<?xml version='1.0' encoding='UTF-8'?><?xml-stylesheet href="http://www.blogger.com/styles/atom.css" type="text/css"?><feed xmlns='http://www.w3.org/2005/Atom' xmlns:openSearch='http://a9.com/-/spec/opensearchrss/1.0/' xmlns:georss='http://www.georss.org/georss' xmlns:gd='http://schemas.google.com/g/2005' xmlns:thr='http://purl.org/syndication/thread/1.0'><id>tag:blogger.com,1999:blog-9091583231038221262</id><updated>2012-02-15T23:35:35.336-08:00</updated><category term='Corporate Information Technology Security'/><title type='text'>Industrionage Enterprise Security</title><subtitle type='html'></subtitle><link rel='http://schemas.google.com/g/2005#feed' type='application/atom+xml' href='http://industrionage.blogspot.com/feeds/posts/default'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/9091583231038221262/posts/default?max-results=100'/><link rel='alternate' type='text/html' href='http://industrionage.blogspot.com/'/><link rel='hub' href='http://pubsubhubbub.appspot.com/'/><author><name>www.Industrionage.com</name><uri>http://www.blogger.com/profile/00907555867590425735</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='12' height='32' src='http://1.bp.blogspot.com/_OrlWpnLUecg/SrYxYmB2tkI/AAAAAAAAABA/xt1RrLJ2YbU/S220/face.jpg'/></author><generator version='7.00' uri='http://www.blogger.com'>Blogger</generator><openSearch:totalResults>76</openSearch:totalResults><openSearch:startIndex>1</openSearch:startIndex><openSearch:itemsPerPage>100</openSearch:itemsPerPage><entry><id>tag:blogger.com,1999:blog-9091583231038221262.post-683901356227231042</id><published>2012-01-09T11:51:00.000-08:00</published><updated>2012-01-09T11:51:00.389-08:00</updated><title type='text'>Virtual Lab with VMware</title><content type='html'>&lt;div dir="ltr" style="text-align: left;" trbidi="on"&gt;&lt;a href="http://www.ethicalhacker.net/content/view/63/2/" 
target="_blank"&gt;http://www.ethicalhacker.net/content/view/63/2/&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;By EH-Net Member Negrita &lt;br /&gt;&lt;img align="right" alt="" border="0" height="54" src="http://www.ethicalhacker.net/images/stories/features/root/vmware_logo.gif" width="173" /&gt; &lt;br /&gt;Some of you reading this may be studying for &lt;a class="undefined" href="http://www.ethicalhacker.net/content/view/35/3/"&gt;Certified Ethical Hacker (CEH)&lt;/a&gt; or perhaps some &lt;a class="undefined" href="http://www.ethicalhacker.net/content/section/1/3/"&gt;other certification&lt;/a&gt;  at the moment. While reading the study material and installing some of  the tools on a box may suffice for some, others would prefer to have an  actual lab to do their penetration testing. Buying separate boxes for  all your&amp;nbsp;Operating Systems (OSs)&amp;nbsp;can be quite expensive, and may deter  some people from wanting to do&amp;nbsp;certs in the first place (unless someone  else is paying for it). Thankfully there is a cheap solution to all this  and you can get to learn some new things on the way. &lt;br /&gt;The &lt;a class="undefined" href="http://www.ethicalhacker.net/content/view/50/2/" target="_blank"&gt;&lt;span style="color: blue;"&gt;Exam Prep CEH book by Michael Gregg&lt;/span&gt;&lt;/a&gt;  (which I'm using) recommends using at least 3 boxes; a Microsoft  Windows Server, a Microsoft Windows Client and a Linux Client. After  getting into things, Michael Gregg recommends installing a Linux Server  too, as these are the systems you'll most probably be working with  afterwards. &lt;br /&gt;&lt;img align="right" alt="" border="0" height="90" src="http://www.ethicalhacker.net/images/stories/features/root/vmwareplayer_logo.gif" width="90" /&gt;&lt;a href="http://en.wikipedia.org/wiki/Virtualization" target="_blank"&gt;&lt;span style="color: blue;"&gt;Virtualization&lt;/span&gt;&lt;/a&gt;  is a method of using "logical" computers as opposed to using physical  ones. 
To simplify my last statement, this means that you can install a  virtual computer to run on your physical box as if it were an  application. While there are a few virtualization software vendors in  the market, the 2 main players are &lt;a href="http://www.vmware.com/" target="_blank"&gt;&lt;span style="color: blue;"&gt;VMware&lt;/span&gt;&lt;/a&gt; and &lt;a class="undefined" href="http://www.microsoft.com/windowsserversystem/virtualserver/default.mspx" target="_blank"&gt;&lt;span style="color: blue;"&gt;Microsoft&lt;/span&gt;&lt;/a&gt;. Some of the others include &lt;a href="http://bochs.sourceforge.net/" target="_blank"&gt;&lt;span style="color: blue;"&gt;Bochs&lt;/span&gt;&lt;/a&gt;, &lt;a href="http://pearpc.sourceforge.net/" target="_blank"&gt;&lt;span style="color: blue;"&gt;PearPC&lt;/span&gt;&lt;/a&gt;, &lt;a href="http://www.parallels.com/" target="_blank"&gt;&lt;span style="color: blue;"&gt;Parallels&lt;/span&gt;&lt;/a&gt;, &lt;a href="http://www.serenityvirtual.com/" target="_blank"&gt;&lt;span style="color: blue;"&gt;SVISTA&lt;/span&gt;&lt;/a&gt; and &lt;a href="http://www.xensource.com/" target="_blank"&gt;&lt;span style="color: blue;"&gt;XenSource&lt;/span&gt;&lt;/a&gt;, which are all open source. Check out this &lt;a href="http://en.wikipedia.org/wiki/Comparison_of_virtual_machines" target="_blank"&gt;&lt;span style="color: blue;"&gt;comparative table&lt;/span&gt;&lt;/a&gt; with a much fuller list. In this tutorial, I'll discuss how I've used 2 VMware products to set up my lab. The first is &lt;a href="http://www.vmware.com/products/player/" target="_blank"&gt;&lt;span style="color: blue;"&gt;VMware Player&lt;/span&gt;&lt;/a&gt; and the second is &lt;a href="http://www.vmware.com/products/ws/" target="_blank"&gt;&lt;span style="color: blue;"&gt;VMware Workstation&lt;/span&gt;&lt;/a&gt;.  
I'm certainly no expert on virtualization or these tools, but I'm gladly sharing with you all how I set things up for myself, in the hope that it will help some of you too or at least give you an interesting read.&lt;br /&gt;&lt;br /&gt;Before getting started, there are a few facts and some terminology you should know about virtual machines:&lt;br /&gt;1. The main Operating System on the box is known as the "host", while the virtual computers running on it are known as "guests".&lt;br /&gt;2. A guest with a disk drive of say 4Gb will create a file of 4Gb on the host OS. Make sure you have enough disk space.&lt;br /&gt;3. The guest OS uses RAM taken from the host. Before running a guest OS on the host, you must make sure you have enough RAM to support both/all OSs running concurrently.&lt;br /&gt;4. A 64-bit guest OS cannot run on a 32-bit host OS. Make sure the guest OS matches the host's CPU.&lt;br /&gt;5. Most importantly, YOU MUST HAVE A VALID LICENSE FOR ALL OSs RUNNING ON YOUR SYSTEM. For example, if you have a Windows XP guest running on a Linux host, you must have a valid license for both OSs (yes, I know Linux comes with a &lt;a href="http://www.gnu.org/copyleft/gpl.html" target="_blank"&gt;&lt;span style="color: blue;"&gt;GPL copyleft&lt;/span&gt;&lt;/a&gt;). Just because the XP machine is virtual doesn't exempt it from needing a license.&lt;br /&gt;&lt;br /&gt;One of the tools I use is called VMware Player,&amp;nbsp;a FREE application&amp;nbsp;that allows you to run predefined virtual guests, which can also be downloaded for FREE. All the FREE virtual machines offered are obviously open source. VMware Player can be played on Windows 2000 Pro and Server, Windows XP Home and Pro, and also Windows Server 2003. It can also be played on various flavours of Red Hat Enterprise Linux, SUSE Linux, Mandrake Linux and Ubuntu Linux.&lt;br /&gt;&lt;br /&gt;After downloading and installing VMware Player, you'll want something to play on it. 
Go to the &lt;a href="http://www.vmware.com/vmtn/appliances/directory/" target="_blank"&gt;&lt;span style="color: blue;"&gt;VMTN Virtual Appliance&lt;/span&gt;&lt;/a&gt; web page and look through the list of virtual appliances available. You can choose from a wide variety of regular distros like Kubuntu, Gentoo, Debian, Fedora Core, FreeBSD, etc. A very large variety of tools and applications can also be found, such as VPN servers, proxies, firewalls and scanners, as well as Nagios and other network monitors. Of particular interest to the hacking community are the specialised security appliances such as BackTrack. When downloading a virtual appliance, take note of the primary account's (root) username and password, which should be on the download page.&lt;br /&gt;&lt;br /&gt;One particularly useful appliance is the &lt;a href="http://www.vmware.com/vmtn/appliances/directory/284" target="_blank"&gt;&lt;span style="color: blue;"&gt;LiveCD Virtual Appliance&lt;/span&gt;&lt;/a&gt; which, as the name suggests, allows you to play a live CD. You don't actually have to have a CD in the tray for this to work, but rather the live CD's ISO image, which must be placed in the same directory as the LiveCD Virtual Appliance. The ISO image must be renamed "livecd.iso" for it to work.&lt;br /&gt;&lt;br /&gt;&lt;img align="right" alt="" border="0" height="90" src="http://www.ethicalhacker.net/images/stories/features/root/vmwarews_logo.gif" width="90" /&gt;Now that you've got your favourite Linux distro running, you may start to wonder about the Windows part of the test lab. Surprisingly there is a FREE and legal solution to all this too. VMware Player will only play preinstalled virtual machines, but to create those virtual machines you need a program like VMware Workstation (which I use) or VMware Server. VMware Workstation comes fully functional with a FREE 30-day evaluation license. Once installed, you can use it to create as many virtual machines as you like. 
The list of supported host OSs is similar to that  mentioned above for VMware Player, but the list of guest OSs includes  practically all versions of Windows from Windows 95 to Vista including  both 32 and 64-bit options, and also a variety of 32 and 64-bit open  source OS versions and flavours such as Red Hat Enterprise Linux, SUSE  Linux, Mandrake Linux, Turbolinux, Ubuntu Linux, Sun JDS, Novell,  FreeBSD, Sun Solaris and other custom Linux installs with a 2.4.x or  2.6.x kernel.&lt;br /&gt;&lt;br /&gt;Microsoft will let you download and install a 64-bit version of &lt;a href="http://www.microsoft.com/windowsxp/64bit/facts/trial.mspx" target="_blank"&gt;&lt;span style="color: blue;"&gt;Windows XP Professional&lt;/span&gt;&lt;/a&gt; together with a 120 day evaluation license, and a 32 or 64-bit version of &lt;a href="http://www.microsoft.com/windowsserver2003/evaluation/trial/default.mspx" target="_blank"&gt;&lt;span style="color: blue;"&gt;Windows Server 2003&lt;/span&gt;&lt;/a&gt;  together with a 180 day evaluation license. This should be more than  enough time to study for CEH and probably a few other certs too.&lt;br /&gt;&lt;br /&gt;Adding a new virtual machine is as simple as clicking  File&amp;gt;New&amp;gt;Virtual Machine, and then following the instructions of  the wizard. First choose if you want a typical or custom install. You  will be prompted for the type of OS, the virtual machine's name (i.e.  Win2K3 No.1), the machine's location on the host OS, the type of network  connection (more on that later), and the capacity of the guest OS hard  disk. You can change the amount of RAM the guest uses amongst other  things, by clicking on "Edit virtual machine settings" afterwards. This  can also be set, by choosing a custom install from the wizard. The  custom install will also allow you to use a guest with 2 CPUs. When  choosing the guest's disk size, leave enough space for the OS install  and for the tools you'll want to install on it afterwards. 
I find that 4Gb is more than adequate. Next put your install CD in the tray and click "Start this virtual machine". The install is just like that of a regular OS. You can install and download as many virtual machines as your host HDD can hold, but remember that if you don't have enough RAM, you won't be able to run them all concurrently.&lt;br /&gt;&lt;br /&gt;After downloading and installing all the guests you want, you'll want to connect them together in a network. When you install VMware Player or Workstation, the application will install 2 default NICs on the host. The first is called VMnet1 and the second VMnet8. The NICs can be enabled in 3 different modes: Bridged, NAT and Host-only. When installing a new guest, if you chose a typical install, the install will default to Bridged mode. Host-only mode will not allow the guest network access. Most of the virtual appliances I downloaded had been configured to use VMnet8 in NAT mode, which gives the guest OS access to the internet via the host's network connection, so you can surf the internet, and download tools and updates. On each guest I configured a default gateway of 192.168.42.1 and an IP in the 192.168.42.0/24 range. I then pinged the default gateway and some of the other guests to test the network connectivity. This can also be configured using teams. I'm no expert on teams, but more info about them can be found &lt;a href="http://www.vmware.com/support/ws55/doc/ws_team.html" target="_blank"&gt;&lt;span style="color: blue;"&gt;here&lt;/span&gt;&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;Finally, a few words must be said about VMware Tools. VMware Tools is an all-important add-on application which provides many things, such as support for faster graphics performance, clock synchronization between the host and guest OSs, and file sharing and drag-and-drop features between the host and guests. 
More info about  VMware tools can be found &lt;a href="http://www.vmware.com/support/ws55/doc/new_guest_tools_ws.html" target="_blank"&gt;&lt;span style="color: blue;"&gt;here&lt;/span&gt;&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;As I've said earlier, I'm not an expert on these topics and they are  provided as-is for your use and knowledge. I will gladly receive  criticism and comments in the corresponding post in the&amp;nbsp;forum.&lt;br /&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/9091583231038221262-683901356227231042?l=industrionage.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://industrionage.blogspot.com/feeds/683901356227231042/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://industrionage.blogspot.com/2012/01/virtual-lab-with-vmware.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/9091583231038221262/posts/default/683901356227231042'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/9091583231038221262/posts/default/683901356227231042'/><link rel='alternate' type='text/html' href='http://industrionage.blogspot.com/2012/01/virtual-lab-with-vmware.html' title='Virtual Lab with VMware'/><author><name>www.Industrionage.com</name><uri>http://www.blogger.com/profile/00907555867590425735</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='12' height='32' src='http://1.bp.blogspot.com/_OrlWpnLUecg/SrYxYmB2tkI/AAAAAAAAABA/xt1RrLJ2YbU/S220/face.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-9091583231038221262.post-3064851207973684121</id><published>2012-01-09T11:49:00.000-08:00</published><updated>2012-01-09T11:49:04.578-08:00</updated><title type='text'>2012 cyber crime 
predictions: More arrests and Willie Sutton 2.0</title><content type='html'>&lt;div dir="ltr" style="text-align: left;" trbidi="on"&gt;&lt;a href="http://www.scmagazine.com/2012-cyber-crime-predictions-more-arrests-and-willie-sutton-20/article/219808/" target="_blank"&gt;http://www.scmagazine.com/2012-cyber-crime-predictions-more-arrests-and-willie-sutton-20/article/219808/&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;In 2012 we will see more high-profile arrests of cyber criminals and  more botnet takedowns, but that's just my opinion, and only one of many  predictions being aired as 2011 winds down and the world looks forward  to 2012. When you spend most of your time researching various aspects of  data security, like malware and cyber crimes, you quickly learn that  predictions can come back to bite you, hence the &lt;a href="http://blog.eset.com/2011/12/12/2012-predictions-east-of-java"&gt;reluctant prognostications&lt;/a&gt; of my colleague David Harley, which sometimes veer toward the &lt;a href="http://www.scmagazineus.com/top-of-the-potshots/article/219229/"&gt;tongue-in-cheek&lt;/a&gt;.  However, unless your personal or professional circumstances are such  that you can afford to eschew any kind of planning for the future, you  need to make at least a few “best-guess” assumptions about what lies  ahead. &lt;br /&gt;Although I do think that the coming year will bring more law  enforcement efforts to fruition, as a wide range of agencies continue to  work together to take down cyber crime operations, I'm sad to say that I  see no immediate shortage of criminals willing to take a chance on  cyber crime. After all, those chances still look pretty good. The risk  of serving time for cyber crime, or getting injured during the execution  thereof, is still incredibly low compared to more conventional crimes  like walking into a bank and demanding money at gun point. 
And the  rewards are very enticing.&lt;br /&gt;Consider the crime ring busted in 2011 by &lt;a href="http://www.scmagazineus.com/kudos-to-federal-cybercrime-fighters/article/216716/"&gt;Operation Ghost Click&lt;/a&gt;.  According to the FBI, infected computers were used to generate “at  least $14 million in fraudulent advertising fees” over a period of four  years. Seven people were indicted, but even if the scam involved twice  that number, the loot works out at $1 million per person, with almost  zero risk of being shot while committing the crime. Compare that with  the risky business of robbing a bank. I looked at the &lt;a href="http://www.fbi.gov/stats-services/publications/bank-crime-statistics-2011/bank-crime-statistics-2011-q2"&gt;FBI's Bank Crime Statistics&lt;/a&gt;  going back to 2003, and did not see a single year or calendar quarter  in which the average take from a physical bank robbery in the United  States exceeded $10,000. In some quarters, the average value of stolen  bank loot – the FBI actually uses the term "loot" – was below $8,000. &lt;br /&gt;Remember the “scareware” bust earlier this year when the FBI and law  enforcement from at least 10 countries worked together to expose a scam  that infected 960,000 computers with fake anti-virus software? That  cyber crime project cheated consumers out of more than $72 million over  three years. If 24 people were involved, that's $1 million per person  per year. The smart money is clearly on cyber crime, particularly since  you don't need to be smart to commit such crimes. &lt;br /&gt;Consider SpyEye, this year's break-out product in the “easy-to-use  botnet builder” category, complete with plug-and-play bank account  hacking modules. 
A big clue to the target demographic for this product, apart from the slick app-style interface, is the feature that cleans up after that most embarrassing of newbie cyber crime gaffes, infecting your own machine with the malware you're trying to distribute.&lt;br /&gt;Perhaps, as programs like SpyEye continue to lower the barrier to entry for aspiring cyber criminals, it is time to rephrase the legendary question asked of Willie Sutton, one of the most notorious bank robbers of the 20th century: Why do you rob banks? To which Mr. Sutton is reported to have answered: Because that's where the money is. The 21st century version, or Sutton 2.0, might be to ask: Why do you seek unauthorized access to networks and digital devices? Because that's where the data is, and data is the new currency. Even your basic street criminal knows this. &lt;br /&gt;The chances that a random mugging victim will be carrying a lot of cash are slim. There's a much better chance they will have a wallet or purse full of data-bearing plastic cards that can be easily converted into whatever the criminal wants, be it illegal drugs, anonymous gift cards, or actual money. The means to convert large amounts of data into wealth are now widely available. For example, the &lt;a href="http://ddanchev.blogspot.com/2011/10/exposing-market-for-stolen-credit-cards.html"&gt;black market in credit card data&lt;/a&gt; is thriving, global and accessible from anywhere, as is the market in compromised data access points. Data pertaining to a real person can be used to fake their identity, open bogus accounts in their name, compromise or drain existing accounts, and generate credit cards used to buy gift cards used to buy high-end merchandise that can be traded for cash, or enjoyed in the comfort of your luxury apartment rented in someone else's name. 
&lt;br /&gt;In 2012 the struggle to shut down this type of crime will continue,  but there will be other forms of cyber crime to contend with as well.  According to his autobiography, &lt;i&gt;Where the Money Was: The Memoirs of a Bank Robber&lt;/i&gt;,  Willie Sutton never gave that famous “where the money is” reason for  robbing banks. Here's what he really thought: “Why did I rob banks?  Because I enjoyed it. I loved it. I was more alive when I was inside a  bank, robbing it, than at any other time in my life.” Substitute  “network” for “bank,” and you pretty much have the definition of a  career criminal hacker.&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/9091583231038221262-3064851207973684121?l=industrionage.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://industrionage.blogspot.com/feeds/3064851207973684121/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://industrionage.blogspot.com/2012/01/2012-cyber-crime-predictions-more.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/9091583231038221262/posts/default/3064851207973684121'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/9091583231038221262/posts/default/3064851207973684121'/><link rel='alternate' type='text/html' href='http://industrionage.blogspot.com/2012/01/2012-cyber-crime-predictions-more.html' title='2012 cyber crime predictions: More arrests and Willie Sutton 2.0'/><author><name>www.Industrionage.com</name><uri>http://www.blogger.com/profile/00907555867590425735</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='12' height='32' 
src='http://1.bp.blogspot.com/_OrlWpnLUecg/SrYxYmB2tkI/AAAAAAAAABA/xt1RrLJ2YbU/S220/face.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-9091583231038221262.post-1760768383974158446</id><published>2011-12-19T07:14:00.000-08:00</published><updated>2011-12-19T07:14:55.957-08:00</updated><title type='text'>Industrionage</title><content type='html'>&lt;div dir="ltr" style="text-align: left;" trbidi="on"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;Industrial Espionage&lt;/b&gt;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;Industrial espionage is the act of gathering proprietary data from private companies or the&lt;br /&gt;government for the purpose of aiding another company(ies). Industrial espionage can be&lt;br /&gt;perpetrated either by companies seeking to improve their competitive advantage or by&lt;br /&gt;governments seeking to aid their domestic industries. Foreign industrial espionage carried out by&lt;br /&gt;a government is often referred to as economic espionage. 
Since information is processed and&lt;br /&gt;stored on computer systems, computer security can help protect against such threats; it can do&lt;br /&gt;little, however, to reduce the threat of authorized employees selling that information.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;a href="http://csrc.nist.gov/publications/nistpubs/800-12/handbook.pdf" target="_blank"&gt;http://csrc.nist.gov/publications/nistpubs/800-12/handbook.pdf&lt;/a&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/9091583231038221262-1760768383974158446?l=industrionage.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://industrionage.blogspot.com/feeds/1760768383974158446/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://industrionage.blogspot.com/2011/12/industrial-espionage-industrial.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/9091583231038221262/posts/default/1760768383974158446'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/9091583231038221262/posts/default/1760768383974158446'/><link rel='alternate' type='text/html' href='http://industrionage.blogspot.com/2011/12/industrial-espionage-industrial.html' title='Industrionage'/><author><name>www.Industrionage.com</name><uri>http://www.blogger.com/profile/00907555867590425735</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='12' height='32' src='http://1.bp.blogspot.com/_OrlWpnLUecg/SrYxYmB2tkI/AAAAAAAAABA/xt1RrLJ2YbU/S220/face.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-9091583231038221262.post-1275923597372228342</id><published>2011-03-20T18:41:00.000-07:00</published><updated>2011-03-20T18:41:02.906-07:00</updated><title type='text'>Hacker TOOLKIT</title><content 
type='html'>&lt;div dir="ltr" style="text-align: left;" trbidi="on"&gt;&lt;a href="http://www.bnsmidwest.com/hackertoolkit.htm"&gt;http://www.bnsmidwest.com/hackertoolkit.htm&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Information on &lt;b&gt;hacking&lt;/b&gt;, &lt;b&gt;security&lt;/b&gt;, hacker &lt;b&gt;toolkits&lt;/b&gt;, hacking &lt;b&gt;software&lt;/b&gt;, and many &lt;b&gt;tools&lt;/b&gt; for testing the &lt;b&gt;vulnerabilities&lt;/b&gt; of your &lt;b&gt;network&lt;/b&gt; and networking devices. &lt;br /&gt;&lt;ul&gt;&lt;b&gt;&lt;u&gt;REFERENCE&lt;/u&gt;&lt;/b&gt;&lt;li&gt;&lt;a href="http://www.nwc.com/1004/1004ws2.html" title="A Network Computing Tutorial on how implementing access control lists can impact Cisco routers"&gt;The Cost of Security on Cisco Routers&lt;/a&gt; &lt;/li&gt;&lt;li&gt;&lt;a href="http://www.nwc.com/907/907ws1.html" title="Network Computing Workshop on using Cisco ACL's"&gt;Demystifying Cisco ACL's&lt;/a&gt; &lt;/li&gt;&lt;li&gt;&lt;a href="http://www.cisco.com/univercd/cc/td/doc/cisintwk/ics/cs003.htm" title="Cisco's"&gt;Increasing Security on IP Networks&lt;/a&gt; &lt;/li&gt;&lt;li&gt;&lt;a href="http://www.antionline.com/" title="News and information on network security and hacking"&gt;AntiOnline&lt;/a&gt; &lt;/li&gt;&lt;li&gt;&lt;a href="http://razor.bindview.com/" title="A team of researchers that produces news and information on network security and system vulnerabilities"&gt;Bindview's RAZOR&lt;/a&gt; 
&lt;/li&gt;&lt;li&gt;&lt;a href="http://www.cultdeadcow.com/" title="Home of information on BackOrifice"&gt;Cult of the Dead Cow&lt;/a&gt; &lt;/li&gt;&lt;li&gt;&lt;a href="http://www.insecure.org/" title="Lots of information on known exploits"&gt;Fyodor's Playhouse&lt;/a&gt; &lt;/li&gt;&lt;li&gt;&lt;a href="http://www.grc.com/" title="Steve Gibson's collection of security tools, testers, and exploit information"&gt;Gibson Research&lt;/a&gt;&lt;/li&gt;&lt;li&gt;&lt;a href="http://www.interhack.net/" title="Information on network security issues"&gt;Interhack&lt;/a&gt;&lt;/li&gt;&lt;li&gt;&lt;a href="http://ntbugtraq.ntadvice.com/default.asp?pid=38&amp;amp;sid=1" title="NTBugtraq is a mailing list for the discussion of security exploits and security bugs in Windows NT and its related applications"&gt;NT Bugtraq&lt;/a&gt;&lt;/li&gt;&lt;li&gt;&lt;a href="http://www.ntsecurity.net/" title="Information on Windows NT security and exploits"&gt;NT Security&lt;/a&gt;&lt;/li&gt;&lt;li&gt;&lt;a href="http://www.packetdefense.com/" title="Information on InfoSec, exploits, and more"&gt;Packet Defense&lt;/a&gt;&lt;/li&gt;&lt;li&gt;&lt;a href="http://www.counterpane.com/pptp.html" title="Information on the crack of Microsoft's Point-to-Point Tunneling Protocol"&gt;PPTP Crack&lt;/a&gt;&lt;/li&gt;&lt;li&gt;&lt;a href="http://www.wwdsi.com/saint/" title="Tool for performing security assessments"&gt;Security Administrator's Integrated Network Tool (SAINT)&lt;/a&gt;&lt;/li&gt;&lt;li&gt;&lt;a href="http://www.securityfocus.com/" title="Enormous collection of security resources and forums and home of bugtraq mailing lists"&gt;Security Focus&lt;/a&gt;&lt;/li&gt;&lt;li&gt;&lt;a href="http://securitytracker.com/" title="Reports on computer security vulnerabilities"&gt;Security Tracker&lt;/a&gt;&lt;/li&gt;&lt;/ul&gt;&lt;br /&gt;&lt;hr /&gt; &lt;br /&gt;Tools for 
&lt;b&gt;Windows&lt;/b&gt; and &lt;b&gt;Linux&lt;/b&gt;.&lt;br /&gt;Many good &lt;b&gt;tools&lt;/b&gt; here for any aspect of security, penetration         testing, IDS, firewalls, packet sniffers, network monitoring tools and         just about anything else you can think of.&lt;br /&gt;&lt;br /&gt;&lt;b&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; &lt;u&gt;TOOLS&lt;/u&gt;&lt;/b&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;&lt;a href="http://www.insecure.org/nmap/nmap_download.html" title="Nmap is a free open source utility for network exploration or security auditing. It was designed to rapidly scan large networks, although it works fine against single hosts."&gt;NMAP&lt;/a&gt;           &lt;/li&gt;&lt;li&gt;&lt;a href="http://www.nessus.org/" title="The premier Open Source vulnerability assessment tool. Nessus is a remote security scanner for Linux, BSD, Solaris, and other Unix like OS's"&gt;Nessus&lt;/a&gt;           &lt;/li&gt;&lt;li&gt;&lt;a href="http://www.ethereal.com/" title="Ethereal is a free network protocol analyzer for Unix and Windows. It allows you to examine data from a live network or from a capture file on disk."&gt;Ethereal&lt;/a&gt;           &lt;/li&gt;&lt;li&gt;&lt;a href="http://www.snort.org/" title="Snort is a lightweight network intrusion detection system, capable of performing real-time traffic analysis and packet logging on IP networks. It can perform protocol analysis, content searching/matching and can be used to detect a variety of attacks and probes, such as buffer overflows, stealth port scans, CGI attacks, SMB probes, OS fingerprinting attempts, and much more"&gt;Snort&lt;/a&gt;           &lt;/li&gt;&lt;li&gt;&lt;a href="http://www.atstake.com/research/tools/network_utilities/" title="A simple Unix utility which reads and writes data across network connections, using TCP or UDP protocol. It is designed to be a reliable back-end tool that can be used directly or easily driven by other programs and scripts. 
At the same time, it is a feature-rich network debugging and exploration tool, since it can create almost any kind of connection you would need and has several interesting built-in capabilities."&gt;Netcat&lt;/a&gt;&lt;/li&gt;&lt;li&gt;&lt;a href="http://www.tcpdump.org/" title="Tcpdump is a well-known and well-loved text-based network packet analyzer. It can be used to print out the headers of packets on a network interface that matches a given expression."&gt;TCPDump&lt;/a&gt;&lt;/li&gt;&lt;li&gt;&lt;a href="http://windump.polito.it/" title="Windows port of Tcpdump."&gt;WinDump&lt;/a&gt;&lt;/li&gt;&lt;li&gt;&lt;a href="http://www.hping.org/" title="hping2 assembles and sends custom ICMP/UDP/TCP packets and displays any replies. It was inspired by the ping command, but offers far more control over the probes sent. It also has a handy traceroute mode and supports IP fragmentation. This tool is particularly useful when trying to traceroute/ping/probe hosts behind a firewall that blocks attempts using the standard utilities."&gt;Hping2&lt;/a&gt;&lt;/li&gt;&lt;li&gt;&lt;a href="http://naughty.monkey.org/%7Edugsong/dsniff/" title="This popular and well-engineered suite by Dug Song includes many tools. dsniff, filesnarf, mailsnarf, msgsnarf, urlsnarf, and webspy passively monitor a network for interesting data (passwords, e-mail, files, etc.). arpspoof, dnsspoof, and macof facilitate the interception of network traffic normally unavailable to an attacker (e.g, due to layer-2 switching). 
sshmitm and webmitm implement active monkey-in-the-middle attacks against redirected SSH and HTTPS sessions by exploiting weak bindings in ad-hoc PKI"&gt;DSniff&lt;/a&gt;&lt;/li&gt;&lt;li&gt;&lt;a href="http://www.gfi.com/lannetscan/" title="LANguard scans networks and reports information such as service pack level of each machine, missing security patches, open shares, open ports, services/applications active on the computer, key registry entries, weak passwords, users and groups, and more"&gt;GFI LANguard&lt;/a&gt;&lt;/li&gt;&lt;li&gt;&lt;a href="http://ettercap.sourceforge.net/" title="Ettercap is a terminal-based network sniffer/interceptor/logger for ethernet LANs. It supports active and passive dissection of many protocols (even ciphered ones, like SSH and HTTPS). Data injection in an established connection and filtering on the fly is also possible, keeping the connection synchronized. Many sniffing modes were implemented to give you a powerful and complete sniffing suite. Plugins are supported. It has the ability to check whether you are in a switched LAN or not, and to use OS fingerprints (active or passive) to let you know the geometry of the LAN."&gt;Ettercap&lt;/a&gt;&lt;/li&gt;&lt;li&gt;&lt;a href="http://www.wiretrip.net/rfp/p/doc.asp?id=21&amp;amp;iface=2" title="Whisker is a scanner which allows you to test HTTP servers for many known security holes, particularly the presence of dangerous CGIs"&gt;Whisker/Libwhisker&lt;/a&gt;&lt;/li&gt;&lt;li&gt;&lt;a href="http://www.openwall.com/john/" title="John the Ripper is a fast password cracker, currently available for many flavors of Unix (11 are officially supported, not counting different architectures), DOS, Win32, BeOS, and OpenVMS. Its primary purpose is to detect weak Unix passwords. It supports several crypt(3) password hash types which are most commonly found on various Unix flavors, as well as Kerberos AFS and Windows NT/2000/XP LM hashes. 
Several other hash types are added with contributed patches."&gt;John the Ripper&lt;/a&gt;&lt;/li&gt;&lt;li&gt;&lt;a href="http://www.openssh.com/" title="A secure way to access remote computers"&gt;OpenSSH&lt;/a&gt;&lt;/li&gt;&lt;li&gt;&lt;a href="http://www.samspade.org/ssw/" title="SamSpade provides a consistent GUI and implementation for many handy network query tasks. It was designed with tracking down spammers in mind, but can be useful for many other network exploration, administration, and security tasks. It includes tools such as ping, nslookup, whois, dig, traceroute, finger, raw HTTP web browser, DNS zone transfer, SMTP relay check, website search, and more"&gt;Sam Spade&lt;/a&gt;&lt;/li&gt;&lt;li&gt;&lt;a href="http://www.iss.net/products_services/enterprise_protection/vulnerability_assessment/scanner_internet.php" title="Application-level vulnerability assessment. ISS Internet Scanner is pretty good, but is not cheap."&gt;ISS Internet Scanner&lt;/a&gt;&lt;/li&gt;&lt;li&gt;&lt;a href="http://www.tripwire.com/" title="A file and directory integrity checker. Tripwire is a tool that aids system administrators and users in monitoring a designated set of files for any changes."&gt;Tripwire&lt;/a&gt;&lt;/li&gt;&lt;li&gt;&lt;a href="http://www.cirt.net/code/nikto.shtml" title="Nikto is a web server scanner which looks for over 2000 potentially dangerous files/CGIs and problems on over 200 servers"&gt;Nikto&lt;/a&gt;&lt;/li&gt;&lt;li&gt;&lt;a href="http://www.kismetwireless.net/" title="Kismet is an 802.11b network sniffer and network dissector. It is capable of sniffing using most wireless cards, automatic network IP block detection via UDP, ARP, and DHCP packets, Cisco equipment lists via Cisco Discovery Protocol, weak cryptographic packet logging, and Ethereal and tcpdump compatible packet dump files. 
It also includes the ability to plot detected networks and estimated network ranges on downloaded maps or user-supplied image files."&gt;Kismet&lt;/a&gt;&lt;/li&gt;&lt;li&gt;&lt;a href="http://www.foundstone.com/index.htm?subnav=resources/navigation.htm&amp;amp;subcontent=/resources/proddesc/superscan.htm" title="A connect-based TCP port scanner, pinger and hostname resolver"&gt;SuperScan&lt;/a&gt;&lt;/li&gt;&lt;li&gt;&lt;a href="http://www.oxid.it/cain.html" title="Cain &amp;amp; Abel is a free password recovery tool for Microsoft Operating Systems. It allows easy recovery of various kinds of passwords by sniffing the network, cracking encrypted passwords using Dictionary &amp;amp; Brute-Force attacks, decoding scrambled passwords, revealing password boxes, uncovering cached passwords and analyzing routing protocols"&gt;Cain &amp;amp; Abel&lt;/a&gt;&lt;/li&gt;&lt;li&gt;&lt;a href="http://www.solarwinds.net/" title="SolarWinds has created and sells dozens of special-purpose tools targeted at systems administrators. Security-related tools include many network discovery scanners and an SNMP brute-force cracker"&gt;SolarWinds Toolsets&lt;/a&gt;&lt;/li&gt;&lt;li&gt;&lt;a href="http://www.ntop.org/" title="Ntop shows network usage in a way similar to what top does for processes. In interactive mode, it displays the network status on the user's terminal. In Web mode, it acts as a Web server, creating an HTML dump of the network status. It sports a NetFlow/sFlow emitter/collector, an HTTP-based client interface for creating ntop-centric monitoring applications, and RRD for persistently storing traffic statistics."&gt;NTop&lt;/a&gt;&lt;/li&gt;&lt;li&gt;&lt;a href="http://www.packetfactory.net/projects/nemesis/" title="The Nemesis Project is designed to be a commandline-based, portable human IP stack for UNIX/Linux (and now Windows!). 
The suite is broken down by protocol, and should allow for useful scripting of injected packet streams from simple shell scripts"&gt;Nemesis&lt;/a&gt;&lt;/li&gt;&lt;li&gt;&lt;a href="http://www.citi.umich.edu/u/provos/honeyd/" title="Honeyd is a small daemon that creates virtual hosts on a network. The hosts can be configured to run arbitrary services, and their TCP personality can be adapted so that they appear to be running certain versions of operating systems. Honeyd enables a single host to claim multiple addresses on a LAN for network simulation. It is possible to ping the virtual machines, or to traceroute them. Any type of service on the virtual machine can be simulated according to a simple configuration file. It is also possible to proxy services to another machine rather than simulating them"&gt;Honeyd&lt;/a&gt;&lt;/li&gt;&lt;li&gt;&lt;a href="http://achilles.mavensecurity.com/" title="Achilles is a tool designed for testing the security of web applications. Achilles is a proxy server, which acts as a man-in-the-middle during an HTTP session. A typical HTTP proxy will relay packets to and from a client browser and a web server. Achilles will intercept an HTTP session's data in either direction and give the user the ability to alter the data before transmission. For example, during a normal HTTP SSL connection a typical proxy will relay the session between the server and the client and allow the two end nodes to negotiate SSL. In contrast, when in intercept mode, Achilles will pretend to be the server and negotiate two SSL sessions, one with the client browser and another with the web server. 
As data is transmitted between the two nodes, Achilles decrypts the data and gives the user the ability to alter and/or log the data in clear text before transmission."&gt;Achilles&lt;/a&gt;&lt;/li&gt;&lt;li&gt;&lt;a href="http://www.packetfactory.net/projects/firewalk/" title="Firewalk employs traceroute-like techniques to analyze IP packet responses to determine gateway ACL filters and map networks. "&gt;Firewalk&lt;/a&gt;&lt;/li&gt;&lt;li&gt;&lt;a href="http://www.grisoft.com/us/us_dwnl_free.php" title="Grisoft's free virus scanner. A nice antivirus tool"&gt;AVG Free Antivirus&lt;/a&gt;&lt;/li&gt;&lt;li&gt;&lt;a href="http://www.trendmicro.com/" title="Trend Micro's free online virus scan. Disinfect your computer without having to install a program"&gt;Trend Micro online scan&lt;/a&gt;&lt;/li&gt;&lt;li&gt;&lt;a href="http://www.tinysoftware.com/home/tiny2?la=EN" title="Tiny firewall is an excellent product to keep out pesky intruders or to just log activity on your PC."&gt;Tiny Firewall&lt;/a&gt;&lt;/li&gt;&lt;li&gt;&lt;a href="http://securityresponse.symantec.com/avcenter/tools.list.html" title="Symantec's virus removal tool library. From Blaster to MyDoom you can find a tool to remove it here"&gt;Symantec Virus Tools&lt;/a&gt;&lt;/li&gt;&lt;li&gt;&lt;a href="http://www.linuxsoft.cz/en/redirect.php?id_download=963" title="The Linux Security Auditing Tool (LSAT) is a post-install security auditor for Linux/Unix. It checks many system configurations and local network settings on the system for common security/config errors and for packages that are not needed. "&gt;Linux Security Audit Tool&lt;/a&gt;&lt;/li&gt;&lt;li&gt;&lt;a href="http://www.fwbuilder.org/" title="Firewall Builder is a multi-platform firewall configuration and management tool. It consists of a GUI and a set of policy compilers for various firewall platforms. 
Firewall Builder uses an object-oriented approach; it helps the administrator maintain a database of network objects and allows policy editing using simple drag-and-drop operations. Firewall Builder currently supports iptables, ipfilter, OpenBSD PF and Cisco PIX. "&gt;Firewall Builder&lt;/a&gt;&lt;/li&gt;&lt;li&gt;&lt;a href="http://www.ipcop.org/" title="Linux Firewall configurable over web interface. IPCop implements existing technology, secure programming practices and outstanding new concepts to make it ‘the’ Linux Distribution for protecting single home computers, to large corporate networks from intrusions and attacks. Whether for your home, or SOHO, IPCop will scale to fit your needs. IPCop has even been rumoured to be implemented and protecting larger, more complex networks too."&gt;IPCop&lt;/a&gt;&lt;/li&gt;&lt;li&gt;&lt;a href="http://airsnort.shmoo.com/" title="Wi-Fi sniffer. It can recognize SSID of card, name of network, packets encrypted by WEP, etc"&gt;AirSnort&lt;/a&gt;&lt;/li&gt;&lt;li&gt;&lt;a href="http://www.fish.com/satan/" title="SATAN is a tool to help systems administrators. It recognizes several common networking-related security problems, and reports the problems without actually exploiting them."&gt;SATAN&lt;/a&gt;&lt;/li&gt;&lt;li&gt;&lt;a href="http://www.rootkit.nl/" title="Rootkit Hunter scans files and systems for known and unknown rootkits, backdoors, and sniffers"&gt;Rootkit Hunter&lt;/a&gt;&lt;/li&gt;&lt;li&gt;&lt;a href="http://www.spamassassin.org/" title="SpamAssassin is a mail filter that uses a wide range of heuristic tests on mail headers and body text to identify spam. Once identified, the mail can then be optionally tagged as spam for later filtering using the user's own mail user-agent application. 
It provides a command line tool to perform filtering, along with Mail::SpamAssassin, a set of Perl modules which implement a Mail::Audit plugin, allowing SpamAssassin to be used in a Mail::Audit filter or in a spam-protection proxy POP/IMAP server. "&gt;SpamAssassin&lt;/a&gt;&lt;/li&gt;&lt;li&gt;&lt;a href="http://www.grsecurity.net/" title="grsecurity is a complete security system for Linux 2.4 that implements a detection/prevention/containment strategy. It prevents most forms of address space modification, confines programs via its Role-Based Access Control system, hardens syscalls, provides full-featured auditing, and implements many of the OpenBSD randomness features"&gt;grsecurity&lt;/a&gt;&lt;/li&gt;&lt;li&gt;&lt;a href="http://www.ip-scanner.com/" title="IPScanner is a tool that is designed for the day-to-day monitoring of computers within Microsoft networking environments. It allows you to gather information from computers in the network without installing server-side applications on these computers. 
With its powerful engine, this utility can scan hundreds of computers or your entire network ,IP by IP, using different scan types and can help you make "&gt;IP-Scanner&lt;/a&gt;&lt;/li&gt;&lt;/ul&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/9091583231038221262-1275923597372228342?l=industrionage.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://industrionage.blogspot.com/feeds/1275923597372228342/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://industrionage.blogspot.com/2011/03/hacker-toolkit.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/9091583231038221262/posts/default/1275923597372228342'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/9091583231038221262/posts/default/1275923597372228342'/><link rel='alternate' type='text/html' href='http://industrionage.blogspot.com/2011/03/hacker-toolkit.html' title='Hacker TOOLKIT'/><author><name>www.Industrionage.com</name><uri>http://www.blogger.com/profile/00907555867590425735</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='12' height='32' src='http://1.bp.blogspot.com/_OrlWpnLUecg/SrYxYmB2tkI/AAAAAAAAABA/xt1RrLJ2YbU/S220/face.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-9091583231038221262.post-2119799458202064045</id><published>2011-02-17T00:30:00.001-08:00</published><updated>2011-02-17T00:30:50.542-08:00</updated><title type='text'>A useful blog site "Hackerville"</title><content type='html'>&lt;div dir="ltr" style="text-align: left;" 
trbidi="on"&gt;&lt;a href="http://jaretmanuel.com/hackerville"&gt;&lt;b style="color: lime;"&gt;HACKERVILLE&lt;/b&gt;&lt;/a&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/9091583231038221262-2119799458202064045?l=industrionage.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://industrionage.blogspot.com/feeds/2119799458202064045/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://industrionage.blogspot.com/2011/02/useful-blog-site-hackerville.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/9091583231038221262/posts/default/2119799458202064045'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/9091583231038221262/posts/default/2119799458202064045'/><link rel='alternate' type='text/html' href='http://industrionage.blogspot.com/2011/02/useful-blog-site-hackerville.html' title='A useful blog site &quot;Hackerville&quot;'/><author><name>www.Industrionage.com</name><uri>http://www.blogger.com/profile/00907555867590425735</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='12' height='32' 
src='http://1.bp.blogspot.com/_OrlWpnLUecg/SrYxYmB2tkI/AAAAAAAAABA/xt1RrLJ2YbU/S220/face.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-9091583231038221262.post-3062065107403813672</id><published>2011-02-17T00:22:00.000-08:00</published><updated>2011-02-17T00:22:32.838-08:00</updated><title type='text'>How a Remote Town in Romania Has Become Cybercrime Central</title><content type='html'>&lt;div dir="ltr" style="text-align: left;" trbidi="on"&gt;&lt;b&gt;&lt;a href="http://www.wired.com/magazine/2011/01/ff_hackerville_romania/"&gt;From Wired Magazine&lt;/a&gt;&lt;/b&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;div class="entry"&gt;                 &lt;div class="wp-caption aligncenter" style="width: 670px;"&gt;&lt;img alt="Photo: Nick Waplington" height="441" src="http://www.wired.com/magazine/wp-content/images/19-02/ff_hackerville_romania_f.jpg" title="" width="660" /&gt;&lt;div class="wp-caption-text"&gt;Râmnicu  Vâlcea has only about 120,000 residents, but among law enforcement   experts around the world, it has a nickname: Hackerville. The town is  full of online crooks who cruise the streets in expensive European cars.&lt;br /&gt;Photo: Nick Waplington&lt;/div&gt;&lt;/div&gt;&lt;strong&gt;Three hours outside Bucharest&lt;/strong&gt;, Romanian National  Road 7 begins a gentle ascent into the foothills of the Transylvanian  Alps. Meadowlands give way to crumbling houses with chickens in the  front yard, laundry flapping on clotheslines. 
But you know you’ve  arrived in the town of &lt;a href="http://maps.google.com/maps?q=R%C3%A2mnicu+V%C3%A2lcea,+V%C3%A2lcea,+Romania&amp;amp;oe=UTF-8&amp;amp;ie=UTF8&amp;amp;hl=en&amp;amp;geocode=FVI-sAIdBPFzAQ&amp;amp;split=0&amp;amp;sll=37.0625,-95.677068&amp;amp;sspn=23.875,57.630033&amp;amp;hq=&amp;amp;hnear=R%C3%A2mnicu+V%C3%A2lcea,+V%C3%A2lcea,+Romania&amp;amp;ll=45.104546,24.367676&amp;amp;spn=10.932144,17.687988&amp;amp;z=6"&gt;Râmnicu Vâlcea&lt;/a&gt; when you see the Mercedes-Benz dealership.&lt;br /&gt;It’s in the middle of a grassy field, shiny sedans behind gleaming  glass walls. Right next door is another luxury car dealership selling a  variety of other high-end European rides. It’s as if the sheer magic of  wealth has shimmered the glass-and-steel buildings into being.&lt;br /&gt;In fact, expensive cars choke the streets of Râmnicu Vâlcea’s  bustling city center—top-of-the-line BMWs, Audis, and Mercedes driven by  twenty- and thirtysomething men sporting gold chains and fidgeting at  red lights. I ask my cab driver if these men all have high-paying jobs,  and he laughs. Then he holds up his hands, palms down, and wiggles his  fingers as if typing on a keyboard. “They steal money on the Internet,”  he says.&lt;br /&gt;Among law enforcement officials around the world, the city of 120,000  has a nickname: Hackerville. It’s something of a misnomer; the town is  indeed full of online crooks, but only a small percentage of them are  actual hackers. Most specialize in ecommerce scams and malware attacks  on businesses. According to authorities, these schemes have brought tens  of millions of dollars into the area over the past decade, fueling the  development of new apartment buildings, nightclubs, and shopping  centers. 
Râmnicu Vâlcea is a town whose business is cybercrime, and  business is booming.&lt;br /&gt;&lt;strong&gt;At a restaurant&lt;/strong&gt; in a neighborhood of apartment  buildings and gated bungalows, I meet Bogdan Stoica and Alexandru  Frunza, two of just four local cops on the digital beat. Stoica, 32, is  square-shouldered and stocky, with a mustache and prominent stubble. His  expression rarely changes. Frunza, 29, is tall and clean shaven. He’s  the funny one. “My English will improve after I have a few beers,” he  says. We sit at a table on the edge of a big courtyard, piped-in  Romanian pop music blaring.&lt;br /&gt;Stoica and Frunza grew up in Râmnicu Vâlcea. “The only cars on the  streets were those made by Dacia,” Stoica says, referring to the  venerable Romanian carmaker. Access to information was limited, too:  Weekday television consisted of two hours of state-run programming,  mostly devoted to covering the dictator, &lt;a href="http://topics.nytimes.com/topics/reference/timestopics/people/c/nicolae_ceausescu/index.html"&gt;Nicolae Ceauşescu&lt;/a&gt;. “We had half an hour of cartoons on Sunday,” Stoica says.&lt;br /&gt;In 1989, a revolution that began with anti-government riots ended  with the execution of Ceauşescu and his wife, and the country began the  switch to a market economy. By 1998, when Stoica finished high school  and went off to the police academy in Bucharest, another revolution was  beginning: the Internet. Râmnicu Vâlcea was better off than many towns  in this relatively poor country—it had a decades-old chemical plant and a  modest tourism industry. But many young men and women struggled to find  work.&lt;br /&gt;No one really knows how or why those kids started scamming people on  the Internet. “If you find out, you let us know,” says Codruţ Olaru,  head of Romania’s Directorate for Investigation on Organized Crime and  Terrorism. Whatever the reason, online crime was widespread by 2002.  
Cybercafés offered cheap Internet access, and crooks in Râmnicu Vâlcea  got busy posting fake ads on eBay and other auction sites to lure  victims into remitting payments by wire transfer. Eventually, FBI agents  in the US and Bucharest started to get interested.&lt;br /&gt;In the early days, the perpetrators weren’t exactly geniuses. One of  the first cases out of the region involved a team based in the  neighboring town of Piteşti. One crook would post ads for cell phones;  the other picked up the wired money for orders that would never ship.  The two men had made a few hundred dollars from victims in the US, and  the guy receiving the cash hadn’t even bothered to use a fake ID. “I  found him sitting in an Internet café, chatting online,” says Costel  Ion, a Piteşti cop who had been working the cybercrime beat. “He just  confessed.”&lt;br /&gt;But as in any business, the scammers innovated and adapted. One early  advance was establishing fake escrow services: Victims would be asked  to send payments to these supposedly trustworthy third parties, which  had websites that made them look like legitimate companies. The scams  got better over the years, too. To explain unbelievably low prices for  used cars, for example, a crook would pose as a US soldier stationed  abroad, with a vehicle in storage back home that he had to sell. (That  tale also established a plausible US contact to receive the money,  instead of someone in Romania.) In the early years, the thieves would  simply ask for advance payment for the nonexistent vehicle. As word of  the scam spread, the sellers began offering to send the cars for  inspection—asking for no payment except “shipping.”&lt;br /&gt;The con artists got even sneakier. “They learned to create scenarios,” says Michael Eubanks, an &lt;a href="http://romania.usembassy.gov/embassy/law_enforcement.html"&gt;FBI agent in Bucharest&lt;/a&gt;.  
“We’ve seen email between criminals with instructions on how to respond  to different questions.” The scammers started hiring English speakers  to craft emails to US targets. Specialists emerged to occupy niches in  the industry, designing fake websites or coordinating low-level  confederates.&lt;br /&gt;&lt;div class="wp-caption alignleft" style="width: 325px;"&gt;&lt;img alt="Photo: Nick Waplington" height="472" src="http://www.wired.com/magazine/wp-content/images/19-02/ff_hackerville_romania2b_f.jpg" title="" width="315" /&gt;&lt;div class="wp-caption-text"&gt;Internet scammers and their underlings have turned Râmnicu Vâlcea into a hub of international organized crime.&lt;br /&gt;Photo: Nick Waplington&lt;/div&gt;&lt;/div&gt;&lt;div style="margin-top: 0px;"&gt;By 2005, Romania had become widely known as a  haven for online fraud, and buyers became wary of sending money there.  The swindlers adapted again, arranging for payments to be wired to other  European countries, where accomplices picked up the cash. A new entry  level evolved, people who’d act as couriers and money launderers for a  cut of the take. These money mules were called arrows, and their  existence elevated Râmnicu Vâlcea to a hub of international organized  crime.&lt;/div&gt;Many arrows were Romanians living in Western Europe and the US; some  were youngsters from Râmnicu Vâlcea who had moved overseas expressly for  the job. They’d go to wire transfer offices to collect remittances from  victims, then turn around and wire that money—minus a commission—to  Râmnicu Vâlcea or to other arrows in the network. The system served as a  kind of firewall, making it much more difficult for law enforcement to  track the masterminds.&lt;br /&gt;Back home, the local police were starting to realize they needed  people on the cybercrime beat full-time. Frunza, who’d studied  informatics in high school before attending the police academy, was  working drug cases in Bucharest when he decided to come home. 
He ended  up joining Stoica on the hunt for online con artists. The two learned  that suspects expect leniency from the police because their crimes  target only foreigners. “The guys will often say, ‘I am not stealing  from our countrymen,’” Frunza says. “But a crime is a crime. You have to  pay for it.”&lt;br /&gt;Nowadays, Stoica and Frunza occasionally find themselves  investigating a childhood acquaintance or, conversely, running into  known criminals in social situations. Frunza used to play on the same  soccer team as a suspect who was under surveillance. Those connections  have helped the two cops pose a formidable challenge to the industry.&lt;br /&gt;A little after 11 pm, Stoica hushes our conversation and tells me to  turn around and check out a table across the courtyard, where a small  group of flashily dressed young men has just arrived with two blond  women who seem barely out of their teens. The men are all under  investigation. “It’s a small city,” Stoica says.&lt;br /&gt;&lt;div class="wp-caption alignleft" style="width: 325px;"&gt;&lt;img alt="Photo: Nick Waplington" height="447" src="http://www.wired.com/magazine/wp-content/images/19-02/ff_hackerville_romania3_f.jpg" title="" width="315" /&gt;&lt;div class="wp-caption-text"&gt;The sudden appearance of luxury car dealerships among the grass fields marks the entrance into Râmnicu Vâlcea.&lt;br /&gt;Photo: Nick Waplington&lt;/div&gt;&lt;/div&gt;&lt;div style="margin-top: 0px;"&gt;&lt;strong&gt;Defining the town&lt;/strong&gt; center of  Râmnicu Vâlcea is a towering shopping mall that looks like a giant  glass igloo. The streets are lined with gleaming storefronts—leather  accessories, Italian fashions—serving a demand fueled by illegal income.  Near the mall is a nightclub, now closed by police because its backers  were shady. New construction grinds ahead on nearly every block. But  what really stands out in Râmnicu Vâlcea are the money transfer offices.  
