Mission Statement
“Since 2004, Enigma Group has been providing its members a legal and safe security resource where they can develop their pen-testing skills on various challenges provided by this site. These challenges teach members the many types of exploits that are found in today's code; thus, helping them to become better programmers in the meantime. By knowing your enemy, you can defeat your enemy.”
Open Source Software - Rational or Risky Business?
I received quite a few comments this past week following the publishing of California IT Policy Letter 10-01 which formally establishes "the use of Open Source Software (OSS) in California state government as an acceptable practice." While many of my security colleagues offered words of caution following the announcement (and...
Howard Schmidt gets the nod from President Obama
It's official, we finally have national cybersecurity leadership. Fulfilling the commitment he made in May of this year, it was announced on The White House Blog this morning that President Obama has selected Howard Schmidt as the White House Cybersecurity Coordinator. Rumors have been swirling for months now of...
Sabotaging The System
Did you happen to see the CBS 60 Minutes episode this past Sunday titled "Sabotaging The System?" It seems like every time there's a TV story or newspaper article about cyber security, I spend the next few days answering questions from people who either want to know if it...
New Social Media "Guidelines"
The Federal CIO Council's Information Security and Identity Management Committee (ISIMC), Web 2.0 Security Working Group just released a document that will come as a boon to government security folks struggling to develop social media policy. The "Guidelines for Secure Use of Social Media by Federal Departments and Agencies" "Guidelines"...
Cyber Confusion
What the heck is going on? Melissa Hathaway resigns as the White House's acting cybersecurity czar on Monday and today, only four days later, Mischel Kwon resigns as Director of US-CERT. As I noted in SANS NewsBites today, http://www.sans.org/newsletters/newsbites/newsbites.php?vol=11&issue=62 this new resignation is regrettable because it appears that the...
Leaving Las Vegas ... and DefCon
One thing those of us who've spent any time in the security business know is that you either learn to deal with a flexible schedule or you change professions. Dilbert called them "unplanned emergencies" but whatever you call them, they are a fact of our life. So here I am,...
Another Year @ Black Hat
So, another year at Black Hat in Las Vegas has come and gone. While attendance may have been down a little and there wasn't any legal gunslinging like in past years, when talks were pulled or moderated as a result of legal threats from the vendor community, there were...
Does a DDOS Equal a Cyber-War?
It's been a pretty interesting week on the cybersecurity front with the DDOS attacks on South Korea and the United States making the most headlines. I've been trying to keep up with all of the regular media and blogs and quite frankly, it's a bit overwhelming. There's a lot...
When the Walls, Come Tumblin' Down
John Mellencamp sang about the walls tumbling down, and this week's press release by the U.S. Army telling bases to stop blocking Twitter, Facebook, and Flickr (Army Allows Access To Social Media Websites) should be proof enough for anyone. Following the US Navy's "Web 2.0: Utilizing New...
President Obama and Cybersecurity, A New Comprehensive Approach
Last Friday, President Obama followed up on a promise he made last July during a speech at Purdue University when, as then-candidate Obama, he said "As President, I'll make cybersecurity the top priority that it should be in the 21st century. I'll declare our cyber-infrastructure a strategic asset, and...
Cyber Dollars in the ARRA
$787B. $787,000,000,000.00. Seven hundred and eighty seven billion dollars. However you say it or write it, that's a lot of dough. That's the amount of the federal stimulus package called the American Recovery and Reinvestment Act (ARRA) of 2009. The mission of the ARRA has several components but one of them...
Vulnerabilities in the U.S. Power Grid
The article released by the Wall Street Journal on Wednesday has created quite a stir and I've spent a considerable amount of time the past two days asking and answering questions about it. I think I can say without stepping too far out on a limb that the details in...
Escape from Conficker-geddon
So here we are again, a couple of days post-Conficker Armageddon and some people are feeling like they missed the party. No one has said it yet but I can already see it in some eyes, "Looks like another over-blown security event, hyped by the media and exploited by...
Have a Conficker-Free Week
I got a call from a reporter this week asking me about the Conficker virus. "Are you prepared?" "What do you think is going to happen?" "How widespread is the virus?" "Why is April Fool's Day important?" I went through all of the mechanics of how we get A/V signature updates...
Technical Innovation in America
I attended the IT Security Entrepreneurs' Forum III http://publicprivatepartnerships.org/itsef/ at Stanford University yesterday where I was part of a panel discussing the current and future cybersecurity threat environment. Moderated by the always popular and entertaining Bob Bragdon of CSO Magazine, the forum was both insightful as well as informative. The purpose of...
US-CERT encourages users and administrators to review the Oracle security alert and apply any necessary updates to help mitigate the risks.
Microsoft Releases Advance Notification for February Security Bulletin
Microsoft has issued a Security Bulletin Advance Notification, indicating that its February release cycle will contain 13 bulletins. Five of them will have a severity rating of Critical and will be for Microsoft Windows. The remaining eight bulletins have an Important rating and are for Microsoft Windows and Microsoft Office. Release of these bulletins is scheduled for Tuesday, February 9, 2010.
US-CERT will provide additional information as it becomes available.
Apple Releases iPhone OS 3.1.3 and iPhone OS 3.1.3 for iPod touch
Apple has released iPhone OS 3.1.3 and iPhone OS 3.1.3 for iPod touch to address vulnerabilities in the CoreAudio, ImageIO, Recovery Mode and WebKit packages. Exploitation of these vulnerabilities may allow an attacker to execute arbitrary code, cause a denial-of-service condition, or obtain sensitive information.
US-CERT encourages users and administrators to review Apple article HT4013 and apply any necessary updates to help mitigate the risks.
Microsoft Releases Security Advisory 980088
Microsoft has released Security Advisory 980088 to alert users of a vulnerability in Microsoft Internet Explorer. The advisory indicates that exploitation of this vulnerability may allow an attacker to harvest user credentials and other sensitive information by enticing users to visit a maliciously crafted web page.
US-CERT encourages users and administrators to review Microsoft Security Advisory 980088 and apply the suggested workarounds of running Internet Explorer in Protected Mode and setting the Internet zone security setting to High to mitigate the risk of unwanted information disclosure.
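As an added check that is not part of the US-CERT note or of Microsoft's advisory, the following PowerShell reads, for the current user, the two Internet Explorer settings that the 980088 workarounds depend on. The registry key and value names are the ones Internet Explorer has used for the Internet zone (zone 3; value "2500" for Protected Mode, with 0 meaning enabled and 3 disabled; "CurrentLevel" 0x12000 for the High slider); treat them as assumptions and confirm them against the advisory for your IE version. Two caveats a practitioner will want: Protected Mode exists only on Windows Vista and later, so on Windows XP only the zone setting applies, and settings enforced by Group Policy may live under HKLM rather than the per-user key read here.

```powershell
# Added example: checks the two Security Advisory 980088 workarounds for the current user.
# Assumptions (verify on your build): the Internet zone is zone 3; value "2500" holds the
# Protected Mode switch (0 = enabled, 3 = disabled); "CurrentLevel" 0x12000 is the High slider.
function Test-Ie980088Workarounds {
    $zoneKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
    $zone = Get-ItemProperty -Path $zoneKey -ErrorAction Stop

    # Protected Mode needs Vista or later; on XP the value is absent and this stays $false.
    $protectedMode = ($zone.'2500' -eq 0)
    $internetHigh  = ($zone.CurrentLevel -eq 0x12000)

    New-Object PSObject -Property @{
        ProtectedModeEnabled   = $protectedMode
        InternetZoneHigh       = $internetHigh
        BothWorkaroundsApplied = ($protectedMode -and $internetHigh)
    }
}

Test-Ie980088Workarounds
```

Run it in the context of the user whose browser you are checking; a `$false` in either column means that workaround from the advisory is not in effect for that account.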
Cisco Releases Security Advisory for Unified MeetingPlace
Cisco has released a security advisory to address multiple vulnerabilities in Unified MeetingPlace. These vulnerabilities may allow a remote, unauthenticated attacker to obtain sensitive information, manipulate configuration data, create unauthorized accounts, operate with elevated privileges or cause a denial-of-service condition.
US-CERT encourages users and administrators to review Cisco security advisory cisco-sa-20100127-mp and apply any necessary updates to help mitigate the risks.
Feb 2010 Free Giveaway Sponsor - Syngress Publishing
2 Winners Get Next 5 Released Books!
Dissecting the Hack: The F0rb1dd3n Network, Revised Edition by Jayson E. Street and Kent Nabors, the 2 winning EH-Net members will each be put on the list of those to automatically receive copies of the new releases immediately upon becoming available. What a great way to increase the volumes in your technical library with the latest and greatest tomes from topic areas like Certification, Digital Forensics, Hacking Penetration Testing and more. Good luck to all EH-Net Members.
Registration Is...
Jan 2010 Free Giveaway Winner - Black Hat DC
We Have a Winner!!
Black Hat DC (http://www.blackhat.com) on us. The Washington, DC version of the world's premier technical event for security experts is being held January 31 - February 3, 2010. One Passport Admission Ticket worth $1995 allows our winner entry into the 2-Day Briefings portion of the event. The event is described as, Understanding the increasingly complex threats posed to an enterprise can be a daunting task for today’s security professional. Knowing how to secure an enterprise against those threats can be overwhelming. Black Hat is the premier information security event for senior-level professionals to learn the latest...
EH-Net January 2010 Newsletter
As a courtesy to our members, we try to keep you informed of some of the more interesting items that have been published in our online magazine by sending out an electronic newsletter by email. But not everyone interested in our content is a member. For that reason, we have decided to also publish the newsletter in article format for all to see. Each EH-Net newsletter features the major articles of the past month such as our Free Monthly Giveaways, reviews of books, courses and products as well as other newsworthy items. The newsletters also include updates on our Hacking...
Interview: Ferruh Mavituna on Netsparker
Review by Jason Haddix
Today we showcase a new web application scanner called Netsparker (http://www.mavitunasecurity.com/), and believe us when we say that we put this app through the wringer.
There's a big distinction between testing a tool against dummy apps in a lab and using it first hand against a large environment. Luckily for us we got to do both.
Over the course of a month we ran several engagements and specifically watched Netsparker’s performance compared to other tools we normally use in the assessment process (w3af (http://w3af.sourceforge.net/), Grendel Scan (http://www.grendel-scan.com/), Nikto (http://cirt.net/nikto2), Wikto (http://www.sensepost.com/research/wikto/), Websecurify (http://www.websecurify.com/), Paros (http://www.parosproxy.org/index.shtml), Burp...
Book Review: PCI Compliance
Review by Joel Dubin, CISSP
The Payment Card Industry Data Security Standard (PCI DSS) has taken it on the chin recently. With several high profile breaches of credit card numbers, some critics of the industry standard have said it either isn’t strong enough, or should be abolished altogether. But as Dr. Anton Chuvakin and Branden Williams correctly point out in the second edition of their book, PCI Compliance: Understand and Implement Effective PCI Data Security Standard Compliance, PCI is here to stay.
This is no ordinary field manual to the PCI...
Miracle on Thirty-Hack Street
Merry Christmas, challenge fans! As you know, my friends and I write several challenges per year for EthicalHacker.net. But, we've made it a bit of a tradition around here of reserving the December challenge slot for me, an honor which I sincerely appreciate. During past holiday seasons, you got to tangle with Santa himself (content/view/218/2/).
This year, Kevin Johnson and I worked together on a challenge in which you'll get to save Santa Claus from the insane asylum! We call it Miracle on Thirty-Hack Street, after the classic 1947 movie. In this tale, you'll get to analyze...
Review: SANS SEC550 Information Reconnaissance
SANS Security 550 - Information Reconnaissance: Competitive Intelligence and Online Privacy (http://www.sans.org/info/51609)
A pessimistic view of the Internet: A network that enables every human to be within a few milliseconds from every psychopath and criminal on earth.
Bryce Galbraith of Layered Security (http://blog.layeredsec.com/), a SANS certified instructor, has authored a new one-day course titled “Information Reconnaissance: Competitive Intelligence and Online Privacy.” The course is designed to educate IT professionals on the risks associated with information disclosure. It also teaches the students tools, tips, and techniques that assist in discovering information.
The amount of our personal information...
What Do I Really Need To Do To STAY PCI DSS Compliant?
PCI DSS (Payment Card Industry Data Security Standard) (https://www.pcisecuritystandards.org/security_standards/pci_dss.shtml). The conversation ranges from practical advice on “how to get compliant” all the way to branding PCI as a devilish invention (Google for “PCI is the devil”). Fiery debates aside, PCI DSS guidance helped countless organizations to see the light of security where there was none before. It goes without saying that it didn’t magically make them “become secure” – no external document can.
One of the frequent criticisms of PCI focuses on the misguided view that “PCI is all about passing an ‘audit’.” Many people would be surprised to find...
Review: Penetration Testing with BackTrack by Offensive Security Part 4
'Pentesting with BackTrack.' (http://www.offensive-security.com/penetration-testing-backtrack-online-training.php) As a reminder, PWB is described by Offensive Security as, An online course designed for network administrators and security professionals who need to get acquainted with the world of offensive security. This penetration testing course introduces the latest hacking tools and techniques, and includes remote live labs for exercising the material presented to the students. This course gives a solid understanding of the penetration testing process, and is equally important for those wanting to either defend or attack their network. The course can be taken from your home, as long as you have a modern...
Review: Penetration Testing with BackTrack by Offensive Security Part 3
'Pentesting with BackTrack.' (http://www.offensive-security.com/penetration-testing-backtrack-online-training.php) As a reminder, PWB is described by Offensive Security as, An online course designed for network administrators and security professionals who need to get acquainted with the world of offensive security. This penetration testing course introduces the latest hacking tools and techniques, and includes remote live labs for exercising the material presented to the students. This course gives a solid understanding of the penetration testing process, and is equally important for those wanting to either defend or attack their network. The course can be taken from your home, as long as you have a modern...
SSHliders
Salutations, challenge fans! Ed Skoudis here, ready to introduce our newest challenge. Jim Shewmaker, SANS Instructor and creator of the Netwars Capture the Flag Competition (http://www.sans.org/netwars/), has taken the keyboard this time, creating an awesome challenge for you based on the TV show, Sliders. It's got some fun twists and turns, and includes jumps to parallel universes! What's not to like? Have fun unwrapping this mystery. As always, we'll choose three winners: the best technical one, a creative entry that is also technically correct, and a random draw. Even if you don't know all the answers or can only guess,...
August 2009 Free Giveaway Winners - IronKey
IronKey S200 (https://www.ironkey.com/l-secure-flash-drive?ik_c=s200_launch ik_s=ethicalhacker ik_t=banner ik_ad=true), the World's Most Physically and Cryptographically Secure USB Flash Drive!
And the winners are... Negrita, Dengar13, Oyle, ChrisG, Manu Zacharia (-M-), jimbob, blackazarro, slimjim100, dalepearson, BillV, xXxKrisxXx, g00d_4sh, Kev, Andrew Waite, sgt_mjc, awesec, jason, Ketchup, Jhaddix, timmedin. As an extra bonus, I have asked all of the above members to be on our Community Board of Advisors. This is an informal group that I will rely on in matters concerning the growing community we have all created. Each of the winners has devoted a lot of their time and efforts in making this community...
Prison Break - Breaking, Entering and Decoding - Answers and Winners
Hello, challenge fans! This is Raul Siles, author of the “Prison Break - Breaking, Entering and Decoding” (content/view/268/2/) EH-Net challenge, here to announce the answers and winners for this tough competition. BTW, the answers for this challenge were released to The Informer (http://ihackcharities.org/category/informer-blog/) subscribers a few days ago. EH-Net had teamed with The Informer; in Johnny Long's words, "(It is) a fund raising effort run by Hackers For Charity. It is designed to give subscribers a backstage pass to the world of Information Security." For $54 per year, subscribers get early, exclusive access to all sorts of...
Book Review: Professional Penetration Testing
EH-Net Exclusive - Free Download of Chapter 4: Setting Up Your Lab
Review by Andrew Waite, EH-Net Member, InfoSanity.co.uk (http://www.infosanity.co.uk/)
When I first heard about Thomas Wilhelm's new book in my Twitter feed, the title immediately caught my attention, 'Professional Penetration Testing: Creating and Operating a Formal Hacking Lab.' As I'm currently trying to build up my own training and testing environment, this tome promised to provide answers to all my questions. A quick Google search to learn more and a useful discussion right here in the EH-Net Forums (component/option,com_smf/Itemid,54/topic,4514.0/) left me...
Video Tutorials: New BeEF Hotness with Metasploit and Samurai
A new version of the Browser Exploitation Framework (BeEF) (http://www.bindshell.net) has been released. This new release incorporates both my code from my Security B-Sides update of the ChicagoCon Talk Cain Beef Hash: Snagging Hashes without Popping Boxes as well as RSnake and Jabra's modules presented at Defcon. Enclosed in this update are some videos describing how to use the modules that I created which allow for realtime interaction with Metasploit (http://www.metasploit.org). These modules directly communicate with Metasploit to setup the modules which will be used in further browser exploitation. These videos demonstrate how to use the RSnake...
Review: Penetration Testing with BackTrack by Offensive Security Part 2
'Pentesting with BackTrack' (previously known as Offensive Security 101) (http://www.offensive-security.com/penetration-testing-backtrack-online-training.php) is an online course designed for network administrators and security professionals who need to get acquainted with the world of offensive security. This penetration testing course introduces the latest hacking tools and techniques, and includes remote live labs for exercising the material presented to the students. This course gives a solid understanding of the penetration testing process, and is equally important for those wanting to either defend or attack their network. The course can be taken from your home, as long as you have a modern computer with high speed...
Interview: Peter Giannoulis of The Academy Pro on eLearnSecurity
Review by Jason Haddix
If anyone hasn't seen or used The Academy Pro, then you're missing out on an incredibly valuable resource. Peter Giannoulis and friends have put together 400+ videos on setting up and getting the most out of all our *favorite* security technologies. Need to set up IronPort? They have a video. GFI Languard? They have a video, too. Need pentest tool tips? They have over 70 different VA/Pentest video tutorials. Heck, they have our Security Aegis videos.
Last month, Peter started the buzz on a new training class he will be offering. It’s called eLearnSecurity. So far we know it...
Review: Penetration Testing with BackTrack by Offensive Security Part 1
'Pentesting with BackTrack' (previously known as Offensive Security 101) (http://www.offensive-security.com/penetration-testing-backtrack-online-training.php) is an online course designed for network administrators and security professionals who need to get acquainted with the world of offensive security. This penetration testing course introduces the latest hacking tools and techniques, and includes remote live labs for exercising the material presented to the students. This course gives a solid understanding of the penetration testing process, and is equally important for those wanting to either defend or attack their network. The course can be taken from your home, as long as you have a modern computer with high speed...
August 2009 Free Giveaway Sponsor - IronKey
IronKey S200 (https://www.ironkey.com/l-secure-flash-drive?ik_c=s200_launch ik_s=ethicalhacker ik_t=banner ik_ad=true), the World's Most Physically and Cryptographically Secure USB Flash Drive!
Granted the Top 10 are pretty much decided, but there is also plenty of room for newcomers to get one as well. To try to make it even more fair (since we got a late start), we are going to extend the deadline. So instead of this Free Monthly Giveaway ending at the close of August, we are going to extend it until Friday the 18th of Sept. At midnight CDT, I will grab the Top 20 List, and that's who wins. If there...
July 2009 Free Giveaway Winner of EC-Council's iClass
We Have a Winner!
Certified Ethical Hacker seat delivered via its iClass format (http://iclass.eccouncil.org/index.php?option=com_content view=article id=69 Itemid=102), both concerns have been taken care of for you. iClass is EC-Council’s live, online, instructor-led training modality! There are two delivery formats: 1. FlexClass: This schedule is designed to spread the learning out over a period of time and avoid missing a full week’s worth of work. The times are 4pm – 8pm, MST twice a week for 5 weeks. 2. iWeek: This schedule is similar to the standard 5 day format found at the majority of training centers. The times are 8am –...