In Egypt : 30 % discount Coupon for EC council Courses inside the Printed Copy.

Printed Copy Request
Coming Soon : Arabic Version

Open Source Web Application Security Testing Tools by Vinodh Velusamy

Author shows the significance of Open Source Web Application Security Testing Tools. As he claims „When you choose and use good tools, you’ll know it. Amazingly, you’ll minimize your time and effort installing them, running your tests, reporting your results – everything from start to finish.

Most importantly, with a good web vulnerability scanner you’ll be able to maximize the number of legitimate vulnerabilities discovered to help reduce the risks associated with your information systems.
At the end of the day and over the long haul, this will add up to considerable business value you can’t afford to overlook”.

More Articles:

- Modeling Security Penetration Tests with Stringent Time Constraints by Alan Cao
- The puzzlepices by Daniel Clemens
- WebAppSecurity for Newbies part 2 Herman Stevens
- Web Application Common Vulnerabilities – Part I by Bryan Soliman
- CYBER STYLETTO by Mike Brennan and Richard Siennon


SUBSCRIBE NOW AND GET 2 AMAZING E-BOOKS !

1. CISO's Guide to Penetration Testing: A Framework to Plan, Manage, and Maximize Benefits details the methodologies, framework, and unwritten conventions penetration tests should cover to provide the most value to your organization and your customers.

2. In his new book "Save the Database, Save the World!" John Ottman captures the essence of the threats we face to the information that drives business. Organized crime, underhanded competitors and even foreign governments are looking to gain any financial, competitive or operational advantage and these enemies are going directly after the databases and the applications that access data.

After subscribing contact katarzyna.zwierowicz@software.com.pl with "WAPT" in the tittle of the message.

You can visit us at: http://www.pentestmag.com

Contents of ClubHACK Magazine January 2012:

• Tech Gyan: One Link Facebook
  Can Facebook accounts be hacked? Is it be possible to access your account without your permission and without knowing your username and password? Unfortunately “YES” is the answer.
• Legal Gyan: Powers of Government under the Information Technology Act, 2000
  Internet Censorship is today‘s hot topic with the passage of statements by our Honorable Ministers. But the billion dollars question is ?Can online activities of individuals be censored/monitored in India?
• Tool Gyan: SQLMAP – Automated Sql Injection Testing Tool
  Sql injection is one of the most common vulnerability found in web applications today. Exploiting SQL Injection through manual approach is somewhat tedious. Using flags like ?or 1=1–? , ?and 1>2? we can find out if vulnerability is present but exploiting the vulnerability needs altogether different approach. Tools like Sqlmap, Havij and Pangolin are helpful in exploiting sql injection.
• Matriux Vibhag: Setting up and Getting started with Matriux Krypton
  Wish you a very happy and prosperous new year from team Matriux. 2011 has been a great year for us where we along with CHmag have made it possible to reach you better. A special thanks to CHmag team for making it with us. It has been noticed that due to a custom and special installer MID used in Matriux Krypton, many users are confused on how to get Matriux setup on their Hard disk or VirtualBox, so this month we bring you with how to setup and get started with Matriux Krypton, a better way to start 2012.
• Mom’s Guide: Social Networking and its Application Security
  Social Networks have been an important part of our life, yes, we tweet for photos we click, every moment of happiness, sadness and the news around, we update our status if we start a relationship or end one, or even travel itinerary and hotel check-ins, movie moments, fun with friends, in fact everything that we do every moment in our life is open to the world we want to share. Play games with friends and make new friends.

Download ClubHACK Magazine January 2012:

ClubHACK Magazine Issue 24, January 2012 – jan2012.pdf – http://chmag.in/issue/jan2012.pdf

Get it directly from the project at:  http://www.sptoolkit.com/download/

Hey, what is this thing?

spt is a simple concept with powerful possibilities.  It is what it’s name implies:  a simple phishing toolkit.

The basic idea we (the spt project) had was that wouldn’t it be cool if there were a simple, effective, easy to use and free (most importantly!) tool that information security professionals could use to evaluate and train what we all know is the weakest link in any security minded organization:  the people.  Since the founders of the spt project are themselves information security professionals by day (and possibly either LOL cats or zombies by night), they themselves faced the frustration of dealing with people within their own organizations that claimed to know better, but 9 times out of 10 fell for the most absurdly obvious phishing emails ever seen.  A malware outbreak here, a stolen password and loss of critical organizational data there and the costs of dealing with the results of phishing can get to be astronomical pretty darn quickly!