At least two dozen Western Union locations lie within a four-block area  downtown, the company’s black-and-yellow signs proliferating like the  Starbucks mermaid circa 2003.&lt;/div&gt;Driving past a block of low-rise buildings with neatly trimmed  hedges, Stoica notes a couple of apartments owned by people currently  under investigation. “I don’t know if the people of Râmnicu Vâlcea are  too smart or too stupid,” Stoica says grimly. “They talk a lot to each  other. One guy learns the job from another. They ask their high school  friends: ‘Hey, do you want to make some money? I want to use you as an  arrow.’ Then the arrow learns to do the scams himself.”&lt;br /&gt;It’s not so different from the forces that turn a neighborhood into,  say, New York’s fashion district or the aerospace hub in southern  California. “To the extent that some expertise is required, friends and  family members of the original entrepreneurs are more likely to have  access to those resources than would-be criminals in an isolated  location,” says Michael Macy, a &lt;a href="http://sdl.soc.cornell.edu/index.html"&gt;Cornell University sociologist&lt;/a&gt; who studies social networks. “There may also be local political resources that provide a degree of protection.”&lt;br /&gt;Online thievery as a ticket to the good life spread from the early  pioneers to scores of young men, infecting Râmnicu Vâlcea’s social  fabric. The con artists were the ones with the nice cars and fancy  clothes—the local kids made good. And just as in Silicon Valley, the  clustering of operations in one place made it that much easier for more  to get started. “There’s a high concentration of people offering the  kinds of services you need to build a criminal scheme,” says Gary  Dickson, an FBI agent who worked in Bucharest from 2005 to 2010. “If  your specialty is auction frauds, you can find a money pick-up guy. 
If  you’re a money pick-up guy, you can find a buyer for your services.”&lt;br /&gt;&lt;strong&gt;Stoica and Frunza&lt;/strong&gt; both complain that they’re  fighting an unstoppable tide with limited resources. But they haven’t  been entirely unsuccessful—in fact, the 2008 case that first revealed  the anatomy of Râmnicu Vâlcea’s fraud networks stemmed from Stoica’s  investigation of a young entrepreneur named Romeo Chita.&lt;br /&gt;Stoica says Chita started out as an arrow in the UK, and he was good.  He moved up the ranks and eventually hired a few friends to establish  his own ring. The Romanian authorities began investigating him in 2006,  when he started buying new cars every few months and going to clubs  every night with no apparent source of legitimate income. Chita launched  an Internet service provider called NetOne, which authorities believe  he was using as a shelter for fraudulent activity. When cops wanted to  identify his customers, Stoica says, Chita usually told them that NetOne  didn’t keep records.&lt;br /&gt;&lt;div class="wp-caption alignleft" style="width: 325px;"&gt;&lt;img alt="Photo: Nick Waplington" height="472" src="http://www.wired.com/magazine/wp-content/images/19-02/ff_hackerville_romania4_f.jpg" title="" width="315" /&gt;&lt;div class="wp-caption-text"&gt;Western Union signs have multiplied downtown like the Starbucks mermaid circa 2003.&lt;br /&gt;Photo: Nick Waplington&lt;/div&gt;&lt;/div&gt;&lt;div style="margin-top: 0px;"&gt;In January 2008, an informant gave Stoica  the cell numbers of two men working for Chita. The police tapped the  phones, and the next day one of the men sent Chita a text message with  money transfer control numbers—unique numeric sequences required to pick  up cash. Stoica and his team followed up with surveillance of Chita and  his associates, which established what Stoica calls “the money  circuit,” the route through which the funds flowed from victims in the  US to Chita and others. 
Prosecutors now allege that the operation turned  into something a little more sophisticated than the usual Râmnicu  Vâlcea scam. For example, the case against them details a con known as  spear phishing—sending email to US companies that appeared to be from  the IRS, the Department of Justice, or some other agency. Through Trojan  horses attached to these emails, Chita’s group could obtain the  companies’ bank account numbers and passwords. Allegedly, they even  hired people in Las Vegas—Stoica says some were homeless—to open fake  corporate bank accounts and receive the money.&lt;/div&gt;The same month that Stoica began pursuing Chita, a police officer  stopped a car for speeding in the Westlake suburb of Cleveland, Ohio.  About to write a ticket, the cop noticed some drug paraphernalia in the  car and arrested the two men inside. A further search turned up eight  cell phones, two computers, fake IDs, two dozen money transfer receipts,  and $63,000 in cash. The pair turned out to be Romanian and eventually  confessed to being arrows for an organization authorities traced back to  Chita. They had spent most of January driving around the Midwest,  picking up money from various Western Union and MoneyGram locations.  Their confessions led to more wiretaps and surveillance in the US and  Romania over the following months, uncovering a network of at least two  dozen accomplices.&lt;br /&gt;That summer, Romanian authorities and FBI agents conducted &lt;a href="http://www.mediafax.ro/english/romanian-authorities-arrest-24-suspects-in-internet-crime-frauds-2782723"&gt;a series of raids&lt;/a&gt;  on both sides of the Atlantic. Chita spent 14 months in custody before  being granted a provisional release pending the completion of his trial,  still pending. On an org chart filed in Stoica’s office, Chita’s photo  remains at the top.&lt;br /&gt;&lt;strong&gt;Class Café&lt;/strong&gt; is an inviting coffee shop with a terrace  that overlooks a quiet street. 
It’s nearly empty when I walk in—just  the owner behind the counter and a young couple at a corner table.&lt;br /&gt;Stoica discouraged me from attempting this meeting, but I wanted to  know what an alleged kingpin looks like. I ask the owner if he knows  where Chita is, and he offers to call him. After a brief phone  conversation, he hangs up and tells me that Chita is in Bucharest. I  remind him that Chita isn’t allowed to leave Râmnicu Vâlcea under the  terms of his release, and the owner smiles. He spends a few more minutes  on the phone, then hangs up again and asks me to sit. Chita is on his  way.&lt;br /&gt;I take a table on the terrace. During our tour of town, Stoica had  pointed out Chita’s silver Mercedes on the road, so I ignore the green  Jaguar that drives up until a man in Bermuda shorts, canvas shoes, and a  white T-shirt climbs out, enters the café, and approaches my table. He  introduces himself as Chita’s brother, Marian. He licks his lips  nervously and fidgets with an iPhone. “Chita’s coming,” he says after  lighting a cigarette and making some phone calls. “But he’s a little  drunk.”&lt;br /&gt;A few minutes later, Chita walks around the corner and ambles into  the café. Boyish, dressed in shorts, a light-blue polo shirt, and  flip-flops, he looks more like a college student than a criminal  mastermind. Despite the reputation of Râmnicu Vâlcea’s underworld as  relatively free of violence, he has brought along some muscle—a young  man in dark glasses with a big tattoo on his arm. The bodyguard slams a  beer bottle down on the table and flexes his hand, as if getting ready  for a boxing match.&lt;br /&gt;Chita shakes my hand dourly and sits down next to me, looking away.  Two other men join us. The young couple from the corner comes over to  greet Chita with fawning smiles and handshakes. They clearly recognize  him, too. The café owner gets up and leaves. 
As he walks away, he looks  at me gravely and says, “Good luck.”&lt;br /&gt;&lt;div class="wp-caption alignleft" style="width: 325px;"&gt;&lt;img alt="Photo: Nick Waplington" height="472" src="http://www.wired.com/magazine/wp-content/images/19-02/ff_hackerville_romania5_f.jpg" title="" width="315" /&gt;&lt;div class="wp-caption-text"&gt;Râmnicu  Vâlcea has become the Silicon Valley of online thievery— a place where  the clustering of operations makes boot-strapping a criminal start-up  easier.&lt;br /&gt;Photo: Nick Waplington&lt;/div&gt;&lt;/div&gt;The tattooed man leans toward me ominously. “Were you sent by Barack  Obama?” he asks. I say that I wasn’t, and everyone but me lights  cigarettes. Marian, getting increasingly jumpy, demands to know my true  agenda. Finally, I spell my name and tell him to search for my stories  on his iPhone. He Googles me and shows the screen to his brother.  Everybody relaxes a bit, and I silently give thanks for wireless  broadband.&lt;br /&gt;Marian asks the young couple to translate for Chita, and they agree  to stay. Chita has them tell me to stand, then he pats me down, asking  if I’m wearing a wire.&lt;br /&gt;“What do you say to the charges against you?” I ask.&lt;br /&gt;“They are fake,” Chita says, in English.&lt;br /&gt;Marian adds, “It’s all bullshit.” For clarification.&lt;br /&gt;Chita continues with his defense in Romanian, and the couple  translates enthusiastically. “He doesn’t even know how to speak English,  so it is impossible for him to post ads or exchange email with buyers,”  the young woman says. “He doesn’t even have an email address,” she  says. “How can he do fraud on the Internet?”&lt;br /&gt;I press Chita about the wiretapped conversations, but his tattooed  bodyguard interrupts loudly. “You go back to your hotel room, we send  you some nice pussy,” he says, raising his hand for a high five that I  feel obligated to meet. 
The two men beside him laugh, and Chita takes a  final drag from his cigarette before rising from his chair. He’s in no  mood to discuss the evidence. “This interview is over,” Marian says.&lt;br /&gt;They saunter out of the café and onto the sidewalk, looking  surprisingly banal for guys accused of organized cybercrime, enjoying  the good life with little effort or risk. Officials have &lt;a href="http://www.wired.com/threatlevel/2010/04/romania-cyber-thieves/"&gt;dismantled a few fraud rings&lt;/a&gt; in recent years—there were just 188 arrests in all of Romania in 2010—but scores remain in business.&lt;br /&gt;I am left with the friendly couple that helped with the translating.  The young man says he’s heard about Chita from his friends and has seen  his name in the papers. He tells me he has just received a diploma in  engineering from an institution in Bucharest and is now looking for a  job here in Râmnicu Vâlcea, his hometown. “I haven’t found anything  yet,” he says. Thinking about Marian’s Jag and Chita’s Mercedes, I  wonder if he’ll consider a job as an arrow. It’s like Frunza told me at  the restaurant: “You arrest two of them and 20 new ones take their  place,” he said. “We are two police officers, and they are 2,000.”&lt;br /&gt;&lt;br /&gt;&lt;em&gt;Yudhijit Bhattacharjee&lt;/em&gt; (yudhijit@gmail.com) &lt;em&gt;is a staff writer at&lt;/em&gt; Science. 
&lt;em&gt;He wrote about decoding a spy’s messages in issue 18.02.&lt;/em&gt;&lt;br /&gt;&lt;/div&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/9091583231038221262-3062065107403813672?l=industrionage.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://industrionage.blogspot.com/feeds/3062065107403813672/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://industrionage.blogspot.com/2011/02/how-remote-town-in-romania-has-become.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/9091583231038221262/posts/default/3062065107403813672'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/9091583231038221262/posts/default/3062065107403813672'/><link rel='alternate' type='text/html' href='http://industrionage.blogspot.com/2011/02/how-remote-town-in-romania-has-become.html' title='How a Remote Town in Romania Has Become Cybercrime Central'/><author><name>www.Industrionage.com</name><uri>http://www.blogger.com/profile/00907555867590425735</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='12' height='32' src='http://1.bp.blogspot.com/_OrlWpnLUecg/SrYxYmB2tkI/AAAAAAAAABA/xt1RrLJ2YbU/S220/face.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-9091583231038221262.post-6311684042794655094</id><published>2011-01-25T23:26:00.000-08:00</published><updated>2011-01-25T23:27:05.169-08:00</updated><title type='text'>Intelligence on the darker side of the internet</title><content type='html'>&lt;div dir="ltr" style="text-align: left;" 
trbidi="on"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&lt;span style="color: lime;"&gt;&amp;nbsp;&amp;nbsp;&lt;/span&gt;&lt;a href="http://www.shadowserver.org/wiki/" style="color: lime;"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt; http://www.shadowserver.org/wiki/&lt;/b&gt;&lt;/span&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;&amp;nbsp;&lt;/b&gt;The Shadowserver Foundation is an all volunteer watchdog group of  security professionals that gather, track, and report on malware, botnet  activity, and electronic fraud. It is the mission of the Shadowserver  Foundation to improve the security of the Internet by raising awareness  of the presence of compromised servers, malicious attackers, and the  spread of malware. 
&lt;/span&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/9091583231038221262-6311684042794655094?l=industrionage.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://industrionage.blogspot.com/feeds/6311684042794655094/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://industrionage.blogspot.com/2011/01/intelligence-on-darker-side-of-internet.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/9091583231038221262/posts/default/6311684042794655094'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/9091583231038221262/posts/default/6311684042794655094'/><link rel='alternate' type='text/html' href='http://industrionage.blogspot.com/2011/01/intelligence-on-darker-side-of-internet.html' title='Intelligence on the darker side of the internet'/><author><name>www.Industrionage.com</name><uri>http://www.blogger.com/profile/00907555867590425735</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='12' height='32' src='http://1.bp.blogspot.com/_OrlWpnLUecg/SrYxYmB2tkI/AAAAAAAAABA/xt1RrLJ2YbU/S220/face.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-9091583231038221262.post-577923751498387616</id><published>2011-01-08T19:55:00.000-08:00</published><updated>2011-01-25T23:28:24.671-08:00</updated><title type='text'>Social Engineering</title><content type='html'>&lt;div dir="ltr" style="text-align: left;" trbidi="on"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&lt;span style="color: lime;"&gt;&amp;nbsp;&lt;/span&gt;&lt;a 
href="http://www.social-engineer.org/framework/Social_Engineering_Framework" style="color: lime;"&gt; http://www.social-engineer.org/framework/Social_Engineering_Framework&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;What really is social engineering? We define&amp;nbsp; it as the act of  manipulating a person to accomplish goals that may or may not be in the  “target’s” best interest. This may include &lt;a href="http://www.social-engineer.org/framework/How_to_Gather_Information" style="color: lime;"&gt;obtaining information&lt;/a&gt;, gaining access, or getting the target to take certain action.&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/9091583231038221262-577923751498387616?l=industrionage.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://industrionage.blogspot.com/feeds/577923751498387616/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://industrionage.blogspot.com/2011/01/social-engineering.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/9091583231038221262/posts/default/577923751498387616'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/9091583231038221262/posts/default/577923751498387616'/><link rel='alternate' type='text/html' href='http://industrionage.blogspot.com/2011/01/social-engineering.html' title='Social Engineering'/><author><name>www.Industrionage.com</name><uri>http://www.blogger.com/profile/00907555867590425735</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='12' height='32' 
src='http://1.bp.blogspot.com/_OrlWpnLUecg/SrYxYmB2tkI/AAAAAAAAABA/xt1RrLJ2YbU/S220/face.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-9091583231038221262.post-5774402976268009346</id><published>2010-12-31T02:58:00.000-08:00</published><updated>2011-01-25T23:30:39.443-08:00</updated><title type='text'>Guide to Internet Security</title><content type='html'>&lt;div dir="ltr" style="text-align: left;" trbidi="on"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&lt;span style="color: lime;"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&lt;/span&gt;&lt;span style="color: lime; font-size: small;"&gt; &lt;/span&gt;&lt;span style="color: lime; font-size: small;"&gt;&lt;a href="http://kb.netgear.com/app/answers/detail/a_id/1104"&gt;http://kb.netgear.com/app/answers/detail/a_id/1104&lt;/a&gt;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;For a comprehensive introduction to security, try the 89 page GAO-04-467, the first link in this &lt;a href="http://searching.gao.gov/query.html?qt=gao-04-467&amp;amp;charset=iso-8859-1&amp;amp;col=audprod&amp;amp;amo=11&amp;amp;ady=21&amp;amp;ayr=2004&amp;amp;bmo=11&amp;amp;bdy=22&amp;amp;byr=2005"&gt;&lt;span style="color: #2462af;"&gt;US &lt;span style="color: lime;"&gt;Government&lt;/span&gt;&lt;/span&gt;&lt;/a&gt;  search. While this document has issues that won't be of interest, it  presents the entire security situation very well. (You might want to  skip to page 12 where the detailed information begins.)&lt;br /&gt;&lt;br /&gt;&lt;b&gt;&lt;span style="color: #330066;"&gt;Overview&lt;/span&gt; &lt;/b&gt; &lt;img alt="Image" src="http://kbserver.netgear.com/images/para_divider_tabbed_2.gif" /&gt; &lt;br /&gt;Two great truths about security are:&lt;br /&gt;&lt;ul&gt;&lt;li&gt;It's common to over- or under-estimate how much risk you have. 
Computer criminals depend on you implementing security casually.&lt;/li&gt;&lt;li&gt;Attacks that work usually target weak links — things you don't anticipate.&lt;/li&gt;&lt;/ul&gt;Assuming that you aren't personally targeted, moderately secure  networks usually cause hackers to attack elsewhere. You can be  moderately secure by ensuring there aren't any obvious weak links in  your system.&lt;br /&gt;&lt;b&gt;&lt;span style="color: #330066;"&gt;&lt;img alt="Image" border="0" height="8" src="http://kbserver.netgear.com/images/spacer.gif" width="49" /&gt;Types of Security Problems&lt;/span&gt; &lt;/b&gt; &lt;img alt="Image" src="http://kbserver.netgear.com/images/para_divider_tabbed_2.gif" /&gt;&lt;br /&gt;There are many goals for attacks. Don't assume your network is safe just because you don't do critical work on it.&lt;br /&gt;&lt;ul&gt;&lt;li&gt;Snooping. Reading private mail and other personal files.&lt;/li&gt;&lt;li&gt;Destroying or corrupting computer data: Making files unusable, or making a whole computer unusable.&lt;/li&gt;&lt;li&gt;Stealing computer data: Taking credit card numbers, email addresses, company information, etc.&lt;/li&gt;&lt;li&gt;Stopping computer from functioning properly: Blocking incoming traffic so that intended users cannot get access, etc.&lt;/li&gt;&lt;li&gt;Misusing computer resources: Sending spam without you knowing it, etc.&lt;/li&gt;&lt;li&gt;Pranks: practical jokes, breaking in just because it's a challenge.&lt;/li&gt;&lt;/ul&gt;Basic security practices address all of these. You don't need to  implement every one of these practices. 
However, a secure network will  implement most of these.&lt;br /&gt;&lt;b&gt;&lt;span style="color: #330066;"&gt;&lt;img alt="Image" border="0" height="8" src="http://kbserver.netgear.com/images/spacer.gif" width="49" /&gt;To Implement Basic Security Practices&lt;/span&gt; &lt;/b&gt; &lt;img alt="Image" src="http://kbserver.netgear.com/images/para_divider_tabbed_2.gif" /&gt;&lt;br /&gt;&lt;ol&gt;&lt;li&gt;Put a firewall between your computers and the Internet. NETGEAR  routers can be configured to do an excellent job of this. For details  about several security features used by NETGEAR routers see: &lt;a href="http://kbserver.netgear.com/kb_web_files/n101218.asp" style="color: lime;"&gt;Security: Comparing NAT, Static Content Filtering, SPI, and Firewalls&lt;/a&gt;&lt;span style="color: lime;"&gt;.&lt;/span&gt;&lt;/li&gt;&lt;li&gt;Use your router to control access using MAC addresses (Media Access Control addresses).&lt;/li&gt;&lt;li&gt;Update your operating system and Web browser. For Windows users,  install "critical updates". If unsure whether an update applies to your  computer, you probably should install it.&lt;/li&gt;&lt;li&gt;Run virus protection programs on all computers. Set the scan to  examine all hard disks. Set the scan to continuously examine all  incoming files. Check for anti-virus updates frequently, but never wait  as long as 2 months.&lt;/li&gt;&lt;li&gt;Contrary to much "expert" advice, there is very little risk writing  down passwords. In fact, years from now you may discover you need them  to access old files. Never leave a password at its default value.  Passwords should not be simple: use characters, numbers, and symbols.  
It's better not to use names or dates you find easy to remember: your  birthday, your dog's name, your username backward, etc.&lt;/li&gt;&lt;li style="list-style-type: none;"&gt; &lt;blockquote&gt;Good: kB!3ccsiiz_8 or 4*4zbmn-BXY &lt;br /&gt;Very Weak: april2003, cutegirl, me, stonesforever&lt;/blockquote&gt;&lt;/li&gt;&lt;li&gt;If you have a wireless network, use WEP or WPA encryption. See &lt;a href="http://kbserver.netgear.com/kb_web_files/n100684.asp" style="color: lime;"&gt;What is WEP Encryption for Wireless Networks?&lt;/a&gt; for a brief overview of WEP.&lt;/li&gt;&lt;li&gt;If it's practical, use WPA encryption instead of WEP (available on newer NETGEAR equipment). See &lt;a href="http://kbserver.netgear.com/kb_web_files/n101190.asp" style="color: lime;"&gt;What's New in Security: WPA (Wi-Fi Protected Access)&lt;/a&gt; for details.&lt;/li&gt;&lt;li&gt;If communicating with other VPN sites, such as your business, use VPN.&lt;/li&gt;&lt;li&gt;Do not use a DMZ. (By default this feature is turned off.)&lt;/li&gt;&lt;li&gt;Limit the shared folders on your network. (Or turn off file sharing entirely.)&lt;/li&gt;&lt;li&gt;Turn up your Web browser's security. In Internet Explorer: Go to: &lt;b&gt;Tools&lt;/b&gt; &amp;gt; &lt;b&gt;Internet Options&lt;/b&gt; &amp;gt; &lt;b&gt;Security&lt;/b&gt; &amp;gt; &lt;b&gt;Default Level&lt;/b&gt; &amp;gt; &lt;b&gt;Security level for this zone&lt;/b&gt;. With &lt;b&gt;Internet&lt;/b&gt; selected in the top box, make sure the slider is set to at least &lt;b&gt;Medium&lt;/b&gt;. Internet pages will display with few problems at this level. Setting the slider to &lt;b&gt;High&lt;/b&gt; will be most secure, but some pages will not display.&lt;/li&gt;&lt;li&gt;Avoid sending personal information over the Internet. 
Credit cards  are a particular risk: Use a well-known payment system such as PayPal,  or send credit card numbers and the expiration date in separate email  messages, etc.&lt;/li&gt;&lt;li&gt;When browsing, don't accept software — even if with a certificate — unless it's from a company you think is trustworthy.&lt;/li&gt;&lt;li&gt;DO NOT respond to spam. DO NOT answer messages like "Click on this  link to be removed from our mailing list" — except if it is a company to  which you actually gave your email address.&lt;/li&gt;&lt;li&gt;Remove your network from the Internet — or turn it off — when not  being used. Many people regard this as extreme, however it is also  extremely secure.&lt;/li&gt;&lt;li&gt;If you have a wireless network, do not broadcast unnecessarily to  where the public might access it — any signal strength above the red  indicator is strong enough for full throughput, so don't boost your  inside signal more than you need.&lt;/li&gt;&lt;li&gt;Running a public server (for example one that hosts games for other  people to use, or one which serves Web pages for public viewing) causes  additional concerns. Understand the server thoroughly. Read about recent  issues in online newsgroups.&lt;/li&gt;&lt;/ol&gt;For more explanation of these security practices — if you need the &lt;i&gt;reasons&lt;/i&gt; for the recommendations, or to know &lt;i&gt;when&lt;/i&gt; particular features are important, see &lt;a href="http://kbserver.netgear.com/kb_web_files/N101192.asp" style="color: lime;"&gt;The Reasons Behind Security Features&lt;/a&gt;&lt;span style="color: lime;"&gt;. &lt;/span&gt;That document also includes other, less critical security improvements. 
&lt;br /&gt;&lt;div align="right"&gt;&lt;span style="font-family: Arial; font-size: 9pt;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/9091583231038221262-5774402976268009346?l=industrionage.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://industrionage.blogspot.com/feeds/5774402976268009346/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://industrionage.blogspot.com/2010/12/guide-to-internet-security.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/9091583231038221262/posts/default/5774402976268009346'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/9091583231038221262/posts/default/5774402976268009346'/><link rel='alternate' type='text/html' href='http://industrionage.blogspot.com/2010/12/guide-to-internet-security.html' title='Guide to Internet Security'/><author><name>www.Industrionage.com</name><uri>http://www.blogger.com/profile/00907555867590425735</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='12' height='32' src='http://1.bp.blogspot.com/_OrlWpnLUecg/SrYxYmB2tkI/AAAAAAAAABA/xt1RrLJ2YbU/S220/face.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-9091583231038221262.post-5981603009331767688</id><published>2010-10-05T22:59:00.000-07:00</published><updated>2010-10-05T23:00:13.936-07:00</updated><title type='text'>Graduated School Last May and moved away from Austin Texas for a new job</title><content type='html'>&lt;h1&gt;Ninja Hacking: Unconventional Penetration Testing Tactics and Techniques&lt;/h1&gt;&lt;div style="text-align: center;"&gt;&lt;a 
href="http://www.net-security.org/secworld.php?id=9948"&gt;http://www.net-security.org/secworld.php?id=9948&lt;/a&gt;&lt;/div&gt;&lt;h1&gt;&amp;nbsp; &lt;span style="font-size: small;"&gt;Throw traditional pen testing methods out the  window for now and see how thinking and acting like a ninja can actually  grant you quicker and more complete access to a company's assets. Get  in before the hacker does by thinking outside of the box with these  unorthodox techniques. Use all of the tools that the ninja has at his  side such as disguise, espionage, stealth, and concealment.&lt;/span&gt;&lt;/h1&gt;&lt;br /&gt;Learn how to benefit from these by laying your plans, impersonating  employees, infiltrating via alarm system evasion, discovering weak  points and timing, spyware and keylogging software, and log manipulation  and logic bombs. And, really, don't you want to be a ninja for a day  just because they're cool? Let &lt;a href="http://www.amazon.com/exec/obidos/ASIN/1597495883/helpnetsecuri-20" target="_new"&gt;Ninja Hacking&lt;/a&gt; be your excuse!&lt;br /&gt;&lt;ul&gt;&lt;li&gt;Use the tactics of a ninja, such as disguise, espionage, stealth, and concealment, to protect your company's assets&lt;/li&gt;&lt;li&gt;Details unorthodox penetration testing techniques by thinking outside of the box and inside the mind of a ninja&lt;/li&gt;&lt;li&gt;Expands upon current penetration testing methodologies including new tactics for hardware and physical attacks.&lt;/li&gt;&lt;/ul&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;center&gt;&lt;img src="http://www.net-security.org/images/2/news-divider-grey.gif" /&gt;&lt;/center&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' 
src='https://blogger.googleusercontent.com/tracker/9091583231038221262-5981603009331767688?l=industrionage.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://industrionage.blogspot.com/feeds/5981603009331767688/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://industrionage.blogspot.com/2010/10/graduated-school-last-may-and-moved.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/9091583231038221262/posts/default/5981603009331767688'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/9091583231038221262/posts/default/5981603009331767688'/><link rel='alternate' type='text/html' href='http://industrionage.blogspot.com/2010/10/graduated-school-last-may-and-moved.html' title='Graduated School Last May and moved away from Austin Texas for a new job'/><author><name>www.Industrionage.com</name><uri>http://www.blogger.com/profile/00907555867590425735</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='12' height='32' src='http://1.bp.blogspot.com/_OrlWpnLUecg/SrYxYmB2tkI/AAAAAAAAABA/xt1RrLJ2YbU/S220/face.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-9091583231038221262.post-4061085498300512437</id><published>2010-03-08T14:30:00.000-08:00</published><updated>2010-03-21T16:00:11.696-07:00</updated><title type='text'>Top 100 Network Security Tools</title><content type='html'>&lt;div style="text-align: center;"&gt;&lt;a href="http://sectools.org/"&gt;http://sectools.org/&lt;/a&gt;&lt;/div&gt;&lt;div style="text-align: center;"&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/9091583231038221262-4061085498300512437?l=industrionage.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' 
type='application/atom+xml' href='http://industrionage.blogspot.com/feeds/4061085498300512437/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://industrionage.blogspot.com/2010/03/top-100-network-security-tools.html#comment-form' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/9091583231038221262/posts/default/4061085498300512437'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/9091583231038221262/posts/default/4061085498300512437'/><link rel='alternate' type='text/html' href='http://industrionage.blogspot.com/2010/03/top-100-network-security-tools.html' title='Top 100 Network Security Tools'/><author><name>www.Industrionage.com</name><uri>http://www.blogger.com/profile/00907555867590425735</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='12' height='32' src='http://1.bp.blogspot.com/_OrlWpnLUecg/SrYxYmB2tkI/AAAAAAAAABA/xt1RrLJ2YbU/S220/face.jpg'/></author><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-9091583231038221262.post-3273608642177857952</id><published>2010-02-21T15:31:00.000-08:00</published><updated>2010-02-21T15:31:26.652-08:00</updated><title type='text'>Featured Site for February</title><content type='html'>&lt;div style="text-align: center;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div style="text-align: center;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;br /&gt;&lt;div style="text-align: center;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div style="text-align: center;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div style="text-align: center;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div style="text-align: center;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div style="text-align: center;"&gt;&lt;span style="font-size: large;"&gt;&lt;a href="http://www.cio.com.au/"&gt;http://www.cio.com.au/&lt;/a&gt;&lt;/span&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' 
src='https://blogger.googleusercontent.com/tracker/9091583231038221262-3273608642177857952?l=industrionage.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://industrionage.blogspot.com/feeds/3273608642177857952/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://industrionage.blogspot.com/2010/02/featured-site-for-february.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/9091583231038221262/posts/default/3273608642177857952'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/9091583231038221262/posts/default/3273608642177857952'/><link rel='alternate' type='text/html' href='http://industrionage.blogspot.com/2010/02/featured-site-for-february.html' title='Featured Site for February'/><author><name>www.Industrionage.com</name><uri>http://www.blogger.com/profile/00907555867590425735</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='12' height='32' src='http://1.bp.blogspot.com/_OrlWpnLUecg/SrYxYmB2tkI/AAAAAAAAABA/xt1RrLJ2YbU/S220/face.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-9091583231038221262.post-2986536221149615825</id><published>2010-02-21T15:28:00.000-08:00</published><updated>2010-02-21T15:28:20.285-08:00</updated><title type='text'>February 18, 2010 | NetWitness Discovers Massive ZeuS Compromise</title><content type='html'>&lt;div style="text-align: center;"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;"Kneber Botnet" Targets Corporate Networks and Credentials&lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;div style="text-align: center;"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;&amp;nbsp;&lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;div style="text-align: center;"&gt;&lt;a 
href="http://www.netwitness.com/resources/pressreleases/feb182010.aspx"&gt;http://www.netwitness.com/resources/pressreleases/feb182010.aspx&lt;/a&gt;&lt;/div&gt;&lt;div style="text-align: center;"&gt;&amp;nbsp;&lt;/div&gt;&lt;div style="text-align: center;"&gt;HERNDON, VA - February 18, 2010 - NetWitness, the world leader in advanced persistent threat detection and real-time network forensics, announced today that its analysts have discovered a dangerous new ZeuS botnet affecting 75,000 systems in 2,500 organizations around the world. The newly-discovered infestation, dubbed the "Kneber botnet" after the username linking the infected systems worldwide, gathers login credentials to online financial systems, social networking sites and email systems from infested computers and reports the information to miscreants who can use it to break into accounts, steal corporate and government information, and replicate personal, online and financial identities.&lt;br /&gt;NetWitness first discovered the Kneber botnet in January during a routine deployment of the NetWitness advanced monitoring solutions.
Deeper investigation revealed an extensive compromise of commercial and government systems that included 68,000 corporate login credentials, access to email systems, online banking sites, Facebook, Yahoo, Hotmail and other social networking credentials, 2,000 SSL certificate files, and dossier-level data sets on individuals including complete dumps of entire identities from victim machines.&lt;br /&gt;Discussing the importance of the Kneber botnet, Amit Yoran, CEO of NetWitness and former Director of the National Cyber Security Division, said, "While Operation Aurora shed light on advanced threats from sponsored adversaries, the number of compromised companies and organizations pales in comparison to this single botnet. These large-scale compromises of enterprise networks have reached epidemic levels. Cyber criminal elements, like the Kneber crew quietly and diligently target and compromise thousands of government and commercial organizations across the globe. Conventional malware protection and signature based intrusion detection systems are by definition inadequate for addressing Kneber or most other advanced threats.
Organizations which focus on compliance as the objective of their information security programs and have not kept pace with the rapid advances of the threat environment will not see this Trojan until the damage already has occurred. Systems compromised by this botnet provide the attackers not only user credentials and confidential information, but remote access inside the compromised networks."&lt;br /&gt;"Many security analysts tend to classify ZeuS solely as a Trojan that steals banking information," stated Alex Cox, the Principal Analyst at NetWitness responsible for uncovering the Kneber-bot, "but that viewpoint is naive. When we began to detect the correlation among both the methodology used by the Kneber crew to attack victim machines and the wide variety of data sets harvested, it became clear that security teams must rethink their entire perspective on advanced threats such as ZeuS and consider more diverse mission objectives."&lt;br /&gt;Over half the machines infected with Kneber also were infected with Waledac, a peer to peer botnet.
The coexistence of ZeuS and Waledac suggests the goals of resilience and survivability and potential deeper cross-crew collaboration in the criminal underground.&lt;br /&gt;"NetWitness enables the discovery of malicious code like Kneber - before things get critical and valuable data is lost," said Cox. "It is 100% certain that many organizations have no idea they are victimized by these types of problems because they're just not tooled to see them on their networks. The Kneber botnet is just one category of advanced threat that organizations have been facing the past few years that they are still largely ignorant or blind to today."&lt;br /&gt;To download a copy of the NetWitness Kneber whitepaper, visit &lt;a href="http://www.netwitness.com/"&gt;http://www.netwitness.com&lt;/a&gt;.&lt;br /&gt;&lt;b&gt;About NetWitness&lt;/b&gt;&lt;br /&gt;NetWitness® Corporation is the world leader in real-time network forensics and automated threat intelligence solutions, helping government and commercial organizations detect, prioritize and remediate complex IT risks.
NetWitness solutions concurrently solve a wide variety of information security problems including: advanced persistent threat management; sensitive data discovery and advanced data leakage detection; malware activity discovery; insider threat management; policy and controls verification and e-discovery. Originally developed for the US Intelligence Community, NetWitness has evolved to provide enterprises around the world with breakthrough methods of network content analysis and host-based risk discovery and prioritization. NetWitness customers include Defense, National Law Enforcement and Intelligence Agencies, Top US and European Banks, Critical Infrastructure, and Global 1000 organizations. NetWitness has offices in the U.S. and the U.K. and partners throughout North and South America, Europe, the Middle East, and Asia.&lt;br /&gt;To download the freeware version of NetWitness Investigator, visit &lt;a href="http://download.netwitness.com/" target="_blank"&gt;http://download.netwitness.com&lt;/a&gt;. For more information about securing your entire organization with NetWitness NextGen, contact: &lt;a href="mailto:sales@netwitness.com"&gt;sales@netwitness.com&lt;/a&gt;.
Twitter handle: &lt;a href="http://twitter.com/netwitness" target="_blank"&gt;NetWitness&lt;/a&gt;.&lt;br /&gt;&lt;b&gt;Media Contact:&lt;/b&gt;&lt;br /&gt;Steve Ward | (703) 994-9349 | &lt;a href="mailto:pr@netwitness.com"&gt;pr@netwitness.com&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;b&gt;&lt;span style="font-size: large;"&gt;Botnet revelation shows darker underbelly of malware&lt;/span&gt;&lt;/b&gt;&lt;br /&gt;&lt;a href="http://www.cio.com.au/article/336814/botnet_revelation_shows_darker_underbelly_malware?fp=39&amp;amp;fpid=25592"&gt;http://www.cio.com.au/article/336814/botnet_revelation_shows_darker_underbelly_malware?fp=39&amp;amp;fpid=25592&lt;/a&gt; &lt;/div&gt;&lt;div style="text-align: center;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div style="text-align: center;"&gt;&lt;div class="sms_t" style="text-align: center;"&gt;Kneber was built using a well-established toolkit for aggregating botnets called ZeuS that has been around for years&lt;/div&gt;&lt;/div&gt;&lt;div style="text-align: center;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;br /&gt;&lt;div style="text-align: center;"&gt;&lt;div class="art_info"&gt;&lt;div&gt; &lt;/div&gt;&lt;div class="author_date" style="text-align: left;"&gt; &lt;span class="author"&gt;&lt;a href="http://www.cio.com.au/author/1693772549/tim_greene/articles"&gt;Tim Greene &lt;span class="auth_pub"&gt;(Network World)&lt;/span&gt;&lt;/a&gt;&lt;/span&gt; &amp;nbsp;&lt;span class="date"&gt;19 February, 2010 09:42:00&lt;/span&gt; &lt;/div&gt;&lt;div style="text-align: left;"&gt; &lt;/div&gt;&lt;div class="article-tags cfix" style="text-align: left;"&gt;&lt;b&gt;Tags:&lt;/b&gt; &lt;a href="http://www.cio.com.au/tag/security"&gt;security&lt;/a&gt;, &lt;a href="http://www.cio.com.au/tag/Kneber%20botnet"&gt;Kneber botnet&lt;/a&gt;, &lt;a href="http://www.cio.com.au/tag/botnets"&gt;botnets&lt;/a&gt;&lt;/div&gt;&lt;div 
class="article-tags cfix" style="text-align: left;"&gt;&amp;nbsp;&lt;/div&gt;&lt;div class="article-tags cfix" style="text-align: left;"&gt;&amp;nbsp;&lt;/div&gt;&lt;/div&gt;&lt;div class="storybody" style="text-align: left;"&gt;Information gathered about a  newly discovered botnet called Kneber indicates that multiple infections  by different malware on the same host could work together as a  sophisticated mechanism to give all the malware a better survival rate. &lt;/div&gt;&lt;div class="storybody" style="text-align: left;"&gt;The &lt;a href="http://www.networkworld.com/news/2010/021810-over-75000-systems-compromised-in.html?hpg1=bn" target="_blank"&gt;sheer size&lt;/a&gt; of the Kneber botnet -- 74,000  compromised computers in 2,400 different companies -- attracted most of  the attention when Kneber was revealed Thursday. But how it interacts  with other malware networks suggests a symbiotic relationship that  ultimately makes each botnet more resistant to being dismantled, says  Alex Cox, the senior consultant in the research department at NetWitness  who discovered Kneber. &lt;/div&gt;&lt;div class="storybody" style="text-align: left;"&gt;Kneber was built using a well-established  toolkit for aggregating botnets called ZeuS that has been around for  years. Kneber is an example of just one botnet built with the toolkit,  but because Cox captured 75GB of log data from the command-and-control  server, he was able to examine detailed characteristics of the computers  ZeuS took over. &lt;/div&gt;&lt;div class="storybody" style="text-align: left;"&gt;What he found is that more than half the 74,000  compromised computers -- bots -- within Kneber were also found infected  with other malware that uses a different command-and-control structure.  
If one of the criminal networks were disabled, the other could be used  to build it up again, &lt;/div&gt;&lt;div class="storybody" style="text-align: left;"&gt;"At the very least, two separate botnet  families with different [command-and-control] infrastructures can  provide fault tolerance and recoverability in the event that one  [command-and-control] mechanism is taken down by security efforts," he  says in his written analysis of the Kneber botnet. &lt;/div&gt;&lt;div class="storybody" style="text-align: left;"&gt;In this case, more than half the machines that  made up the botnet were infected with both ZeuS, which steals user data,  and Waledac, a spamming malware that uses peer-to-peer mechanisms to  spread more infections, he says. He can't conclude for sure that they're  working together in this case, but the presence of both introduces an  interesting possibility: If the ZeuS command-and-control infrastructure  is cut down, the owner of the ZeuS botnet could go to the person running  the Waledac botnet and pay for it to push a ZeuS upgrade that brings  the ZeuS bots back online reporting to a new server, he says. &lt;/div&gt;&lt;div class="storybody" style="text-align: left;"&gt;Alternatively, a single group could run both  the ZeuS and Waledac botnets and push the upgrade itself. "From a  disaster-recovery perspective, it makes sense," Cox says. 
&lt;/div&gt;&lt;div id="story-distract" style="text-align: left;"&gt;&lt;br /&gt;&lt;div class="story-distract-content" id="story-distract-content-second" style="display: none;"&gt;   &lt;ul class="story-distract-rotate" id="story-distract-comments"&gt;&lt;li id="story-distract-comments-1"&gt;&lt;a href="http://www.cio.com.au/article/318016/report_obama_close_appointing_white_house_cybersecurity_chief#comment-1223"&gt;&lt;h3&gt;"I  am also a victim of cyber-stalkerby the Associate Vice President of the  C ..."&lt;/h3&gt;Michelle&lt;/a&gt;&lt;/li&gt;&lt;li id="story-distract-comments-2"&gt;&lt;a href="http://www.cio.com.au/article/331566/future_it_project_management_software#comment-1222"&gt;&lt;/a&gt;&lt;h3&gt;&lt;a _moz-rs-heading="" href="http://www.cio.com.au/article/331566/future_it_project_management_software#comment-1222"&gt;"It's  worth remembering that any future &lt;/a&gt;&lt;a href="http://www.atlantic-ec.co ..."&gt;&lt;/a&gt;&lt;/h3&gt;&lt;a href="http://www.atlantic-ec.co ..."&gt;Ady Berry&lt;/a&gt;&lt;/li&gt;&lt;li id="story-distract-comments-3"&gt;&lt;h3&gt;&lt;a href="http://www.cio.com.au/article/333686/nz_school_ditches_microsoft_goes_totally_open_source#comment-1221"&gt;"They  have 4 servers: &lt;/a&gt;&lt;div class="storybody"&gt;&lt;a href="http://www.cio.com.au/article/333686/nz_school_ditches_microsoft_goes_totally_open_source#comment-1221"&gt;3  Dell Poweredge 1950's - one is firewall, two are ..."&lt;/a&gt;&lt;/div&gt;&lt;/h3&gt;&lt;a href="http://www.cio.com.au/article/333686/nz_school_ditches_microsoft_goes_totally_open_source#comment-1221"&gt;ASHS  Student&lt;/a&gt;&lt;/li&gt;&lt;li id="story-distract-comments-4"&gt;&lt;a href="http://www.cio.com.au/article/335708/cloud_computing_will_cause_three_it_revolutions#comment-1218"&gt;&lt;h3&gt;"Thanks  for the article. 
In general I agree and I like using clouds and doin  ..."&lt;/h3&gt;Tom Peruzzi&lt;/a&gt;&lt;/li&gt;&lt;li id="story-distract-comments-5"&gt;&lt;a href="http://www.cio.com.au/article/335630/protectionism_worries_indian_outsourcers#comment-1217"&gt;&lt;h3&gt;"Perhaps  they should look at the quality of the service rather than protecti  ..."&lt;/h3&gt;Glenn Irvine&lt;/a&gt;&lt;/li&gt;&lt;/ul&gt;&lt;div class="story-distract-rotate-menu" id="story-distract-comments-menu"&gt;    &lt;ul&gt;&lt;li id="story-distract-comments-menu-1"&gt;&lt;a href="http://www.cio.com.au/#1"&gt;1&lt;/a&gt;&lt;/li&gt;&lt;li id="story-distract-comments-menu-2"&gt;&lt;a href="http://www.cio.com.au/#2"&gt;2&lt;/a&gt;&lt;/li&gt;&lt;li id="story-distract-comments-menu-3"&gt;&lt;a href="http://www.cio.com.au/#3"&gt;3&lt;/a&gt;&lt;/li&gt;&lt;li id="story-distract-comments-menu-4"&gt;&lt;a href="http://www.cio.com.au/#4"&gt;4&lt;/a&gt;&lt;/li&gt;&lt;li id="story-distract-comments-menu-5"&gt;&lt;a href="http://www.cio.com.au/#5"&gt;5&lt;/a&gt;&lt;/li&gt;&lt;/ul&gt;&lt;/div&gt;&lt;/div&gt;&lt;/div&gt;&lt;div&gt;&lt;script charset="utf-8" type="text/javascript"&gt;story_distract_init();&lt;/script&gt;&lt;/div&gt;&lt;div class="storybody" style="text-align: left;"&gt; The Kneber server log contained individuals' passwords to sites  including Facebook and Yahoo as well as a slew of financial sites  including CitiBank, Wells Fargo, PayPal, Citizens Bank and HSBC Bank,  according to Cox's report on Kneber. &lt;/div&gt;&lt;div class="storybody" style="text-align: left;"&gt;Cox discovered Kneber Jan. 26 while working at a  NetWitness customer site. He found a machine infected with ZeuS that  was downloading other malware executables. He traced the traffic back to  a ZeuS command-and-control server in Germany, where he was able to grab  a month's worth of the server's log data. He won't say he accomplished  these actions. 
&lt;/div&gt;&lt;div class="storybody" style="text-align: left;"&gt;The botnet got its name from  hilarykneber@yahoo.com, the registrant listed for the original domain  used to pull together various components of the botnet. That same  registrant has been associated with seeking other malware including PDF  and Flash exploits as well as Trojan installs. &lt;/div&gt;&lt;div class="storybody" style="text-align: left;"&gt;The same registrant is also listed on multiple  Web sites seeking money mules -- people who accept illegal transfers of  money into their bank accounts and forward them to other bank accounts  in an effort to make the funds unrecoverable by the actual owners. &lt;/div&gt;&lt;div class="storybody" style="text-align: left;"&gt;Kneber has been active since March 25, 2009,  and most of the sites associated with its activities are in China,  according to their underlying IP addresses, NetWitness says. About 17%  of these sites are in the United States. &lt;/div&gt;&lt;div class="storybody" style="text-align: left;"&gt;Cox also links Kneber to a phishing attack  against U.S. government agencies that sends e-mails apparently from the  National Security Agency that urges recipients to click on links that  download the malware. &lt;/div&gt;&lt;div class="storybody" style="text-align: left;"&gt;He gives significance to the fact that one of  the things Kneber harvests is social networking usernames and passwords.  These can be used to get into social networking accounts where they can  post links to infected sites. Social network friends are more likely to  trust these links because they seem to be posted by people they trust. &lt;/div&gt;&lt;div class="storybody" style="text-align: left;"&gt;Social network accounts can also be mined for  personal data that can be useful in further compromising individuals'  financial accounts. 
For example, if social networking accounts yield  mothers' maiden names, they might be used to reset passwords of bank  accounts, giving attackers a way to get in and transfer money out. &lt;/div&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/9091583231038221262-2986536221149615825?l=industrionage.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://industrionage.blogspot.com/feeds/2986536221149615825/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://industrionage.blogspot.com/2010/02/february-18-2010-netwitness-discovers.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/9091583231038221262/posts/default/2986536221149615825'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/9091583231038221262/posts/default/2986536221149615825'/><link rel='alternate' type='text/html' href='http://industrionage.blogspot.com/2010/02/february-18-2010-netwitness-discovers.html' title='February 18, 2010 | NetWitness Discovers Massive ZeuS Compromise'/><author><name>www.Industrionage.com</name><uri>http://www.blogger.com/profile/00907555867590425735</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='12' height='32' src='http://1.bp.blogspot.com/_OrlWpnLUecg/SrYxYmB2tkI/AAAAAAAAABA/xt1RrLJ2YbU/S220/face.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-9091583231038221262.post-1306848863934971168</id><published>2010-02-04T16:40:00.000-08:00</published><updated>2010-02-04T16:46:21.271-08:00</updated><title type='text'>How To Become A Hacker</title><content type='html'>&lt;div class="author" style="text-align: center;"&gt;&lt;h3 class="author"&gt;&lt;span class="firstname"&gt;Eric&lt;/span&gt;  &lt;span 
class="othername"&gt;Steven&lt;/span&gt; &lt;span class="surname"&gt;Raymond&lt;/span&gt;&lt;/h3&gt;&lt;div class="affiliation"&gt;&lt;span class="orgname"&gt;&lt;a class="ulink" href="http://catb.org/%7Eesr/" target="_top"&gt;     Thyrsus Enterprises&lt;/a&gt;&lt;/span&gt;&lt;br /&gt;&lt;div class="address"&gt;&lt;br /&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&lt;code class="email"&gt;&amp;lt;&lt;a class="email" href="mailto:esr@thyrsus.com"&gt;esr@thyrsus.com&lt;/a&gt;&amp;gt;&lt;/code&gt;&lt;br /&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&lt;/div&gt;&lt;/div&gt;&lt;/div&gt;&lt;div class="copyright" style="text-align: center;"&gt;Copyright ©  2001 Eric S. Raymond&lt;/div&gt;&lt;div class="copyright" style="text-align: center;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="copyright" style="text-align: center;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="copyright" style="text-align: center;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="toc"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;Table of Contents&lt;/b&gt;&lt;/span&gt;&lt;br /&gt;&lt;dl&gt;&lt;dt&gt;&lt;span class="sect1" style="font-size: large;"&gt;&lt;a href="http://catb.org/%7Eesr/faqs/hacker-howto.html#why_this"&gt;Why This  Document?&lt;/a&gt;&lt;/span&gt;&lt;/dt&gt;&lt;dt&gt;&lt;span class="sect1" style="font-size: large;"&gt;&lt;a href="http://catb.org/%7Eesr/faqs/hacker-howto.html#what_is"&gt;What Is a  Hacker?&lt;/a&gt;&lt;/span&gt;&lt;/dt&gt;&lt;dt&gt;&lt;span class="sect1" style="font-size: large;"&gt;&lt;a href="http://catb.org/%7Eesr/faqs/hacker-howto.html#attitude"&gt;The Hacker  Attitude&lt;/a&gt;&lt;/span&gt;&lt;/dt&gt;&lt;dd&gt;&lt;dl&gt;&lt;dt&gt;&lt;span class="sect2" style="font-size: large;"&gt;&lt;a href="http://catb.org/%7Eesr/faqs/hacker-howto.html#believe1"&gt;1. 
The  world is full of fascinating problems waiting to be solved.&lt;/a&gt;&lt;/span&gt;&lt;/dt&gt;&lt;dt&gt;&lt;span class="sect2" style="font-size: large;"&gt;&lt;a href="http://catb.org/%7Eesr/faqs/hacker-howto.html#believe2"&gt;2. No  problem should ever have to be solved twice.&lt;/a&gt;&lt;/span&gt;&lt;/dt&gt;&lt;dt&gt;&lt;span class="sect2" style="font-size: large;"&gt;&lt;a href="http://catb.org/%7Eesr/faqs/hacker-howto.html#believe3"&gt;3. Boredom  and drudgery are evil.&lt;/a&gt;&lt;/span&gt;&lt;/dt&gt;&lt;dt&gt;&lt;span class="sect2" style="font-size: large;"&gt;&lt;a href="http://catb.org/%7Eesr/faqs/hacker-howto.html#believe4"&gt;4. Freedom  is good.&lt;/a&gt;&lt;/span&gt;&lt;/dt&gt;&lt;dt&gt;&lt;span class="sect2" style="font-size: large;"&gt;&lt;a href="http://catb.org/%7Eesr/faqs/hacker-howto.html#believe5"&gt;5.  Attitude is no substitute for competence.&lt;/a&gt;&lt;/span&gt;&lt;/dt&gt;&lt;/dl&gt;&lt;/dd&gt;&lt;span style="font-size: large;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;br /&gt;&lt;dt&gt;&lt;span class="sect1" style="font-size: large;"&gt;&lt;a href="http://catb.org/%7Eesr/faqs/hacker-howto.html#basic_skills"&gt;Basic  Hacking Skills&lt;/a&gt;&lt;/span&gt;&lt;/dt&gt;&lt;br /&gt;&lt;span style="font-size: large;"&gt;&lt;br /&gt;&lt;/span&gt;  &lt;dd&gt;&lt;span style="font-size: large;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;br /&gt;&lt;dl&gt;&lt;dt&gt;&lt;span class="sect2" style="font-size: large;"&gt;&lt;a href="http://catb.org/%7Eesr/faqs/hacker-howto.html#skills1"&gt;1. Learn  how to program.&lt;/a&gt;&lt;/span&gt;&lt;/dt&gt;&lt;dt&gt;&lt;span class="sect2" style="font-size: large;"&gt;&lt;a href="http://catb.org/%7Eesr/faqs/hacker-howto.html#skills2"&gt;2. Get one  of the open-source Unixes and learn to use and run it.&lt;/a&gt;&lt;/span&gt;&lt;/dt&gt;&lt;dt&gt;&lt;span class="sect2" style="font-size: large;"&gt;&lt;a href="http://catb.org/%7Eesr/faqs/hacker-howto.html#skills3"&gt;3. 
Learn  how to use the World Wide Web and write HTML.&lt;/a&gt;&lt;/span&gt;&lt;/dt&gt;&lt;dt&gt;&lt;span class="sect2" style="font-size: large;"&gt;&lt;a href="http://catb.org/%7Eesr/faqs/hacker-howto.html#skills4"&gt;4. If you  don't have functional English, learn it.&lt;/a&gt;&lt;/span&gt;&lt;/dt&gt;&lt;/dl&gt;&lt;/dd&gt;&lt;span style="font-size: large;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;br /&gt;&lt;dt&gt;&lt;span class="sect1" style="font-size: large;"&gt;&lt;a href="http://catb.org/%7Eesr/faqs/hacker-howto.html#status"&gt;Status in  the Hacker Culture&lt;/a&gt;&lt;/span&gt;&lt;/dt&gt;&lt;br /&gt;&lt;span style="font-size: large;"&gt;&lt;br /&gt;&lt;/span&gt;  &lt;dd&gt;&lt;span style="font-size: large;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;br /&gt;&lt;dl&gt;&lt;dt&gt;&lt;span class="sect2" style="font-size: large;"&gt;&lt;a href="http://catb.org/%7Eesr/faqs/hacker-howto.html#respect1"&gt;1. Write  open-source software&lt;/a&gt;&lt;/span&gt;&lt;/dt&gt;&lt;dt&gt;&lt;span class="sect2" style="font-size: large;"&gt;&lt;a href="http://catb.org/%7Eesr/faqs/hacker-howto.html#respect2"&gt;2. Help  test and debug open-source software&lt;/a&gt;&lt;/span&gt;&lt;/dt&gt;&lt;dt&gt;&lt;span class="sect2" style="font-size: large;"&gt;&lt;a href="http://catb.org/%7Eesr/faqs/hacker-howto.html#respect3"&gt;3. Publish  useful information&lt;/a&gt;&lt;/span&gt;&lt;/dt&gt;&lt;dt&gt;&lt;span class="sect2" style="font-size: large;"&gt;&lt;a href="http://catb.org/%7Eesr/faqs/hacker-howto.html#respect4"&gt;4. Help  keep the infrastructure working&lt;/a&gt;&lt;/span&gt;&lt;/dt&gt;&lt;dt&gt;&lt;span class="sect2" style="font-size: large;"&gt;&lt;a href="http://catb.org/%7Eesr/faqs/hacker-howto.html#respect5"&gt;5. 
