The conference lineup features some great members of the Security community such as John Strand, Paul Asadoorian, Lee Kushner, Scott Moulton, Adrian “IronGeek” Crenshaw.

Check out Securabit Episode 38 where we talk to Conference Chair, Brian Blankenship and tune in live Wednesday, September 23 with special guest Scott Moulton.

The Official Social Engineering Framework is set to launch on Wednesday, September 16th. The goal is to gather some of the community to produce the web’s first and only true social engineering framework.  This framework is being developed by Jim “Elwood” O’Gorman,  Mati “muts” Aharoni, and LoganWHD along with many contributors from the SE and Security community.  Check out their site, blog, and also hop onto their IRC channel, #social-engineer, on irc.freenode.net.

Metasploit Unleashed – Mastering the Framework will be launching next week on Tuesday, September 22nd.  This framework is brought to us by the members of the Offensive Security Team along with several active members of the security community.  This course will cover the Metasploit Framework in full detail with topics such as:

• Social Engineering attacks
• Advanced port scanning
• Writing your own MSF plugins
• Auxiliary modules kung fu
• Vulnerability Scanner Integration
• Writing simple MSF fuzzers
• Pivoting, Tunneling
• Exploit Development
• Egghunter mixins
• Mastering MSF Payloads
• Post Exploitation techniques
• Practical Fast Track Usage
• MSF Backdoors
• Advanced AV avoidance
• Much more!

Best of all, the PDF guides for this course will be FREE with the videos and PDF (in typical Offensive Security style) available for a small fee. All proceeds going towards feeding children in Kenya and Uganda with the Hackers for Charity project.  This looks to be a great course for a great cause!  Go check out the site next week and get ready to get some MSF Kung-fu!

Penetration Testing with BackTrack

“Pentesting with BackTrack” (previously known as Offensive Security 101) is an online course designed for network administrators and security professionals who need to get acquainted with the world of offensive security. This penetration testing course introduces the latest hacking tools and techniques, and includes remote live labs for exercising the material presented to the students.

This course gives a solid understanding of the penetration testing process, and is equally important for those wanting to either defend or attack their network. The course can be taken from your home, as long as you have a modern computer with high speed internet.

The cost for the course is $550 for training videos and documents and 30 days of lab time.  For $150 more, you can get 60 days of lab time or purchase 30 extra days after the fact for $200.  I have heard great things about Offensive Security Courses and would expect this to be top notch.

Heorot.net

Heorot.net offers two penetration courses ranging from fundamentals to intermediate:

Penetration Testing Fundamentals Course

For those just starting out in the field of professional penetration testing, the Fundamentals course will provide a thorough understanding of how a professional penetration test is conducted and the methodologies behind performing an attack. It is suggested you already have a familiarity with basic Linux commands and file structure.

Intermediate Penetration Testing Course

For those individuals familiar with hacker tools who have some penetration testing experience, the Intermediate course will provide a comprehensive understanding of how to run a penetration test in a real-world environment. Students should have a solid understanding of Linux and the ability to effectively use commercial and Open Source hacker tools.

Heorot.net was founded by Thomas Wilhelm who has contributed to the Security community with a number of great books such as Netcat Power Tools and Professional Penetration Testing along with providing the De-Ice PenTesting Live CD’s.  You get access to the online videos for 30 days, two live CD’s that are downloadable,  and an autographed copy of Thomas’ new book Professional Penetration Testing.  The cost of the Fundamentals course is $395 and is currently discounted to $295 until October 1.  The Intermediate course comes in a little more at $595 and is currently discounted to $445 until October 1.  You also get access to version 2.0 of the courses that come out after Oct 1.  The Fundamentals course looks very intriguing since at $295, you get some decent training and an $80 text book.  Quite a good deal.

So You Wanna Be A Pentester

This was one I never heard of, until MattJay commented on it on Twitter.  This course will cover some of the newer aspects of penetration testing such as Open Source Intelligence Gathering with Maltego and other Open Source tools.   Advanced Scanning, Enumeration, Exploitation (remote and client-side), and Post-Exploitation relying heavily on the features included in the Metasploit Framework will also be covered.

How the course is run is quite different from the ones mentioned above.  You will receive courseware and lab manual PDF’s, but you also get three 30 minute phone calls with Joe McCray to walk you through specific lab exercises and/or answer questions.  This seems like a very interesting way to run it with the chance of interacting with a what appears to be personal phone calls with a trainer.  You also get 30 Day Unlimited Access to LSO Lab Network from the day of course registration. The cost of the course is $300 and is currently discounted to $200 until Oct 1st. They also have a So You Wanna Be A Web App Pentester course for $450 but currently discounted to $300.

This is one of the more unknown trainings to me, so if anyone has comments on it or any training, we would love to hear them.  If there are any other cheap ones out there, drop that in the comments too.

Pittsburgh Information Security Users Group (PittSUG) Capture the Flag Event – September 17, 2009

BrucCON 2009 – September 18-19, 2009 – Speakers: Chris Gates, Chris Nickerson, Jayson Street, and many more!

Louisville Metro Infosec Conference – October 8, 2009 8am – 5pm – Speakers: John Strand, Lee Kushner, Scott Moulton, Adrian “IronGeek” Crenshaw, and many more!

ToorCon -  October 23-25, 2009

Rochester Security Summit – October 28-29, 2009 – Speakers: Rob Fuller (Mubix), Larry Pesce, Bruce Potter, Ed Skoudis and many more!