Enter spt.  spt was made from scratch, like a baby (or maybe a zombie) with the goal of giving over-worked and under-staffed information security professionals a simple tool (more like a framework, as we hope to add more features over time) that could be used to identify and train those weakest links.  spt is a fully self-contained phishing email toolkit that can be installed, configured and phishing in less than 15 minutes.  Its design is modular and open-ended allowing for future expansion and additional features via easy to snap-in modules that are simply uploaded in the administration dashboard.  Why not try out spt today and see who your weakest link is?

Why do we care about phishing?

Simple answer:  phishing has become one of the easiest ways to remotely separate people from that which is important to them.

These articles give some good insights into why phishing is on the rise and why you, as an information security professional, should be worried about it.

• Phish Tastes Better Than Spam
• RSA Online Fraud Reports (click to download the various reports for each month)
• Crooks opt for spear phishing despite higher upfront cost
• M86 Labs:  Phishing Scam in an HTML Attachment
• Imperva finds master hacker who dupes thousands into phishing army
• Travel, education sectors most vulnerable to phishing

Some quotes to drive the point home perhaps.

 - Travel, education sectors most vulnerable to phishing

Researchers sent simulated phishing messages to employees at more than 3,500 small and midsize enterprises (SMEs) and found that recipients at nearly 500 companies, or 15 percent, clicked on a link contained in the message.

 - Imperva finds master hacker who dupes thousands into phishing army

A recently released, next-generation phishing toolkit promises to automate the tedious task of tricking people into visiting websites designed to steal their financial information. Even better, the toolkit is free. The only hitch: the creators added a backdoor, allowing them to also amass all of the data captured by their phishing toolkit, no matter who uses it.

 - Phish Tastes Better Than Spam

A major source of survival for spammers is consumer spending. With the recession eroding world economies, consumer spending has taken a major hit. Spammers, who thrived on luring consumers to spend money, have definitely been dealt a severe blow. After all, who is going to be lured by spammed products during tough financial circumstances? What logically follows in the worldview of a spammer is the money in your bank account rather than that in your purse. Or, in other words, spammers will shift to baiting consumers with phishing emails to try and steal banking credentials when they know their spam campaigns aren’t working.

The problem is big, and getting bigger.  Protect your network, your organization and your people…from your people

Get it directly from the project at:  http://www.sptoolkit.com/download/

Greetings Site5 Customers!

The U.S. Congress is currently considering two bills -- one in the House of Representatives called SOPA (Stop Online Piracy Act) and another in the Senate called PIPA (Protect IP Act). These bills both attempt to use similar methods to further criminalize and police intellectual property infringement. Although protecting intellectual property is important, these bills would use heavy-handed tactics that would censor and splinter the Internet.

SOPA and PIPA would grant the U.S. government the ability to block almost any website on the Internet if the site is perceived to be an "infringing site." Search engines would be required to remove the site from their search listings, payment processors and advertisement networks would be forbidden from doing business with the site, and ISPs could be forced to block access to the site for Americans. The bill provides little detail about what would constitute an infringing site, which makes the potential for abuse far greater. We have already seen how these kind of systems can be abused. In 2010, ICE (Immigration and Customs Enforcement) mistakenly seized a domain name belonging to a music blog and labeled it as a "rogue site" — the domain name was not returned until a year later (source: http://nyti.ms/uF73mZ). If you would like to see a video explanation of how the bill works and its dangers, please go here: http://vimeo.com/31100268

Site5 has publicly declared our opposition to both bills, and we encourage you to do the same. Contact your representatives in Congress to let your opposition to these bills be known! To locate the contact information for your representatives, visit one of the following websites:

http://www.contactingthecongress.org
http://www.grassroutes.us/sopa

If you're located outside the United States, you can let your voice be heard as well by sending your thoughts via this website:

http://americancensorship.org

Another way to get involved in the fight against SOPA and PIPA is to join in on the blackouts. Many well-known websites such as Wikipedia, Google, and Reddit are demonstrating their opposition, and you can too. Site5 has sponsored a WordPress plugin for participating in blackouts, and it features an easy setup and configuration options within the WordPress admin area:

http://wordpress.org/extend/plugins/sopa-blackout-plugin/

We feel very strongly that the future of the Internet is at stake, and we urge everyone to get involved!

Thanks,

The Site5 Management Team

Adelphi University, Garden City, New York

You are invited to the OWASP Long Island chapter meeting.  In a continuation of the previous meeting; we have once again organized a lab to demonstrate and discuss various OWASP top 10 vulnerabilities.  Please register by using the link below...