Serve  the hacker culture itself&lt;/a&gt;&lt;/span&gt;&lt;/dt&gt;&lt;/dl&gt;&lt;/dd&gt;&lt;span style="font-size: large;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;br /&gt;&lt;dt&gt;&lt;span class="sect1" style="font-size: large;"&gt;&lt;a href="http://catb.org/%7Eesr/faqs/hacker-howto.html#nerd_connection"&gt;The  Hacker/Nerd Connection&lt;/a&gt;&lt;/span&gt;&lt;/dt&gt;&lt;br /&gt;&lt;span style="font-size: large;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;br /&gt;&lt;dt&gt;&lt;span class="sect1" style="font-size: large;"&gt;&lt;a href="http://catb.org/%7Eesr/faqs/hacker-howto.html#style"&gt;Points For  Style&lt;/a&gt;&lt;/span&gt;&lt;/dt&gt;&lt;br /&gt;&lt;span style="font-size: large;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;br /&gt;&lt;dt&gt;&lt;span class="sect1" style="font-size: large;"&gt;&lt;a href="http://catb.org/%7Eesr/faqs/hacker-howto.html#history"&gt;Historical  Note: Hacking, Open Source, and Free Software&lt;/a&gt;&lt;/span&gt;&lt;/dt&gt;&lt;br /&gt;&lt;span style="font-size: large;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;br /&gt;&lt;dt&gt;&lt;span class="sect1" style="font-size: large;"&gt;&lt;a href="http://catb.org/%7Eesr/faqs/hacker-howto.html#resources"&gt;Other  Resources&lt;/a&gt;&lt;/span&gt;&lt;/dt&gt;&lt;br /&gt;&lt;span style="font-size: large;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;br /&gt;&lt;dt&gt;&lt;span class="sect1" style="font-size: large;"&gt;&lt;a href="http://catb.org/%7Eesr/faqs/hacker-howto.html#FAQ"&gt;Frequently  Asked Questions&lt;/a&gt;&lt;/span&gt;&lt;/dt&gt;&lt;br /&gt;&lt;span style="font-size: large;"&gt;&lt;br /&gt;&lt;/span&gt;  &lt;/dl&gt;&lt;/div&gt;&lt;div class="mediaobject"&gt;&lt;span style="font-size: large;"&gt;&lt;img src="http://catb.org/%7Eesr/faqs/glider.png" /&gt;&lt;/span&gt;&lt;/div&gt;&lt;div class="sect1" title="Why This Document?"&gt;&lt;div class="titlepage"&gt;&lt;div&gt;&lt;div&gt;&lt;h2 class="title" style="clear: both;"&gt;&lt;span style="font-size: large;"&gt;Why This  
Document?&lt;/span&gt;&lt;/h2&gt;&lt;/div&gt;&lt;/div&gt;&lt;/div&gt;&lt;span style="font-size: large;"&gt;As editor of the &lt;a class="ulink" href="http://www.catb.org/jargon" target="_top"&gt;Jargon File&lt;/a&gt; and author of a few other well-known documents of similar nature, I often get email requests from enthusiastic network newbies asking (in effect) "how can I learn to be a wizardly hacker?". Back in 1996 I noticed that there didn't seem to be any other FAQs or web documents that addressed this vital question, so I started this one.  A lot of hackers now consider it definitive, and I  suppose that means it is. Still, I don't claim to be the exclusive authority on this topic; if you don't like what you read here, write your own.&lt;/span&gt;&lt;br /&gt;&lt;span style="font-size: large;"&gt;If you are reading a snapshot of this document offline,  the current version lives at &lt;a class="ulink" href="http://catb.org/%7Eesr/faqs/hacker-howto.html" target="_top"&gt; http://catb.org/~esr/faqs/hacker-howto.html&lt;/a&gt;.&lt;/span&gt;&lt;br /&gt;&lt;span style="font-size: large;"&gt;Note: there is a  list of &lt;a class="link" href="http://catb.org/%7Eesr/faqs/hacker-howto.html#FAQ" title="Frequently Asked Questions"&gt;Frequently Asked Questions&lt;/a&gt; at the end of this document.  
Please read these—twice—before mailing me any questions about this document.&lt;/span&gt;&lt;br /&gt;&lt;span style="font-size: large;"&gt;Numerous translations of this document are available: &lt;a class="ulink" href="http://www.slashproc.net/doc/howto-ar.html" target="_top"&gt;Arabic&lt;/a&gt;, &lt;a class="ulink" href="ftp://download.yovko.net/pub/mirrors/linuxcenter/html/paper/hackers.html" target="_top"&gt;Bulgarian&lt;/a&gt;, &lt;a class="ulink" href="http://arfues.net/traduccions/hacker-howto/hacker-howto.html" target="_top"&gt;Catalan&lt;/a&gt;, &lt;a class="ulink" href="http://www.angelfire.com/ok/leekawo/hackersim.htm" target="_top"&gt;Chinese (Simplified)&lt;/a&gt;, &lt;a class="ulink" href="http://www.olemichaelsen.dk/hacker-howto.html" target="_top"&gt;Danish&lt;/a&gt;, &lt;a class="ulink" href="http://www.knudde.be/index.php?page_name=hacker_howto" target="_top"&gt;Dutch&lt;/a&gt;, &lt;a class="ulink" href="http://www.kakupesa.net/hacker/" target="_top"&gt;Estonian&lt;/a&gt;, &lt;a class="ulink" href="http://htbh.meisam.info/" target="_top"&gt;Farsi&lt;/a&gt;, &lt;a class="ulink" href="http://hack.fi/hacker-howto-fi.php" target="_top"&gt;Finnish&lt;/a&gt;, &lt;a class="ulink" href="http://www.linuxtaskforce.de/hacker-howto-ger.html" target="_top"&gt;German&lt;/a&gt;, &lt;a class="ulink" href="http://users.otenet.gr/%7Eindy90/hacker-howto-gr/" target="_top"&gt;Greek&lt;/a&gt;, &lt;a class="ulink" href="http://he.wikisource.org/wiki/%D7%90%D7%99%D7%9A_%D7%9C%D7%94%D7%99%D7%95%D7%AA_%D7%94%D7%90%D7%A7%D7%A8" target="_top"&gt;Hebrew&lt;/a&gt;, &lt;a class="ulink" href="http://www.saltatempo.org/hacker/hacker.php" target="_top"&gt;Italian&lt;/a&gt;, &lt;a class="ulink" href="http://webagora.idd.tamabi.ac.jp/wiki/index.php?cmd=read&amp;amp;page=HowToBecomeAHacker" target="_top"&gt;Japanese&lt;/a&gt;, &lt;a class="ulink" href="http://stian.atlantiscrew.net/doc/hacker-howto.html" target="_top"&gt;Norwegian&lt;/a&gt;, &lt;a class="ulink" 
href="http://tpk.f2o.org/hacker-howto.html" target="_top"&gt;Polish&lt;/a&gt;, &lt;a class="ulink" href="http://jvdm.freeshell.org/pt/raquer-howto/" target="_top"&gt;Portuguese (Brazilian)&lt;/a&gt;, &lt;a class="ulink" href="http://garaj.xhost.ro/hacker-howto/hacker-howto.ro.htm" target="_top"&gt;Romanian&lt;/a&gt;, &lt;a class="ulink" href="http://lafox.net/docs/Hacker-HOWTO.html" target="_top"&gt;Russian&lt;/a&gt;, &lt;a class="ulink" href="http://www.sindominio.net/biblioweb/telematica/hacker-como.html" target="_top"&gt;Spanish&lt;/a&gt;, &lt;a class="ulink" href="http://www.belgeler.org/howto/hacker-howto/hacker-howto.html" target="_top"&gt;Turkish&lt;/a&gt;, and &lt;a class="ulink" href="http://www1.tripnet.se/%7Emly/open/faqs/hacker-howto.se.html" target="_top"&gt;Swedish&lt;/a&gt;. Note that since this document changes occasionally, they may be out of date to varying degrees. &lt;/span&gt;&lt;br /&gt;&lt;span style="font-size: large;"&gt;The five-dots-in-nine-squares diagram that decorates this document is called a &lt;/span&gt;&lt;span class="emphasis" style="font-size: large;"&gt;&lt;i&gt;glider&lt;/i&gt;&lt;/span&gt;&lt;span style="font-size: large;"&gt;. It is a simple pattern with some surprising properties in a mathematical simulation called &lt;a class="ulink" href="http://dmoz.org/Computers/Artificial_Life/Cellular_Automata/" target="_top"&gt;Life&lt;/a&gt; that has fascinated hackers for many years. I think it makes a good visual emblem for what hackers are like — abstract, at first a bit mysterious-seeming, but a gateway to a whole world with an intricate logic of its own. 
Read more about the glider emblem &lt;a class="ulink" href="http://catb.org/%7Eesr/hacker-emblem/" target="_top"&gt;here&lt;/a&gt;.&lt;/span&gt;&lt;/div&gt;&lt;div class="sect1" title="What Is a Hacker?"&gt;&lt;div class="titlepage"&gt;&lt;div&gt;&lt;div&gt;&lt;h2 class="title" style="clear: both;"&gt;&lt;span style="font-size: large;"&gt;What Is a  Hacker?&lt;/span&gt;&lt;/h2&gt;&lt;/div&gt;&lt;/div&gt;&lt;/div&gt;&lt;span style="font-size: large;"&gt;The &lt;a class="ulink" href="http://www.catb.org/jargon" target="_top"&gt;Jargon File&lt;/a&gt; contains a bunch of definitions of the term ‘hacker’, most having to do with technical adeptness and a delight in solving problems and overcoming limits.  If you want to know how to &lt;/span&gt;&lt;span class="emphasis" style="font-size: large;"&gt;&lt;i&gt;become&lt;/i&gt;&lt;/span&gt;&lt;span style="font-size: large;"&gt; a hacker, though, only two  are really relevant.&lt;/span&gt;&lt;br /&gt;&lt;span style="font-size: large;"&gt;There is a community, a shared culture, of expert  programmers and networking wizards that traces its history back through decades to the first time-sharing minicomputers and the earliest ARPAnet experiments. The members of this culture originated the term ‘hacker’.  Hackers built the Internet.  Hackers made the Unix operating system what it is today.  Hackers run Usenet.  Hackers make the World Wide Web work.  If you are part of this culture, if you have contributed to it and other people in it know who you are and call you a hacker, you're a hacker.&lt;/span&gt;&lt;br /&gt;&lt;span style="font-size: large;"&gt;The hacker mind-set is not confined to this  software-hacker culture.  There are people who apply the hacker attitude to other things, like electronics or music — actually, you can find it at the highest levels of any science or art.  
Software hackers recognize these kindred spirits elsewhere and may call them ‘hackers’ too — and some claim that the hacker nature is really independent of the particular medium the hacker works in.  But in the rest of this document we will focus on the skills and attitudes of software hackers, and the traditions of the shared culture that originated the term ‘hacker’.&lt;/span&gt;&lt;br /&gt;&lt;span style="font-size: large;"&gt;There is another group  of people who loudly call themselves hackers, but aren't.  These are people (mainly adolescent males) who get a kick out of breaking into computers and phreaking the phone system.  Real hackers call these people ‘crackers’ and want nothing to do with them.  Real hackers mostly think crackers are lazy, irresponsible, and not very bright, and object that being able to break security doesn't make you a hacker any more than being able to hotwire cars makes you an automotive engineer.  Unfortunately, many journalists and writers have been fooled into using the word ‘hacker’ to describe crackers; this irritates real hackers no end.&lt;/span&gt;&lt;br /&gt;&lt;span style="font-size: large;"&gt;The basic difference is this: hackers build things,  crackers break them.&lt;/span&gt;&lt;br /&gt;&lt;span style="font-size: large;"&gt;If you want to be a hacker, keep reading.  If you want  to be a cracker, go read the &lt;a class="ulink" href="news:alt.2600" target="_top"&gt;alt.2600&lt;/a&gt;  newsgroup and get ready to do five to ten in the slammer after finding out you aren't as smart as you think you are.  
And that's all I'm going to say about crackers.&lt;/span&gt;&lt;br /&gt;&lt;span style="font-size: large;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;br /&gt;&lt;div class="mediaobject"&gt;&lt;span style="font-size: large;"&gt;&lt;img src="http://catb.org/%7Eesr/faqs/glider.png" /&gt;&lt;/span&gt;&lt;/div&gt;&lt;/div&gt;&lt;div class="sect1" title="The Hacker Attitude"&gt;&lt;div class="titlepage"&gt;&lt;div&gt;&lt;div&gt;&lt;h2 class="title" style="clear: both;"&gt;&lt;span style="font-size: large;"&gt;The Hacker  Attitude&lt;/span&gt;&lt;/h2&gt;&lt;/div&gt;&lt;/div&gt;&lt;/div&gt;&lt;div class="toc"&gt;&lt;span style="font-size: large;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;br /&gt;&lt;dl&gt;&lt;dt&gt;&lt;span class="sect2" style="font-size: large;"&gt;&lt;a href="http://catb.org/%7Eesr/faqs/hacker-howto.html#believe1"&gt;1. The  world is full of fascinating problems waiting to be solved.&lt;/a&gt;&lt;/span&gt;&lt;/dt&gt;&lt;dt&gt;&lt;span class="sect2" style="font-size: large;"&gt;&lt;a href="http://catb.org/%7Eesr/faqs/hacker-howto.html#believe2"&gt;2. No  problem should ever have to be solved twice.&lt;/a&gt;&lt;/span&gt;&lt;/dt&gt;&lt;dt&gt;&lt;span class="sect2" style="font-size: large;"&gt;&lt;a href="http://catb.org/%7Eesr/faqs/hacker-howto.html#believe3"&gt;3. Boredom  and drudgery are evil.&lt;/a&gt;&lt;/span&gt;&lt;/dt&gt;&lt;dt&gt;&lt;span class="sect2" style="font-size: large;"&gt;&lt;a href="http://catb.org/%7Eesr/faqs/hacker-howto.html#believe4"&gt;4. Freedom  is good.&lt;/a&gt;&lt;/span&gt;&lt;/dt&gt;&lt;dt&gt;&lt;span class="sect2" style="font-size: large;"&gt;&lt;a href="http://catb.org/%7Eesr/faqs/hacker-howto.html#believe5"&gt;5.  Attitude is no substitute for competence.&lt;/a&gt;&lt;/span&gt;&lt;/dt&gt;&lt;/dl&gt;&lt;/div&gt;&lt;span style="font-size: large;"&gt;Hackers  solve problems and build things, and they believe in freedom and voluntary mutual help.  To be accepted as a hacker, you have to behave as though you have this kind of attitude yourself.  
And to behave as though you have the attitude, you have to really believe the attitude.&lt;/span&gt;&lt;br /&gt;&lt;span style="font-size: large;"&gt;But if you think of cultivating hacker attitudes as just  a way to gain acceptance in the culture, you'll miss the point.  Becoming the kind of person who believes these things is important for &lt;/span&gt;&lt;span class="emphasis" style="font-size: large;"&gt;&lt;i&gt;you&lt;/i&gt;&lt;/span&gt;&lt;span style="font-size: large;"&gt; — for helping you learn and  keeping you motivated.  As with all creative arts, the most effective way to become a master is to imitate the mind-set of masters — not just intellectually but emotionally as well.&lt;/span&gt;&lt;br /&gt;&lt;span style="font-size: large;"&gt;Or, as the following  modern Zen poem has it:&lt;/span&gt;&lt;br /&gt;&lt;div class="literallayout"&gt;&lt;span style="font-size: large;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-size: large;"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;To&amp;nbsp;follow&amp;nbsp;the&amp;nbsp;path:&lt;/span&gt;&lt;br /&gt;&lt;span style="font-size: large;"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;look&amp;nbsp;to&amp;nbsp;the&amp;nbsp;master,&lt;/span&gt;&lt;br /&gt;&lt;span style="font-size: large;"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;follow&amp;nbsp;the&amp;nbsp;master,&lt;/span&gt;&lt;br /&gt;&lt;span style="font-size: large;"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;walk&amp;nbsp;with&amp;nbsp;the&amp;nbsp;master,&lt;/span&gt;&lt;br /&gt;&lt;span style="font-size: large;"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;see&amp;nbsp;through&amp;nbsp;the&amp;nbsp;master,&lt;/span&gt;&lt;br /&gt;&lt;span style="font-size: large;"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;become&amp;nbsp;the&amp;nbsp;master.&lt;/span&gt;&lt;/div&gt;&lt;span style="font-size: large;"&gt;So, if you want to be a hacker, repeat the following things  until you believe them:&lt;/span&gt;&lt;br /&gt;&lt;div class="sect2" title="1. 
The world is full of fascinating problems waiting to be solved."&gt;&lt;div class="titlepage"&gt;&lt;div&gt;&lt;div&gt;&lt;h3 class="title"&gt;&lt;span style="font-size: large;"&gt;1. The world is full of fascinating  problems waiting to be solved.&lt;/span&gt;&lt;/h3&gt;&lt;/div&gt;&lt;/div&gt;&lt;/div&gt;&lt;span style="font-size: large;"&gt;Being a hacker  is lots of fun, but it's a kind of fun that takes lots of effort.  The effort takes motivation.  Successful athletes get their motivation from a kind of physical delight in making their bodies perform, in pushing themselves past their own physical limits. Similarly, to be a hacker you have to get a basic thrill from solving problems, sharpening your skills, and exercising your intelligence.&lt;/span&gt;&lt;br /&gt;&lt;span style="font-size: large;"&gt;If you aren't the kind of person that feels this way  naturally, you'll need to become one in order to make it as a hacker.  Otherwise you'll find your hacking energy is sapped by distractions like sex, money, and social approval.&lt;/span&gt;&lt;br /&gt;&lt;span style="font-size: large;"&gt;(You also have to develop a kind of faith in your  own learning capacity — a belief that even though you may not know all of what you need to solve a problem, if you tackle just a piece of it and learn from that, you'll learn enough to solve the next piece — and so on, until you're done.)&lt;/span&gt;&lt;/div&gt;&lt;div class="sect2" title="2. No problem should ever have to be solved twice."&gt;&lt;div class="titlepage"&gt;&lt;div&gt;&lt;div&gt;&lt;h3 class="title"&gt;&lt;span style="font-size: large;"&gt;2. No problem should ever have to be  solved twice.&lt;/span&gt;&lt;/h3&gt;&lt;/div&gt;&lt;/div&gt;&lt;/div&gt;&lt;span style="font-size: large;"&gt;Creative brains are a valuable,  limited resource.  
They shouldn't be wasted on re-inventing the wheel when there are so many fascinating new problems waiting out there.&lt;/span&gt;&lt;br /&gt;&lt;span style="font-size: large;"&gt;To behave like a hacker, you have  to believe that the thinking time of other hackers is precious — so much so that it's almost a moral duty for you to share information, solve problems and then give the solutions away just so other hackers can solve &lt;/span&gt;&lt;span class="emphasis" style="font-size: large;"&gt;&lt;i&gt;new&lt;/i&gt;&lt;/span&gt;&lt;span style="font-size: large;"&gt; problems instead of having to perpetually re-address old ones.&lt;/span&gt;&lt;br /&gt;&lt;span style="font-size: large;"&gt;Note,  however, that "No problem should ever have to be solved twice." does not imply that you have to consider all existing solutions sacred, or that there is only one right solution to any given problem.  Often, we learn a lot about the problem that we didn't know before by studying the first cut at a solution.  It's OK, and often necessary, to decide that we can do better.  What's not OK is artificial technical, legal, or institutional barriers (like closed-source code) that prevent a good solution from being re-used and &lt;/span&gt;&lt;span class="emphasis" style="font-size: large;"&gt;&lt;i&gt;force&lt;/i&gt;&lt;/span&gt;&lt;span style="font-size: large;"&gt; people to re-invent  wheels.&lt;/span&gt;&lt;br /&gt;&lt;span style="font-size: large;"&gt;(You don't have to believe that you're obligated to give &lt;/span&gt;&lt;span class="emphasis" style="font-size: large;"&gt;&lt;i&gt;all&lt;/i&gt;&lt;/span&gt;&lt;span style="font-size: large;"&gt; your creative product away,  though the hackers that do are the ones that get most respect from other hackers. It's consistent with hacker values to sell enough of it to keep you in food and rent and computers.  
It's fine to use your hacking skills to support a family or even get rich, as long as you don't forget your loyalty to your art and your fellow hackers while doing it.)&lt;/span&gt;&lt;/div&gt;&lt;div class="sect2" title="3. Boredom and drudgery are evil."&gt;&lt;div class="titlepage"&gt;&lt;div&gt;&lt;div&gt;&lt;h3 class="title"&gt;&lt;span style="font-size: large;"&gt;3.  Boredom and drudgery are evil.&lt;/span&gt;&lt;/h3&gt;&lt;/div&gt;&lt;/div&gt;&lt;/div&gt;&lt;span style="font-size: large;"&gt;Hackers (and  creative people in general) should never be bored or have to drudge at stupid repetitive work, because when this happens it means they aren't doing what only they can do — solve new problems. This wastefulness hurts everybody.  Therefore boredom and drudgery are not just unpleasant but actually evil.&lt;/span&gt;&lt;br /&gt;&lt;span style="font-size: large;"&gt;To behave like a hacker,  you have to believe this enough to want to automate away the boring bits as much as possible, not just for yourself but for everybody else (especially other hackers).&lt;/span&gt;&lt;br /&gt;&lt;span style="font-size: large;"&gt;(There  is one apparent exception to this.  Hackers will sometimes do things that may seem repetitive or boring to an observer as a mind-clearing exercise, or in order to acquire a skill or have some particular kind of experience you can't have otherwise.  But this is by choice — nobody who can think should ever be forced into a situation that bores them.)&lt;/span&gt;&lt;/div&gt;&lt;div class="sect2" title="4. Freedom is good."&gt;&lt;div class="titlepage"&gt;&lt;div&gt;&lt;div&gt;&lt;h3 class="title"&gt;&lt;span style="font-size: large;"&gt;4. Freedom is good.&lt;/span&gt;&lt;/h3&gt;&lt;/div&gt;&lt;/div&gt;&lt;/div&gt;&lt;span style="font-size: large;"&gt;Hackers  are naturally anti-authoritarian.  
Anyone who can give you orders can stop you from solving whatever problem you're being fascinated by — and, given the way authoritarian minds work, will generally find some appallingly stupid reason to do so.  So the authoritarian attitude has to be fought wherever you find it, lest it smother you and other hackers.&lt;/span&gt;&lt;br /&gt;&lt;span style="font-size: large;"&gt;(This isn't the same as fighting  all authority.  Children need to be guided and criminals restrained.  A hacker may agree to accept some kinds of authority in order to get something he wants more than the time he spends following orders. But that's a limited, conscious bargain; the kind of personal surrender authoritarians want is not on offer.)&lt;/span&gt;&lt;br /&gt;&lt;span style="font-size: large;"&gt;Authoritarians thrive on censorship and secrecy.  And they distrust voluntary cooperation and information-sharing — they only like ‘cooperation’ that they control. So to behave like a hacker, you have to develop an instinctive hostility to censorship, secrecy, and the use of force or deception to compel responsible adults.  And you have to be willing to act on that belief.&lt;/span&gt;&lt;/div&gt;&lt;div class="sect2" title="5. Attitude is no substitute for competence."&gt;&lt;div class="titlepage"&gt;&lt;div&gt;&lt;div&gt;&lt;h3 class="title"&gt;&lt;span style="font-size: large;"&gt;5. Attitude is no substitute for competence.&lt;/span&gt;&lt;/h3&gt;&lt;/div&gt;&lt;/div&gt;&lt;/div&gt;&lt;span style="font-size: large;"&gt;To  be a hacker, you have to develop some of these attitudes.  But copping an attitude alone won't make you a hacker, any more than it will make you a champion athlete or a rock star.  Becoming a hacker will take intelligence, practice, dedication, and hard work.&lt;/span&gt;&lt;br /&gt;&lt;span style="font-size: large;"&gt;Therefore,  you have to learn to distrust attitude and respect competence of every kind.  
Hackers won't let posers waste their time, but they worship competence — especially competence at hacking, but competence at anything is valued.  Competence at demanding skills that few can master is especially good, and competence at demanding skills that involve mental acuteness, craft, and concentration is best.&lt;/span&gt;&lt;br /&gt;&lt;span style="font-size: large;"&gt;If  you revere competence, you'll enjoy developing it in yourself — the hard work and dedication will become a kind of intense play rather than drudgery.  That attitude is vital to becoming a hacker.&lt;/span&gt;&lt;br /&gt;&lt;div class="mediaobject"&gt;&lt;span style="font-size: large;"&gt;&lt;img src="http://catb.org/%7Eesr/faqs/glider.png" /&gt;&lt;/span&gt;&lt;/div&gt;&lt;/div&gt;&lt;/div&gt;&lt;div class="sect1" title="Basic Hacking Skills"&gt;&lt;div class="titlepage"&gt;&lt;div&gt;&lt;div&gt;&lt;h2 class="title" style="clear: both;"&gt;&lt;span style="font-size: large;"&gt;Basic  Hacking Skills&lt;/span&gt;&lt;/h2&gt;&lt;/div&gt;&lt;/div&gt;&lt;/div&gt;&lt;div class="toc"&gt;&lt;span style="font-size: large;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;br /&gt;&lt;dl&gt;&lt;dt&gt;&lt;span class="sect2" style="font-size: large;"&gt;&lt;a href="http://catb.org/%7Eesr/faqs/hacker-howto.html#skills1"&gt;1. Learn  how to program.&lt;/a&gt;&lt;/span&gt;&lt;/dt&gt;&lt;dt&gt;&lt;span class="sect2" style="font-size: large;"&gt;&lt;a href="http://catb.org/%7Eesr/faqs/hacker-howto.html#skills2"&gt;2. Get one  of the open-source Unixes and learn to use and run it.&lt;/a&gt;&lt;/span&gt;&lt;/dt&gt;&lt;dt&gt;&lt;span class="sect2" style="font-size: large;"&gt;&lt;a href="http://catb.org/%7Eesr/faqs/hacker-howto.html#skills3"&gt;3. Learn  how to use the World Wide Web and write HTML.&lt;/a&gt;&lt;/span&gt;&lt;/dt&gt;&lt;dt&gt;&lt;span class="sect2" style="font-size: large;"&gt;&lt;a href="http://catb.org/%7Eesr/faqs/hacker-howto.html#skills4"&gt;4. 
If you  don't have functional English, learn it.&lt;/a&gt;&lt;/span&gt;&lt;/dt&gt;&lt;/dl&gt;&lt;/div&gt;&lt;span style="font-size: large;"&gt;The  hacker attitude is vital, but skills are even more vital. Attitude is no substitute for competence, and there's a certain basic toolkit of skills which you have to have before any hacker will dream of calling you one.&lt;/span&gt;&lt;br /&gt;&lt;span style="font-size: large;"&gt;This toolkit changes slowly over time as  technology creates new skills and makes old ones obsolete.  For example, it used to include  programming in machine language, and didn't until recently involve HTML.  But right now it pretty clearly includes the following:&lt;/span&gt;&lt;br /&gt;&lt;div class="sect2" title="1. Learn how to program."&gt;&lt;div class="titlepage"&gt;&lt;div&gt;&lt;div&gt;&lt;h3 class="title"&gt;&lt;span style="font-size: large;"&gt;1. Learn how to program.&lt;/span&gt;&lt;/h3&gt;&lt;/div&gt;&lt;/div&gt;&lt;/div&gt;&lt;span style="font-size: large;"&gt;This,  of course, is the fundamental hacking skill.  If you don't know any computer languages, I recommend starting with Python.  It is cleanly designed, well documented, and relatively kind to beginners. Despite being a good first language, it is not just a toy; it is very powerful and flexible and well suited for large projects.  I have written a more detailed &lt;a class="ulink" href="http://www.linuxjournal.com/article.php?sid=3882" target="_top"&gt;evaluation of  Python&lt;/a&gt;.  
Good &lt;a class="ulink" href="http://docs.python.org/tut/tut.html" target="_top"&gt; tutorials&lt;/a&gt; are available at the &lt;a class="ulink" href="http://docs.python.org/tutorial/" target="_top"&gt;Python web site&lt;/a&gt;.&lt;/span&gt;&lt;br /&gt;&lt;span style="font-size: large;"&gt;I  used to recommend Java as a good language to learn early, but &lt;a class="ulink" href="http://www.stsc.hill.af.mil/CrossTalk/2008/01/0801DewarSchonberg.html" target="_top"&gt;this critique&lt;/a&gt; has changed my mind (search for &lt;/span&gt;&lt;span class="quote" style="font-size: large;"&gt;“&lt;span class="quote"&gt;The Pitfalls of Java as a First Programming Language&lt;/span&gt;”&lt;/span&gt;&lt;span style="font-size: large;"&gt; within it).  A  hacker cannot, as they devastatingly put it, &lt;/span&gt;&lt;span class="quote" style="font-size: large;"&gt;“&lt;span class="quote"&gt;approach problem-solving like a plumber in a hardware store&lt;/span&gt;”&lt;/span&gt;&lt;span style="font-size: large;"&gt;; you have to know what  the components actually &lt;/span&gt;&lt;span class="emphasis" style="font-size: large;"&gt;&lt;i&gt;do&lt;/i&gt;&lt;/span&gt;&lt;span style="font-size: large;"&gt;.  Now I  think it is probably best to learn C and Lisp first, then Java.&lt;/span&gt;&lt;br /&gt;&lt;span style="font-size: large;"&gt;There is  perhaps a more general point here.  If a language does too much for you, it may be simultaneously a good tool for production and a bad one for learning.  It's not only languages that have this problem; web application frameworks like RubyOnRails, CakePHP, Django may make it too easy to reach a superficial sort of understanding that will leave you without resources when you have to tackle a hard problem, or even just debug the solution to an easy one.&lt;/span&gt;&lt;br /&gt;&lt;span style="font-size: large;"&gt;If you  get into serious programming, you will have to learn C, the core language of Unix.  
C++ is very closely related to C; if you know one, learning the other will not be difficult.  Neither language is a good one to try learning as your first, however.  And, actually, the more you can avoid programming in C the more productive you will be.&lt;/span&gt;&lt;br /&gt;&lt;span style="font-size: large;"&gt;C is very efficient, and very sparing of your machine's resources.  Unfortunately, C gets that efficiency by requiring you to do a lot of low-level management of resources (like memory) by hand. All that low-level code is complex and bug-prone, and will soak up huge amounts of your time on debugging. With today's machines as powerful as they are, this is usually a bad tradeoff — it's smarter to use a language that uses the machine's time less efficiently, but your time much &lt;/span&gt;&lt;span class="emphasis" style="font-size: large;"&gt;&lt;i&gt;more&lt;/i&gt;&lt;/span&gt;&lt;span style="font-size: large;"&gt; efficiently.   Thus, Python.&lt;/span&gt;&lt;br /&gt;&lt;span style="font-size: large;"&gt;Other languages of particular importance to hackers  include &lt;a class="ulink" href="http://www.perl.com/" target="_top"&gt;Perl&lt;/a&gt; and &lt;a class="ulink" href="http://www.lisp.org/" target="_top"&gt;LISP&lt;/a&gt;.  Perl  is worth learning for practical reasons; it's very widely used for active web pages and system administration, so that even if you never write Perl you should learn to read it.  Many people use Perl in the way I  suggest you should use Python, to avoid C programming on jobs that don't require C's machine efficiency.  You will need to be able to understand their code.&lt;/span&gt;&lt;br /&gt;&lt;span style="font-size: large;"&gt;LISP is worth learning for a different  reason — the profound enlightenment experience you will have when you finally get it.  That experience will make you a better programmer for the rest of your days, even if you never actually use LISP itself a lot.  
(You can get some beginning experience with LISP fairly easily by writing and modifying editing modes for the Emacs text editor, or Script-Fu plugins for the GIMP.)&lt;/span&gt;&lt;br /&gt;&lt;span style="font-size: large;"&gt;It's best, actually, to learn all five of  Python, C/C++, Java, Perl, and LISP.  Besides being the most important hacking languages, they represent very different approaches to programming, and each will educate you in valuable ways.&lt;/span&gt;&lt;br /&gt;&lt;span style="font-size: large;"&gt;But be aware that you won't reach  the skill level of a hacker or even merely a programmer simply by accumulating languages — you need to learn how to think about programming problems in a general way, independent of any one language.  To be a real hacker, you need to get to the point where you can learn a new language in days by relating what's in the manual to what you already know.  This means you should learn several very different languages.&lt;/span&gt;&lt;br /&gt;&lt;span style="font-size: large;"&gt;I can't give  complete instructions on how to learn to program here — it's a complex skill.  But I can tell you that books and courses won't do it — many, maybe &lt;/span&gt;&lt;span class="emphasis" style="font-size: large;"&gt;&lt;i&gt;most&lt;/i&gt;&lt;/span&gt;&lt;span style="font-size: large;"&gt;  of the best hackers are self-taught.  You can learn language features — bits of knowledge — from books, but the mind-set that makes that knowledge into living skill can be learned only by practice and apprenticeship. 
What will do it is (a) &lt;/span&gt;&lt;span class="emphasis" style="font-size: large;"&gt;&lt;i&gt;reading code&lt;/i&gt;&lt;/span&gt;&lt;span style="font-size: large;"&gt;  and (b) &lt;/span&gt;&lt;span class="emphasis" style="font-size: large;"&gt;&lt;i&gt;writing code&lt;/i&gt;&lt;/span&gt;&lt;span style="font-size: large;"&gt;.&lt;/span&gt;&lt;br /&gt;&lt;span style="font-size: large;"&gt;Peter Norvig,  who is one of Google's top hackers and the co-author of the most widely used textbook on AI, has written an excellent essay called &lt;a class="ulink" href="http://norvig.com/21-days.html" target="_top"&gt;Teach Yourself  Programming in Ten Years&lt;/a&gt;.  His "recipe for programming success" is worth careful attention.&lt;/span&gt;&lt;br /&gt;&lt;span style="font-size: large;"&gt;Learning to program is like learning to write  good natural language. The best way to do it is to read some stuff written by masters of the form, write some things yourself, read a lot more, write a little more, read a lot more, write some more ... and repeat until your writing begins to develop the kind of strength and economy you see in your models.&lt;/span&gt;&lt;br /&gt;&lt;span style="font-size: large;"&gt;Finding good code to read used to be hard, because  there were few large programs available in source for fledgeling hackers to read and tinker with.  This has changed dramatically; open-source software, programming tools, and operating systems (all built by hackers) are now widely available. Which brings me neatly to our next topic...&lt;/span&gt;&lt;/div&gt;&lt;div class="sect2" title="2. Get one of the open-source Unixes and learn to use and run it."&gt;&lt;div class="titlepage"&gt;&lt;div&gt;&lt;div&gt;&lt;h3 class="title"&gt;&lt;span style="font-size: large;"&gt;2. 
Get one of the open-source Unixes and learn to use  and run it.&lt;/span&gt;&lt;/h3&gt;&lt;/div&gt;&lt;/div&gt;&lt;/div&gt;&lt;span style="font-size: large;"&gt;I'll assume you have a personal  computer or can get access to one.  (Take a moment to appreciate how much that means.  The hacker culture originally evolved back when computers were so expensive that individuals could not own them.)  The single most important step any newbie can take toward acquiring hacker skills is to get a copy of Linux or one of the BSD-Unixes or OpenSolaris, install it on a personal machine, and run it.&lt;/span&gt;&lt;br /&gt;&lt;span style="font-size: large;"&gt;Yes, there are other operating  systems in the world besides Unix.  But they're distributed in binary — you can't read the code, and you can't modify it.  Trying to learn to hack on a Microsoft Windows machine or under any other closed-source system is like trying to learn to dance while wearing a body cast.&lt;/span&gt;&lt;br /&gt;&lt;span style="font-size: large;"&gt;Under Mac OS X it's  possible, but only part of the system is open source — you're likely to hit a lot of walls, and you have to be careful not to develop the bad habit of depending on Apple's proprietary code.  If you concentrate on the Unix under the hood you can learn some useful things.&lt;/span&gt;&lt;br /&gt;&lt;span style="font-size: large;"&gt;Unix is the operating system of  the Internet.  While you can learn to use the Internet without knowing Unix, you can't be an Internet hacker without understanding Unix.  For this reason, the hacker culture today is pretty strongly Unix-centered. 
(This wasn't always true, and some old-time hackers still aren't happy about it, but the symbiosis between Unix and the Internet has become strong enough that even Microsoft's muscle doesn't seem able to seriously dent it.)&lt;/span&gt;&lt;br /&gt;&lt;span style="font-size: large;"&gt;So,  bring up a Unix — I like Linux myself but there are other ways (and yes, you &lt;/span&gt;&lt;span class="emphasis" style="font-size: large;"&gt;&lt;i&gt;can&lt;/i&gt;&lt;/span&gt;&lt;span style="font-size: large;"&gt; run both  Linux and Microsoft Windows on the same machine).  Learn it.  Run it.  Tinker with  it. Talk to the Internet with it.  Read the code.  Modify the code. You'll get better programming tools (including C, LISP, Python, and Perl) than any Microsoft operating system can dream of hosting, you'll have fun, and you'll soak up more knowledge than you realize you're learning until you look back on it as a master hacker.&lt;/span&gt;&lt;br /&gt;&lt;span style="font-size: large;"&gt;For more  about learning Unix, see &lt;a class="ulink" href="http://catb.org/%7Eesr/faqs/loginataka.html" target="_top"&gt;The  Loginataka&lt;/a&gt;. You might also want to have a look at &lt;a class="ulink" href="http://catb.org/%7Eesr/writings/taoup/" target="_top"&gt;The Art Of Unix Programming&lt;/a&gt;.&lt;/span&gt;&lt;br /&gt;&lt;span style="font-size: large;"&gt;To get your hands on a Linux, see the  &lt;a class="ulink" href="http://www.linux.org/" target="_top"&gt;Linux  Online!&lt;/a&gt; site; you can download from there or (better idea) find a local Linux user group to help you with installation.&lt;/span&gt;&lt;br /&gt;&lt;span style="font-size: large;"&gt;During the first ten years of this  HOWTO's life, I reported that from a new user's point of view, all Linux distributions are almost equivalent.  But in 2006-2007, an actual best choice emerged: &lt;a class="ulink" href="http://www.ubuntu.com/" target="_top"&gt;Ubuntu&lt;/a&gt;.  
While other distros have their own areas of strength, Ubuntu is far and away the most accessible to Linux newbies.&lt;/span&gt;&lt;br /&gt;&lt;span style="font-size: large;"&gt;You can find BSD Unix help and  resources at &lt;a class="ulink" href="http://www.bsd.org/" target="_top"&gt;www.bsd.org&lt;/a&gt;.&lt;/span&gt;&lt;br /&gt;&lt;span style="font-size: large;"&gt;A  good way to dip your toes in the water is to boot up what Linux fans call a &lt;a class="ulink" href="http://www.livecdnews.com/" target="_top"&gt;live CD&lt;/a&gt;, a distribution that runs entirely off a CD without having to modify your hard disk.  This will be slow, because CDs are slow, but it's a way to get a look at the possibilities without having to do anything drastic.&lt;/span&gt;&lt;br /&gt;&lt;span style="font-size: large;"&gt;I have written a primer on the &lt;a class="ulink" href="http://en.tldp.org/HOWTO/Unix-and-Internet-Fundamentals-HOWTO/index.html" target="_top"&gt;basics of Unix and the Internet&lt;/a&gt;.&lt;/span&gt;&lt;br /&gt;&lt;span style="font-size: large;"&gt;I used to recommend against  installing either Linux or BSD as a solo project if you're a newbie.  Nowadays the installers have gotten good enough that doing it entirely on your own is possible, even for a newbie.  Nevertheless, I still recommend making contact with your local Linux user's group and asking for help. It can't hurt, and may smooth the process.&lt;/span&gt;&lt;/div&gt;&lt;div class="sect2" title="3. Learn how to use the World Wide Web and write HTML."&gt;&lt;div class="titlepage"&gt;&lt;div&gt;&lt;div&gt;&lt;h3 class="title"&gt;&lt;span style="font-size: large;"&gt;3. Learn how to use the World Wide  Web and write HTML.&lt;/span&gt;&lt;/h3&gt;&lt;/div&gt;&lt;/div&gt;&lt;/div&gt;&lt;span style="font-size: large;"&gt;Most of the things the  hacker culture has built do their work out of sight, helping run factories and offices and universities without any obvious impact on how non-hackers live.  
The Web is the one big exception, the huge shiny hacker toy that even &lt;/span&gt;&lt;span class="emphasis" style="font-size: large;"&gt;&lt;i&gt;politicians&lt;/i&gt;&lt;/span&gt;&lt;span style="font-size: large;"&gt; admit has changed the  world.  For this reason alone (and a lot of other good ones as well) you need to learn how to work the Web.&lt;/span&gt;&lt;br /&gt;&lt;span style="font-size: large;"&gt;This doesn't just mean learning how to  drive a browser (anyone can do that), but learning how to write HTML, the Web's markup language. If you don't know how to program, writing HTML will teach you some mental habits that will help you learn. So build a home page. Try to stick to XHTML, which is a cleaner language than classic HTML. (There are good beginner tutorials on the Web; &lt;a class="ulink" href="http://htmldog.com/" target="_top"&gt;here's one&lt;/a&gt;.)&lt;/span&gt;&lt;br /&gt;&lt;span style="font-size: large;"&gt;But  just having a home page isn't anywhere near good enough to make you a hacker.  The Web is full of home pages.  Most of them are pointless, zero-content sludge — very snazzy-looking sludge, mind you, but sludge all the same (for more on this see &lt;a class="ulink" href="http://catb.org/%7Eesr/html-hell.html" target="_top"&gt;The HTML Hell Page&lt;/a&gt;).&lt;/span&gt;&lt;br /&gt;&lt;span style="font-size: large;"&gt;To be worthwhile, your page must have &lt;/span&gt;&lt;span class="emphasis" style="font-size: large;"&gt;&lt;i&gt;content&lt;/i&gt;&lt;/span&gt;&lt;span style="font-size: large;"&gt; — it must be interesting  and/or useful to other hackers.  And that brings us to the next topic...&lt;/span&gt;&lt;/div&gt;&lt;div class="sect2" title="4. If you don't have functional English, learn it."&gt;&lt;div class="titlepage"&gt;&lt;div&gt;&lt;div&gt;&lt;h3 class="title"&gt;&lt;span style="font-size: large;"&gt;4.  
If you don't have functional English, learn it.&lt;/span&gt;&lt;/h3&gt;&lt;/div&gt;&lt;/div&gt;&lt;/div&gt;&lt;span style="font-size: large;"&gt;As  an American and native English-speaker myself, I have previously been reluctant to suggest this, lest it be taken as a sort of cultural imperialism.  But several native speakers of other languages have urged me to point out that English is the working language of the hacker culture and the Internet, and that you  will need to know it to function in the hacker community.&lt;/span&gt;&lt;br /&gt;&lt;span style="font-size: large;"&gt;Back  around 1991 I learned that many hackers who have English as a second language use it in technical discussions even when they share a birth tongue; it was reported to me at the time that English has a richer technical vocabulary than any other language and is therefore simply a better tool for the job.  For similar reasons, translations of technical books written in English are often unsatisfactory (when they get done at all).&lt;/span&gt;&lt;br /&gt;&lt;span style="font-size: large;"&gt;Linus Torvalds, a Finn, comments his code  in English (it apparently never occurred to him to do otherwise).  His fluency in English has been an important factor in his ability to recruit a worldwide community of developers for Linux.  It's an example worth following.&lt;/span&gt;&lt;br /&gt;&lt;span style="font-size: large;"&gt;Being a native English-speaker does not guarantee that  you have language skills good enough to function as a hacker.  If your writing is semi-literate, ungrammatical, and riddled with misspellings, many hackers (including myself) will tend to ignore you.  While sloppy writing does not invariably mean sloppy thinking, we've generally found the correlation to be strong — and we have no use for sloppy thinkers.  
If you can't yet write competently, learn to.&lt;/span&gt;&lt;br /&gt;&lt;div class="mediaobject"&gt;&lt;span style="font-size: large;"&gt;&lt;img src="http://catb.org/%7Eesr/faqs/glider.png" /&gt;&lt;/span&gt;&lt;/div&gt;&lt;/div&gt;&lt;/div&gt;&lt;div class="sect1" title="Status in the Hacker Culture"&gt;&lt;div class="titlepage"&gt;&lt;div&gt;&lt;div&gt;&lt;h2 class="title" style="clear: both;"&gt;&lt;span style="font-size: large;"&gt;Status in the Hacker Culture&lt;/span&gt;&lt;/h2&gt;&lt;/div&gt;&lt;/div&gt;&lt;/div&gt;&lt;div class="toc"&gt;&lt;span style="font-size: large;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;br /&gt;&lt;dl&gt;&lt;dt&gt;&lt;span class="sect2" style="font-size: large;"&gt;&lt;a href="http://catb.org/%7Eesr/faqs/hacker-howto.html#respect1"&gt;1. Write  open-source software&lt;/a&gt;&lt;/span&gt;&lt;/dt&gt;&lt;dt&gt;&lt;span class="sect2" style="font-size: large;"&gt;&lt;a href="http://catb.org/%7Eesr/faqs/hacker-howto.html#respect2"&gt;2. Help  test and debug open-source software&lt;/a&gt;&lt;/span&gt;&lt;/dt&gt;&lt;dt&gt;&lt;span class="sect2" style="font-size: large;"&gt;&lt;a href="http://catb.org/%7Eesr/faqs/hacker-howto.html#respect3"&gt;3. Publish  useful information&lt;/a&gt;&lt;/span&gt;&lt;/dt&gt;&lt;dt&gt;&lt;span class="sect2" style="font-size: large;"&gt;&lt;a href="http://catb.org/%7Eesr/faqs/hacker-howto.html#respect4"&gt;4. Help  keep the infrastructure working&lt;/a&gt;&lt;/span&gt;&lt;/dt&gt;&lt;dt&gt;&lt;span class="sect2" style="font-size: large;"&gt;&lt;a href="http://catb.org/%7Eesr/faqs/hacker-howto.html#respect5"&gt;5. Serve  the hacker culture itself&lt;/a&gt;&lt;/span&gt;&lt;/dt&gt;&lt;/dl&gt;&lt;/div&gt;&lt;span style="font-size: large;"&gt;Like most  cultures without a money economy, hackerdom runs on reputation.  
You're trying to solve interesting problems, but how interesting they are, and whether your solutions are really good, is something that only your technical peers or superiors are normally equipped to judge.&lt;/span&gt;&lt;br /&gt;&lt;span style="font-size: large;"&gt;Accordingly, when you play the hacker game, you  learn to keep score primarily by what other hackers think of your skill (this is why you aren't really a hacker until other hackers consistently call you one).  This fact is obscured by the image of hacking as solitary work; also by a hacker-cultural taboo (gradually decaying since the late 1990s but still potent) against admitting that ego or external validation are involved in one's motivation at all.&lt;/span&gt;&lt;br /&gt;&lt;span style="font-size: large;"&gt;Specifically,  hackerdom is what anthropologists call a &lt;/span&gt;&lt;span class="emphasis" style="font-size: large;"&gt;&lt;i&gt;gift culture&lt;/i&gt;&lt;/span&gt;&lt;span style="font-size: large;"&gt;.  You gain status and reputation in it not by  dominating other people, nor by being beautiful, nor by having things other people want, but rather by giving things away.  Specifically, by giving away your time, your creativity, and the results of your skill.&lt;/span&gt;&lt;br /&gt;&lt;span style="font-size: large;"&gt;There are basically five kinds of things you can do to be  respected by hackers:&lt;/span&gt;&lt;br /&gt;&lt;div class="sect2" title="1. Write open-source software"&gt;&lt;div class="titlepage"&gt;&lt;div&gt;&lt;div&gt;&lt;h3 class="title"&gt;&lt;span style="font-size: large;"&gt;1.  
Write open-source software&lt;/span&gt;&lt;/h3&gt;&lt;/div&gt;&lt;/div&gt;&lt;/div&gt;&lt;span style="font-size: large;"&gt;The first (the most  central and most traditional) is to write programs that other hackers think are fun or useful, and give the program sources away to the whole hacker culture to use.&lt;/span&gt;&lt;br /&gt;&lt;span style="font-size: large;"&gt;(We used  to call these works “free software”, but this confused too many people who weren't sure exactly what “free” was supposed to mean.  Most of us now prefer the term “&lt;a class="ulink" href="http://www.opensource.org/" target="_top"&gt;open-source&lt;/a&gt;” software).&lt;/span&gt;&lt;br /&gt;&lt;span style="font-size: large;"&gt;Hackerdom's most revered demigods are people who have  written large, capable programs that met a widespread need and given them away, so that now everyone uses them.&lt;/span&gt;&lt;br /&gt;&lt;span style="font-size: large;"&gt;But there's a bit of a fine  historical point here.  While hackers have always looked up to the open-source developers among them as our community's hardest core, before the mid-1990s most hackers most of the time worked on closed source. This was still true when I wrote the first version of this HOWTO in 1996; it took the mainstreaming of open-source software after 1997 to change things. Today, "the hacker community" and "open-source developers" are two descriptions for what is essentially the same culture and population — but it is worth remembering that this was not always so. (For more on this, see &lt;a class="xref" href="http://catb.org/%7Eesr/faqs/hacker-howto.html#history" title="Historical Note: Hacking, Open Source, and Free Software"&gt;the  section called “Historical Note: Hacking, Open Source, and Free Software”&lt;/a&gt;.)&lt;/span&gt;&lt;/div&gt;&lt;div class="sect2" title="2. 
Help test and debug open-source software"&gt;&lt;div class="titlepage"&gt;&lt;div&gt;&lt;div&gt;&lt;h3 class="title"&gt;&lt;span style="font-size: large;"&gt;2. Help test and debug open-source  software&lt;/span&gt;&lt;/h3&gt;&lt;/div&gt;&lt;/div&gt;&lt;/div&gt;&lt;span style="font-size: large;"&gt;They also serve who stand and debug  open-source software.  In this imperfect world, we will inevitably spend most of our software development time in the debugging phase. That's why any open-source author who's thinking will tell you that good beta-testers (who know how to describe symptoms clearly, localize problems well, can tolerate bugs in a quickie release, and are willing to apply a few simple diagnostic routines) are worth their weight in rubies.  Even one of these can make the difference between a debugging phase that's a protracted, exhausting nightmare and one that's merely a salutary nuisance.&lt;/span&gt;&lt;br /&gt;&lt;span style="font-size: large;"&gt;If you're a newbie, try to find a program under  development that you're interested in and be a good beta-tester.  There's a natural progression from helping test programs to helping debug them to helping modify them.  You'll learn a lot this way, and generate good karma with people who will help you later on.&lt;/span&gt;&lt;/div&gt;&lt;div class="sect2" title="3. Publish useful information"&gt;&lt;div class="titlepage"&gt;&lt;div&gt;&lt;div&gt;&lt;h3 class="title"&gt;&lt;span style="font-size: large;"&gt;3.  
Publish useful information&lt;/span&gt;&lt;/h3&gt;&lt;/div&gt;&lt;/div&gt;&lt;/div&gt;&lt;span style="font-size: large;"&gt;Another good thing  is to collect and filter useful and interesting information into web pages or documents like  Frequently Asked Questions (FAQ) lists, and make those generally available.&lt;/span&gt;&lt;br /&gt;&lt;span style="font-size: large;"&gt;Maintainers of major technical FAQs get almost as much  respect as open-source authors.&lt;/span&gt;&lt;/div&gt;&lt;div class="sect2" title="4. Help keep the infrastructure working"&gt;&lt;div class="titlepage"&gt;&lt;div&gt;&lt;div&gt;&lt;h3 class="title"&gt;&lt;span style="font-size: large;"&gt;4. Help keep the infrastructure  working&lt;/span&gt;&lt;/h3&gt;&lt;/div&gt;&lt;/div&gt;&lt;/div&gt;&lt;span style="font-size: large;"&gt;The hacker culture (and the engineering  development of the Internet, for that matter) is run by volunteers.  There's a lot of necessary but unglamorous work that needs done to keep it going — administering mailing lists, moderating newsgroups, maintaining large software archive sites, developing RFCs and other technical standards.&lt;/span&gt;&lt;br /&gt;&lt;span style="font-size: large;"&gt;People who do this sort of thing well get a  lot of respect, because everybody knows these jobs are huge time sinks and not as much fun as playing with code.  Doing them shows dedication.&lt;/span&gt;&lt;/div&gt;&lt;div class="sect2" title="5. Serve the hacker culture itself"&gt;&lt;div class="titlepage"&gt;&lt;div&gt;&lt;div&gt;&lt;h3 class="title"&gt;&lt;span style="font-size: large;"&gt;5.  Serve the hacker culture itself&lt;/span&gt;&lt;/h3&gt;&lt;/div&gt;&lt;/div&gt;&lt;/div&gt;&lt;span style="font-size: large;"&gt;Finally, you  can serve and propagate the culture itself (by, for example, writing an accurate primer on how to become a hacker :-)). 
This is not something you'll be positioned to do until you've been around for a while and become well-known for one of the first four things.&lt;/span&gt;&lt;br /&gt;&lt;span style="font-size: large;"&gt;The hacker culture doesn't have leaders, exactly, but it  does have culture heroes and tribal elders and historians and spokespeople. When you've been in the trenches long enough, you may grow into one of these.  Beware: hackers distrust blatant ego in their tribal elders, so visibly reaching for this kind of fame is dangerous.  Rather than striving for it, you have to sort of position yourself so it drops in your lap, and then be modest and gracious about your status.&lt;/span&gt;&lt;br /&gt;&lt;div class="mediaobject"&gt;&lt;span style="font-size: large;"&gt;&lt;img src="http://catb.org/%7Eesr/faqs/glider.png" /&gt;&lt;/span&gt;&lt;/div&gt;&lt;/div&gt;&lt;/div&gt;&lt;div class="sect1" title="The Hacker/Nerd Connection"&gt;&lt;div class="titlepage"&gt;&lt;div&gt;&lt;div&gt;&lt;h2 class="title" style="clear: both;"&gt;&lt;span style="font-size: large;"&gt;The  Hacker/Nerd Connection&lt;/span&gt;&lt;/h2&gt;&lt;/div&gt;&lt;/div&gt;&lt;/div&gt;&lt;span style="font-size: large;"&gt;Contrary to popular  myth, you don't have to be a nerd to be a hacker.  It does help, however, and many hackers are in fact nerds. Being something of a social outcast helps you stay concentrated on the really important things, like thinking and hacking.&lt;/span&gt;&lt;br /&gt;&lt;span style="font-size: large;"&gt;For this  reason, many hackers have adopted the label ‘geek’ as a badge of pride — it's a way of declaring their independence from normal social expectations (as well as a fondness for other things like science fiction and strategy games that often go with being a hacker). The term 'nerd' used to be used this way back in the 1990s, back when 'nerd' was a mild pejorative and 'geek' a rather harsher one; sometime after 2000 they switched places, at least in U.S. 
popular culture, and there is now even a significant geek-pride culture among people who aren't techies.&lt;/span&gt;&lt;br /&gt;&lt;span style="font-size: large;"&gt;If you can  manage to concentrate enough on hacking to be good at it and still have a life, that's fine.  This is a lot easier today than it was when I was a newbie in the 1970s; mainstream culture is much friendlier to techno-nerds now.  There are even growing numbers of people who realize that hackers are often high-quality lover and spouse material.&lt;/span&gt;&lt;br /&gt;&lt;span style="font-size: large;"&gt;If you're attracted to hacking because you don't  have a life, that's OK too — at least you won't have trouble concentrating. Maybe you'll get a life later on.&lt;/span&gt;&lt;br /&gt;&lt;div class="mediaobject"&gt;&lt;span style="font-size: large;"&gt;&lt;img src="http://catb.org/%7Eesr/faqs/glider.png" /&gt;&lt;/span&gt;&lt;/div&gt;&lt;/div&gt;&lt;div class="sect1" title="Points For Style"&gt;&lt;div class="titlepage"&gt;&lt;div&gt;&lt;div&gt;&lt;h2 class="title" style="clear: both;"&gt;&lt;span style="font-size: large;"&gt;Points For Style&lt;/span&gt;&lt;/h2&gt;&lt;/div&gt;&lt;/div&gt;&lt;/div&gt;&lt;span style="font-size: large;"&gt;Again,  to be a hacker, you have to enter the hacker mindset.  There are some things you can do when you're not at a computer that seem to help.  They're not substitutes for hacking (nothing is) but many hackers do them, and feel that they connect in some basic way with the essence of hacking.&lt;/span&gt;&lt;br /&gt;&lt;div class="itemizedlist"&gt;&lt;ul class="itemizedlist" type="disc"&gt;&lt;li class="listitem"&gt;&lt;span style="font-size: large;"&gt;Learn to write your native language well.  
Though      it's a common stereotype that programmers can't write, a      surprising number of hackers (including all the most accomplished       ones I know of) are very able writers.&lt;/span&gt;&lt;/li&gt;&lt;li class="listitem"&gt;&lt;span style="font-size: large;"&gt;Read  science fiction.  Go to science fiction      conventions (a good way to meet hackers and proto-hackers).      &lt;/span&gt;&lt;/li&gt;&lt;li class="listitem"&gt;&lt;span style="font-size: large;"&gt;Train in a martial-arts form.  The  kind of mental      discipline required for martial arts seems to be similar in      important ways to what hackers do.  The most popular forms among      hackers are definitely Asian empty-hand arts such as Tae Kwon Do,      various forms of Karate, Kung Fu, Aikido, or Ju Jitsu.  Western      fencing and Asian sword arts also have visible followings. In      places where it's legal, pistol shooting has been rising in      popularity since the late 1990s. The most hackerly martial arts      are those which emphasize mental discipline, relaxed awareness,      and control, rather than raw strength, athleticism, or physical      toughness.&lt;/span&gt;&lt;/li&gt;&lt;li class="listitem"&gt;&lt;span style="font-size: large;"&gt;Study an actual  meditation discipline.  The perennial      favorite among hackers is Zen (importantly, it is possible to      benefit from Zen without acquiring a religion or discarding one      you already have).  Other styles may work as well, but be careful      to choose one that doesn't require you to believe crazy      things.&lt;/span&gt;&lt;/li&gt;&lt;li class="listitem"&gt;&lt;span style="font-size: large;"&gt; Develop an analytical ear  for music.  Learn to      appreciate peculiar kinds of music.  
