Security Gatherings for the Little Guys
NeedaFirewall writes: "With all of the recent vulnerability announcements and increased concern about terrorism, a lot of folks are starting to take security and privacy more seriously, both at the network and node levels. Large companies can afford to send their IT people to detailed technical security conferences offered by the likes of SANS, Blackhat, and others. Some of these cost thousands of dollars for a single seminar, class, or other event. Small companies and individual programmers, network admins, etc (like me!) often can't afford these. Where can they go to learn more about security? Are there quality security conferences, seminars, trade shows, and the like out there that the little guys can afford? Particularly broad-scope gatherings that can teach these 'security newbies' the basics and alert them to the most pertinent threats?"
I did Rubi-Con last year; it was quite interesting in a wide variety of ways: http://www.rubi-con.org . Check it out.
And if you're caught, pretend that you were testing their security procedures.
http://www.h2k2.net/ is about to happen in NYC. I wish I could afford to go (time and money probably don't permit). Listening at places like that can help in strange ways in the future...
JMR
Speaking ONLY for myself, as always.
Try e-gold - (contact me). I'm NOT e-
It's rather sophomoric, but it's cheap and fun if you like that sort of thing.
DefCon is run every year at the same time as Black Hat, by the same people, with half of the same speakers. It costs about $40 (or did in 1998). Most of the companies that send people to Black Hat tell them to stay for DefCon as well.
If you're that concerned about getting info from Black Hat, talk to one of the people at DefCon who went and ask if you can photocopy his or her notes. They're the best thing you get for your $1000 Black Hat registration anyway.
Post if you have questions, post if you have solutions.
[humor]
Just get yourself an older copy of Red Hat, install it, turn on as much as possible, then sit back and enjoy! Within 15/20 minutes you should be able to learn many interesting things from your new box!
[/humor]
Go there. Get learned, llama'd, and laid.
Mike.
Mmmm......sacrelicious.
Computer (esp. network) security isn't really something that can be learned in a class. It's more of an ongoing awareness of what the threat of the week is. If history has shown us anything, it's that any useful networked system has flaws and can be broken into. As such, it's important to always keep on the forefront of what the enemy is up to.
Irritatingly time-consuming? You bet. A pain in the ass to keep up with? Oh yeah. The only effective way to keep systems and networks secure? Unfortunately.
Every year during my review, I just pray the words "slashdot.org" aren't mentioned.
To answer your question, how about asking a nearby college or computer company? I hit up SCO once about security (many, many years ago), and was invited to one of their "internal" security classes for under $500.
Or try your local Windows/NT and Unix/Linux user groups. Security is a frequent theme of these groups' meetings.
DefCon is becoming more 'mainstream' every year and is a good conference on the cheap. For $75 you get many tracks from newbie to uberhax0r. It's also a good excuse to get out of the office and spend a weekend in Vegas.
Why not attend a 2600 meeting? They take place all over the world and are free for anyone to attend. Despite what you may think, some intelligent life is often present at the meetings.
They take place on the first Friday of every month and there is a list of them all here.
Just subscribe to mailing lists like bugtraq and the lists at securityfocus, that will give you everything you need.
Or if you're really desperate, you could try #hack, #2600 and #trolls on IRC.
http://www.ecst.csuchico.edu/~dranch/LINUX/index-linux.html#trinityos
Will help you secure your network.
Slashdot's rate-of-post filter: Preventing you from posting too many great ideas at once.
I'm in the same boat. I've taken responsibility for computer security at my little company, but there is no training budget at all. I was pleasantly surprised to find that DallasCon had a student price of 40 dollars for their security conference. I got a ton of good information there. Otherwise I rely on web sites like SecurityFocus.com for information.
www.cgisecurity.com
www.owasp.org
These are good sites with documentation on web security threats along with prevention and detection.
Using the free Nessus tool can be very, very valuable towards securing your external IP-addressable presence if you don't have thousands of dollars to blow on security.
Note this will only identify some potential holes in your firewall, and won't secure you against other vectors like email worms, malicious employees, nuclear weapons, hair gel, etc.
In my neck of the woods (Phoenix metro area), I often hear ads on the local NPR station for networking and security seminars at the local community college.
These are typically touted as free or very inexpensive. Not being a security guy I can't really comment on how good they are, but it probably couldn't hurt to check one out.
My guess would be many small community colleges offer something like this.
The Internet is generally stupid
But try Google, search for 'White Hat tutorial', or 'Network Security'.
........
Also, keep up to date on CERT warnings.
Same as everything else though, the best tool is the machine you want to secure.. go play.
-Gih
The number you have dialed 9..1..1.. has been changed to an unlisted number, thank you
The key to learning more about security and making connections is to get involved with your local scene (or generate one, if necessary).
Find your local ISSA chapter (issa.org), and in Canada there is the CIPS Security Interest Group (through cips.ca). Also, talk to your local VARs and express an interest in security products. Usually they'll invite you to free morning seminars pushing security products.
The point of going to these meetings is to find peers. Once you know a few people, swap email addresses and war stories, that kind of thing, you'll get a base.
I've used these groups to meet colleagues, put together CISSP study groups, discuss issues, and share job opportunities and the like. Once you get a critical mass of people, it becomes very useful and interesting. It's not the same as a conference, but it is far better than working in a vacuum.
In any field, find the strangest thing and then explore it. -John Archibald Wheeler
Greetings sir.
A
B
don't bend over for the soap at linux conference.
who live and administer networks in the periphery, are there any net resources?
there is no spoon
http://www.securityfocus.com/
Join your local ISSA group. Yes, the local chapters may vary, but on the whole I have found that it is worthwhile. In the Denver chapter we had some great speakers this past year. Plus, you get a couple of hours away from the office every lunch to network with others in your same position.
Who is John Galt?
I work with SANS so I know more about SANS than other organizations.
SANS offers courses online so you would save on travelling fees. And yes, I would agree on the fact that travelling is expensive. I am going to a SANS conference next month and the hotels + travel + food is going to cost $2000+ and it's coming out of my own pocket.
Aside from that, SANS also has a volunteer program where you can go to a conference for free (will be $500 in October), but they require you to do all the setup and monitoring for them (hard work, trust me). But you will still have to pay for your lodging and food.
In the end, just like anything else, there's really no free lunch. But if you are determined enough to learn, you will pay out of your own pocket to go. (like me)
Those of us who are higher-ed IT people would like to know as well. Funny how schools that charge >$30k a year per student don't want to drop a few thousand on training for those who support the IT those students rely on! Oh, of course, if there were ever a disaster (such as someone hacking the president's or other VIP's computer)... Sigh.
Sadly it appears the username/password has been stripped from my links. My apologies.
One important link is the NSA Infrastructure security page. Sure, they focus here mostly on Windows, but the literature is good and many of the ideas are pertinent to other environments.
LedgerSMB: Open source Accounting/ERP
CanSecWest is a great conference in Vancouver every year. It's cheaper than Blackhat or SANS, has much more technical content, and if you're coming from the US the difference in currency makes all the incidentals (hotel, food, etc) much cheaper.
Well, I work for a small company, TIM Computer Systems Inc., and we do offer security training for Unix/Linux systems every once in a while. Other than going to those big guys that cost huge amounts of dollars, try smaller companies in your area. Just open the Yellow Pages and call a bunch of computer companies up and ask them if they do computer security training. You may be surprised at the skills you can learn from these small companies.
If something is so important that you feel the need to post it on the internet... It probably isn't that important.
Why go to expensive seminars when you have such a great resource right here at your fingertips?
Free: learn it yourself. It's not like sysadmins really work all day anyway..
Look into IPCop or come out to a local user group (LUG). Both have people with skills, and they want to help out. At the same time, they and you will give back, by helping bring others up to speed with both knowledge and questions. So do a presentation, or start a security SIG.
Yes, joining CERT notices or Bugtraq will be your first information feed, but it is putting it into action by talking to friends, testing firewalls, and helping others that gets the information in use.
I've found some of the monthly 2600 meetings helpful. They're a good place to go to to meet new people (beats sitting in front of the computer all day), and who knows, you just might learn something useful (or useless).
I'm in Guyana, South America so the cost of the conferences with airfares etc is way outside the budget.
I agree that the literature is a good starting point - the reading room at SANS is a mighty fine resource.
When I'm ready (read "can do no more without expert help") I'll look into courses/conferences.
Backward compatibility is over-rated
Unfortunately, those expensive seminars you speak of are more of a reactionary result of big companies wanting to do something about security, but not knowing what to do. It makes them feel better to send their techs out to them; they see value in how much they spend. The high prices are just a result of this. Economics.
This thinking simply doesn't hold any water when speaking of security. Security is simply a way of life, there is no starter pack. I don't mean to sound negative, but the best resources are already at your finger tips (irc [irc.openprojects.net #security], securityfocus.com, counterpane.com[Bruce Schneier has an excellent monthly], and on and on).
Security awareness is obtained by involvement.
I've gone the last two years and though the price is quite good, from year to year the quality can vary a lot. Two years ago it was really quite good. A decent number of interesting speakers, got to hang out a bit with Bennett Haselton, the guy who runs peacefire.org. Overall had a good time.
The last year though the topics really didn't seem to be quite as good and there were endless mindless pranks going on. I'm all for clever interesting pranks, but this was dumb stuff like smashing hotel lights, etc. I mean, the prank highlight was dry ice in the pool. Neat effect, but hardly breaking new ground.
That's the only problem with DefCon: it tends to attract a certain anti-establishment sophomoric crowd (because unlike most similar cons, they can afford to get in :). While certainly there's something inherently anti-establishment about a hacker convention in the first place, that energy can be channeled into mindless destruction or it can be channeled into creative/constructive efforts. Seems that this varies from year to year :)
It's sorta well suited to Vegas. You put down your money and take somewhat of a gamble on what you are going to get. I'd suggest checking the website for the speaker list and seeing if they have things that interest you. If it looks good, then go for it; give or take airfare and hotel, it's a bargain.
This sig has been temporarily disconnected or is no longer in service
I'm assuming you are using UNIX... I consider Windows insecure and don't use it myself...
Start out by getting and reading a copy of "Practical UNIX & Internet Security" (O'Reilly) by Simson Garfinkel and Gene Spafford.
After that read the documentation on your tools, apache, bind, sendmail, etc and watch www.securityfocus.com
/* TODO: Spawn child process, interest child in technology, have child write a new sig */
Well, these seminars are free, and sponsored by CERIAS (Center for Information Assurance and Security) here at Purdue. Many are webcast too, so even cheaper than flying out to a conference.
Read your log files! You do have log files don't you? They contain the best and latest information on the most common attacks in use today. If you see something there, and you don't know what it is Google it!
"I'm just here to regulate funkyness." - James Gandolfini, as Winston in The Mexican
- Plan 9 security
- How to 0wn the Internet in your spare time
- Felten presents SDMI Research last year
The deadline for discounted registration is this Wednesday. See http://www.usenix.org/sec02/ to register.
I personally don't have the budget to attend any of these expensive conferences either. And my company, although with an annual revenue of $5B, would not pay for that, as I'm in the consulting division, and the manager does not believe that the cost would justify any benefits to the company (weird logic, I know, but I can't fire the manager, can I?).
So, my low budget solution is the following:
- Lurk around in the newsgroups like alt.computer.security, alt.hacker, alt.security.pgp, alt.sources.crypto, comp.lang.java.security, comp.os.linux.security, etc, just a bunch of security newsgroups.
- Subscribe to security related mailing lists, like Bruce Schneier's Cryptogram.
- Buy and read a lot of security related books
- Download and play around with free and/or commercial (if available) software
- Visit security related web sites frequently, e.g. linuxsecurity.com, rootprompt.org (they do have some security related articles), and a bunch of security related commercial companies to see what they are doing; sometimes they have white papers that are quite good.
Sure, sometimes I wish I could attend some of the training sessions at the conference, that'd have saved me a lot of time.
And this requires a lot of personal commitment, and a lot of time. But I've learned a lot, thanks to a lot of people who are willing to share their tricks of trade and their knowledge.
Note that this also takes up a lot of my time at work, but the manager is not clued enough to know that, just like she does not know that a lot of people would spend time doing what she tries to disapprove of at work (like spending time learning new tools/prog. langs/etc). Cost-effectiveness-wise and employee-satisfaction-wise, it is better to spend $5K to send an employee to a conference/seminar/training. Unfortunately, most managers and executives can't figure that out, although they would throw at you all these buzzwords like ROI, CBA (cost benefit analysis), and other crap.
http://www.dnscon.org runs in Blackpool, England every year and is slowly expanding; entrance is very cheap, about 20 UKP. This is a great place to go to talk techy about security because most of the people attending and speaking actually work on the front line.
When it comes to security, I have found that training classes and seminars are "cool" and "fun" to watch, but have very little applicability to the configuration at my local site.
I share the same opinion of others. The best way to stay on top of security is to subscribe to Bugtraq. Other subscription lists like CERT and vendor specific lists, are always lagging behind (sometimes as much as WEEKS) since they tend NOT to announce a security issue until the vendor has a fix/patch available. Bugtraq is pretty close to zero day disclosure and is not vendor specific, thus you have to wade through the subjects to see if anything applies to your site. Additionally, BUGTRAQ is moderated which cuts down on the quantity and noise, unlike other sources which can become excessive.
To subscribe to the list, send a message to:
bugtraq-subscribe@securityfocus.com
This is my security mantra: "security is an illusion".
If you are connected to the Internet, you can be hacked. All humans make mistakes and all code is written by humans. The best you can do is manage your risk and increase your odds of not being a hackable target by staying informed and being proficient in application configuration.
My advice is to spend your training money on the specific applications that are Internet facing, e.g. (RedHat, Apache, Sendmail, DNS, POP3S, IMAPS, Oracle, MySQL, CISCO IOS); make sure you understand the security configuration and hit it hard in the class. Application security misconfiguration and weak passwords are probably the number one source of Internet compromises. Oftentimes, if you have your applications locked down and secure, the security exploit of the day may be a non-issue.
Good Luck!
The proper link is http://nsa1.www.conxion.com/ . WOW, that is just plain amazing, thanks!!
Cypherpunks: Civil Liberty Through Complex Mathematics. Those who live by the sword die by the arrow.
The most up to date security list in the world and it's free.
BugTraq
To make a pun demonstrates the highest understanding of a language
For a mere $5 a head I will personally hold a seminar in a local auditorium explaining how to NOT open email attachments. Company sponsoring the event must pay all of my travel expenses (food, hotel, escorts, etc...)
There's always the smaller, less formal things put together by folks like securitygeeks. They often have big names speaking at them, and they usually discuss some pretty cool topics. I really need to get out to the DC area securitygeeks meetings myself one of these days. You may also want to look up your local 2600 meetings.
I've seen a lot of excellent suggestions to go to local small community colleges for help, but might I also add, as a student of a large state university: come sit in on one of our security classes too.
No one knows who the hell is supposed to be there anyway.
I do see a bit of an issue if the class is small, but the feeling I get from most of my professors is that the more people they can speak to, the better (ego sometimes).
And thank you for posting this question... it's the most useful one I've seen here in quite a while.
Cheers.
odium|||nunquam|||obticesco
DNSCON (website is http://www.dnscon.org) is quite a good and affordable computer security conference held every August in Blackpool, UK.
Entrance costs about £15 (around $30).
It's run by a very knowledgeable guy called Jonathon Wignall.
It's open to all (both security professionals and members of the public).
Sorry if this doesn't help you.
**Peace, love and linux!**
Well, first you must know tcp/ip very well. ORA's "Internet Core Protocols" is an excellent start and a very good book.
The "Hacking Unix Exposed" series of books are also very good.
Forget windows. Get yourself a free unix and learn tcpdump and netfilter or ipfilter inside and out.
Talking about learning security by going to conferences is kinda ridiculous, like expecting to learn archeology by going to archeology conferences.
What could be more affordable for Americans than a security con in Canada? Not only is the beer better, but it consistently has top quality presentations.
216.218.166.2 you can't hack my site 'cos I'm smarter then you!
Some security consulting firms host free 1-day seminars which combine some useful security information with blatant sales pitches for their security products. Just be cautioned that the speaker giving the talk may mix useful information with a few thinly-veiled attempts to scare you into buying their services. But pick their brains clean if you get a chance to ask questions, it's free.
A 1-day seminar is worthless! Even a three-day seminar too... I am telling you that! Get books, read newsgroups, and keep up to date with #1 slashdot.org. You won't regret this!
People who run seminars are laughing at you, the idiots who think they'll help you or turn you into pros. They're shitty (but getting rich from idiots) every time! All you do is bring notes home. Nothing lasts that long, especially in this kind of field! You will end up using those papers to wipe the shit off your buttocks two weeks after.
Anyone who attended and thought it was good is an IDIOT! They'd be better off staying at home and playing with Barbies...
Take my word - FUCK seminars!
--
If you wonder... yeah, I am pissed off. I'm wondering where the "Pissed off" seminars are?
This may have been mentioned already...
Subscribe to mailing lists like Bugtraq and NT Bugtraq and any other OS or application specific products you are supporting. Not bleeding edge but not worth ignoring either.
Bad boys rape our young girls but Violet gives willingly.
At work we use a vulnerability notification service to keep up-to-date with the software we are using. It works really well and we don't have to spend our days searching and browsing Bugtraq and SecurityFocus.
:(
/Hubble
We looked at several providers such as Securityfocus ARIS and Vigilinx, but we soon found out those cost very big bucks.
But then we found a cheap alternative at www.securitywarnings.com and it was exactly what we were looking for.
Cheers
If you want quality education, go to SANS. I have been to others: IT World, NetOP, MIS. None of them compare to SANS. If you pay cheap you get cheap; if you look, you will notice that SANS attracts all the leaders in the field.
Pay the money; they offer classes for under 1k that are worth the money.
From everyone who got their start in learning computer security by reading the Nessus definitions, to the Moderator who marked this gem of pertinent and useful information as "Offtopic", we say:
FAH Q RETARD!
Thanks.
P.S. fuck a dog.
You asked about conferences, but it seems like what you're really looking for is education in general. Especially as a "newbie," conferences aren't going to be your best bet anyway: they tend to cover what's new and particular topics of interest, but can't and don't provide general background knowledge.
You can get a lot of good books for the price of a conference admission, and that's probably a better way to get started, anyhow. Here are a few recommendations from my bookshelf:
- set up a box with a default installation of an older distro
- turn on extensive logging
- connect to the internet
- wait...
- when cracked, do forensic analysis
nothing can beat real life practice. it just needs time.
http://www.defcon.org
http://www.h2k2.net
If you'll visit IBM's Security Solutions webpage you'll find tons of information in the form of white papers, webcasts, links to other security websites, etc., etc. They also offer computer based training and other resources you may be able to take advantage of at little or no cost.
Registration for that was only $50. I hope to go to blackhat later too.
My $0.02 will always be worth more than your €0.02, so
wonder where the term RTFM came from?
Why is it assumed that if you don't work for a big company, you must be a "newbie" or not know as much?
That's bullshit, as I'm sure many people who consult or work for smaller companies can attest.
I've had enough abrasive sigs. Kittens are cute and fuzzy.
In contrast, USENIX is actual security technology. Take the tutorials for in-depth learning on important issues, and the technical sessions for cutting-edge practical security research. We have a paper this year on the LSM (Linux Security Modules) project.
Crispin
----
Crispin Cowan, Ph.D.
Chief Scientist, WireX Communications, Inc.
Immunix: Security Hardened Linux Distribution
Available for purchase
There is really only 1 way to achieve any decent security skills. You need 2 people, say 2 sysadmins, and you play white and black hats.
One of you emulates the attacker, investigating the tools and mindset the intruder may take, and the other investigates security tools to work out a better lock-down policy.
You then swap notes, and then hats and start again.
Computer and network security is a long and involved process, but perhaps one of the most interesting.
It's also the most misunderstood field and sometimes, profession.
Yea, except the lit is giving info w/ a presumption of a base of knowledge, and is covering only a specific part of a subsection of security. W/O a broad-based understanding of the underlying principles, reading lit, while helpful, is not in-and-of-itself enough. It's good, mind you, but if you can find everything you need from books/man pgs/whatever then you have a bigger (or differently wired) brain than mine. That first 10% of knowledge is always the bitch. /. posted this question and I will be eagerly reading posts from start-to-finish tonight.
I'm SO HAPPY
closed minded is as closed minded does
Check out New Dimensions International
:)
at: http://www.newdimensions.net
NDI has been doing information security training since 1985, mainly for the U.S. Government and Military, but they will do training for small groups and corporations. Many of their original trainers have gone off in business for themselves, Chris Klaus to name one.
Farm9.com, Inc: http://farm9.com/content/Company_Info/IRandT
TTL Unlimited: http://www.ttlunlimited.com/
For daily security news: http://www.c4i.org/isn.html
what fubob said: usenix, usenix, usenix.
all tech, no suits, good location, heavy geek flux.
parturiunt montes, nascetur ridiculus mus
If you really want to improve your security skills you should attend Cons. Whether Defcon, Toorcon, Rubicon, etc.
But more important than listening to people, JUST DO IT! Find some like minded people and game among yourselves. It's pretty cheap to set up your own network so what's stopping you?
Play with tools. Play with tools in your environment. Play with tools across the internet against your environment.
Set up a honey pot, Set up a locked down box outside your firewall.... get creative.
I think security is a mindset rather than a technique. Get paranoid.....wait a sec.....GET REAL PARANOID!
Read some of what Bruce Schneier has been writing about the risk management model of security. I think it is a much more useful model than "I protect an asset....if I don't keep the bad guy out I lost" Not all assets are equally valuable....so how do you decide how to allocate limited resources.
Definitely think about business recovery planning. You don't have to attend anything to get good information... start with CERT.
You can also try InfraGard (FBI sponsored) meetings and other professional meetings focused on security.
Training is an attitude thing as well. If your company doesn't have the inclination to pay for training....why don't you? If you are interested in security (or for that matter any other specialty) why not budget one training a year? Try your local college or technical school. Many of them offer Cisco classes, etc.
Ok, enough of my ranting..... good luck
I'm not certain that understanding the programming behind exploits is all that useful. I mean yes, knowing how a buffer overflow works is interesting, but if apache has a buffer overflow and I'm a sysadmin for a webserver running it, do I really care how a buffer overflow works? No, I just need to get the patch.
Unless you have the freetime to actively go scrounging through somebody's code that sort of knowledge probably isn't that useful to you. I have never, in my life, met a sysadmin who had freetime. Instead, I think the useful knowledge you need is closely related to the potential vectors of attack.
For example, one common vector is a network based attack. Thus you should have a strong knowledge of how the network works in detail. Knowing how to construct a solid firewall, and knowing how to limit your attack profile are all important. Knowing cisco stuff, yes, is probably useful here.
Another common vector is the inside job which, though less frequent is usually far more destructive. There you need to have a strong knowledge of what system you have, who uses them, etc. You need to actively manage what limits are put on the access of individual users, etc.
None of this really needs a knowledge of C programming. You need to know best practices like keeping your patches up to date, setting up intrusion detection systems, and teaching people the habits of good security (don't EVER tell somebody your password, etc).
This sig has been temporarily disconnected or is no longer in service
The best and free (as in beer with InfraGard) resource is to hook up with your local InfraGard chapter. It's sponsored by the FBI so you get good info, and being a member is free (as in beer) and you get really great security updates and e-mails delivered daily.
For HTCIA (HighTech Crime Investigation Association), the atmosphere is similar as there is a lot of info-sharing between HTCIA and InfraGard. HTCIA does require annual dues and per-meeting dues (self-sponsored organization).
You can visit InfraGard's main site to see where you and your local chapter are. Then find the next meeting time and follow any applicable directions to get there and show up! I'm a member of our local chapter, and we welcome anyone and everyone dealing with InfoSec, Technology, and general Security. InfraGard is a bit more popular due to the local law enforcement participation (at least in our chapter). Our local chapter is here for anyone in the North Carolina RTP area.
I attended the SANS Network Security 2001 conference last fall in San Diego. I didn't initially even want to go, but was pressed into it by management.
I was surprised at the quality of the presentations. I attended Track 5 taught by Jason Fossen, and learned quite a bit that I had not seen before, especially with regards to configuring IIS and PKI.
I went on to complete the GCWN certification, which was also an interesting learning experience. It's one thing to talk about these various ideas, but it's quite another to try to formulate them into a cohesive paper and communicate it to others. I've used a lot of the knowledge from the class and the research I did for my practical to help secure our new desktop images for Windows XP, something that probably wouldn't have happened if I hadn't taken that initiative.
Very worthwhile, and worth every penny. Although I can see where an individual would have a hard time coming up with the cash, as I believe the conference, travel, lodging and so forth resulted in about a $5k reimbursement check. I think if you were in consulting this would be a valuable skill to sell yourself with and make back that $5k pretty quickly.
If you are in San Francisco there is the San Francisco OpenBSD Users Group. Security minded and so-on.
If none exists, start one.
You can learn most of what you need to about computer security by just installing RedHat, leaving it default, and putting it up on your DSL account.
Now, count the hours/days until you're compromised. Watch how they did it so easily, learn how to stop it next time. I couldn't think of a better way to start...
A few bible-books in my library include:
- "TCP/IP Illustrated Vol.1" by Richard Stevens published by Addison-Wesley
- "Intrusion Detection: An Analyst's Handbook" by Stephen Northcutt published by New Riders
- "Unix System Administration" aka The Red Book by Nemeth, et al. I believe the Purple Book is the 3rd edition (I am open to corrections)
- 2600 The Hacker Quarterly. A quarterly zine that most slashdotters have read, subscribe to, (or in this new-age, have either never heard of it and/or will flame or mod this into oblivion)
- the "Hacking Exposed" series by Stuart McClure, et. al.
Grab any or all of these (ESPECIALLY the Stevens book above!!) and start reading.Install more than 1 linux box (and RedHat, SuSE, Debian [and anything else that's popular] DOES NOT count. Use Slackware so you can have some semblance of control and learn how things work).
Don't install X; tough it out with the shell. <elitism>We all did.</elitism>
Get your hands on a Solaris machine; x86 will suffice, but try to get a Sparc. That way you'll understand how to do things across multiple platforms.
Set up a network and a routing firewall inside (i.e. no masquerading). Then learn that and set up a masquerading firewall for all that to get to the Internet through your gateway.
Oh, get nmap! And learn how to use it SAFELY and WISELY on your own stuff.
Read Read Read Read Read! Drop your girlfriend. Sex is good but if you wanna learn it hard, she'll have to go. If she's a geeky girl, have her help you out. She can learn too.
After that, let us know how you did. Take a security test somewhere. Online or Real World, it don't matter. It's fun shit! We love it. But it's hard work to learn it. Once you do, you'll never be the same again and you'll be very very l33t.
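The two firewall stages the post above recommends, as an added example that is not from the poster: a routing-only firewall that filters traffic between two lab subnets without rewriting addresses, and the same box turned into a masquerading gateway so the inside subnet can reach the Internet. Interface names (eth0/eth1/eth2) and the 192.168.x.0/24 subnets are assumptions for a home lab. The functions only print the iptables commands so the rule sets can be read and compared before anyone applies them to a live box.

```shell
#!/bin/sh
# Added example, not from the original post. Interface names and subnets are
# assumed lab values; change them to match your own network.
#
#   routing_firewall_rules      - forwards between two subnets it owns, no NAT
#   masquerading_gateway_rules  - same, plus hides the inside subnet behind the
#                                 address of the upstream interface
#
# Both functions PRINT the rules rather than running them, so they can be
# reviewed first ("./fw.sh masq | sh" applies them deliberately).

INSIDE_IF="eth1"              # assumed: interface on the lab LAN
INSIDE_NET="192.168.10.0/24"  # assumed: lab LAN subnet
DMZ_IF="eth2"                 # assumed: interface on a second lab subnet
DMZ_NET="192.168.20.0/24"     # assumed: second lab subnet
UPSTREAM_IF="eth0"            # assumed: interface toward the DSL/cable modem

# Stage 1: pure routing firewall. Default deny on FORWARD, allow replies to
# existing connections, drop spoofed sources, then whitelist a few services.
routing_firewall_rules() {
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -P FORWARD DROP
iptables -A FORWARD -m conntrack --ctstate INVALID -j DROP
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $INSIDE_IF ! -s $INSIDE_NET -j DROP
iptables -A FORWARD -i $DMZ_IF ! -s $DMZ_NET -j DROP
iptables -A FORWARD -i $INSIDE_IF -s $INSIDE_NET -o $DMZ_IF -d $DMZ_NET -p tcp --dport 22 -j ACCEPT
iptables -A FORWARD -i $INSIDE_IF -s $INSIDE_NET -o $DMZ_IF -d $DMZ_NET -p tcp --dport 80 -j ACCEPT
iptables -A FORWARD -j LOG --log-prefix "FWD-DROP: " --log-level 4
EOF
}

# Stage 2: masquerading gateway. Everything from stage 1 still applies; the
# only additions are the forward rule toward the upstream link and the
# POSTROUTING NAT rule that rewrites inside sources to the upstream address.
masquerading_gateway_rules() {
    routing_firewall_rules
    cat <<EOF
iptables -I FORWARD 5 -i $INSIDE_IF -s $INSIDE_NET -o $UPSTREAM_IF -j ACCEPT
iptables -t nat -A POSTROUTING -s $INSIDE_NET -o $UPSTREAM_IF -j MASQUERADE
EOF
}

# Print the chosen rule set; default to the routing-only stage.
case "${1:-routing}" in
    routing) routing_firewall_rules ;;
    masq)    masquerading_gateway_rules ;;
    *)       routing_firewall_rules ;;
esac
```

The order matters: the MASQUERADE rule lives in the nat table and is useless on its own, because the FORWARD chain's default DROP policy still blocks the packets before they reach POSTROUTING, which is why the gateway stage inserts an explicit FORWARD accept ahead of the logging rule.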
Information Systems Security Association (ISSA) has chapters all over the U.S. and many in International locations. Join your local chapter and participate.
Mhh, let's try... I don't think you, a slashdotter, can hack this easily: it's a hardened Windows server.
Didn't see anyone mention this one yet. It's damn good, and still small enough that the maturity level is higher than Def Con. Cheap way to spend a couple of days learning and networking. And for everyone that is recommending books: It isn't quite as fun to read in your spare time as it is to socialize, ask questions, network, and interact with peers during business hours, is it? Books, newsgroups, and mailing lists go without saying. Half the fun of a conference is to be able to use your brain to learn when it isn't tired from a day of working.
If you're in the San Francisco East Bay (or don't mind driving there), there's the Tri-Valley Security Group (TVSG) that meets every other Tuesday in Dublin.
www.tvsg.org
-AutoNiN
www.nsa.gov/programs/kids ;)
(OK, I admin-- I find that site somewhat disturbing)
LedgerSMB: Open source Accounting/ERP
I meant to sat "admit" not "admin" Ugghhh
In a shameless plug, I'm hosting a BOF at O'Reilly's OSCon 2002 in San Diego that's geared towards the systems administrator, and one of the main topics I hope to cover is security. The conference is pricey, but not as much as others I've been to. If you're coming to O'Reilly, swing by on Tuesday night.
Some people take their .sig way too seriously
DefCon in Vegas, nice thing for some bucks.. Unfortunately I am located in some other part of the world called Europe... The travel costs to the USA(tm) would ruin the whole bargain... Any suggestions for that? (I thought about attending SANE [not particularly 'bout security, but anyway], and it was several hundred Euros too...
So where are the European (or other non-US) cheap (as in beer) alternatives?
teq0
Might want to check into Security Geeks at www.securitygeeks.com . Basically it is a free user group for security geeks to get together and brainstorm, exchange information and contacts.
There are only a couple of chapters so far, DC and Seattle being the first up and running, with a Silicon Valley chapter in the works. If you're interested in starting other chapters, information is available at the website. The DC meetings have been going quite well, especially for a user group type of thing.
There was also a nice turnout for a VPN duct-tape-a-thon where lots of folks got together and brought various pieces of VPN equipment in. The idea was to pass on knowledge to each other and try and get inter-product IPSec VPNs working. It was reported that the event had good knowledge transfer between everyone, and I'm sure other special events are sure to come!
Jay
I asked this once before... Who is responsible? I asked it in response to a question about putting bad programming on a corporate network, but I have to ask it again. Who is responsible?
In an environment where job opportunities are evaporating rapidly, the market of "talent" supposedly narrows down. In other words, only the best should get into a given position.
Let's try a remake of a classic old saying: "If somebody roots your server, but nobody is around to hear it, is the SE responsible?".
It ain't no different than any of the corporate balls-ups that we have seen lately. When a mistake is made, a fall-person will be found (very pc, eh?). A lack of training? Probably. But whose responsibility is it to know all of this?
I think the company that gets hosed is responsible for providing up to date training to the SE, but all of this finger pointing that I see in the news lately sure makes me nervous!
I think that we are seeing the beginning of a time that will hold anyone, including Engineers (and Admins) responsible as a way out of anything reeking of a financial liability. Not so much because we are the linch-pins to corporate solvability, but because blame deflected doesn't stick to a CEO or CFO or CIO.
The NSA has a set of white papers discussing network security. Worth checking out... http://nsa1.www.conxion.com./
There is no such thing as secure systems, only secure admins.
If you're writing software for Linux/Unix systems, go see my book, the Secure Programming for Linux and Unix HOWTO available at http://www.dwheeler.com/secure-programs. It's freely available and redistributable (GFDL license), and it's got lots of information on how to write secure programs. There's lots of information on the Internet on how to write secure programs, but this book gives a lot of information in one place. Enjoy!
- David A. Wheeler (see my Secure Programming HOWTO)
H.O.P.E. 2002 (Hackers On Planet Earth). It's held in New York. I went to H2K, it was quite good, and if you want to learn a lot, it's very good. DefCon is also good, in Las Vegas, usually goes on at the same time as Black Hat. Both good conferences from what I hear.
__________________________________________
Take comfort in your ignorance.
Grandmaster Plague
Delivered-To: dcooley@panicdump.org
Date: Wed, 5 Jun 2002 18:34:16 -0400
From: Beth Corcoran
To: dcooley@panicdump.org
Subject: Re: Payment Options
In-Reply-To:
User-Agent: Internet Messaging Program (IMP) 3.0
Quoting Don Cooley
> SANS folks,
>
> I don't know how exactly to ask this so I will just explain my situation.
>
> I currently work at a startup dot com.
>
> They have cancelled all training and let go of everyone in IT except me.
>
> I am the lone Windows/Solaris/BSD/Linux admin. (I am learning wireless/Cisco
> also)
>
> I live in Denver. I would really LOVE to go to SANS this year.
>
> Do you have any scholarships for systems/security admins?
>
> I would also be willing to do data entry, technical reviews, (I have done one
> for O'Reilly)
> etc... "insert odd job" for the chance to go the SANS conference this year.
>
> Please let me know if there is any way I could *work off* the price of the
> tuition.
>
> Thanks for your time.
>
> Don Cooley
> Systems/Security Administrator
> http://www.panicdump.org
Hello! We do have a Volunteer program where you help the SANS staff "run" the
conference. You are required certain things, time, labor, etc., that other
attendees are not obligated to do. For more information, please visit
http://www.sans.org/conference/volunteer.p
Rocky Mountain is July 1. Please let me know if I can be of further
assistance.
Sincerely,
Beth Corcoran
Tuition Office Manager
The SANS Institute
tel: (540)548-0977
fax: (540)548-0957
beth@sans.org
www.sans.org
Just look for a SANS coming to a city near you and be a slave for a week.
Hope that helps
I have been involved in running Science Fiction conferences (we call them "cons" for short) for about 20 years now. We have attendances between a few dozen and a few thousand, with some going over the 5 thousand membership mark. We get some of the best people in our community to be guests of honour (GoH), and then stock panels with people both attending and from the local area. How much do we charge? Well, the going rate is around $40 for a weekend pass. That usually includes a program book, access to the hospitality suite (with either free or cheap food/drink). You can usually find crash space on someone's floor for $10 a night. And there are usually lots of open parties.
SF Fans don't have any "sugar daddies" to pay for their memberships, as is expected by the various Computer Conferences, and thus cannot charge large fees. And we are about community, not making money.
About the only event that has crossed the SF con with the Computer con is Andrew Hutton and his Ottawa Linux Symposium. But then again, he has attended a number of SF cons, including a few I helped run (Can-CON). More people need to learn how to run SF style cons, and run Open Source gatherings on the same format. SF fandom has a model that works, and all it takes is a few people in some of the larger population bases to put together SF style cons to get this going. And seek out your local SF con, and volunteer... it's the best way to learn how to run these things!
ttyl
Farrell J. McGovern
Staff for:
Maplecon, Pinekone, I-Con, Ad Astra, Concept, and Can-CON.
CAN-CON 2019 - Ottawa's only book oriented Science Fiction Convention! October 18-20, Sheraton Hotel, Ottawa, Canada h
Here in the good old land of OZ, Nortel has been providing free one day sessions to their channel partners, resellers and major customers on what they call 'Security Solutions'. It was definitely an eye opener to see one of their engineers show how easy it was to hack and DoS some of the machines set up in their lab. They spent the first part of the day doing some basic hacking and explaining some major vulnerabilities in systems and architectures. Not only at the network level but even in different OS's, and by the end of the day they've shown us (using their equipment of course) how to build a secure architecture. I'll give them one plug and say their Switched Firewall system is very cool. I've used Checkpoint before but I've never seen a Checkpoint firewall do 3.2Gb/s.
Summercon (www.summercon.org) is always fun, and easy on the budget. Last year it was in Amsterdam, this year in Washington DC.
In the UK we have this con called BrumCon (http://brumcon.org) in Birmingham. At the last one, there was a load of stuff on packet radio, breaking GSM and doing weird things with SMS. There was this guy showing lists and lists of vulnerable php servers and government sites with Cross-Site Scripting bugs. There's no way in hell they could do that at somewhere like DefCon! Last time it cost about 5 quid to get in (about $8). No mailing list though, you just have to keep checking the site for updates, although they do announce it on Usenet.
Check out InfraGard and ISSA; there are probably chapters in your area. ISSA has a $100 annual fee and often holds monthly meetings that seldom cost anything as a member. Good networking with security people at a minimum. InfraGard also has inexpensive meetings and networking opportunities.
Ken
>
;)
>"Computer (esp. network) security isn't really something that can be
>learned in a class. It's more of an ongoing awareness of what the
>threat of the week is. If history has shown us anything, it's that any
>useful networked system has flaws and can be broken into. As such,
>it's important to always keep on the forefront of what the enemy is up
>to.
>
>"Irritatingly time-consuming? You bet. A pain in the ass to keep up
>with? Oh yeah. The only effective way to keep systems and networks
>secure? Unfortunately."
>
Are you out of your mind?! Keeping up with stuff is the
best excuse I ever found to lurk on (counts mail filters) Bugtraq,
Incidents-l, ISN, vuln-watch, nanog, SANS newsbytes, CERT, NTBugtraq,
sec-focus, (and even... Slashdot, 'cos you'll hear about the new IE/
IIS hole-du-jour faster here than anywhere
Seriously, I really enjoy following the changing scene, the constant
arms war between the kiddies and the defenders. I just wish *I* could
find someone to pay me to do it. As it is I'm off work this week and
spending most of my time catching up with list backlog. And loving it.
"None are more hopelessly enslaved than those who falsely believe they are free." -- Goethe
The UKUUG (see http://www.ukuug.org/) frequently includes a security theme in its conferences. The last conference was last week; the programme for the conference is at http://www.ukuug.org/events/linux2002/speakers.shtml
Several of the "security agencies" in Canada offer courses which are fairly strong overviews. The RCMP technical security branch offers a number of workshops for free. I have taken the 4 day IT security officer and 1 day malicious code course and both were very good overviews.
The Communications Security Establishment (Canada's NSA) offers a number of courses quite cheap. This is a good place to start and often provides a wealth of resources for additional learning. I would look into whether the same exists in your country...
SANS reading room boasts 1300 research papers. Here are some other places for reading off the top of my head:
@Stake
phrack
antionline
securityfocus
There are tons more if you look
Sig, Shmig...who needs one
Please provide links to a sign-up location for the listed mailing lists. Some are obvious (i.e. bugtraq) but some like nanog are not.
Besides many useful (and some not so useful) suggestions by others, here's some free online training and the best link for reading material for InfoSec-interested people. Going to seminars is never cheap unless they happen to be in the city you live in. And the free/cheap ones that end up in your city are more often sales pitches than decent education. So I'll reiterate the advice of others and say "READ READ READ".
http://csrc.ncsl.nist.gov
(the best source of InfoSec papers, written by people who "have a clue", just follow the links)
And from the introductory to the more advanced FREE online web seminars:
http://wwwoirm.nih.gov/sectrain/
(from an introductory perspective, this link probably provides the most value, one can click through each web page section (simply read the first page and click "continue" at the bottom until the "course" is complete) OR download a text-only Word document that covers the same sections OR download an "interactive seminar" that needs to be unzipped, installed, and run)
http://www.novell.com/seminars/archive.html
(many security seminars available, does not require registration, in presentation format)
http://rsasecurity.raindance.com/iccdocs/index.
(check for recorded events, registration required, possible future seminars as well)
http://www.placewareforum.com/rsasecurity/
http://www.netiq.com/events/default.asp?view=ca
(site to keep an eye on for future seminars)
http://www.internetworld.com/webseminar/archive
(first selection on page is security-related, requires a few clicks to view, can use fake e-mail address to access if desired)
http://www.netseminar.com/nss/archive?branding=
(one on content security and one on authentication and encryption, requires registration)
http://www.netseminar.com/
(seminar on business continuity/disaster recovery)
http://programs.inktomi.com/mk/get/WEBSECWC
(one seminar, requires registration)
http://www.ignite.com/uk/products/trustservices
(seminars coming soon)
http://www.ciphertrust.com/webseminar/
(several good seminars in the coming weeks, requires registration)
http://www.warriorsofthe.net/
(more technical slideshow on IP, kinda neat)
Good luck, newbie.
Vic
First of all, I am a SANS alumnus, and I doubt that any better security education is available anywhere, for any price.
That said, my friend Ed Sawicki (alcpress.com) puts on some great classes that don't cost much, and once commented to me how expensive he considers SANS to be.
Even though I'm a SANS alumnus, I think Ed still has me beat hands-down for security knowledge. Take a look at his website, then write to him and tell him I said that he should start running some classes in security basics!
It's possible that he might be willing to do it.
In times of universal deceit, telling the truth gets you modded -1 Troll
Of the stuff posted so far I'd say the best advice is subscribe to bugtraq, read Hacking Exposed and the Crypto-Gram newsletter. Plus... SANS have shitloads of pretty decent stuff in their reading room rr.sans.org. Old issues of phrack contain really informative stuff like aleph1's 'Smashing the Stack for Fun and Profit'. And Bruce Schneier's book 'Secrets and Lies' is quite good in a broad overview kind of way.
It looks like DallasCon has gone up to $75 this year, both students and regular. But it's two days now instead of one. And I see they've gone entirely into wireless security... which was the best part of last year's anyway.
-DP
If you can't find the NANOG signup info, you don't need to read it.
"None are more hopelessly enslaved than those who falsely believe they are free." -- Goethe