Security Tools and Exploits

Here is a collection of coding samples, tools, and misc. other things that we have written over the past. All source code published on this website is considered copyrighted material and licensed under the FreeBSD licensing agreement found here: At the tail of this page you can find the full copyright disclosure. BypassUAC – Attack that allows you to bypass Windows UAC in Windows Vista and Windows 7 both on x86 and x64 operating systems. Download BypassUAC here. Download EgressBuster here. PowerShell_PoC – zip file containing a number of PowerShell samples including SAM database dumping, reverse shells, bind shells, all natively written in PowerShell. Download PowerShell_PoC here. Download Metasploit_Modules here. Encrypted_http_shell.zip – Contains source code and compiled binaries of a server client reverse shell that communicates natively on HTTP channels. Download Encrypted_http_shell here. Download Simple_py_shell here.

CESG Homepage CESG launches Certified Cyber Security Consultancy CESG is pleased to announce a new approach to providing cyber security consultancy services for government and industry. Published on Monday 01 Jun 2015 New Certified Cyber Security Consultancy The newsletter describes the new scheme in detail, including proposed membership requirements, benefits and fees. Published on Tuesday 19 May 2015 New guidance on securing Industrial Control Systems New ICS guidance has been released by CPNI and CESG. Published on Monday 18 May 2015 More Items GCHQ Certified Masters Degrees - Calling Notice Academic Briefing Event 14th January 2015 GCHQ Certified Master's Degrees - Calling Notice Academic Briefing Event 14th January 2015 Published on Monday 08 Dec 2014 IA Practitioners' Event - York Racecourse 2015 Agile IA: Breaking the Chains and Responding to Change - Call for Speakers Published on Wednesday 26 Nov 2014 ACE-CSR Annual Conference 2014

Practical tools for hackers Hello friends, we have already seen how to become a good hacker; today I am going to present a list of software and tools that are useful for hackers and security auditors. For this, it is preferable to have the Backtrack distribution installed on a virtual machine. So without further ado, here are some tools needed to scan and exploit the vulnerabilities of a web application: 1. The Mole is an automatic SQL injection exploitation tool. By providing a vulnerable link or a valid address of the targeted site, one can test the injection and, why not, exploit it. This tool works on MySQL, SQL Server, PostgreSQL and Oracle databases. 2. Is a vulnerability scanner specially designed for WordPress. To learn more, read our article on WPScan 3. 4. Uniscan is an open source vulnerability scanner for web applications. 5. 6. havij

Is Security Awareness a Waste of Time? How do you know what devices are accessing your network? How do you detect a rogue device? What can you do to prevent a threat in your network and minimize the risk? With workforce mobility, bring your own device (BYOD) into the workplace, and guest access into your network, enterprises are realizing how important it is to track and monitor who and what is accessing the network. We’ve recently seen examples of how rogue devices have caused significant damage through gaining access to corporate infrastructure through network vulnerabilities. The panelists will look at how Network Access Control (NAC) or Endpoint Visibility, Access, and Security (EVAS) is being implemented by enterprises worldwide to address network security while continuing to support current infrastructure and the expanding mobile workforce. Topics of discussion will include: How to gain complete network visibility and control of all network devices from a cost effective, centralized deployment

The hackers' web browser [ MANTRA ] Published on 13 August 2011 by Ahmed Mantra, the hackers' browser, is a collection of free and open source tools integrated into a web browser; it is very handy for penetration testers, web application developers and hackers. It is in fact a portable version of the Firefox web browser that bundles a collection of modules useful during penetration tests. This browser ships with more than 40 extensions embedded by default, keeping at hand the tools essential for running batteries of tests. Among the extensions that Mantra contains are: Mantra can be downloaded here (Windows, Linux, Mac)

start [VERIS Community] The Vocabulary for Event Recording and Incident Sharing (VERIS) is a set of metrics designed to provide a common language for describing security incidents in a structured and repeatable manner. VERIS is a response to one of the most critical and persistent challenges in the security industry - a lack of quality information. VERIS targets this problem by helping organizations to collect useful incident-related information and to share that information - anonymously and responsibly - with others. The overall goal is to lay a foundation from which we can constructively and cooperatively learn from our experiences to better measure and manage risk. This site serves as a central hub for all things VERIS. overview: A brief summary of VERIS and what it can do for you. schema: The latest VERIS schema files are available on GitHub. documentation: This wiki is the primary source of supporting documentation pertaining to the VERIS Community schema.