Learn to play some musical      instrument well, or how to sing.&lt;/span&gt;&lt;/li&gt;&lt;li class="listitem"&gt;&lt;span style="font-size: large;"&gt;  Develop your appreciation of puns and      wordplay.&lt;/span&gt;&lt;/li&gt;&lt;/ul&gt;&lt;/div&gt;&lt;span style="font-size: large;"&gt;The more of these things you  already do, the more likely it is that you are natural hacker material.   Why these things in particular is not completely clear, but they're connected with a mix of left- and right-brain skills that seems to be important; hackers need to be able to both reason logically and step outside the apparent logic of a problem at a moment's notice.&lt;/span&gt;&lt;br /&gt;&lt;span style="font-size: large;"&gt;Work as intensely as you  play and play as intensely as you work. For true hackers, the boundaries between "play", "work", "science" and "art" all tend to disappear, or to merge into a high-level creative playfulness.  Also, don't be content with a narrow range of skills. Though most hackers self-describe as programmers, they are very likely to be more than competent in several related skills — system administration, web design, and PC hardware troubleshooting are common ones.  A hacker who's a system administrator, on the other hand, is likely to be quite skilled at script programming and web design. Hackers don't do things by halves; if they invest in a skill at all, they tend to get very good at it.&lt;/span&gt;&lt;br /&gt;&lt;span style="font-size: large;"&gt;Finally, a  few things &lt;/span&gt;&lt;span class="emphasis" style="font-size: large;"&gt;&lt;i&gt;not&lt;/i&gt;&lt;/span&gt;&lt;span style="font-size: large;"&gt; to do.&lt;/span&gt;&lt;br /&gt;&lt;div class="itemizedlist"&gt;&lt;ul class="itemizedlist" type="disc"&gt;&lt;li class="listitem"&gt;&lt;span style="font-size: large;"&gt; Don't use a silly, grandiose user ID or screen  name.      
&lt;/span&gt;&lt;/li&gt;&lt;li class="listitem"&gt;&lt;span style="font-size: large;"&gt; Don't get in flame wars on Usenet  (or anywhere      else).&lt;/span&gt;&lt;/li&gt;&lt;li class="listitem"&gt;&lt;span style="font-size: large;"&gt; Don't call yourself a  ‘cyberpunk’, and don't waste      your time on anybody who does.&lt;/span&gt;&lt;/li&gt;&lt;li class="listitem"&gt;&lt;span style="font-size: large;"&gt;  Don't post or email writing that's full of spelling      errors and bad grammar.&lt;/span&gt;&lt;/li&gt;&lt;/ul&gt;&lt;/div&gt;&lt;span style="font-size: large;"&gt;The only reputation  you'll make doing any of these things is as a twit.  Hackers have long memories — it could take you years to live your early blunders down enough to be accepted.&lt;/span&gt;&lt;br /&gt;&lt;span style="font-size: large;"&gt;The problem with  screen names or handles deserves some amplification.  Concealing your identity behind a handle is a juvenile and silly behavior characteristic of crackers, warez d00dz, and other lower life forms.  Hackers don't do this; they're proud of what they do and want it associated with their &lt;/span&gt;&lt;span class="emphasis" style="font-size: large;"&gt;&lt;i&gt;real&lt;/i&gt;&lt;/span&gt;&lt;span style="font-size: large;"&gt;  names. So if you have a handle, drop it.  
In the hacker culture it will only mark you as a loser.&lt;/span&gt;&lt;br /&gt;&lt;div class="mediaobject"&gt;&lt;span style="font-size: large;"&gt;&lt;img src="http://catb.org/%7Eesr/faqs/glider.png" /&gt;&lt;/span&gt;&lt;/div&gt;&lt;/div&gt;&lt;div class="sect1" title="Historical Note: Hacking, Open Source, and Free Software"&gt;&lt;div class="titlepage"&gt;&lt;div&gt;&lt;div&gt;&lt;h2 class="title" style="clear: both;"&gt;&lt;span style="font-size: large;"&gt;Historical Note: Hacking, Open  Source, and Free Software&lt;/span&gt;&lt;/h2&gt;&lt;/div&gt;&lt;/div&gt;&lt;/div&gt;&lt;span style="font-size: large;"&gt;When I originally wrote this  how-to in late 1996, some of the conditions around it were very different from the way they look today. A few words about these changes may help clarify matters for people who are confused about the relationship of open source, free software, and Linux to the hacker community.  If you are not curious about this, you can skip straight to the FAQ and bibliography from here.&lt;/span&gt;&lt;br /&gt;&lt;span style="font-size: large;"&gt;The hacker ethos and community as I have described it here  long predates the emergence of Linux after 1990; I first became involved with it around 1976, and its roots are readily traceable back to the early 1960s.  But before Linux, most hacking was done on either proprietary operating systems or a handful of quasi-experimental homegrown systems like MIT's ITS that were never deployed outside of their original academic niches.  
While there had been some earlier (pre-Linux) attempts to change this situation, their impact was at best very marginal and confined to communities of dedicated true believers which were tiny minorities even within the hacker community, let alone with respect to the larger world of software in general.&lt;/span&gt;&lt;br /&gt;&lt;span style="font-size: large;"&gt;What is now called "open source" goes back as far as the  hacker community does, but until 1985 it was an unnamed folk practice rather than a conscious movement with theories and manifestos attached to it. This prehistory ended when, in 1985, arch-hacker Richard Stallman ("RMS") tried to give it a name — "free software". But his act of naming was also an act of claiming; he attached ideological baggage to the "free software" label which much of the existing hacker community never accepted.  As a result, the "free software" label was loudly rejected by a substantial minority of the hacker community (especially among those associated with BSD Unix), and used with serious but silent reservations by a majority of the remainder (including myself).&lt;/span&gt;&lt;br /&gt;&lt;span style="font-size: large;"&gt;Despite these reservations, RMS's claim to  define and lead the hacker community under the "free software" banner broadly held until the mid-1990s. It was seriously challenged only by the rise of Linux. Linux gave open-source development a natural home.  Many projects issued under terms we would now call open-source migrated from proprietary Unixes to Linux.  The community around Linux grew explosively, becoming far larger and more heterogeneous than the pre-Linux hacker culture. RMS determinedly attempted to co-opt all this activity into his "free software" movement, but was thwarted by both the exploding diversity of the Linux community and the public skepticism of its founder, Linus Torvalds.  
Torvalds continued to use the term "free software" for lack of any alternative, but publicly rejected RMS's ideological baggage. Many younger hackers followed suit.&lt;/span&gt;&lt;br /&gt;&lt;span style="font-size: large;"&gt;In 1996, when I first published this Hacker HOWTO, the  hacker community was rapidly reorganizing around Linux and a handful of other open-source operating systems (notably those descended from BSD Unix). Community memory of the fact that most of us had spent decades developing closed-source software on closed-source operating systems had not yet begun to fade, but that fact was already beginning to seem like part of a dead past; hackers were, increasingly, defining themselves as hackers by their attachments to open-source projects such as Linux or Apache.&lt;/span&gt;&lt;br /&gt;&lt;span style="font-size: large;"&gt;The term "open source", however, had not  yet emerged; it would not do so until early 1998.  When it did, most of the hacker community adopted it within the following six months; the exceptions were a minority ideologically attached to the term "free software". Since 1998, and especially after about 2003, the identification of 'hacking' with 'open-source (and free software) development' has become extremely close.  
Today there is little point in attempting to distinguish between these categories, and it seems unlikely that will change in the future.&lt;/span&gt;&lt;br /&gt;&lt;span style="font-size: large;"&gt;It is worth remembering, however, that this  was not always so.&lt;/span&gt;&lt;br /&gt;&lt;div class="mediaobject"&gt;&lt;span style="font-size: large;"&gt;&lt;img src="http://catb.org/%7Eesr/faqs/glider.png" /&gt;&lt;/span&gt;&lt;/div&gt;&lt;/div&gt;&lt;div class="sect1" title="Other Resources"&gt;&lt;div class="titlepage"&gt;&lt;div&gt;&lt;div&gt;&lt;h2 class="title" style="clear: both;"&gt;&lt;span style="font-size: large;"&gt;Other  Resources&lt;/span&gt;&lt;/h2&gt;&lt;/div&gt;&lt;/div&gt;&lt;/div&gt;&lt;span style="font-size: large;"&gt;Paul Graham has written an essay  called &lt;a class="ulink" href="http://www.paulgraham.com/gh.html" target="_top"&gt;Great Hackers&lt;/a&gt;, and another on &lt;a class="ulink" href="http://www.paulgraham.com/college.html" target="_top"&gt;Undergraduation&lt;/a&gt;, in which he speaks much wisdom.&lt;/span&gt;&lt;br /&gt;&lt;span style="font-size: large;"&gt;There is a document called &lt;a class="ulink" href="http://samizdat.mines.edu/howto/HowToBeAProgrammer.html" target="_top"&gt;How To Be A Programmer&lt;/a&gt; that is an excellent complement to this one.  
It has valuable advice not just about coding and skillsets, but about how to function on a programming team.&lt;/span&gt;&lt;br /&gt;&lt;span style="font-size: large;"&gt;I have also written &lt;a class="ulink" href="http://catb.org/%7Eesr/writings/hacker-history/hacker-history.html" target="_top"&gt;&lt;i class="citetitle"&gt;A Brief History Of Hackerdom&lt;/i&gt;&lt;/a&gt;.&lt;/span&gt;&lt;br /&gt;&lt;span style="font-size: large;"&gt;I have written a paper, &lt;a class="ulink" href="http://catb.org/%7Eesr/writings/cathedral-bazaar/index.html" target="_top"&gt;&lt;i class="citetitle"&gt;The Cathedral and the Bazaar&lt;/i&gt;&lt;/a&gt;, which explains a lot about how the Linux and open-source cultures work.  I have addressed this topic even more directly in its sequel &lt;a class="ulink" href="http://catb.org/%7Eesr/writings/homesteading/" target="_top"&gt;&lt;i class="citetitle"&gt;Homesteading the Noosphere&lt;/i&gt;&lt;/a&gt;.&lt;/span&gt;&lt;br /&gt;&lt;span style="font-size: large;"&gt;Rick Moen has written an excellent  document on &lt;a class="ulink" href="http://linuxmafia.com/faq/Linux_PR/newlug.html" target="_top"&gt;how  to run a Linux user group&lt;/a&gt;.&lt;/span&gt;&lt;br /&gt;&lt;span style="font-size: large;"&gt;Rick Moen and I have collaborated on  another document on &lt;a class="ulink" href="http://catb.org/%7Eesr/faqs/smart-questions.html" target="_top"&gt;How To Ask Smart Questions&lt;/a&gt;.  This will help you seek assistance in a way that makes it more likely that you will actually get it.&lt;/span&gt;&lt;br /&gt;&lt;span style="font-size: large;"&gt;If  you need instruction in the basics of how personal computers, Unix, and the Internet work, see &lt;a class="ulink" href="http://en.tldp.org/HOWTO//Unix-and-Internet-Fundamentals-HOWTO/" target="_top"&gt; The Unix and Internet Fundamentals HOWTO&lt;/a&gt;. 
&lt;/span&gt;&lt;br /&gt;&lt;span style="font-size: large;"&gt;When you release software or write patches for software, try to follow the guidelines in the &lt;a class="ulink" href="http://en.tldp.org/HOWTO/Software-Release-Practice-HOWTO/index.html" target="_top"&gt; Software Release Practice HOWTO&lt;/a&gt;.&lt;/span&gt;&lt;br /&gt;&lt;span style="font-size: large;"&gt;If you enjoyed the Zen poem,  you might also like &lt;a class="ulink" href="http://catb.org/%7Eesr//writings/unix-koans" target="_top"&gt;Rootless   Root: The Unix Koans of Master Foo&lt;/a&gt;.&lt;/span&gt;&lt;br /&gt;&lt;div class="mediaobject"&gt;&lt;span style="font-size: large;"&gt;&lt;img src="http://catb.org/%7Eesr/faqs/glider.png" /&gt;&lt;/span&gt;&lt;/div&gt;&lt;/div&gt;&lt;div class="sect1" title="Frequently Asked Questions"&gt;&lt;div class="titlepage"&gt;&lt;div&gt;&lt;div&gt;&lt;h2 class="title" style="clear: both;"&gt;&lt;span style="font-size: large;"&gt;Frequently Asked  Questions&lt;/span&gt;&lt;/h2&gt;&lt;/div&gt;&lt;/div&gt;&lt;/div&gt;&lt;div class="qandaset" title="Frequently Asked Questions"&gt;&lt;span style="font-size: large;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;br /&gt;&lt;dl&gt;&lt;dt&gt;&lt;span style="font-size: large;"&gt;Q: &lt;a href="http://catb.org/%7Eesr/faqs/hacker-howto.html#hacker_already"&gt;How  do I tell if I am already a hacker?&lt;/a&gt;&lt;/span&gt;&lt;/dt&gt;&lt;dt&gt;&lt;span style="font-size: large;"&gt;Q: &lt;a href="http://catb.org/%7Eesr/faqs/hacker-howto.html#teach_hack"&gt;Will you  teach me how to hack?&lt;/a&gt;&lt;/span&gt;&lt;/dt&gt;&lt;dt&gt;&lt;span style="font-size: large;"&gt;Q: &lt;a href="http://catb.org/%7Eesr/faqs/hacker-howto.html#getting_started"&gt;How  can I get started, then?&lt;/a&gt;&lt;/span&gt;&lt;/dt&gt;&lt;dt&gt;&lt;span style="font-size: large;"&gt;Q: &lt;a href="http://catb.org/%7Eesr/faqs/hacker-howto.html#when_start"&gt;When do  you have to start?  
Is it too late for me to learn?&lt;/a&gt;&lt;/span&gt;&lt;/dt&gt;&lt;dt&gt;&lt;span style="font-size: large;"&gt;Q: &lt;a href="http://catb.org/%7Eesr/faqs/hacker-howto.html#how_long"&gt;How long  will it take me to learn to hack?&lt;/a&gt;&lt;/span&gt;&lt;/dt&gt;&lt;dt&gt;&lt;span style="font-size: large;"&gt;Q: &lt;a href="http://catb.org/%7Eesr/faqs/hacker-howto.html#closed_lang"&gt;Is  Visual Basic a good language to start with?&lt;/a&gt;&lt;/span&gt;&lt;/dt&gt;&lt;dt&gt;&lt;span style="font-size: large;"&gt;Q: &lt;a href="http://catb.org/%7Eesr/faqs/hacker-howto.html#I_want_to_crack_and_Im_an_idiot"&gt;Would  you help me to crack a system, or teach me how to crack?&lt;/a&gt;&lt;/span&gt;&lt;/dt&gt;&lt;dt&gt;&lt;span style="font-size: large;"&gt;Q:  &lt;a href="http://catb.org/%7Eesr/faqs/hacker-howto.html#passwords"&gt;How  can I get the password for someone else's account?&lt;/a&gt;&lt;/span&gt;&lt;/dt&gt;&lt;dt&gt;&lt;span style="font-size: large;"&gt;Q: &lt;a href="http://catb.org/%7Eesr/faqs/hacker-howto.html#crackmail"&gt;How can I  break into/read/monitor someone else's email?&lt;/a&gt;&lt;/span&gt;&lt;/dt&gt;&lt;dt&gt;&lt;span style="font-size: large;"&gt;Q: &lt;a href="http://catb.org/%7Eesr/faqs/hacker-howto.html#crackop"&gt;How can I  steal channel op privileges on IRC?&lt;/a&gt;&lt;/span&gt;&lt;/dt&gt;&lt;dt&gt;&lt;span style="font-size: large;"&gt;Q: &lt;a href="http://catb.org/%7Eesr/faqs/hacker-howto.html#anti_crack"&gt;I've  been cracked.  Will you help me fend off further attacks?&lt;/a&gt;&lt;/span&gt;&lt;/dt&gt;&lt;dt&gt;&lt;span style="font-size: large;"&gt;Q:  &lt;a href="http://catb.org/%7Eesr/faqs/hacker-howto.html#windows_grief"&gt;I'm  having problems with my Windows software.  
Will you help me?&lt;/a&gt;&lt;/span&gt;&lt;/dt&gt;&lt;dt&gt;&lt;span style="font-size: large;"&gt;Q:  &lt;a href="http://catb.org/%7Eesr/faqs/hacker-howto.html#real_hackers"&gt;Where  can I find some real hackers to talk with?&lt;/a&gt;&lt;/span&gt;&lt;/dt&gt;&lt;dt&gt;&lt;span style="font-size: large;"&gt;Q: &lt;a href="http://catb.org/%7Eesr/faqs/hacker-howto.html#books"&gt;Can you  recommend useful books about hacking-related subjects?&lt;/a&gt;&lt;/span&gt;&lt;/dt&gt;&lt;dt&gt;&lt;span style="font-size: large;"&gt;Q: &lt;a href="http://catb.org/%7Eesr/faqs/hacker-howto.html#mathematics"&gt;Do I  need to be good at math to become a hacker?&lt;/a&gt;&lt;/span&gt;&lt;/dt&gt;&lt;dt&gt;&lt;span style="font-size: large;"&gt;Q: &lt;a href="http://catb.org/%7Eesr/faqs/hacker-howto.html#language_first"&gt;What  language should I learn first?&lt;/a&gt;&lt;/span&gt;&lt;/dt&gt;&lt;dt&gt;&lt;span style="font-size: large;"&gt;Q: &lt;a href="http://catb.org/%7Eesr/faqs/hacker-howto.html#hardware"&gt;What kind  of hardware do I need?&lt;/a&gt;&lt;/span&gt;&lt;/dt&gt;&lt;dt&gt;&lt;span style="font-size: large;"&gt;Q: &lt;a href="http://catb.org/%7Eesr/faqs/hacker-howto.html#started2"&gt;I want to  contribute.  
Can you help me pick a problem to work on?&lt;/a&gt;&lt;/span&gt;&lt;/dt&gt;&lt;dt&gt;&lt;span style="font-size: large;"&gt;Q: &lt;a href="http://catb.org/%7Eesr/faqs/hacker-howto.html#MS_hater"&gt;Do I need  to hate and bash Microsoft?&lt;/a&gt;&lt;/span&gt;&lt;/dt&gt;&lt;dt&gt;&lt;span style="font-size: large;"&gt;Q: &lt;a href="http://catb.org/%7Eesr/faqs/hacker-howto.html#no_living"&gt;But won't  open-source software leave programmers unable to make a living?&lt;/a&gt;&lt;/span&gt;&lt;/dt&gt;&lt;dt&gt;&lt;span style="font-size: large;"&gt;Q:  &lt;a href="http://catb.org/%7Eesr/faqs/hacker-howto.html#problems"&gt;Where  can I get a free Unix?&lt;/a&gt;&lt;/span&gt;&lt;/dt&gt;&lt;/dl&gt;&lt;table border="0" summary="Q and A Set"&gt;&lt;col align="left" width="1%"&gt;&lt;/col&gt;&lt;col&gt;&lt;/col&gt;&lt;tbody&gt;&lt;tr class="question" title="Q:"&gt;&lt;td align="left" valign="top"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;Q:&lt;/b&gt;&lt;/span&gt;&lt;/td&gt;&lt;td align="left" valign="top"&gt;&lt;span style="font-size: large;"&gt;How do I tell if I am already a hacker?&lt;/span&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr class="answer"&gt;&lt;td align="left" valign="top"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;A:&lt;/b&gt;&lt;/span&gt;&lt;/td&gt;&lt;td align="left" valign="top"&gt;&lt;span style="font-size: large;"&gt;Ask yourself the following three questions:&lt;/span&gt;&lt;br /&gt;&lt;div class="itemizedlist"&gt;&lt;ul class="itemizedlist" type="disc"&gt;&lt;li class="listitem"&gt;&lt;span style="font-size: large;"&gt;Do you speak code, fluently?&lt;/span&gt;&lt;/li&gt;&lt;li class="listitem"&gt;&lt;span style="font-size: large;"&gt;Do you identify with the goals and values of the           hacker community?&lt;/span&gt;&lt;/li&gt;&lt;li class="listitem"&gt;&lt;span style="font-size: large;"&gt;Has a  well-established member of the hacker           community ever called you a hacker?&lt;/span&gt;&lt;/li&gt;&lt;/ul&gt;&lt;/div&gt;&lt;span 
style="font-size: large;"&gt;If  you can answer yes to &lt;/span&gt;&lt;span class="emphasis" style="font-size: large;"&gt;&lt;i&gt;all three&lt;/i&gt;&lt;/span&gt;&lt;span style="font-size: large;"&gt;  of these questions, you are already a hacker.  No two alone are sufficient.&lt;/span&gt;&lt;br /&gt;&lt;span style="font-size: large;"&gt;The  first test is about skills.  You probably pass it if you have the minimum technical skills described earlier in this document. You blow right through it if you have had a substantial amount of code accepted by an open-source development project.&lt;/span&gt;&lt;br /&gt;&lt;span style="font-size: large;"&gt;The second test is  about attitude.  If the &lt;a class="link" href="http://catb.org/%7Eesr/faqs/hacker-howto.html#attitude" title="The Hacker Attitude"&gt;five principles of the hacker mindset&lt;/a&gt; seemed obvious to you, more like a description of the way you already live than anything novel, you are already halfway to passing it. That's the inward half; the other, outward half is the degree to which you identify with the hacker community's long-term projects.&lt;/span&gt;&lt;br /&gt;&lt;span style="font-size: large;"&gt;Here is  an incomplete but indicative list of some of those projects: Does it matter to you that Linux improve and spread? Are you passionate about software freedom?  Hostile to monopolies? Do you act on the belief that computers can be instruments of empowerment that make the world a richer and more humane place?&lt;/span&gt;&lt;br /&gt;&lt;span style="font-size: large;"&gt;But a note of  caution is in order here. The hacker community has some specific, primarily defensive political interests — two of them are defending free-speech rights and fending off "intellectual-property" power grabs that would make open source illegal. Some of those long-term projects are civil-liberties organizations like the Electronic Frontier Foundation, and the outward attitude properly includes support of them.  
But beyond that, most hackers view attempts to systematize the hacker attitude into an explicit political program with suspicion; we've learned, the hard way, that these attempts are divisive and distracting.  If someone tries to recruit you to march on your capitol in the name of the hacker attitude, they've missed the point.  The right response is probably &lt;/span&gt;&lt;span class="quote" style="font-size: large;"&gt;“&lt;span class="quote"&gt;Shut up and show them  the code.&lt;/span&gt;”&lt;/span&gt;&lt;br /&gt;&lt;span style="font-size: large;"&gt;The third test has a tricky element of  recursiveness about it. I observed in &lt;a class="xref" href="http://catb.org/%7Eesr/faqs/hacker-howto.html#what_is" title="What Is a Hacker?"&gt;the section called “What Is a Hacker?”&lt;/a&gt; that being a  hacker is partly a matter of belonging to a particular subculture or social network with a shared history, an inside and an outside.  In the far past, hackers were a much less cohesive and self-aware group than they are today. But the importance of the social-network aspect has increased over the last thirty years as the Internet has made connections with the core of the hacker subculture easier to develop and maintain.  One easy behavioral index of the change is that, in this century, we have our own T-shirts.&lt;/span&gt;&lt;br /&gt;&lt;span style="font-size: large;"&gt;Sociologists, who study networks like those of the  hacker culture under the general rubric of "invisible colleges", have noted that one characteristic of such networks is that they have gatekeepers — core members with the social authority to endorse new members into the network.  Because the "invisible college" that is hacker culture is a loose and informal one, the role of gatekeeper is informal too.  But one thing that all hackers understand in their bones is that not every hacker is a gatekeeper. 
Gatekeepers have to have a certain degree of seniority and accomplishment before they can bestow the title. How much is hard to quantify, but every hacker knows it when they see it.&lt;/span&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr class="question" title="Q:"&gt;&lt;td align="left" valign="top"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;Q:&lt;/b&gt;&lt;/span&gt;&lt;/td&gt;&lt;td align="left" valign="top"&gt;&lt;span style="font-size: large;"&gt;Will you teach me how to hack?&lt;/span&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr class="answer"&gt;&lt;td align="left" valign="top"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;A:&lt;/b&gt;&lt;/span&gt;&lt;/td&gt;&lt;td align="left" valign="top"&gt;&lt;span style="font-size: large;"&gt;Since first publishing this page, I've  gotten several requests a week (often several a day) from people to "teach me all about hacking".  Unfortunately, I don't have the time or energy to do this; my own hacking projects, and working as an open-source advocate, take up 110% of my time.&lt;/span&gt;&lt;br /&gt;&lt;span style="font-size: large;"&gt;Even if I did, hacking is an attitude and  skill you basically have to teach yourself.  You'll find that while real hackers want to help you, they won't respect you if you beg to be spoon-fed everything they know.&lt;/span&gt;&lt;br /&gt;&lt;span style="font-size: large;"&gt;Learn a few things first.  Show that you're trying, that  you're capable of learning on your own.  Then go to the hackers you meet with specific questions.&lt;/span&gt;&lt;br /&gt;&lt;span style="font-size: large;"&gt;If you do email a hacker asking for advice,  here are two things to know up front.  First, we've found that people who are lazy or careless in their writing are usually too lazy and careless in their thinking to make good hackers — so take care to spell correctly, and use good grammar and punctuation, otherwise you'll probably be ignored.  
Secondly, don't &lt;/span&gt;&lt;span class="emphasis" style="font-size: large;"&gt;&lt;i&gt;dare&lt;/i&gt;&lt;/span&gt;&lt;span style="font-size: large;"&gt;  ask for a reply to an ISP account that's different from the account you're sending from; we find people who do that are usually thieves using stolen accounts, and we have no interest in rewarding or assisting thievery.&lt;/span&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr class="question" title="Q:"&gt;&lt;td align="left" valign="top"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;Q:&lt;/b&gt;&lt;/span&gt;&lt;/td&gt;&lt;td align="left" valign="top"&gt;&lt;span style="font-size: large;"&gt;How can I get started, then?&lt;/span&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr class="answer"&gt;&lt;td align="left" valign="top"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;A:&lt;/b&gt;&lt;/span&gt;&lt;/td&gt;&lt;td align="left" valign="top"&gt;&lt;span style="font-size: large;"&gt;The best way for you to get started would  probably be to go to a LUG (Linux user group) meeting.  You can find such groups on the &lt;a class="ulink" href="http://www.tldp.org/links/index.html" target="_top"&gt;LDP  General Linux Information Page&lt;/a&gt;; there is probably one near you, possibly associated with a college or university.  LUG members will probably give you a Linux if you ask, and will certainly help you install one and get started.&lt;/span&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr class="question" title="Q:"&gt;&lt;td align="left" valign="top"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;Q:&lt;/b&gt;&lt;/span&gt;&lt;/td&gt;&lt;td align="left" valign="top"&gt;&lt;span style="font-size: large;"&gt;When do you have to start?  
Is it too late  for me to learn?&lt;/span&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr class="answer"&gt;&lt;td align="left" valign="top"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;A:&lt;/b&gt;&lt;/span&gt;&lt;/td&gt;&lt;td align="left" valign="top"&gt;&lt;span style="font-size: large;"&gt;Any  age at which you are motivated to start is a good age. Most people seem to get interested between ages 15 and 20, but I know of exceptions in both directions.&lt;/span&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr class="question" title="Q:"&gt;&lt;td align="left" valign="top"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;Q:&lt;/b&gt;&lt;/span&gt;&lt;/td&gt;&lt;td align="left" valign="top"&gt;&lt;span style="font-size: large;"&gt;How  long will it take me to learn to hack?&lt;/span&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr class="answer"&gt;&lt;td align="left" valign="top"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;A:&lt;/b&gt;&lt;/span&gt;&lt;/td&gt;&lt;td align="left" valign="top"&gt;&lt;span style="font-size: large;"&gt;That depends on how talented you are and how hard you  work at it.  Most people who try can acquire a respectable skill set in eighteen months to two years, if they concentrate.  Don't think it ends there, though; in hacking (as in many other fields) it takes about ten years to achieve mastery.  
And if you are a real hacker, you will spend the rest of your life learning and perfecting your craft.&lt;/span&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr class="question" title="Q:"&gt;&lt;td align="left" valign="top"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;Q:&lt;/b&gt;&lt;/span&gt;&lt;/td&gt;&lt;td align="left" valign="top"&gt;&lt;span style="font-size: large;"&gt;Is Visual Basic a good language to start with?&lt;/span&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr class="answer"&gt;&lt;td align="left" valign="top"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;A:&lt;/b&gt;&lt;/span&gt;&lt;/td&gt;&lt;td align="left" valign="top"&gt;&lt;span style="font-size: large;"&gt;If you're asking this question, it almost certainly means you're thinking about trying to hack under Microsoft Windows. This is a bad idea in itself. When I compared trying to learn to hack under Windows to trying to learn to dance while wearing a body cast, I wasn't kidding. Don't go there. It's ugly, and it never stops being ugly.&lt;/span&gt;&lt;br /&gt;&lt;span style="font-size: large;"&gt;There is a specific problem with Visual Basic; mainly that it's not portable. Though there is a prototype open-source implementation of Visual Basic, the applicable ECMA standards don't cover more than a small set of its programming interfaces. On Windows most of its library support is proprietary to a single vendor (Microsoft); if you aren't &lt;/span&gt;&lt;span class="emphasis" style="font-size: large;"&gt;&lt;i&gt;extremely&lt;/i&gt;&lt;/span&gt;&lt;span style="font-size: large;"&gt; careful about which features you use — more careful than any newbie is really capable of being — you'll end up locked into only those platforms Microsoft chooses to support. If you're starting on a Unix, much better languages with better libraries are available.
Python, for example.&lt;/span&gt;&lt;br /&gt;&lt;span style="font-size: large;"&gt;Also, like other Basics,  Visual Basic is a poorly-designed language that will teach you bad programming habits. No, &lt;/span&gt;&lt;span class="emphasis" style="font-size: large;"&gt;&lt;i&gt;don't&lt;/i&gt;&lt;/span&gt;&lt;span style="font-size: large;"&gt; ask me to  describe them in detail; that explanation would fill a book.  Learn a well-designed language instead.&lt;/span&gt;&lt;br /&gt;&lt;span style="font-size: large;"&gt;One of those bad habits is becoming dependent on  a single vendor's libraries, widgets, and development tools.  In general, any language that isn't fully supported under at least Linux or one of the  BSDs, and/or at least three different vendors' operating systems, is a poor one to learn to hack in.&lt;/span&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr class="question" title="Q:"&gt;&lt;td align="left" valign="top"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;Q:&lt;/b&gt;&lt;/span&gt;&lt;/td&gt;&lt;td align="left" valign="top"&gt;&lt;span style="font-size: large;"&gt;Would  you help me to crack a system, or teach me how to crack?&lt;/span&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr class="answer"&gt;&lt;td align="left" valign="top"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;A:&lt;/b&gt;&lt;/span&gt;&lt;/td&gt;&lt;td align="left" valign="top"&gt;&lt;span style="font-size: large;"&gt;No.  Anyone who can still ask such a  question after reading this FAQ is too stupid to be educable even if I had the time for tutoring. 
Any emailed requests of this kind that I get will be ignored or answered with extreme rudeness.&lt;/span&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr class="question" title="Q:"&gt;&lt;td align="left" valign="top"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;Q:&lt;/b&gt;&lt;/span&gt;&lt;/td&gt;&lt;td align="left" valign="top"&gt;&lt;span style="font-size: large;"&gt;How  can I get the password for someone else's account?&lt;/span&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr class="answer"&gt;&lt;td align="left" valign="top"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;A:&lt;/b&gt;&lt;/span&gt;&lt;/td&gt;&lt;td align="left" valign="top"&gt;&lt;span style="font-size: large;"&gt;This is cracking.  Go away, idiot.&lt;/span&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr class="question" title="Q:"&gt;&lt;td align="left" valign="top"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;Q:&lt;/b&gt;&lt;/span&gt;&lt;/td&gt;&lt;td align="left" valign="top"&gt;&lt;span style="font-size: large;"&gt;How can I break into/read/monitor someone  else's email?&lt;/span&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr class="answer"&gt;&lt;td align="left" valign="top"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;A:&lt;/b&gt;&lt;/span&gt;&lt;/td&gt;&lt;td align="left" valign="top"&gt;&lt;span style="font-size: large;"&gt;This  is cracking.  Get lost, moron.&lt;/span&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr class="question" title="Q:"&gt;&lt;td align="left" valign="top"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;Q:&lt;/b&gt;&lt;/span&gt;&lt;/td&gt;&lt;td align="left" valign="top"&gt;&lt;span style="font-size: large;"&gt;How  can I steal channel op privileges on IRC?&lt;/span&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr class="answer"&gt;&lt;td align="left" valign="top"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;A:&lt;/b&gt;&lt;/span&gt;&lt;/td&gt;&lt;td align="left" valign="top"&gt;&lt;span style="font-size: large;"&gt;This is cracking.  
Begone, cretin.&lt;/span&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr class="question" title="Q:"&gt;&lt;td align="left" valign="top"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;Q:&lt;/b&gt;&lt;/span&gt;&lt;/td&gt;&lt;td align="left" valign="top"&gt;&lt;span style="font-size: large;"&gt;I've been cracked.  Will you help me fend  off further attacks?&lt;/span&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr class="answer"&gt;&lt;td align="left" valign="top"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;A:&lt;/b&gt;&lt;/span&gt;&lt;/td&gt;&lt;td align="left" valign="top"&gt;&lt;span style="font-size: large;"&gt;No.   Every time I've been asked this question so far, it's been from some poor sap running Microsoft Windows.  It is not possible to effectively secure Windows systems against crack attacks; the code and architecture simply have too many flaws, which makes securing Windows like trying to bail out a boat with a sieve.  The only reliable prevention starts with switching to Linux or some other operating system that is designed to at least be capable of security.&lt;/span&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr class="question" title="Q:"&gt;&lt;td align="left" valign="top"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;Q:&lt;/b&gt;&lt;/span&gt;&lt;/td&gt;&lt;td align="left" valign="top"&gt;&lt;span style="font-size: large;"&gt;I'm having problems with my Windows  software.  Will you help me?&lt;/span&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr class="answer"&gt;&lt;td align="left" valign="top"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;A:&lt;/b&gt;&lt;/span&gt;&lt;/td&gt;&lt;td align="left" valign="top"&gt;&lt;span style="font-size: large;"&gt;Yes.  Go to a DOS prompt and type "format c:".  
Any  problems you are  experiencing will cease within a few minutes.&lt;/span&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr class="question" title="Q:"&gt;&lt;td align="left" valign="top"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;Q:&lt;/b&gt;&lt;/span&gt;&lt;/td&gt;&lt;td align="left" valign="top"&gt;&lt;span style="font-size: large;"&gt;Where can I find some real hackers to talk  with?&lt;/span&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr class="answer"&gt;&lt;td align="left" valign="top"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;A:&lt;/b&gt;&lt;/span&gt;&lt;/td&gt;&lt;td align="left" valign="top"&gt;&lt;span style="font-size: large;"&gt;The best way is to find a Unix or Linux  user's group local to you and go to their meetings (you can find links to several lists of user groups on the &lt;a class="ulink" href="http://www.tldp.org/" target="_top"&gt;LDP&lt;/a&gt;  site at ibiblio).&lt;/span&gt;&lt;br /&gt;&lt;span style="font-size: large;"&gt;(I used to say here that you wouldn't find any real  hackers on IRC, but I'm given to understand this is changing.  Apparently some real hacker communities, attached to things like GIMP and Perl, have IRC channels now.)&lt;/span&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr class="question" title="Q:"&gt;&lt;td align="left" valign="top"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;Q:&lt;/b&gt;&lt;/span&gt;&lt;/td&gt;&lt;td align="left" valign="top"&gt;&lt;span style="font-size: large;"&gt;Can you recommend useful books about  hacking-related subjects?&lt;/span&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr class="answer"&gt;&lt;td align="left" valign="top"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;A:&lt;/b&gt;&lt;/span&gt;&lt;/td&gt;&lt;td align="left" valign="top"&gt;&lt;span style="font-size: large;"&gt;I maintain a &lt;a class="ulink" href="http://en.tldp.org/HOWTO/Reading-List-HOWTO/index.html" target="_top"&gt; Linux Reading List HOWTO&lt;/a&gt; that you may find helpful.  
The &lt;a class="ulink" href="http://catb.org/%7Eesr/faqs/loginataka.html" target="_top"&gt;Loginataka&lt;/a&gt; may also be interesting.&lt;/span&gt;&lt;br /&gt;&lt;span style="font-size: large;"&gt;For an  introduction to Python, see the &lt;a class="ulink" href="http://docs.python.org/tutorial/index.html" target="_top"&gt;tutorial &lt;/a&gt; on the Python site.&lt;/span&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr class="question" title="Q:"&gt;&lt;td align="left" valign="top"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;Q:&lt;/b&gt;&lt;/span&gt;&lt;/td&gt;&lt;td align="left" valign="top"&gt;&lt;span style="font-size: large;"&gt;Do I need to be good at math to become a  hacker?&lt;/span&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr class="answer"&gt;&lt;td align="left" valign="top"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;A:&lt;/b&gt;&lt;/span&gt;&lt;/td&gt;&lt;td align="left" valign="top"&gt;&lt;span style="font-size: large;"&gt;No.  Hacking uses very little formal  mathematics or arithmetic. In particular, you won't usually need trigonometry, calculus or analysis (there are exceptions to this in a handful of specific application areas like 3-D computer graphics).  Knowing some formal  logic and Boolean algebra is good.  Some grounding in finite mathematics (including finite-set theory, combinatorics, and graph theory) can be helpful.&lt;/span&gt;&lt;br /&gt;&lt;span style="font-size: large;"&gt;Much more importantly: you need to be able to think  logically and follow chains of exact reasoning, the way mathematicians do. While the content of most mathematics won't help you, you will need the discipline and intelligence to handle mathematics.  
If you lack the intelligence, there is little hope for you as a hacker; if you lack the discipline, you'd better grow it.&lt;/span&gt;&lt;br /&gt;&lt;span style="font-size: large;"&gt;I think a good way to  find out if you have what it takes is to pick up a copy of Raymond Smullyan's book &lt;i class="citetitle"&gt;What Is The  Name Of This Book?&lt;/i&gt;.  Smullyan's playful logical conundrums are very much in the hacker spirit.  Being able to solve them is a good sign; &lt;/span&gt;&lt;span class="emphasis" style="font-size: large;"&gt;&lt;i&gt;enjoying&lt;/i&gt;&lt;/span&gt;&lt;span style="font-size: large;"&gt; solving them is an even  better one.&lt;/span&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr class="question" title="Q:"&gt;&lt;td align="left" valign="top"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;Q:&lt;/b&gt;&lt;/span&gt;&lt;/td&gt;&lt;td align="left" valign="top"&gt;&lt;span style="font-size: large;"&gt;What language should I learn first?&lt;/span&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr class="answer"&gt;&lt;td align="left" valign="top"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;A:&lt;/b&gt;&lt;/span&gt;&lt;/td&gt;&lt;td align="left" valign="top"&gt;&lt;span style="font-size: large;"&gt;XHTML (the latest dialect of HTML) if you  don't already know it. There are a lot of glossy, hype-intensive &lt;/span&gt;&lt;span class="emphasis" style="font-size: large;"&gt;&lt;i&gt;bad&lt;/i&gt;&lt;/span&gt;&lt;span style="font-size: large;"&gt; HTML books out there, and distressingly few good ones.  The one I like best is &lt;a class="ulink" href="http://www.oreilly.com/catalog/html5/" target="_top"&gt;&lt;i class="citetitle"&gt;HTML: The Definitive Guide&lt;/i&gt;&lt;/a&gt;.&lt;/span&gt;&lt;br /&gt;&lt;span style="font-size: large;"&gt;But HTML is not a full programming  language.  When you're ready to start programming, I would recommend starting with &lt;a class="ulink" href="http://www.python.org/" target="_top"&gt;Python&lt;/a&gt;.  
You will hear a  lot of people recommending Perl, and Perl is still more popular than Python, but it's harder to learn and (in my opinion) less well designed.&lt;/span&gt;&lt;br /&gt;&lt;span style="font-size: large;"&gt;C  is really important, but it's also much more difficult than either Python or Perl. Don't try to learn it first.&lt;/span&gt;&lt;br /&gt;&lt;span style="font-size: large;"&gt;Windows users, do &lt;/span&gt;&lt;span class="emphasis" style="font-size: large;"&gt;&lt;i&gt;not&lt;/i&gt;&lt;/span&gt;&lt;span style="font-size: large;"&gt; settle for Visual Basic.  It will teach you bad habits, and it's not portable off Windows.  Avoid.&lt;/span&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr class="question" title="Q:"&gt;&lt;td align="left" valign="top"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;Q:&lt;/b&gt;&lt;/span&gt;&lt;/td&gt;&lt;td align="left" valign="top"&gt;&lt;span style="font-size: large;"&gt;What kind of hardware do I need?&lt;/span&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr class="answer"&gt;&lt;td align="left" valign="top"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;A:&lt;/b&gt;&lt;/span&gt;&lt;/td&gt;&lt;td align="left" valign="top"&gt;&lt;span style="font-size: large;"&gt;It used to be that personal computers were  rather underpowered and memory-poor, enough so that they placed artificial limits on a hacker's learning process.  This stopped being true in the mid-1990s; any machine from an Intel 486DX50 up is more than powerful enough for development work, X, and Internet communications, and the smallest disks you can buy today are plenty big enough.&lt;/span&gt;&lt;br /&gt;&lt;span style="font-size: large;"&gt;The important thing in choosing a  machine on which to learn is whether its hardware is Linux-compatible (or BSD-compatible, should you choose to go that route).  Again, this will be true for almost all modern machines. 
The only really sticky areas are modems and wireless cards; some machines have Windows-specific hardware that won't work with Linux.&lt;/span&gt;&lt;br /&gt;&lt;span style="font-size: large;"&gt;There's a FAQ on hardware compatibility; the latest  version is  &lt;a class="ulink" href="http://en.tldp.org/HOWTO/Hardware-HOWTO/index.html" target="_top"&gt; here&lt;/a&gt;.&lt;/span&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr class="question" title="Q:"&gt;&lt;td align="left" valign="top"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;Q:&lt;/b&gt;&lt;/span&gt;&lt;/td&gt;&lt;td align="left" valign="top"&gt;&lt;span style="font-size: large;"&gt;I want to contribute.  Can you help me  pick a problem to work on?&lt;/span&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr class="answer"&gt;&lt;td align="left" valign="top"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;A:&lt;/b&gt;&lt;/span&gt;&lt;/td&gt;&lt;td align="left" valign="top"&gt;&lt;span style="font-size: large;"&gt;No, because I don't know your talents or interests.  You  have to be self-motivated or you won't stick, which is why having other people choose your direction almost never works.&lt;/span&gt;&lt;br /&gt;&lt;span style="font-size: large;"&gt;Try this.  Watch  the project announcements scroll by on  &lt;a class="ulink" href="http://freshmeat.net/" target="_top"&gt;Freshmeat&lt;/a&gt;  for a few days. When you see one that makes you think "Cool!  
I'd like to work on that!", join it.&lt;/span&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr class="question" title="Q:"&gt;&lt;td align="left" valign="top"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;Q:&lt;/b&gt;&lt;/span&gt;&lt;/td&gt;&lt;td align="left" valign="top"&gt;&lt;span style="font-size: large;"&gt;Do I need to hate and bash Microsoft?&lt;/span&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr class="answer"&gt;&lt;td align="left" valign="top"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;A:&lt;/b&gt;&lt;/span&gt;&lt;/td&gt;&lt;td align="left" valign="top"&gt;&lt;span style="font-size: large;"&gt;No, you don't.  Not that Microsoft isn't  loathsome, but there was a hacker culture long before Microsoft and there will still be one long  after Microsoft is history.  Any energy you spend hating Microsoft would be better spent on loving your craft.  Write good code — that will bash Microsoft quite sufficiently without polluting your karma.&lt;/span&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr class="question" title="Q:"&gt;&lt;td align="left" valign="top"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;Q:&lt;/b&gt;&lt;/span&gt;&lt;/td&gt;&lt;td align="left" valign="top"&gt;&lt;span style="font-size: large;"&gt;But won't open-source software leave  programmers unable to make a living?&lt;/span&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr class="answer"&gt;&lt;td align="left" valign="top"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;A:&lt;/b&gt;&lt;/span&gt;&lt;/td&gt;&lt;td align="left" valign="top"&gt;&lt;span style="font-size: large;"&gt;This seems unlikely — so far, the open-source software industry seems to be creating jobs rather than taking them away.  If having a program written is a net economic gain over not having it written, a programmer will get paid whether or not the program is going to be open-source after it's done.  And, no matter how much "free" software gets written, there always seems to be more demand for new and customized applications.  
I've written more about this at the &lt;a class="ulink" href="http://www.opensource.org/" target="_top"&gt;Open Source&lt;/a&gt; pages.&lt;/span&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr class="question" title="Q:"&gt;&lt;td align="left" valign="top"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;Q:&lt;/b&gt;&lt;/span&gt;&lt;/td&gt;&lt;td align="left" valign="top"&gt;&lt;span style="font-size: large;"&gt;Where can I get a free Unix?&lt;/span&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr class="answer"&gt;&lt;td align="left" valign="top"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;A:&lt;/b&gt;&lt;/span&gt;&lt;/td&gt;&lt;td align="left" valign="top"&gt;&lt;span style="font-size: large;"&gt;If you don't have a Unix installed on your machine yet, elsewhere on this page I include pointers to where to get the most commonly used free Unix. To be a hacker you need motivation and initiative and the ability to educate yourself. Start now...&lt;/span&gt;&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;/table&gt;&lt;/div&gt;&lt;div class="mediaobject"&gt;&lt;span style="font-size: large;"&gt;&lt;img src="http://catb.org/%7Eesr/faqs/glider.png" /&gt;&lt;/span&gt;&lt;/div&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://industrionage.blogspot.com/feeds/1306848863934971168/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://industrionage.blogspot.com/2010/02/how-to-become-hacker.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/9091583231038221262/posts/default/1306848863934971168'/><link rel='self' type='application/atom+xml'
href='http://www.blogger.com/feeds/9091583231038221262/posts/default/1306848863934971168'/><link rel='alternate' type='text/html' href='http://industrionage.blogspot.com/2010/02/how-to-become-hacker.html' title='How To Become A Hacker'/><author><name>www.Industrionage.com</name><uri>http://www.blogger.com/profile/00907555867590425735</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='12' height='32' src='http://1.bp.blogspot.com/_OrlWpnLUecg/SrYxYmB2tkI/AAAAAAAAABA/xt1RrLJ2YbU/S220/face.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-9091583231038221262.post-9022493991816474034</id><published>2010-02-04T16:38:00.000-08:00</published><updated>2010-02-04T16:38:25.572-08:00</updated><title type='text'>Teach Yourself Programming in Ten Years</title><content type='html'>&lt;div style="text-align: center;"&gt;&lt;a href="http://norvig.com/21-days.html"&gt;&lt;span style="font-size: large;"&gt;http://norvig.com/21-days.html&lt;/span&gt;&lt;/a&gt;&lt;/div&gt;&lt;div style="text-align: center;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;h3 style="text-align: center;"&gt;Peter Norvig&lt;/h3&gt;&lt;h3 style="text-align: center;"&gt;&amp;nbsp;&lt;/h3&gt;&lt;h2 style="font-weight: normal; text-align: center;"&gt;&lt;span style="font-size: x-large;"&gt;Why is everyone in such a rush?&lt;/span&gt;&lt;/h2&gt;&lt;b&gt;Walk into any bookstore, and you'll see how to &lt;i&gt;Teach Yourself Java in 7 Days&lt;/i&gt; alongside endless variations offering to teach Visual Basic, Windows, the Internet, and so on in a few days or hours.  
I did the following &lt;a href="http://www.amazon.com/exec/obidos/tg/browse/-/468558/104-5938873-6579160"&gt;power  search&lt;/a&gt; at &lt;a href="http://www.amazon.com/"&gt;Amazon.com&lt;/a&gt;:   &lt;/b&gt;&lt;pre&gt;&lt;b&gt;     &lt;a href="http://www.amazon.com/exec/obidos/search-handle-url/ix=books&amp;amp;rank=%2Bfeaturedrank&amp;amp;fqp=power%01pubdate%3A%20after%201992%20and%20title%3A%20days%20and%0D%20%28title%3A%20learn%20or%20title%3A%20teach%20yourself%29&amp;amp;sz=25&amp;amp;pg=1/ref=s_b_np"&gt;pubdate: after 1992 and title: days and&lt;/a&gt;&lt;br /&gt;      &lt;a href="http://www.amazon.com/exec/obidos/search-handle-url/ix=books&amp;amp;rank=%2Bfeaturedrank&amp;amp;fqp=power%01pubdate%3A%20after%201992%20and%20title%3A%20days%20and%0D%20%28title%3A%20learn%20or%20title%3A%20teach%20yourself%29&amp;amp;sz=25&amp;amp;pg=1/ref=s_b_np"&gt;(title: learn or title: teach yourself)&lt;/a&gt;&lt;/b&gt;&lt;/pre&gt;&lt;b&gt;  and got back 248 hits.  The first 78 were computer books (number 79 was &lt;a href="http://www.amazon.com/exec/obidos/ASIN/0781802245/"&gt;&lt;i&gt;Learn Bengali  in 30 days&lt;/i&gt;&lt;/a&gt;).  I replaced "days" with &lt;a href="http://www.amazon.com/exec/obidos/search-handle-url/ix=books&amp;amp;rank=%2Bfeaturedrank&amp;amp;fqp=power%01pubdate%3A%20after%201992%20and%20title%3A%20hours%20and%0D%20%28title%3A%20learn%20or%20title%3A%20teach%20yourself%29&amp;amp;sz=25&amp;amp;pg=3/ref=s_b_np"&gt;"hours"&lt;/a&gt; and got remarkably similar results: 253 more books, with 77 computer books followed by &lt;a href="http://www.amazon.com/exec/obidos/ASIN/0028638999/"&gt;&lt;i&gt;Teach Yourself Grammar and Style in 24 Hours&lt;/i&gt;&lt;/a&gt; at number 78. Out of the top 200 total, 96% were computer books.    &lt;/b&gt;&lt;b&gt;The conclusion is that either people are in a big rush to learn about computers, or that computers are somehow fabulously easier to learn than anything else.  
There are no books on how to learn Beethoven, or Quantum Physics, or even Dog Grooming in a few days. Felleisen &lt;i&gt;et al.&lt;/i&gt; give a nod to this trend in their book &lt;i&gt;&lt;a href="http://www.ccs.neu.edu/home/matthias/HtDP2e/index.html"&gt;How to  Design Programs&lt;/a&gt;&lt;/i&gt;, when they say "Bad programming is easy. &lt;i&gt;Idiots&lt;/i&gt; can learn it in &lt;i&gt;21 days&lt;/i&gt;, even if they are &lt;i&gt;dummies&lt;/i&gt;."  &lt;/b&gt;&lt;br /&gt;&lt;b&gt; Let's analyze what a title like &lt;i&gt;&lt;a href="http://www.amazon.com/Learn-C-Three-Days-Rachele/dp/1556227078"&gt;Learn  C++ in Three Days&lt;/a&gt;&lt;/i&gt; could mean: &lt;/b&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;&lt;b&gt;Learn: In 3 days you won't have time to write several significant programs, and learn from your successes and failures with them.  You won't have time to work with an experienced programmer and understand what it is like to live in a C++ environment.  In short, you won't have time to learn much.  So the book can only be talking about a superficial familiarity, not a deep understanding. As Alexander Pope  said, a little learning is a dangerous thing.&lt;/b&gt;  &lt;/li&gt;&lt;li&gt;&lt;b&gt;C++: In 3 days you might be able to learn some of  the syntax of C++ (if you already know another language), but you couldn't learn much about how to use the language.  In short, if you were, say, a Basic programmer, you could learn to write programs in the style of Basic using C++ syntax, but you couldn't learn what C++ is actually good (and bad) for.  So what's the point?  &lt;a href="http://www-pu.informatik.uni-tuebingen.de/users/klaeren/epigrams.html"&gt;Alan Perlis&lt;/a&gt; once said: "A language that doesn't affect the way you think about programming, is not worth knowing".  
One possible point is that you have to learn a tiny bit of C++ (or more likely, something like JavaScript or Flash's Flex) because you need to interface with an existing tool to accomplish a specific task. But then you're not learning how to program; you're learning to accomplish that task.&lt;/b&gt;  &lt;/li&gt;&lt;li&gt;&lt;b&gt;in Three Days: Unfortunately, this is not enough, as  the next section shows. &lt;/b&gt;&lt;/li&gt;&lt;/ul&gt;&lt;h2&gt;&lt;b&gt;Teach Yourself Programming in Ten Years&lt;/b&gt;&lt;/h2&gt;&lt;b&gt;  Researchers (&lt;a href="http://www.amazon.com/exec/obidos/ASIN/034531509X/"&gt;Bloom (1985)&lt;/a&gt;, &lt;a href="http://norvig.com/21-days.html#bh"&gt;Bryan &amp;amp;  Harter (1899)&lt;/a&gt;, &lt;a href="http://www.amazon.com/exec/obidos/ASIN/0805803092"&gt;Hayes (1989)&lt;/a&gt;, &lt;a href="http://norvig.com/21-days.html#sc"&gt;Simon &amp;amp;  Chase (1973)&lt;/a&gt;) have shown it takes about ten years to develop expertise in any of a wide variety of areas, including chess playing, music composition, telegraph operation, painting, piano playing, swimming, tennis, and research in neuropsychology and topology.  The key is &lt;i&gt;deliberative&lt;/i&gt; practice: not just doing it again and again, but challenging yourself with a task that is just beyond your current ability, trying it, analyzing your performance while and after doing it, and correcting any mistakes.  Then repeat.  And repeat again.  There appear to be no real shortcuts: even Mozart, who was a musical prodigy at age 4, took 13 more years before he began to produce world-class music.  In another genre, the Beatles seemed to burst onto the scene with a string of #1 hits and an appearance on the Ed Sullivan show in 1964. But they had been playing small clubs in Liverpool and Hamburg since 1957, and while they had mass appeal early on, their first great critical success, &lt;i&gt;Sgt. Peppers&lt;/i&gt;, was released in 1967.  
