Tag: penetration testing
w3af Technical Segment on PaulDotCom Tonight
by seth on Mar.12, 2009, under Security
Just wanted to let you all know that I will be a guest on the PaulDotcom Security Weekly podcast tonight. I will be leading a technical segment on w3af, which is a very nifty free/open source tool for web application scanning/exploitation. Should be loads of fun!
The live stream should go up around 1845 EDT, with the show starting around 1900 EDT. Further details can be found here: http://pauldotcom.com/security-weekly/
Hope to see you there.
Seth Misenar
SANS 542 Webcast: Build Your Own Army of Darkness: XSS Frameworks for Zombies and Profit
by seth on Feb.27, 2009, under SANS, SANS Teaching
Below is information regarding a webcast I will be leading for SANS on 03/18/2009 at 10 AM EST. Should be fun.
Build Your Own Army of Darkness: XSS Frameworks for Zombies and Profit
Featuring: Seth Misenar
In this preview to the newly updated SEC542 Web Application Penetration Testing course being offered in Amsterdam, you will learn how to build and control your very own zombie battalion/Army of Darkness. The discussion will start with a whizz-bang overview of the new 6 day version of SEC542, and quickly move to XSS Frameworks and, of course, zombies galore. Whether you are excited or petrified by the prospect of zombies, join Seth Misenar for this hour-long webcast. As Bruce Campbell/Ash of Evil Dead fame would say, “Groovy”.
Speaker Bios:
Seth Misenar:
When not watching zombie films, Seth Misenar serves as Founder/Lead Consultant for Context Security, which provides information security thought leadership, independent research, security training, and security consulting services. His background includes network and web application penetration testing, vulnerability assessment, regulatory compliance efforts, security architecture design, as well as general security consulting. He has previously served as both a physical and network security consultant for Fortune 100 companies as well as the HIPAA and Information Security Officer for a state government agency.
In his former life, Seth received a B.S. in Philosophy from Millsaps College, where he was twice selected for a Ford Teaching Fellowship. Seth is no stranger to certifications and thus far has achieved credentials which include, but are not limited to, the following: CISSP, GSEC, GCIA, GCIH, GCWN, GCFA, GHTQ, GWAS, and MCSE. He has previously taught numerous SANS classes including SEC401: Security Essentials, SEC504: Hacker Techniques, and SEC542: Web Application Penetration Testing. In addition to serving SANS in a teaching capacity, Seth also serves as both Virtual Mentor and Technical Director for SANS OnDemand.
CeWL for Pen Testers
by seth on Jan.08, 2009, under Security
Shortly after flipping through Ed’s slide deck for Secrets of America’s Top Pen Testers yesterday, I noticed a fortuitous tool announcement come across the SANS GIAC Alumni mailing list. Robin Wood emailed to announce the release of a tool called CeWL: Custom Wordlist Generator (which is of course pronounced ‘cool’).
http://www.digininja.org/cewl.php
CeWL “spiders a given url to a specified depth, optionally following external links, and returns a list of words which can then be used for password crackers such as John the Ripper” (from the website).
Very nice. This tool dovetails nicely with Ed’s first tip from SATPT, “Build Password Guessing and Cracking Dictionaries”. In fact, it turns out that the tool was based on a PaulDotCom discussion, http://pauldotcom.com/2008/11/creating-custom-wordlists-for.html, which was in turn based upon content provided in Ed’s SEC560: Network Penetration Testing, which I will be teaching in Atlanta in February, https://www.sans.org/atlanta09_cs/description.php?tid=1717.
Whew… did you follow all that? Regardless of its origins, CeWL definitely looks like something I will be adding to my tool arsenal. Check it out.
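To make the technique concrete, here is an added example (not part of this post and not CeWL’s own code) of a minimal custom-wordlist generator in the same spirit: it spiders from a start URL to a given depth, optionally follows external links, skips script/style text, and returns candidate words ordered by frequency for feeding to a cracker such as John the Ripper. The site it crawls is a constructed in-memory set of pages (the example.test and partner.test URLs and their contents are made up), so it runs offline; swap the fetch callback for a real HTTP client to point it at a live target you are authorized to test.

```python
"""Minimal CeWL-style custom wordlist generator (added example, not CeWL itself)."""
import re
from collections import Counter, deque
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed sample site for offline use: URL -> HTML. None of these pages are real.
SAMPLE_SITE = {
    "http://example.test/": """<html><head><title>Acme Widgets</title></head>
      <body><p>Welcome to Acme Widgets. Our flagship product is the Turbo Encabulator.</p>
      <a href="/about">About</a> <a href="/products/turbo">Turbo</a>
      <a href="http://partner.test/">Partner</a></body></html>""",
    "http://example.test/about": """<html><body><h1>About Acme</h1>
      <p>Founded in Springfield by Jane Encabulator. Mascot: Waffles the dog.</p>
      <script>var secret = "notaword";</script>
      <a href="/careers">Careers</a></body></html>""",
    "http://example.test/products/turbo": """<html><body>
      <p>The Turbo Encabulator ships with Acme firmware.</p></body></html>""",
    "http://example.test/careers": """<html><body><p>Join Acme. Springfield office.</p></body></html>""",
    "http://partner.test/": """<html><body>
      <p>Partner portal for Acme resellers. Password hint: Waffles.</p></body></html>""",
}

WORD_RE = re.compile(r"[A-Za-z]+")


def fetch_sample(url):
    """Stand-in for an HTTP GET: returns the constructed page body or None."""
    return SAMPLE_SITE.get(url)


class _PageParser(HTMLParser):
    """Collects visible words and href targets; ignores <script>/<style> content."""

    def __init__(self):
        super().__init__()
        self.words = []
        self.links = []
        self._skip = 0  # nesting counter for script/style

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip += 1
        elif tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.links.append(value)

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip:
            self._skip -= 1

    def handle_data(self, data):
        if not self._skip:
            self.words.extend(WORD_RE.findall(data))


def build_wordlist(start_url, fetch, depth=2, follow_external=False, min_len=3):
    """Breadth-first spider from start_url; returns Counter of word -> occurrences.

    depth=0 crawls only the start page. External hosts are skipped unless
    follow_external is set. Case is preserved so a cracker can apply its own rules.
    """
    start_host = urlparse(start_url).netloc
    seen = set()
    counts = Counter()
    frontier = deque([(start_url, 0)])
    while frontier:
        url, level = frontier.popleft()
        if url in seen:
            continue
        seen.add(url)
        html = fetch(url)
        if html is None:
            continue
        parser = _PageParser()
        parser.feed(html)
        counts.update(w for w in parser.words if len(w) >= min_len)
        if level >= depth:
            continue
        for href in parser.links:
            target = urljoin(url, href)
            parsed = urlparse(target)
            if parsed.scheme not in ("http", "https"):
                continue
            if not follow_external and parsed.netloc != start_host:
                continue
            frontier.append((target, level + 1))
    return counts


def wordlist(counts):
    """Most frequent words first, as a list ready to write out one per line."""
    return [word for word, _ in counts.most_common()]


if __name__ == "__main__":
    found = build_wordlist("http://example.test/", fetch_sample, depth=1)
    print("\n".join(wordlist(found)))
```

The depth and external-link switches mirror the two knobs the CeWL description calls out; keeping the fetch function injectable is what lets the same crawler be exercised offline and then pointed at a real host.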
Ed Skoudis’ “Secrets of America’s Top Pen Testers”
by seth on Jan.08, 2009, under SANS, Security
Ed Skoudis sent a tweet yesterday announcing the immediate availability of his presentation from SANS CDI: Secrets of America’s Top Pen Testers. Obviously you will not get the full effect without Ed’s contagious excitement, but the 38 slides do stand well on their own. He is quick to point out (via the subtitle) that he did not name the presentation…
10 nicely presented tips (with Ed’s signature black hat red screened goodness) at no charge…
http://www.inguardians.com/research/docs/Skoudis_pentestsecrets.pdf
SANS Phoenix 2009
by seth on Dec.15, 2008, under SANS, SANS Teaching
Seth Misenar will be teaching SANS 401: Security Essentials and 538: Web App Pen Testing Immersion at SANS Phoenix 2009.
SEC401: Security Essentials
3/23/2009-3/28/2009
SEC538: Web Application Pen Testing Immersion
3/29/2009-3/30/2009
SANS Secure Europe 2009 – Amsterdam
by seth on Dec.15, 2008, under SANS, SANS Teaching
Seth Misenar will be teaching SANS 542: Web Application Penetration Testing at SANS Secure Europe 2009 – Amsterdam
SEC542: Web Application Penetration Testing
5/11/2009-5/16/2009