Archive for December 2007

The Hackerpedia Project

Posted by: agent0x0

Thomas over at De-ICE.net has launched a cool new project forming an open source community for pen testers called Hackerpedia. It works like the many other wikis out there, but it is hacker- and pen-test-specific. The Hackerpedia project grew out of the De-ICE pen test LiveCDs that Thomas created and the need for a documentation repository to go with them. Hackerpedia is (from De-ICE.net):

Centralized
Hackerpedia is an attempt to share knowledge in an easy-to-read format. Certainly, there is a lot of information gathered within various forums, but none of it is centralized.

Hacker-specific
While there are other wikipedias, Hackerpedia focuses on information from a hacker perspective. While others may have entries for Nepenthes, here you won't find anything on plants.

All things to all people
Designed for beginner and expert alike, there is something for everyone.

I haven't found anything quite like this on the net, and finding pen-test-related information is usually a tedious experience. As with any new community, this one needs lots of volunteers to get the word out and to get pen testers and security professionals to contribute content to the wiki. I would love to see this take off and become a great resource for pen testers.

What can you do?
Please help spread the word about this resource by linking to the Hackerpedia and contributing content! Hopefully the community will quickly grow around this project.

Penetration Testing hits Reality TV

Posted by: agent0x0

Some of you may have seen the new reality TV show on CourtTV over the holidays called "Tiger Team". The show follows a team of penetration testers hired to break into some high-profile companies using some pretty cool techniques. While you won't see anything technically earth-shattering (as Grumpy Security Guy mentions), you will see how easy it is to breach the physical security of places you would think have good security controls in place. Again, this shows that the weakest link will always be humans (social engineering) and that with enough time and ingenuity, an attacker will get in. As a pen tester it's worth watching, even if some of it is done up a bit too much for Hollywood.

You can watch the episodes via CourtTV. There are also torrents available...

Hackers for Charity

Posted by: agent0x0

I came across a good interview with Johnny Long over on Computer Defense this morning. If you don't know who Johnny Long is... well, he is pretty well known in the hacker and security community. You can read more about him on his web site and by doing some Google searches (he wrote a very good book called "Google Hacking for Penetration Testers", BTW).

Anyway, when I was at Defcon 15 this past summer I sat in on his "No Tech Hacking" presentation and remember Johnny talking about a charity organization he started called "I Hack Charities", better known as "Hackers for Charity". While honestly at the time I was more interested in the talk he was about to give, I thought this was a really cool idea. Hackers for Charity gives hackers an outlet to use their skills for good and to help build their resumes: you help them out with a technical project, and they give you a job reference (via a LinkedIn connection and resume reference). In addition, Hackers for Charity accepts all sorts of donations, from old hardware to the swag you may have been collecting over the years from all those security conferences (I know I have tons of this stuff). They collect this swag and send it to needy people in Africa and other underdeveloped countries. I am thinking about getting all my co-workers to dig out their swag so we can send them a big box of it... think of the possibilities if several big corporations did the same thing. Something we should all think about.

Great stuff, right? How can you get involved? Check out the web site here and sign up for the mailing list here. You can donate time, money, swag, or any skill set you may have; they are even looking for people with soft skills (business, management, etc.). Let's help spread the word and get other security professionals to support this worthy cause.

SANS Top 20 for 2007 Released

Posted by: agent0x0

Once again SANS has released its "Top 20" security risks, this time for 2007. This is always a good report and I recommend all security professionals read it. This year they highlight two growing attack vectors: users who are easily misled (aka social engineering) and custom-built web applications.

Neither of these should be a surprise. I have seen a major increase over the last year in targeted "spear phishing" attacks against my organization, on top of the typical PayPal and eBay phishes. Until users become more security aware, I am not sure how this will decrease. All an attacker needs to do is get a user to click a link or visit a web site and it's pretty much game over!

Custom-built web applications are not a huge surprise either. Most of the time internal developers are not following secure coding practices and usually have no idea their applications are vulnerable to even simple things like SQL injection. Again, it all starts with education and making users and developers more security aware.
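As an added example (not from the original post or from the SANS report), here is the kind of simple SQL injection the paragraph refers to, in Python with the standard sqlite3 module: a login check that splices user input straight into the query, beside the parameterised version that binds the input as data. The users table, its rows and the credentials are constructed for the demo, and the passwords are stored in plaintext only so the injection stays easy to read; real code would store password hashes.

```python
# Added example, not from the original post or the SANS report.
# A login check that splices user input into SQL, beside the parameterised
# fix. The users table, its rows and the credentials are constructed here
# for the demo; real code would store password hashes, not plaintext.
import sqlite3


def make_db() -> sqlite3.Connection:
    """Create an in-memory users table with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "correct horse battery staple"), ("bob", "hunter2")],
    )
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Builds the statement with string formatting, so the attacker's text is
    parsed as SQL. A username of  alice' --  turns the rest of the WHERE
    clause into a comment; a password of  ' OR '1'='1  makes it always true."""
    query = (
        "SELECT COUNT(*) FROM users WHERE username = '%s' AND password = '%s'"
        % (username, password)
    )
    (count,) = conn.execute(query).fetchone()
    return count > 0


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Binds the inputs as parameters: the driver hands them to SQLite as
    data, so quotes and comment markers in them carry no SQL meaning."""
    (count,) = conn.execute(
        "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return count > 0


def demo() -> dict:
    """Run both checks with a valid login and two classic payloads."""
    conn = make_db()
    cases = {
        "valid": ("alice", "correct horse battery staple"),
        "comment_out": ("alice' --", "anything"),
        "always_true": ("nobody", "' OR '1'='1"),
    }
    return {
        name: {"vulnerable": login_vulnerable(conn, u, p), "safe": login_safe(conn, u, p)}
        for name, (u, p) in cases.items()
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:12s} vulnerable={result['vulnerable']!s:5s} safe={result['safe']}")
```

The fix is parameterisation, not escaping quotes by hand: every database driver offers bound parameters, and they cover comment markers, encoding tricks and the next payload you have not thought of, which an escaping routine written by the developer usually does not.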

Two scenarios they mention highlight this risk. From the executive overview:

"Scenario 1: The Chief Information Security Officer of a medium sized, but sensitive, federal agency learned that his computer was sending data to computers in China. He had been the victim of a new type of spear phishing attack highlighted in this year's Top 20. Once they got inside, the attackers had freedom of action to use his personal computer as a tunnel into his agency's systems."

and

"Scenario 3. A hospital's Web site was compromised because a Web developer made a programming error. Sensitive patient records were taken. When the criminals proved they had the data, the hospital had to choose between paying extortion or allowing their patients' health records to be spread all over the Internet."


You can read the entire 2007 SANS Top 20 report here.

Secure, portable password management with Password Safe

Posted by: agent0x0

I have been trying to find a better way to manage passwords for web sites, application logins, email, etc. I had been using OS X's Keychain for this, but I was concerned about the security of the application and the fact that I couldn't move my password "database" to a non-OS X computer (Windows or Linux). I needed something portable and easy to use as well... once again, I go back to the "could my Mom use it" test. After doing some research I found a program originally developed by my security hero Bruce Schneier called "Password Safe". From the project web site:

"Password Safe allows you to manage your old passwords and to easily and quickly generate, store, organize, retrieve, and use complex new passwords, using password policies that you control. Once stored, your user names and passwords are just a few clicks away.

Using Password Safe you can organize your passwords using your own customizable references—for example, by user ID, category, web site, or location. You can choose to store all your passwords in a single encrypted master password list (an encrypted password database), or use multiple databases to further organize your passwords (work and home, for example). And with its intuitive interface you will be up and running in minutes."


So I gave it a try and I am happy to report that Password Safe is my new password management program. Things I like about this program:

- Java client available for OS X, Linux and Windows, so you can use your password database on multiple OSes.
- Portable installation: the database can be carried on a USB thumb drive.
- Secure encryption of the database: the V3 database format encrypts with Twofish and protects integrity with HMAC-SHA-256, using a key stretched from your master passphrase with iterated SHA-256, so the security of the file rests on the strength of that one passphrase.
- Built-in random password generator.
- Ability to define your own password policy and set expiration dates for your passwords.
- "Auto Type" feature, which sends the user name and password to the login form as keystrokes rather than through the clipboard.
- Easy to use, free, and open source!
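As an added example (not Password Safe's own code), here is what a policy-driven random password generator like the one in that list has to get right, in Python: the policy, the conformance check, and generation from the CSPRNG by rejection sampling so the result is uniform over all conforming passwords. The Policy fields and the symbol set are assumptions chosen for the demo, not Password Safe's settings.

```python
# Added example, not Password Safe's own code: a policy-driven password
# generator of the kind the feature list describes. The Policy fields and
# the symbol set are assumptions chosen for the demo, not Password Safe's
# own settings.
import math
import secrets
import string
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    """Minimum counts per character class, plus total length."""
    length: int = 16
    min_lower: int = 1
    min_upper: int = 1
    min_digits: int = 1
    min_symbols: int = 1
    symbols: str = "!@#$%^&*()-_=+[]{};:,.?/"


def _classes(policy: Policy) -> list[tuple[str, int]]:
    return [
        (string.ascii_lowercase, policy.min_lower),
        (string.ascii_uppercase, policy.min_upper),
        (string.digits, policy.min_digits),
        (policy.symbols, policy.min_symbols),
    ]


def satisfies(candidate: str, policy: Policy) -> bool:
    """True if candidate has the right length, only allowed characters,
    and at least the required number of characters from each class."""
    alphabet = "".join(cls for cls, _ in _classes(policy))
    return (
        len(candidate) == policy.length
        and all(c in alphabet for c in candidate)
        and all(sum(c in cls for c in candidate) >= n for cls, n in _classes(policy))
    )


def generate(policy: Policy) -> str:
    """Draw uniformly from the conforming passwords by rejection sampling.

    Every character comes from secrets.choice (the OS CSPRNG), never from
    the random module. Drawing one character per required class and then
    shuffling would also satisfy the policy, but it biases the distribution;
    drawing the whole string and retrying until it conforms does not."""
    classes = _classes(policy)
    if sum(n for _, n in classes) > policy.length:
        raise ValueError("policy requires more characters than its length")
    alphabet = "".join(cls for cls, _ in classes)
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(policy.length))
        if satisfies(candidate, policy):
            return candidate


def entropy_bits(policy: Policy) -> float:
    """Upper bound on the entropy of a generated password: length * log2 of
    the alphabet size. The class minimums exclude a few strings, so the true
    value is marginally lower."""
    alphabet = "".join(cls for cls, _ in _classes(policy))
    return policy.length * math.log2(len(alphabet))


if __name__ == "__main__":
    p = Policy()
    print(generate(p), f"~{entropy_bits(p):.1f} bits")
```

With the default policy the alphabet has 86 characters, so a 16-character password carries a little under 103 bits of entropy; the rejection loop retries roughly one draw in six, which is negligible for a single password.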

Here is a screen shot of the easy-to-use interface for creating a new password entry:

Password Safe Screenshot

You can check out and download the application here. Now let's see how my Mom likes it... I will share those results with you later.