&lt;a href="http://www.amazon.com/Outliers-Story-Success-Malcolm-Gladwell/dp/0316017922"&gt;Malcolm Gladwell&lt;/a&gt; reports that a study of students at the Berlin Academy of Music compared the top, middle, and bottom third of the class and asked them how much they had practiced: &lt;/b&gt;&lt;blockquote&gt;&lt;b&gt; Everyone, from all three groups, started playing at roughly the same time - around the age of five. In those first few years, everyone practised roughly the same amount - about two or three hours a week. But around the age of eight real differences started to emerge. The students who would end up as the best in their class began to practise more than everyone else: six hours a week by age nine, eight by age 12, 16 a week by age 14, and up and up, until by the age of 20 they were practising well over 30 hours a week. By the age of 20, the elite performers had all totalled 10,000 hours of practice over the course of their lives. The merely good students had totalled, by contrast, 8,000 hours, and the future music teachers just over 4,000 hours. &lt;/b&gt;&lt;/blockquote&gt;&lt;b&gt; So it may be that 10,000 hours, not 10 years, is the magic number. Samuel Johnson (1709-1784) thought it took longer: "Excellence in any department can be attained only by the labor of a lifetime; it is not to be purchased at a lesser price."  And Chaucer (1340-1400) complained "the lyf so short,  the craft so long to lerne." Hippocrates (c. 400BC) is known for the excerpt "ars  longa, vita brevis", which is part of the longer quotation "Ars longa, vita brevis, occasio praeceps, experimentum periculosum, iudicium difficile", which in English renders as "Life is short, [the] craft long, opportunity fleeting, experiment treacherous, judgment difficult."  Although in Latin, &lt;i&gt;ars&lt;/i&gt; can mean either art or craft, in the original Greek the word "techne" can only mean "skill",  not "art".   
&lt;/b&gt;&lt;br /&gt;&lt;b&gt; Here's my recipe for programming success: &lt;/b&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;&lt;b&gt; Get interested in programming, and do some because it is fun.  Make  sure that it keeps being enough fun so that you will be willing to put in ten  years.&lt;/b&gt;  &lt;/li&gt;&lt;li&gt;&lt;b&gt; Talk to other programmers; read other programs.  This is  more important than any book or training course.&lt;/b&gt;  &lt;/li&gt;&lt;li&gt;&lt;b&gt; Program.  The best kind of learning is &lt;a href="http://www.engines4ed.org/hyperbook/nodes/NODE-120-pg.html"&gt;learning by  doing&lt;/a&gt;.  To put it more technically, "the maximal level of performance for individuals in a given domain is not attained automatically as a function of extended experience, but the level of performance can be increased even by highly experienced individuals as a result of deliberate efforts to improve." &lt;a href="http://www2.umassd.edu/swpi/DesignInCS/expertise.html"&gt;(p. 366)&lt;/a&gt; and "the most effective learning requires a well-defined task with an appropriate difficulty level for the particular individual, informative feedback, and opportunities for repetition and corrections of errors." (p. 20-21)  The book &lt;i&gt; &lt;a href="http://www.amazon.com/exec/obidos/ASIN/0521357349"&gt;Cognition in  Practice: Mind, Mathematics, and Culture in Everyday Life&lt;/a&gt;&lt;/i&gt; is an interesting  reference for this viewpoint.&lt;/b&gt;  &lt;/li&gt;&lt;li&gt;&lt;b&gt; If you want, put in four years at a college (or more at a graduate school).  This will give you access to some jobs that require credentials, and it will give you a deeper understanding of the field, but if you don't enjoy school, you can (with some dedication) get similar experience on the job. In any case, book learning alone won't be enough. 
"Computer science education cannot make anybody an expert programmer any more than studying brushes and pigment can make somebody an expert painter" says Eric Raymond, author of &lt;i&gt;The New Hacker's Dictionary&lt;/i&gt;. One of the best programmers I ever hired had only a High School degree; he's produced a lot of &lt;a href="http://www.xemacs.org/"&gt;great&lt;/a&gt; &lt;a href="http://www.mozilla.org/"&gt;software&lt;/a&gt;,  has his own &lt;a href="http://groups.google.com/groups?q=alt.fan.jwz&amp;amp;meta=site%3Dgroups"&gt;news  group&lt;/a&gt;, and made enough in stock options to buy his own &lt;a href="http://en.wikipedia.org/wiki/DNA_Lounge"&gt;nightclub&lt;/a&gt;.  &lt;/b&gt;&lt;/li&gt;&lt;li&gt;&lt;b&gt; Work on projects with other programmers. Be the best  programmer on some projects; be the worst on some others.  When you're the best, you get to test your abilities to lead a project, and to inspire others with your vision.  When you're the worst, you learn what the masters do, and you learn what they don't like to do (because they make you do it for them).&lt;/b&gt;  &lt;/li&gt;&lt;li&gt;&lt;b&gt; Work on projects &lt;i&gt;after&lt;/i&gt; other programmers. Be  involved in understanding a program written by someone else. See what it takes to understand and fix it when the original programmers are not around. Think about how to design your programs to make it easier for those who will maintain it after you.&lt;/b&gt;  &lt;/li&gt;&lt;li&gt;&lt;b&gt; Learn at least a half dozen programming languages.   Include one language that supports class abstractions (like Java or C++), one that supports functional abstraction (like Lisp or ML), one that supports syntactic abstraction (like Lisp), one that supports declarative specifications (like Prolog or C++ templates), one that supports coroutines (like Icon or Scheme), and one that supports parallelism (like Sisal).  
&lt;/b&gt;  &lt;/li&gt;&lt;li&gt;&lt;b&gt; Remember that there is a "computer" in "computer science".  Know how long it takes your computer to execute an instruction, fetch a word from memory (with and without a cache miss), read consecutive words  from disk, and seek to a new location on disk. (&lt;a href="http://norvig.com/21-days.html#answers"&gt;Answers here.&lt;/a&gt;) &lt;/b&gt;  &lt;/li&gt;&lt;li&gt;&lt;b&gt; Get involved in a language standardization effort.  It could be the ANSI C++ committee, or it could be deciding if your local coding style will have 2 or 4 space indentation levels.  Either way, you learn about what other people like in a language, how deeply they feel so, and perhaps even a little about why they feel so.&lt;/b&gt;  &lt;/li&gt;&lt;li&gt;&lt;b&gt; Have the good sense to get off the language  standardization effort as quickly as possible. &lt;/b&gt;&lt;/li&gt;&lt;/ul&gt;&lt;b&gt;  With all that in mind, it's questionable how far you can get just by book learning.  Before my first child was born, I read all the &lt;i&gt;How To&lt;/i&gt; books, and still felt like a clueless novice.  30 months later, when my second child was due, did I go back to the books for a refresher? No.  Instead, I relied on my personal experience, which turned out to be far more useful  and reassuring to me than the thousands of pages written by experts.  
&lt;/b&gt;&lt;b&gt;Fred Brooks, in his essay &lt;i&gt;&lt;a href="http://en.wikipedia.org/wiki/No_Silver_Bullet"&gt;No Silver Bullet&lt;/a&gt;&lt;/i&gt;   identified a three-part plan for finding great software designers:  &lt;/b&gt;&lt;br /&gt;&lt;ol&gt;&lt;li&gt;&lt;b&gt;Systematically identify top designers as early as possible.&lt;/b&gt;     &lt;/li&gt;&lt;li&gt;&lt;b&gt;Assign a career mentor to be responsible for the  development of the prospect and carefully keep a career file.&lt;/b&gt;    &lt;/li&gt;&lt;li&gt;&lt;b&gt;Provide opportunities for growing designers to interact  and stimulate each other.&lt;/b&gt; &lt;/li&gt;&lt;/ol&gt;&lt;b&gt;  This assumes that some people already have the qualities necessary for being a great designer; the job is to properly coax them along.  &lt;a href="http://www-pu.informatik.uni-tuebingen.de/users/klaeren/epigrams.html"&gt;Alan Perlis&lt;/a&gt; put it more succinctly: "Everyone can be taught to sculpt: Michelangelo would have had to be taught how not to. So it is with the great programmers".  &lt;/b&gt;&lt;b&gt; So go ahead and buy that Java book; you'll probably get some use out of  it. But you won't change your life, or your real overall expertise as a programmer in 24 hours, days, or even months. &lt;/b&gt;&lt;br /&gt;&lt;br /&gt;&lt;hr /&gt; &lt;h2&gt;&lt;b&gt;References&lt;/b&gt;&lt;/h2&gt;&lt;b&gt; Bloom, Benjamin (ed.) &lt;i&gt;&lt;a href="http://www.amazon.com/exec/obidos/ASIN/034531509X"&gt;Developing  Talent in Young People&lt;/a&gt;&lt;/i&gt;, Ballantine, 1985.  &lt;/b&gt;&lt;br /&gt;&lt;b&gt; Brooks, Fred, &lt;i&gt;&lt;a href="http://citeseer.nj.nec.com/context/7718/0"&gt;No  Silver Bullets&lt;/a&gt;&lt;/i&gt;, IEEE Computer, vol. 20, no. 4, 1987, p. 10-19.  &lt;/b&gt;&lt;br /&gt;&lt;b&gt;&lt;a href="" name="bh"&gt;Bryan, W.L. &amp;amp; Harter, N. "Studies on the telegraphic  language: The acquisition of a hierarchy of habits. 
&lt;i&gt;Psychology Review&lt;/i&gt;, 1899, 8, 345-375&lt;/a&gt;&lt;/b&gt; &lt;br /&gt;&lt;b&gt; Hayes, John R., &lt;i&gt;&lt;a href="http://www.amazon.com/exec/obidos/ASIN/0805803092"&gt;Complete  Problem Solver&lt;/a&gt;&lt;/i&gt; Lawrence Erlbaum, 1989.  &lt;/b&gt;&lt;br /&gt;&lt;b&gt;&lt;a href="" name="cs"&gt;Chase, William G. &amp;amp; Simon, Herbert A.   &lt;/a&gt;&lt;a href="http://books.google.com/books?id=dYPSHAAACAAJ&amp;amp;dq=%22perception+in+chess%22+simon&amp;amp;ei=z4PyR5iIAZnmtQPbyLyuDQ"&gt;"Perception  in Chess"&lt;/a&gt; &lt;i&gt;Cognitive Psychology&lt;/i&gt;, 1973, 4, 55-81. &lt;/b&gt;&lt;br /&gt;&lt;b&gt; Lave, Jean, &lt;i&gt;&lt;a href="http://www.amazon.com/exec/obidos/ASIN/0521357349"&gt;Cognition in  Practice: Mind, Mathematics, and Culture in Everyday Life&lt;/a&gt;&lt;/i&gt;, Cambridge University Press, 1988.  &lt;/b&gt;&lt;br /&gt;&lt;hr /&gt; &lt;b&gt;&lt;a href="" name="answers"&gt;&lt;h2&gt;Answers&lt;/h2&gt;&lt;/a&gt;&lt;/b&gt;&lt;b&gt;  Approximate timing for various operations on a typical 1GHz PC in  2001:&lt;/b&gt; &lt;br /&gt;&lt;table border="1" cellpadding="2" cellspacing="2"&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td&gt;&lt;b&gt;execute single instruction &lt;/b&gt;&lt;/td&gt;&lt;td&gt;&lt;b&gt; 1 nanosec =  (1/1,000,000,000) sec &lt;/b&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;&lt;b&gt;fetch word from L1 cache memory &lt;/b&gt;&lt;/td&gt;&lt;td&gt;&lt;b&gt; 2 nanosec &lt;/b&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;&lt;b&gt;fetch word from main memory &lt;/b&gt;&lt;/td&gt;&lt;td&gt;&lt;b&gt; 10 nanosec  &lt;/b&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;&lt;b&gt;fetch word from consecutive disk location &lt;/b&gt;&lt;/td&gt;&lt;td&gt;&lt;b&gt;  200 nanosec &lt;/b&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;&lt;b&gt;fetch word from new disk location (seek) &lt;/b&gt;&lt;/td&gt;&lt;td&gt;&lt;b&gt;  8,000,000 nanosec = 8 millisec &lt;/b&gt;&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;/table&gt;&lt;hr /&gt; 
&lt;h2&gt;&lt;b&gt;Appendix: Language Choice&lt;/b&gt;&lt;/h2&gt;&lt;b&gt;  Several people have asked what programming language they should learn  first. There is no one answer, but consider these points:  &lt;/b&gt; &lt;br /&gt;&lt;ul&gt;&lt;li&gt;&lt;b&gt;&lt;i&gt;Use your friends&lt;/i&gt;. When asked "what operating system should I use, Windows, Unix, or Mac?", my answer is usually: "use whatever your friends use."  The advantage you get from learning from your friends will offset any intrinsic difference between OS, or between programming languages.  Also consider your future friends: the community of programmers that you will be a part of if you continue.  Does your chosen language have a large growing community or a small dying one?  Are there books, web sites, and online forums to get answers from?  Do you like the people in those forums?  &lt;/b&gt;&lt;/li&gt;&lt;li&gt;&lt;b&gt;&lt;i&gt;Keep it simple&lt;/i&gt;.  Programming languages such as C++ and Java are designed for professional development by large teams of experienced programmers who are concerned about the run-time efficiency  of their code. As a result, these languages have complicated parts designed for these  circumstances. You're concerned with learning to program.  You don't need that  complication. You want a language that was designed to be easy to learn and remember  by a single new programmer.  &lt;/b&gt;&lt;/li&gt;&lt;li&gt;&lt;b&gt;&lt;i&gt;Play.&lt;/i&gt; Which way would you rather learn to play the  piano: the normal, interactive way, in which you hear each note as soon as you hit a  key, or "batch" mode, in which you only hear the notes after you finish a  whole song? Clearly, interactive mode makes learning easier for the piano, and also  for  programming. Insist on a language with an interactive mode and use it.  
&lt;/b&gt;&lt;/li&gt;&lt;/ul&gt;&lt;b&gt;  Given these criteria, my recommendations for a first programming language would be &lt;a href="http://python.org/"&gt;Python&lt;/a&gt; or &lt;/b&gt;&lt;b&gt;&lt;a href="http://www.schemers.org/"&gt;Scheme&lt;/a&gt;.  But your circumstances may vary, and there are other good choices. If your age is a single-digit, you might prefer &lt;a href="http://alice.org/"&gt;Alice&lt;/a&gt; or &lt;a href="http://www.squeak.org/"&gt;Squeak&lt;/a&gt;  (older learners might also enjoy these). The important thing is that you choose and get started.  &lt;/b&gt;&lt;hr /&gt;  &lt;h2&gt;&lt;b&gt;Appendix: Books and Other Resources&lt;/b&gt;&lt;/h2&gt;&lt;b&gt;   Several people have asked what books and web pages they should learn from.  I repeat that "book learning alone won't be enough" but I can recommend the following:  &lt;/b&gt; &lt;br /&gt;&lt;ul&gt;&lt;li&gt; &lt;b&gt;Scheme: &lt;a href="http://www.amazon.com/gp/product/0262011530"&gt;Structure and Interpretation of Computer Programs (Abelson &amp;amp; Sussman)&lt;/a&gt; is probably the best introduction to computer science, and it does teach programming as a way of understanding the computer science.  You can see &lt;a href="http://www.swiss.ai.mit.edu/classes/6.001/abelson-sussman-lectures/"&gt;online  videos of lectures&lt;/a&gt; on this book, as well as the &lt;a href="http://mitpress.mit.edu/sicp/full-text/book/book.html"&gt;complete  text online&lt;/a&gt;. The book is challenging and will weed out some people who perhaps could be successful with another approach.    &lt;/b&gt;&lt;/li&gt;&lt;li&gt; &lt;b&gt;Scheme: &lt;a href="http://www.amazon.com/gp/product/0262062186"&gt;How to Design Programs (Felleisen &lt;i&gt;et al.&lt;/i&gt;)&lt;/a&gt; is one of the best books on how to actually design programs in an elegant and functional way.  
&lt;/b&gt;&lt;/li&gt;&lt;li&gt; &lt;b&gt;Python:  &lt;a href="http://www.amazon.com/gp/product/1887902996"&gt;Python  Programming: An Intro to CS (Zelle)&lt;/a&gt; is a good introduction using Python.    &lt;/b&gt;&lt;/li&gt;&lt;li&gt; &lt;b&gt;Python: Several online &lt;a href="http://wiki.python.org/moin/BeginnersGuide"&gt;tutorials&lt;/a&gt;  are available at &lt;a href="http://python.org/"&gt;Python.org&lt;/a&gt;.  &lt;/b&gt;&lt;/li&gt;&lt;li&gt; &lt;b&gt;Oz: &lt;a href="http://www.amazon.com/gp/product/0262220695"&gt;Concepts, Techniques, and Models of Computer Programming (Van Roy &amp;amp; Haridi)&lt;/a&gt; is seen by some as the modern-day successor to Abelson &amp;amp; Sussman. It is a tour through the big ideas of programming, covering a wider range than Abelson &amp;amp; Sussman while being perhaps easier to read and follow.  It uses a language, Oz, that is not widely known but serves as a basis for learning other languages.  &lt;/b&gt;&lt;/li&gt;&lt;/ul&gt;&lt;br /&gt;&lt;hr /&gt; &lt;h2&gt;&lt;b&gt;Notes&lt;/b&gt;&lt;/h2&gt;&lt;b&gt; T. Capey points out that the &lt;a href="http://www.amazon.com/exec/obidos/ASIN/0805803092"&gt;Complete   Problem Solver&lt;/a&gt; page on Amazon now has the "Teach Yourself   Bengali in 21 days" and "Teach Yourself Grammar and Style" books under  the   "Customers who shopped for this item also shopped for these items"   section.  I guess that a large portion of the people who look at that   book are coming from this page. Thanks to Ross Cohen for help with Hippocrates.   
&lt;/b&gt;&lt;h3 style="text-align: center;"&gt;&lt;b&gt;&amp;nbsp;&lt;/b&gt;&lt;/h3&gt;</content><link rel='replies' type='application/atom+xml' href='http://industrionage.blogspot.com/feeds/9022493991816474034/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://industrionage.blogspot.com/2010/02/teach-yourself-programming-in-ten-years.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/9091583231038221262/posts/default/9022493991816474034'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/9091583231038221262/posts/default/9022493991816474034'/><link rel='alternate' type='text/html' href='http://industrionage.blogspot.com/2010/02/teach-yourself-programming-in-ten-years.html' title='Teach Yourself Programming in Ten Years'/><author><name>www.Industrionage.com</name><uri>http://www.blogger.com/profile/00907555867590425735</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='12' height='32' src='http://1.bp.blogspot.com/_OrlWpnLUecg/SrYxYmB2tkI/AAAAAAAAABA/xt1RrLJ2YbU/S220/face.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-9091583231038221262.post-916445586806836111</id><published>2010-02-04T10:45:00.000-08:00</published><updated>2010-02-04T10:53:40.003-08:00</updated><title type='text'>Glossary of Vulnerability Testing Terminology</title><content type='html'>&lt;div class="line862"&gt;Original content from: &lt;a href="http://www.blogger.com/goog_1265308350135"&gt;http://www.penetration-testing.com/ &lt;/a&gt;&lt;/div&gt;&lt;div class="line862"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="line862"&gt;Editors: OUSPG crew (&lt;a 
href="https://www.ee.oulu.fi/research/ouspg/FrontPage"&gt;OUSPG&lt;/a&gt;), Ari  Takanen (&lt;a class="http" href="http://www.codenomicon.com/"&gt;Codenomicon&lt;/a&gt;)  &lt;span class="anchor" id="line-4"&gt;&lt;/span&gt;&lt;span class="anchor" id="line-5"&gt;&lt;/span&gt;&lt;/div&gt;&lt;div class="line867"&gt;&lt;/div&gt;&lt;h2 id="Table_Of_Contents"&gt;Table Of Contents&lt;/h2&gt;&lt;span class="anchor" id="line-6"&gt;&lt;/span&gt;&lt;span class="anchor" id="line-7"&gt;&lt;/span&gt;&lt;br /&gt;&lt;div class="table-of-contents"&gt;&lt;div class="table-of-contents-heading"&gt;Contents&lt;/div&gt;&lt;ol&gt;&lt;li&gt; &lt;a href="https://www.ee.oulu.fi/research/ouspg/Glossary#Glossary_of_Vulnerability_Testing_Terminology"&gt;Glossary  of Vulnerability Testing Terminology&lt;/a&gt;&lt;br /&gt;&lt;ol&gt;&lt;li&gt; &lt;a href="https://www.ee.oulu.fi/research/ouspg/Glossary#Table_Of_Contents"&gt;Table  Of Contents&lt;/a&gt;&lt;/li&gt;&lt;li&gt; &lt;a href="https://www.ee.oulu.fi/research/ouspg/Glossary#ABSTRACT"&gt;ABSTRACT&lt;/a&gt;&lt;/li&gt;&lt;li&gt; &lt;a href="https://www.ee.oulu.fi/research/ouspg/Glossary#OUSPG_Glossary"&gt;OUSPG  Glossary&lt;/a&gt;&lt;/li&gt;&lt;li&gt; &lt;a href="https://www.ee.oulu.fi/research/ouspg/Glossary#References"&gt;References&lt;/a&gt;&lt;/li&gt;&lt;li&gt; &lt;a href="https://www.ee.oulu.fi/research/ouspg/Glossary#Other_glossaries"&gt;Other  glossaries&lt;/a&gt;&lt;/li&gt;&lt;/ol&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;h2 id="ABSTRACT"&gt;ABSTRACT&lt;/h2&gt;&lt;span class="anchor" id="line-10"&gt;&lt;/span&gt;&lt;span class="anchor" id="line-11"&gt;&lt;/span&gt;&lt;br /&gt;&lt;div class="line867"&gt;&lt;i&gt;Several glossaries are  available from different fields of expertise on the software engineering  and information security. Yet, terminology used in the context of  implementation level vulnerabilities has not stabilised.    This  document collects the relevant definitions from our main areas of  interest.    
Terms are introduced with reference to the source. When  multiple sources present the same details on a term, only one is usually  noted. An attempt is made to preserve the form of definition used in  the original source.    The glossary with original wording and reference  details has been found useful within the group, thus we are making it  publicly available herein.    Please do not refer to this glossary, the  original source is preferred.&lt;/i&gt; &lt;span class="anchor" id="line-12"&gt;&lt;/span&gt;&lt;span class="anchor" id="line-13"&gt;&lt;/span&gt;&lt;/div&gt;&lt;div class="line867"&gt;&lt;/div&gt;&lt;h2 id="OUSPG_Glossary"&gt;OUSPG Glossary&lt;/h2&gt;&lt;span class="anchor" id="line-14"&gt;&lt;/span&gt;&lt;span class="anchor" id="line-15"&gt;&lt;/span&gt;&lt;br /&gt;&lt;div class="line874"&gt;Abstract Syntax Notation One  (ASN.1) &lt;span class="anchor" id="line-16"&gt;&lt;/span&gt;&lt;span class="anchor" id="line-17"&gt;&lt;/span&gt;&lt;/div&gt;&lt;/li&gt;&lt;li style="list-style-type: none;"&gt;&lt;br /&gt;&lt;div class="line862"&gt;The language used by the OSI protocols for describing  abstract syntax. This language is also used to encode SNMP packets.  ASN.1 is defined in ISO documents 8824.2 and 8825.2. See also: Basic  Encoding Rules. &lt;a class="http" href="http://www.ietf.org/rfc/rfc1983.txt"&gt;[1&lt;/a&gt;] &lt;span class="anchor" id="line-18"&gt;&lt;/span&gt;&lt;/div&gt;&lt;/li&gt;&lt;li style="list-style-type: none;"&gt;&lt;br /&gt;&lt;div class="line862"&gt;(C) OSI standards use ASN.1 to specify data formats for  protocols. OSI defines functionality in layers. Information objects at  higher layers are abstractly defined to be implemented with objects at  lower layers. A higher layer may define transfers of abstract objects  between computers, and a lower layer may define transfers concretely as  strings of bits. 
Syntax is needed to define abstract objects, and  encoding rules are needed to transform between abstract objects and bit  strings. (See: Basic Encoding Rules.) &lt;a class="http" href="http://www.ietf.org/rfc/rfc2828.txt"&gt;[2&lt;/a&gt;] &lt;span class="anchor" id="line-19"&gt;&lt;/span&gt;&lt;/div&gt;&lt;/li&gt;&lt;/ol&gt;&lt;div class="line874" style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;Ad hoc &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;ul style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;li style="list-style-type: none;"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;Something that is ad hoc or that is done  on an ad hoc basis happens or is done only when the situation makes it  necessary or desirable, rather than being arranged in advance or being  part of a general plan. [3] &lt;/b&gt;&lt;/span&gt;&lt;/li&gt;&lt;/ul&gt;&lt;div class="line874" style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;Ad hoc testing &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;ul style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;li style="list-style-type: none;"&gt;&lt;div class="line862"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;Testing carried out using no recognised test  case design technique. 
&lt;a class="http" href="http://www.testingstandards.co.uk/Gloss6_2.htm"&gt;[4&lt;/a&gt;] &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;/li&gt;&lt;/ul&gt;&lt;div class="line874" style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;Ad-lib  test &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;ul style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;li style="list-style-type: none;"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;(also ad  hoc test), a test executed without prior planning; especially if the  expected test outcome is not predicted beforehand. An undocumented test.  [5] &lt;/b&gt;&lt;/span&gt;&lt;/li&gt;&lt;/ul&gt;&lt;div class="line874" style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;Anomaly &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;ul style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;li style="list-style-type: none;"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;An anomaly is a rule or practice that is different from what is  normal or usual, and which is therefore unsatisfactory. [3] &lt;/b&gt;&lt;/span&gt;&lt;/li&gt;&lt;li style="list-style-type: none;"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;Anything observed in the documentation or operation of software  that deviates from expectations based on previously verified software  products or reference documents. [6] &lt;/b&gt;&lt;/span&gt;&lt;/li&gt;&lt;/ul&gt;&lt;div class="line874" style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;Attack &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;ul style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;li style="list-style-type: none;"&gt;&lt;div class="line862"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;An attempt to bypass security controls on a  computer. The attack may alter, release, or deny data. 
Whether an attack  will succeed depends on the vulnerability of the computer system and  the effectiveness of existing countermeasures. &lt;a class="http" href="http://www.sans.org/newlook/resources/glossary.htm"&gt;[7&lt;/a&gt;] &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;/li&gt;&lt;li style="list-style-type: none;"&gt;&lt;div class="line862"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;The act of trying to bypass security controls  on a system. An attack may be active, resulting in the alteration of  data; or passive, resulting in the release of data. Note: The fact that  an attack is made does not necessarily mean that it will succeed. The  degree of success depends on the vulnerability of the system or activity  and the effectiveness of existing countermeasures. &lt;a class="http" href="http://packetstormsecurity.org/docs/rainbow-books/NCSC-TG-004.txt"&gt;[8&lt;/a&gt;]  &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;/li&gt;&lt;/ul&gt;&lt;div class="line874" style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;Attack potential &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;ul style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;li style="list-style-type: none;"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;The perceived potential for success of an attack, should an  attack be launched, expressed in terms of an attacker's expertise,  resources and motivation. 
[9] &lt;/b&gt;&lt;/span&gt;&lt;/li&gt;&lt;/ul&gt;&lt;div class="line874" style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;Audit &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;ul style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;li style="list-style-type: none;"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;(missing definition) &lt;/b&gt;&lt;/span&gt;&lt;/li&gt;&lt;/ul&gt;&lt;div class="line874" style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;Availability &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;ul style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;li style="list-style-type: none;"&gt;&lt;div class="line862"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;Assuring information and communications  services will be ready for use when expected. &lt;a class="http" href="http://www.sans.org/newlook/resources/glossary.htm"&gt;[7&lt;/a&gt;] &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;/li&gt;&lt;/ul&gt;&lt;div class="line874" style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;Availability  of data &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;ul style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;li style="list-style-type: none;"&gt;&lt;div class="line862"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;The state when data are in the place needed by the user,  at the time the user needs them, and in the form needed by the user. 
&lt;a class="http" href="http://packetstormsecurity.org/docs/rainbow-books/NCSC-TG-004.txt"&gt;[8&lt;/a&gt;]  &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;/li&gt;&lt;/ul&gt;&lt;div class="line874" style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;Backus-Naur Form &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;ul style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;li style="list-style-type: none;"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;(also Backus normal form, BNF), a metalanguage used to formally  describe the syntax of another language. [5] &lt;/b&gt;&lt;/span&gt;&lt;/li&gt;&lt;li style="list-style-type: none;"&gt;&lt;div class="line862"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;A metalanguage used to formally describe the syntax of a  language. &lt;a class="http" href="http://www.testingstandards.co.uk/Gloss6_2.htm"&gt;[4&lt;/a&gt;] &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;/li&gt;&lt;/ul&gt;&lt;div class="line874" style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;Basic  Encoding Rules (BER) &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;ul style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;li style="list-style-type: none;"&gt;&lt;div class="line862"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;Standard rules for encoding data units  described in ASN.1. Sometimes incorrectly lumped under the term ASN.1,  which properly refers only to the abstract syntax description language,  not the encoding technique. See also: Abstract Syntax Notation One.  
[Source: NNSC] &lt;a class="http" href="http://www.ietf.org/rfc/rfc1983.txt"&gt;[1&lt;/a&gt;] &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;/li&gt;&lt;/ul&gt;&lt;div class="line874" style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;Black-box testing &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;ul style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;li style="list-style-type: none;"&gt;&lt;div class="line862"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;Functional test case  design: Test case selection that is based on an analysis of the  specification of the component without reference to its internal  workings. &lt;a class="http" href="http://www.testingstandards.co.uk/Gloss6_2.htm"&gt;[4&lt;/a&gt;] &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;/li&gt;&lt;li style="list-style-type: none;"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;Functional testing. Testing that ignores the internal mechanism of  a system or component and focuses solely on the outputs generated in  response to the selected inputs and execution conditions. [6] &lt;/b&gt;&lt;/span&gt;&lt;/li&gt;&lt;/ul&gt;&lt;div class="line874" style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;Boundary  value &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;ul style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;li style="list-style-type: none;"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;A data  value that corresponds to a minimum or maximum input, internal, or  output value specified for a system or component. See also: stress  testing. [6] &lt;/b&gt;&lt;/span&gt;&lt;/li&gt;&lt;li style="list-style-type: none;"&gt;&lt;div class="line862"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;An input value or  output value which is on the boundary between equivalence classes, or an  incremental distance either side of the boundary. 
&lt;a class="http" href="http://www.testingstandards.co.uk/Gloss6_2.htm"&gt;[4&lt;/a&gt;] &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;/li&gt;&lt;/ul&gt;&lt;div class="line874" style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;Boundary  value analysis &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;ul style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;li style="list-style-type: none;"&gt;&lt;div class="line862"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;(NBS) A selection technique in which test data  are chosen to lie along "boundaries" of the input domain [or output  range] classes, data structures, procedure parameters, etc. Choices  often include maximum, minimum, and trivial values or parameters. This  technique is often called stress testing. &lt;a class="http" href="http://www.fda.gov/ora/inspect_ref/igs/gloss.html"&gt;[10&lt;/a&gt;] &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;/li&gt;&lt;li style="list-style-type: none;"&gt;&lt;div class="line862"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;A test case design technique for a component  in which test cases are designed which include representatives of  boundary values. &lt;a class="http" href="http://www.testingstandards.co.uk/Gloss6_2.htm"&gt;[4&lt;/a&gt;] &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;/li&gt;&lt;/ul&gt;&lt;div class="line874" style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;Boundary  value coverage &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;ul style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;li style="list-style-type: none;"&gt;&lt;div class="line862"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;The percentage of boundary values of the  component's equivalence classes which have been exercised by a test case  suite. 
&lt;a class="http" href="http://www.testingstandards.co.uk/Gloss6_2.htm"&gt;[4&lt;/a&gt;] &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;/li&gt;&lt;/ul&gt;&lt;div class="line874" style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;Boundary  value testing &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;ul style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;li style="list-style-type: none;"&gt;&lt;div class="line862"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;A testing technique using input values at,  just below, and just above, the defined limits of an input domain; and  with input values causing outputs to be at, just below, and just above,  the defined limits of an output domain. See: boundary value analysis,  stress testing. &lt;a class="http" href="http://www.fda.gov/ora/inspect_ref/igs/gloss.html"&gt;[10&lt;/a&gt;] &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;/li&gt;&lt;/ul&gt;&lt;div class="line874" style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;Branch  coverage &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;ul style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;li style="list-style-type: none;"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;Metric of  the number of branches executed under test; "100% branch coverage"  means that every branch in a program has been executed at least once  under some test (also link coverage). 
[5] &lt;/b&gt;&lt;/span&gt;&lt;/li&gt;&lt;/ul&gt;&lt;div class="line874" style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;Breach &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;ul style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;li style="list-style-type: none;"&gt;&lt;div class="line862"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;The successful defeat  of security controls which could result in a penetration of the system.  A violation of controls of a particular information system such that  information assets or system components are unduly exposed. &lt;a class="http" href="http://www.sans.org/newlook/resources/glossary.htm"&gt;[7&lt;/a&gt;]  &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;/li&gt;&lt;/ul&gt;&lt;div class="line874" style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;Brute force attack &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;ul style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;li style="list-style-type: none;"&gt;&lt;div class="line862"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;(I) A cryptanalysis technique or other kind of  attack method involving an exhaustive procedure that tries all  possibilities, one-by-one. &lt;a class="http" href="http://www.ietf.org/rfc/rfc2828.txt"&gt;[2&lt;/a&gt;] &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;/li&gt;&lt;li style="list-style-type: none;"&gt;&lt;div class="line862"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;(C) For example, for ciphertext where the analyst  already knows the decryption algorithm, a brute force technique to  finding the original plaintext is to decrypt the message with every  possible key. 
&lt;a class="http" href="http://www.ietf.org/rfc/rfc2828.txt"&gt;[2&lt;/a&gt;]  &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;/li&gt;&lt;/ul&gt;&lt;div class="line874" style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;Buffer overflow &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;ul style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;li style="list-style-type: none;"&gt;&lt;div class="line862"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;This happens when more data is put into a  buffer or holding area than the buffer can handle. This is due to a  mismatch in processing rates between the producing and consuming  processes. This can result in system crashes or the creation of a back  door leading to system access. &lt;a class="http" href="http://www.sans.org/newlook/resources/glossary.htm"&gt;[7&lt;/a&gt;] &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;/li&gt;&lt;/ul&gt;&lt;div class="line874" style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;Bug &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;ul style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;li style="list-style-type: none;"&gt;&lt;div class="line862"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;A fault in a program  which causes the program to perform in an unintended or unanticipated  manner. See: anomaly, defect, error, exception, fault. 
&lt;a class="http" href="http://www.fda.gov/ora/inspect_ref/igs/gloss.html"&gt;[10&lt;/a&gt;] &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;/li&gt;&lt;/ul&gt;&lt;div class="line874" style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;Certification  &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;ul style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;li style="list-style-type: none;"&gt;&lt;div class="line862"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;The comprehensive evaluation of the technical and  nontechnical security features of an AIS and other safeguards, made in  support of the accreditation process, that establishes the extent to  which a particular design and implementation meet a specified set of  security requirements. &lt;a class="http" href="http://packetstormsecurity.org/docs/rainbow-books/NCSC-TG-004.txt"&gt;[8&lt;/a&gt;]  &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;/li&gt;&lt;/ul&gt;&lt;div class="line874" style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;Classification &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;ul style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;li style="list-style-type: none;"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;A classification is the separation or ordering of objects (or  specimens) into classes [WEBOL 1998]. Classifications that are created  non-empirically are called a priori classifications [...; Simpson 1961;  WEBOL 1998]. Classifications that are created empirically by looking at  the data are called a posteriori classifications [...; Simpson 1961;  WEBOL 1998]. 
[11] &lt;/b&gt;&lt;/span&gt;&lt;/li&gt;&lt;/ul&gt;&lt;div class="line874" style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;Code coverage &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;ul style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;li style="list-style-type: none;"&gt;&lt;div class="line862"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;An analysis method that determines which parts  of the software have been executed (covered) by the test case suite and  which parts have not been executed and therefore may require additional  attention. &lt;a class="http" href="http://www.testingstandards.co.uk/Gloss6_2.htm"&gt;[4&lt;/a&gt;] &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;/li&gt;&lt;/ul&gt;&lt;div class="line874" style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;Component  &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;ul style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;li style="list-style-type: none;"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;An  object of testing. An integrated assembly of one or more units and/or  associated data objects or one or more components and/or associated data  objects. By this (recursive) definition, a component can be anything  from a unit to a system. [5] &lt;/b&gt;&lt;/span&gt;&lt;/li&gt;&lt;/ul&gt;&lt;div class="line874" style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;Compromise &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;ul style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;li style="list-style-type: none;"&gt;&lt;div class="line862"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;An intrusion into a computer system where  unauthorized disclosure, modification or destruction of sensitive  information may have occurred. 
&lt;a class="http" href="http://www.sans.org/newlook/resources/glossary.htm"&gt;[7&lt;/a&gt;] &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;/li&gt;&lt;li style="list-style-type: none;"&gt;&lt;div class="line862"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;A violation of the security policy of a  system such that unauthorized disclosure of sensitive information may  have occurred. &lt;a class="http" href="http://packetstormsecurity.org/docs/rainbow-books/NCSC-TG-004.txt"&gt;[8&lt;/a&gt;]  &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;/li&gt;&lt;/ul&gt;&lt;div class="line874" style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;Confidentiality &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;ul style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;li style="list-style-type: none;"&gt;&lt;div class="line862"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;Assuring information will be kept secret,  with access limited to appropriate persons. &lt;a class="http" href="http://www.sans.org/newlook/resources/glossary.htm"&gt;[7&lt;/a&gt;] &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;/li&gt;&lt;li style="list-style-type: none;"&gt;&lt;div class="line862"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;The concept of holding sensitive data in  confidence, limited to an appropriate set of individuals or  organizations. 
&lt;a class="http" href="http://packetstormsecurity.org/docs/rainbow-books/NCSC-TG-004.txt"&gt;[8&lt;/a&gt;]  &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;/li&gt;&lt;/ul&gt;&lt;div class="line874" style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;Cost-risk analysis &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;ul style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;li style="list-style-type: none;"&gt;&lt;div class="line862"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;The assessment of the costs of providing data  protection for a system versus the cost of losing or compromising the  data. &lt;a class="http" href="http://packetstormsecurity.org/docs/rainbow-books/NCSC-TG-004.txt"&gt;[8&lt;/a&gt;]  &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;/li&gt;&lt;/ul&gt;&lt;div class="line874" style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;COTS Software &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;ul style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;li style="list-style-type: none;"&gt;&lt;div class="line862"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;Commercial Off the Shelf - Software acquired  by government contract through a commercial vendor. This software is a  standard product, not developed by a vendor for a particular government  project. &lt;a class="http" href="http://www.sans.org/newlook/resources/glossary.htm"&gt;[7&lt;/a&gt;] &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;/li&gt;&lt;/ul&gt;&lt;div class="line874" style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;Coverage  &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;ul style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;li style="list-style-type: none;"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;Any  metric of completeness with respect to a test selection criterion.  
Without qualification, usually means branch or statement coverage. [5] &lt;/b&gt;&lt;/span&gt;&lt;/li&gt;&lt;/ul&gt;&lt;div class="line874" style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;Crash &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;ul style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;li style="list-style-type: none;"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;The sudden and complete failure of a  computer system or component. [6] &lt;/b&gt;&lt;/span&gt;&lt;/li&gt;&lt;/ul&gt;&lt;div class="line874" style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;Debugger &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;ul style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;li style="list-style-type: none;"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;One who engages in the intuitive art of correctly determining  the cause (e.g., bug) of a set of symptoms. [5] &lt;/b&gt;&lt;/span&gt;&lt;/li&gt;&lt;/ul&gt;&lt;div class="line874" style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;Defect &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;ul style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;li style="list-style-type: none;"&gt;&lt;div class="line862"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;Nonconformance to  requirements. 
&lt;a class="http" href="http://www.riceconsulting.com/Library/gloss.htm"&gt;[12&lt;/a&gt;] &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;/li&gt;&lt;/ul&gt;&lt;div class="line874" style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;Denial  of Service &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;ul style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;li style="list-style-type: none;"&gt;&lt;div class="line862"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;Action(s) which prevent any part of an AIS  from functioning in accordance with its intended purpose. &lt;a class="http" href="http://www.sans.org/newlook/resources/glossary.htm"&gt;[7&lt;/a&gt;]  &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;/li&gt;&lt;li style="list-style-type: none;"&gt;&lt;div class="line862"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;Any action or series  of actions that prevent any part of a system from functioning in  accordance with its intended purpose. This includes any action that  causes unauthorized destruction, modification, or delay of service.  Synonymous with interdiction. &lt;a class="http" href="http://www.riceconsulting.com/Library/gloss.htm"&gt;[12&lt;/a&gt;] &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;/li&gt;&lt;li style="list-style-type: none;"&gt;&lt;div class="line862"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;Intentional degradation or blocking of  computer or network resources. &lt;a class="http" href="http://www.cert.org/research/taxonomy_988667.pdf"&gt;[13&lt;/a&gt;] &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;/li&gt;&lt;li style="list-style-type: none;"&gt;&lt;div class="line862"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;(I) The prevention of authorized access to a  system resource or the delaying of system operations and functions.  (See: availability, critical (resource of a system), flooding.) 
&lt;a class="http" href="http://www.ietf.org/rfc/rfc2828.txt"&gt;[2&lt;/a&gt;] &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;/li&gt;&lt;/ul&gt;&lt;div class="line874" style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;Disclosure  of information &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;ul style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;li style="list-style-type: none;"&gt;&lt;div class="line862"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;Dissemination of information to anyone who is  not authorized to access that information. &lt;a class="http" href="http://www.cert.org/research/taxonomy_988667.pdf"&gt;[13&lt;/a&gt;] &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;/li&gt;&lt;/ul&gt;&lt;div class="line874" style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;Dynamic  analysis &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;ul style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;li style="list-style-type: none;"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;The  process of evaluating a system or component based on its behavior during  execution. [6] &lt;/b&gt;&lt;/span&gt;&lt;/li&gt;&lt;li style="list-style-type: none;"&gt;&lt;div class="line862"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;(NBS) Analysis that is  performed by executing the program code. Contrast with static analysis.  See: testing. 
&lt;a class="http" href="http://www.fda.gov/ora/inspect_ref/igs/gloss.html"&gt;[10&lt;/a&gt;] &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;/li&gt;&lt;/ul&gt;&lt;div class="line874" style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;Error  &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;ul style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;li style="list-style-type: none;"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;(1) The  difference between a computed, observed, or measured value or condition  and the true, specified, or theoretically correct value or condition.  (2) An incorrect step, process, or data definition. Also: fault. (3) An  incorrect result. Also: failure. (4) A human action that produces an  incorrect result. Also: mistake. [6] &lt;/b&gt;&lt;/span&gt;&lt;/li&gt;&lt;li style="list-style-type: none;"&gt;&lt;div class="line862"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;(ISO) A discrepancy  between a computed, observed, or measured value or condition and the  true, specified, or theoretically correct value or condition. See:  anomaly, bug, defect, exception, fault. &lt;a class="http" href="http://www.fda.gov/ora/inspect_ref/igs/gloss.html"&gt;[10&lt;/a&gt;] &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;/li&gt;&lt;li style="list-style-type: none;"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;An error is a mistake made by a developer. It might be a  typographical error, a misreading of a specification, a  misunderstanding of what a subroutine does, and so on (IEEE 1990). An  error might lead to one or more faults. Faults are located in the text  of the program. More precisely, a fault is the difference between  incorrect program and the correct version (IEEE 1990). 
[11] &lt;/b&gt;&lt;/span&gt;&lt;/li&gt;&lt;/ul&gt;&lt;div class="line874" style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;Error  guessing &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;ul style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;li style="list-style-type: none;"&gt;&lt;div class="line862"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;A test case design technique where the experience of the  tester is used to postulate what faults might occur, and to design  tests specifically to expose them. &lt;a class="http" href="http://www.testingstandards.co.uk/Gloss6_2.htm"&gt;[4&lt;/a&gt;] &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;/li&gt;&lt;/ul&gt;&lt;div class="line874" style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;Error  seeding &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;ul style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;li style="list-style-type: none;"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;The  process of intentionally adding known faults to those already in a  computer program for the purpose of monitoring the rate of detection and  removal, and estimating the number of faults remaining in the program.  [6] &lt;/b&gt;&lt;/span&gt;&lt;/li&gt;&lt;li style="list-style-type: none;"&gt;&lt;div class="line862"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;Contrast with mutation  analysis. 
&lt;a class="http" href="http://www.fda.gov/ora/inspect_ref/igs/gloss.html"&gt;[10&lt;/a&gt;] &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;/li&gt;&lt;/ul&gt;&lt;div class="line874" style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;Evaluation  &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;ul style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;li style="list-style-type: none;"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;Evaluation  is a decision about significance, value, or quality of something, based  on careful study of its good and bad features. [3] &lt;/b&gt;&lt;/span&gt;&lt;/li&gt;&lt;li style="list-style-type: none;"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;Assessment  of a PP [Protection Profile], an ST [Security Target] or a TOE [Target  of Evaluation], against defined criteria. [9] &lt;/b&gt;&lt;/span&gt;&lt;/li&gt;&lt;/ul&gt;&lt;div class="line874" style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;Exception &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;ul style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;li style="list-style-type: none;"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;An event that causes suspension of  normal program execution. Types include addressing exception, data  exception, operation exception, overflow exception, protection  exception, underflow exception. 
[6] &lt;/b&gt;&lt;/span&gt;&lt;/li&gt;&lt;/ul&gt;&lt;div class="line874" style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;Exercised &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;ul style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;li style="list-style-type: none;"&gt;&lt;div class="line862"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;A program element is exercised by a test case  when the input value causes the execution of that element, such as a  statement, branch, or other structural element. &lt;a class="http" href="http://www.testingstandards.co.uk/Gloss6_2.htm"&gt;[4&lt;/a&gt;] &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;/li&gt;&lt;/ul&gt;&lt;div class="line874" style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;Exhaustive  testing &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;ul style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;li style="list-style-type: none;"&gt;&lt;div class="line862"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;A test case design technique in which the test case  suite comprises all combinations of input values and preconditions for  component variables. &lt;a class="http" href="http://www.testingstandards.co.uk/Gloss6_2.htm"&gt;[4&lt;/a&gt;] &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;/li&gt;&lt;li style="list-style-type: none;"&gt;&lt;div class="line862"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;(NBS) Executing the program with all possible  combinations of values for program variables. Feasible only for small,  simple programs. 
&lt;a class="http" href="http://www.fda.gov/ora/inspect_ref/igs/gloss.html"&gt;[10&lt;/a&gt;] &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;/li&gt;&lt;/ul&gt;&lt;div class="line874" style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;Exploit  &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;ul style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;li style="list-style-type: none;"&gt;&lt;div class="line862"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;(verb) To, in some way, take advantage of a  vulnerability in a system in the pursuit or achievement of some  objective. All vulnerability exploitations are attacks but not all  attacks exploit vulnerabilities. &lt;a class="http" href="http://www.sei.cmu.edu/publications/documents/99.reports/99tr028/99tr028title.html"&gt;[14&lt;/a&gt;]  &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;/li&gt;&lt;li style="list-style-type: none;"&gt;&lt;div class="line862"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;(noun) Colloquially  for exploit script: a script, program, mechanism, or other technique by  which a vulnerability is used in the pursuit or achievement of some  information assurance objective. It is common speech in this field to  use the terms exploit and exploit script to refer to any mechanism, not  just scripts, that uses a vulnerability. 
&lt;a class="http" href="http://www.sei.cmu.edu/publications/documents/99.reports/99tr028/99tr028title.html"&gt;[14&lt;/a&gt;]  &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;/li&gt;&lt;/ul&gt;&lt;div class="line874" style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;Exploitation (of vulnerability) &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;ul style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;li style="list-style-type: none;"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;The exploitation of an access control  vulnerability is whatever causes the operating system to perform  operations that are in conflict with the security policy as defined by  the access control matrix. [11] &lt;/b&gt;&lt;/span&gt;&lt;/li&gt;&lt;/ul&gt;&lt;div class="line874" style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;External IT entity &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;ul style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;li style="list-style-type: none;"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;Any IT product or system, untrusted or trusted, outside of the  TOE [Target of Evaluation] that interacts with the TOE. [9] &lt;/b&gt;&lt;/span&gt;&lt;/li&gt;&lt;/ul&gt;&lt;div class="line874" style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;Failure  &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;ul style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;li style="list-style-type: none;"&gt;&lt;div class="line862"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;Deviation of the software from its expected delivery or  service. 
&lt;a class="http" href="http://www.testingstandards.co.uk/Gloss6_2.htm"&gt;[4&lt;/a&gt;] (after  Fenton) &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;/li&gt;&lt;li style="list-style-type: none;"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;The inability of a system or component to  perform its required functions within specified performance  requirements. [6] &lt;/b&gt;&lt;/span&gt;&lt;/li&gt;&lt;/ul&gt;&lt;div class="line874" style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;False Negative &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;ul style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;li style="list-style-type: none;"&gt;&lt;div class="line862"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;Occurs when an actual intrusive action has  occurred but the system allows it to pass as non-intrusive behavior. &lt;a class="http" href="http://www.sans.org/newlook/resources/glossary.htm"&gt;[7&lt;/a&gt;]  &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;/li&gt;&lt;/ul&gt;&lt;div class="line874" style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;False Positive &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;ul style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;li style="list-style-type: none;"&gt;&lt;div class="line862"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;Occurs when the system classifies an action  as anomalous (a possible intrusion) when it is a legitimate action. 
&lt;a class="http" href="http://www.sans.org/newlook/resources/glossary.htm"&gt;[7&lt;/a&gt;]  &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;/li&gt;&lt;/ul&gt;&lt;div class="line874" style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;Fault &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;ul style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;li style="list-style-type: none;"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;An incorrect step, process, or data definition in a computer  program. [6] &lt;/b&gt;&lt;/span&gt;&lt;/li&gt;&lt;li style="list-style-type: none;"&gt;&lt;div class="line862"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;A manifestation of an  error in software. A fault, if encountered, may cause a failure. &lt;a class="http" href="http://www.testingstandards.co.uk/Gloss6_2.htm"&gt;[4&lt;/a&gt;]  (after do178b) &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;/li&gt;&lt;li style="list-style-type: none;"&gt;&lt;div class="line862"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;An incorrect step,  process, or data definition in a computer program which causes the  program to perform in an unintended or unanticipated manner. See:  anomaly, bug, defect, error, exception. &lt;a class="http" href="http://www.fda.gov/ora/inspect_ref/igs/gloss.html"&gt;[10&lt;/a&gt;] &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;/li&gt;&lt;/ul&gt;&lt;div class="line874" style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;Fault  injection &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;ul style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;li style="list-style-type: none;"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;The hypothesized errors that software fault injection uses are  created by either: (1) adding code to the code under analysis, (2)  changing the code that is there, or (3) deleting code from the code  under analysis. 
Code that is added to the program for the purpose of  either simulating errors or detecting the effects of those errors is  called &lt;i&gt;instrumentation code&lt;/i&gt;. To perform fault injection, some  amount of instrumentation is always necessary, and although this can be  added manually, it is usually performed by a tool. [15] &lt;/b&gt;&lt;/span&gt;&lt;/li&gt;&lt;/ul&gt;&lt;div class="line874" style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;Fault  Tolerance &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;ul style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;li style="list-style-type: none;"&gt;&lt;div class="line862"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;The ability of a system or component to continue normal  operation despite the presence of hardware or software faults. &lt;a class="http" href="http://www.sans.org/newlook/resources/glossary.htm"&gt;[7&lt;/a&gt;]  &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;/li&gt;&lt;/ul&gt;&lt;div class="line874" style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;Flaw hypothesis methodology &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;ul style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;li style="list-style-type: none;"&gt;&lt;div class="line862"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;A systems analysis  and penetration technique in which specifications and documentation for  the system are analyzed and then flaws in the system are hypothesized.  The list of hypothesized flaws is then prioritized on the basis of the  estimated probability that a flaw exists and, assuming a flaw does  exist, on the ease of exploiting it, and on the extent of control or  compromise it would provide. The prioritized list is used to direct a  penetration attack against the system. 
&lt;a class="http" href="http://packetstormsecurity.org/docs/rainbow-books/NCSC-TG-004.txt"&gt;[8&lt;/a&gt;]  &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;/li&gt;&lt;/ul&gt;&lt;div class="line874" style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;Formal &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;ul style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;li style="list-style-type: none;"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;Expressed in a restricted syntax language with defined semantics  based on well-established mathematical concepts. [9] &lt;/b&gt;&lt;/span&gt;&lt;/li&gt;&lt;/ul&gt;&lt;div class="line874" style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;Formal  specification &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;ul style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;li style="list-style-type: none;"&gt;&lt;div class="line862"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;(I) A specification of hardware or software  functionality in a computer-readable language; usually a precise  mathematical description of the behavior of the system with the aim of  providing a correctness proof. 
&lt;a class="http" href="http://www.ietf.org/rfc/rfc2828.txt"&gt;[2&lt;/a&gt;] &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;/li&gt;&lt;/ul&gt;&lt;div class="line874" style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;Format &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;ul style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;li style="list-style-type: none;"&gt;&lt;div class="line862"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;The organization of  information according to preset specifications (usually for computer  processing) [syn: formatting, data format, data formatting] &lt;a class="http" href="http://www.dict.org/"&gt;[16&lt;/a&gt;] &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;/li&gt;&lt;/ul&gt;&lt;div class="line874" style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;Glossary &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;ul style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;li style="list-style-type: none;"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;A glossary is an alphabetical list of  words or expressions and the special or technical meanings that they  have in a particular book, subject, or activity. [3] &lt;/b&gt;&lt;/span&gt;&lt;/li&gt;&lt;/ul&gt;&lt;div class="line874" style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;Hacker &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;ul style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;li style="list-style-type: none;"&gt;&lt;div class="line862"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;A person who enjoys  exploring the details of computers and how to stretch their  capabilities. A malicious or inquisitive meddler who tries to discover  information by poking around. 
A person who enjoys learning the details  of programming systems and how to stretch their capabilities, as opposed  to most users who prefer to learn only the minimum necessary. &lt;a class="http" href="http://www.sans.org/newlook/resources/glossary.htm"&gt;[7&lt;/a&gt;]  &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;/li&gt;&lt;/ul&gt;&lt;div class="line874" style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;Implementation under test, IUT &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;ul style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;li style="list-style-type: none;"&gt;&lt;div class="line862"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;The particular  portion of equipment which is to be studied for testing. The  implementation may include one or more protocols. &lt;a class="http" href="http://www.atis.org/atis/data/glossary.htm"&gt;[17&lt;/a&gt;] &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;/li&gt;&lt;/ul&gt;&lt;div class="line874" style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;Implementation  vulnerability &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;ul style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;li style="list-style-type: none;"&gt;&lt;div class="line862"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;A vulnerability resulting from an error made  in the software or hardware implementation of a satisfactory design. 
&lt;a class="http" href="http://www.cert.org/research/taxonomy_988667.pdf"&gt;[13&lt;/a&gt;]  &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;/li&gt;&lt;/ul&gt;&lt;div class="line874" style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;Information warfare &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;ul style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;li style="list-style-type: none;"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;(missing definition) &lt;/b&gt;&lt;/span&gt;&lt;/li&gt;&lt;/ul&gt;&lt;div class="line874" style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;Injection vector &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;ul style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;li style="list-style-type: none;"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;(missing definition) &lt;/b&gt;&lt;/span&gt;&lt;/li&gt;&lt;/ul&gt;&lt;div class="line874" style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;Input &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;ul style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;li style="list-style-type: none;"&gt;&lt;div class="line862"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;A variable (whether stored within a component  or outside it) that is read by the component. &lt;a class="http" href="http://www.testingstandards.co.uk/Gloss6_2.htm"&gt;[4&lt;/a&gt;] &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;/li&gt;&lt;/ul&gt;&lt;div class="line874" style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;Instrument  &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;ul style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;li style="list-style-type: none;"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;1. 
