Security Updates via Twitter
Posted by Jason in Training, Uncategorized on June 20th, 2009
The Twitterverse offers all kinds of gems for offensive security, so I whipped up a short guide on how to leverage Twitter to stay current. Check that out.
Also some very cool stuff has come up:
First up: BackTrack 4 pre-final was released by Muts and the Offensive Security team. Download from:
http://www.remote-exploit.org/backtrack_download.html
Secondly: Chris Eng has a good video on Crypto for Pentesters for OWASP.
Thirdly: A new attack environment based on the OWASP Top 10 vulnerabilities was released and demoed by none other than Adrian Crenshaw (Irongeek), and it’s a nice alternative to WebGoat. Check out the Mutillidae presentation.
Fourth: You remember that Penetration Testing and Vulnerability Analysis class by Dan Guido I was raving about? Well, he has finally released all the course materials online. Go check that out, there is awesome material there.
http://pentest.cryptocity.net/
Fifth (and definitely hot) are the slides from the SANS Pentest Summit, closing thoughts, and Ed Skoudis’ tweets about the conference. Thanks to Ed and SANS, you guys rock.
Lastly, RSnake released a wicked DoS tool called Slowloris for Apache (who runs Apache anyways, right?) and Muts posted some breakdowns on exploiting iTunes…
Good stuff!
Filter Evasion – Houdini on the Wire
Posted by Jason in Uncategorized on June 18th, 2009
In case you didn’t see it, Rob Ragan (HP security) had an awesome presentation on filter evasion and his tool on the IronGeek.com website. Check it out. The audio is a little low, might need to turn up the volume ;)
Heorot.net Pen Test Fundamentals Course Discount!
Posted by Jason in Uncategorized on June 8th, 2009

Just a reminder to all followers that the discount for Heorot.net Penetration Testing Fundamentals Course (and advanced course) will run out soon! Save a hundred bucks on already awesomely priced training =)

Kevin Johnson Interview: Forget Zero Day
Posted by Jason in Uncategorized on May 29th, 2009
Anyone who knows training (or InfoSec for that matter) knows SANS is probably THE most recognized name in InfoSec training. While the foundation of SANS is Stephen Northcutt and Alan Paller, its superstars are the InGuardians crew. Call them security divas, we don’t care. We know that Ed Skoudis, Kevin Johnson, Mike Poor, and Joshua Wright are instructors with whom we’d give the whole of our security budget to train. We can’t decide what we like best: their stellar tool development, their helpful whitepapers, their nifty cheat sheets, their open source projects, or the fact that their courses are the most interesting and engaging we’ve seen.
Web application pen testing is a huge focus for the security space right now, and SANS just turned their 4-day SEC542 – Web App Penetration Testing and Ethical Hacking into a 6-day class. We had the chance to pick the brain of its instructor/creator Kevin Johnson, InGuardians pen tester, father, and all around great guy.
Interview: Thomas Wilhelm (Heorot.net, Hackerdemia, and De-ICE hacker CD projects)
Posted by Jason in Uncategorized on May 24th, 2009