Phreaknic 13 – October 30 – November 1, 2009

DojoCon – November 6-7, 2009 – Speakers: Marcus J. Carey, Marcus J. Ranum, Richard Bejtlich, Ron Gula, and many more!

SecurityTubeCon – November 6-8, 2010

SANS Cyber Defense Initiative – December 11 – 18, 2009

Shmoocon – Feburary 5-7, 2010

NOTACON – April 15-18, 2010

There are also lots of great free webcasts coming up in the next few months (some posted on the EDUCAUSE Security List):

WhatWorks in Intrusion Detection and Prevention: Securing Servers for PCI Compliance with The White Company
WHEN: Friday, September 11, 2009 at 1:00 PM EDT (1700 UTC/GMT)

Stop Cache Poisoning Attacks With DNSSEC
WHEN: Monday, September 14, 2009 at 1:00 PM EDT (1700 UTC/GMT)

SIEM and DLP – Strength in Integration
WHEN: Tuesday, September 15, 2009 at 1:00 PM EDT (1700 UTC/GMT)

Staying Ahead of the Latest Endpoint Security Threats Featuring highlights from the IBM X-Force 2009 Mid-year Trend and Risk Report
WHEN: Thursday, September 17, 2009 at 1:00 PM EDT (1700 UTC/GMT)

Building the Business Case for Penetration Testing
WHEN: Thursday, September 17, 2009 at 1:00 PM EDT (1700 UTC/GMT)

It All Starts with Log Management: Leveraging the Best in Database Security, Security Event Management and Change Management to Achieve Transparency
WHEN: Thursday, September 24, 2009 at 1:00 PM EDT (1700 UTC/GMT)

WhatWorks in Firewalls, Enterprise Antivirus and Unified Threat Management: Virtualizing Server Security with the U.S. Army Human Resource Command
WHEN: Monday, September 28, 2009 at 1:00 PM EDT (1700 UTC/GMT)

Identity-Aware Networking Done Right
WHEN: Tuesday, September 29, 2009 at 1:00 PM EDT (1700 UTC/GMT)

Is Your Organization Losing the Cyber-War?
WHEN: Wednesday, September 30, 2009 at 1:00 PM EDT (1700 UTC/GMT)

Transparent Data Encryption: New Technologies and Best Practices for Database Encryption
WHEN: Thursday, October 1, 2009 at 1:00 PM EDT (1700 UTC/GMT)

Finding the Root Cause of Any Security Alert – Fast
WHEN: Wednesday, October 7, 2009 at 1:00 PM EDT (1700 UTC/GMT)

IT Audit for the Virtual Environment
WHEN: Thursday, October 08, 2009 at 1:00 PM EDT (1700 UTC/GMT)

Automated Malware Threat Analysis: Getting actionable intelligence on attacks effectively and efficiently
WHEN: Wednesday, October 21, 2009 at 1:00 PM EDT (1700 UTC/GMT)

Post any others that you know in the comments and we will add them to the list!

Chris Eng (guest on Securabit Episode 7) has posted some commentary on what he thinks might have happened to the account.  What are your thoughts on this matter?  Is this all fair game and the whole mailbox should be released or just despicable?

UPDATE: Apparently ‘Anonymous’ might not be too anonymous for long.  The screenshot posted listed almost the whole proxy address, which will make it much easier to find in a log.  Unless they used their neighbors wi-fi.

Controversial EULA:

Google Chrome debuted with an extremely controversial EULA that basically says everything you do with the Chrome browser belongs to Google.  They have since adjusted the EULA to remove some of the strongly worded sentences, but this might just have given us a peak into Google’s world domination plot?

Vulnerabilities:

It seems that only mere hours after the Chrome browser was available for download, vulnerabilities started showing up.  Some of them as simple as a browser crash, others as serious as carpet-bombing.  This is actually not too surprising since Chrome is based off the same version of WebKit, 525.13, that the vulnerable Safari 3.1 emanates from.

Incognito Mode:

The Chrome browser has a stealth browsing mode called Incognito which will not leave any tracks of where you browse in your history or store any cookies.  This appears to be very similar to the IE8′s InPrivate browsing mode.

Independent Tabs:

Every tab opened in Chrome runs as an independent instance of the browser.  Apparently, if you experience trouble in one tab, the rest of your Chrome environment is safe from the misbehaving tab.  I guess this only works if you don’t browse to the vulnerability mentioned above that crashes your whole browser.

So what is your take on the new Chrome browser?  Mubix suggests power users should stick with Firefox or will Chrome make the internet less frustrating” as Walt Mossberg declares?

White House Imposes New Security Mandate for Federal Agencies (Washington Post) – All government agencies will be required to implement DNSSEC by January 2009.

Apple to fix hole in password-protected iPhones (Cnet) – Apple announces that it will release an update in September to fix a hole that allows users to bypass the unlock screen.

Dan Kaminsky Soundboard (0×000000.com) - Can’t get enough Dan Kaminsky, now have him talk to you all the time, any time.

MIT working on network vulnerability analysis (Slashdot) – Researchers at MIT are working on detecting exploitable vulnerabilites by graphing attacks in near real time.

As a security precaution, Red Hat has changed the signing keys for Fedora, updated OpenSSH packages and also issued OpenSSH blacklist scripts that allow admins to check to see if any of the affected packages are installed on their systems.

If you are running any Fedora or Red Hat systems, you might want to check them out just to be safe.