Two new modules to sneak in right before New Years
December 30, 2010
It’s almost that time of year – when we drop one digit and add another to the calendar. 2011, here we come! With that said – we’ve released a couple new modules for our members, both by the great Jeremy Conway.
Evilgrade: Client Side Exploitation One Update at a Time
“Evilgrade is a modular framework that allows us to take advantage of poorly and insecurely implemented application upgrade and update processes. The Evilgrade framework allows us to inject arbitrary and/or fake updates of our choosing into these applications with ease. It comes with several pre-made binaries (agents), a working default configuration for fast adoption into penetration tests, and has it’s own built in WebServer and DNSServer modules. Evilgrade is fairly simple to set up with new and/or customized settings, and also has an intelligent auto configuration process built in that
will auto populate fields such as agent size, MD5 hash value, and SHA hash values when introduce our own binary agents into the framework.”
Armitage: Fast and Easy Hacking
“Armitage is a graphical user interface (GUI) attack management tool for Metasploit framework. Armitage enables us to visualize targets, choose exploits wisely, and interact with the advanced features and capabilities found within the Metasploit framework with ease. According to the author, Armitage aims to make Metasploit usable for security practitioners who understand hacking but don’t use Metasploit every day. After successfully completing this learning module and its associated lab I believe you will agree with me in that the author has done a great job of accomplishing this goal.”
If you haven’t become a full-fledged member yet, what better time to consider it, being the transition to a new year and all (Resolutions, anyone? 
). Just jump over to our membership page to sign up!
And as always, if you have any questions or concerns about becoming a member, email us.
Have a safe and happy New Years!
Cheers,
The Hacker Academy Team
Even for the marketing guy, there’s no escaping security
December 28, 2010
Rob Murray here. I’m one of the “behind the scenes” guys here at The Hacker Academy, producing all the graphics, marketing materials, and help with the development and maintenance of the site. While most of my colleagues in the graphics and marketing worlds would never have the topic of security cross their minds, more and more today it’s becoming necessity to place security in the forefront of the mind, regardless of application.
Take for example the XSS vulnerability found within Google’s popular service Website Optimizer. GWO is quickly becoming a major cornerstone of internet marketing and research. This prevalence in today’s modern marketing vehicles opens up an increasing number of doors for vulnerabilities, like the aforementioned Cross-site Scripting problem in GWO, to be exploited in new, not previously thought of areas.
Now, for those who incorporate GWO services into their website for reporting and split-testing and haven’t addressed this problem, it’s recommended that you take the time to fix the vulnerability; both by Google, and common sense. It’s actually brutally easy, to be honest. Truth be told, the vulnerability will only affect those who have also had their server compromised by a separate attack, but it’s still a good idea to not let this one slip through the cracks. Note, the vulnerability only affects experiments that were created before December 3rd, 2010; any new experiments created after this date already include the updated code. It is recommended you delete any paused or completed experiments and remove the scripts from your site(s) to ensure the elimination of any latent threat.
For those who don’t want to delete an experiment that are currently running, here’s a link to another blog post with a great walkthrough for updating the Google Web Optimizer Control Script for your experiments:
Google Website Optimizer Security Bug and How to Fix It via Search Marketing Sage
It just goes to show how prevalent security threats are, and how wide a scope they cover, in our modern world. Even as a “graphics guy”, I like to think of it as a “good offense always trumps good defense” scenario: no matter what your job title, security is the proactive responsibility of all members of the team. Time and time again, it’s proven that it’s just only the network that is directly at risk, but the secondary and tertiary access vehicles as well.
Just some thoughts and a heads up
Cheers,
Rob Murray
Have you seen the Pyramids?
December 18, 2010
If you have yet to see the pyramids, now is your chance. The Hacker Academy in partnership with ProSIS will be delivering a 5 day, hands-on Web Application Security class in Cairo, Egypt. This class will be held February 20th-24th and will cover many areas of web app security.
Attendees will learn extreme Web App Security from the mind of a hacker through thought provoking lectures and hands-on labs. Typical lab exercises consist of a real-world application that demonstrates a vulnerability commonly found in a web app. Attendees will learn how to assess the application as a black hat hacker and exploit the app so that they can demonstrate the true risk of the vulnerability to the application owner.
