CCCure: CISSP Training (Certified Information Systems Security Professional)
Security Kaizen Magazine Issue 4 is released
Posted by boss on Friday, 03 February 2012 @ 14:52:58 EST (37 reads)
Topic Training News

cdupuis writes "
Security Kaizen Magazine Yearly issue.
An issue that you shouldn't miss

In Egypt: 30% discount coupon for EC-Council courses inside the printed copy.

Printed Copy Request
Coming Soon : Arabic Version


"



Modeling Security Pentests - New Issue of WebAppPentesting is Out!
Posted by boss on Wednesday, 25 January 2012 @ 12:54:16 EST (132 reads)
Topic Hakin9

Anonymous writes "

Inside Web App Pentesting:

Open Source Web Application Security Testing Tools by Vinodh Velusamy

The author shows the significance of open source web application security testing tools. As he claims: "When you choose and use good tools, you'll know it. Amazingly, you'll minimize your time and effort installing them, running your tests, reporting your results – everything from start to finish.

Most importantly, with a good web vulnerability scanner you'll be able to maximize the number of legitimate vulnerabilities discovered to help reduce the risks associated with your information systems.
At the end of the day and over the long haul, this will add up to considerable business value you can't afford to overlook."

More Articles:

- Modeling Security Penetration Tests with Stringent Time Constraints by Alan Cao
- The Puzzle Pieces by Daniel Clemens
- WebAppSecurity for Newbies part 2 by Herman Stevens
- Web Application Common Vulnerabilities – Part I by Bryan Soliman
- CYBER STYLETTO by Mike Brennan and Richard Stiennon


SUBSCRIBE NOW AND GET 2 AMAZING E-BOOKS!

1. CISO's Guide to Penetration Testing: A Framework to Plan, Manage, and Maximize Benefits details the methodologies, framework, and unwritten conventions penetration tests should cover to provide the most value to your organization and your customers.

2. In his new book "Save the Database, Save the World!" John Ottman captures the essence of the threats we face to the information that drives business. Organized crime, underhanded competitors and even foreign governments are looking to gain any financial, competitive or operational advantage and these enemies are going directly after the databases and the applications that access data.

After subscribing contact katarzyna.zwierowicz@software.com.pl with "WAPT" in the title of the message.

You can visit us at: http://www.pentestmag.com

"



Sykipot variant hijacks DOD and Windows smart cards
Posted by boss on Monday, 23 January 2012 @ 09:49:17 EST (112 reads)
Topic Virus

cdupuis writes "
January 12th, 2012 | Posted by jaime.blasco 

Defenses of any sort, virtual or physical, are a means of forcing your attacker to attack you on your terms, not theirs. As we build more elaborate defenses within information security, we force our attacker’s hand. For instance, in many cases, implementing multi-factor authentication systems just forces the attacker to go after that system directly to achieve their goals. Take the breach at RSA, for example. It has been attributed to attackers who needed the SecurID information to go after their real targets in the defense industry.

Recently, our lab has been talking about Sykipot:

 

As we discussed, this malware has been used to launch targeted attacks via "spear phishing" campaigns against targets mainly in the US, since around 2007. According to our research, these attacks originate from servers in China with what appears to be the purpose of obtaining information from the defense sector: the same sector that makes extensive use of PC/SC X.509 smart cards for authentication.

Smartcards have a long history of usage in the Defense Sector, for both physical and information access management, and historically have merely forced attackers to route around the smartcard authentication system through other, more vulnerable attack vectors.

It should come as no surprise, then, that we recently discovered a variant of Sykipot with some new, interesting features that allow it to effectively hijack DOD and Windows smart cards. This variant, which appears to have been compiled in March 2011, has been seen in dozens of attack samples from the past year.

Like we have shown with previous Sykipot attacks, the attackers use a spear phishing campaign to get their targets to open a PDF attachment which then deposits the Sykipot malware onto their machine (the attackers here took advantage of a zero-day exploit in Adobe). Then, unlike previous strains, the malware uses a keylogger to steal PINs for the cards. When a card is inserted into the reader, the malware then acts as the authenticated user and can access sensitive information. The malware is controlled by the attackers from the command & control center.

Click Here to get a whole lot more details on the attack

"



SOPA and PIPA -- What's in it for you
Posted by boss on Thursday, 19 January 2012 @ 14:20:31 EST (227 reads)
Topic Law & Legalities

cdupuis writes "

As seen on one of my hosting company mailing list:

Greetings Site5 Customers!

The U.S. Congress is currently considering two bills -- one in the House of Representatives called SOPA (Stop Online Piracy Act) and another in the Senate called PIPA (Protect IP Act). These bills both attempt to use similar methods to further criminalize and police intellectual property infringement. Although protecting intellectual property is important, these bills would use heavy-handed tactics that would censor and splinter the Internet.

SOPA and PIPA would grant the U.S. government the ability to block almost any website on the Internet if the site is perceived to be an "infringing site." Search engines would be required to remove the site from their search listings, payment processors and advertisement networks would be forbidden from doing business with the site, and ISPs could be forced to block access to the site for Americans. The bill provides little detail about what would constitute an infringing site, which makes the potential for abuse far greater. We have already seen how these kinds of systems can be abused. In 2010, ICE (Immigration and Customs Enforcement) mistakenly seized a domain name belonging to a music blog and labeled it as a "rogue site" — the domain name was not returned until a year later (source: http://nyti.ms/uF73mZ). If you would like to see a video explanation of how the bill works and its dangers, please go here: http://vimeo.com/31100268

Site5 has publicly declared our opposition to both bills, and we encourage you to do the same. Contact your representatives in Congress to let your opposition to these bills be known! To locate the contact information for your representatives, visit one of the following websites:

http://www.contactingthecongress.org
http://www.grassroutes.us/sopa

If you're located outside the United States, you can let your voice be heard as well by sending your thoughts via this website:

http://americancensorship.org

Another way to get involved in the fight against SOPA and PIPA is to join in on the blackouts. Many well-known websites such as Wikipedia, Google, and Reddit are demonstrating their opposition, and you can too. Site5 has sponsored a WordPress plugin for participating in blackouts, and it features an easy setup and configuration options within the WordPress admin area:

http://wordpress.org/extend/plugins/sopa-blackout-plugin/

We feel very strongly that the future of the Internet is at stake, and we urge everyone to get involved!

Thanks,

The Site5 Management Team

"



DARPA set to develop super-secure "cognitive fingerprint"
Posted by boss on Wednesday, 18 January 2012 @ 10:26:03 EST (211 reads)
Topic Cryptography

cdupuis writes "

 

Developers at the Defense Advanced Research Projects Agency want to build information technology security [1] that goes beyond simply recognizing complex passwords but rather gets in your head to confirm your identity before you get access or continue to have access to important information.

Specifically, the agency's Active Authentication program looks to develop what DARPA calls "novel ways of validating the identity of the person at the console that focus on the unique aspects of the individual through the use of software-based biometrics."


Biometrics is defined as the characteristics used to uniquely recognize humans based upon one or more intrinsic physical or behavioral traits. Active Authentication focuses on the computational behavioral traits that can be observed through how we interact with the world. Just as when you touch something with your finger you leave behind a fingerprint, when you interact with technology you do so in a pattern based on how your mind processes information, leaving behind a "cognitive fingerprint," DARPA said in officially announcing the contracting process for the program.

DARPA had talked about Active Authentication [3] at its Colloquium on Future Directions in Cyber Security meeting last October: "Active Authentication program to tie identity to level of access within system. You're the key to your system. Want to make machine aware of its operator and are working towards systems managing authentication invisibly in the background." Such new systems might look at the unique words a user types or examine length of sentences and use of punctuation to determine user authenticity, said DARPA program manager Richard Guidorizzi at the meeting.

In its current announcement [4] DARPA stated: "The current standard method for validating a user's identity for authentication on an information system requires humans to do something that is inherently difficult: create, remember, and manage long, complex passwords. Moreover, as long as the session remains active, typical systems incorporate no mechanisms to verify that the user originally authenticated is the user still in control of the keyboard. Thus, unauthorized individuals may improperly obtain extended access to information system resources if a password is compromised or if a user does not exercise adequate vigilance after initially authenticating at the console."


DARPA said the current Broad Agency Announcement will address the first phase of what it says will be a three phase development program.  In the first phase, the focus will be on researching biometrics that does not require the installation of additional hardware sensors. Rather, DARPA will look for research on biometrics that can be captured through the technology already in use in a standard DoD office environment, looking for aspects of the "cognitive fingerprint." A heavy emphasis will be placed on validating any potential new biometrics with tests to ensure they would be effective in large scale deployments.

Some examples of the computational behavior metrics of the cognitive fingerprint include:

  • keystrokes
  • eye scans
  • how the user searches for information (verbs and predicates used)
  • how the user selects information (verbs and predicates used)
  • how the user reads the material selected
  • eye tracking on the page
  • speed with which the individual reads the content
  • methods and structure of communication (exchange of email)

The later planned phases of the program will focus on developing a system that integrates any available biometrics using a new authentication platform suitable for deployment on a standard desktop or laptop. The authentication platform is planned to be developed with open Application Programming Interfaces (APIs) to allow the integration of other software or hardware biometrics available in the future from any source, DARPA stated. 

The Active Authentication program is just one of DARPA's many plans to improve system security. At its Colloquium meeting the agency reminded everyone that it had a big hand in creating the Internet and now it wants to get serious about protecting it. DARPA Director Regina Dugan said that since 2009, the agency has steadily increased its cyber research efforts and its budget submission for fiscal year 2012 increased cyber research funding by $88 million, from $120 million to $208 million. In addition, over the next five years, the agency plans to grow its top-line budget investment in cyber research from 8% to 12%.

Follow Michael Cooney on Twitter: nwwlayer8 [6]  and on Facebook [7]

Links:
[1] http://www.networkworld.com/community/blog/who-really-sets-global-cybersecurity-standard
[2] http://www.networkworld.com/slideshows/2011/120111-security-layer8.html?ap1=rcb
[3] http://www.networkworld.com/community/blog/darpa-detail-program-radically-alters-securit
[4] https://www.fbo.gov/index?s=opportunity&mode=form&id=093ec9cdad8d8dc49e08855eae680084&tab=core&_cview=1
[5] http://www.networkworld.com/slideshows/2011/050911-anniversary-timeline.html?ap1=rcb
[6] http://twitter.com/NWWlayer8
[7] http://www.facebook.com/pages/Layer-8-By-Michael-Cooney/133875286655670
[8] http://www.networkworld.com/slideshow/25895
[9] http://www.networkworld.com/community/blog/nasa's-alternative-space-station-rocks-your-smartphone
[10] http://www.networkworld.com/community/blog/x-prize-offers-10m-competiton-build-star-trek-medical-tricorder
[11] http://www.networkworld.com/community/blog/who-are-go-cybersecurity-help-groups
[12] http://www.networkworld.com/community/blog/quick-look-creation-computer-language-translation-efforts-58-years-ago-month
[13] http://www.networkworld.com/community/blog/nasa-set-mars-bound-spacecrafts-biggest-thruster-blast
[14] http://www.networkworld.com/community/blog/epa-wants-your-environment-pictures-issues-public-photo-challenge
[15] http://www.networkworld.com/community/blog/thick-martian-dust-makes-nasa-pick-sunnier-locale-mars-rover
[16] http://www.networkworld.com/community/blog/dept-energy-developing-project-reinforce-grid-cybersecurity
[17] http://www.networkworld.com/community/blog/nasa-2012-its-really-not-end-world-we-know-it
[18] http://www.networkworld.com/community/blog/murder-it-security-and-other-mysteries-stories-layer-8-2011

"

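As an added illustration of the "cognitive fingerprint" idea in the post above (this is not DARPA's code and not part of the original article), the following Python builds a keystroke-dynamics profile from a user's enrollment sessions and then re-scores later keystrokes, including a session that is taken over mid-way by someone else. The feature set (key dwell time and digraph flight time), the mean |z-score| distance, the MIN_SPREAD_MS and THRESHOLD constants, the synth_session helper and all timing data are constructed assumptions for the example.

```python
"""Added example: keystroke-dynamics profile for continuous ("active") authentication.

Not DARPA's code. All timings are constructed sample data; the feature set
(key dwell time, digraph flight time), the z-score distance and the two
threshold constants are assumptions chosen for illustration.
"""
from statistics import mean, pstdev

MIN_SPREAD_MS = 5.0   # assumed floor on per-feature std-dev (a very regular typist is not over-fitted)
THRESHOLD = 3.0       # assumed decision boundary on the mean |z| distance


def features(events):
    """Extract timing features from a list of (key, press_ms, release_ms) events.

    Returns {("dwell", key): [ms, ...], ("flight", prev_key + key): [ms, ...]}.
    Dwell = how long a key is held; flight = gap between releasing one key
    and pressing the next. Both need no extra hardware, only the keyboard.
    """
    feats = {}
    for i, (key, down, up) in enumerate(events):
        feats.setdefault(("dwell", key), []).append(up - down)
        if i > 0:
            prev_key, _, prev_up = events[i - 1]
            feats.setdefault(("flight", prev_key + key), []).append(down - prev_up)
    return feats


def build_profile(sessions):
    """Pool features across enrollment sessions into {feature: (mean, std)}."""
    pooled = {}
    for session in sessions:
        for k, vals in features(session).items():
            pooled.setdefault(k, []).extend(vals)
    return {k: (mean(v), max(pstdev(v), MIN_SPREAD_MS))
            for k, v in pooled.items() if len(v) >= 2}


def distance(profile, events):
    """Mean |z-score| of the session's features against the profile.

    Lower means "more like the enrolled user". Returns None when the session
    shares no feature with the profile (e.g. only unseen keys), so a caller
    treats it as "no evidence" rather than "authentic".
    """
    zs = []
    for k, vals in features(events).items():
        if k in profile:
            mu, sd = profile[k]
            zs.extend(abs(v - mu) / sd for v in vals)
    return mean(zs) if zs else None


def is_enrolled_user(profile, events, threshold=THRESHOLD):
    d = distance(profile, events)
    return d is not None and d < threshold


def continuous_check(profile, events, window=8):
    """Re-verify the operator over each window of keystrokes.

    Returns one boolean per window; a run of False after an initial True is
    the "someone else took over an authenticated session" case that a
    one-time login check cannot see.
    """
    return [is_enrolled_user(profile, events[i:i + window])
            for i in range(0, len(events) - window + 1, window)]


def synth_session(text, dwell_ms, flight_ms, jitter):
    """Constructed sample data: type `text` with near-constant timing,
    perturbed by the cycled `jitter` list so sessions are not identical."""
    events, t = [], 0
    for i, ch in enumerate(text):
        j = jitter[i % len(jitter)]
        down = t
        up = down + dwell_ms + j
        events.append((ch, down, up))
        t = up + flight_ms + j
    return events


PHRASE = "secret phrase"
# Enrollment: three constructed sessions from the legitimate user (fast, consistent typist).
ENROLL = [synth_session(PHRASE, 80, 110, [0, 4, -3, 2, -5]),
          synth_session(PHRASE, 80, 110, [3, -2, 5, -4, 1]),
          synth_session(PHRASE, 80, 110, [-1, 2, 0, 3, -3])]
GENUINE = synth_session(PHRASE, 80, 110, [2, -4, 1, 5, -2])    # same user, a new session
IMPOSTOR = synth_session(PHRASE, 140, 220, [1, -3, 4, 0, 2])   # same text, different rhythm
PROFILE = build_profile(ENROLL)

if __name__ == "__main__":
    print("genuine :", round(distance(PROFILE, GENUINE), 2), is_enrolled_user(PROFILE, GENUINE))
    print("impostor:", round(distance(PROFILE, IMPOSTOR), 2), is_enrolled_user(PROFILE, IMPOSTOR))
    # A session that starts as the enrolled user and is then taken over at the keyboard.
    takeover = GENUINE + [(k, d + 5000, u + 5000) for k, d, u in IMPOSTOR]
    print("windows :", continuous_check(PROFILE, takeover))
```

Two practical points the DARPA text only hints at: the distance floor (MIN_SPREAD_MS) matters because a profile built from a few very regular sessions would otherwise reject normal variation, and the "no overlap" case returns None rather than a pass, so an attacker typing only keys the profile has never seen gains nothing from the gap.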


New Issue of PenTest Extra Magazine is available
Posted by boss on Monday, 16 January 2012 @ 11:34:15 EST (167 reads)
Topic Hakin9

cdupuis writes "
New Issue of PenTest Extra Magazine is available! Download the Free Sample Issue to check the content and read Free article, just click here.

Read free article "XSS & CSRF: Practical exploitation of post-authentication vulnerabilities in web applications" by Marsel Nizamutdinov. The goal of this article is to demonstrate the real danger of post-authenticated vulnerabilities. The author will not explain the basics of web application attacks in this article, as that has already been done many times before by others. He will focus on a practical way to exploit post-authentication XSS's and CSRF, which remain a highly underestimated attack vector in the security scene.

Inside:
  • XSS & CSRF: Practical exploitation of post-authentication vulnerabilities in web applications by Marsel Nizamutdinov
  • Discovering Modern CSRF Patch Failures by Tyler Borland
  • Business Logic Vulnerabilities via CSRF by Eugene Dokukin
  • XSS Using Shell of the future by Sow Ching Shiong
  • Cross-Site Request Forgery by Jamie
  • Security Resolutions for 2012 by Rishi Narang
  • Interview with Peter N. M. Hansteen by PenTest Team

Get For Free "The Book of PF" by Peter N. M. Hansteen! Buy annual subscription of PenTest and receive:
  • Free Ebook "The Book of PF: A No-Nonsense Guide to the OpenBSD Firewall" worth $30.00. Today's system administrators face increasing challenges in the quest for network quality, and The Book of PF can help by demystifying the tools of modern *BSD network defense. But, perhaps more importantly, because we know you like to tinker, The Book of PF tackles a broad range of topics that will stimulate your mind and pad your resume, including how to:
    • Create rule sets for all kinds of network traffic, whether it is crossing a simple home LAN, hiding behind NAT, traversing DMZs, or spanning bridges
    • Use PF to create a wireless access point, and lock it down tight with authpf and special access restrictions
    • Maximize availability by using redirection rules for load balancing and CARP for failover
    • Use tables for proactive defense against would-be attackers and spammers
    • Set up queues and traffic shaping with ALTQ, so your network stays responsive
    • Master your logs with monitoring and visualization, because you can never be too paranoid
If you buy a PenTest annual subscription, you will receive 48 issues of PenTest per year and get:
  • PenTest (release date: 1st of each month) – 50 pages of content dedicated to penetration tests, few regular columns written by specialists
  • PenTest Extra (release date: 15th of each month) – 50 pages of strictly topical content dedicated each time to different hot topic
  • Mobile Pentesting (release date: 7th of each month) – 40 pages of content dedicated to latest mobile topics
  • Web App Pentesting (release date: 22nd of each month) – 40 pages of content dedicated to web application topics
Buy an annual subscription and contact us at krzysztof.marczyk@software.com.pl. We will take care of everything for you!


Contact PenTest team!
Please spread the word about PenTest magazine!

Enjoy reading!
Krzysztof Marczyk & PenTest team
mailto:olga.glowala@software.com.pl
PenTest Magazine

"

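The "post-authentication" and "CSRF patch failure" themes of the issue above lend themselves to a concrete check. The following Python is an added example, not taken from any of the magazine articles: a CSRF token check carrying two common patch failures beside a hardened version, and a constructed post-authentication XSS scenario showing why a token alone does not help once script runs in the application's own origin. SERVER_KEY, SITE_ORIGIN, the session ids, the request dict shape and the render_form HTML are all assumptions made for the example.

```python
"""Added example (not from the magazine articles): a CSRF token check with
two classic "patch failure" bugs beside a hardened version, and the
post-authentication XSS case that a token alone cannot stop.

Assumptions: SERVER_KEY is a per-deployment secret, the session id travels in
a "session" cookie, and a request is modelled as a plain dict with the keys
"method", "cookies", "form" and (optionally) "origin".
"""
import hashlib
import hmac
import re
import secrets

SERVER_KEY = secrets.token_bytes(32)        # assumed per-deployment secret
SITE_ORIGIN = "https://app.example"         # assumed application origin
STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}


def issue_csrf_token(session_id):
    """Token bound to the session: HMAC(server_key, session_id).
    No server-side token store is needed; the check simply recomputes it."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def render_form(session_id):
    """What the authenticated user's own page contains (constructed HTML)."""
    return ('<form method="POST" action="/transfer">'
            f'<input type="hidden" name="csrf_token" value="{issue_csrf_token(session_id)}">'
            '<input name="amount"></form>')


def csrf_check_broken(request, issued_tokens):
    """A 'fixed' endpoint that still carries two common patch failures:
    1. the token is validated only when the parameter is present, so a
       forged request simply omits it;
    2. any token the server ever issued is accepted, not the one bound to
       this session, so the attacker submits a token from their own account.
    """
    if request["method"] not in STATE_CHANGING:
        return True
    token = request["form"].get("csrf_token")
    if token is None:                 # bug 1: missing token is not rejected
        return True
    return token in issued_tokens     # bug 2: token not tied to the session


def csrf_check_hardened(request):
    """Require the session-bound token on every state-changing request,
    compare it in constant time, and reject a foreign Origin when present."""
    if request["method"] not in STATE_CHANGING:
        return True
    session_id = request["cookies"].get("session")
    token = request["form"].get("csrf_token")
    if not session_id or not token:
        return False
    if not hmac.compare_digest(token, issue_csrf_token(session_id)):
        return False
    origin = request.get("origin")
    return origin is None or origin == SITE_ORIGIN


def browser_post(form, origin="https://evil.example"):
    """A POST as the victim's browser would send it: the session cookie is
    attached automatically, but a cross-site page cannot read the victim's token."""
    return {"method": "POST", "cookies": {"session": "sess-victim"},
            "form": form, "origin": origin}


def xss_driven_request(page_html):
    """Post-authentication XSS: script already running in the app's origin
    reads the token out of the DOM and sends a same-origin request."""
    token = re.search(r'name="csrf_token" value="([0-9a-f]{64})"', page_html).group(1)
    return browser_post({"amount": "1000", "csrf_token": token}, origin=SITE_ORIGIN)


def run_scenarios():
    """Returns {scenario: (broken_check_accepts, hardened_check_accepts)}."""
    victim_tok = issue_csrf_token("sess-victim")
    issued = {victim_tok, issue_csrf_token("sess-attacker")}
    cases = {
        "legit": browser_post({"amount": "10", "csrf_token": victim_tok}, origin=SITE_ORIGIN),
        "no_token": browser_post({"amount": "1000"}),
        "attacker_token": browser_post({"amount": "1000",
                                        "csrf_token": issue_csrf_token("sess-attacker")}),
        "xss": xss_driven_request(render_form("sess-victim")),
    }
    return {name: (csrf_check_broken(req, issued), csrf_check_hardened(req))
            for name, req in cases.items()}


if __name__ == "__main__":
    for name, (broken, hardened) in run_scenarios().items():
        print(f"{name:15s} broken={broken!s:5s} hardened={hardened}")
```

The broken check accepts all four requests; the hardened one rejects the missing-token and foreign-token forgeries but still accepts the XSS-driven one, because from the server's side that request is indistinguishable from the user's own. That is the practical point behind "post-authentication" vulnerabilities: a CSRF token is a defence against cross-site requests, not against script in the same origin, so an XSS on an authenticated page has to be fixed as an XSS (output encoding, a restrictive Content-Security-Policy), not by adding more tokens.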


Sniffing an SSL Handshake using Wireshark -- Crypto Song
Posted by boss on Sunday, 15 January 2012 @ 13:00:23 EST (312 reads)
Topic Cryptography

cdupuis writes "

My good friend Larry Greenblatt, an instructor extraordinaire and a man of many talents, has created a great song about SSL sniffing using Wireshark. Listen to it on YouTube. See his note below:

I created a music video about Crypto using Wireshark to sniff an SSL handshake with Google. I got some good comments from some Sharkfest presenters and it looks like I am going to present this at Sharkfest 2012 in June!

http://www.youtube.com/watch?v=1dHsj1ZxDto

"



OWASP Long Island Chapter
Posted by boss on Saturday, 14 January 2012 @ 11:43:00 EST (216 reads)
Topic Vulnerabilities

cdupuis writes "

The Open Web Application Security Project (OWASP) is a 501c3 not-for-profit worldwide charitable organization focused on improving the security of application software. Our mission is to make application security visible, so that people and organizations can make informed decisions about true application security risks. Everyone is free to participate in OWASP and all of our materials are available under a free and open software license.

All Long Island chapter meetings are free. Please watch our calendar for upcoming events.

For more info contact:  Helen Gao  (helen.gao@wasp.org)

https://www.owasp.org/index.php/Long_Island

"



Live Online CISSP Boot Camp at 1/2 the price of our Live Classroom Boot Camp
Posted by boss on Wednesday, 21 December 2011 @ 21:45:54 EST (439 reads)
Topic Training News

cdupuis writes "
CISSP ® LIVE OnLine
Secure Ninja cccure.org
Get Certified and Save Big with Secure Ninja's Buy One Get One Promo
  • Accessible from any Location
  • No Daily Commute in traffic
  • No Airfare Fees
  • No Hotel fees
  • Same quality of delivery as a brick and mortar class
  • All sessions are recorded
  • Listen as many times as you wish
  • Do it from the comfort of your home
  • Let Clement guide you to success (pre-present-post mentoring)
  • 5 Day CISSP Immersion Training
  • Award Winning Proprietary Curriculum
  • Highest CISSP Exam Pass Rates
  • Day, Evening, Weekend & Live Online classes to meet your busy schedule
  • Pre/Present/Post Class Paid Account to CCCure Quiz Engine (World's best CISSP 2000+ exam questions)
  • Exclusive CISSP Scenario Based Exam Questions
  • Get DoD 8570.1-M CISSP Compliant
  • WIA (Workforce Investment Act) Approved
  • Veterans Benefits & GI Bill Approved - Welcome Military!
  • Option to resit Live Online CISSP class for up to one (1) year
Clement Dupuis, CD
Your Live Online mentor Before, During & After class
Secure Ninja @ LinkedIn. See us @ YouTube. Like us on Facebook. Follow us on Twitter.

Get Live Online Instructor Led Learning for 1/2 the price of our Classroom Based Boot Camps.
Book it Now
Class is filling fast. Call Enrique to secure your seat today.

Phone: +1 703 535 8600 x16
Mobile: +1 305 467 7436

Enrique@secureninja.com

Secure Ninja
901 North Pitt St. Suite 105
Alexandria, VA 22314
Phone: 703.535.8600
Fax: 703.535.8656
Email : info@secureninja.com
"



WebApp Pentesting for charity
Posted by boss on Wednesday, 21 December 2011 @ 11:47:12 EST (296 reads)
Topic Hakin9

Anonymous writes "
WebAppPentesting Magazine - new December issue is out!

Why don't we start thinking of those who really need help? Please consider helping those who don't have a warm home to spend Christmas in, who suffer hunger when our tables are full of delicious food, who sleep alone in a shelter, or who spend their holidays in hospital.

Download the Free Teaser Issue to check the content and read Free Article, just click here
What's more, inside you can find:
  • Web Application Security for Newbies part 1. By Herman Stevens
  • Web Session Management – reality is a nightmare! By Rishi Narang
  • A chance to ease automated Web Site testing. By Marek Zachara
  • Cyber Security War – offensive vs defensive. By Jatin Jain
  • Web Application Security – Preservation and Hacking. By Priyanka Tomar
  • E-banking ghosts. By Sebastien Bischof and Jean-Marc Bost
  • Mike Brennan and Richard Stiennon “Cyber Styletto”
SUBSCRIBE NOW!
Christmas offer! Receive Ebook, coupon for Cyber Styletto for 99 cents, 6 months Subscription For Free!

If you buy a PenTest annual subscription, you will receive 48 issues of PenTest per year and get:
  • PenTest (release date: 1st of each month) – 50 pages of content dedicated to penetration tests, few regular columns written by specialists
  • PenTest Extra (release date: 15th of each month) – 50 pages of strictly topical content dedicated each time to different hot topic
  • Mobile Pentesting (release date: 7th of each month) – 40 pages of content dedicated to latest mobile topics
  • Web App Pentesting (release date: 22nd of each month) – 40 pages of content dedicated to web application topics
Sounds good, doesn't it?
1. FIRST FIVE subscribers will get a free e-book "Network your Computers and Devices" by Cyprian A. Rusen. Don't let the others take them from you!

Have you ever wondered about a book which can not only help you network your computers and devices step by step, but can also be useful for your relatives? The new Step by Step Network Your Computers and Devices book is a useful tutorial for your whole family.

Visit 7 Tutorial Website
2. For all interested readers we have prepared special coupon for "Cyber Styletto" by Mike Brennan. Get your ebook just for 99 cents!
Special Offer! If you buy 1 Year Subscription, you will get from us Additional Six Months for Free!
CLICK HERE TO SUBSCRIBE
After subscribing contact katarzyna.zwierowicz@software.com.pl with "Subscription" in the title of the message


Buy one year PenTest Subscription until December 25th, 11:59 pm GMT+1, and you’ll get one year of Hakin9 Subscription for free!

Don’t wait for Santa, all is in your hands!

 

 

"



Clement Dupuis, CLO of Secure Ninja on you tube
Posted by boss on Friday, 16 December 2011 @ 19:46:28 EST (389 reads)
Topic OISSG



PenTest Extra Physical Security Issue 4 of 2011
Posted by boss on Thursday, 15 December 2011 @ 20:45:16 EST (438 reads)
Topic Hakin9

cdupuis writes "

New issue of PenTest Extra is out!

Physical Security

 

Guaranteed Access
by Jon Derrenbacker

Everyone has different ideas of what physical security is, what it encompasses, and how to exploit it. It can include a wide range of exploits, many being surprisingly simple. Regardless of method, going after physical security in a PenTest often proves one of the easiest ways to gain access to a network. Sometimes physical exploits are almost looked on as cheating, simply because some of them are so simple, so obvious, and yet completely unprotected.

Let’s Get Physical
by Kent Blackwell
Your boss calls you into his office to inform you a penetration test has been requested by one of your clients. Unlike the bi-annual vulnerability sweeps Company Inc. has previously requested, they have also asked for a physical security assessment as well. You've never performed this kind of test before and by the time you've made it back to your desk your imagination is already running wild with scenarios that wouldn't look out-of-place in a Mission Impossible movie.

The Process Explained from Start to Finish
by Alex Horan
If a security tester, for example, has only a couple of days to test and report on the security posture of a web application, the tester needs to ensure that manual efforts are only devoted to areas of the web application that deserve manual attention. It would be highly inefficient for the tester to spend a third of his or her time simply crawling the application and recording all of the unique URLs associated with the application.

Anatomy of Attack Detection, Without Data!
by Rishi Narang
There has been a constant evolution in the threat landscape and attack vectors. New attacks, malware, malicious packets traverse our network every now and then. The industry has deployed the measures on perimeter, host and virtually anywhere in between. We have IPS, AV, Firewalls and other protection, and detection tools but most of them look for patterns, or as the standards say, do a DPI (Deep Packet Inspection). But the bottleneck hits when these wares start morphing or a slight change in the code, enables the signature writers to add exorbitant amount of code in the product. The overhead on signature writers and pattern matchers is increasing exponentially.

Intelligent Video Surveillance
by Theofanis Kontos
Intelligent video comprises any solution where the video surveillance system automatically performs an analysis of the captured image. Hence, the central idea behind it is that observation and alarm detection do not burden the human personnel any more, but are assigned to computers.

Now What am I forgetting
by Justin Rogosky
The article below details the exploits of a diamond thief who didn’t use a weapon or threat of violence, he came in everyday as a client and became a trusted individual. Normally, engagements don’t allow you to build up the kind of relationship required for this level of access, but being friendly can get you a lot farther than most people realize.

IT Security Books
In recent months a lot of new books in the field of IT security have appeared on the market. We want to introduce you to three of them. "Web Application Security" and "Security Metrics" are part of the "Hacking Exposed" series, which has a good reputation and recognition. The last one, "Securing the Clicks", provides knowledge of network security.

Interview with Patrick Bedwell
by Arao
Patrick Bedwell has more than 14 years experience in the network security and network management industries. He is the vice president of product marketing at Fortinet and is responsible for executing the marketing strategy for Fortinet’s network security products. Prior to joining Fortinet, Patrick held product marketing and product management leadership positions at Arcot Systems, McAfee, SecurityFocus, Network ICE and Network General. Patrick earned an MBA with honors from Santa Clara University and a BA degree in English from the University of California, Berkeley.

"



New Christmas Issue of Hakin9 Extra is out!
Posted by boss on Thursday, 15 December 2011 @ 20:09:07 EST (366 reads)
Topic Hakin9

cdupuis writes "
New Hakin9 Extra is out! This issue is about wireless security with a couple of articles on Managed Code Rootkits and Facebook Forensics to spice things up! So don't hesitate and subscribe now! Take a quick look at the list of articles we've prepared for you or scroll down to read fragments of the articles.
Fake Access Point with Airsnarf by Rishabh Mehta
Wireless hotspots are everywhere. A mobile user can obtain connectivity quickly and easily in a wide variety of public locations.  Some of these hotspots are free and some of them require a fee or subscription.  Either way, you will continue to see how being in a public Wi-Fi hotspot poses the greatest security risk you will find.

WPA2-CCMP Known Plain Text Attack by Domonkos Pal Tomcsanyi
Wireless Standards and Practices by Richard C. Batka
Facebook Forensics by Kelvin Wong, Anthony C. T. Lai, Jason C. K. Yeung, W. L. Lee, P. H. Chan
Managed Code Rootkits by Erez Metula
Short URL by Yaser Alosefer

 

SUBSCRIBE NOW
If you buy a year subscription now you'll get a full version of Network Malware Cleaner by EMCO Software. The offer is valid till the stock lasts so hurry up!
SUBSCRIBE NOW
But that's not all! We've got even more! Are you still looking for Christmas presents? This Christmas share Hakin9 with a friend. If you buy a year subscription of Hakin9 for a friend, you'll get a free year subscription to PenTest and an amazing gift from Hakin9. You can choose one of the following books:

Hard copy:
  • Honeypots: A New Paradigm to Information Security – CRC Publishing
  • Introduction to Cryptography with Open-Source Software – CRC Publishing
  • Security and Policy Driven Computing – CRC Publishing
  • Thor's Microsoft Security Bible – Syngress Publishing
E-book:
  • IPhone Application TuneUp – Packt Publishing
Now, let's see what's in the issue.
1. Fake Access Point with Airsnarf

by Rishabh Mehta

Wireless hotspots are everywhere. A mobile user can obtain connectivity quickly and easily in a wide variety of public locations.  Some of these hotspots are free and some of them require a fee or subscription.  Either way, you will continue to see how being in a public Wi-Fi hotspot poses the greatest security risk you will find.
2. WPA2-CCMP known plain text attack

by Domonkos Pal Tomcsanyi

There hasn’t been much up in the field of WiFi security lately because WPA/WPA2 combined with a strong password is truly secure; even nowadays when people use GPUs to accelerate password cracking it is almost impossible to crack an arbitrary random WPA/WPA2 password that contains numbers, letters and capitals in a reasonable timeframe. Or is it though? Is it really impossible?
3. Wireless Standards And Practices

by Richard C. Batka

When it comes to wireless one of the most important areas are frames. This article will cover how to set up a lab environment to explore one of the four types of wireless management frames: The Beacon.
4. Facebook Forensics

by Kelvin Wong, Anthony C.T. Lai, Jason C. K. Yeung, W. L. Lee, P. H. Chan

Facebook is a well-known social networking application that connects people all over the world. We have carried out various test activities in Facebook and identified footprints and evidence that could be extracted from memory, browser cache and other spaces. In addition, we have tested it with various technology platforms to provide more detailed and comprehensive forensics analysis.
5. Managed Code Rootkits

by Erez Metula

Influencing source code is not a new idea. Injecting malicious code secretly by the compiler or the IDE was introduced a while ago. Using managed code rootkits (MCRs), we can take this kind of attack a bit further, by changing the actual meaning of the compiled code after it was created.
6. Short URL

by Yaser Alosefer

We all know the story of the Trojan Horse, where the Greeks built it to enter the city of Troy. It was an unimaginable trick used to enter Troy after a 10-year siege. In the computer world, hackers use similar tricks to fool the end-users into running their malware.

Please spread the word about Hakin9. The Hakin9 team wishes you good reading!
en@hakin9.org
Hakin9.org
"



2012 looks super promising for Information Security Pros
Posted by boss on Sunday, 11 December 2011 @ 11:00:50 EST (569 reads)
Topic JOBS

cdupuis writes "

Good day everyone,

2012 is at our door and it looks more promising than ever. All of the latest job surveys are showing an increasing demand for Security Professionals and this will continue throughout 2012. Salaries are up for security professionals and the demand is driven by new technologies such as Cloud Security, large-scale compromises within both Government and Commercial sites that have become public, and the realization by some of the largest companies in the world that their systems may be compromised without them even knowing about it. The security landscape is at its highest level ever and people who are SKILLED are required to face the threat. See below an article published on the fantastic website of GovInfo Security at http://www.govinfosecurity.com/p_print.php?t=a&id=4131 . It talks about the top five security jobs in the market. In a separate survey the CISSP was also identified as one of the top five certifications to get in 2012 as well, to match with those jobs. See article below:

5 Hottest Security Jobs in 2012
Security Analyst, Architect Head Top Career Opportunities

Upasana Gupta, Contributing Editor, CareersInfoSecurity
December 9, 2011


Information security is one of those rare fields - it has more job openings than people to fill them. Dice.com, the largest IT job site, confirms this job growth and indicates a 79 percent increase in the total number of information security jobs posted on the site from September 2009 to September 2011.

Based on a review of job postings, here are the five hottest jobs for information security pros in 2012:

Security Analyst

Employers have posted 42 percent more security analyst jobs on Dice in September 2011 than in 2010. This is no surprise, especially when employment among information security analysts soared by 16 percent this year during the second quarter, with the Bureau of Labor reporting no unemployment during the first two quarters of 2011. (see Infosec Joblessness Remains Steady, at 0%).

John Reed, executive director at Robert Half Technology, an IT staffing firm, attributes the high growth to organizations becoming more security aware in light of cyber crimes, and needing hands-on IT security folks to uncover new vulnerabilities in order to keep their environment secure.

"These are individuals on the front lines of security, fighting the fight everyday, and as such are critical for organizations to have," he says.

BLS defines information security analysts as those who plan, implement, upgrade or monitor security measures for the protection of computer networks and information. Information security analysts may ensure appropriate security controls are in place that will safeguard digital files and vital electronic infrastructure, as well as respond to computer security breaches and viruses.


  • Average Salary: $84,000 for a security analyst position.
  • Who's Hiring: Demand is high with federal government, state agencies, defense contractors and healthcare organizations.

Security Architect

Forty percent more jobs are posted on Dice this year. The move to mobile, wireless and cloud services by organizations has created a huge demand for this position, says Mano Paul, (ISC)2 software assurance adviser. These services are pushing the need for a "new breed of architects and business-savvy leaders who understand business requirements, and can translate them into functional specifications without compromising on the assurance aspects," he says.

Dice.com defines a security architect as a professional who designs systems, databases, infrastructure and networks to be secure. They provide information security solutions to the architecture of an enterprise ensuring the security of business information at every point.


  • Average Salary: $120,000 for a security architect position.
  • Who's Hiring: Large financial institutions, healthcare organizations, technology companies and cloud providers.

Application Security

Thirty-three percent more jobs are posted on Dice in application security this year. The increased focus on customer-facing technologies, use of mobile applications, need for secure software and products within organizations and transitions to electronic health records have led to the demand for these jobs.

"High incidences of application attacks, data breaches and applications that are conduits to the data, combined with surge in tech businesses, is pushing growth for qualified professionals," Paul says.

The Open Web Application Security Project, a not-for-profit organization focused on improving the security of application software, defines application security professionals as those that use software and security methods to protect applications from external threats and vulnerabilities. They are largely involved in building security measures into an application's life cycle including design, development, deployment, upgrade or maintenance.


  • Average Salary: $93,000 for an application security position.
  • Who's Hiring: Online companies, technology firms, cloud providers and security vendors.

Security Engineer

Employers have posted 27 percent more security engineer jobs on Dice this year. This field is hot because the role is broad and covers areas from penetration testing, vulnerability assessments, programming, designing systems to testing software. "It's not like a painting on the wall that you hang up and it's done. Organizations need constant assessment of their risk and vulnerabilities, and therefore require such breadth of expertise," Reed says.

BLS defines security engineers as those who securely design, develop, test and evaluate computer applications and system software. Although programmers write and support programs in new languages, much of the design, security and development are the responsibility of security engineers. They also focus on developing algorithms, and analyzing and solving programming problems for specific network systems.


  • Average Salary: $94,000 for a security engineer position.
  • Who's Hiring: This position is in demand in all sectors, including government, healthcare, finance, in addition to online and technology companies.

Network Security

Twenty-five percent more jobs are posted on Dice within network security this year. Of the 100 jobs that make Money magazine's and Payscale.com's list, network security was ranked number eight last year as one of the most desirable job positions, carrying an annualized 10-year forecast growth of 27 percent.

"Network security continues to be a pain point for companies," says Alice Hill, managing director of Dice.com. She finds that organizations continue to prioritize investing in these professionals to protect critical infrastructure and keep their technology platforms safe from ongoing cyber threats like malware and hacking. Further, she says that the growing use of sophisticated computer networks, including Internet and intranet sites, and the need for faster, more efficient networking products, are increasing the demand for these professionals.

BLS defines network security as those who design and evaluate network systems, such as local area networks, wide area networks and Internet systems. They perform network modeling, analysis, and planning, that deals with the interfacing of computer and communications equipment. Their primary focus is in protecting the computer systems in the network from unwanted intrusions, misuse, access or modifications.


  • Average Salary: $93,000 for a network security engineer position.
  • Who's Hiring: An increased demand is coming from government agencies, healthcare organizations, consulting companies and defense contractors.

Editor's Note: Salaries cited in the story came from salary tracking websites Indeed.com and Payscale.com.

"



(ISC)2 Election of Directors Voting “Irregularities”
Posted by boss on Wednesday, 16 November 2011 @ 22:37:32 EST (503 reads)
Topic ISC2 Org

Anonymous writes "

Dear Colleagues,

There are a few irregularities in the (ISC)2 Process/System today, as noted in the CISSP Forum.

- the (ISC)2 voting instructions posted today omit mention of the “write-in” candidate procedures

- There are five blank lines for “write-in” candidates but only 4 votes count

- the “VOTE” button is missing. There is a button labeled “button”

As information, there are at least two qualified write-in candidates available:
   - Javed Ikbal 
   - Rolf Moulton

 Rolf Moulton, CISSP-ISSMP
 “Write-In”  (ISC)² Board Candidate
 http://www.boardcandidate.com

"



All logos and trademarks in this site are property of their respective owner.
The comments are property of their posters, all the rest © 2007 by CCCure.Org, and the site maintainers Clement Dupuis and Nathalie Lambert. Reuse is strictly prohibited without written permission of CCCure.Org or its maintainers.

This web site is not associated directly or indirectly with ISC2, the SANS Institute, ISACA, or any other certification authority. The GCFW, CISSP, SSCP, ISSEP, ISSMP, CISA, and CISM are all the property of their respective owners. The content of this site is provided to you freely due to the generosity of our sponsors.