Open Source Security
Welcome at » 2011 » June

The local chapters of OWASP and ISSA jointly sponsored a 1/2 day Metasploit Training session taught by Raphael Mudge. It was held one Friday afternoon about 10 days ago at the Microsoft campus here in Austin which is a super nice facility and well set up for this type of class.

Metasploit is one of those technologies that is always near the top of my list to try out, but never quite takes that top spot, so I jumped at the chance to take this seminar. It sold out in less than 2 days, so it would seem that a lot of people felt the same way.

Raphael Mudge is the author of the Armitage front-end to Metasploit so he was a great choice to teach the class. He is a very high energy speaker and sprinkles anecdotes and experiences throughout, so the seminar never dragged. The seminar was an excellent mix of labs and presentation. The labs started with the exercise of installing metasploit and Armitage which was provided on a DVD. Virtual images which were vulnerable to attack were also provided and these were the targets of the exercises. Throughout the class, Raphael offered his experience on which exploits were typically the most successful, which payloads are the most valuable and other nuggets of information which are gained through experience. Armitage itself does a great job of lowering the barrier to entry and makes metasploit much easier to use.

This seminar was a great introduction to Armitage and metasploit, enough to make it useful for personal use of metasploit, but it is clear that I could spend many fun hours experimenting with the various exploits and payloads. Raphael made it clear throughout that he was not training crackers. The seminar succeeded brilliantly and so I would like to again thank Raphael Mudge, OWASP Austin and ISSA for making this seminar possible.

Great stuff!

Raphael left us with the following links for more information:
Penetration Testing and Vulnerability Analysis
Metasploit Unleashed
Backtrack Linux

My first experience with Gnome 3 is that it frowns at me for not living up to its expectations.

RSA – hacked
Lockheed Martin – hacked
Northrup Grumman – hacked
L-3 – hacked
Sony – hacked
Nintendo – hacked
Gmail – spear phished
PBS – hacked (and seriously?)

There must be millions of corporate security presentations that start off with the premise that the security apocalypse will soon be upon us if security doesn’t receive premium investment. It feels to me as if the security apocalypse long promised has now arrived. Whether these events are coordinated or independent, whether they are script kiddie cracking or cyber warfare, does this harald a new dawn? The risks which were once deemed remote have now been exploited multiple times. Is this a wake-up call or is everyone still yawning when security is mentioned?