So whether you are one of many from around the world that are a current member of The Hacker Academy, on our mailing list, live in Egypt currently…or want to see the pyramids (and take a great web application security class), now is your chance. For more information including a syllabus or pricing, contact either The Hacker Academy from outside of Egypt or if you currently live in Egypt contact Prosis.
As a warm up for the in-person class, lead instructor of The Hacker Academy Mike Murray will be giving a free webinar on December 22nd 11:00 PM PST/December 23rd 9:00 AM Cairo Time, which will go hand in hand with the class in Egypt in February.
Web Application Hacking, Beyond the OWASP Top 10. If you are interested in attending this free webinar, click here to register.
Free THA Webinar- Becoming a Professional Pen Tester
December 13, 2010
The next THA free webinar is right around the corner! Mike Murray will be discussing what it takes to become a professional penetration tester. Information covered in this webinar is taken and expanded on from the first module within The Hacker Academy.
Here is a brief description of what will be covered: Mike will describe what it takes and how to become a great penetration tester. This includes everything from showing professionalism on the job, to ethics, and everything in between. You will understand that acquiring techniques is not the hard part, but becoming skilled at this craft is an art.
When: Wednesday, December 22, 2010
Time: 2PM EST
Length: 1 Hour
Where: Online
Cost: Free
To join us for this 1 hour free webinar, Click Here!
Note: if you’ve previously signed up for our webinars, there is no need to sign up again – you will have already received an invite via email.
3 New Modules for The Hacker Academy for start of December
December 11, 2010
That’s right – three! We thought with the colder temperatures entering a lot of the world with the start of December, we’d release a couple extra modules than usual to help forget about the cold.
The first two modules are additions to the Ethical-Hacking section of our curriculum; one of them adding a WHOLE new topic of learning:
Jeremy Conway brings us a new lesson on Browser Exploit Framework, more commonly referred to as BeEF. Jeremy explains: “The Browser Exploitation Framework (BeEF) is a professional tool that was specifically built to demonstrate the real-time impact of browser vulnerabilities. BeEF provides penetration testers with a simple but extremely feature rich and extendable framework that effectively manipulates normal browser functionalities into Zombie controlling features. BeEF’s XMLRPC integration with Metasploit further enhances these capabilities by bringing browser exploitation to the masses via an intuitive and user-friendly web interface.”
Dan Frye’s new module for Ethical-Hacking actually adds a whole new section of Ethical-Hacking, titled Programming & Reverse Engineering. The first module for this section is Dan Frye’s Basics of Coding in Ruby; Dan explains: “Ruby is a rather interesting programming language that has begun to get more widespread traction in the last few years. What makes Ruby so powerful is the ability to couple Object Oriented techniques and concepts into the flexible scripting language paradigm. This module will provide students with a basic technical understanding of coding in Ruby as well as simple examples of what makes Ruby so attractive as a programming language.”
The third module to be released is Jeremy Conway’s new Cutting-Edge module, to continue his PDF attacks series – PDF Exploitation via Metasploit. Jeremy summarizes: “It’s no secret that Metasploit is an extremely powerful and feature rich exploitation toolkit and within this learning model we are going to take look at how we can utilize these capabilities to carry out tailored client side PDF attacks against our targets. We will also examine a few of the not so well known capabilities within Metasploit specifically related to PDF attacks such as the PDF parsing module. And last but not least we will expand upon the built-in Meterpreter scripts with our very own Meterpreter script that will allow us to infect all PDF files on a targets computer with the Social Engineering PDF Payload.”
If you haven’t already become a member, come see what you’ve been missing out on.
The Hacker Academy’s Aaron Cohen on CNBC – what a stud!
December 11, 2010
One of our instructors, Jeremy Conway, found this clip of Aaron from a few years back of one of his appearances on CNBC. All we can say is two things: 1) thank you for finding this Jeremy , and 2) ladies, calm yourselves – Aaron is taken .
In this interview, Aaron discusses the vulnerability of public wireless networks, specifically in hotel/motel establishments that offer Wi-Fi access. Aaron offers some suggestions in regards to “safe practices” for traveling business people.
Click on the image below to check out the video!