A  tool or device that is used to do a particular task. 2. A device that is  used for making measurements of something. [3] &lt;/b&gt;&lt;/span&gt;&lt;/li&gt;&lt;li style="list-style-type: none;"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;In software  and system testing, to install or insert devices or instructions into  hardware or software to monitor the operation of a system or component.  [6] &lt;/b&gt;&lt;/span&gt;&lt;/li&gt;&lt;/ul&gt;&lt;div class="line874" style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;Instrumentation &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;ul style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;li style="list-style-type: none;"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;Instrumentation is a group or collection of instruments, usually  ones that are part of the same machine. [3] &lt;/b&gt;&lt;/span&gt;&lt;/li&gt;&lt;li style="list-style-type: none;"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;Devices or  instructions installed or inserted into hardware or software to monitor  the operation of a system or component. [6] &lt;/b&gt;&lt;/span&gt;&lt;/li&gt;&lt;li style="list-style-type: none;"&gt;&lt;div class="line862"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;The insertion of additional code into the program in  order to collect information about program behaviour during program  execution. &lt;a class="http" href="http://www.testingstandards.co.uk/Gloss6_2.htm"&gt;[4&lt;/a&gt;] &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;/li&gt;&lt;li style="list-style-type: none;"&gt;&lt;div class="line862"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;(NBS) The insertion of additional code into a  program in order to collect information about program behavior during  program execution. Useful for dynamic analysis techniques such as  assertion checking, coverage analysis, tuning. 
&lt;a class="http" href="http://www.fda.gov/ora/inspect_ref/igs/gloss.html"&gt;[10&lt;/a&gt;] &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;/li&gt;&lt;/ul&gt;&lt;div class="line874" style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;Integrity  &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;ul style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;li style="list-style-type: none;"&gt;&lt;div class="line862"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;Assuring information will not be accidentally or  maliciously altered or destroyed. &lt;a class="http" href="http://www.sans.org/newlook/resources/glossary.htm"&gt;[7&lt;/a&gt;] &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;/li&gt;&lt;li style="list-style-type: none;"&gt;&lt;div class="line862"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;Sound, unimpaired or perfect condition. &lt;a class="http" href="http://packetstormsecurity.org/docs/rainbow-books/NCSC-TG-004.txt"&gt;[8&lt;/a&gt;]  &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;/li&gt;&lt;/ul&gt;&lt;div class="line874" style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;Interface &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;ul style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;li style="list-style-type: none;"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;(1) A shared boundary across which information is passed. (2) A  Hardware or software component that connects two or more other  components for the purpose of passing information from one to the other.  (3) To connect two or more components for the purpose of passing  information from one to the other. (4) To serve as a connecting or  connected component as in (2). 
[6] &lt;/b&gt;&lt;/span&gt;&lt;/li&gt;&lt;li style="list-style-type: none;"&gt;&lt;div class="line862"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;(1) (ISO) A shared  boundary between two functional units, defined by functional  characteristics, common physical interconnection characteristics, signal  characteristics, and other characteristics, as appropriate. The concept  involves the specification of the connection of two devices having  different functions. (2) A point of communication between two or more  processes, persons, or other physical entities. (3) A peripheral device  which permits two or more devices to communicate. &lt;a class="http" href="http://www.fda.gov/ora/inspect_ref/igs/gloss.html"&gt;[10&lt;/a&gt;] &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;/li&gt;&lt;/ul&gt;&lt;div class="line874" style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;Interface  testing &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;ul style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;li style="list-style-type: none;"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;Testing  conducted to evaluate whether systems or components pass data and  control correctly to each other. [6] &lt;/b&gt;&lt;/span&gt;&lt;/li&gt;&lt;li style="list-style-type: none;"&gt;&lt;div class="line862"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;Integration testing  where the interfaces between system components are tested. 
&lt;a class="http" href="http://www.testingstandards.co.uk/Gloss6_2.htm"&gt;[4&lt;/a&gt;]  &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;/li&gt;&lt;/ul&gt;&lt;div class="line874" style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;Language &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;ul style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;li style="list-style-type: none;"&gt;&lt;div class="line862"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;Any means of conveying or communicating  ideas; specifically, human speech; the expression of ideas by the voice;  sounds, expressive of thought, articulated by the organs of the throat  and mouth. &lt;a class="http" href="http://www.dict.org/"&gt;[16&lt;/a&gt;] &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;/li&gt;&lt;/ul&gt;&lt;div class="line874" style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;Least  privilege &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;ul style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;li style="list-style-type: none;"&gt;&lt;div class="line862"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;Feature of a system in which operations are  granted the fewest permissions possible in order to perform their tasks.  &lt;a class="http" href="http://kubarb.phsx.ukans.edu/%7Etbird/vpn/vpn-glossary.html"&gt;[18&lt;/a&gt;]  &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;/li&gt;&lt;li style="list-style-type: none;"&gt;&lt;div class="line862"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;The principle that  requires that each subject be granted the most restrictive set of  privileges needed for the performance of authorized tasks. The  application of this principle limits the damage that can result from  accident, error, or unauthorized use. 
&lt;a class="http" href="http://packetstormsecurity.org/docs/rainbow-books/NCSC-TG-004.txt"&gt;[8&lt;/a&gt;]  &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;/li&gt;&lt;/ul&gt;&lt;div class="line874" style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;Liability &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;ul style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;li style="list-style-type: none;"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;Liability for something such as debt or crime is the legal  responsibility for it; a technical term in law. [3] &lt;/b&gt;&lt;/span&gt;&lt;/li&gt;&lt;/ul&gt;&lt;div class="line874" style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;Malicious code,  malicious logic, malware &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;ul style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;li style="list-style-type: none;"&gt;&lt;div class="line862"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;(I) Hardware, software, or firmware that is  intentionally included or inserted in a system for a harmful purpose.  (See: logic bomb, Trojan horse, virus, worm.) &lt;a class="http" href="http://www.ietf.org/rfc/rfc2828.txt"&gt;[2&lt;/a&gt;] &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;/li&gt;&lt;li style="list-style-type: none;"&gt;&lt;div class="line862"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;Hardware, software, or firmware that is intentionally  included in a system for an unauthorized purpose; e.g., a Trojan horse. 
&lt;a class="http" href="http://packetstormsecurity.org/docs/rainbow-books/NCSC-TG-004.txt"&gt;[8&lt;/a&gt;]  &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;/li&gt;&lt;/ul&gt;&lt;div class="line874" style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;Mutation analysis &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;ul style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;li style="list-style-type: none;"&gt;&lt;div class="line862"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;(NBS) A method to determine test set  thoroughness by measuring the extent to which a test set can  discriminate the program from slight variants [mutants] of the program.  Contrast with error seeding. &lt;a class="http" href="http://www.fda.gov/ora/inspect_ref/igs/gloss.html"&gt;[10&lt;/a&gt;] &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;/li&gt;&lt;li style="list-style-type: none;"&gt;&lt;div class="line862"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;A method to determine test case suite  thoroughness by measuring the extent to which a test case suite can  discriminate the program from slight variants (mutants) of the program.  See also error seeding. &lt;a class="http" href="http://www.testingstandards.co.uk/Gloss6_2.htm"&gt;[4&lt;/a&gt;] &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;/li&gt;&lt;/ul&gt;&lt;div class="line874" style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;Mutation  testing &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;ul style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;li style="list-style-type: none;"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;A  testing methodology in which two or more program mutations are executed  using the same test cases to evaluate the ability of the test cases to  detect differences in the mutations. 
[6] &lt;/b&gt;&lt;/span&gt;&lt;/li&gt;&lt;/ul&gt;&lt;div class="line874" style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;Mutually suspicious &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;ul style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;li style="list-style-type: none;"&gt;&lt;div class="line862"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;The state that exists  between interacting processes (subsystems or programs) in which neither  process can expect the other process to function securely with respect  to some property. &lt;a class="http" href="http://packetstormsecurity.org/docs/rainbow-books/NCSC-TG-004.txt"&gt;[8&lt;/a&gt;]  &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;/li&gt;&lt;/ul&gt;&lt;div class="line874" style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;Negative tests &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;ul style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;li style="list-style-type: none;"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;Tests aimed at showing that software does not work (also called  dirty testing); e.g., most effective tests. [5] &lt;/b&gt;&lt;/span&gt;&lt;/li&gt;&lt;/ul&gt;&lt;div class="line874" style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;Network protocol stack  &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;ul style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;li style="list-style-type: none;"&gt;&lt;div class="line862"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;Software package that provides general purpose  networking services to application software, independent of the  particular type of data link being used. 
&lt;a class="http" href="http://kubarb.phsx.ukans.edu/%7Etbird/vpn/vpn-glossary.html"&gt;[18&lt;/a&gt;]  &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;/li&gt;&lt;/ul&gt;&lt;div class="line874" style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;Operational testing &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;ul style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;li style="list-style-type: none;"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;Testing conducted to evaluate a system or component in its  operational environment. [6] &lt;/b&gt;&lt;/span&gt;&lt;/li&gt;&lt;/ul&gt;&lt;div class="line874" style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;Oracle &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;ul style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;li style="list-style-type: none;"&gt;&lt;div class="line862"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;A mechanism to produce the predicted outcomes  to compare with the actual outcomes of the software under test. &lt;a class="http" href="http://www.testingstandards.co.uk/Gloss6_2.htm"&gt;[4&lt;/a&gt;]  (after Adrion) &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;/li&gt;&lt;li style="list-style-type: none;"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;Any (often automated) means that provides  information about the (correct) expected behavior of a component  (HOWD86). Without qualification, this term is often used synonymously  with input/outcome oracle. 
[5] &lt;/b&gt;&lt;/span&gt;&lt;/li&gt;&lt;/ul&gt;&lt;div class="line874" style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;Path coverage &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;ul style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;li style="list-style-type: none;"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;Metric applied to all path-testing strategies: in a hierarchy by  path length, where length is measured by the number of graph links  traversed by the path or path segment; e.g. coverage with respect to  path segments two links long, three links long, etc. Unqualified, this  term usually means coverage with respect to the set of entry/exit paths.  Often used erroneously as synonym for statement coverage. [5] &lt;/b&gt;&lt;/span&gt;&lt;/li&gt;&lt;/ul&gt;&lt;div class="line874" style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;Penetration  &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;ul style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;li style="list-style-type: none;"&gt;&lt;div class="line862"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;(I) Successful, repeatable, unauthorized access to a  protected system resource. (See: attack, violation.) &lt;a class="http" href="http://www.ietf.org/rfc/rfc2828.txt"&gt;[2&lt;/a&gt;] &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;/li&gt;&lt;li style="list-style-type: none;"&gt;&lt;div class="line862"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;The successful unauthorized access to an automated  system. &lt;a class="http" href="http://www.sans.org/newlook/resources/glossary.htm"&gt;[7&lt;/a&gt;] &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;/li&gt;&lt;li style="list-style-type: none;"&gt;&lt;div class="line862"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;The successful act of bypassing the security  mechanisms of a system. 
&lt;a class="http" href="http://packetstormsecurity.org/docs/rainbow-books/NCSC-TG-004.txt"&gt;[8&lt;/a&gt;]  &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;/li&gt;&lt;/ul&gt;&lt;div class="line874" style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;Penetration Testing &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;ul style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;li style="list-style-type: none;"&gt;&lt;div class="line862"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;The portion of security testing in which the  evaluators attempt to circumvent the security features of a system. The  evaluators may be assumed to use all system design and implementation  documentation, that may include listings of system source code, manuals,  and circuit diagrams. The evaluators work under the same constraints  applied to ordinary users. &lt;a class="http" href="http://www.sans.org/newlook/resources/glossary.htm"&gt;[7&lt;/a&gt;] &lt;a class="http" href="http://packetstormsecurity.org/docs/rainbow-books/NCSC-TG-004.txt"&gt;[8&lt;/a&gt;]  &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;/li&gt;&lt;li style="list-style-type: none;"&gt;&lt;div class="line862"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;(C) Penetration  testing may be performed under various constraints and conditions.  However, for a TCSEC evaluation, testers are assumed to have all system  design and implementation documentation, including source code, manuals,  and circuit diagrams, and to work under no greater constraints than  those applied to ordinary users. 
&lt;a class="http" href="http://www.ietf.org/rfc/rfc2828.txt"&gt;[2&lt;/a&gt;] &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;/li&gt;&lt;/ul&gt;&lt;div class="line874" style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;Point of Control  and Observation, PCO &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;ul style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;li style="list-style-type: none;"&gt;&lt;div class="line862"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;A place (point) within a testing environment  where the occurrence of test events is to be controlled and observed as  defined by the particular abstract test method used. &lt;a class="http" href="http://www.atis.org/atis/data/glossary.htm"&gt;[17&lt;/a&gt;] &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;/li&gt;&lt;/ul&gt;&lt;div class="line874" style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;Precondition  &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;ul style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;li style="list-style-type: none;"&gt;&lt;div class="line862"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;Environmental and state conditions which must be  fulfilled before the component can be executed with a particular input  value. 
&lt;a class="http" href="http://www.testingstandards.co.uk/Gloss6_2.htm"&gt;[4&lt;/a&gt;] &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;/li&gt;&lt;/ul&gt;&lt;div class="line874" style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;Proprietary  &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;ul style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;li style="list-style-type: none;"&gt;&lt;div class="line862"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;(I) Refers to information (or other property) that is  owned by an individual or organization and for which the use is  restricted by that entity. &lt;a class="http" href="http://www.ietf.org/rfc/rfc2828.txt"&gt;[2&lt;/a&gt;] &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;/li&gt;&lt;/ul&gt;&lt;div class="line874" style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;Protection profile  &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;ul style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;li style="list-style-type: none;"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;An  implementation-independent set of security requirements for a category  of TOEs [Target of Testing] that meet specific consumer needs. [9] &lt;/b&gt;&lt;/span&gt;&lt;/li&gt;&lt;/ul&gt;&lt;div class="line874" style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;Protocol  &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;ul style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;li style="list-style-type: none;"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;A set of  conventions that govern the interaction of processes, devices, and  other components within a system. 
[6] &lt;/b&gt;&lt;/span&gt;&lt;/li&gt;&lt;li style="list-style-type: none;"&gt;&lt;div class="line862"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;(ISO) A set of  semantic and syntactic rules that determines the behavior of functional  units in achieving communication. &lt;a class="http" href="http://www.fda.gov/ora/inspect_ref/igs/gloss.html"&gt;[10&lt;/a&gt;] &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;/li&gt;&lt;li style="list-style-type: none;"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;(I) A set of rules (i.e., formats and procedures) to implement  and control some type of association (e.g., communication) between  systems. (E.g., see: Internet &lt;/b&gt;&lt;/span&gt;&lt;/li&gt;&lt;/ul&gt;&lt;div class="line862" style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;Protocol.) &lt;a class="http" href="http://www.ietf.org/rfc/rfc2828.txt"&gt;[2&lt;/a&gt;] &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;ul style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;li style="list-style-type: none;"&gt;&lt;div class="line862"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;Agreed-upon methods  of communications used by computers. A specification that describes the  rules and procedures that products should follow to perform activities  on a network, such as transmitting data. If they use the same protocols,  products from different vendors should be able to communicate on the  same network. &lt;a class="http" href="http://www.sans.org/newlook/resources/glossary.htm"&gt;[7&lt;/a&gt;] &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;/li&gt;&lt;li style="list-style-type: none;"&gt;&lt;div class="line862"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;A set of rules and formats, semantic and  syntactic, that permits entities to exchange information. 
&lt;a class="http" href="http://packetstormsecurity.org/docs/rainbow-books/NCSC-TG-004.txt"&gt;[8&lt;/a&gt;]  &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;/li&gt;&lt;li style="list-style-type: none;"&gt;&lt;div class="line862"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;Code of correct  conduct: "safety protocols"; "academic protocol".&lt;a class="http" href="http://www.dict.org/"&gt;[16&lt;/a&gt;] &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;/li&gt;&lt;li style="list-style-type: none;"&gt;&lt;div class="line862"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;Forms of ceremony and  etiquette observed by diplomats and heads of state.&lt;a class="http" href="http://www.dict.org/"&gt;[16&lt;/a&gt;] &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;/li&gt;&lt;/ul&gt;&lt;div class="line874" style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;Protocol Data Unit, PDU &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;ul style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;li style="list-style-type: none;"&gt;&lt;div class="line862"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;A PDU is a message of  a given protocol comprising payload and protocol-specific control  information, typically contained in a header. PDUs pass over the  protocol interfaces which exist between the layers of protocols (per OSI  model). 
&lt;a class="http" href="http://www.atis.org/atis/data/glossary.htm"&gt;[17&lt;/a&gt;] &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;/li&gt;&lt;/ul&gt;&lt;div class="line874" style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;Regression  testing &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;ul style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;li style="list-style-type: none;"&gt;&lt;div class="line862"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;Retesting of a previously tested program following  modification to ensure that faults have not been introduced or uncovered  as a result of the changes made. &lt;a class="http" href="http://www.testingstandards.co.uk/Gloss6_2.htm"&gt;[4&lt;/a&gt;] &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;/li&gt;&lt;/ul&gt;&lt;div class="line874" style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;Reliability  &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;ul style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;li style="list-style-type: none;"&gt;&lt;div class="line862"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;The probability of a given system performing its mission  adequately for a specified period of time under the expected operating  conditions. &lt;a class="http" href="http://packetstormsecurity.org/docs/rainbow-books/NCSC-TG-004.txt"&gt;[8&lt;/a&gt;]  &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;/li&gt;&lt;li style="list-style-type: none;"&gt;&lt;div class="line862"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;Software reliability  is the probability that software will provide failure-free operation in a  fixed environment for a fixed interval of time. Probability of failure  is the probability that the software will fail on the next input  selected. 
Software reliability is typically measured per some unit of  time, whereas probability of failure is generally time independent.  These two measures can be easily related if you know the frequency with  which inputs are executed per unit of time. Mean-time-to-failure is the  average interval of time between failures; this is also sometimes  referred to as Mean-time-before-failure. &lt;a class="http" href="http://www.cigitallabs.com/resources/definitions/"&gt;[15&lt;/a&gt;] &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;/li&gt;&lt;/ul&gt;&lt;div class="line874" style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;Residual  risk &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;ul style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;li style="list-style-type: none;"&gt;&lt;div class="line862"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;The portion of risk that remains after security measures  have been applied. &lt;a class="http" href="http://packetstormsecurity.org/docs/rainbow-books/NCSC-TG-004.txt"&gt;[8&lt;/a&gt;]  &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;/li&gt;&lt;li style="list-style-type: none;"&gt;&lt;div class="line862"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;(I) The risk that  remains after countermeasures have been applied. &lt;a class="http" href="http://www.ietf.org/rfc/rfc2828.txt"&gt;[2&lt;/a&gt;] &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;/li&gt;&lt;/ul&gt;&lt;div class="line874" style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;Risk &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;ul style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;li style="list-style-type: none;"&gt;&lt;div class="line862"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;The probability that a  particular threat will exploit a particular vulnerability of the  system. 
&lt;a class="http" href="http://packetstormsecurity.org/docs/rainbow-books/NCSC-TG-004.txt"&gt;[8&lt;/a&gt;]  &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;/li&gt;&lt;li style="list-style-type: none;"&gt;&lt;div class="line862"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;(I) An expectation of  loss expressed as the probability that a particular threat will exploit a  particular vulnerability with a particular harmful result. &lt;a class="http" href="http://www.ietf.org/rfc/rfc2828.txt"&gt;[2&lt;/a&gt;] &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;/li&gt;&lt;/ul&gt;&lt;div class="line874" style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;Risk  analysis &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;ul style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;li style="list-style-type: none;"&gt;&lt;div class="line862"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;The process of identifying security risks, determining  their magnitude, and identifying areas needing safeguards. Risk analysis  is a part of risk management. Synonymous with risk assessment. &lt;a class="http" href="http://packetstormsecurity.org/docs/rainbow-books/NCSC-TG-004.txt"&gt;[8&lt;/a&gt;]  &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;/li&gt;&lt;li style="list-style-type: none;"&gt;&lt;div class="line862"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;(C) The analysis lists  risks in order of cost and criticality, thereby determining where  countermeasures should be applied first. It is usually financially and  technically infeasible to counteract all aspects of risk, and so some  residual risk will remain, even after all available countermeasures have  been deployed. 
[FP031, R2196] &lt;a class="http" href="http://www.ietf.org/rfc/rfc2828.txt"&gt;[2&lt;/a&gt;] &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;/li&gt;&lt;/ul&gt;&lt;div class="line874" style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;Risk assessment &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;ul style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;li style="list-style-type: none;"&gt;&lt;div class="line862"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;A study of  vulnerabilities, threats, likelihood, loss or impact, and theoretical  effectiveness of security measures. The process of evaluating threats  and vulnerabilities, known and postulated, to determine expected loss  and establish the degree of acceptability to system operations. &lt;a class="http" href="http://www.sans.org/newlook/resources/glossary.htm"&gt;[7&lt;/a&gt;]  &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;/li&gt;&lt;/ul&gt;&lt;div class="line874" style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;Risk management &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;ul style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;li style="list-style-type: none;"&gt;&lt;div class="line862"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;The total process of identifying,  controlling, and eliminating or minimizing uncertain events that may  affect system resources. It includes risk analysis, cost benefit  analysis, selection, implementation and test, security evaluation of  safeguards, and overall security review. 
&lt;a class="http" href="http://packetstormsecurity.org/docs/rainbow-books/NCSC-TG-004.txt"&gt;[8&lt;/a&gt;]  &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;/li&gt;&lt;li style="list-style-type: none;"&gt;&lt;div class="line862"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;(I) The process of  identifying, controlling, and eliminating or minimizing uncertain events  that may affect system resources. (See: risk analysis.) &lt;a class="http" href="http://www.ietf.org/rfc/rfc2828.txt"&gt;[2&lt;/a&gt;] &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;/li&gt;&lt;/ul&gt;&lt;div class="line874" style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;Robustness &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;ul style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;li style="list-style-type: none;"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;The degree to which a system or  component can function correctly in the presence of invalid inputs or  stressful environmental conditions. [6] &lt;/b&gt;&lt;/span&gt;&lt;/li&gt;&lt;li style="list-style-type: none;"&gt;&lt;div class="line862"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;See: software reliability. &lt;a class="http" href="http://www.fda.gov/ora/inspect_ref/igs/gloss.html"&gt;[10&lt;/a&gt;] &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;/li&gt;&lt;/ul&gt;&lt;div class="line874" style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;Safety  &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;ul style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;li style="list-style-type: none;"&gt;&lt;div class="line862"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;(DOD) Freedom from those conditions that can cause  death, injury, occupational illness, or damage to or loss of equipment  or property, or damage to the environment. 
&lt;a class="http" href="http://www.riceconsulting.com/Library/gloss.htm"&gt;[12&lt;/a&gt;] &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;/li&gt;&lt;li style="list-style-type: none;"&gt;&lt;div class="line862"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;(I) The property of a system being free from  risk of causing harm to system entities and outside entities. &lt;a class="http" href="http://www.ietf.org/rfc/rfc2828.txt"&gt;[2&lt;/a&gt;] &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;/li&gt;&lt;li style="list-style-type: none;"&gt;&lt;div class="line862"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;Software is deemed safe if it is impossible  (or at least highly unlikely) that the software could ever produce an  output that would cause a catastrophic event for the system that the  software controls. Examples of catastrophic events include loss of  physical property, physical harm, and loss-of-life. &lt;a class="http" href="http://www.cigitallabs.com/resources/definitions/"&gt;[15&lt;/a&gt;] &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;/li&gt;&lt;/ul&gt;&lt;div class="line874" style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;Safety-critical  software &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;ul style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;li style="list-style-type: none;"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;Safety-critical  software is any software that can directly or indirectly contribute to  the occurrence of a hazardous system state. 
[19] &lt;/b&gt;&lt;/span&gt;&lt;/li&gt;&lt;/ul&gt;&lt;div class="line874" style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;Security &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;ul style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;li style="list-style-type: none;"&gt;&lt;div class="line862"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;A condition that  results from the establishment and maintenance of protective measures  that ensure a state of inviolability from hostile acts or influences. &lt;a class="http" href="http://www.sans.org/newlook/resources/glossary.htm"&gt;[7&lt;/a&gt;]  &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;/li&gt;&lt;li style="list-style-type: none;"&gt;&lt;div class="line862"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;The subfield of  information science concerned with ensuring that information systems are  imbued with the condition of being secure, as well as the means of  establishing, testing, auditing, and otherwise maintaining that  condition. &lt;a class="http" href="http://www.sei.cmu.edu/publications/documents/99.reports/99tr028/99tr028title.html"&gt;[14&lt;/a&gt;]  &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;/li&gt;&lt;li style="list-style-type: none;"&gt;&lt;div class="line862"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;(I) (1.) Measures  taken to protect a system. (2.) The condition of a system that results  from the establishment and maintenance of measures to protect the  system. (3.) The condition of system resources being free from  unauthorized access and from unauthorized or accidental change,  destruction, or loss. 
&lt;a class="http" href="http://www.ietf.org/rfc/rfc2828.txt"&gt;[2&lt;/a&gt;] &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;/li&gt;&lt;li style="list-style-type: none;"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;Security  is concerned with the protection of assets from threats, where threats  are categorised as the potential for abuse of protected assets. All  categories of threats should be considered; but in the domain of  security greater attention is given to those threats that are related to  malicious or other human activities. [9] &lt;/b&gt;&lt;/span&gt;&lt;/li&gt;&lt;/ul&gt;&lt;div class="line874" style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;Security evaluation &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;ul style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;li style="list-style-type: none;"&gt;&lt;div class="line862"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;An evaluation done to  assess the degree of trust that can be placed in systems for the secure  handling of sensitive information. One type, a product evaluation, is  an evaluation performed on the hardware and software features and  assurances of a computer product from a perspective that excludes the  application environment. The other type, a system evaluation, is done  for the purpose of assessing a system's security safeguards with respect  to a specific operational mission and is a major step in the  certification and accreditation process. 
&lt;a class="http" href="http://packetstormsecurity.org/docs/rainbow-books/NCSC-TG-004.txt"&gt;[8&lt;/a&gt;]  &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;/li&gt;&lt;/ul&gt;&lt;div class="line874" style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;Security flaw &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;ul style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;li style="list-style-type: none;"&gt;&lt;div class="line862"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;An error of commission or omission in a  system that may allow protection mechanisms to be bypassed. &lt;a class="http" href="http://packetstormsecurity.org/docs/rainbow-books/NCSC-TG-004.txt"&gt;[8&lt;/a&gt;]  &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;/li&gt;&lt;/ul&gt;&lt;div class="line874" style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;Security function &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;ul style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;li style="list-style-type: none;"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;A part or parts of the TOE [Target of Testing] that have to be  relied upon for enforcing a closely related subset of the rules from the  TSP [TOE Security Policy]. 
[9] &lt;/b&gt;&lt;/span&gt;&lt;/li&gt;&lt;/ul&gt;&lt;div class="line874" style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;Security measures &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;ul style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;li style="list-style-type: none;"&gt;&lt;div class="line862"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;Elements of software, firmware, hardware, or  procedures that are included in a system for the satisfaction of  security specifications.&lt;a class="http" href="http://packetstormsecurity.org/docs/rainbow-books/NCSC-TG-004.txt"&gt;[8&lt;/a&gt;]  &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;/li&gt;&lt;/ul&gt;&lt;div class="line874" style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;Security requirement &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;ul style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;li style="list-style-type: none;"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;Security requirements generally include both requirements for  the presence of desired behaviour and requirements for the absence of  undesired behaviour. It is normally possible to demonstrate, by use or  testing, the presence of the desired behaviour. It is not always  possible to perform a conclusive demonstration of absence of undesired  behaviour. Testing, design review, and implementation review contribute  significantly to reducing the risk that such undesired behaviour is  present. 
[9] &lt;/b&gt;&lt;/span&gt;&lt;/li&gt;&lt;/ul&gt;&lt;div class="line874" style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;Security target &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;ul style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;li style="list-style-type: none;"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;A set of security requirements and specifications to be used as  the basis for evaluation of an identified TOE [Target of Testing]. [9] &lt;/b&gt;&lt;/span&gt;&lt;/li&gt;&lt;/ul&gt;&lt;div class="line874" style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;Security  testing &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;ul style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;li style="list-style-type: none;"&gt;&lt;div class="line862"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;Testing whether the system meets its specified security  objectives. &lt;a class="http" href="http://www.testingstandards.co.uk/Gloss6_2.htm"&gt;[4&lt;/a&gt;] &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;/li&gt;&lt;li style="list-style-type: none;"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;Security testing attempts to verify that protection mechanisms  built into a system will, in fact, protect it from improper penetration.  ... Given enough time and resources, good security testing will  ultimately penetrate a system. [20] (p.652) &lt;/b&gt;&lt;/span&gt;&lt;/li&gt;&lt;li style="list-style-type: none;"&gt;&lt;div class="line862"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;A process used to determine that the security features  of a system are implemented as designed. This includes hands-on  functional testing, penetration testing, and verification. 
&lt;a class="http" href="http://packetstormsecurity.org/docs/rainbow-books/NCSC-TG-004.txt"&gt;[8&lt;/a&gt;]  &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;/li&gt;&lt;/ul&gt;&lt;div class="line874" style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;Silver bullet &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;ul style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;li style="list-style-type: none;"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;A methodology, practice, or prescription that promises  miraculous results if followed - e.g., structured programming will rid  you of all bugs, as will human sacrifices to the Atlantean god Fugawe.  Named either after the Lone Ranger whose silver bullets always brought  justice or, alternatively, as the only known antidote to werewolves. [5]  &lt;/b&gt;&lt;/span&gt;&lt;/li&gt;&lt;/ul&gt;&lt;div class="line874" style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;Smart  testing &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;ul style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;li style="list-style-type: none;"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;Tests  that based on theory or experience are expected to have a high  probability of detecting specified classes of bugs; tests aimed at  specific bug types. [5] &lt;/b&gt;&lt;/span&gt;&lt;/li&gt;&lt;/ul&gt;&lt;div class="line874" style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;Snake oil &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;ul style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;li style="list-style-type: none;"&gt;&lt;div class="line862"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;Derogatory term applied to a product whose  developers describe it with misleading, inconsistent, or incorrect  technical statements. 
&lt;a class="http" href="http://kubarb.phsx.ukans.edu/%7Etbird/vpn/vpn-glossary.html"&gt;[18&lt;/a&gt;]  &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;/li&gt;&lt;/ul&gt;&lt;div class="line874" style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;Sneaker &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;ul style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;li style="list-style-type: none;"&gt;&lt;div class="line862"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;An individual hired to break into places in  order to test their security; analogous to tiger team. &lt;a class="http" href="http://www.sans.org/newlook/resources/glossary.htm"&gt;[7&lt;/a&gt;] &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;/li&gt;&lt;/ul&gt;&lt;div class="line874" style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;Software  reliability &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;ul style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;li style="list-style-type: none;"&gt;&lt;div class="line862"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;(IEEE) (1) the probability that software will  not cause the failure of a system for a specified time under specified  conditions. The probability is a function of the inputs to and use of  the system in the software. The inputs to the system determine whether  existing faults, if any, are encountered. (2) The ability of a program  to perform its required functions accurately and reproducibly under  stated conditions for a specified period of time. 
&lt;a class="http" href="http://www.fda.gov/ora/inspect_ref/igs/gloss.html"&gt;[10&lt;/a&gt;] &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;/li&gt;&lt;/ul&gt;&lt;div class="line874" style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;Statement  coverage &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;ul style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;li style="list-style-type: none;"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;Metric  of the number of source language statements executed under test. [5] &lt;/b&gt;&lt;/span&gt;&lt;/li&gt;&lt;/ul&gt;&lt;div class="line874" style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;Static  analysis &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;ul style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;li style="list-style-type: none;"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;The  process of evaluating a system or component based on its form,  structure, content, or documentation. Contrast with: dynamic analysis.  [6] &lt;/b&gt;&lt;/span&gt;&lt;/li&gt;&lt;li style="list-style-type: none;"&gt;&lt;div class="line862"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;Analysis of a program  carried out without executing the program. &lt;a class="http" href="http://www.testingstandards.co.uk/Gloss6_2.htm"&gt;[4&lt;/a&gt;] &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;/li&gt;&lt;li style="list-style-type: none;"&gt;&lt;div class="line862"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;(NBS) Analysis of a program that is performed  without executing the program. 
&lt;a class="http" href="http://www.fda.gov/ora/inspect_ref/igs/gloss.html"&gt;[10&lt;/a&gt;] &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;/li&gt;&lt;/ul&gt;&lt;div class="line874" style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;Stress  testing &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;ul style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;li style="list-style-type: none;"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;Testing  in which a system is subjected to unrealistically harsh inputs or load  with inadequate resources with the intention of breaking it. [5] &lt;/b&gt;&lt;/span&gt;&lt;/li&gt;&lt;li style="list-style-type: none;"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;Testing conducted to evaluate a system or component at or beyond  the limits of its specified requirements. See also: boundary value. [6] &lt;/b&gt;&lt;/span&gt;&lt;/li&gt;&lt;li style="list-style-type: none;"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;Stress tests are designed to confront programs with abnormal  situations. ... Stress testing executes a system in a manner that  demands resources in abnormal quantity, frequency, or volume. ...  Essentially, the tester attempts to break the program. [20] (p.652-653) &lt;/b&gt;&lt;/span&gt;&lt;/li&gt;&lt;/ul&gt;&lt;div class="line874" style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;Structural  testing &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;ul style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;li style="list-style-type: none;"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;Testing  that takes into account the internal mechanism of a system or component.  Types include branch testing, path testing, statement testing. Syn:  glass-box testing; white-box testing. 
Contrast with: functional testing  (1) [6] &lt;/b&gt;&lt;/span&gt;&lt;/li&gt;&lt;li style="list-style-type: none;"&gt;&lt;div class="line862"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;(1) (IEEE) Testing  that takes into account the internal mechanism [structure] of a system  or component. Types include branch testing, path testing, statement  testing. (2) Testing to insure each program statement is made to execute  during testing and that each program statement performs its intended  function. Contrast with functional testing. Syn: white-box testing,  glass-box testing, logic driven testing. &lt;a class="http" href="http://www.fda.gov/ora/inspect_ref/igs/gloss.html"&gt;[10&lt;/a&gt;] &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;/li&gt;&lt;/ul&gt;&lt;div class="line874" style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;Subtest  &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;ul style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;li style="list-style-type: none;"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;The  smallest identifiable part of a test consisting of at least one input  and one outcome. [5] &lt;/b&gt;&lt;/span&gt;&lt;/li&gt;&lt;/ul&gt;&lt;div class="line874" style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;Symbolic execution &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;ul style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;li style="list-style-type: none;"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;A software analysis technique in which program execution is  simulated using symbols, such as variable names, rather than actual  values for input data, and program outputs are expressed as logical or  mathematical expressions involving these symbols. 
[6] &lt;/b&gt;&lt;/span&gt;&lt;/li&gt;&lt;/ul&gt;&lt;div class="line874" style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;Syntax &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;ul style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;li style="list-style-type: none;"&gt;&lt;div class="line862"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;The structural or  grammatical rules that define how symbols in a language are to be  combined to form words, phrases, expressions, and other allowable  constructs. &lt;a class="http" href="http://www.fda.gov/ora/inspect_ref/igs/gloss.html"&gt;[10&lt;/a&gt;] &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;/li&gt;&lt;/ul&gt;&lt;div class="line874" style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;Syntax  testing &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;ul style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;li style="list-style-type: none;"&gt;&lt;div class="line862"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;A test case design technique for a component or system  in which test case design is based upon the syntax of the input. &lt;a class="http" href="http://www.testingstandards.co.uk/Gloss6_2.htm"&gt;[4&lt;/a&gt;]  &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;/li&gt;&lt;/ul&gt;&lt;div class="line874" style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;System testing &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;ul style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;li style="list-style-type: none;"&gt;&lt;div class="line862"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;The testing of a complete system prior to  delivery. The purpose of system testing is to identify defects that will  only surface when a complete system is assembled. 
That is, defects that  cannot be attributed to individual components or the interaction  between two components. System testing includes testing of performance,  security, configuration sensitivity, startup and recovery from failure  modes. &lt;a class="http" href="http://www.chambers.com.au/glossary/glossary.htm"&gt;[21&lt;/a&gt;] &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;/li&gt;&lt;/ul&gt;&lt;div class="line874" style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;System  Under Test, SUT &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;ul style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;li style="list-style-type: none;"&gt;&lt;div class="line862"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;The real open system in which the  Implementation Under Test (IUT) resides. &lt;a class="http" href="http://www.atis.org/atis/data/glossary.htm"&gt;[17&lt;/a&gt;] &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;/li&gt;&lt;/ul&gt;&lt;div class="line874" style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;Target  of evaluation, TOE &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;ul style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;li style="list-style-type: none;"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;An IT product or system and its associated administrator and user  guidance documentation that is the subject of evaluation. [9] &lt;/b&gt;&lt;/span&gt;&lt;/li&gt;&lt;/ul&gt;&lt;div class="line874" style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;Taxonomy  &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;ul style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;li style="list-style-type: none;"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;A scheme  that partitions a body of knowledge and defines the relationships among  the pieces. 
It is used for classifying and undertranding the body of  knowledge. [22] &lt;/b&gt;&lt;/span&gt;&lt;/li&gt;&lt;li style="list-style-type: none;"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;A taxonomy is the theoretical study of  classiication, including its bases, principles, procedures and rules  [Simpson 1945; ...; WEBOL 1998]. [11] &lt;/b&gt;&lt;/span&gt;&lt;/li&gt;&lt;/ul&gt;&lt;div class="line874" style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;Technical attack &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;ul style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;li style="list-style-type: none;"&gt;&lt;div class="line862"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;An attack that can be perpetrated by  circumventing or nullifying hardware and software protection mechanisms,  rather than by subverting system personnel or other users. &lt;a class="http" href="http://packetstormsecurity.org/docs/rainbow-books/NCSC-TG-004.txt"&gt;[8&lt;/a&gt;]  &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;/li&gt;&lt;/ul&gt;&lt;div class="line874" style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;Technical vulnerability &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;ul style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;li style="list-style-type: none;"&gt;&lt;div class="line862"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;A hardware, firmware,  communication, or software flaw that leaves a computer processing  system open for potential exploitation, either externally or internally,  thereby resulting in risk for the owner, user, or manager of the  system. 
&lt;a class="http" href="http://packetstormsecurity.org/docs/rainbow-books/NCSC-TG-004.txt"&gt;[8&lt;/a&gt;]  &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;/li&gt;&lt;/ul&gt;&lt;div class="line874" style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;Test &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;ul style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;li style="list-style-type: none;"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;(1) An activity in which a system or component is executed under  specified conditions, the results are observed or recorded and an  evaluation is made of some aspect of the system or component. (2) To  conduct an activity as in (1). (3) A set of one or more test cases. (4) A  set of one or more test procedures. (5) A set of one or more test cases  and procedures. [6] &lt;/b&gt;&lt;/span&gt;&lt;/li&gt;&lt;li style="list-style-type: none;"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;Subtests are grouped into tests, which  must be run as a set, typically because the outcome of one subtest is  the input or the initial condition for the next subtest in the test.  Tests can be run independently of one another but are typically defined  over the same database. [5] (p.447) &lt;/b&gt;&lt;/span&gt;&lt;/li&gt;&lt;/ul&gt;&lt;div class="line874" style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;Test bed &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;ul style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;li style="list-style-type: none;"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;An environment containing the hardware, instrumentation,  simulators, software tools, and other support elements needed to conduct  a test. 
[6] &lt;/b&gt;&lt;/span&gt;&lt;/li&gt;&lt;li style="list-style-type: none;"&gt;&lt;div class="line862"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;Any system whose  primary purpose is to provide a framework within which other systems can  be tested. Test beds are usually tailored to a specific programming  language and implementation technique, and often to a specific  application. Typically a test bed provides some means of simulating the  environment of the system under test, of test-data generation and  presentation, and of recording test results. &lt;a class="http" href="http://www.coe.missouri.edu/%7Eis334/projects/Project_LIS/glossarya.html"&gt;[23&lt;/a&gt;]  according to Dictionary of Computing, Valerie Illingworth, C1996 &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;/li&gt;&lt;/ul&gt;&lt;div class="line874" style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;Test  bed configuration &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;ul style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;li style="list-style-type: none;"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;This includes many things: hardware physical configuration,  platform software configuration, operating system version, sysgen  details, test terminals, test tools, etc. It must be possible to  precisely recreate the entire test situation... 
[5] (p.448) &lt;/b&gt;&lt;/span&gt;&lt;/li&gt;&lt;/ul&gt;&lt;div class="line874" style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;Test  case &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;ul style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;li style="list-style-type: none;"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;(1) A  set of test inputs, execution conditions, and expected results developed  for a particular objective, such as to exercise a particular program  path or to verify compliance with a specific requirement [do178b?]. (2)  Documentation specifying inputs, predicted results, and a set of  execution conditions for a test item [24]. See also: test case  generator; test case specification. [6] &lt;/b&gt;&lt;/span&gt;&lt;/li&gt;&lt;li style="list-style-type: none;"&gt;&lt;div class="line862"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;A document describing a single test instance in terms of  input data, test procedure, test execution environment and expected  outcome. Test cases also reference test objectives such as verifying  compliance with a particular requirement or execution of a particular  program path. &lt;a class="http" href="http://www.chambers.com.au/glossary/glossary.htm"&gt;[21&lt;/a&gt;] &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;/li&gt;&lt;/ul&gt;&lt;div class="line874" style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;Test  case generator &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;ul style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;li style="list-style-type: none;"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;A software tool that accepts as input source code, test criteria,  specifications, or data structure definitions; uses these inputs to  generate test input data; and, sometimes, determines expected results.  Syn: test data generator, test generator. 
[6] &lt;/b&gt;&lt;/span&gt;&lt;/li&gt;&lt;/ul&gt;&lt;div class="line874" style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;Test case  specification &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;ul style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;li style="list-style-type: none;"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;A document that specifies the test inputs, execution conditions,  and predicted results for an item to be tested. Syn: test description,  test specification. [6] &lt;/b&gt;&lt;/span&gt;&lt;/li&gt;&lt;/ul&gt;&lt;div class="line874" style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;Test case suite &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;ul style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;li style="list-style-type: none;"&gt;&lt;div class="line862"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;A collection of one or more test cases for  the software under test. &lt;a class="http" href="http://www.testingstandards.co.uk/Gloss6_2.htm"&gt;[4&lt;/a&gt;] &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;/li&gt;&lt;/ul&gt;&lt;div class="line874" style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;Test  cycle &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;ul style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;li style="list-style-type: none;"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;A formal  test cycle consists of all tests performed. In software development, it  can consist of, for example, the following tests: unit/component  testing, integration testing, system testing, user acceptance testing  and the code inspection. 
[25] &lt;/b&gt;&lt;/span&gt;&lt;/li&gt;&lt;/ul&gt;&lt;div class="line874" style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;Test design &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;ul style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;li style="list-style-type: none;"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;Documentation specifying the details of the test approach for a  software feature or combination of software features and identifying the  associated tests. [6] [24] &lt;/b&gt;&lt;/span&gt;&lt;/li&gt;&lt;/ul&gt;&lt;div class="line874" style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;Test driver &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;ul style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;li style="list-style-type: none;"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;A program or testing tool used to execute and control testing.  Includes initialization, data object support, preparation of input  values, call to tested object, recording and comparison of outcomes to  required outcomes. [5] &lt;/b&gt;&lt;/span&gt;&lt;/li&gt;&lt;li style="list-style-type: none;"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;A software module used to invoke a  module under test and, often, provide test inputs, control and monitor  execution, and report test results. Syn: test harness. [6] &lt;/b&gt;&lt;/span&gt;&lt;/li&gt;&lt;li style="list-style-type: none;"&gt;&lt;div class="line862"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;A program or test tool used to execute  software against a test case suite. 
&lt;a class="http" href="http://www.testingstandards.co.uk/Gloss6_2.htm"&gt;[4&lt;/a&gt;] &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;/li&gt;&lt;/ul&gt;&lt;div class="line874" style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;Test  environment &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;ul style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;li style="list-style-type: none;"&gt;&lt;div class="line862"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;A description of the hardware and software  environment in which the tests will be run, and any other software with  which the software under test interacts when under test including stubs  and test drivers. &lt;a class="http" href="http://www.testingstandards.co.uk/Gloss6_2.htm"&gt;[4&lt;/a&gt;] &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;/li&gt;&lt;/ul&gt;&lt;div class="line874" style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;Test  execution &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;ul style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;li style="list-style-type: none;"&gt;&lt;div class="line862"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;The processing of a test case suite by the  software under test, producing an outcome. &lt;a class="http" href="http://www.testingstandards.co.uk/Gloss6_2.htm"&gt;[4&lt;/a&gt;] &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;/li&gt;&lt;/ul&gt;&lt;div class="line874" style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;Test  generator &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;ul style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;li style="list-style-type: none;"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;A program that generates tests in accordance to a specified  strategy or heuristic. 
[5] &lt;/b&gt;&lt;/span&gt;&lt;/li&gt;&lt;li style="list-style-type: none;"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;See: test case generator. [6] &lt;/b&gt;&lt;/span&gt;&lt;/li&gt;&lt;/ul&gt;&lt;div class="line874" style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;Test  item &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;ul style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;li style="list-style-type: none;"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;A  software item which is an object of testing. [6] [24] &lt;/b&gt;&lt;/span&gt;&lt;/li&gt;&lt;/ul&gt;&lt;div class="line874" style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;Test  log &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;ul style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;li style="list-style-type: none;"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;A  chronological record of all relevant details about the execution of a  test. [6] &lt;/b&gt;&lt;/span&gt;&lt;/li&gt;&lt;/ul&gt;&lt;div class="line874" style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;Test plan &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;ul style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;li style="list-style-type: none;"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;A document describing the scope, approach, resources, and  schedule of intended test activities. It identifies test items, the  features to be tested, the testing tasks, who will do each task, and any  risks requiring contingency planning. 
[6] [24] &lt;/b&gt;&lt;/span&gt;&lt;/li&gt;&lt;li style="list-style-type: none;"&gt;&lt;div class="line862"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;A record of the test planning process detailing the  degree of tester independence, the test environment, the test case  design techniques and test measurement techniques to be used, and the  rationale for their choice. &lt;a class="http" href="http://www.testingstandards.co.uk/Gloss6_2.htm"&gt;[4&lt;/a&gt;] &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;/li&gt;&lt;/ul&gt;&lt;div class="line874" style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;Test  procedure &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;ul style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;li style="list-style-type: none;"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;(1) Detailed instructions for the set-up, execution, and  evaluation of results for a given test case. (2) A document containing a  set of associated instructions as in (1). (3) Documentation specifying a  sequence of actions for the execution of a test [24] [6] &lt;/b&gt;&lt;/span&gt;&lt;/li&gt;&lt;li style="list-style-type: none;"&gt;&lt;div class="line862"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;(NIST) A formal document developed from a test  plan that presents detailed instructions for the setup, operation, and  evaluation of the results for each defined test. See: test case. 
&lt;a class="http" href="http://www.fda.gov/ora/inspect_ref/igs/gloss.html"&gt;[10&lt;/a&gt;]  &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;/li&gt;&lt;/ul&gt;&lt;div class="line874" style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;Test report &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;ul style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;li style="list-style-type: none;"&gt;&lt;div class="line862"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;A document that summarizes the outcome of  testing in terms of items tested, summary of results (e.g. defect  density), effectiveness of testing and lessons learned. &lt;a class="http" href="http://www.chambers.com.au/glossary/glossary.htm"&gt;[21&lt;/a&gt;] &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;/li&gt;&lt;li style="list-style-type: none;"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;A document that describes the conduct and results of the testing  carried out for a system or component. Syn: test summary report. [6] &lt;/b&gt;&lt;/span&gt;&lt;/li&gt;&lt;/ul&gt;&lt;div class="line874" style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;Test  result analyzer &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;ul style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;li style="list-style-type: none;"&gt;&lt;div class="line862"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;A software tool used to test output data  reduction, formatting, and printing. 
&lt;a class="http" href="http://www.fda.gov/ora/inspect_ref/igs/gloss.html"&gt;[10&lt;/a&gt;] &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;/li&gt;&lt;/ul&gt;&lt;div class="line874" style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;Test  strategy &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;ul style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;li style="list-style-type: none;"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;Any  method for generating tests based on formally or informally defined  criteria of test completeness (also test technique). [5] &lt;/b&gt;&lt;/span&gt;&lt;/li&gt;&lt;/ul&gt;&lt;div class="line874" style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;Test  suite &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;ul style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;li style="list-style-type: none;"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;A test  suite is a set of related tests, usually pertaining to a group of  features or software component and usually defined over the same  database. Suites are combined into groups. [5] (p.448) &lt;/b&gt;&lt;/span&gt;&lt;/li&gt;&lt;li style="list-style-type: none;"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;A group of tests with a common purpose and database, usually run  as a group. [5] &lt;/b&gt;&lt;/span&gt;&lt;/li&gt;&lt;/ul&gt;&lt;div class="line874" style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;Tester &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;ul style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;li style="list-style-type: none;"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;One who writes and/or executes tests of software with the  intention of demonstrating that the software does not work. 
Contrast  with programmer whose tests (if any) are intended to show that the  program does work. [5] &lt;/b&gt;&lt;/span&gt;&lt;/li&gt;&lt;/ul&gt;&lt;div class="line874" style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;Testing &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;ul style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;li style="list-style-type: none;"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;The purpose of testing is to discover errors. Testing is the  process of trying to discover every conceivable fault or weakness in a  work product. [26] &lt;/b&gt;&lt;/span&gt;&lt;/li&gt;&lt;li style="list-style-type: none;"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;(1) The process of operating a system or  component under specified conditions, observing or recording the  results, and making an evaluation of some aspect of the system or  component. (2) The process of analyzing a software item to detect the  differences between existing and required conditions, (that is, bugs)  and to evaluate the features of the software items. [6] &lt;/b&gt;&lt;/span&gt;&lt;/li&gt;&lt;/ul&gt;&lt;div class="line874" style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;Thrashing  &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;ul style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;li style="list-style-type: none;"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;A state  in which a computer system is expending most or all of its resources on  overhead operations, such as swapping data between main and auxiliary  storage, rather than on intended computing functions. 
[6] &lt;/b&gt;&lt;/span&gt;&lt;/li&gt;&lt;/ul&gt;&lt;div class="line874" style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;Threat &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;ul style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;li style="list-style-type: none;"&gt;&lt;div class="line862"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;The means through  which the ability or intent of a threat agent to adversely affect an  automated system, facility, or operation can be manifest. A potential  violation of security. &lt;a class="http" href="http://www.sans.org/newlook/resources/glossary.htm"&gt;[7&lt;/a&gt;] &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;/li&gt;&lt;li style="list-style-type: none;"&gt;&lt;div class="line862"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;Any circumstance or event with the potential  to cause harm to a system in the form of destruction, disclosure,  modification of data, and/or denial of service. &lt;a class="http" href="http://packetstormsecurity.org/docs/rainbow-books/NCSC-TG-004.txt"&gt;[8&lt;/a&gt;]  &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;/li&gt;&lt;/ul&gt;&lt;div class="line874" style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;Threat analysis &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;ul style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;li style="list-style-type: none;"&gt;&lt;div class="line862"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;The examination of all actions and events  that might adversely affect a system or operation. 
&lt;a class="http" href="http://packetstormsecurity.org/docs/rainbow-books/NCSC-TG-004.txt"&gt;[8&lt;/a&gt;]  &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;/li&gt;&lt;/ul&gt;&lt;div class="line874" style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;Tiger team &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;ul style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;li style="list-style-type: none;"&gt;&lt;div class="line862"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;[U.S. military jargon] 1. Originally, a team  (of sneakers) whose purpose is to penetrate security, and thus test  security measures. ... Serious successes of tiger teams sometimes lead  to early retirement for base commanders and security officers. 2.  Recently, and more generally, any official inspection team or special  firefighting group called in to look at a problem. A subset of tiger  teams are professional crackers, testing the security of military  computer installations by attempting remote attacks via networks or  supposedly `secure' comm channels. The term has been adopted in  commercial computer-security circles in this more specific sense. &lt;a class="http" href="http://www.jargon.org/html"&gt;[27&lt;/a&gt;] &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;/li&gt;&lt;li style="list-style-type: none;"&gt;&lt;div class="line862"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;Government and industry - sponsored teams of  computer experts who attempt to break down the defenses of computer  systems in an effort to uncover, and eventually patch, security holes. 
&lt;a class="http" href="http://www.sans.org/newlook/resources/glossary.htm"&gt;[7&lt;/a&gt;]  &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;/li&gt;&lt;/ul&gt;&lt;div class="line874" style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;Trojan Horse &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;ul style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;li style="list-style-type: none;"&gt;&lt;div class="line862"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;An apparently useful and innocent program  containing additional hidden code which allows the unauthorized  collection, exploitation, falsification, or destruction of data. &lt;a class="http" href="http://www.sans.org/newlook/resources/glossary.htm"&gt;[7&lt;/a&gt;]  &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;/li&gt;&lt;/ul&gt;&lt;div class="line874" style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;Underflow &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;ul style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;li style="list-style-type: none;"&gt;&lt;div class="line862"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;(ISO) The state in which a calculator shows a  zero indicator for the most significant part of a number while the  least significant part of the number is dropped. For example, if the  calculator output capacity is four digits, the number .0000432 will be  shown as .0000. See: arithmetic underflow. 
&lt;a class="http" href="http://www.fda.gov/ora/inspect_ref/igs/gloss.html"&gt;[10&lt;/a&gt;] &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;/li&gt;&lt;/ul&gt;&lt;div class="line874" style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;Unit  &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;ul style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;li style="list-style-type: none;"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;The  smallest piece of software that can be independently tested (i.e.,  compiled or assembled, loaded, and tested). Usually the work of one  programmer consisting of a few hundred lines of source code. [5] &lt;/b&gt;&lt;/span&gt;&lt;/li&gt;&lt;/ul&gt;&lt;div class="line874" style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;Validation  &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;ul style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;li style="list-style-type: none;"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;The  process of evaluating a system or component during or at the end of the  development process to determine whether it satisfies specified  requirements. [6] &lt;/b&gt;&lt;/span&gt;&lt;/li&gt;&lt;li style="list-style-type: none;"&gt;&lt;div class="line862"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;(1) (FDA) Establishing  documented evidence which provides a high degree of assurance that a  specific process will consistently produce a product meeting its  predetermined specifications and quality attributes. Contrast with data  validation. 
&lt;a class="http" href="http://www.fda.gov/ora/inspect_ref/igs/gloss.html"&gt;[10&lt;/a&gt;] &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;/li&gt;&lt;/ul&gt;&lt;div class="line874" style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;Vendor  &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;ul style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;li style="list-style-type: none;"&gt;&lt;div class="line862"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;A person or an organization that provides software  and/or hardware and/or firmware and/or documentation to the user for a  fee or in exchange for services. Such a firm could be a medical device  manufacturer. &lt;a class="http" href="http://www.fda.gov/ora/inspect_ref/igs/gloss.html"&gt;[10&lt;/a&gt;] &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;/li&gt;&lt;li style="list-style-type: none;"&gt;&lt;div class="line862"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;A 'vendor' is any entity that produces  networking or computing technology, and is responsible for the technical  content of that technology. Examples of 'technology' include hardware  (desktop computers, routers, switches, etc.), and software (operating  systems, mail forwarding systems, etc.). Note that the supplier of a  technology is not necessarily the 'vendor' of that technology. As an  example, an Internet Service Provider (ISP) might supply routers to each  of its customers, but the 'vendor' is the manufacturer, since the  manufacturer, rather than the ISP, is the entity responsible for the  technical content of the router. 
