free Giveaway Winners - IronKey
IronKey S200 (https://www.ironkey.com/l-secure-flash-drive?ik_c=s200_launch ik_s=ethicalhacker ik_t=banner ik_ad=true), the World's Most Physically and Cryptographically Secure USB Flash Drive!
And the winners are... Negrita, Dengar13, Oyle, ChrisG, Manu Zacharia (-M-), jimbob, blackazarro, slimjim100, dalepearson, BillV, xXxKrisxXx, g00d_4sh, Kev, Andrew Waite, sgt_mjc, awesec, jason, Ketchup, Jhaddix, timmedin. As an extra bonus, I have asked all of the above members to be on our Community Board of Advisors. This is an informal group that I will rely on in matters concerning the growing community we have all created. Each of the winners has devoted a lot of their time and efforts in making this community...
Prison Break - Breaking, Entering and Decoding - Answers and Winners
Hello, challenge fans! This is Raul Siles, author of the "Prison Break - Breaking, Entering and Decoding" (content/view/268/2/) EH-Net challenge, here to announce the answers and winners for this tough competition. BTW, the answers for this challenge were released to The Informer (http://ihackcharities.org/category/informer-blog/) subscribers a few days ago. EH-Net had teamed with The Informer; in Johnny Long's words, "(It is) a fund raising effort run by Hackers For Charity. It is designed to give subscribers a backstage pass to the world of Information Security. For $54 per year, subscribers get early, exclusive access to all sorts of...
Book Review: Professional Penetration Testing
EH-Net Exclusive - Free Download of Chapter 4: Setting Up Your Lab
Review by Andrew Waite, EH-Net Member, InfoSanity.co.uk (http://www.infosanity.co.uk/)
When I first heard about Thomas Wilhelm's new book in my Twitter feed, the title immediately caught my attention, 'Professional Penetration Testing: Creating and Operating a Formal Hacking Lab (http://www.amazon.com/dp/1597494259?tag=thedigitalcon-20 camp=14573 creative=327641 linkCode=as1 creativeASIN=1597494259 adid=0146GHM3FER1CFNJHBXA ).' As I'm currently trying to build up my own training and testing environment, this tome promised to provide answers to all my questions. A quick Google search to learn more and a useful discussion right here in the EH-Net Forums (component/option,com_smf/Itemid,54/topic,4514.0/) left me...
Video Tutorials: New BeEF Hotness with Metasploit and Samurai
A new version of the Browser Exploitation Framework (BeEF) (http://www.bindshell.net) has been released. This new release incorporates both my code from my Security B-Sides update of the ChicagoCon Talk Cain Beef Hash: Snagging Hashes without Popping Boxes as well as RSnake and Jabra's modules presented at Defcon. Enclosed in this update are some videos describing how to use the modules that I created which allow for realtime interaction with Metasploit (http://www.metasploit.org). These modules directly communicate with Metasploit to setup the modules which will be used in further browser exploitation. These videos demonstrate how to use the RSnake...
Review: Penetration Testing with BackTrack by Offensive Security Part 2
'Pentesting with BackTrack' (previously known as Offensive Security 101) (http://www.offensive-security.com/penetration-testing-backtrack-online-training.php) is an online course designed for network administrators and security professionals who need to get acquainted with the world of offensive security. This penetration testing course introduces the latest hacking tools and techniques, and includes remote live labs for exercising the material presented to the students. This course gives a solid understanding of the penetration testing process, and is equally important for those wanting to either defend or attack their network. The course can be taken from your home, as long as you have a modern computer with high speed...