The text that follows is a short statement I prepared for the press ahead of my presentation at the ‘International Conference on Cyber Conflict’ (http://www.ccdcoe.org/ICCC/) in Tallinn, Estonia. It felt like I got a very mixed response, so I’d be interested to hear what others think…
My background and context
Any opinion can only be understood if you also understand its context. Therefore, in order to understand the thinking that follows, you also have to understand my perspective. Three aspects of my context affect my thinking here:
Well, we’re ramping up with the new Hacking By Numbers W^3 edition course we will be presenting at BlackHat Vegas this year. This course is a replacement for the Web2.0 course we successfully presented over the past three years and sports a whole bunch of new and improved practicals. We’ve also upped the technology being used and the presentation is chock-full of ASCII sheep… :)
The new course is an intermediate web application hacking course, and will deal with the following topics
27 May 2011
~1 min
By glenn
The brand new BlackOps HBN course makes its debut in Vegas this year. The course finds its place as a natural follow-on from Bootcamp, and prepares students for the more intense Combat edition. Where Bootcamp focuses on methodology and Combat focuses on thinking, BlackOps covers tools and techniques to brush up your skills.
This course is split into eight segments, covering scripting, targeting, compromise, privilege escalation, pivoting, exfiltration, client-side attacks and even a little exploit writing. BlackOps is different from our other courses in that it is pretty full of tricks, which are needed to move from the methodology of hacking to professional-level pentesting. It’s likely to put a little (more) hair on your chest.
22 May 2011
~14 min
By marco
A longish post, but this wasn’t going to fit into 140 characters. This is an argument about security metrics: it states that pure vulnerability-count-based metrics are insufficient for talking about an organisation’s application (in)security, and suggests an alternative approach. Comments welcome.
Current metrics
Metrics and statistics are certainly interesting (none of those are infosec links). Within our industry, Verizon’s Data Breach Investigations Report (DBIR) makes a splash each year, and Veracode are also receiving growing recognition for their State of Software Security (SOSS). Both are interesting to read and contain much insight. The DBIR specifically examines and records metrics for breaches, a post-hoc activity that only occurs once a series of vulnerabilities have been found and exploited by ruffians, while the SOSS provides insight into the opposing end of a system’s life-cycle by automatically analysing applications before they are put into production (in a perfect world… no doubt they also examine apps that are already in production). Somewhat tangentially, Dr Geer wrote recently about a different metric for measuring the overall state of Cyber Security; we’re currently at a 1021.6. Oh noes!
Salut à tous,
It’s that time of the year again and, like every year, we’ll once again be running our ever-popular “BOOTCAMP EDITION” at the BlackHat Briefings in Las Vegas this July-August. This course is part of our established Hacking by Numbers series. BUT, this year, only the name remains the same. We are slaving away at making this course cutting edge, providing you with a hands-on hacking experience on the latest operating systems, application frameworks and programming languages, utilising the latest tools and techniques. Gone are the days of IIS 5.0 and Windows XP, and we truly understand that [ed: for Bootcamp, maybe… Combat certainly contains an OS older than Win95].
An education isn’t how much you have committed to memory, or even how much you know. It’s being able to differentiate between what you know and what you don’t.
– Anatole France
Jobs within Information Security, and indeed Information Technology, are often more than a 9-5 affair for many who choose them as their career. There is a wealth of different technologies, frameworks, approaches and information that you need to understand to perform your job to a suitable level. In IT security specifically, with the pace of technology constantly increasing, keeping abreast is often easier said than done.
You’ve seen the movies. You’ve seen the cooler than life characters hacking systems using obscure keyboards and operating systems that seem to float through the network, so how about now really learning how it’s done?
Hacking by Numbers, Cadet Edition is being presented at Black Hat USA this year by two superstar SensePost hackers. This entry-level course will delve into the following topics:
• Understanding the hacker mind-set.
• A method-based approach to understanding the penetration testing life cycle.
The ITWeb Security Summit is creeping up on us again and will be happening on the 10-11th of May. This year ITWeb went with something slightly different, and are asking for people to suggest who they’d like to see on day 2. These suggestions will then be voted on. So, if there’s someone you’re dying to see present or a topic you really want someone to spend some time researching, head over to their community portal and write it down.
01 March 2011
~3 min
By evert
It is always a little bemusing to hear that we only provide pentests. Since 2001, SensePost has offered a very comprehensive vulnerability management service that’s evolved through multiple generations of technologies and methodologies into a service we’re very proud of. The Managed Vulnerability Scanning (“MVS”) service makes use of our purpose-built BroadView scanning technology to scan a number of high-profile South African and European clients. More information can be found here, but the purpose of this post is to introduce it with a basic overview of its deployment.
22 February 2011
~2 min
By glenn
Hola amigos,
We will be running our elite “Combat Training” at the BlackHat Briefings in Barcelona this March (talk lineup) and this course is the flagship of our established Hacking by Numbers series. From the first hour to the final minutes students are placed in different attacker scenarios as they race the clock to “capture the flag”. The trainers are highly skilled (as well as having the standard Southern African humour, looks, and charm) and the course is full of new hacks.