When: Thursday, February 16, 2011; 7:00pm - 9:30pm

Where:
IT conference room in the lower level of Hagedorn Hall of Enterprise (Building HHE on Map upper right)
Adelphi University, Garden City, NY 11549-1000.
Google map.  Campus Map
Once at the building, enter the building from the North and go down the stairs, knock on the door to be let in.

How Much: Free.  Pizza and beverages will be provided.  This event is supported 100% by OWASP Long Island volunteers.   RSVP required:     

Registration Details: 
This chapter meeting has been organized to be a lab; as a result, space is limited in the room to a maximum of 18 people.

Who Are We:  We are volunteers of OWASP, a worldwide charitable organization focused on improving the security of application software.  Everyone is free to participate in OWASP and all of our materials are available under a free and open software license.

Meeting Agenda: Dr. Kees Leune - Lab utilizing some of the OWASP 10 vulnerabilities with BackTrack 5.  

Topics: Overview of BackTrack Overview of some tools on BackTrack (nmap, JohnTheRipper,MetaSploit) Overview of the lab challenge (covers multiple owasp top 10 vulns)

Bring your own laptop: Laptops are needed if you wish to participate in the lab exercise.  Each participant will be provided a copy of Backtrack 5 R1, laptops should be capable of booting off a DVD.  Cables, power strips, etc ... will be provided; but make sure you have your own power adapter.

About the Speaker:
Dr. Kees Leune is an Information Security Officer, Strategist, Professor, Mentor, Adviser, Consultant, Speaker and occasional open source developer.
He blogs at http://www.leune.org and can be found on Twitter as @leune.
Kees has extensive experience in information security and holds several professional certifications, including the CISSP, GCIH, GCFA, CISM, and CISA.

To view past meetings, go to https://www.owasp.org/index.php/Long_Island or click here.

To subscribe to the the chapter mailing list, go to https://lists.owasp.org/mailman/listinfo/owasp-longisland or click here. 

Your email address will be used for OWASP related notifications only.  We will not share it with any third party. 

You can cancel your subscription anytime you want.

_______________________________________________
Owasp-LongIsland mailing list
Owasp-LongIsland@lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-longisland

Helen Gao, CISSP
Chapter leader of OWASP

• XSS & CSRF: Practical exploitation of post-authentication vulnerabilities in web applications by Marsel Nizamutdinov
• Discovering Modern CSRF Patch Failures by Tyler Borland
• Business Logic Vulnerabilities via CSRF by Eugene Dokukin
• XSS Using Shell of the future by Sow Ching Shiong
• Cross-Site Request Forgery by Jamie
• Security Resolutions for 2012 by Rishi Narang
• Interview with Peter N. M. Hansteen by PenTest Team

• Free Ebook "The Book of PF: A No-Nonsense Guide to the OpenBSD Firewall" worth $30.00 Today's system administrators face increasing challenges in the quest for network quality, and The Book of PF can help by demystifying the tools of modern *BSD network defense. But, perhaps more importantly, because we know you like to tinker, The Book of PF tackles a broad range of topics that will stimulate your mind and pad your resume, including how to:
  • Create rule sets for all kinds of network traffic, whether it is crossing a simple home LAN, hiding behind NAT, traversing DMZs, or spanning bridges
  • Use PF to create a wireless access point, and lock it down tight with authpf and special access restrictions
  • Maximize availability by using redirection rules for load balancing and CARP for failover
  • Use tables for proactive defense against would-be attackers and spammers
  • Set up queues and traffic shaping with ALTQ, so your network stays responsive
  • Master your logs with monitoring and visualization, because you can never be too paranoid

• PenTest (release date: 1st of each month) – 50 pages of content dedicated to penetration tests, few regular columns written by specialists
• PenTest Extra (release date: 15th of each month) – 50 pages of strictly topical content dedicated each time to different hot topic
• Mobile Pentesting (release date: 7th of each month) – 40 pages of content dedicated to latest mobile topics
• Web App Pentesting (release date: 22nd of each month) – 40 pages of content dedicated to web application topics

Contact PenTest team!
Please spread the word about PenTest magazine!

Enjoy reading!
Krzysztof Marczyk & PenTest team
mailto:olga.glowala@software.com.pl
PenTest Magazine

I created a music video about Crypto using Wireshark to sniff a SSL handshake with Google.  I got some good comments from some Sharkfest presenters and it looks like I am going to present this at Sharkfest 2012 in June!

http://www.youtube.com/watch?v=1dHsj1ZxDto

All Long Island chapter meetings are free. Please water our calendar for up coming events.

For more info contact:  Helen Gao  (helen.gao@wasp.org)

https://www.owasp.org/index.php/Long_Island