Saturday 14 May 2016

Certified (and Certifiable?)

As I wrote last time, I sat (and passed) the exam for the CEH. I wanted to share to the 0 other people who follow this blog a piccie of something that arrived in the snail-mail this week.


Something I plan to do is post items relating to maintaining my CEH status here, so that I can then point EC-Council to this blog to verify my on-going efforts.

Sunday 21 February 2016

Certified Ethical Hacker

Late last year my (now former) employer, TAFE NSW, advertised a bunch of courses in a wide variety of areas, including many in Info Tech. Oh, one other important point – they were "free – as in beer".
There were a few where I could have skipped the classes and just sat (and passed) the exam – such as the Microsoft 70-410 (Installing, Configuring and Managing Servers) & 70-411 (Administering Windows Servers) – and a couple of others that may have been interesting, such as the CCNA 1 & 2 courses, but what really caught my eye was the EC-Council Certified Ethical Hacker (v9).
I threw my hat in for the course, and was advised in January that I would be doing that course in April.
I contacted the co-ordinator on the day the first session started and asked if there was any space due to "no-shows" in that. There were. So I moved from April to February.
I sat the exam last weekend – and passed. Not "brilliantly", but there were two of us (out of a class of about 12) that sat, and there was a 100% pass-rate :) There was the option of taking the exam voucher (valid for 12 months) and studying and sitting later – but knowing me, if I didn't do the exam there and then, it probably wasn't going to happen ;)
So, there you have it – I am Certified (and probably 'certifiable' ;)
That's the first of a few certifications I wanted to get under my belt. The GWAPT: GIAC Web Application Penetration Tester and maybe the (ISC)2 CISSP – although I'm not 100% sure that the latter is the direction I wish to head in.
We shall see. In the meantime, I have taken on a Technical Project Management role, which, while not really the direction I wanted to take, looks really interesting, and can lead to some real long-term benefits to thousands of people across Australia.

Sunday 25 October 2015

Talk about TalkTalk

The latest hot news is the budget telecoms provider in the UK "TalkTalk" and their latest (third this year) hack.

There are many excellent discussions on the whole thing from people such as Brian Krebs (http://krebsonsecurity.com/), Paul Moore (https://paul.reviews/) and of course Troy Hunt (http://www.troyhunt.com/) - although admittedly, most of the discussion has been on Twitter.

Sunday 11 October 2015

1Password - losing the battle

As I wrote yesterday, I am looking at bailing on LastPass.

I am still playing with 1Password, and becoming less and less impressed.

The sync via DropBox (which I was not impressed with having to use) is going slowly.

I thought "I'll use the 'WiFi-sync' option!" This uses (I found) Apple's "Bonjour" service - which I had to download and install, restarted 1Password on WinOS, started the WiFiSync - and it gave me a magic number and instructions to start the client on the mobile device.

Guess what?!

The Android version doesn't have the WiFi Sync option.

AAARRRRGGGGHHHHH!!!!!

So, Bonjour was quickly uninstalled (and maybe I should wash my computer - it's all dirty now ;)

I will keep the sync running until tomorrow (currently about 190 items out of just over 1100) and see if we can evaluate it running on the mobile. But once again, MacOS coders seem to see other systems as "second class" citizens.

The Open Source solution(s) are more and more appealing - at least I can be confident that they will run on _all_ my systems.


Saturday 10 October 2015

Password Managers

Over the past couple of years I have been using a Password Manager called "LastPass". I have been extremely happy with the product, and when they bought Xmarks (bookmarks sync tool) I was even happier :) So much so, I signed up for an annual subscription to enable it on my Droid.

Access to my passwords - most of which I can't remember (and have no need to) - wherever I am, and all for a reasonable annual fee.

If you want to know more about Password Managers, Troy Hunt has a blog post from 2011 covering the whole thing much better than I could, titled "The only secure password is the one you can’t remember".

So, back to today - as I mentioned, LastPass - very happy camper.

Until today.

Monday 5 October 2015

ch...ch...changes...

Change - a part of life. (and then I hear Marvin saying "Life... don't talk to me about life.")

Currently at work there is a process being called "Change Management". In the past I've been through something called "Transitioning", or "Reorganisation", or "Outsourcing" and several other waffly feel-good phrases for what used to be called in a more honest time "Redundancy". i.e. "we don't need / want you anymore."

I've been through at least 4 of these in my career in Information Systems / Technology, and each time God has provided.

Looking around at the workplace as it now is, some 14 (nearly 15) years after I first signed up, I am wondering if I really want to stay. As a result, I am re-evaluating my career direction over the next couple of decades. Ultimately, I think I would like to be a Counsellor, but the reality is that it won't pay the bills I currently have. A nice "retirement" earner, but not really a "full time paying" job - or at least, not the way I want to do it.

So the near-term plan. Initially, if I survive the "Change Management" process (and I am not sure I want to!) I will be doing more of a "work to rule" to free up some time for my career development.
As those who know me will know, my passion (in the technical space) is "Web Application Security". And thus it seems wise to start switching the time, effort and energy I use as unpaid overtime to my current workplace to ramping up my knowledge and skills in WebAppSec.

Currently, I will admit, I am like a kiddie (but not a "script-kiddie", or maybe I am) paddling on the shore of the ocean. It is time I learned to surf - metaphorically.

My plan of attack is:
  1. ask someone to be a "mentor" - I know who I would like to be my mentor, I just need to approach them
  2. work towards some Industry Certifications - specifically the "CompTIA Security+" (which I think I already have enough knowledge to pass) and then something like the "GIAC Web Application Penetration Tester" or something similar
  3. sell my body (and knowledge and skills) to whoever will pay for it :)
Point 3 does include my current job - the managers do have some plans that the above may well fit in with, and let's face it, their money spends as nicely as anyone else's ;)

Something I should also start doing is more tutorial videos. Of course, I am torn between my deep desire to make this available for free, and getting some extra coin to accelerate my ultimate goal ;)

It is going to be an interesting ride whichever way I go :D

Saturday 4 May 2013

Take 2

I had some other entries that, to be honest, didn't really belong here. They actually should have been in my journal, and so I printed them off, placed them there, and deleted them.

Troy Hunt demonstrated a "Pineapple" hacking unprotected wi-fi clients recently. His article "Pineapple Surprise! Mixing trusting devices with sneaky Wi-Fi at #wdc13" is interesting reading, especially in light of a couple of previous posts he had building up to this.

My paranoia kicked into high-gear. So I have installed a tool on my Droid called "WiFi Auto Turn Off" which disables wifi on the phone after losing contact for 5mins (user settable). So if/when I go out, it will turn off while I am in the car, and hence I won't get the "drive by" attacks described by Troy in his article. Indeed, I used this "in anger" today, and it worked just like a bought one. Well, I didn't time it, but when I checked for WiFi while out, it was turned off - good enough for me :)
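The policy the "WiFi Auto Turn Off" app applies is simple enough to model: while Wi-Fi is on, a phone keeps looking for (and auto-joining) remembered networks, and the exposure only ends once the radio is off. The following is an added example (not the app's code, and not from the original post) that replays that policy over a constructed connectivity log, with the same 5-minute default and a reconnect resetting the countdown.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class WifiAutoOff:
    """Turn Wi-Fi off once the phone has been out of contact with any known
    network for `timeout_s` seconds (5 minutes by default, user settable)."""
    timeout_s: float = 300.0
    wifi_on: bool = True
    lost_at: Optional[float] = None          # when contact was last lost
    actions: List[Tuple[str, float]] = field(default_factory=list)

    def observe(self, t: float, connected: bool) -> str:
        """Feed one connectivity sample at time t (seconds); return the state."""
        if not self.wifi_on:
            return "off"                      # radio already off, nothing to do
        if connected:
            self.lost_at = None               # any reconnect resets the countdown
            return "connected"
        if self.lost_at is None:
            self.lost_at = t                  # first sample without contact
            return "disconnected"
        if t - self.lost_at >= self.timeout_s:
            self.wifi_on = False              # timeout reached: switch the radio off
            self.actions.append(("wifi_off", t))
            return "off"
        return "disconnected"


def replay(events: List[Tuple[float, bool]], timeout_s: float = 300.0) -> Optional[float]:
    """Replay (time, connected) samples; return the time Wi-Fi was turned off, or None."""
    policy = WifiAutoOff(timeout_s=timeout_s)
    for t, connected in events:
        policy.observe(t, connected)
    return policy.actions[0][1] if policy.actions else None


# Constructed sample: leave home at t=60, briefly regain contact at t=120
# (e.g. a neighbour's remembered network), then lose it for good at t=180.
SAMPLE_LOG = [(0, True), (60, False), (120, True), (180, False),
              (300, False), (480, False), (500, False)]

if __name__ == "__main__":
    print("wifi off at", replay(SAMPLE_LOG))          # 480: 5 min after t=180
    print("with 100 s timeout:", replay(SAMPLE_LOG, 100.0))
```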

Now, the Pineapple is pretty cheap at about $100 - give or take. But it seems that, because it is built on OpenWRT, I can build a 'pineapple clone' for a bit over $20 - Blue for the Pineapple - based on the TP-Link WR703N (http://www.obostore.com/tplink-tlwr703n-150m-wifi-3g-wireless-router-p-7748.html)

I was sort of wondering if I might be able to do "the same" with the eeePC I have sitting around, although it won't run OpenWRT. But OpenWRT is built on BusyBox running on a Linux kernel, so I may investigate further - although it's not as "cute" as the TP-Link 703.

This has the potential to be included as a short course for building a pentest kit. 3 or 4 weeks?

I am also thinking of putting together a couple of other courses at TAFE on Web Application Security. One, in two forms perhaps - .NET and PHP - using the OWASP Top 10 for Web App Developers - probably 10 weeks (1 term), and another (third? fourth?) on defending web apps using ModSecurity WAF with the OWASP ruleset. This would probably be 5 or 6 weeks.

But there are some other things to be completed first...

have fun,

.h