&lt;a class="http" href="http://www.ietf.org/rfc/rfc2350.txt"&gt;[28&lt;/a&gt;] &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;/li&gt;&lt;/ul&gt;&lt;div class="line874" style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;Vulnerability &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;ul style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;li style="list-style-type: none;"&gt;&lt;div class="line862"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;Hardware, firmware,  or software flaw that leaves an AIS open for potential exploitation. A  weakness in automated system security procedures, administrative  controls, physical layout, internal controls, and so forth, that could  be exploited by a threat to gain unauthorized access to information or  disrupt critical processing. &lt;a class="http" href="http://www.sans.org/newlook/resources/glossary.htm"&gt;[7&lt;/a&gt;] &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;/li&gt;&lt;li style="list-style-type: none;"&gt;&lt;div class="line862"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;A weakness in system security procedures,  system design, implementation, internal controls, etc., that could be  exploited to violate system security policy. &lt;a class="http" href="http://packetstormsecurity.org/docs/rainbow-books/NCSC-TG-004.txt"&gt;[8&lt;/a&gt;]  &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;/li&gt;&lt;li style="list-style-type: none;"&gt;&lt;div class="line862"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;(I) A flaw or weakness  in a system's design, implementation, or operation and management that  could be exploited to violate the system's security policy. 
&lt;a class="http" href="http://www.ietf.org/rfc/rfc2828.txt"&gt;[2&lt;/a&gt;] &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;/li&gt;&lt;li style="list-style-type: none;"&gt;&lt;div class="line862"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;(C) Most systems have vulnerabilities of some  sort, but this does not mean that the systems are too flawed to use.  Not every threat results in an attack, and not every attack succeeds.  Success depends on the degree of vulnerability, the strength of attacks,  and the effectiveness of any countermeasures in use. If the attacks  needed to exploit a vulnerability are very difficult to carry out, then  the vulnerability may be tolerable. If the perceived benefit to an  attacker is small, then even an easily exploited vulnerability may be  tolerable. However, if the attacks are well understood and easily made,  and if the vulnerable system is employed by a wide range of users, then  it is likely that there will be enough benefit for someone to make an  attack. &lt;a class="http" href="http://www.ietf.org/rfc/rfc2828.txt"&gt;[2&lt;/a&gt;]  &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;/li&gt;&lt;li style="list-style-type: none;"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;"A state-space vulnerability is a  characterization of a vulnerable state which distinguishes it from all  non-vulnerable states. If generic, the vulnerability may characterize  many vulnerable states; if specific, it may characterize only one..."  
[Bishop and Bailey 1996] [11] &lt;/b&gt;&lt;/span&gt;&lt;/li&gt;&lt;li style="list-style-type: none;"&gt;&lt;div class="line862"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;The Data &amp;amp;  Computer Security Dictionary of Standards, Concepts, and Terms [Longley  and Shain 1990] defines computer vulnerability as: 1) In computer  security, a weakness in automated systems security procedures,  administrative controls, internal controls, etc., that could be  exploited by a threat to gain unauthorized access to information or to  disrupt critical processing. 2) In computer security, a weakness in the  physical layout, organization, procedures, personnel, management,  administration, hardware or software that may be exploited to cause harm  to the ADP system or activity. The presence of a vulnerability does not  itself cause harm. A vulnerability is merely a condition or set of  conditions that may allow the ADP system or activity to be harmed by an  attack. 3) In computer security, any weakness or flaw existing in a  system. The attack or harmful event, or the opportunity available to  threat agent to mount that attack. [11] &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;/li&gt;&lt;li style="list-style-type: none;"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;[Amoroso  1994] defines a vulnerability as an unfortunate characteristic that  allows a threat to potentially occur. A threat is any potential  occurrence, malicious or otherwise, that can have an undesirable effect  on these assets and resources associated with a computer system. [11] &lt;/b&gt;&lt;/span&gt;&lt;/li&gt;&lt;li style="list-style-type: none;"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;...a fuzzy vulnerability is a violation of the expectations of  users, administrators, and designers. Particularly when the violation of  these expectations is triggered by an external object. 
[11] &lt;/b&gt;&lt;/span&gt;&lt;/li&gt;&lt;li style="list-style-type: none;"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;Software can be vulnerable because of an error in its  specification, development, or configuration. A software vulnerability  is an instance of an error in the specification, development, or  configuration of software such that its execution can violate the  security policy. [11] &lt;/b&gt;&lt;/span&gt;&lt;/li&gt;&lt;li style="list-style-type: none;"&gt;&lt;div class="line862"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;A feature or a  combination of features of a system that allows an adversary to place  the system in a state that is both contrary to the desires of the people  responsible for the system and increases the risk (probability or  consequence) of undesirable behavior in or of the system. A feature or a  combination of features of a system that prevents the successful  implementation of a particular security policy for that system. A  program with a buffer that can be overflowed with data supplied by the  invoker will usually be considered a vulnerability. A telephone  procedure that provides private information about the caller without  prior authentication will usually be considered to have a vulnerability.  &lt;a class="http" href="http://www.sei.cmu.edu/publications/documents/99.reports/99tr028/99tr028title.html"&gt;[14&lt;/a&gt;]  &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;/li&gt;&lt;li style="list-style-type: none;"&gt;&lt;div class="line862"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;A flaw or weakness in a  system's design, implementation, or operation and management that could  be exploited to violate the system's security policy. 
&lt;a class="http" href="http://www.ietf.org/rfc/rfc3067.txt"&gt;[29&lt;/a&gt;] &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;/li&gt;&lt;li style="list-style-type: none;"&gt;&lt;div class="line862"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;A 'vulnerability' is a characteristic of a piece of  technology which can be exploited to perpetrate a security incident. For  example, if a program unintentionally allowed ordinary users to execute  arbitrary operating system commands in privileged mode, this "feature"  would be a vulnerability. &lt;a class="http" href="http://www.ietf.org/rfc/rfc2350.txt"&gt;[28&lt;/a&gt;] &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;/li&gt;&lt;/ul&gt;&lt;div class="line874" style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;Vulnerability  analysis &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;ul style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;li style="list-style-type: none;"&gt;&lt;div class="line862"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;Systematic examination of an AIS or product to determine  the adequacy of security measures, identify security deficiencies,  provide data from which to predict the effectiveness of proposed  security measures, and confirm the adequacy of such measures after  implementation. &lt;a class="http" href="http://www.sans.org/newlook/resources/glossary.htm"&gt;[7&lt;/a&gt;] &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;/li&gt;&lt;li style="list-style-type: none;"&gt;&lt;div class="line862"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;The systematic examination of systems in  order to determine the adequacy of security measures, identify security  deficiencies, and provide data from which to predict the effectiveness  of proposed security measures. 
&lt;a class="http" href="http://packetstormsecurity.org/docs/rainbow-books/NCSC-TG-004.txt"&gt;[8&lt;/a&gt;]  &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;/li&gt;&lt;/ul&gt;&lt;div class="line874" style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;Vulnerability assessment &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;ul style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;li style="list-style-type: none;"&gt;&lt;div class="line862"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;A measurement of  vulnerability which includes the susceptibility of a particular system  to a specific attack and the opportunities available to a threat agent  to mount that attack. &lt;a class="http" href="http://packetstormsecurity.org/docs/rainbow-books/NCSC-TG-004.txt"&gt;[8&lt;/a&gt;]  &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;/li&gt;&lt;/ul&gt;&lt;div class="line874" style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;Vulnerability case &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;ul style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;li style="list-style-type: none;"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;(missing definition) &lt;/b&gt;&lt;/span&gt;&lt;/li&gt;&lt;/ul&gt;&lt;div class="line874" style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;Worm &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;ul style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;li style="list-style-type: none;"&gt;&lt;div class="line862"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;Independent program that replicates from  machine to machine across network connections often clogging networks  and information systems as it spreads. 
&lt;a class="http" href="http://www.sans.org/newlook/resources/glossary.htm"&gt;[7&lt;/a&gt;] &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;/li&gt;&lt;li style="list-style-type: none;"&gt;&lt;div class="line862"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;(I) A computer program that can run  independently, can propagate a complete working version of itself onto  other hosts on a network, and may consume computer resources  destructively. (See: Morris Worm, virus.) &lt;a class="http" href="http://www.ietf.org/rfc/rfc2828.txt"&gt;[2&lt;/a&gt;] &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;/li&gt;&lt;li style="list-style-type: none;"&gt;&lt;div class="line862"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;A computer program which replicates itself and is self-  propagating. Worms, as opposed to viruses, are meant to spawn in network  environments. Network worms were first defined by Shoch &amp;amp; Hupp of  Xerox in ACM Communications (March 1982). The Internet worm of November  1988 is perhaps the most famous; it successfully propagated itself on  over 6,000 systems across the Internet. See also: Trojan Horse, virus. &lt;a class="http" href="http://www.ietf.org/rfc/rfc1983.txt"&gt;[1&lt;/a&gt;] &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;/li&gt;&lt;/ul&gt;&lt;div class="line867" style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;Other  possible sources of terms&lt;/b&gt;&lt;/span&gt; &lt;/div&gt;&lt;div class="line874" style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;These are  some works that we should find and look through for checking possibly  useful terminology and cross-referencing the terms present. 
&lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;ul style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;li&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;Dictionary  of Computing, Vallerie Illingworth, C1996 &lt;/b&gt;&lt;/span&gt;&lt;/li&gt;&lt;li&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;National Bureau of Standards [NBS] Special  Publication 500-75 Validation, Verification, and Testing of Computer  Software, 1981. &lt;/b&gt;&lt;/span&gt;&lt;/li&gt;&lt;li&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;NBS.  Special Publication 500-56, "Validation, Verification, and Testing for  the Individual Programmer." (February 1980). &lt;/b&gt;&lt;/span&gt;&lt;/li&gt;&lt;li&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;NBS. S.P. 500-93 Software Validation,  Verification, and Testing Technique and Tool Reference Guide, 1982, 138  pp. &lt;/b&gt;&lt;/span&gt;&lt;/li&gt;&lt;li&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;NBS. Special  Publication 500-98, "Planning for Software Validation, Verification, and  Testing." (November 1982). &lt;/b&gt;&lt;/span&gt;&lt;/li&gt;&lt;li&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;Federal  Information Processing Standards [FIPS] Publication 101, Guideline For  Lifecycle Validation, Verification, and Testing of Computer Software,  1983. &lt;/b&gt;&lt;/span&gt;&lt;/li&gt;&lt;li&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;American  National Standard for Information Systems, Dictionary for Information  Systems, American National Standards Institute, 1991. &lt;/b&gt;&lt;/span&gt;&lt;/li&gt;&lt;li&gt;&lt;div class="line862"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;Pressman,  R., Software Engineering, A Practitioner's Approach, Third Edition, McGraw-Hill,  Inc., 1992. 
&lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;/li&gt;&lt;li&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;Myers,  G., The Art of Software Testing, Wiley Interscience, 1979. &lt;/b&gt;&lt;/span&gt;&lt;/li&gt;&lt;li&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;Beizer, B., Software  Testing Techniques, Second Edition, Van Nostrand Reinhold, 1990. &lt;/b&gt;&lt;/span&gt;&lt;/li&gt;&lt;li&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;Voas &lt;/b&gt;&lt;/span&gt;&lt;/li&gt;&lt;li&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;The New IEEE Standard Dictionary of  Electrical and Electronics Terms, IEEE Std. 100-1992. &lt;/b&gt;&lt;/span&gt;&lt;/li&gt;&lt;li&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;IEEE Standards Collection,  Software Engineering, 1994 Edition, published by the Institute of  Electrical and Electronic Engineers Inc. &lt;/b&gt;&lt;/span&gt;&lt;/li&gt;&lt;li&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;do178b &lt;/b&gt;&lt;/span&gt;&lt;/li&gt;&lt;li&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;FDA  Technical Report, Software Development Activities, July 1987. &lt;/b&gt;&lt;/span&gt;&lt;/li&gt;&lt;li&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;FDA Guide to Inspection of  Computerized Systems in Drug Processing, 1983. &lt;/b&gt;&lt;/span&gt;&lt;/li&gt;&lt;li&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;FDA Guideline on General Principles of  Process Validation, May 1987. &lt;/b&gt;&lt;/span&gt;&lt;/li&gt;&lt;li&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;Reviewer  Guidance for Computer Controlled Medical Devices Undergoing 510(k)  Review, Office of Device Evaluation, CDRH, FDA, August 1991. &lt;/b&gt;&lt;/span&gt;&lt;/li&gt;&lt;li&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;HHS Publication FDA  90-4236, Preproduction Quality Assurance Planning. &lt;/b&gt;&lt;/span&gt;&lt;/li&gt;&lt;li&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;BSI. 
BS 4778-89 Glossary of Terms used in  Quality Assurance &lt;/b&gt;&lt;/span&gt;&lt;/li&gt;&lt;/ul&gt;&lt;h2 id="References" style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;References&lt;/b&gt;&lt;/span&gt;&lt;/h2&gt;&lt;div class="line874" style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;[1] &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;ul style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;li style="list-style-type: none;"&gt;&lt;div class="line862"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;G. Malkin (Editor). (1996). "Internet Users' Glossary".  The Internet Society. &lt;a class="http" href="http://www.ietf.org/rfc/rfc1983.txt"&gt;http://www.ietf.org/rfc/rfc1983.txt&lt;/a&gt;.   &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;/li&gt;&lt;/ul&gt;&lt;div class="line874" style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;[2] &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;ul style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;li style="list-style-type: none;"&gt;&lt;div class="line862"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;R. Shirey. (2000).  "Internet Security Glossary". The Internet Society. &lt;a class="http" href="http://www.ietf.org/rfc/rfc2828.txt"&gt;http://www.ietf.org/rfc/rfc2828.txt&lt;/a&gt;.   &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;/li&gt;&lt;/ul&gt;&lt;div class="line874" style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;[3] &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;ul style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;li style="list-style-type: none;"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;COBUILD English Language Dictionary.  (1990). Collins.  
&lt;/b&gt;&lt;/span&gt;&lt;/li&gt;&lt;/ul&gt;&lt;div class="line874" style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;[4] &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;ul style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;li style="list-style-type: none;"&gt;&lt;div class="line862"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;"Glossary of terms  used in software testing (Version 6.2)". British Computer Society  Specialist Interest Group in Software Testing (BCS SIGIST). &lt;a class="http" href="http://www.testingstandards.co.uk/Gloss6_2.htm"&gt;http://www.testingstandards.co.uk/Gloss6_2.htm&lt;/a&gt;.   &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;/li&gt;&lt;/ul&gt;&lt;div class="line874" style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;[5] &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;ul style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;li style="list-style-type: none;"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;Beizer, B.. Software Testing Techniques.  Second edition. (1990). Van Nostrand Reinhold. ISBN: 1850328803.  &lt;/b&gt;&lt;/span&gt;&lt;/li&gt;&lt;/ul&gt;&lt;div class="line874" style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;[6] &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;ul style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;li style="list-style-type: none;"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;(1991). "Standard Glossary of Software Engineering Terminology  (ANSI)". The Institute of Electrical and Electronics Engineers Inc..  
&lt;/b&gt;&lt;/span&gt;&lt;/li&gt;&lt;/ul&gt;&lt;div class="line874" style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;[7] &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;ul style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;li style="list-style-type: none;"&gt;&lt;div class="line862"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;"NSA Glossary of Terms Used in Security and  Intrusion Detection". &lt;a class="http" href="http://www.sans.org/newlook/resources/glossary.htm"&gt;http://www.sans.org/newlook/resources/glossary.htm&lt;/a&gt;.   &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;/li&gt;&lt;/ul&gt;&lt;div class="line874" style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;[8] &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;ul style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;li style="list-style-type: none;"&gt;&lt;div class="line862"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;(2000). "Glossary of  Computer Security Terms". &lt;a class="http" href="http://packetstormsecurity.org/docs/rainbow-books/NCSC-TG-004.txt"&gt;http://packetstormsecurity.org/docs/rainbow-books/NCSC-TG-004.txt&lt;/a&gt;.   &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;/li&gt;&lt;/ul&gt;&lt;div class="line874" style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;[9] &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;ul style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;li style="list-style-type: none;"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;(1999). "Common Criteria for Information  Technology Security Evaluation - Part 1". Common Criteria.  
&lt;/b&gt;&lt;/span&gt;&lt;/li&gt;&lt;/ul&gt;&lt;div class="line874" style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;[10] &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;ul style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;li style="list-style-type: none;"&gt;&lt;div class="line862"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;"Glossary of computerized system and software  development terminology". Food and Drug Administration. &lt;a class="http" href="http://www.fda.gov/ora/inspect_ref/igs/gloss.html"&gt;http://www.fda.gov/ora/inspect_ref/igs/gloss.html&lt;/a&gt;.   &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;/li&gt;&lt;/ul&gt;&lt;div class="line874" style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;[11] &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;ul style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;li style="list-style-type: none;"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;Krsul, I.. (1998). "Software  Vulnerability Analysis". Department of Computer Sciences, Purdue  University.  &lt;/b&gt;&lt;/span&gt;&lt;/li&gt;&lt;/ul&gt;&lt;div class="line874" style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;[12] &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;ul style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;li style="list-style-type: none;"&gt;&lt;div class="line862"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;Rice, R.. (1999).  "Software Testing Glossary". Rice consulting. &lt;a class="http" href="http://www.riceconsulting.com/Library/gloss.htm"&gt;http://www.riceconsulting.com/Library/gloss.htm&lt;/a&gt;.   
&lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;/li&gt;&lt;/ul&gt;&lt;div class="line874" style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;[13] &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;ul style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;li style="list-style-type: none;"&gt;&lt;div class="line862"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;John D. Howard,  Thomas A. Longstaff. (1998). "A Common Language for Computer Security  Incidents". Sandia National Laboratories. &lt;a class="http" href="http://www.cert.org/research/taxonomy_988667.pdf"&gt;http://www.cert.org/research/taxonomy_988667.pdf&lt;/a&gt;.   &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;/li&gt;&lt;/ul&gt;&lt;div class="line874" style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;[14] &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;ul style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;li style="list-style-type: none;"&gt;&lt;div class="line862"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;Julia Allen, Alan  Christie, William Fithen, John McHugh, Jed  Pickel, Ed Stoner. (2000). "State of the Practice of Intrusion Detection  Technologies". &lt;a class="http" href="http://www.sei.cmu.edu/publications/documents/99.reports/99tr028/99tr028title.html"&gt;http://www.sei.cmu.edu/publications/documents/99.reports/99tr028/99tr028title.html&lt;/a&gt;.   
&lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;/li&gt;&lt;/ul&gt;&lt;div class="line874" style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;[15] &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;ul style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;li style="list-style-type: none;"&gt;&lt;div class="line862"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;Cigital Labs.  "Definitions". &lt;a class="http" href="http://www.cigitallabs.com/resources/definitions/"&gt;http://www.cigitallabs.com/resources/definitions/&lt;/a&gt;.   &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;/li&gt;&lt;/ul&gt;&lt;div class="line874" style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;[16] &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;ul style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;li style="list-style-type: none;"&gt;&lt;div class="line862"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;"The DICT development  group". &lt;a class="http" href="http://www.dict.org/"&gt;http://www.dict.org&lt;/a&gt;.   &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;/li&gt;&lt;/ul&gt;&lt;div class="line874" style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;[17] &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;ul style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;li style="list-style-type: none;"&gt;&lt;div class="line862"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;"Glossary". &lt;a class="http" href="http://www.atis.org/atis/data/glossary.htm"&gt;http://www.atis.org/atis/data/glossary.htm&lt;/a&gt;.   
&lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;/li&gt;&lt;/ul&gt;&lt;div class="line874" style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;[18] &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;ul style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;li style="list-style-type: none;"&gt;&lt;div class="line862"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;(2000). "Glossary  from the VPN Mailing List". &lt;a class="http" href="http://kubarb.phsx.ukans.edu/%7Etbird/vpn/vpn-glossary.html"&gt;http://kubarb.phsx.ukans.edu/~tbird/vpn/vpn-glossary.html&lt;/a&gt;.   &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;/li&gt;&lt;/ul&gt;&lt;div class="line874" style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;[19] &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;ul style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;li style="list-style-type: none;"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;Nancy G. Leveson. Safeware: system  safety and computers. (1995). Addison-Wesley Publishing Company Inc..  ISBN: 0-201-11972-2.  &lt;/b&gt;&lt;/span&gt;&lt;/li&gt;&lt;/ul&gt;&lt;div class="line874" style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;[20] &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;ul style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;li style="list-style-type: none;"&gt;&lt;div class="line862"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;Pressman, R..  Software Engineering, A Practitioner's Approach. Third edition. (1992). McGraw-Hill.   
&lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;/li&gt;&lt;/ul&gt;&lt;div class="line874" style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;[21] &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;ul style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;li style="list-style-type: none;"&gt;&lt;div class="line862"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;"C&amp;amp;A Software  Engineers' Glossary". Chambers and Associates. &lt;a class="http" href="http://www.chambers.com.au/glossary/glossary.htm"&gt;http://www.chambers.com.au/glossary/glossary.htm&lt;/a&gt;.   &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;/li&gt;&lt;/ul&gt;&lt;div class="line874" style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;[22] &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;ul style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;li style="list-style-type: none;"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;(1986). "Standard Taxonomy for Software  Engineering Standards (ANSI)". The Institute of Electrical and  Electronics Engineers Inc..  &lt;/b&gt;&lt;/span&gt;&lt;/li&gt;&lt;/ul&gt;&lt;div class="line874" style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;[23] &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;ul style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;li style="list-style-type: none;"&gt;&lt;div class="line862"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;"Glossary Terms and  Acronyms". &lt;a class="http" href="http://www.coe.missouri.edu/%7Eis334/projects/Project_LIS/glossarya.html"&gt;http://www.coe.missouri.edu/~is334/projects/Project_LIS/glossarya.html&lt;/a&gt;.   
&lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;/li&gt;&lt;/ul&gt;&lt;div class="line874" style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;[24] &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;ul style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;li style="list-style-type: none;"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;(1983). "Standard for Software Test  Documentation". The Institute of Electrical and Electronics Engineers  Inc..  &lt;/b&gt;&lt;/span&gt;&lt;/li&gt;&lt;/ul&gt;&lt;div class="line874" style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;[25] &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;ul style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;li style="list-style-type: none;"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;Perkins, J.. Advanced Microsoft Visual  Basic 5, Chapter 10: Well, at Least It Compiled OK! The Value of  Software Testing. Microsoft Press.  &lt;/b&gt;&lt;/span&gt;&lt;/li&gt;&lt;/ul&gt;&lt;div class="line874" style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;[26] &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;ul style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;li style="list-style-type: none;"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;Myers, G.. The Art of Software Testing.  (1979). Wiley Interscience.  &lt;/b&gt;&lt;/span&gt;&lt;/li&gt;&lt;/ul&gt;&lt;div class="line874" style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;[27] &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;ul style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;li style="list-style-type: none;"&gt;&lt;div class="line862"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;(1999). "Jargon  File". 
&lt;a class="http" href="http://www.jargon.org/html"&gt;http://www.jargon.org/html&lt;/a&gt;.   &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;/li&gt;&lt;/ul&gt;&lt;div class="line874" style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;[28] &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;ul style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;li style="list-style-type: none;"&gt;&lt;div class="line862"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;N. Brownlee, E.  Guttman. (1998). "Expectations for Computer Security Incident Response".  The Internet Society. &lt;a class="http" href="http://www.ietf.org/rfc/rfc2350.txt"&gt;http://www.ietf.org/rfc/rfc2350.txt&lt;/a&gt;.   &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;/li&gt;&lt;/ul&gt;&lt;div class="line874" style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;[29] &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;ul style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;li style="list-style-type: none;"&gt;&lt;div class="line862"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;J. Arvidsson, A.  Cormack, Y. Demchenko, J. Meijer. (2001). "TERENA's Incident Object  Description and Exchange Format Requirements". The Internet Society. &lt;a class="http" href="http://www.ietf.org/rfc/rfc3067.txt"&gt;http://www.ietf.org/rfc/rfc3067.txt&lt;/a&gt;.   &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;/li&gt;&lt;/ul&gt;&lt;h2 id="Other_glossaries" style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;Other glossaries&lt;/b&gt;&lt;/span&gt;&lt;/h2&gt;&lt;div class="line874" style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;These do not contain terms that  we were interested in, but might be useful for others. 
&lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;div style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;"Glossary of Communications, Computer,  Data, and Information Security Terms" &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;ul style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;li style="list-style-type: none;"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;Rob Slade &lt;/b&gt;&lt;/span&gt;&lt;div class="line891"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;&lt;a class="http" href="http://victoria.tc.ca/int-grps/books/techrev/secgloss.htm"&gt;http://victoria.tc.ca/int-grps/books/techrev/secgloss.htm&lt;/a&gt;&lt;/b&gt;&lt;/span&gt;  &lt;/div&gt;&lt;/li&gt;&lt;/ul&gt;&lt;div style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;"Payment and security glossaries and  taxonomies" &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;ul style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;li style="list-style-type: none;"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;Ann and Lynn Wheeler &lt;/b&gt;&lt;/span&gt;&lt;div class="line891"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;&lt;a class="http" href="http://www.garlic.com/%7Elynn/index.html#glossary"&gt;http://www.garlic.com/~lynn/index.html#glossary&lt;/a&gt;&lt;/b&gt;&lt;/span&gt;  &lt;/div&gt;&lt;/li&gt;&lt;/ul&gt;&lt;div class="line862" style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;"TestWorks  &amp;amp; Testing Technology Glossary" &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;ul style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;li style="list-style-type: none;"&gt;&lt;div class="line891"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;&lt;a class="http" 
href="http://www.soft.com/Technology/glossary.html"&gt;http://www.soft.com/Technology/glossary.html&lt;/a&gt;&lt;/b&gt;&lt;/span&gt;  &lt;/div&gt;&lt;/li&gt;&lt;/ul&gt;&lt;div style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;"Valtionhallinnon  tietoturvakäsitteistö" &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;ul style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;li style="list-style-type: none;"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;Valtionvarainministeriö. &lt;/b&gt;&lt;/span&gt;&lt;div class="line891"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;&lt;a class="http" href="http://www.vm.fi/vm/fi/04_julkaisut_ja_asiakirjat/01_julkaisut/05_valtionhallinnon_tietoturvallisuus/50903/50902_fi.pdf"&gt;http://www.vm.fi/vm/fi/04_julkaisut_ja_asiakirjat/01_julkaisut/05_valtionhallinnon_tietoturvallisuus/50903/50902_fi.pdf&lt;/a&gt;&lt;/b&gt;&lt;/span&gt;  &lt;/div&gt;&lt;/li&gt;&lt;/ul&gt;&lt;div style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;"Tietotekniikan termitalkoot" &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;ul style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;li style="list-style-type: none;"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;Tekniikan Sanastokeskus. 
&lt;/b&gt;&lt;/span&gt;&lt;div class="line891"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;&lt;a class="http" href="http://www.tsk.fi/termitalkoot/"&gt;http://www.tsk.fi/termitalkoot/&lt;/a&gt;&lt;/b&gt;&lt;/span&gt;  &lt;/div&gt;&lt;/li&gt;&lt;/ul&gt;&lt;div style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;"ATK-sanakirja" &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;ul style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;li style="list-style-type: none;"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;Tietotekniikan  liitto &lt;/b&gt;&lt;/span&gt;&lt;div class="line891"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;&lt;a class="http" href="http://www.ttlry.fi/tuotteet/#anchor-24430"&gt;http://www.ttlry.fi/tuotteet/#anchor-24430&lt;/a&gt;&lt;/b&gt;&lt;/span&gt;  &lt;/div&gt;&lt;/li&gt;&lt;/ul&gt;&lt;div style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;"HSTYA-projektin terminologiaa" &lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;ul style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;li style="list-style-type: none;"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;Mikael Linden Tampereen  teknillinen korkeakoulu  &lt;/b&gt;&lt;/span&gt;&lt;div class="line891"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;&lt;a class="http" href="http://www.csc.fi/suomi/funet/middleware/projektit/hstya/muut/hstya_termit.html"&gt;http://www.csc.fi/suomi/funet/middleware/projektit/hstya/muut/hstya_termit.html&lt;/a&gt;&lt;/b&gt;&lt;/span&gt;  &lt;/div&gt;&lt;/li&gt;&lt;/ul&gt;&lt;div style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;span style="font-size: large;"&gt;&lt;b&gt;"Varmennesanasto", a certificate glossary compiled by the HST group &lt;a class="http" 
href="http://www.fineid.fi/vrk/fineid/files.nsf/files/A5AFD456B5385401C225712200443180/$file/Varmennesanasto.doc"&gt;http://www.fineid.fi/vrk/fineid/files.nsf/files/A5AFD456B5385401C225712200443180/$file/Varmennesanasto.doc&lt;/a&gt;&lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;ol style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;li&gt;&lt;/li&gt;&lt;/ol&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/9091583231038221262-916445586806836111?l=industrionage.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://industrionage.blogspot.com/feeds/916445586806836111/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://industrionage.blogspot.com/2010/02/glossary-of-vulnerability-testing.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/9091583231038221262/posts/default/916445586806836111'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/9091583231038221262/posts/default/916445586806836111'/><link rel='alternate' type='text/html' href='http://industrionage.blogspot.com/2010/02/glossary-of-vulnerability-testing.html' title='Glossary of Vulnerability Testing Terminology'/><author><name>www.Industrionage.com</name><uri>http://www.blogger.com/profile/00907555867590425735</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='12' height='32' src='http://1.bp.blogspot.com/_OrlWpnLUecg/SrYxYmB2tkI/AAAAAAAAABA/xt1RrLJ2YbU/S220/face.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-9091583231038221262.post-8595237692106711859</id><published>2010-01-23T11:40:00.000-08:00</published><updated>2010-01-23T11:40:43.161-08:00</updated><title type='text'>Sanders and Chappell Wireshark Resources Network 
Sniffing</title><content type='html'>&lt;a href="http://www.chrissanders.org/"&gt;http://www.chrissanders.org/&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.chappellseminars.com/index.html"&gt;http://www.chappellseminars.com/index.html&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/9091583231038221262-8595237692106711859?l=industrionage.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://industrionage.blogspot.com/feeds/8595237692106711859/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://industrionage.blogspot.com/2010/01/sanders-and-chappell-wireshark.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/9091583231038221262/posts/default/8595237692106711859'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/9091583231038221262/posts/default/8595237692106711859'/><link rel='alternate' type='text/html' href='http://industrionage.blogspot.com/2010/01/sanders-and-chappell-wireshark.html' title='Sanders and Chappell Wireshark Resources Network Sniffing'/><author><name>www.Industrionage.com</name><uri>http://www.blogger.com/profile/00907555867590425735</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='12' height='32' src='http://1.bp.blogspot.com/_OrlWpnLUecg/SrYxYmB2tkI/AAAAAAAAABA/xt1RrLJ2YbU/S220/face.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-9091583231038221262.post-8247761040021983607</id><published>2010-01-19T11:24:00.000-08:00</published><updated>2010-01-23T11:27:51.190-08:00</updated><title type='text'>TaoSecurity Google v China</title><content type='html'>&lt;div id="header-wrapper"&gt;&lt;div class="header section" id="header"&gt;&lt;div class="widget Header" id="Header1"&gt;&lt;div 
id="header-inner"&gt;&lt;div class="titlewrapper"&gt;&lt;h1 class="title"&gt;&lt;a href="http://taosecurity.blogspot.com/"&gt; &lt;/a&gt; &lt;/h1&gt;&lt;/div&gt;&lt;div class="descriptionwrapper" style="font-family: Georgia,&amp;quot;Times New Roman&amp;quot;,serif;"&gt;&lt;div class="description"&gt;&lt;b&gt;&lt;span style="font-size: x-small;"&gt;Richard Bejtlich's blog on digital security and the practices of network security&lt;/span&gt;&lt;/b&gt;&lt;br /&gt;&lt;b&gt;&lt;span style="font-size: x-small;"&gt;monitoring, incident response, and forensics.&lt;/span&gt;&lt;/b&gt;&lt;br /&gt;&lt;/div&gt;&lt;/div&gt;&lt;/div&gt;&lt;/div&gt;&lt;/div&gt;&lt;/div&gt;&lt;br /&gt;&lt;span style="font-size: small;"&gt;&lt;b&gt;&lt;i&gt;In mid-December, we detected a highly sophisticated and targeted attack on our corporate infrastructure originating from China that resulted in the theft of intellectual property from Google...&lt;br /&gt;&lt;br /&gt;First, this attack was not just on Google. As part of our investigation we have discovered that at least twenty other large companies from a wide range of businesses--including the Internet, finance, technology, media and chemical sectors--have been similarly targeted...&lt;br /&gt;&lt;br /&gt;These attacks and the surveillance they have uncovered--combined with the attempts over the past year to further limit free speech on the web--have led us to conclude that we should review the feasibility of our business operations in China. We have decided we are no longer willing to continue censoring our results on Google.cn, and so over the next few weeks we will be discussing with the Chinese government the basis on which we could operate an unfiltered search engine within the law, if at all. 
We recognize that this may well mean having to shut down Google.cn, and potentially our offices in China.&lt;/i&gt;&lt;/b&gt;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-size: small;"&gt;&lt;b&gt;&lt;br /&gt;&lt;/b&gt;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-size: small;"&gt;&lt;b&gt;Welcome to the party, Google. You can use the term "advanced persistent threat" (APT) if you want to give this adversary its proper name. See my post &lt;a href="http://taosecurity.blogspot.com/2009/10/report-on-chinese-government-sponsored.html"&gt;Report on Chinese Government Sponsored Cyber Activities&lt;/a&gt; for more details.&lt;/b&gt;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-size: small;"&gt;&lt;b&gt;&lt;br /&gt;&lt;/b&gt;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-size: small;"&gt;&lt;b&gt;I have to really applaud Google for saying they might shut down operations in a country of 1.4 billion potential consumers as a result of an incident detection and response! &lt;/b&gt;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-size: small;"&gt;&lt;b&gt;&lt;br /&gt;&lt;/b&gt;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-size: small;"&gt;&lt;b&gt;There were many events last year that fulfilled my &lt;a href="http://taosecurity.blogspot.com/2009/01/predictions-for-2009.html"&gt;prediction for 2009&lt;/a&gt; &lt;i&gt;Expect at least one cloud security incident to affect something you value.&lt;/i&gt;  I think this one wins hands down.&lt;/b&gt;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-size: small;"&gt;&lt;b&gt;&lt;br /&gt;&lt;/b&gt;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-size: small;"&gt;&lt;b&gt;Never mind the China angle for a moment. All of us should stop and consider what sort of data we are storing at Google, and in what form that data is stored. 
Google's &lt;a href="http://googleenterprise.blogspot.com/2010/01/keeping-your-data-safe.html"&gt;Keeping Your Data Safe&lt;/a&gt; post for Enterprise customers claims &lt;i&gt;While some intellectual property on our corporate network was compromised, we believe our customer cloud-based data remains secure.&lt;/i&gt; However, my experience with these sorts of incidents is that if it occurred in "mid-December," Google will be spending the next several months realizing how large the exposure really is.&lt;/b&gt;&lt;/span&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/9091583231038221262-8247761040021983607?l=industrionage.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://industrionage.blogspot.com/feeds/8247761040021983607/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://industrionage.blogspot.com/2010/01/google-v-china-from-richard-bejtlichs.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/9091583231038221262/posts/default/8247761040021983607'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/9091583231038221262/posts/default/8247761040021983607'/><link rel='alternate' type='text/html' href='http://industrionage.blogspot.com/2010/01/google-v-china-from-richard-bejtlichs.html' title='TaoSecurity Google v China'/><author><name>www.Industrionage.com</name><uri>http://www.blogger.com/profile/00907555867590425735</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='12' height='32' 
src='http://1.bp.blogspot.com/_OrlWpnLUecg/SrYxYmB2tkI/AAAAAAAAABA/xt1RrLJ2YbU/S220/face.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-9091583231038221262.post-5928499312965284565</id><published>2010-01-07T16:24:00.001-08:00</published><updated>2010-01-09T08:43:40.656-08:00</updated><title type='text'>A Declaration of the Independence of Cyberspace</title><content type='html'>&lt;div style="text-align: center;"&gt;&lt;span style="font-size: small;"&gt;&lt;b&gt;Governments of the Industrial World, you weary giants of flesh and&lt;/b&gt;&lt;/span&gt;&lt;br /&gt;&lt;/div&gt;&lt;div style="text-align: center;"&gt;&lt;span style="font-size: small;"&gt;&lt;b&gt;steel, I come from Cyberspace, the new home of Mind. On behalf of the&lt;/b&gt;&lt;/span&gt;&lt;br /&gt;&lt;/div&gt;&lt;div style="text-align: center;"&gt;&lt;span style="font-size: small;"&gt;&lt;b&gt;future, I ask you of the past to leave us alone. You are not welcome&lt;/b&gt;&lt;/span&gt;&lt;br /&gt;&lt;/div&gt;&lt;div style="text-align: center;"&gt;&lt;span style="font-size: small;"&gt;&lt;b&gt;among us. You have no sovereignty where we gather. We have no elected&lt;/b&gt;&lt;/span&gt;&lt;br /&gt;&lt;/div&gt;&lt;div style="text-align: center;"&gt;&lt;span style="font-size: small;"&gt;&lt;b&gt;government, nor are we likely to have one, so I address you with no&lt;/b&gt;&lt;/span&gt;&lt;br /&gt;&lt;/div&gt;&lt;div style="text-align: center;"&gt;&lt;span style="font-size: small;"&gt;&lt;b&gt;greater authority than that with which liberty itself always speaks. I&lt;/b&gt;&lt;/span&gt;&lt;br /&gt;&lt;/div&gt;&lt;div style="text-align: center;"&gt;&lt;span style="font-size: small;"&gt;&lt;b&gt;declare the global social space we are building to be naturally&lt;/b&gt;&lt;/span&gt;&lt;br /&gt;&lt;/div&gt;&lt;div style="text-align: center;"&gt;&lt;span style="font-size: small;"&gt;&lt;b&gt;independent of the tyrannies you seek to impose on us. 
You have no&lt;/b&gt;&lt;/span&gt;&lt;br /&gt;&lt;/div&gt;&lt;div style="text-align: center;"&gt;&lt;span style="font-size: small;"&gt;&lt;b&gt;moral right to rule us nor do you possess any methods of enforcement we&lt;/b&gt;&lt;/span&gt;&lt;br /&gt;&lt;/div&gt;&lt;div style="text-align: center;"&gt;&lt;span style="font-size: small;"&gt;&lt;b&gt;have true reason to fear. Governments derive their just powers from the&lt;/b&gt;&lt;/span&gt;&lt;br /&gt;&lt;/div&gt;&lt;div style="text-align: center;"&gt;&lt;span style="font-size: small;"&gt;&lt;b&gt;consent of the governed. You have neither solicited nor received ours.&lt;/b&gt;&lt;/span&gt;&lt;br /&gt;&lt;/div&gt;&lt;div style="text-align: center;"&gt;&lt;span style="font-size: small;"&gt;&lt;b&gt;We did not invite you. You do not know us, nor do you know our world.&lt;/b&gt;&lt;/span&gt;&lt;br /&gt;&lt;/div&gt;&lt;div style="text-align: center;"&gt;&lt;span style="font-size: small;"&gt;&lt;b&gt;Cyberspace does not lie within your borders. Do not think that you can&lt;/b&gt;&lt;/span&gt;&lt;br /&gt;&lt;/div&gt;&lt;div style="text-align: center;"&gt;&lt;span style="font-size: small;"&gt;&lt;b&gt;build it, as though it were a public construction project. You cannot.&lt;/b&gt;&lt;/span&gt;&lt;br /&gt;&lt;/div&gt;&lt;div style="text-align: center;"&gt;&lt;span style="font-size: small;"&gt;&lt;b&gt;It is an act of nature and it grows itself through our collective&lt;/b&gt;&lt;/span&gt;&lt;br /&gt;&lt;/div&gt;&lt;div style="text-align: center;"&gt;&lt;span style="font-size: small;"&gt;&lt;b&gt;actions. You have not engaged in our great and gathering conversation,&lt;/b&gt;&lt;/span&gt;&lt;br /&gt;&lt;/div&gt;&lt;div style="text-align: center;"&gt;&lt;span style="font-size: small;"&gt;&lt;b&gt;nor did you create the wealth of our marketplaces. 
You do not know our&lt;/b&gt;&lt;/span&gt;&lt;br /&gt;&lt;/div&gt;&lt;div style="text-align: center;"&gt;&lt;span style="font-size: small;"&gt;&lt;b&gt;culture, our ethics, or the unwritten codes that already provide our&lt;/b&gt;&lt;/span&gt;&lt;br /&gt;&lt;/div&gt;&lt;div style="text-align: center;"&gt;&lt;span style="font-size: small;"&gt;&lt;b&gt;society more order than could be obtained by any of your impositions.&lt;/b&gt;&lt;/span&gt;&lt;br /&gt;&lt;/div&gt;&lt;div style="text-align: center;"&gt;&lt;span style="font-size: small;"&gt;&lt;b&gt;You claim there are problems among us that you need to solve. You use&lt;/b&gt;&lt;/span&gt;&lt;br /&gt;&lt;/div&gt;&lt;div style="text-align: center;"&gt;&lt;span style="font-size: small;"&gt;&lt;b&gt;this claim as an excuse to invade our precincts. Many of these problems&lt;/b&gt;&lt;/span&gt;&lt;br /&gt;&lt;/div&gt;&lt;div style="text-align: center;"&gt;&lt;span style="font-size: small;"&gt;&lt;b&gt;don't exist. Where there are real conflicts, where there are wrongs, we&lt;/b&gt;&lt;/span&gt;&lt;br /&gt;&lt;/div&gt;&lt;div style="text-align: center;"&gt;&lt;span style="font-size: small;"&gt;&lt;b&gt;will identify them and address them by our means. We are forming our&lt;/b&gt;&lt;/span&gt;&lt;br /&gt;&lt;/div&gt;&lt;div style="text-align: center;"&gt;&lt;span style="font-size: small;"&gt;&lt;b&gt;own Social Contract. This governance will arise according to the&lt;/b&gt;&lt;/span&gt;&lt;br /&gt;&lt;/div&gt;&lt;div style="text-align: center;"&gt;&lt;span style="font-size: small;"&gt;&lt;b&gt;conditions of our world, not yours. Our world is different. 
Cyberspace&lt;/b&gt;&lt;/span&gt;&lt;br /&gt;&lt;/div&gt;&lt;div style="text-align: center;"&gt;&lt;span style="font-size: small;"&gt;&lt;b&gt;consists of transactions, relationships, and thought itself, arrayed&lt;/b&gt;&lt;/span&gt;&lt;br /&gt;&lt;/div&gt;&lt;div style="text-align: center;"&gt;&lt;span style="font-size: small;"&gt;&lt;b&gt;like a standing wave in the web of our communications. Ours is a world&lt;/b&gt;&lt;/span&gt;&lt;br /&gt;&lt;/div&gt;&lt;div style="text-align: center;"&gt;&lt;span style="font-size: small;"&gt;&lt;b&gt;that is both everywhere and nowhere, but it is not where bodies live.&lt;/b&gt;&lt;/span&gt;&lt;br /&gt;&lt;/div&gt;&lt;div style="text-align: center;"&gt;&lt;span style="font-size: small;"&gt;&lt;b&gt;We are creating a world that all may enter without privilege or&lt;/b&gt;&lt;/span&gt;&lt;br /&gt;&lt;/div&gt;&lt;div style="text-align: center;"&gt;&lt;span style="font-size: small;"&gt;&lt;b&gt;prejudice accorded by race, economic power, military force, or station&lt;/b&gt;&lt;/span&gt;&lt;br /&gt;&lt;/div&gt;&lt;div style="text-align: center;"&gt;&lt;span style="font-size: small;"&gt;&lt;b&gt;of birth. We are creating a world where anyone, anywhere may express&lt;/b&gt;&lt;/span&gt;&lt;br /&gt;&lt;/div&gt;&lt;div style="text-align: center;"&gt;&lt;span style="font-size: small;"&gt;&lt;b&gt;his or her beliefs, no matter how singular, without fear of being&lt;/b&gt;&lt;/span&gt;&lt;br /&gt;&lt;/div&gt;&lt;div style="text-align: center;"&gt;&lt;span style="font-size: small;"&gt;&lt;b&gt;coerced into silence or conformity. Your legal concepts of property,&lt;/b&gt;&lt;/span&gt;&lt;br /&gt;&lt;/div&gt;&lt;div style="text-align: center;"&gt;&lt;span style="font-size: small;"&gt;&lt;b&gt;expression, identity, movement, and context do not apply to us. They&lt;/b&gt;&lt;/span&gt;&lt;br /&gt;&lt;/div&gt;&lt;div style="text-align: center;"&gt;&lt;span style="font-size: small;"&gt;&lt;b&gt;are based on matter. There is no matter here. 
Our identities have no&lt;/b&gt;&lt;/span&gt;&lt;br /&gt;&lt;/div&gt;&lt;div style="text-align: center;"&gt;&lt;span style="font-size: small;"&gt;&lt;b&gt;bodies, so, unlike you, we cannot obtain order by physical coercion. We&lt;/b&gt;&lt;/span&gt;&lt;br /&gt;&lt;/div&gt;&lt;div style="text-align: center;"&gt;&lt;span style="font-size: small;"&gt;&lt;b&gt;believe that from ethics, enlightened self-interest, and the&lt;/b&gt;&lt;/span&gt;&lt;br /&gt;&lt;/div&gt;&lt;div style="text-align: center;"&gt;&lt;span style="font-size: small;"&gt;&lt;b&gt;commonweal, our governance will emerge. Our identities may be&lt;/b&gt;&lt;/span&gt;&lt;br /&gt;&lt;/div&gt;&lt;div style="text-align: center;"&gt;&lt;span style="font-size: small;"&gt;&lt;b&gt;distributed across many of your jurisdictions. The only law that all&lt;/b&gt;&lt;/span&gt;&lt;br /&gt;&lt;/div&gt;&lt;div style="text-align: center;"&gt;&lt;span style="font-size: small;"&gt;&lt;b&gt;our constituent cultures would generally recognize is the Golden Rule.&lt;/b&gt;&lt;/span&gt;&lt;br /&gt;&lt;/div&gt;&lt;div style="text-align: center;"&gt;&lt;span style="font-size: small;"&gt;&lt;b&gt;We hope we will be able to build our particular solutions on that&lt;/b&gt;&lt;/span&gt;&lt;br /&gt;&lt;/div&gt;&lt;div style="text-align: center;"&gt;&lt;span style="font-size: small;"&gt;&lt;b&gt;basis. 
But we cannot accept the solutions you are attempting to impose.&lt;/b&gt;&lt;/span&gt;&lt;br /&gt;&lt;/div&gt;&lt;div style="text-align: center;"&gt;&lt;span style="font-size: small;"&gt;&lt;b&gt;In the United States, you have today created a law, the&lt;/b&gt;&lt;/span&gt;&lt;br /&gt;&lt;/div&gt;&lt;div style="text-align: center;"&gt;&lt;span style="font-size: small;"&gt;&lt;b&gt;Telecommunications Reform Act, which repudiates your own Constitution&lt;/b&gt;&lt;/span&gt;&lt;br /&gt;&lt;/div&gt;&lt;div style="text-align: center;"&gt;&lt;span style="font-size: small;"&gt;&lt;b&gt;and insults the dreams of Jefferson, Washington, Mill, Madison,&lt;/b&gt;&lt;/span&gt;&lt;br /&gt;&lt;/div&gt;&lt;div style="text-align: center;"&gt;&lt;span style="font-size: small;"&gt;&lt;b&gt;DeToqueville, and Brandeis. These dreams must now be born anew in us.&lt;/b&gt;&lt;/span&gt;&lt;br /&gt;&lt;/div&gt;&lt;div style="text-align: center;"&gt;&lt;span style="font-size: small;"&gt;&lt;b&gt;You are terrified of your own children, since they are natives in a&lt;/b&gt;&lt;/span&gt;&lt;br /&gt;&lt;/div&gt;&lt;div style="text-align: center;"&gt;&lt;span style="font-size: small;"&gt;&lt;b&gt;world where you will always be immigrants. Because you fear them, you&lt;/b&gt;&lt;/span&gt;&lt;br /&gt;&lt;/div&gt;&lt;div style="text-align: center;"&gt;&lt;span style="font-size: small;"&gt;&lt;b&gt;entrust your bureaucracies with the parental responsibilities you are&lt;/b&gt;&lt;/span&gt;&lt;br /&gt;&lt;/div&gt;&lt;div style="text-align: center;"&gt;&lt;span style="font-size: small;"&gt;&lt;b&gt;too cowardly to confront yourselves. 
In our world, all the sentiments&lt;/b&gt;&lt;/span&gt;&lt;br /&gt;&lt;/div&gt;&lt;div style="text-align: center;"&gt;&lt;span style="font-size: small;"&gt;&lt;b&gt;and expressions of humanity, from the debasing to the angelic, are&lt;/b&gt;&lt;/span&gt;&lt;br /&gt;&lt;/div&gt;&lt;div style="text-align: center;"&gt;&lt;span style="font-size: small;"&gt;&lt;b&gt;parts of a seamless whole, the global conversation of bits. We cannot&lt;/b&gt;&lt;/span&gt;&lt;br /&gt;&lt;/div&gt;&lt;div style="text-align: center;"&gt;&lt;span style="font-size: small;"&gt;&lt;b&gt;separate the air that chokes from the air upon which wings beat. In&lt;/b&gt;&lt;/span&gt;&lt;br /&gt;&lt;/div&gt;&lt;div style="text-align: center;"&gt;&lt;span style="font-size: small;"&gt;&lt;b&gt;China, Germany, France, Russia, Singapore, Italy and the United States,&lt;/b&gt;&lt;/span&gt;&lt;br /&gt;&lt;/div&gt;&lt;div style="text-align: center;"&gt;&lt;span style="font-size: small;"&gt;&lt;b&gt;you are trying to ward off the virus of liberty by erecting guard posts&lt;/b&gt;&lt;/span&gt;&lt;br /&gt;&lt;/div&gt;&lt;div style="text-align: center;"&gt;&lt;span style="font-size: small;"&gt;&lt;b&gt;at the frontiers of Cyberspace. These may keep out the contagion for a&lt;/b&gt;&lt;/span&gt;&lt;br /&gt;&lt;/div&gt;&lt;div style="text-align: center;"&gt;&lt;span style="font-size: small;"&gt;&lt;b&gt;small time, but they will not work in a world that will soon be&lt;/b&gt;&lt;/span&gt;&lt;br /&gt;&lt;/div&gt;&lt;div style="text-align: center;"&gt;&lt;span style="font-size: small;"&gt;&lt;b&gt;blanketed in bit-bearing media. 
Your increasingly obsolete information&lt;/b&gt;&lt;/span&gt;&lt;br /&gt;&lt;/div&gt;&lt;div style="text-align: center;"&gt;&lt;span style="font-size: small;"&gt;&lt;b&gt;industries would perpetuate themselves by proposing laws, in America&lt;/b&gt;&lt;/span&gt;&lt;br /&gt;&lt;/div&gt;&lt;div style="text-align: center;"&gt;&lt;span style="font-size: small;"&gt;&lt;b&gt;and elsewhere, that claim to own speech itself throughout the world.&lt;/b&gt;&lt;/span&gt;&lt;br /&gt;&lt;/div&gt;&lt;div style="text-align: center;"&gt;&lt;span style="font-size: small;"&gt;&lt;b&gt;These laws would declare ideas to be another industrial product, no&lt;/b&gt;&lt;/span&gt;&lt;br /&gt;&lt;/div&gt;&lt;div style="text-align: center;"&gt;&lt;span style="font-size: small;"&gt;&lt;b&gt;more noble than pig iron. In our world, whatever the human mind may&lt;/b&gt;&lt;/span&gt;&lt;br /&gt;&lt;/div&gt;&lt;div style="text-align: center;"&gt;&lt;span style="font-size: small;"&gt;&lt;b&gt;create can be reproduced and distributed infinitely at no cost. The&lt;/b&gt;&lt;/span&gt;&lt;br /&gt;&lt;/div&gt;&lt;div style="text-align: center;"&gt;&lt;span style="font-size: small;"&gt;&lt;b&gt;global conveyance of thought no longer requires your factories to&lt;/b&gt;&lt;/span&gt;&lt;br /&gt;&lt;/div&gt;&lt;div style="text-align: center;"&gt;&lt;span style="font-size: small;"&gt;&lt;b&gt;accomplish. These increasingly hostile and colonial measures place us&lt;/b&gt;&lt;/span&gt;&lt;br /&gt;&lt;/div&gt;&lt;div style="text-align: center;"&gt;&lt;span style="font-size: small;"&gt;&lt;b&gt;in the same position as those previous lovers of freedom and&lt;/b&gt;&lt;/span&gt;&lt;br /&gt;&lt;/div&gt;&lt;div style="text-align: center;"&gt;&lt;span style="font-size: small;"&gt;&lt;b&gt;self-determination who had to reject the authorities of distant,&lt;/b&gt;&lt;/span&gt;&lt;br /&gt;&lt;/div&gt;&lt;div style="text-align: center;"&gt;&lt;span style="font-size: small;"&gt;&lt;b&gt;uninformed powers. 
We must declare our virtual selves immune to your&lt;/b&gt;&lt;/span&gt;&lt;br /&gt;&lt;/div&gt;&lt;div style="text-align: center;"&gt;&lt;span style="font-size: small;"&gt;&lt;b&gt;sovereignty, even as we continue to consent to your rule over our&lt;/b&gt;&lt;/span&gt;&lt;br /&gt;&lt;/div&gt;&lt;div style="text-align: center;"&gt;&lt;span style="font-size: small;"&gt;&lt;b&gt;bodies. We will spread ourselves across the Planet so that no one can&lt;/b&gt;&lt;/span&gt;&lt;br /&gt;&lt;/div&gt;&lt;div style="text-align: center;"&gt;&lt;span style="font-size: small;"&gt;&lt;b&gt;arrest our thoughts. We will create a civilization of the Mind in&lt;/b&gt;&lt;/span&gt;&lt;br /&gt;&lt;/div&gt;&lt;div style="text-align: center;"&gt;&lt;span style="font-size: small;"&gt;&lt;b&gt;Cyberspace. May it be more humane and fair than the world your&lt;/b&gt;&lt;/span&gt;&lt;br /&gt;&lt;/div&gt;&lt;div style="text-align: center;"&gt;&lt;span style="font-size: small;"&gt;&lt;b&gt;governments have made before. 
Davos, Switzerland February 8, 1996&lt;/b&gt;&lt;/span&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/9091583231038221262-5928499312965284565?l=industrionage.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://industrionage.blogspot.com/feeds/5928499312965284565/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://industrionage.blogspot.com/2010/01/declaration-of-independence-of.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/9091583231038221262/posts/default/5928499312965284565'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/9091583231038221262/posts/default/5928499312965284565'/><link rel='alternate' type='text/html' href='http://industrionage.blogspot.com/2010/01/declaration-of-independence-of.html' title='A Declaration of the Independence of Cyberspace'/><author><name>www.Industrionage.com</name><uri>http://www.blogger.com/profile/00907555867590425735</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='12' height='32' src='http://1.bp.blogspot.com/_OrlWpnLUecg/SrYxYmB2tkI/AAAAAAAAABA/xt1RrLJ2YbU/S220/face.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-9091583231038221262.post-24580302792826973</id><published>2010-01-04T13:31:00.000-08:00</published><updated>2010-01-04T14:10:46.247-08:00</updated><title type='text'>Cosmo in the movie Sneakers (1992)</title><content type='html'>&lt;div style="color: red; font-family: &amp;quot;Helvetica Neue&amp;quot;,Arial,Helvetica,sans-serif;"&gt;&lt;span style="font-size: x-large;"&gt;"There's a war out there, old friend. A world war....and it's not about who's got the most bullets. It's about who controls the information. 