Tools for creating TCP/IP packets | Linux Blog hping: hping is a command-line oriented TCP/IP packet assembler/analyzer. The interface is inspired by the ping(8) unix command, but hping isn't only able to send ICMP echo requests. Features include: * Firewall testing * Advanced port scanning * Network testing, using different protocols, TOS, fragmentation * Manual path MTU discovery * Advanced traceroute, under all the supported protocols * Remote OS fingerprinting * Remote uptime guessing * TCP/IP stacks auditing * hping can also be useful to students that are learning TCP/IP Hping works on the following unix-like systems: Linux, FreeBSD, NetBSD, OpenBSD, Solaris, MacOs X, Windows. Nemesis: Nemesis is a command-line network packet crafting and injection utility for UNIX-like and Windows systems. Nemesis can natively craft and inject ARP, DNS, ETHERNET, ICMP, IGMP, IP, OSPF, RIP, TCP and UDP packets. Scapy Yersinia

Cloud - Taking Simplicity Even Further Do Your Negotiating Techniques Create Value? - INSEAD It’s no longer a game of hard-ball. Today’s negotiations are about more than just money. In the late 1990s, a European beverage company, number one in its market, squeezed suppliers so hard on price that a glass manufacturer with strong supply links to the company went bankrupt. Not unusual in the cut-throat world of business, but this time the tough stance backfired. When the market took an upturn a few months later the beverage company, with limited bottle supply, couldn’t feed demand and fell from number one to number two in a market of just three or four players. The company, according to Horacio Falcao, INSEAD Affiliate Professor of Decision Sciences who was brought in to look at what went wrong, lost more money in that one year than its aggressive procurement techniques had saved in ten. “By squeezing everything you have you can get results very quickly,” says Falcao. Negotiating in a crisis A second trend Change of approach Companies don’t have to overpay to win. Negotiation skills

Information Security « The Notepad It doesn’t need self-promoted heavyweights like Anonymous or LulzSec to have a go. It doesn’t need a lot of phishing, complex technical network probing and testing, or other geeky effort to penetrate your IT estate and steal critical information. It just needs an understanding of the publicity machine and the underpinning culture of journalism. Or, more accurately, speculation and sensationalism. An example, ‘a guest’ posted this into PasteBin: Within hours of its discovery, commercially troubled retailer GAME is on the back foot as banner headlines are raised, starting a chain-reaction of ‘me too’ RSS feeds and reaching the online gaming news sites with unhelpful speculation and surprising speed. Game.co.uk Hacked, Data Leaked Softpedia January 16th, 2012, 12:49PM “…the hackers managed to obtain email addresses and passwords in clear-text… the site contained a shell injection vulnerability that allowed the hackers to access its databases and expose their customers.” So what? Whodunnit?

The Official BackTrack Blog The time has come to refresh our security tool arsenal – BackTrack 5 R3 has been released. R3 focuses on bug-fixes as well as the addition of over 60 new tools – several of which were released in BlackHat and Defcon 2012. A whole new tool category was populated – “Physical Exploitation”, which now includes tools such as the Arduino IDE and libraries, as well as the Kautilya Teensy payload collection. Building, testing and releasing a new BackTrack revision is never an easy task. Various Social Engineering Laws and Principles “It is very important to understand exactly what everyone else already knows.” -The Founder Hendrickson’s Law: If a problem causes many meetings, the meetings eventually become more important than the problem. Saul Lavinsky’s Observation: Education is what you get from reading the small print. Kavanaugh’s Maxim: Necessity never made a good bargain. Rodney’s Rule: Never let your studies interfere with your education. The First Afghan Law of Education: No amount of poor schooling can spoil a good student. Sander’s Rumination: Life is a game, the object of which is to discover the object of the game. Cornuelle’s Law: Authority tends to assign jobs to those least able to do them. Mullin’s Observation: Indecision is the key to flexibility. Sousa’s Principle of Lecture: If you can’t baffle them with brilliance, befuddle them with bullshit. Utvich’s Observation: Education is the process of moving from cocksure ignorance to thoughtful uncertainty. H. Dr. Ben Franklin’s Wisdom:

Social Engineering Demonstration I often get asked for demonstrations of social-engineering. This is how it usually goes… After giving a very little, very simple presentation entitled ‘Social Engineering Basics’, I found some of the faces in the little conference room… unconvinced, to say the least. This is normal and to be expected, and it happens to me quite often (so often…). It’s difficult for intelligent people to accept that one of the basic facts about being Homo Sapiens Sapiens, about being us, is that no matter how intelligent we are, we are extremely easy to manipulate. Harder still for some to accept is that someone out there is claiming to have turned human manipulation techniques into something as crazy sounding as social engineering. Most people were leaving the room, a conference room with 4 rectangular tables arranged in a ‘semi-circle’ doughnut. Nothing works on everyone, but something works on everyone (figuring out this man was child’s play). He began, “You’re wrong, my friend (ahem). “Honestly?

On Castles: Moats, Machicolations, Burning Oil and Berms Vs. The Trebuchet (or DMZ’s teh Sux0r!) Check out the comments in the last post regarding my review of the recently released film titled "Me and My DMZ – ‘Til Death Do Us Part" Carrying forward the mental exercise of debating the application of the classical DMZ deployment and its traceable heritage to the concentric levels of defense-in-depth from ye olde "castle/moat" security analogy, I’d like to admit into evidence one interesting example of disruptive technology that changed the course of medieval castle siege warfare, battlefield mechanics and history forever: the Trebuchet. The folks that advocated concentric circles of architectural defense-in-depth as their strategy would love to tell you about the Trebuchet and its impact. The Trebuchet represented a quantum leap in the application of battlefield weaponry and strategy that all but ended the utility of defense-in-depth for castle dwellers. To review the basics, a castle is a defensive structure built around a keep or center structure. Enter the Trebuchet. /Hoff
