Charl Van Der Walt

Hacking By Numbers – South Africa – September ’10

From the team that won the world’s first Soccer Hack Cup, we bring you the latest and the greatest in computer hacking training – SensePost Hacking By Numbers Extended Edition – a local course that combines two of the brand new courses we just finished presenting at Black Hat Las Vegas. The training will be offered in Brooklyn Pretoria from 14 – 17 September 2010. Here’s how it will work:

14 – 15 September: Cadet Edition
16 – 17 September: Bootcamp Edition

Ok ok ok, so Pretoria is not exactly Vegas, but the courses are fresh and updated and packed full of exciting new content, tools and techniques.

New SensePost Website – check it out

Sigh. We’ve never been much good at marketing or advertising, and I guess we still aren’t. But we have tried to give our old website a bit of a face-lift, and it’s starting to feel like we’re finally making some progress. Certainly most of the content is new and accurate, and certainly it’s much more comprehensive than our previous one. We’ve also gone to some effort to implement a more user-friendly CMS that will allow us to keep the content more current and interesting.

SensePost Ten Years Old

After ten fascinating years, during which many people have contributed in so many ways to the place that is SensePost, by strange coincidence it falls on me to pen the words that mark our first decade in existence. To quote Robert Hunter: “What a long strange trip it’s been”. SensePost was officially founded on February 14, 2000. Of everyone who was involved at that time, I’m the only one still working here, which earns me the dubious honor of ‘oldest employee’. Do I get a gold watch? I meant to think much more over the last few weeks and months about how we should celebrate this day, or what I would write in a letter like this, but in the end (business being business) I’m writing this in a rush on a Sunday evening, with another three big things to complete before I allow myself to go to bed. Then again, much of our success (in so far as we’ve been a success) happened in a hurry on a Sunday night, so let’s not write this little piece off too soon, shall we?

Open Patch Management Survey

Rich Mogull (whose stuff I really quite dig) has launched an ‘Open Patch Management Survey’ via the SecurityMetrics blog. It’s an interesting idea, and they plan to release both their analysis *and* the raw data, which might be really insightful for our VMS stuff. Corporations can take the SurveyMonkey survey at http://www.surveymonkey.com/s.aspx?sm=SjehgbiAl3mR_2b1gauMibQw_3d_3d, and there’s some nice material already available at http://securosis.com/projectquant. Here’s the rest of Rich’s message (pls forgive the cross-post):

Our goal here is to gain an understanding of what people are really doing with regards to patch management, to better align the metrics model with real practices. We’re doing something different with this survey. All the results will be made public. We don’t mean the summary results, but the raw data (minus any private or identifiable information that could reveal the source person or organization). Once we hit 100 responses we will release the data in spreadsheet formats. Then, either every week or for every 100 additional responses, we will release updated data. We don’t plan on closing this for quite some time, but as with most surveys we expect an initial rush of responses and want to get the data out there quickly. As with all our material, the results will be licensed under Creative Commons.

Hack Like You Mean It – we’re taking PCI to Vegas

We’ve been busying ourselves with the PCI DSS in one way or another for more than a year now here at SensePost. It’s been a frustrating exercise of mixed messages, politics and tokenism, mixed in with a healthy dose of mixed feelings about what the standard offers and whether that’s good for anyone at all. Now, finally, we’re accredited to do this, that and the other under the standard, so we feel it’s time to start speaking our minds on the subject.

Attack Vector based Risk Management?

Interesting post by Michael Dahn at pcianswers.com discussed (again) the difference between compliance and security. Do you know the joke about the difference between a canary? Apparently, its one leg is the same. Well, according to the post, the difference between compliance and security is… there is no spoon. I’m sounding facetious, but the post is actually not bad. But actually, there was another part of the post that caught my eye. It’s the comments about ‘Attack Vector based Risk Management’ or ‘AVRM’. Not much is said about this except:

ITWeb Security Summit 2009 – CFP Deadline

I just wanted to remind everyone that the CFP for the 2009 ITWeb Security Summit closes on 26 Jan. We’re hoping to see much more in the way of submissions from local infosec people (especially from corporates), but there’s also still room for international submissions. So far I know of 11 ‘international’ submissions. ITWeb is really good to its international speakers, so non-South Africans shouldn’t be put off by the long distances. The conference is at an excellent location, South Africa is beautiful at that time of year, you’ll stay in a swanky hotel (this is the one they used last), the food and beer are cheap and ITWeb will take good care of you. You can check out the conference home page and CFP here.

SensePost Training @ Black Hat DC

So… Black Hat DC is rushing at us like a speeding big… speeding thing. This is just a friendly reminder about the show (Hyatt Regency Crystal City • February 16-19). We have two courses on offer at the DC show this year – Bootcamp (a highly practical course that teaches method-based hacker thinking, skills and techniques) and Combat (all hack, no talk – our flagship course). One small change to our usual approach this time is that we’re requesting Combat students to bring their own laptops. On Bootcamp and our other courses we provide pre-configured XP boxes, but Combat participants are generally already quite experienced and comfortable on their own platforms.

Hacking By Numbers Online – your thoughts?

We often get asked by students of our Hacking By Numbers courses if the course environments, or at least the VMWare images, are available after the training is over. As a result we’ve started to experiment with a model for offering our courses in an online environment. The idea would be to maintain the full number of labs and technical work, maintain the high standard of trainers and materials, but make the training available via the internet to people at various diverse locations. The approach we’ve been testing appears to show some promise, so we’re hoping to ask some of you for your input and opinions.

More Conn News – PCI Johannesburg

I got contacted the other day (via LinkedIn actually, which is a 1st for me) about a PCI conference some folks are trying to organize here in Johannesburg in January next year. I don’t really know the people (or the conference) but it seems like something that’s sorely needed here and maybe worth making a small investment in. Here’s where you can get the lowdown – http://www.pci-portal.com/events/event-info/event/pci-johannesburg