What we see and hear, how we work, what we think... it's all about the information! The world isn't run by weapons anymore, or energy, or money. It's run by little ones and zeroes, little bits of data. It's all just electrons."&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-size: x-large;"&gt;&amp;nbsp;&lt;a href="http://www.ethicalhacker.net/content/view/284/1/"&gt;&lt;span style="color: lime;"&gt;http://www.ethicalhacker.net/content/view/284/1/&lt;/span&gt;&lt;/a&gt;&amp;nbsp;&lt;/span&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/9091583231038221262-24580302792826973?l=industrionage.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://industrionage.blogspot.com/feeds/24580302792826973/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://industrionage.blogspot.com/2010/01/cosmo-in-movie-sneakers-1992.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' 
href='http://www.blogger.com/feeds/9091583231038221262/posts/default/24580302792826973'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/9091583231038221262/posts/default/24580302792826973'/><link rel='alternate' type='text/html' href='http://industrionage.blogspot.com/2010/01/cosmo-in-movie-sneakers-1992.html' title='Cosmo in the movie Sneakers (1992)'/><author><name>www.Industrionage.com</name><uri>http://www.blogger.com/profile/00907555867590425735</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='12' height='32' src='http://1.bp.blogspot.com/_OrlWpnLUecg/SrYxYmB2tkI/AAAAAAAAABA/xt1RrLJ2YbU/S220/face.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-9091583231038221262.post-7595311765368312121</id><published>2009-12-30T09:48:00.000-08:00</published><updated>2010-01-04T14:17:48.620-08:00</updated><title type='text'>Live Hacking:   The Ultimate Guide to Hacking Techniques &amp; Countermeasures for Ethical Hackers &amp; IT Security Experts</title><content type='html'>&lt;div style="text-align: center;"&gt;&lt;br /&gt;&lt;br /&gt;&lt;a href="http://livehacking.com/"&gt;&lt;span style="font-size: 180%;"&gt; http://livehacking.com/&lt;/span&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;div class="MsoNormal" style="color: lime; font-family: trebuchet ms; text-align: left;"&gt;&lt;span style="font-size: large;"&gt;       Dr. Ali Jahangiri, a world-renowned information        technology (IT) expert, brings us the next must-have in        IT training: &lt;/span&gt;       &lt;span style="font-size: large;"&gt;       &lt;b&gt;Live Hacking&lt;/b&gt;&lt;/span&gt;&lt;span style="font-size: large;"&gt;,        the definitive and comprehensive guide to computer        hacking.  
Groundbreaking, insightful, and        practical, this guide serves to inform IT professionals        about and challenge existing conceptions of hacking, its        victims, and its consequences, but with an eye to        empowering prospective victims with the knowledge they        need to thwart the criminal elements in cyberspace.         Whether you work in a Fortune 500 company or if you’re        just looking to protect your home office from hackers,        this book will provide you with all the information you        need to protect your valuable information.  Don’t        be a victim; be ready!&lt;/span&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="color: lime; font-family: trebuchet ms; text-align: left;"&gt;&lt;span style="font-size: large;"&gt;       &lt;b&gt;Live Hacking&lt;/b&gt;&lt;/span&gt;&lt;span style="font-size: large;"&gt;        is straightforward, easy to read, and a reference that        you’ll use again and again.  It’s the kind of book        you’ll want to keep in your back pocket!  With a        user-friendly writing style and easy-to-follow diagrams        and computer screenshots, Dr. 
Jahangiri expounds on all        of the major issues—and more—in hacking:&lt;/span&gt;&lt;br /&gt;&lt;/div&gt;&lt;blockquote style="color: lime; font-family: trebuchet ms;"&gt;&lt;div align="justify" class="MsoNormal"&gt;&lt;span style="font-size: large;"&gt;- Basic Hacking Terminology&lt;br /&gt;- Reconnaissance&lt;br /&gt;- Google Hacking&lt;br /&gt;- Scanning&lt;br /&gt;- Enumeration&lt;br /&gt;- Password Cracking&lt;br /&gt;- Windows Hacking&lt;br /&gt;- Malware&lt;br /&gt;- Data Packet Sniffers&lt;br /&gt;- Web Server and Web Application Hacking&lt;br /&gt;- Denial of Service&lt;br /&gt;- Wireless Network Hacking&lt;/span&gt;&lt;br /&gt;&lt;/div&gt;&lt;/blockquote&gt;&lt;br /&gt;&lt;div style="font-weight: bold;"&gt;&lt;br /&gt;&amp;nbsp;&lt;div class="MsoNormal" style="color: lime; font-family: trebuchet ms; text-align: left;"&gt;&lt;span style="font-size: large;"&gt;       Rest assured, Dr. Jahangiri knows all of the tools of        the trade to help protect your organization’s IT assets.         He brings his many years of academic, professional, and        practical experience to the fore in order to equip you        and your organization with the know-how needed in this        day and age to defend your data against the        ever-increasing cyber-thieves on the Internet.         
Millions of dollars are lost each year to these        criminals.  Dr. Jahangiri shows you in this brand        new book—the most complete guide on the market—how to        avoid becoming another statistic.&lt;/span&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="color: lime; font-family: trebuchet ms; text-align: left;"&gt;&lt;span style="font-size: large;"&gt;       Dr. Jahangiri conducts thousands of hours of training        per year, has patents in network security, and speaks on        a variety of computer security-related issues all over        the world. He even offers advice on his web site       &lt;/span&gt;       &lt;span style="font-size: large;"&gt;       &lt;a href="http://www.alijahangiri.org/"&gt;       www.alijahangiri.org&lt;/a&gt;&lt;/span&gt;&lt;span style="font-size: large;"&gt;        .&lt;/span&gt;&lt;span style="font-size: large;"&gt; His        new book Live Hacking is like having your own private IT        security guard. With his knowledge at your fingertips,        you can fight back and stay on the offensive!&lt;/span&gt;&lt;br /&gt;&lt;/div&gt;&lt;br /&gt;&lt;/div&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/9091583231038221262-7595311765368312121?l=industrionage.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://industrionage.blogspot.com/feeds/7595311765368312121/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://industrionage.blogspot.com/2009/12/live-hacking-ultimate-guide-to-hacking.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/9091583231038221262/posts/default/7595311765368312121'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/9091583231038221262/posts/default/7595311765368312121'/><link rel='alternate' type='text/html' 
href='http://industrionage.blogspot.com/2009/12/live-hacking-ultimate-guide-to-hacking.html' title='Live Hacking:   The Ultimate Guide to Hacking Techniques &amp; Countermeasures for Ethical Hackers &amp; IT Security Experts'/><author><name>www.Industrionage.com</name><uri>http://www.blogger.com/profile/00907555867590425735</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='12' height='32' src='http://1.bp.blogspot.com/_OrlWpnLUecg/SrYxYmB2tkI/AAAAAAAAABA/xt1RrLJ2YbU/S220/face.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-9091583231038221262.post-5680689353486064820</id><published>2009-12-29T14:19:00.000-08:00</published><updated>2010-01-04T14:13:23.575-08:00</updated><title type='text'>Securing GovSpace</title><content type='html'>&lt;div style="text-align: center;"&gt;&lt;span style="font-size: 180%;"&gt;&lt;a href="http://www.govtechblogs.com/securing_govspace/"&gt;http://www.govtechblogs.com/securing_govspace/&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;&lt;br /&gt;&lt;h2 id="header-description"&gt;By Mark Weatherford: Musings on the latest rumors and news in the government cyber-security arena.&lt;/h2&gt;&lt;h2 id="header-description"&gt;&amp;nbsp;&lt;/h2&gt;&lt;h2 id="header-description"&gt;&amp;nbsp;&lt;/h2&gt;&lt;h2 id="header-description"&gt;&lt;br 
/&gt;&lt;div style="font-weight: bold;"&gt;&lt;br /&gt;&amp;nbsp;&lt;/div&gt;&lt;/h2&gt;&lt;br /&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/9091583231038221262-5680689353486064820?l=industrionage.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://industrionage.blogspot.com/feeds/5680689353486064820/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://industrionage.blogspot.com/2009/12/securing-govspace.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/9091583231038221262/posts/default/5680689353486064820'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/9091583231038221262/posts/default/5680689353486064820'/><link rel='alternate' type='text/html' href='http://industrionage.blogspot.com/2009/12/securing-govspace.html' title='Securing GovSpace'/><author><name>www.Industrionage.com</name><uri>http://www.blogger.com/profile/00907555867590425735</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='12' height='32' src='http://1.bp.blogspot.com/_OrlWpnLUecg/SrYxYmB2tkI/AAAAAAAAABA/xt1RrLJ2YbU/S220/face.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-9091583231038221262.post-1720795203874343402</id><published>2009-12-29T13:49:00.000-08:00</published><updated>2010-01-04T14:14:38.779-08:00</updated><title type='text'>Nitesh Dhanjani Thoughts on Information Security, Technology, and Science</title><content type='html'>&lt;div style="text-align: center;"&gt;&lt;span style="font-size: 180%;"&gt;&lt;a href="http://dhanjani.com/"&gt;http://dhanjani.com/&lt;/a&gt;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-size: 180%;"&gt;&lt;a 
href="https://www.e-junkie.com/ecom/gb.php?cl=42247&amp;amp;c=ib&amp;amp;aff=58065" target="ejejcsingle" title="learn-how-to-hack.net"&gt;&lt;img alt="Learn How To Hack" border="0" src="http://farm4.static.flickr.com/3620/3443681616_d3a34133c2_o.gif" title="Learn Hacking" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;a href="https://www.e-junkie.com/ecom/gb.php?cl=42247&amp;amp;c=ib&amp;amp;aff=58065" target="ejejcsingle" title="learn-how-to-hack.net"&gt;&lt;img alt="Learn How To Hack" border="0" src="http://farm4.static.flickr.com/3337/3442865199_065231a4a8_o.gif" title="Learn Hacking" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;/span&gt;&lt;br /&gt;&lt;div style="font-weight: bold;"&gt;&lt;span style="font-size: 180%;"&gt;&lt;br /&gt;&amp;nbsp;&lt;/span&gt;&lt;/div&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/9091583231038221262-1720795203874343402?l=industrionage.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://industrionage.blogspot.com/feeds/1720795203874343402/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://industrionage.blogspot.com/2009/12/nitesh-dhanjani-thoughts-on-information.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/9091583231038221262/posts/default/1720795203874343402'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/9091583231038221262/posts/default/1720795203874343402'/><link rel='alternate' type='text/html' href='http://industrionage.blogspot.com/2009/12/nitesh-dhanjani-thoughts-on-information.html' title='Nitesh Dhanjani Thoughts on Information Security, Technology, and Science'/><author><name>www.Industrionage.com</name><uri>http://www.blogger.com/profile/00907555867590425735</uri><email>noreply@blogger.com</email><gd:image 
rel='http://schemas.google.com/g/2005#thumbnail' width='12' height='32' src='http://1.bp.blogspot.com/_OrlWpnLUecg/SrYxYmB2tkI/AAAAAAAAABA/xt1RrLJ2YbU/S220/face.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-9091583231038221262.post-1440286125737719445</id><published>2009-12-28T11:38:00.000-08:00</published><updated>2010-01-04T14:14:25.536-08:00</updated><title type='text'>Computer World Comprehensive IT knowledge site</title><content type='html'>&lt;div style="text-align: center;"&gt;&lt;a href="http://www.computerworld.com/"&gt;&lt;span style="font-size: 180%;"&gt;http://www.computerworld.com/&lt;/span&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-size: 180%;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;br /&gt;&lt;div style="font-weight: bold;"&gt;&lt;span style="font-size: 180%;"&gt;&lt;br /&gt;&amp;nbsp;&lt;/span&gt;&lt;/div&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/9091583231038221262-1440286125737719445?l=industrionage.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://industrionage.blogspot.com/feeds/1440286125737719445/comments/default' title='Post Comments'/><link rel='replies' type='text/html' 
href='http://industrionage.blogspot.com/2009/12/computer-world-comprehensive-it.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/9091583231038221262/posts/default/1440286125737719445'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/9091583231038221262/posts/default/1440286125737719445'/><link rel='alternate' type='text/html' href='http://industrionage.blogspot.com/2009/12/computer-world-comprehensive-it.html' title='Computer World Comprehensive IT knowledge site'/><author><name>www.Industrionage.com</name><uri>http://www.blogger.com/profile/00907555867590425735</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='12' height='32' src='http://1.bp.blogspot.com/_OrlWpnLUecg/SrYxYmB2tkI/AAAAAAAAABA/xt1RrLJ2YbU/S220/face.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-9091583231038221262.post-3016723745285299234</id><published>2009-12-28T09:58:00.000-08:00</published><updated>2010-01-04T14:14:05.673-08:00</updated><title type='text'>Everything is under control. 
Everything...</title><content type='html'>New book "Freedom" from Daniel Suarez and his security website: &lt;a href="http://www.thedaemon.com/index.html"&gt;http://www.thedaemon.com/index.html&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;div style="font-weight: bold;"&gt;&lt;br /&gt;&amp;nbsp;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/9091583231038221262-3016723745285299234?l=industrionage.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://industrionage.blogspot.com/feeds/3016723745285299234/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://industrionage.blogspot.com/2009/12/everything-is-under-control-everything.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/9091583231038221262/posts/default/3016723745285299234'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/9091583231038221262/posts/default/3016723745285299234'/><link rel='alternate' type='text/html' href='http://industrionage.blogspot.com/2009/12/everything-is-under-control-everything.html' title='Everything is under control. 
Everything...'/><author><name>www.Industrionage.com</name><uri>http://www.blogger.com/profile/00907555867590425735</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='12' height='32' src='http://1.bp.blogspot.com/_OrlWpnLUecg/SrYxYmB2tkI/AAAAAAAAABA/xt1RrLJ2YbU/S220/face.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-9091583231038221262.post-7131638416096919069</id><published>2009-12-26T09:31:00.000-08:00</published><updated>2010-01-04T14:13:44.418-08:00</updated><title type='text'>The Ethical Hacker Network (Online Magazine)</title><content type='html'>&lt;div style="text-align: center;"&gt;&lt;span style="font-size: 130%;"&gt;Free online magazine for the security professional: &lt;a href="http://www.ethicalhacker.net/"&gt;http://www.ethicalhacker.net&lt;/a&gt;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-size: 130%;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;br /&gt;&lt;div style="font-weight: bold;"&gt;&lt;span style="font-size: 130%;"&gt;&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/9091583231038221262-7131638416096919069?l=industrionage.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' 
type='application/atom+xml' href='http://industrionage.blogspot.com/feeds/7131638416096919069/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://industrionage.blogspot.com/2009/12/ethical-hacker-network-online-magazine.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/9091583231038221262/posts/default/7131638416096919069'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/9091583231038221262/posts/default/7131638416096919069'/><link rel='alternate' type='text/html' href='http://industrionage.blogspot.com/2009/12/ethical-hacker-network-online-magazine.html' title='The Ethical Hacker Network (Online Magazine)'/><author><name>www.Industrionage.com</name><uri>http://www.blogger.com/profile/00907555867590425735</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='12' height='32' src='http://1.bp.blogspot.com/_OrlWpnLUecg/SrYxYmB2tkI/AAAAAAAAABA/xt1RrLJ2YbU/S220/face.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-9091583231038221262.post-4742545689304420121</id><published>2009-12-24T14:37:00.000-08:00</published><updated>2009-12-24T14:40:11.251-08:00</updated><title type='text'>As attacks increase, U.S. 
struggles to recruit computer security experts</title><content type='html'>&lt;span style="font-size:85%;"&gt;&lt;div id="byline"&gt;By &lt;a href="http://projects.washingtonpost.com/staff/articles/ellen+nakashima+and+brian+krebs/" title="Send an e-mail to Ellen Nakashima and Brian Krebs"&gt;Ellen Nakashima and Brian Krebs&lt;/a&gt;&lt;/div&gt; Washington Post Staff Writer&lt;br /&gt;Wednesday, December 23, 2009&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;&lt;span style="font-size:130%;"&gt;&lt;span style="font-weight: bold;"&gt;The federal government is struggling to fill a growing demand for skilled computer-security workers, from technicians to policymakers, at a time when network attacks are rising in frequency and sophistication. &lt;/span&gt;&lt;/span&gt; &lt;div style="font-weight: bold;" id="body_after_content_column"&gt; &lt;p&gt;&lt;span style="font-size:130%;"&gt;Demand is so intense that it has sparked a bidding war among agencies and contractors for a small pool of special talent: skilled technicians with security clearances. Their scarcity is driving up salaries, depriving agencies of skills, and in some cases affecting project quality, industry officials said. &lt;/span&gt;&lt;/p&gt; &lt;p&gt;&lt;span style="font-size:130%;"&gt;The crunch hits as the Pentagon is attempting to staff a new Cyber Command to fuse offensive and defensive computer-security missions and the Department of Homeland Security plans to expand its own "cyber" force by up to 1,000 people in the next three years. 
Even President Obama struggled to fill one critical position: Seven months after Obama pledged to name a national cyber-adviser, the White House announced Tuesday that Howard Schmidt, a former Bush administration official and &lt;a href="http://financial.washingtonpost.com/custom/wpost/html-qcn.asp?dispnav=business&amp;amp;mwpage=qcn&amp;amp;symb=MSFT&amp;amp;nav=el" target=""&gt;Microsoft&lt;/a&gt; chief security officer, will lead the nation's efforts to better protect its critical computer networks. &lt;/span&gt;&lt;/p&gt; &lt;p&gt;&lt;span style="font-size:130%;"&gt; The lack of trained defenders for these networks is leading to serious gaps in protection and significant losses of intelligence, national security experts said. The Government Accountability Office told a Senate panel in November that the number of scans, probes and attacks reported to the Department of Homeland Security's U.S. Computer Emergency Readiness Team has more than tripled, from 5,500 in 2006 to 16,840 in 2008. &lt;/span&gt;&lt;/p&gt; &lt;p&gt;&lt;span style="font-size:130%;"&gt;"We know how we can be penetrated," said Sen. Benjamin L. Cardin (D-Md.), chairman of the Judiciary subcommittee on terrorism and homeland security. "We don't know how to prevent it effectively." &lt;/span&gt;&lt;/p&gt; &lt;p&gt;&lt;span style="font-size:130%;"&gt;Indeed, the protection of critical computer systems and sensitive data, said former National Security Agency director William Studeman, may be the "biggest single problem" facing the national security establishment. &lt;/span&gt;&lt;/p&gt; &lt;p&gt; &lt;span style="font-family:Arial,Helvetica;font-size:130%;color:#000000;"&gt; &lt;span style="font-size: 15px;"&gt;Agencies under attack&lt;/span&gt;&lt;br /&gt;&lt;!-- BREAK --&gt;&lt;/span&gt; &lt;/p&gt; &lt;p&gt;&lt;span style="font-size:130%;"&gt;One evening in May 2006, a U.S. 
embassy employee in East Asia clicked on an innocent-looking e-mail attachment that opened the door to the most significant cyberattack the State Department has yet faced, allowing attackers operating through computers in China to send malicious computer code into the department's networks in the region. &lt;/span&gt;&lt;/p&gt; &lt;p&gt;&lt;span style="font-size:130%;"&gt;State's cyber-emergency response team immediately went into action, working round-the-clock for two weeks to isolate the harmful code and craft a temporary patch that officials said prevented a massive data theft. &lt;/span&gt;&lt;/p&gt; &lt;p&gt;&lt;span style="font-size:130%;"&gt;The department's response to the attack highlights how skills matter, experts said. In 2000, State had hired technicians -- the vast majority contractors -- who custom-built an intrusion detection system and trained people to identify malicious software and reverse-engineer it to determine an attack's goals and methods. As a result, department technicians in 2006 were able to contain the attack quickly, said Alan Paller of the SANS Institute, who has analyzed the case for the Center for Strategic and International Studies. &lt;/span&gt;&lt;/p&gt; &lt;p&gt;&lt;span style="font-size:130%;"&gt;Unlike State, most government agencies and private companies lack the skills and resources to muster a robust containment effort. &lt;/span&gt;&lt;/p&gt; &lt;p&gt;&lt;span style="font-size:130%;"&gt;Two months after the East Asia intrusion, the Commerce Department detected a similar attack -- but only after a deputy undersecretary was unable to log on to his computer. Contractor technicians were never able to identify the initial date of penetration into the computers of the Bureau of Industry and Security, which controls sensitive exports of technology that has both commercial and military uses. 
&lt;/span&gt;&lt;/p&gt; &lt;p&gt;&lt;span style="font-size:130%;"&gt;It took eight days once the attack was discovered for technicians to install a filter to prevent leaks, and then they installed the wrong kind of filter, said Paller, sharing previously undisclosed findings about the incident, first reported in The Washington Post in October 2006.&lt;br /&gt;&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;span style="font-size:130%;"&gt; Because of "operational security concerns," the Commerce Department declined to comment for this article. But a senior Commerce official told a House Homeland Security panel in 2007 that the agency had no evidence that data were compromised. Still, the department replaced hundreds of workstations and blocked employees from regular Internet use for more than a month. &lt;/span&gt;&lt;/p&gt;  &lt;p&gt;&lt;span style="font-size:130%;"&gt;Commerce is trying to improve, but it can take years to put the people, processes and technology in place to wage an effective defense, said Mischel Kwon, former director of the Department of Homeland Security's readiness team. For years, she said, most civilian agencies were forced by federal law to spend their cyber-funds on security audits as opposed to crafting a strong security program. &lt;/span&gt;&lt;/p&gt; &lt;p&gt;&lt;span style="font-size:130%;"&gt;And most federal information technology managers do not know what advanced skills are needed to combat cyberattacks, said Karen Evans, information technology administrator in the Bush administration. &lt;/span&gt;&lt;/p&gt; &lt;p&gt;&lt;span style="font-size:130%;"&gt; "Skills," Paller said, "are much more important than hardware." 
&lt;/span&gt;&lt;/p&gt; &lt;p&gt; &lt;span style="font-family:Arial,Helvetica;font-size:130%;color:#000000;"&gt; &lt;span style="font-size: 15px;"&gt;The federal pay gap&lt;/span&gt;&lt;br /&gt;&lt;!-- BREAK --&gt;&lt;/span&gt; &lt;/p&gt; &lt;p&gt;&lt;span style="font-size:130%;"&gt;A pillar of the federal government's effort to develop talent is the National Science Foundation's Scholarship for Service program, which pays for up to two years of college in exchange for an equal number of years of federal service. However, the program has placed fewer than 1,000 students since its inception in 2001. &lt;/span&gt;&lt;/p&gt; &lt;p&gt;&lt;span style="font-size:130%;"&gt;The career of a 30-year-old computer scientist named Brian Denny shows how the government is often outbid by the private sector in recruiting cyber-warriors. &lt;/span&gt;&lt;/p&gt; &lt;p&gt;&lt;span style="font-size:130%;"&gt;Denny earned a computer science masters degree in 2004 from Purdue University on an NSF scholarship. In return, he spent two years at the National Security Agency, identifying novel security flaws in computer systems and software. Then &lt;a href="http://projects.washingtonpost.com/post200/2007/BAH/" target=""&gt;Booz Allen Hamilton&lt;/a&gt;, a major intelligence contractor, hired him at a 45 percent pay raise. &lt;/span&gt;&lt;/p&gt; &lt;p&gt;&lt;span style="font-size:130%;"&gt; Today, Denny works for a small employee-owned firm that has federal government and private-sector contracts, and his pay is higher still. "You can still do a lot of cool national-security-related work as a contractor," said Denny, chief security architect for Ponte Technologies in Ellicott City, Md., near the NSA. "The pay difference is so dramatic now," he said, "you can't ignore it." 
&lt;/span&gt;&lt;/p&gt; &lt;p&gt;&lt;span style="font-size:130%;"&gt;Recently, a military officer with 20 years' cybersecurity experience and a coveted security clearance sauntered out of a job interview with Northrop Grumman, a major defense contractor that is making an aggressive play for potentially billions of dollars in government cyber-business. &lt;/span&gt;&lt;/p&gt; &lt;p&gt;&lt;span style="font-size:130%;"&gt;"It's mind-roasting," said the officer, who is about to retire. "I've had people call my house, recruiters for defense contractors . . . probably 20 calls." &lt;/span&gt;&lt;/p&gt; &lt;p&gt;&lt;span style="font-size:130%;"&gt;The labor shortage is torquing up salaries, a cost that often gets passed on to the government. Some young people with three years' experience and a clearance are commanding salaries above $100,000. "Companies are paying people to jump from one company to another," said Ed Giorgio, a former NSA official and Ponte Technologies co-founder. The job-hopping can undermine the firm's performance on a contract, he said. &lt;/span&gt;&lt;/p&gt; &lt;p&gt;&lt;span style="font-size:130%;"&gt;Philip Reitinger, deputy undersecretary of Homeland Security's National Protection and Programs Directorate, conceded that the government generally cannot match industry pay scales. "But in government, one can have a bigger ability to effect change at an earlier place in your career than anywhere else," he said. "And -- your country needs you." &lt;/span&gt;&lt;/p&gt; &lt;p&gt;&lt;span style="font-size:130%;"&gt;Homeland Security officials acknowledged that hiring 1,000 people will be difficult, so they are also looking at training people already in the federal government. &lt;/span&gt;&lt;/p&gt; &lt;p&gt;&lt;span style="font-size:130%;"&gt;Cybersecurity lawyers, researchers and policymakers are also in short supply. The Pentagon, for instance, lacks a career path to develop "expert decision-making in the cyber field," said Robert D. 
Gourley, a former Defense Intelligence Agency chief technology officer. "The great cyber-generals are few and far between." &lt;/span&gt;&lt;/p&gt; &lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/9091583231038221262-4742545689304420121?l=industrionage.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://industrionage.blogspot.com/feeds/4742545689304420121/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://industrionage.blogspot.com/2009/12/as-attacks-increase-us-struggles-to.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/9091583231038221262/posts/default/4742545689304420121'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/9091583231038221262/posts/default/4742545689304420121'/><link rel='alternate' type='text/html' href='http://industrionage.blogspot.com/2009/12/as-attacks-increase-us-struggles-to.html' title='As attacks increase, U.S. 
struggles to recruit computer security experts'/><author><name>www.Industrionage.com</name><uri>http://www.blogger.com/profile/00907555867590425735</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='12' height='32' src='http://1.bp.blogspot.com/_OrlWpnLUecg/SrYxYmB2tkI/AAAAAAAAABA/xt1RrLJ2YbU/S220/face.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-9091583231038221262.post-5340930321783204616</id><published>2009-12-22T16:14:00.000-08:00</published><updated>2009-12-22T16:16:47.860-08:00</updated><title type='text'>Information Security Forum</title><content type='html'>&lt;div style="text-align: center; font-weight: bold;"&gt;&lt;span style="font-size:130%;"&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;a href="https://www.securityforum.org/"&gt;https://www.securityforum.org/&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;&lt;p style="text-align: left;"&gt;Founded in 1989, the Information Security Forum (ISF) is an independent, not-for-profit organisation that supplies authoritative opinion and guidance on all aspects of information security. 
By harnessing our world-renowned expertise and the collective knowledge and experience of our 300 members, the ISF delivers practical solutions to overcome wide-ranging security challenges impacting business information today.&lt;/p&gt;&lt;p&gt;&lt;br /&gt;&lt;/p&gt; &lt;p&gt;Four main areas of service are available to our Members:&lt;/p&gt;               &lt;table width="100%" border="0" cellpadding="6" cellspacing="6"&gt;&lt;tbody&gt;&lt;tr&gt;             &lt;td&gt;&lt;a href="https://www.securityforum.org/services/publictools"&gt;&lt;img src="https://www.securityforum.org/userfiles/attachments/pages/768/Tool_icon_v2_v_ii.png" alt="" /&gt;&lt;br /&gt;           &lt;/a&gt;&lt;/td&gt;             &lt;td&gt;&lt;a href="https://www.securityforum.org/services/publictools"&gt;Tools and Methodologies&lt;/a&gt;, built using the collective expertise, insight, and knowledge of our Members worldwide&lt;/td&gt;             &lt;td&gt;&lt;a href="https://www.securityforum.org/services/publicknowledge"&gt;&lt;img src="https://www.securityforum.org/userfiles/attachments/pages/768/Communities_icon_v2_vii.png" alt="" /&gt;&lt;br /&gt;           &lt;/a&gt;&lt;/td&gt;             &lt;td&gt;A comprehensive programme of &lt;a href="https://www.securityforum.org/services/publicknowledge"&gt;Knowledge and Information Exchange&lt;/a&gt;, offering interactive peer-to-peer forums that give Members an opportunity to meet on a regular basis to share best practices, experiences and perspectives on a wide range of issues.&lt;/td&gt;         &lt;/tr&gt;         &lt;tr&gt;             &lt;td colspan="2"&gt;&lt;br /&gt;&lt;/td&gt;             &lt;td&gt;&lt;br /&gt;&lt;/td&gt;         &lt;/tr&gt;         &lt;tr&gt;             &lt;td&gt;&lt;a href="https://www.securityforum.org/services/publicresearch"&gt;&lt;img src="https://www.securityforum.org/userfiles/attachments/pages/768/Report_icon_v2_v_ii.png" alt="" /&gt;&lt;br /&gt;           &lt;/a&gt;&lt;/td&gt;             &lt;td&gt;An impressive  
library of &lt;a href="https://www.securityforum.org/services/publicresearch"&gt;Research and Report&lt;/a&gt; material, incorporating an unmatched degree of thought leadership in information security, information risk management and related topics.&lt;/td&gt;             &lt;td&gt;&lt;a href="https://www.securityforum.org/services/publiccongress"&gt;&lt;img alt="" src="https://www.securityforum.org/userfiles/attachments/pages/768/Congress_icon_v2_v_ii.png" /&gt;&lt;br /&gt;           &lt;/a&gt;&lt;/td&gt;             &lt;td&gt;The ISF &lt;a href="https://www.securityforum.org/services/publiccongress"&gt;Annual World Congress&lt;/a&gt;, our flagship global event which offers attendees an opportunity to discuss key security challenges and gain practical advice from peers and leading industry experts from around the world.&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;/table&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/9091583231038221262-5340930321783204616?l=industrionage.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://industrionage.blogspot.com/feeds/5340930321783204616/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://industrionage.blogspot.com/2009/12/information-security-forum.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/9091583231038221262/posts/default/5340930321783204616'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/9091583231038221262/posts/default/5340930321783204616'/><link rel='alternate' type='text/html' href='http://industrionage.blogspot.com/2009/12/information-security-forum.html' title='Information Security 
Forum'/><author><name>www.Industrionage.com</name><uri>http://www.blogger.com/profile/00907555867590425735</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='12' height='32' src='http://1.bp.blogspot.com/_OrlWpnLUecg/SrYxYmB2tkI/AAAAAAAAABA/xt1RrLJ2YbU/S220/face.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-9091583231038221262.post-3182779688191183239</id><published>2009-12-16T14:14:00.000-08:00</published><updated>2009-12-16T14:21:13.289-08:00</updated><title type='text'>A comprehensive national broadband plan.</title><content type='html'>&lt;h1&gt;&lt;a href="http://news.cnet.com/8301-30686_3-10416765-266.html"&gt;FCC digs into broadband controversies&lt;/a&gt;&lt;/h1&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;by Marguerite Reardon&lt;/span&gt;&lt;br /&gt;&lt;div style="font-weight: bold;" class="postBody"&gt; &lt;p&gt;The Federal Communications Commission is taking on difficult and controversial issues as it works toward developing a comprehensive national broadband plan.&lt;/p&gt; &lt;p&gt;On Wednesday the agency heard from an FCC task force on the progress that it's making in writing that broadband plan, which will be presented to Congress in February.&lt;/p&gt; &lt;div class="cnet-image-div image-medium float-right" style="width: 184px;"&gt; &lt;img class="cnet-image" src="http://i.i.com.com/cnwk.1d/i/bto/20091216/Broadband.jpg" alt="" width="184" height="138" /&gt; &lt;/div&gt; &lt;p&gt;The FCC has been tasked with developing a &lt;a href="http://news.cnet.com/8301-30686_3-10400725-266.html"&gt;plan that will get broadband services to all Americans&lt;/a&gt;. 
In working to come up with a comprehensive policy, the FCC has tackled several controversial issues, most notably reforming the Universal Service Fund, reallocating wireless spectrum, and forcing more competition in the market for cable set-top boxes.&lt;/p&gt; &lt;p&gt;One of the top items on the FCC task force's to-do list is reforming the $7 billion rural phone subsidy program called the Universal Service Fund. This program, which also provides funding for schools and libraries through its E-rate program, is funded by consumers, who are charged extra fees on their long-distance phone bills. Specifically, the agency wants to expand the program to help fund broadband service in parts of the country where private industry doesn't find it profitable to invest.&lt;/p&gt; &lt;p&gt;The task force didn't provide long-term recommendations for transitioning USF into funding broadband deployments. But in the short term, it suggested extending some current programs such as life-line link-up to schools and other public areas to provide more access to unemployed people who may not have Internet connectivity at home. The idea is that these individuals can use broadband in these public areas to look for jobs.&lt;/p&gt; &lt;p&gt;FCC Chairman Julius Genachowski said it will take time to get reforms in place. He noted that the national broadband plan won't directly affect USF, but he said the program, once it's expanded, will eventually help fund and become a key part of helping get broadband to underserved parts of the country.&lt;/p&gt; &lt;p&gt;"It's tempting to kick the can [USF reform] further down the road," he said. "But for many reasons it's important to begin tackling these issues now. We must make sure that the fund fully supports the technology of today and tomorrow, not just the technology of the past."&lt;/p&gt; &lt;p&gt;But the process is going to be a long one, he said. 
And he wouldn't comment on whether true reform could be achieved in his term as chairman.&lt;/p&gt; &lt;p&gt;The FCC task force also reiterated its plans to re-evaluate spectrum issues. Genachowski has said publicly that one of his top priorities is &lt;a href="http://news.cnet.com/8301-30686_3-10408512-266.html"&gt;reallocating and finding more spectrum that can be used to build wireless broadband services&lt;/a&gt;. Both he and the &lt;a href="http://reviews.cnet.com/CTIA/" section="luke_topic"&gt;CTIA&lt;/a&gt;, a trade group representing the wireless industry, say there is a looming spectrum crisis that could result in dire consequences without adequate attention now. &lt;/p&gt; &lt;p&gt;During its report to the commission, the broadband task force said it is working with Congress to inventory and assess current spectrum usage in the U.S. It is &lt;a href="http://news.cnet.com/8301-30686_3-10416093-266.html"&gt;calling for Congress&lt;/a&gt; to also require periodic review of spectrum uses and to find ways to clear spectrum bands that aren't serving other uses, such as wireless broadband.&lt;/p&gt; &lt;p&gt;The task force also said during its presentation Wednesday that it's looking at ways to spur more competition in the cable set-top box market. The group said that a lack of competition in the set-top box market has also resulted in a lack of innovation. 
The agency feels that more competition in this market would spur companies to develop new Internet applications and services that could be accessed via TVs.&lt;/p&gt; &lt;p&gt;The FCC is considering requiring paid TV providers, such as Comcast, Time Warner Cable, AT&amp;amp;T, and Verizon Communications to supply a low-cost network interface device that would allow people to access the Internet on their TVs and to access cable TV without using a cable box.&lt;/p&gt; &lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/9091583231038221262-3182779688191183239?l=industrionage.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://industrionage.blogspot.com/feeds/3182779688191183239/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://industrionage.blogspot.com/2009/12/comprehensive-national-broadband-plan.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/9091583231038221262/posts/default/3182779688191183239'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/9091583231038221262/posts/default/3182779688191183239'/><link rel='alternate' type='text/html' href='http://industrionage.blogspot.com/2009/12/comprehensive-national-broadband-plan.html' title='A comprehensive national broadband plan.'/><author><name>www.Industrionage.com</name><uri>http://www.blogger.com/profile/00907555867590425735</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='12' height='32' 
src='http://1.bp.blogspot.com/_OrlWpnLUecg/SrYxYmB2tkI/AAAAAAAAABA/xt1RrLJ2YbU/S220/face.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-9091583231038221262.post-5893230498538620574</id><published>2009-11-23T10:09:00.000-08:00</published><updated>2009-11-23T10:11:06.633-08:00</updated><title type='text'>Interplanetary Internet.  Whoa can IPv6 handle this?!?!?</title><content type='html'>&lt;h3 id="siteSub"&gt;From Wikipedia, the free encyclopedia&lt;/h3&gt;&lt;br /&gt;&lt;br /&gt;&lt;p&gt;&lt;span style="font-size:130%;"&gt;The &lt;b&gt;Interplanetary Internet&lt;/b&gt; (IPN) is a conceived &lt;a href="http://en.wikipedia.org/wiki/Computer_network" title="Computer network"&gt;computer network&lt;/a&gt; in space, consisting of a set of &lt;a href="http://en.wikipedia.org/wiki/Node_%28networking%29" title="Node (networking)"&gt;network nodes&lt;/a&gt; which can communicate with each other.&lt;sup id="cite_ref-0" class="reference"&gt;&lt;a href="http://en.wikipedia.org/wiki/Interplanetary_Internet#cite_note-0"&gt;&lt;span&gt;[&lt;/span&gt;1&lt;span&gt;]&lt;/span&gt;&lt;/a&gt;&lt;/sup&gt;&lt;sup id="cite_ref-spaceref_1-0" class="reference"&gt;&lt;a href="http://en.wikipedia.org/wiki/Interplanetary_Internet#cite_note-spaceref-1"&gt;&lt;span&gt;[&lt;/span&gt;2&lt;span&gt;]&lt;/span&gt;&lt;/a&gt;&lt;/sup&gt; Communication would be greatly delayed by the great &lt;a href="http://en.wikipedia.org/wiki/Interplanetary" title="Interplanetary" class="mw-redirect"&gt;interplanetary&lt;/a&gt; distances, so the IPN needs a new set of &lt;a href="http://en.wikipedia.org/wiki/Communications_protocol" title="Communications protocol"&gt;protocols&lt;/a&gt; and &lt;a href="http://en.wikipedia.org/wiki/Technology" title="Technology"&gt;technology&lt;/a&gt; that are tolerant to large delays and errors.&lt;sup id="cite_ref-spaceref_1-1" class="reference"&gt;&lt;a 
href="http://en.wikipedia.org/wiki/Interplanetary_Internet#cite_note-spaceref-1"&gt;&lt;span&gt;[&lt;/span&gt;2&lt;span&gt;]&lt;/span&gt;&lt;/a&gt;&lt;/sup&gt; While the Internet as we know it tends to be a busy "network of networks" with high traffic, negligible delay and errors, and a wired backbone, the Interplanetary Internet is a store-and-forward "network of Internets" that is often disconnected, has a wireless backbone fraught with error-prone links and delays ranging to tens of minutes, even hours, even when there is a connection.&lt;/span&gt;&lt;/p&gt; &lt;h2&gt;&lt;span class="mw-headline" id="Development"  style="font-size:130%;"&gt;Development&lt;/span&gt;&lt;/h2&gt; &lt;p&gt;&lt;span style="font-size:130%;"&gt;Space communication technology has steadily evolved from expensive, one-of-a-kind point-to-point architectures, to the re-use of technology on successive missions, to the development of standard protocols agreed upon by space agencies of many countries. This last phase has gone on since 1982 through the efforts of the &lt;a href="http://en.wikipedia.org/wiki/Consultative_Committee_for_Space_Data_Systems" title="Consultative Committee for Space Data Systems"&gt;Consultative Committee for Space Data Systems&lt;/a&gt; (CCSDS),&lt;sup id="cite_ref-2" class="reference"&gt;&lt;a href="http://en.wikipedia.org/wiki/Interplanetary_Internet#cite_note-2"&gt;&lt;span&gt;[&lt;/span&gt;3&lt;span&gt;]&lt;/span&gt;&lt;/a&gt;&lt;/sup&gt; a body composed of the major space agencies of the world. It has 11 member agencies, 22 observer agencies, and over 100 industrial associates.&lt;/span&gt;&lt;/p&gt; &lt;p&gt;&lt;span style="font-size:130%;"&gt;The evolution of space data system standards has gone on in parallel with the evolution of the Internet, with conceptual cross-pollination where fruitful, but largely as a separate evolution. Since the late 1990s, familiar Internet protocols and CCSDS space link protocols have integrated and converged in several ways, for example, the successful &lt;a href="http://en.wikipedia.org/wiki/FTP" title="FTP" class="mw-redirect"&gt;FTP file transfer&lt;/a&gt; to Earth-orbiting &lt;a href="http://en.wikipedia.org/w/index.php?title=STRV-1b&amp;amp;action=edit&amp;amp;redlink=1" class="new" title="STRV-1b (page does not exist)"&gt;STRV-1b&lt;/a&gt; on January 2 1996, which ran FTP over the CCSDS IPv4-like &lt;a href="http://en.wikipedia.org/wiki/Space_Communications_Protocol_Specifications" title="Space Communications Protocol Specifications"&gt;Space Communications Protocol Specifications&lt;/a&gt; (SCPS) protocols.&lt;sup id="cite_ref-3" class="reference"&gt;&lt;a href="http://en.wikipedia.org/wiki/Interplanetary_Internet#cite_note-3"&gt;&lt;span&gt;[&lt;/span&gt;4&lt;span&gt;]&lt;/span&gt;&lt;/a&gt;&lt;/sup&gt;&lt;sup id="cite_ref-4" class="reference"&gt;&lt;a href="http://en.wikipedia.org/wiki/Interplanetary_Internet#cite_note-4"&gt;&lt;span&gt;[&lt;/span&gt;5&lt;span&gt;]&lt;/span&gt;&lt;/a&gt;&lt;/sup&gt; Internet Protocol use without CCSDS has taken place on spacecraft, e.g., demonstrations on the &lt;a href="http://en.wikipedia.org/wiki/UoSAT-12_satellite" title="UoSAT-12 satellite" class="mw-redirect"&gt;UoSAT-12 satellite&lt;/a&gt;, and operationally on the &lt;a href="http://en.wikipedia.org/wiki/Disaster_Monitoring_Constellation" title="Disaster Monitoring Constellation"&gt;Disaster Monitoring Constellation&lt;/a&gt;. 
Having reached the era where networking and IP on-board spacecraft have been shown to be feasible and reliable, a forward-looking study of the bigger picture was the next phase.&lt;/span&gt;&lt;/p&gt; &lt;div class="thumb tleft"&gt; &lt;div class="thumbinner" style="width: 182px;"&gt;&lt;span style="font-size:130%;"&gt;&lt;a href="http://en.wikipedia.org/wiki/File:Cerf%27s_Up-marquee-20071031.jpg" class="image"&gt;&lt;img alt="" src="http://upload.wikimedia.org/wikipedia/commons/thumb/a/a8/Cerf%27s_Up-marquee-20071031.jpg/180px-Cerf%27s_Up-marquee-20071031.jpg" class="thumbimage" width="180" height="121" /&gt;&lt;/a&gt;&lt;/span&gt; &lt;div class="thumbcaption"&gt; &lt;span style="font-size:130%;"&gt;&lt;a href="http://en.wikipedia.org/wiki/ICANN" title="ICANN"&gt;ICANN&lt;/a&gt; meeting, &lt;a href="http://en.wikipedia.org/wiki/Los_Angeles" title="Los Angeles"&gt;Los Angeles&lt;/a&gt;, USA, 2007. 
The marquee plays a humorous homage to the &lt;a href="http://en.wikipedia.org/wiki/Ed_Wood" title="Ed Wood"&gt;Ed Wood&lt;/a&gt; film &lt;i&gt;&lt;a href="http://en.wikipedia.org/wiki/Plan_9_from_Outer_Space" title="Plan 9 from Outer Space"&gt;Plan 9 from Outer Space&lt;/a&gt;&lt;/i&gt;, while namedropping Internet pioneer &lt;a href="http://en.wikipedia.org/wiki/Vint_Cerf" title="Vint Cerf"&gt;Vint Cerf&lt;/a&gt;.&lt;/span&gt;&lt;/div&gt; &lt;/div&gt; &lt;/div&gt; &lt;p&gt;&lt;span style="font-size:130%;"&gt;The Interplanetary Internet study at NASA's &lt;a href="http://en.wikipedia.org/wiki/Jet_Propulsion_Laboratory" title="Jet Propulsion Laboratory"&gt;Jet Propulsion Laboratory&lt;/a&gt; (JPL) was started by a team of scientists at JPL led by &lt;a href="http://en.wikipedia.org/wiki/Vinton_Cerf" title="Vinton Cerf" class="mw-redirect"&gt;Vinton Cerf&lt;/a&gt; and Adrian Hooke.&lt;sup id="cite_ref-5" class="reference"&gt;&lt;a href="http://en.wikipedia.org/wiki/Interplanetary_Internet#cite_note-5"&gt;&lt;span&gt;[&lt;/span&gt;6&lt;span&gt;]&lt;/span&gt;&lt;/a&gt;&lt;/sup&gt; Cerf is one of the pioneers of the Internet on Earth, and currently holds the position of distinguished visiting scientist at JPL. Hooke is one of the directors of the CCSDS.&lt;/span&gt;&lt;/p&gt; &lt;p&gt;&lt;span style="font-size:130%;"&gt;While IP-like SCPS protocols are feasible for short hops, such as ground station to orbiter, &lt;a href="http://en.wikipedia.org/wiki/Rover_%28space_exploration%29" title="Rover (space exploration)"&gt;rover&lt;/a&gt;-to-lander, lander-to-orbiter, probe-to-flyby, and so on, &lt;a href="http://en.wikipedia.org/wiki/Delay-tolerant_networking" title="Delay-tolerant networking"&gt;delay-tolerant networking&lt;/a&gt; is needed to get information from one region of the &lt;a href="http://en.wikipedia.org/wiki/Solar_system" title="Solar system" class="mw-redirect"&gt;solar system&lt;/a&gt; to another. 
It becomes apparent that the concept of a "region" is a natural architectural factoring of the InterPlanetary Internet.&lt;/span&gt;&lt;/p&gt; &lt;p&gt;&lt;span style="font-size:130%;"&gt;A "region" is an area where the characteristics of communication are the same.&lt;sup id="cite_ref-sunset_6-0" class="reference"&gt;&lt;a href="http://en.wikipedia.org/wiki/Interplanetary_Internet#cite_note-sunset-6"&gt;&lt;span&gt;[&lt;/span&gt;7&lt;span&gt;]&lt;/span&gt;&lt;/a&gt;&lt;/sup&gt; Region characteristics include communications, security, the maintenance of resources, perhaps ownership, and other factors.&lt;sup id="cite_ref-sunset_6-1" class="reference"&gt;&lt;a href="http://en.wikipedia.org/wiki/Interplanetary_Internet#cite_note-sunset-6"&gt;&lt;span&gt;[&lt;/span&gt;7&lt;span&gt;]&lt;/span&gt;&lt;/a&gt;&lt;/sup&gt; The Interplanetary Internet is a "network of regional internets."&lt;/span&gt;&lt;/p&gt; &lt;p&gt;&lt;span style="font-size:130%;"&gt;What is needed then, is a standard way to achieve end-to-end communication through multiple regions in a disconnected, variable-delay environment using a generalized suite of protocols. Examples of regions might include the terrestrial Internet as a region, a region on the surface of the moon or Mars, or a ground-to-orbit region.&lt;/span&gt;&lt;/p&gt; &lt;p&gt;&lt;span style="font-size:130%;"&gt;The recognition of this requirement led to the concept of a "bundle" as a high-level way to address the generalized Store-and-Forward problem. 
Bundles are an area of new protocol development in the upper layers of the &lt;a href="http://en.wikipedia.org/wiki/Osi_model" title="Osi model" class="mw-redirect"&gt;OSI model&lt;/a&gt;, above the &lt;a href="http://en.wikipedia.org/wiki/Osi_model#Layer_4:_Transport_Layer" title="Osi model" class="mw-redirect"&gt;Transport Layer&lt;/a&gt; with the goal of addressing the issue of bundling store-and-forward information so that it can reliably traverse radically dissimilar environments constituting a "network of regional internets."&lt;/span&gt;&lt;/p&gt; &lt;p&gt;&lt;span style="font-size:130%;"&gt;Bundle Service Layering, implemented as the Bundling protocol suite for &lt;a href="http://en.wikipedia.org/wiki/Delay-tolerant_networking" title="Delay-tolerant networking"&gt;delay-tolerant networking&lt;/a&gt;, will provide general purpose delay-tolerant protocol services in support of a range of applications: custody transfer, segmentation and reassembly, end-to-end reliability, end-to-end security, and end-to-end routing among them. 
The Bundle Protocol was first tested in space on the &lt;a href="http://en.wikipedia.org/wiki/UK-DMC" title="UK-DMC"&gt;UK-DMC satellite&lt;/a&gt; in 2008.&lt;sup id="cite_ref-7" class="reference"&gt;&lt;a href="http://en.wikipedia.org/wiki/Interplanetary_Internet#cite_note-7"&gt;&lt;span&gt;[&lt;/span&gt;8&lt;span&gt;]&lt;/span&gt;&lt;/a&gt;&lt;/sup&gt;&lt;sup id="cite_ref-8" class="reference"&gt;&lt;a href="http://en.wikipedia.org/wiki/Interplanetary_Internet#cite_note-8"&gt;&lt;span&gt;[&lt;/span&gt;9&lt;span&gt;]&lt;/span&gt;&lt;/a&gt;&lt;/sup&gt;&lt;/span&gt;&lt;/p&gt; &lt;div class="thumb tright"&gt; &lt;div class="thumbinner" style="width: 212px;"&gt;&lt;span style="font-size:130%;"&gt;&lt;a href="http://en.wikipedia.org/wiki/File:Deep_Impact_HRI.jpeg" class="image"&gt;&lt;img alt="" src="http://upload.wikimedia.org/wikipedia/commons/thumb/3/3e/Deep_Impact_HRI.jpeg/210px-Deep_Impact_HRI.jpeg" class="thumbimage" width="210" height="210" /&gt;&lt;/a&gt;&lt;/span&gt; &lt;div class="thumbcaption"&gt; &lt;span style="font-size:130%;"&gt; The &lt;a href="http://en.wikipedia.org/wiki/Deep_Impact_%28space_mission%29" title="Deep Impact (space mission)"&gt;Deep Impact&lt;/a&gt; mission&lt;/span&gt;&lt;/div&gt; &lt;/div&gt; &lt;/div&gt; &lt;p&gt;&lt;span style="font-size:130%;"&gt;An example of one of these end-to-end applications flown on a space mission is CFDP, used on the comet mission, &lt;a href="http://en.wikipedia.org/wiki/Deep_Impact_%28space_mission%29" title="Deep Impact (space mission)"&gt;Deep Impact&lt;/a&gt;. 
CFDP is the CCSDS File Delivery Protocol,&lt;sup id="cite_ref-9" class="reference"&gt;&lt;a href="http://en.wikipedia.org/wiki/Interplanetary_Internet#cite_note-9"&gt;&lt;span&gt;[&lt;/span&gt;10&lt;span&gt;]&lt;/span&gt;&lt;/a&gt;&lt;/sup&gt; an international standard for automatic, reliable file transfer in both directions. CFDP should not be confused with &lt;a href="http://en.wikipedia.org/wiki/Coherent_file_distribution_protocol" title="Coherent file distribution protocol"&gt;Coherent File Distribution Protocol&lt;/a&gt;, which unfortunately has the same acronym and is an &lt;a href="http://en.wikipedia.org/wiki/IETF" title="IETF" class="mw-redirect"&gt;IETF&lt;/a&gt;-documented experimental protocol for rapidly deploying files to multiple targets in a highly-networked environment.&lt;/span&gt;&lt;/p&gt; &lt;p&gt;&lt;span style="font-size:130%;"&gt;In addition to reliably copying a file from one entity (i.e., a spacecraft or ground station) to another entity, the CCSDS CFDP has the capability to reliably transmit arbitrary small messages defined by the user, in the &lt;a href="http://en.wikipedia.org/wiki/Metadata" title="Metadata"&gt;metadata&lt;/a&gt; accompanying the file, and to reliably transmit commands relating to file system management that are to be executed automatically on the remote end-point entity (i.e., a spacecraft) upon successful reception of a file.&lt;/span&gt;&lt;/p&gt; &lt;h2&gt;&lt;span class="mw-headline" id="Implementation"  style="font-size:130%;"&gt;Implementation&lt;/span&gt;&lt;/h2&gt; &lt;p&gt;&lt;span style="font-size:130%;"&gt;The dormant InterPlanetary Internet Special Interest Group of the &lt;a href="http://en.wikipedia.org/wiki/Internet_Society" title="Internet Society"&gt;Internet Society&lt;/a&gt; has worked on defining protocols and standards that would make the IPN possible.&lt;sup id="cite_ref-10" class="reference"&gt;&lt;a href="http://en.wikipedia.org/wiki/Interplanetary_Internet#cite_note-10"&gt;&lt;span&gt;[&lt;/span&gt;11&lt;span&gt;]&lt;/span&gt;&lt;/a&gt;&lt;/sup&gt; The Delay-Tolerant Networking Research Group (DTNRG) is the primary group researching &lt;a href="http://en.wikipedia.org/wiki/Delay-tolerant_networking" title="Delay-tolerant networking"&gt;Delay-tolerant networking&lt;/a&gt; which has several major arenas of application in addition to the Interplanetary Internet, including stressed tactical communications, sensor webs, disaster recovery, hostile environments, and remote outposts.&lt;sup id="cite_ref-11" class="reference"&gt;&lt;a href="http://en.wikipedia.org/wiki/Interplanetary_Internet#cite_note-11"&gt;&lt;span&gt;[&lt;/span&gt;12&lt;span&gt;]&lt;/span&gt;&lt;/a&gt;&lt;/sup&gt; As an example of a remote outpost, imagine an isolated Arctic village or a faraway island, with electricity, and one or more computers but no communication connectivity. 
With the addition of a simple wireless hotspot in the village, plus DTN-enabled devices on, say, dog sleds or fishing boats, a resident would be able to check their e-mail or click on a Wikipedia article, and have their requests forwarded to the nearest networked location on the sled's or boat's next visit, and get the replies on its return.&lt;/span&gt;&lt;/p&gt; &lt;p&gt;&lt;span style="font-size:130%;"&gt;As of 2005, NASA has canceled plans to launch the &lt;a href="http://en.wikipedia.org/wiki/Mars_Telecommunications_Orbiter" title="Mars Telecommunications Orbiter"&gt;Mars Telecommunications Orbiter&lt;/a&gt; in September 2009; it had the goal of supporting future missions to Mars and would have functioned as a possible first definitive Internet hub around another planetary body.&lt;/span&gt;&lt;/p&gt; &lt;p&gt;&lt;span style="font-size:130%;"&gt;Since July of 2009 NASA have been testing &lt;a href="http://en.wikipedia.org/wiki/Delay-tolerant_networking" title="Delay-tolerant networking"&gt;DTN&lt;/a&gt; on board the ISS;&lt;sup id="cite_ref-12" class="reference"&gt;&lt;a href="http://en.wikipedia.org/wiki/Interplanetary_Internet#cite_note-12"&gt;&lt;span&gt;[&lt;/span&gt;13&lt;span&gt;]&lt;/span&gt;&lt;/a&gt;&lt;/sup&gt; in August or September there are plans to reload the DTN protocol on the Deep Impact probe. 
That, later combined with another satellite and the ground node, will produce a 4-node network.&lt;sup id="cite_ref-13" class="reference"&gt;&lt;a href="http://en.wikipedia.org/wiki/Interplanetary_Internet#cite_note-13"&gt;&lt;span&gt;[&lt;/span&gt;14&lt;span&gt;]&lt;/span&gt;&lt;/a&gt;&lt;/sup&gt;&lt;/span&gt;&lt;/p&gt; &lt;h2&gt;&lt;span class="mw-headline" id="See_also"  style="font-size:130%;"&gt;See also&lt;/span&gt;&lt;/h2&gt; &lt;ul&gt;&lt;li&gt;&lt;span style="font-size:130%;"&gt;&lt;a href="http://en.wikipedia.org/wiki/InterPlaNet" title="InterPlaNet"&gt;InterPlaNet&lt;/a&gt;&lt;/span&gt;&lt;/li&gt;&lt;li&gt;&lt;span style="font-size:130%;"&gt;&lt;a href="
