Quick post about the recent news headlines of ranging from Conficker, Twitter Worms and China Attacks against everything from the Electric Grids, Spy Planes and NYPD, both the US and the Information Security World is sounding a “CALL TO ARMS” or Hackers Wanted.

• FoxNews - Feds Seeking Computer Hackers to Secure Nation’s Network
• Both Sandia National Labs and General Dynamics have both recently posted Red Team Positions, with the anticipation of more to come.

• IMDB has listed an unofficial Hackers 3:

• Ed Skoudis stated that “”We need to really encourage young people, high school kids, college students, to embrace cyber security as a field.”

What can you do to help?

A lot has been happening since my last post, between holidays, college, training and work,  I have not been able to find too much time to add any valuable content.

To hopefully help this, I have finalized an article that I drafted last year but never had time to finish it.  It’s intend is to provide some insight and thoughts around the Information Security Professional Certifications that are currently being offer.  It is not an inclusion list of all the certification, nor is it a debate which certification is better.  It simply is a holistic view of the certification paths and a way to help add value.

Please feel free to provide feedback.

Happy New Year

Matthew S. Becker

Last week, a common question was posted on the seclist.org website where Chip Panarchy ask which tools and certifications would be beneficial in learning to help to become a “white hat hacker/pen tester”.   (Which a great in itself to see the interest of this field continue to grow.)  This post received several great replies that ranges from a very specific tool listings to check out the Top 100 Network Security Tools Listing.  Each post gave a  valuable amount resources that not only helped Mr. Panarchy, but also other Penetration Testers alike.

The most interesting (and could be argued the most valuable) post was by a  member named J. Oquendo, who did not follow the suit of list any tools at all, instead raised some very significant points of value in regards to becoming distinguished Penetration Tester.

I have highlighted some of the most valid points and added some commentary below:

Take the time to learn the protocols, how things work, learn how intercommunications work before attempting to just download every tool you can find.

In the “hacker” world, this is what differentiates a “5(R1P7 |<1DD13″ from the “L337″ or “UB3R” H4X0R5.

Understand how processes communicate with each other, how and why things happen. Its easier down
the road to understand what is going on in terms of security. One doesn’t need uber tools if one knows what they’re doing from the protocol level on up.

It has been in my experience that this is one the most crucial items, without understanding how each device communicates can you fully understand how the exploit works?  Could you advise a remediation act?

Suggestion: Learn networking, learn systems, learn protocols otherwise you end up devaluing the works Understanding the entire range of the what you are doing is better in the long run, think about it, if I hired you to perform a pentest on my network and you couldn’t explain to me what it is you intend on looking for, how it works in my network, what functions my vulnerabilities perform, why I should remove these functions, I’d sit back in my desk and think the script kiddiot in you.

This comment can be looked at in two ways, first if you are hired for a pen test, your understanding of the technology is a direct representation of yourself.  Secondly, what if you are the first penetration tester that a company has hired, and you have not taken the time to learn the essentials.  The image that you represent is not only the your reputation, but it can represent the entire field of penetration testers.

Too many (quote) professional pentesters have been taking this attitude: “I use Cenzic!@$” that it makes me wonder where this industry is headed. It also makes me think about how many vulnerabilities unclued pentesters can bring into an environment.

Lastly, there is not one school or certification that can be taken that will turn you into a penetration tester/white hat hacker within a week and a test.  They can only be used a stepping stones toward a long and laborious journey.

In closing… Becoming a distinguished Penetration Tester/White Hat Hacker is laborious journey and hours and hours of learning and sacrifice, that is both challenging and rewarding. This is the reason why some of the biggest and brightest minds are among the Penetration Testing/White Hat Hacker “Society”.

Matthew S. Becker

In a search to find an automated tool that will build network topologies from saved packet capture, I ran across this web site that is a partial list of the many uses of the neighborhood friendly WinPcap.

I am still on my search for a way to automate a topology build from a packet capture (Windows or Linux). If you have any ideas, please post your comments.

Matthew “The Security Zealot” Becker

To revisit an post that I posted called A Need for More Features in LinkedIn Groups which I sent an e-mail to Linkedin asking to allow for the groups to send questions to one another, it has just been announced that it has finally happened.

Dear Matthew,

First, thank you for managing your group on LinkedIn. We sincerely appreciate the time and effort you devote to your members, and we know they value it. Together you have made Groups one of the top features on LinkedIn.

This Friday, we will be adding several much-requested features to your group:

• Discussion forums: Simple discussion spaces for you and your members. (You can turn discussions off in your management control panel if you like.)
• Enhanced roster: Searchable list of group members.
• Digest emails: Daily or weekly digests of new discussion topics which your members may choose to receive. (We will be turning digests on for all current group members soon, and prompting them to set to their own preference.)
• Group home page: A private space for your members on LinkedIn.

We’re confident that these new features will spur communication, promote collaboration, and make your group more valuable to you and your members. We hope you can come by LinkedIn on Friday morning to check out the new functionality and get a group discussion going by posting a welcome message.

Sincerely,
The LinkedIn Groups Team

Great Job.

Matthew “The Security Zealot” Becker

In an attempt to build Ultimate Penetration Testing Lab Kit (UPTLK), I have started a list of tools, Live CD, Penetration Testing Labs and websites.  After looking at it I decided that this maybe a good list for a penetration testing at any level.  I am sure that I have not covered every item or I may have missed something; if you see something I missed please add to by commenting.

More»

Odd as it may sound but a company Edgeos has put every geeks (well a large percentage) together Nmap and womanly curves.  Check it out  the “Damsels Causing Distress” here.

Lucky… (Knock on Wood) I have not had to take this advice; however I recently read a fairly detailed blog entry on credit protect in case of a lost wallet or theft.

The blog entry details the alert periods of the three credit reporting agencies as well as the hurdles that Mr. and Mrs. “NCN” had to go through to place a fraud alert on the lost wallet.

There is a new security feature in the setting options of Gmail, an “Always Use https” feature. Not that https is new or that you could use GMail without HTTPS, but no longer will it have to be manually have to type “https://gmail.com”.

To change your settings go to Settings > General > Browser Connection > Always use https .

Even though this is a slow step in the right direction, it still raises some questions? Why isn’t https default? Also, when will https be available the other services that are provide by Google (e.g. iGoogle)? It seems that even if you manual type “https://www.iGoogle.com” it is redirect to http.

As a user of Google, I hope that this is only the beginning of the security features that Google is planning in the NEAR future.

Matthew “The Security Zealot” Becker

A glimpse a hope for the HOPE conference; it has been announced the “Last HOPE” will not truly be the LAST HOPE Conference.

During the closing comments of the “Last HOPE” Emmanuel Goldstein stated the following:

“Despite calling the event this weekend “Last HOPE,” it won’t be the final one; just the most recent one,”

“There will be another one in two years. It will be called “Next HOPE”

So mark your calendars now… and I hope to see you there.

Matthew “Security Zealot” Becker