Friday, May 6, 2011

EH-Net Newsletter



Book Review: Kingpin: How One Hacker Took Over the Billion-Dollar Cybercrime Underground 



Review by RichM
Kevin Poulsen has worked tirelessly to become a respected expert in the information security field and is a senior editor for Wired Magazine. Kevin edits the Threat Level Blog covering various topics mostly intersecting between law enforcement and hacking, but there are other relevant posts like the latest goings on with Wikileaks. The now white hat was not always on the straight and narrow and made a name for himself as his alter ego, "Dark Dante."
The legend of his "exploits" is well known and has him counted amongst America's most infamous hackers. Dark Dante's most impressive hack was when he used his phreaking skills to win a Porsche 944. He rigged the phone lines of an LA radio station, guaranteeing he would be their 102nd caller! Kevin Poulsen and Max Butler, the person on whom the book is based, have many similarities. Both are very skilled and have a natural ability, but while one was able to find legitimate work after a conviction, the other was not. It is because of Kevin's past that he can bring to life such a fascinating topic. Most mainstream reporters would (at best) turn this story into a 5-page magazine article, whereas Mr. Poulsen has created a suspenseful page-turner in Kingpin: How One Hacker Took Over the Billion-Dollar Cybercrime Underground.



Oracle Web Hacking Part I 

By EH-Net Columnist, Chris Gates
Oracle applications are not what you’d call simple. I think any DBA or Oracle Application Server Administrator will be the first to attest to that fact. Oracle, with its great products, comes with some unpleasantries. These are:
1. Oracle applications are complicated (hopefully we all agree on this).
2. They come with loads of default content and no clear way to remove that content. There is no IISLockdown equivalent for Oracle applications. Content you don’t want must be removed manually. Some of this content can be used to run database queries, read documents, gather information via information leakage on the pages or perform XSS attacks.
3. Users have to pay for patches and extended advisory information (even then, no Proof of Concept code is released by Oracle).
4. And lastly, you have a fairly complicated patch/upgrade process, which leads to an "it’s working, don’t touch it" mentality among a fair number of admins.
This provides a target-rich environment for pentesters and bad guys. Let’s take a look.

Entire hour and a half video of the webcast and complete slide deck now available.
On March 22 last month, EH-Net presented a webcast with James "egyp7" Lee who took the participants on a technical deep-dive through the new features of the free and open source Metasploit Framework version 3.6, focusing on techniques valuable to professional penetration testers in red teams and consulting firms. This included post exploitation modules (a more powerful replacement for Meterpreter scripts) and using platform-agnostic payloads for increased pwnage. Before the lengthy Q&A, he also covered some of the feature highlights in the commercial editions, Metasploit Pro and Metasploit Express. Webcast participants and now viewers of this video should be familiar with the concepts of Metasploit and penetration testing.
James "egyp7" Lee has been contributing to the open source Metasploit Framework as a core developer and project manager since April 2008. Before joining Rapid7 to work on Metasploit in a full-time position, he discovered numerous vulnerabilities in SCADA and Industrial Control Systems at Idaho National Laboratory. James has presented at DEF CON, Black Hat USA, Black Hat DC, SANS Process Control & SCADA Security Summit, and other events.


Stay Tuned:
- The Failure of Hypnosis in Social Engineering by Mike Murray
- RUaNinja? - Winners & Analysis
- Course Review: Hacker Training Online by InfoSec Institute
- Oracle Web Hacking Part II by Chris Gates
- Course Review: The Hacker Academy Online Curriculum
- More Course & Book Reviews





Giveaway Corner
Win Metasploit Express Worth $3000!!
OK... so you've seen the great videos by Ryan Linn, the webcast by James "Egyp7" Lee and the numerous forum discussions. Now it's time to get your very own copy of Metasploit Express that includes the full license & support for 1 year. And for your viewing pleasure, be sure to check out Metasploit's newly redesigned website. For those not in the know or unfamiliar with the Express Edition:
Metasploit Express builds on the power of the Metasploit Framework, the gold standard for penetration testing with more than one million unique downloads in the past year and the largest public database of quality assured exploits. Unlike the Metasploit Framework, which offers only a command-line interface, Metasploit Express provides an easy-to-use graphical user interface that guides the user through the steps of discovery, gaining access, taking control, and collecting evidence. In addition to the features available in the Metasploit Framework, Metasploit Express automates many common penetration testing tasks and provides the ability to launch advanced attacks without the need to develop custom scripts. Individuals whose role does not permit them to conduct penetration tests can still verify exploitability with a dry run that only shows the exploit information but does not execute the exploits.
Sounds like a great deal? All you have to do is participate on EH-Net. It's not easy getting all of these monthly prizes for EH-Net members, but the knowledge you provide the security community is priceless. And the more knowledge you provide, the greater your chances of winning the thousands of dollars of prizes EH-Net gives away each and every month. So get at it!!
March Winner!
Live, online courses by top instructors without the need for travel expenses... That's SANS vLive! Be sure to take advantage of this SPECIAL OFFER! Attend Josh Wright's Wireless Course, SEC617, use Coupon Code 'WISPY_EH' and get a FREE Wi-Spy DBx portable spectrum analyzer from Metageek (retail value $599). Students will also receive a coupon code to upgrade Wi-Spy from Chanalyzer 4 to Chanalyzer Pro for only $200 instead of $400, an additional $200 savings. This offer will be good until class starts on April 19th. Students outside of the US will be responsible for paying any duties, customs or import fees imposed by their country of residence. And now the drum roll... SephStorm is our deserving winner this month and gets a free seat worth $3500 in either:
- Security 542: Web App Penetration Testing and Ethical Hacking (Monday, May 16, 2011 - Monday, June 27, 2011)
- Security 504: Hacker Techniques, Exploits & Incident Handling (Monday, June 13, 2011 - Wednesday, July 27, 2011)
