Escaping from the Keyboard and Survival Books
On days when I have spend too many hours on the keyboard, straining my eyes staring at the beautifully lit pixels, I escape by heading out to the wilderness to my survival skills. Sometimes Mother Nature is kind on these endeavours, and then other times, well they become unpleasant. No matter if the last escape was sunny and warm, or wet, frigid and miserable; the call of the wild continues to calls me back. To ensure that my skills always increase, I continually add books to my ever growing library, before each adventure.
One of the books I have and recommend as good Survival basics book is The Complete Wilderness Training Manual by Hugh Manners. This book is only 190+ pages; however there are good explanations and coloured pictures covering a number of topics ranging from Basic Equipment, Finding Water, Creating Fire and Finding Food in a range of environments. One of the sections that stand out with this book, is the Using Vehicles section which covers truck selection and other modes such as Motorcycles and Bicycles and animals. Over all this a a great primer for survival and is sponsored Boy Scouts of America Guide.
Remember, once you read the book, you must get out and practice.
Support of the Hackers for Charity
Show your support of the Hackers for Charity on Twitter.
If you are unfamiliar with Hackers for Charity, HFC is an non-profit organisation that proves hackers who have the essential skills that charitable organisations need to maintain an electronic front.
For more information or to get involved, please visit http://www.hackersforcharity.org
- Matthew
The US Cyber Security “Call To Arms”
Quick post about the recent news headlines of ranging from Conficker, Twitter Worms and China Attacks against everything from the Electric Grids, Spy Planes and NYPD, both the US and the Information Security World is sounding a “CALL TO ARMS” or Hackers Wanted.
- FoxNews – Feds Seeking Computer Hackers to Secure Nation’s Network
- Both Sandia National Labs and General Dynamics have both recently posted Red Team Positions, with the anticipation of more to come.
- IMDB has listed an unofficial Hackers 3:
- Ed Skoudis stated that “”We need to really encourage young people, high school kids, college students, to embrace cyber security as a field.”
What can you do to help?
Bringing in the New Year with Certification Advise
A lot has been happening since my last post, between holidays, college, training and work, I have not been able to find too much time to add any valuable content.
To hopefully help this, I have finalized an article that I drafted last year but never had time to finish it. It’s intend is to provide some insight and thoughts around the Information Security Professional Certifications that are currently being offer. It is not an inclusion list of all the certification, nor is it a debate which certification is better. It simply is a holistic view of the certification paths and a way to help add value.
Please feel free to provide feedback.
Happy New Year
Matthew S. Becker
Career Advise For Penetration Tester/White Hat Hacker
Last week, a common question was posted on the seclist.org website where Chip Panarchy ask which tools and certifications would be beneficial in learning to help to become a “white hat hacker/pen tester”. (Which a great in itself to see the interest of this field continue to grow.) This post received several great replies that ranges from a very specific tool listings to check out the Top 100 Network Security Tools Listing. Each post gave a valuable amount resources that not only helped Mr. Panarchy, but also other Penetration Testers alike.
The most interesting (and could be argued the most valuable) post was by a member named J. Oquendo, who did not follow the suit of list any tools at all, instead raised some very significant points of value in regards to becoming distinguished Penetration Tester.
I have highlighted some of the most valid points and added some commentary below:
Take the time to learn the protocols, how things work, learn how intercommunications work before attempting to just download every tool you can find.
In the “hacker” world, this is what differentiates a “5(R1P7 |<1DD13″ from the “L337″ or “UB3R” H4X0R5.
Understand how processes communicate with each other, how and why things happen. Its easier down
the road to understand what is going on in terms of security. One doesn’t need uber tools if one knows what they’re doing from the protocol level on up.
It has been in my experience that this is one the most crucial items, without understanding how each device communicates can you fully understand how the exploit works? Could you advise a remediation act?
Suggestion: Learn networking, learn systems, learn protocols otherwise you end up devaluing the works Understanding the entire range of the what you are doing is better in the long run, think about it, if I hired you to perform a pentest on my network and you couldn’t explain to me what it is you intend on looking for, how it works in my network, what functions my vulnerabilities perform, why I should remove these functions, I’d sit back in my desk and think the script kiddiot in you.
This comment can be looked at in two ways, first if you are hired for a pen test, your understanding of the technology is a direct representation of yourself. Secondly, what if you are the first penetration tester that a company has hired, and you have not taken the time to learn the essentials. The image that you represent is not only the your reputation, but it can represent the entire field of penetration testers.
Too many (quote) professional pentesters have been taking this attitude: “I use Cenzic!@$” that it makes me wonder where this industry is headed. It also makes me think about how many vulnerabilities unclued pentesters can bring into an environment.
Lastly, there is not one school or certification that can be taken that will turn you into a penetration tester/white hat hacker within a week and a test. They can only be used a stepping stones toward a long and laborious journey.
In closing… Becoming a distinguished Penetration Tester/White Hat Hacker is laborious journey and hours and hours of learning and sacrifice, that is both challenging and rewarding. This is the reason why some of the biggest and brightest minds are among the Penetration Testing/White Hat Hacker “Society”.
Matthew S. Becker
Multiple Uses for WinPcap
In a search to find an automated tool that will build network topologies from saved packet capture, I ran across this web site that is a partial list of the many uses of the neighborhood friendly WinPcap.
I am still on my search for a way to automate a topology build from a packet capture (Windows or Linux). If you have any ideas, please post your comments.
Matthew “The Security Zealot” Becker
Linkedin Will Allow Group Discussion Forums
To revisit an post that I posted called A Need for More Features in LinkedIn Groups which I sent an e-mail to Linkedin asking to allow for the groups to send questions to one another, it has just been announced that it has finally happened.
Dear Matthew,
First, thank you for managing your group on LinkedIn. We sincerely appreciate the time and effort you devote to your members, and we know they value it. Together you have made Groups one of the top features on LinkedIn.
This Friday, we will be adding several much-requested features to your group:
- Discussion forums: Simple discussion spaces for you and your members. (You can turn discussions off in your management control panel if you like.)
- Enhanced roster: Searchable list of group members.
- Digest emails: Daily or weekly digests of new discussion topics which your members may choose to receive. (We will be turning digests on for all current group members soon, and prompting them to set to their own preference.)
- Group home page: A private space for your members on LinkedIn.
We’re confident that these new features will spur communication, promote collaboration, and make your group more valuable to you and your members. We hope you can come by LinkedIn on Friday morning to check out the new functionality and get a group discussion going by posting a welcome message.
Sincerely,
The LinkedIn Groups Team
Great Job.
Matthew “The Security Zealot” Becker
Ultimate Penetration Testing Lab Kit (UPTLK)
In an attempt to build Ultimate Penetration Testing Lab Kit (UPTLK), I have started a list of tools, Live CD, Penetration Testing Labs and websites. After looking at it I decided that this maybe a good list for a penetration testing at any level. I am sure that I have not covered every item or I may have missed something; if you see something I missed please add to by commenting.
Sexy Hacking?
Odd as it may sound but a company Edgeos has put every geeks (well a large percentage) together Nmap and womanly curves. Check it out the “Damsels Causing Distress” here.