“Everyone is a pentester these days…”
In a new age of computer security, the above is a cynical statement I hear all the time. It is also incorrect. Although compliance and our own security hype may have made pentesting an everyman’s job, not everyone is a skilled pentester. Thomas Wilhelm breaks into systems and documents their security holes for Verizon, and he does one of the things I think differentiates pentesters from the masses: he contributes back to the scene.
Thomas runs three projects that are geared towards teaching pentesting from start to finish with practical exercises. In addition, he holds MSCS, MSM, ISSMP, CISSP, SCSECA, SCNA, SCSA, NSA-IEM, and NSA-IAM certs. Two of his projects are completely free (De-ICE CDs and Hackerdemia) and the third is so competitively cheap it makes for a “best value” in the training space (Heorot.net pentest video training). I wanted to pick Thomas’s brain about his vision, opinions, and projects in offensive security. Here’s what he had to say….
Don’t miss out on a discount link for his pentest courses at the end of the interview!
w3af and SQLmap
Posted by Jason in Uncategorized on May 14th, 2009
Seth Misenar recently did some videos for pauldotcom.com on the w3af framework which were really good. w3af is the Web Application Attack and Audit Framework. The project’s goal is to create a framework to find and exploit web application vulnerabilities that is easy to use and extend. Check below and also head to:
http://w3af.sourceforge.net/videos/video-demos.php
for more w3af goodness.
PDC Episode 151 – Part I – w3af GUI – Seth Misenar from PaulDotCom on Vimeo.
PDC Episode 151 – Part II – w3af Console – Seth Misenar from PaulDotCom on Vimeo.
They also did a short on SQLmap, an SQLi testing tool:
Pass the Hash and SSL Strip Videos
Posted by Jason in Uncategorized on May 12th, 2009
xXxKrisxXx over at Ethicalhacker.net reminded me that I need to keep up on John Strand’s Vimeo page… good stuff is always found there!
SSLStrip from John Strand on Vimeo.
Also check out Ryan Linn’s Pass the Hash presentation!
Pentesting with Backtrack – Offensive Security 101, and future content!
Posted by Jason in Uncategorized on May 12th, 2009

Hey Guys!
Exciting news, albeit a little old, I won the sponsored contest for offensivesecurity.com’s Pentesting with Backtrack training. Don over at EthicalHacker.net liked my contribution to the forums and chose me as 2nd place for the content of my posts. I’m about 50% of the way through and when I’m done expect a full review and article.
Also coming soon (we have been a little busy lately, sorry!):
Offensive Security 101 Review
Interview with Thomas Wilhelm of Heorot.net and review of his pentesting courses!
Review of the NEW CEH version 6 training by SecureIA and Wayne Burke!
Review of the CBTNuggets CEH version 5 Training!
Multiple reviews of new and upcoming security products
And, barring a disaster, an interview with one of webapp pentesting’s greatest heroes (to be un-named until I hear back from him lol)
Review: Secrets of Network Cartography: A Comprehensive Guide to Nmap
Posted by Jason in Uncategorized, penetration testing on April 15th, 2009
Also featured on Ethicalhacker.net:
Nmap is indispensable.
OK, that was obvious. There is no doubt that Fyodor and contributors have made the de facto standard of network scanners, but when it comes down to learning the ins and outs and the power of Nmap, where should you put your hard-earned cash?
Let’s neglect the support documentation (man pages) for a second, and assume you don’t really use Nmap on a day-to-day basis. Why? Over at http://www.professormesser.com/, James “Professor” Messer has put together a 232-page eBook proving that one doesn’t have to be a networking guru to learn how to use Nmap effectively in your organization.
But what about the $197 video companion to this $47 book? How does it stack up against Fyodor’s own book on Nmap (See EH-Net Review by JP Bourget)?
Conficker links
Posted by Jason in Uncategorized on March 31st, 2009
Tomorrow is phone home day for Conficker…

I went over today’s links from security people I follow on Twitter. Dan Kaminsky (of last year’s DNS fame) has one of the best interview articles I’ve seen on Conficker at a high level and new tools related, but here are some additional docs:
http://isc.sans.org/conficker – SANS ISC Entry of third party removal tools
http://www.honeynet.org/papers/conficker/ – Know Your Enemy: Containing Conficker.
http://seclists.org/nmap-dev/2009/q1/0870.html – Nmap Scripting Engine script for detection.
http://securitylabs.websense.com/content/Alerts/3329.aspx – Some technical nitty gritty of it by Websense.
http://www.doxpara.com/?p=1294 – Packaged, updated, stand alone scanner by Kaminsky (rebuild the py2exe, Tillmann and Felix’s scs code, now with Core’s impacket library safely embedded); as well as more links for Windows (Nmap) scanning.
http://blog.tenablesecurity.com/2009/03/detecting-conficker-with-nessus.html – Nessus plugin blog update
http://www.microsoft.com/protect/computer/viruses/worms/conficker.mspx – Microsoft’s “Protect yourself from the Conficker computer worm” entry.



