Posted by Brett Hardin on 26th May 2009
A course will be offered this year at Black Hat entitled “Hacking by Numbers: PCI Edition.” A quote from the course description:
The PCI Data Security Standard (DSS) has had a huge impact on the information security industry. One effect that it has had is to make annual penetration testing mandatory in some segments, and thereby spawn a whole new class of off-the-shelf penetration testers.
The term “off-the-shelf penetration testers” makes my stomach churn. It is my belief that hacking is more of an art than a science. Hacking is methodical, but it takes a specific type of person to do it. Typical hackers are very methodical and analytic. In addition, every hacker that I have ever met has a never-give-up mentality about them. This attribute is used as a feedback loop into the problem they are working on.
Sure, some security work and/or security methodologies can be taught, but to be a “breaker” you have to have a certain personality type.
What are your thoughts on this? Feel free to tweet me about the topic. @miscsecurity
Posted by Brett Hardin on 26th May 2009
Information gathering on targets is key for attackers. They need to understand their targets to construct more successful attacks.
Recently, I came across http://namechk.com/. I was blown away by the amount of information this site reveals.
The site promotes itself as a way to “check to see if your desired username or vanity url is still available at dozens of popular Social Networking and Social Bookmarking websites.”

From an attacker's standpoint, let's say I want to identify all of the resources that Jeremiah Grossman, the CTO of WhiteHat Security, uses. I simply type in his Blogspot ID, “jeremiahgrossman”, and I find that in addition to Blogspot he also posts to Delicious and YouTube. This is great!
For an attacker, this resource provides a way to identify additional paths of research.
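The same idea, as an added example that is not code from the original post or from namechk.com: take one known handle, build the candidate profile URL on each site, and classify the result. Two details matter in practice and are easy to get wrong: a site that answers 200 for every profile URL (a soft 404) must not be counted as a hit, so each site is first probed with a random control name; and a rate-limit or transport failure is reported as unknown rather than as absent. The URL templates, the `softfour.invalid` host, the `KNOWN_PROFILES` set and `fake_fetch` are constructed for the demonstration (only the three sites in the post come from it); `http_status` is the real network fetcher you would pass instead.

```python
"""Cross-site username correlation, in the spirit of namechk.com."""
import secrets
import urllib.error
import urllib.request
from typing import Callable, Dict, List

# Assumed profile URL templates; not taken from the post or from namechk.
# Real sites change their URL schemes and add bot detection, so verify first.
PROFILE_TEMPLATES: Dict[str, str] = {
    "blogspot": "https://{user}.blogspot.com/",
    "delicious": "https://delicious.com/{user}",
    "youtube": "https://www.youtube.com/user/{user}",
    "softfour": "https://softfour.invalid/u/{user}",  # constructed soft-404 site
}

# A fetcher maps a URL to an HTTP status code (0 for transport errors).
Fetcher = Callable[[str], int]


def http_status(url: str, timeout: float = 10.0) -> int:
    """Real fetcher: returns the HTTP status code, or 0 when DNS/TCP fails
    (a missing blogspot subdomain fails in DNS rather than with a 404)."""
    req = urllib.request.Request(url, headers={"User-Agent": "recon-example/0.1"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as exc:
        return exc.code
    except urllib.error.URLError:
        return 0


def control_username() -> str:
    """A name vanishingly unlikely to be registered anywhere; a site that
    returns 200 for it returns 200 for everything and cannot be trusted."""
    return "zz" + secrets.token_hex(12)


def enumerate_username(user: str, fetch: Fetcher,
                       templates: Dict[str, str] = PROFILE_TEMPLATES) -> Dict[str, str]:
    """Classify each site as found / absent / unreliable / unknown(<code>)."""
    verdicts: Dict[str, str] = {}
    ctrl = control_username()
    for site, template in templates.items():
        # Probe the control name first: a 200 here is a soft 404, so a later
        # 200 for the real target would be a false positive.
        if fetch(template.format(user=ctrl)) == 200:
            verdicts[site] = "unreliable"
            continue
        code = fetch(template.format(user=user))
        if code == 200:
            verdicts[site] = "found"
        elif code == 404:
            verdicts[site] = "absent"
        else:
            verdicts[site] = f"unknown({code})"  # 429, 403, 0, ... : retry later
    return verdicts


def pivot_sites(verdicts: Dict[str, str]) -> List[str]:
    """Sites worth a follow-up look: confirmed profiles only."""
    return sorted(site for site, v in verdicts.items() if v == "found")


# --- Constructed offline fixture (no network): which profile URLs "exist". ---
KNOWN_PROFILES = {
    "https://jeremiahgrossman.blogspot.com/",
    "https://delicious.com/jeremiahgrossman",
    "https://www.youtube.com/user/jeremiahgrossman",
}


def fake_fetch(url: str) -> int:
    """Stand-in for http_status: 200 for everything on the soft-404 host,
    429 for a rate-limited handle, 200 for the fixture, 404 otherwise."""
    if url.startswith("https://softfour.invalid/"):
        return 200
    if "/ratelimited" in url:
        return 429
    return 200 if url in KNOWN_PROFILES else 404


if __name__ == "__main__":
    found = enumerate_username("jeremiahgrossman", fake_fetch)
    print(found)
    print("pivot to:", pivot_sites(found))
```

Swap `fake_fetch` for `http_status` to run it for real; the control probe doubles the request count, which is the price of not chasing phantom profiles on sites that never return 404.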
Posted by Brett Hardin on 12th May 2009
Marcus Ranum, widely credited with building the first commercial firewall, publishes very interesting articles on security. He is currently the CSO of Tenable Network Security, and he also contributes to his own page from time to time.
Mr. Ranum reminds me of Maddox, if Maddox only talked about security and was much more articulate. My first introduction to Mr. Ranum was a rant entitled “The Six Dumbest Ideas in Computer Security.” One of the key points in that essay is that “Penetrate and Patch” (finding holes and fixing them after the fact, instead of designing them out) is a dumb idea, which sounds a lot like saying that penetration testing is not needed. As a penetration tester I was outraged, but Mr. Ranum made a good point. Ever since reading that posting I have attempted to follow Ranum’s postings. Note: another of the six is “Hacking is Cool,” which Ranum argues it is not.
Mr. Ranum recently published an article entitled “The Anatomy of Security Disasters.”
Some of the ideas in the paper are:
- Ideas that are bad for security can get legs and then be hard to stop.
- The person in the room who can articulate their idea is always the one who wins the argument, regardless of whether it is the “right” thing to do.
- Management typically blames the security team for not informing them adequately, even after emails from the security team to that very manager are discovered.
- At the end of the day, no new processes are developed to prevent the problems from happening again.
It is a great read and you should take 30 minutes out of your day to read it.