Gender: Male
Status: Married
Age: 43
Sign: Gemini
State: Colorado
Country: US
Signup Date: 07/24/06
Thursday, August 23, 2007
I passed the ISSMP
Current mood: ecstatic
I got word today that I passed the ISSMP exam, which I took this last Saturday. I actually failed the first attempt (missed it by one question) and it was a bear. But the second time was a charm.
For those curious about what that means for me in the long term, here's the salary breakout:
http://www.certmag.com/images/CM1206_salSurveyFig1.jpg
All I know is I better be getting a raise next year!! Cheap bastards.
>:(
9:23 AM
2 Comments - 2 Kudos
Wednesday, July 18, 2007
A day in the life of a tired man
Current mood: busy
I wanted everyone to know that I am having a hard time keeping up with the emails and posts. Not only am I working 40+ hours a week, doing the school thing, and getting ready for my speech and CtF at DefCon, but I also picked up a writing gig for a book (only doing one chapter of many) and a magazine article. So, I'm sorry if I haven't been able to give my complete concentration to this site. I am still checking the groups to make sure spammers stay away, but I'm lacking so much sleep it's hard to do much else.
I've changed my travel plans for the DefCon trip. I will be arriving Sunday, the 29th, instead of Thursday, the 2nd. Anyone interested in getting together for a beer or three, let me know and I will give you contact info. The extra days will be sort of a working vacation, so if anyone has suggestions for entertainment, I would be happy to hear them.
Anyway, things should calm down soon. Until then, if I mutter something unintelligible, please pardon my incoherence.
11:10 AM
1 Comment - 2 Kudos
Wednesday, July 04, 2007
DefCon schedule is out
Current mood: surprised
Category: Web, HTML, Tech
For those who are attending DefCon this year and interested in viewing my presentation, I'm speaking on the first day - third round. It looks like I'll be in the big room - going on right after Bruce Schneier.
I'll have CDs I'll be passing out at the end of the talk, and would love to speak with anyone who has questions afterwards.
I hope to meet those who are in my discussion groups and on my friends list (especially those who I haven't met in person), so if you do make it, by all means let's hang out and have a beer or two. Cheers!
WHH
6:17 AM
4 Comments - 4 Kudos
Sunday, June 03, 2007
Capture the Flag (DefCon)
Current mood: Exhausted and exhilarated
Category: Games
This weekend was the qualifier for the DefCon 15 Capture the Flag event (where the 31337 go to play), so I haven't been online. It was very grueling, I got very little sleep, and the experience made me quite humble - there are some amazing guys both in the team I'm on and in those teams we played against, and by the end of the qualifier I felt like a total n00b. We kept bouncing from 4th place all the way down to 17th place, only to have us crawl back up... and when we finished, we ended up actually qualifying!! I'm totally stoked.
Anyway, it's been a very hectic weekend, and I'm exhausted and exhilarated. I'm glad this phase is over, and can't wait until DefCon to get totally pwned!! 
10:40 PM
3 Comments - 4 Kudos
Saturday, May 19, 2007
I'm speaking at DefCon this year
Current mood: excited
Category: Goals, Plans, Hopes
Last night I got word I've been selected to be a speaker at DefCon 15 this year. I'll be speaking on the PenTest Lab LiveCDs I made recently.
For those who aren't familiar with DefCon, it's one of the first and better hacker conferences; it takes place the first week of August over in Las Vegas, immediately after BlackHat.
If anyone is going to be there this year, I'd love to get together and have a beer or two!
8:04 AM
2 Comments - 4 Kudos
Saturday, May 12, 2007
How to get a PenTesting job
Category: Jobs, Work, Careers
I get asked frequently by others how they can get a job as a pentester - specifically, what steps they need to take to get this kind of position. My answer has always been... do what interests you that isn't pentest-related. The "pentesting" job comes afterwards.
In other words, if you like networking, become an expert on networking first. If you like programming, become a programmer. Like Linux, become a guru in that. Do what interests you.
Now, I'm not saying you can't do pentesting or security-related things in the meantime. In fact, if you always keep security at the forefront of your mind, you will always be tracking yourself towards the ultimate goal of getting a pentesting job. Let's look at some examples.
Programming
In this industry, I would say there are two types of pentesters who are hard to find, and worth their weight in gold. One is network hackers, and the other is programming hackers. Specifically with programming, there is a need for people very familiar with writing secure code, and even more importantly, those familiar with identifying insecure and exploitable code. Most of the people who follow this path tend to gravitate towards anti-virus companies that reverse engineer code to understand a virus, or OS companies that need people to fix their holes. These people can end up in non-profit / open-source efforts as well. This isn't exactly pentesting, but pentest teams can benefit greatly from people with these skills; and considering that they get picked up elsewhere, it's hard to find these people willing to fill pentest slots. There aren't that many certs out there for programmers, but there are a few. Typically, experience is the biggest factor in moving up into pentesting positions for programmers.
Networking
Most people interested in pentesting focus on a particular operating system, but there is a huge need for network experts as well. Sure, hacking a box is fun, but if you can own the network, that's real power. There are a few certs that are good fits for pentesting, including pretty much all the Cisco ones. Also, those interested in pentesting should bone up on their firewall knowledge as well - the more you know, the easier it is to get into a pentesting job.
Operating Systems
There is probably an overabundance of people whose specialty is one OS or another in the pentesting industry. If you look, most exploits focus on OS vulnerabilities... partly because there are so many of them, but also because people aren't familiar with networking protocols and devices. I mean, almost everyone has a Windows box they've dinked around on, but how many of us have Cisco routers using IS-IS as their routing protocol? Not that many in comparison.
My point is this - if your only skill is general OS hacking, you're competing with hundreds of thousands of others with the same skills wanting the same position. Unless you've gotten (good) press somewhere for finding an exploit, you're just a small dot in a sea of faces.
However, you can change that, and still be an OS-centric pentester. Focusing on a less-than-common OS is one way to succeed. My choice was Solaris. By picking an OS that is less common, you reduce the number of those competing against you, which is good. Another way is to really, really know an OS, and not just desktop software like XP. If your preference is Windows, learn about IIS and Apache (not Windows, but it ends up on a lot of Windows boxes), MSSQL... learn what rpcbind is, and why it's bad... learn about how Windows sets up networks and how systems communicate over it... find out exactly what svchost REALLY does, and why it's so popular with your Windows box (I have 6 instances running on this machine right now... what do they do, and how do programs interact with it? Might there be a weakness in something used so often?... inquiring minds want to know). In other words, be a guru - an expert. There are quite a few certs out there, depending on your OS interest, that go well with security. Check them out, and go for it.
Other Areas
In the PenTesting arena, there are additional needs for wireless pentesting, risk assessors, auditing, project managers, managers, web experts, database experts, and more. But again, the experience in other fields tends to come first, before they end up doing pentesting. What differentiates them from others in their field is that they started thinking about security while doing their job. So, if you don't take anything else away from this blog, take this one thing: Be a guru first - pentester second. If you keep this in mind, you will succeed.
7:12 PM
2 Comments - 4 Kudos
Friday, January 19, 2007
Certification Wars - CEH vs SCSA
I decided to check on Monster.com to see how popular my current certifications are. I also checked out how popular the relatively new Certified Ethical Hacker cert is... I was a bit surprised. My favorite certification is the Sun Certified System Administrator, mostly because it was my first one and it's usually a very popular and well-paid "beginner" cert. After doing a query, I found 12 job openings nationwide for SCSAs. Granted, if I opened up my query to something broader, like "solaris system administrator", I get thousands of hits... but I prefer to talk to those people who know what a SCSA is; otherwise, my cert becomes pretty useless, since they tend to just look for warm bodies to fill positions and don't give any weight to certifications.
So, on to the CEH. There were 20 positions available for people with the CEH certification, making it more popular than the Sun cert. But the real question is which is more valuable to have in the long run...
One would expect a Certified Ethical Hacker to have a broad range of skills, to include one or more Operating Systems, tools, techniques, laws, business methodologies, familiarity with multiple programming languages, networking, and more, in order to be proficient at hacking into systems. In fact, the outline of the CEH includes things like Ethics and Legality, processes (footprinting, scanning, etc.), social engineering, web server hacking, password cracking, sql injections, wireless networking, physical security, firewalls, IDSs, honeypots, buffer overflows, and cryptography, among others. That's a huge body of knowledge, and if someone is good at all of these, it would make sense this cert would be for a Senior Engineer or better.
Compare that to someone with a SCSA - one OS, specific solaris tools, a bit of programming, very little networking, and ability to skip out on sleep. The tests cover things like software installation, managing file systems, perform system bootup and shutdown, some user and system security functions, printer management, backup and restore, network basics, virtual machines, naming services, and some advanced installations (like jumpstart, dhcp server setup, etc.). In my opinion, something a CEH should already be familiar with.
So, we have determined that the CEH cert is more popular (today, at least), than the SCSA certification. In addition, it (should) require a broader and higher level of knowledge. So what's the difference in pay?
According to Microsoft, the salaries break out as follows:
Sun Solaris Cert (any): $75,192
EC-Council Cert (any): $63,750
O_o
So, the cert with a lower level of knowledge gets a higher salary. How does this make sense?
I can think of a few possible answers:
1) Companies don't give a lot of weight or respect to the CEH cert
2) Companies don't give a lot of weight or respect to Ethical Hackers
3) Hackers are a dime-a-dozen
Let's deal with each one separately:
Companies don't give a lot of weight or respect to the CEH cert
If this was the case, why would companies actually ask for the cert on a job posting? By doing so, they limit their pool of applicants, so it doesn't make sense to ask for a cert that you don't like.
Companies don't give a lot of weight or respect to Ethical Hackers
I doubt this is true, as well. When someone realizes they need a hacker to work for them as opposed to against them, it's usually a reaction to fear - fear that if they don't get someone on-board quickly, they will suffer some horrific loss that will make their investors flee from their sides (not really likely, but it's fun to watch the deer-in-headlights look when high-level management realizes the threats out there). So, to most of them, we're wizards and they are in awe of our skills.
Hackers are a dime-a-dozen
Great hackers are rare, and deserve to be called "Wizards." Good hackers are out there and aren't quite as scarce; but there are also a lot of those who want to be hackers who have tripped across a working exploit or tool (like Metasploit) and feel they are qualified to do this sort of work for a living. Whether they can or not is another question.
I have seen similar discrepancies in other certs as well. The ones that jump to mind are the Microsoft certifications. Things like MCSE only pull in $40k-ish, yet in my opinion require more knowledge than the SCSA. The reason for the disparity is the number of people willing to do the job. So many people grew up on Windows, it's naturally the first platform they dive into. But this gives employers a huge pool of applicants to choose from, and as the laws of supply and demand dictate, the greater the supply, the less the demand (or in this case, the lower the salary).
So, what does this all mean? Is the CEH a worthless cert? I don't think so, but it shouldn't be your primary focus if you actually want to do the job and get paid well. I can only suggest from personal experience that a person should focus on a niche (in my case, Solaris... but it could include Cisco, AIX, wireless, etc.), and then focus on security after you have achieved mid- to high-level certs in your specialty.
My two cents.
10:19 PM
1 Comment - 2 Kudos
Thursday, December 28, 2006
New Search Engine for Hackers
Today, I created a new search engine using Google's co-op beta program. This program allows me to filter and add sites that actually deal with pentesting and hacking. I got tired of searching for info and exploits only to get links that had no relevance whatsoever. I could use a couple of contributors if anyone is interested in helping add relevant sites. However, if you just want to check it out, go to:
De-ICE for Hackers (a Google co-op search engine)
2:48 PM
0 Comments - 0 Kudos
Friday, September 29, 2006
I passed the Sun Security Administrator exam
Current mood: relieved
I received my results from the Solaris 10 Security Administrator beta exam. I took the test three times, since I was quite paranoid about not passing - turns out I passed all three times. So, now I have all the Solaris OS certifications... I can now add SCSECA to my alphabet soup. =)
6:23 PM
3 Comments - 2 Kudos
Friday, September 08, 2006
How to be a hacker week 2... Discovery
Ok, so now we're going to start finding out what each of the steps of hacking is, starting with the first step: Discovery
For this exercise, I want you to spend the whole week trying to find out all you can about nmap.org. Also, I want you to do it mostly without sending a single packet at nmap.org. Here's how:
First, use the program 'whois'. whois allows you to gather a lot of information about a domain address - this information is stored as a record which can be retrieved by anyone. So, go ahead and boot up your backtrack CD and open up a command window. Then type: whois nmap.org
Here's what I got (I'm removing a lot, and sticking with some good items):
Domain Name:NMAP.ORG
Sponsoring Registrar:Go Daddy Software, Inc. (R91-LROR)
Registrant Organization:Insecure.Com LLC
Registrant Street1:370 Altair Way #113
Registrant City:Sunnyvale
Registrant State/Province:California
Registrant Postal Code:94086-6100
Registrant Country:US
Registrant Phone:+1.5303238588
Registrant Email:hostmaster@insecure.org
Admin Organization:Insecure.Com LLC
Name Server:NS1.LNXNET.NET
Name Server:NS2.LNXNET.NET
Here's what caught my eye:
1) There's another domain name: insecure.com
2) I have phone numbers and email addresses if I want to social engineer. Unfortunately, they used a typical email address for contact. Sometimes the owners include personal email addresses like mjones@whatever.com - this tells me they might use the same pattern when logging into boxes (in this case, "mjones" might be a username).
3) I have an address - good to know if I'm going to do any intrusion attempts or wireless sniffing.
4) I have name servers. These are who hosts nmap.org. I can find out what types of equipment they use for hosting, and more.
So, at this point I'd find out more about lnxnet.net and insecure.org. Go for it.
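The four observations above boil down to reading a whois record field by field. The script below is an added example, not code from the post, that does that reading for you: it parses "Key:Value" whois lines, lists the other domains the record leaks through contact emails and name servers, and flags whether each contact address is a shared role mailbox (like hostmaster@) or a personal-looking one that might double as a login name. The sample record is the excerpt quoted above, reconstructed as constructed input with the phone number replaced by a placeholder; the ROLE_MAILBOXES set is my own assumption about which local parts count as role accounts. The same check is useful in the other direction, to review what your own domain's record gives away.

```python
# Constructed sample: the whois excerpt quoted in the post, one field per line.
# The phone number is a placeholder, not the real value.
SAMPLE_WHOIS = """\
Domain Name:NMAP.ORG
Sponsoring Registrar:Go Daddy Software, Inc. (R91-LROR)
Registrant Organization:Insecure.Com LLC
Registrant Street1:370 Altair Way #113
Registrant City:Sunnyvale
Registrant State/Province:California
Registrant Postal Code:94086-6100
Registrant Country:US
Registrant Phone:+1.5555550100
Registrant Email:hostmaster@insecure.org
Admin Organization:Insecure.Com LLC
Name Server:NS1.LNXNET.NET
Name Server:NS2.LNXNET.NET
"""

# Assumed list of mailbox names that identify a role rather than a person.
ROLE_MAILBOXES = {"hostmaster", "postmaster", "webmaster", "abuse", "admin",
                  "dns", "noc", "domains", "registrar"}


def parse_whois(text):
    """Parse 'Key:Value' lines into a dict; every key maps to a list so that
    repeated keys such as 'Name Server' keep all their values."""
    record = {}
    for line in text.splitlines():
        if ":" not in line:
            continue  # banners, blank lines, ">>> Last update" style trailers
        key, value = line.split(":", 1)
        record.setdefault(key.strip(), []).append(value.strip())
    return record


def classify_email(address):
    """'role' for shared mailboxes, 'personal' for anything that looks like a
    person's account (and therefore possibly a username pattern)."""
    local = address.split("@", 1)[0].lower()
    return "role" if local in ROLE_MAILBOXES else "personal"


def review_record(record, domain):
    """Summarise what the record reveals beyond the queried domain itself."""
    domain = domain.lower()
    emails = [v for k, vs in record.items() if k.endswith("Email") for v in vs]
    name_servers = [v.lower() for v in record.get("Name Server", [])]
    related = set()
    for value in emails + name_servers:
        # Registrable domain = last two labels; fine for .org/.net/.com here.
        host = value.split("@")[-1]
        registrable = ".".join(host.split(".")[-2:])
        if registrable != domain:
            related.add(registrable)
    return {
        "organization": record.get("Registrant Organization", [""])[0],
        "name_servers": name_servers,
        "emails": {e: classify_email(e) for e in emails},
        "related_domains": sorted(related),
        "phone_listed": bool(record.get("Registrant Phone")),
    }
```

Running review_record(parse_whois(SAMPLE_WHOIS), "nmap.org") reports insecure.org and lnxnet.net as related domains and hostmaster@insecure.org as a role mailbox, which is exactly the list the post walks through by hand.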
Next, I would do some Googling... do a search for 'nmap.org' and you get 16 thousand hits. Too much. Try different things to get better info, like add 'password' or 'insecure.org' or 'error' or 'core dump' or 'link:nmap.org' - in other words, try to find out everything you can about the site, and not just what's listed on the pages everyone always sees. A good book on this is "Google Hacking for Penetration Testers." Swing by the bookstore and grab a copy or take notes. Often, error pages are spidered and saved by Google - great pickings.
Also, check out archive.org - they store old information, which can often come in handy as well. For example, maybe there's old employee data and it's happened more than once that old users don't get removed from systems. Just one more potential attack vector.
Once you gather that info, look over what you have gathered, and start back at the beginning - there's probably something you found that needs more discovery.
Next, find out what programs they use - chances are you already have an idea from looking at their hosting service, but try and see if you can identify the web server they use, database server, forum program and versions, etc. At this point, you might be tempted to scan them with nmap. For this demonstration, stick strictly to scanme.nmap.org (they aren't your client, and it's just better to play nice). Make sure if you do scan you hit both TCP and UDP ports (for those who don't know what I'm talking about, you skipped the "Day 2" homework... shame!! >;-) )
Once you've broken down and used nmap, also do a traceroute to scanme.nmap.org and find out what systems are between you and it. It's possible that there is a router or two of theirs before you get to scanme.nmap.org - perhaps scanme is in a DMZ, maybe not. Find out. Keep records. If this was an actual client, scan them until you know their entire network, or as much as they initially will let you see (once you conduct pentesting, you will probably find out more about their network).
Ok, you got your assignment - get busy, and take the whole week to do it. Also, if you need a mental break, go here: http://quiz.ngsec.com and start game #1. From what I understand, this site was a pre-qualifier for the defcon #10 Capture the Flag contest. Whether this is true or not, this will start you off learning web hacking. Whatever you do... DON'T CHEAT!!!! I mean it, you screw yourself if you do. Read the notes, and if you get stuck, we can chat - I'm not gonna give you the answers, but I'll give you hints. Also, don't worry about getting them all right away; you're learning, and that's what's really important.
Enjoy!
4:43 PM
0 Comments - 0 Kudos