STE WILLIAMS

National Cyber Security Awareness Month

Today is the start of National Cyber Security Awareness Month (NCSAM), a US initiative aimed at making sure everyone has the resources they need to stay safer and more secure online.

But it isn’t just for those of you in the USA. Everyone, wherever they are, should use this month as a way to get clued up on security, help educate others on how to stay safe online, and spread the security message.

If you’re reading this, you’re probably already pretty clued up on how to use the internet safely. But are your friends? What about your family?

‘Our Shared Responsibility’

That’s the theme this year – so let’s make sure we all do our bit. Get started by reading our three essential tasks you can do to help your friends and family.

And because it’s the 10th anniversary of NCSAM, we’ve come up with 10 security topics that have hit the headlines over the last decade. From the hand-wavingly general to the pointedly specific, it makes an interesting read.

We’ll be writing a lot more about NCSAM over the next month, so stay tuned.

Oh, and to mark the month we’re giving away 5 goody bags!

We’ll be selecting one winner a week from our list of newsletter subscribers to say thanks to our loyal fans.

If you already receive our newsletter you’ll be automatically entered into the draw. And if you’re yet to subscribe and you’d like to be in with a chance of winning, you can sign up here.

We’ll be in touch at the end of the month if you’ve won. Good luck!

Image of gift bag courtesy of Shutterstock.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/mylW-Gf9usk/

NSA = National Stalker Agency?

It was his first day on the job at the National Security Agency (NSA), so he did what anybody would do, if you define “anybody” as “somebody who completely ignores rules meant to protect the privacy of both foreign and US persons against federal abuse of surveillance powers”: the new agent snooped on his former girlfriend.

In a letter [PDF] dated 11 September, NSA inspector general Dr. George Ellard detailed 12 investigations into such “intentional and willful misuse” of spying tools by civilian and military NSA employees.

Two of the investigations are still open, Ellard wrote in his letter to the ranking member of the US Senate’s Judiciary Committee, Senator Charles E. Grassley, while another allegation is being reviewed for possible investigation.

The agent who ambitiously jumped into illegal snooping on his first day on the job was a military member stationed at a site in the continental US, Ellard’s letter says.

The unnamed subject queried six email addresses belonging to a former girlfriend – a US person – without authorization.

Why did he do it?

Well, he wanted to “practice on the system,” he testified, and decided to use his former girlfriend as a cyber-information guinea pig.

A site review of the NSA’s information collection systems – SIGINT – turned up his queries four days later.

The subject reportedly didn’t get any information out of the system and hadn’t read any US person’s email. He received a reduction in grade, 45 days restriction, 45 days of extra duty, and half pay for two months.

Also, it was recommended that he not be given a security clearance.

SIGINT, or foreign Signals Intelligence, is intelligence gathered from electronic signals and systems used by foreign targets, including communications systems, radars, and weapons systems.

According to the NSA’s description, SIGINT’s mission is “specifically limited to gathering information about international terrorists and foreign powers, organizations, or persons” that provides “a vital window for our nation into foreign adversaries’ capabilities, actions, and intentions.”

Technically, checking on whether your spouse is cheating on you or whether somebody you bumped into at a bar is date-worthy is not part of the NSA’s plan.

Nonetheless, seeking a vital window into their partners’ escapades, sexual or other, is precisely the mission that some NSA employees have chosen to pursue.

More examples from Ellard’s letter:

  • 2004: A civilian employee based overseas, upon returning to the US, checked out a foreign phone number she found in her husband’s mobile phone because she suspected her husband had been cheating. She managed to eavesdrop on her husband’s phone communications.
  • 1998 to 2003: In a case of serial snoopery, one civilian employee based overseas snooped on the telephones of nine foreign women over the course of five years. The tip-off came from another NSA employee who suspected the subject – an NSA civilian employee who was also her lover – of listening to her phone calls.
  • 2011: A subject ran her foreign-national boyfriend’s phone number through the system and came up with some material, which she reviewed. She said that she was in the habit of entering foreign national phone numbers of people she met in social settings to ensure she wasn’t “talking to ‘shady characters’”.

In at least 6 of the 12 instances reported by the inspector general, the matters were referred to the Department of Justice. In multiple instances, the NSA employees resigned or retired before being disciplined.

Jameel Jaffer, deputy legal director at the American Civil Liberties Union, told Reuters that the seeming handful of NSA employees who abuse their powers are probably just “the tip of the iceberg” and that the real issue is, rather, the massive amount of surveillance that’s actually legal for the NSA:

If you only focus on instances in which the NSA violated those laws, you’re missing the forest for the trees. … The bigger concern is not with willful violations of the law, but rather with what the law itself allows.

As Mother Jones’s Dana Liebelson commented recently, it seems that not a week goes by wherein we aren’t provided with “a friendly reminder from former NSA contractor Edward Snowden that the government has found a new way to spy on us.”

Liebelson outlined a dozen pending bills aimed at reining in the NSA’s vast surveillance powers.

One of those bills – The Surveillance State Repeal Act (H.R. 2818) – would actually repeal the PATRIOT Act and the 2008 amendments to the Foreign Intelligence Surveillance Act (FISA): the statutes from whence the NSA draws its broad spying powers.

The pending bills seek, Liebelson writes, to:

… keep the NSA from sweeping up phone records en masse, take the rubber stamp away from the top-secret spy court that approves surveillance requests, and allow tech companies to tell the public more about the government requests they receive for user data, among other things.

We wait to see what happens.

And all you former, current or future love interests of NSA employees – known, romantically enough, as “lovints” in NSA speak – be aware: the walls have ears.

Image of eavesdropping man courtesy of Shutterstock.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/cbFYCCwKqIM/

BitTorrent trialling P2P secure messaging


BitTorrent wants either (a) to take another step towards respectability, or (b) to take itself further outside the mainstream by defying Uncle Sam (take your pick), announcing that it’s trialling a secure, serverless messaging application.

The P2P messaging system is taking alpha sign-ons now, here.


The idea is that if messages can be encrypted properly – which presumably means working out algorithms that don’t have trap-doors or backdoors – then without a centralised server processing the messages, government interception should be harder to implement.

Alec Perkins did the groundwork for a similar system, and has published an outline here*.

If Perkins’ work represents the current state of the BitTorrent messaging alpha, then it currently relies on an out-of-band exchange of users’ keys. He notes that if BitTorrent Sync were upgraded, it could support key exchange in the future. A small Node.js web server provides the UI to the system.

Each user (contact, or message channel) has a folder containing an inbox and an outbox. Users provide each other with read-only keys giving access to their inboxes and outboxes (note that a different key is used for each). The recipient of a message can only read the message in the sender’s outbox: they can’t change the message. All messages are encrypted with AES-256 with secrets greater than 20 bytes.

BitTorrent is offering alpha sign-ups here. ®

Update: Since this was published, a representative of the BitTorrent team has contacted The Register. He stated that while Alec Perkins’ work is “an interesting use of BitTorrent Sync”, BitTorrent Chat will be “built entirely by one of our internal teams”. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/10/01/bittorrent_trialling_p2p_secure_messaging/

Yahoo! Pays! Paltry! $12.50! Bug! Bounty! For! Nasty! Email! Vuln!


Yahoo! has paid a bug bounty to security researchers who found a bug that “allowed any @yahoo.com email account to be compromised simply by sending a specially crafted link to a logged-in Yahoo! user and making him/her click on it.” But the bounty was just $US12.50 and came in the form of a voucher that could only be spent in the Yahoo! company store on branded tat.

The quote above comes from a canned statement from Switzerland-based security outfit High-Tech Bridge, which says it set out to test the efficacy of bug bounties by seeing if it could find a flaw on Yahoo! The statement says 45 minutes into tests the XSS flaw detailed above showed its ugly head, leading the company to report the vulnerability to Yahoo!, which responded with an email saying the bug was known and so did not qualify for payment.


Undeterred, the team sent in another three flaws all of which had the same effect. Yahoo! eventually bit and offered the $US12.50 gift voucher as a bounty.

High-Tech Bridge’s CEO Ilia Kolochenko has reacted badly to that offer, declaring it “a bad joke” and opining it “won’t motivate people to report security vulnerabilities to them, especially when such vulnerabilities can be easily sold on the black market for a much higher price.”

He goes on to say that at $12.50 a bug, Yahoo! has little chance of delivering decent security:

“If Yahoo! cannot afford to spend money on its corporate security, it should at least try to attract security researchers by other means. Otherwise, none of Yahoo!’s customers can ever feel safe,” he writes. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/10/01/yahoo_pays_paltry_1250_bug_bounty_for_nasty_email_vuln/

Sweet-talking Siri opens stalking security hole in iOS 7


It has not been a good week for Apple on the security front, and there’s no relief in sight after an Israeli researcher found a way to access a locked iPhone’s contacts and messages database using Siri.


In a YouTube video, Dany Lisiansky showed how a locked phone running iOS 7.0.2 can be opened by using Siri’s voice control to make a call to an attacker’s system. This “feature” then allows an attacker to access the target handset’s Phone application, giving access to call history, voicemail, and the entire list of contacts by following seven steps:

1. Make a phone call (with Siri / Voice Control).

2. Click the FaceTime button.

3. When the FaceTime App appears, click the Sleep button.

4. Unlock the iPhone.

5. Answer and End the FaceTime call at the other end.

6. Wait a few seconds.

7. Done. You are now in the phone app.

“It’s easy to imagine how this vulnerability could be exploited by a business rival or a jealous romantic partner,” commented security watcher Graham Cluley.

Cupertino has made security a big selling point for its latest mobes, even going as far as recruiting the New York Police Department to hand out leaflets urging Apple users to upgrade to iOS 7. But the handset has also been targeted by researchers and found wanting, not to mention unsettling to the stomach.

It took the Chaos Computer Club only three days to defeat the new iPhone’s fingerprint scanner, using a fingerprint printout and some latex wood glue. Chinese Apple users showed one possible way around this – using their nipples instead – but that’s unlikely to take off for most users.

Shortly afterwards, attackers found a way to bypass the lock screen using Apple’s Control Center, albeit with some nifty fingerwork. That led to Tim Cook’s security engineers spending a few sleepless nights, and they pushed out an update on Thursday – but a day later Lisiansky found a way to crack the update.

With over 200 million Apple users now using iOS 7, with no way to remove the upgrade, it looks like there could be another update in the pipes soon if iPhone users are going to have their privacy protected.

In the meantime, users are advised to turn off Siri’s ability to work while the handset is locked: launch the Settings app, tap General, then Passcode Lock, turn Passcode on if it isn’t already, then toggle Siri off under Allow Access When Locked. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/09/30/sweettalking_siri_opens_stalking_security_hole_in_ios_7/

Symantec Sinkholes Chunk Of Massive Click-Fraud Botnet

It’s botnet-takedown time again: Symantec has intercepted and redirected more than a half-million machines infected by the pervasive click-fraud botnet ZeroAccess, one of the world’s largest botnets.

In a race to get one step ahead of the botnet operators, researchers at Symantec made the move to sinkhole ZeroAccess bots when they discovered the botnet’s operators were about to push a new version of the malware that fixed weaknesses to allow the botnet to be intercepted and sinkholed.

“Our original plan was to do this in conjunction with law enforcement. But, unfortunately, because a technical update was pushed out to the botnet, we had to expedite going into action” with the sinkhole, says Vikram Thakur, a researcher with Symantec Security Response.

ZeroAccess, which typically boasts some 1.9 million bots and has been in operation since at least 2011, is second in size only to Conficker, which, although dormant, is still spreading around the globe. ZeroAccess is, however, the biggest peer-to-peer botnet, according to Symantec. P2P botnets are tougher to tame because infected machines communicate directly to one another for updates and instructions; there is no central command-and-control that can be taken down by researchers or law enforcement.

Symantec began working on ways to sinkhole the botnet this spring and, on June 29, spotted a new version of ZeroAccess malware being spread through the P2P botnet. The new version included fixes for two key design flaws in the malware that, if exploited, would have made sinkholing a snap: specifically, a relatively small list of IPs a bot can communicate with, as well as internal code that left the door open for introducing a rogue IP address — such as a sinkhole — to the bot, says Symantec’s Thakur.

“Those two weaknesses were plugged in the updates pushed on June 29,” Thakur says. So Symantec went into action, getting a sinkhole up and running on July 16. Capturing ZeroAccess bots took about five minutes per machine.

But as previous botnet takedown operations have shown, botnets never really die — they just eventually get retooled, rebuilt, or reinvented. Symantec’s Thakur says the takedown of ZeroAccess, however, is different: “We know that there is law enforcement who is looking into this case,” he says. “So, hopefully, this is a dent the botmaster does not recover from,” he says.

Sean Sullivan, a security adviser at F-Secure, says the sinkhole effort was a “commendable effort” but not an actual fix for the problem of the ZeroAccess botnet.

[Microsoft has flexed its legal muscle again to disrupt yet another botnet: this time, the click-fraud Bamital botnet, the sixth such botnet-takedown operation launched by the software giant in three years. See Microsoft, Symantec Team, Topple Bamital Botnet.]

The majority of the infected ZeroAccess bots are consumer machines, anywhere from 80 to 90 percent, and Symantec has been working with ISPs and CERTs around the world to share information about the botnet so the infected machines can be cleaned up. Symantec also shared information on ZeroAccess bots that it wasn’t able to sinkhole but were communicating with ones it captured.

ZeroAccess’s main moneymaking method is click fraud. The ZeroAccess gang makes tens of millions of dollars a year on these scams, which basically infect unsuspecting users with the malware that generates phony clicks on false ads for payment.

Symantec tested the activity of a click-fraud bot and found that each bot generates about 257 MB of traffic every hour, some 6.1 GB a day, as well as 42 false ad clicks an hour, or 1,008 per day. A click is worth about a penny, but with 1.9 million bots, it quickly becomes lucrative, according to Symantec.
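As an added example (not part of the article or of Symantec’s work), the following Python turns the per-bot hourly figures quoted above into a simple threshold check over proxy-log lines. The log format, the ad-URL pattern and the IP addresses are constructed for illustration; only the 42 clicks/hour and 257 MB/hour baselines come from the article.

```python
"""Flag hosts whose outbound web traffic matches the ZeroAccess click-fraud
profile quoted by Symantec: about 42 ad clicks and 257 MB per bot per hour.
The log format, URL pattern and sample hosts are constructed for this example."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed proxy-log format: ISO timestamp, client IP, bytes, URL.
LOG_RE = re.compile(r"^(\S+) (\d+\.\d+\.\d+\.\d+) (\d+) (\S+)$")

# Per-bot hourly figures reported by Symantec for ZeroAccess click fraud.
CLICKS_PER_HOUR = 42
BYTES_PER_HOUR = 257 * 1024 * 1024

# Assumption for this example: requests to click-redirect style paths count as
# ad clicks. Real deployments would use an ad-network URL list or proxy categories.
AD_CLICK_RE = re.compile(r"/(click|adclick|redirect)\b", re.IGNORECASE)


def parse_line(line):
    """Return (timestamp, client_ip, bytes, url) or None for malformed lines."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return datetime.fromisoformat(m.group(1)), m.group(2), int(m.group(3)), m.group(4)


def aggregate(lines):
    """Return {(client_ip, hour_bucket): {"clicks": n, "bytes": n}}."""
    stats = defaultdict(lambda: {"clicks": 0, "bytes": 0})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip unparseable lines instead of aborting the sweep
        ts, ip, nbytes, url = rec
        key = (ip, ts.replace(minute=0, second=0, microsecond=0))
        stats[key]["bytes"] += nbytes
        if AD_CLICK_RE.search(url):
            stats[key]["clicks"] += 1
    return stats


def flag_hosts(lines, click_ratio=0.5, byte_ratio=0.5):
    """Flag a host for any hour in which it reaches click_ratio of the per-bot
    click rate or byte_ratio of the per-bot byte volume. Ratios below 1 give
    headroom for bots that were only active for part of the hour."""
    flagged = {}
    for (ip, hour), s in aggregate(lines).items():
        reasons = []
        if s["clicks"] >= CLICKS_PER_HOUR * click_ratio:
            reasons.append(f"{s['clicks']} ad clicks")
        if s["bytes"] >= BYTES_PER_HOUR * byte_ratio:
            reasons.append(f"{s['bytes'] // (1024 * 1024)} MB")
        if reasons:
            flagged.setdefault(ip, []).append((hour.isoformat(), reasons))
    return flagged


def make_sample_log():
    """Constructed sample: 10.0.0.5 behaves like a ZeroAccess bot for one hour
    (42 clicks, ~257 MB); 10.0.0.9 is an ordinary user who clicks two ads."""
    lines = []
    for i in range(42):  # one click roughly every 85 seconds
        ts = f"2013-09-30T14:{i * 85 // 60:02d}:{i * 85 % 60:02d}"
        lines.append(f"{ts} 10.0.0.5 6420000 http://ads.example.test/click?id={i}")
    lines += [
        "2013-09-30T14:05:00 10.0.0.9 180000 http://news.example.test/story/1",
        "2013-09-30T14:06:10 10.0.0.9 90000 http://ads.example.test/click?id=x1",
        "2013-09-30T14:40:30 10.0.0.9 250000 http://news.example.test/story/2",
        "2013-09-30T14:41:00 10.0.0.9 90000 http://ads.example.test/click?id=x2",
        "this line is not a valid log record",
    ]
    return lines


if __name__ == "__main__":
    for ip, hours in flag_hosts(make_sample_log()).items():
        for hour, reasons in hours:
            print(f"{ip} at {hour}: {', '.join(reasons)}")
```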

ZeroAccess is a Trojan that employs a rootkit to remain under the radar. It typically spreads via compromised websites in a drive-by download attack and uses the Blackhole Exploit Toolkit, as well as the Bleeding Life Toolkit.

James Wyke, a researcher for SophosLabs, UK, describes ZeroAccess as similar to the TDL family of rootkits. “It uses advanced techniques to hide its presence, is capable of functioning on both 32 and 64-bit flavors of Windows from a single installer, contains aggressive self defense functionality and acts as a sophisticated delivery platform for other malware,” Wyke said in a report on the malware.

Symantec also notes similarities between ZeroAccess and TDL, a.k.a. TDSS and Tidserv. “There is some relationship,” Thakur says. It could either be the same malware writer providing malware to different cybercrime gangs, or that ZeroAccess took over the Tidserv code, according to Symantec. Either way, ZeroAccess searches for and removes any versions of Tidserv on machines it infects.

The attackers behind ZeroAccess are out of Eastern Europe, including Russia and Ukraine, according to Symantec. Seventy to 80 percent of them are based in Eastern Europe and Russia, Thakur says.

ZeroAccess also had previously been used for Bitcoin-mining, but the gang earlier this year got out of that business and doubled down on its click-fraud activities.


Article source: http://www.darkreading.com/attacks-breaches/symantec-sinkholes-chunk-of-massive-clic/240162016

Vulnerability To Phishing Scams May Be Linked To Personality, NYU-Poly Study Shows

BROOKLYN, N.Y., Sept. 30, 2013 /PRNewswire/ — Phishing scams are some of the most effective online swindles, hooking both savvy and naive computer users. New insights from researchers at the Polytechnic Institute of New York University (NYU-Poly) point to two factors that may boost the likelihood that a computer user will fall prey: being female and having a neurotic personality.

A multidisciplinary team comprised of Tzipora Halevi, postdoctoral scholar in computer science and engineering; James Lewis, instructor in the NYU-Poly Department of Science, Technology and Society; and Nasir Memon, professor and head of the Department of Computer Science and Engineering, set out to probe the connections between personality types and phishing to better inform computer security education and training.

In a preliminary study, the researchers sampled 100 students from an undergraduate psychology class, most of whom were science or engineering majors.

Participants completed a questionnaire about their online habits and beliefs, including details about the type and volume of information they share on Facebook. They were also asked to rate the likelihood of negative things happening to them personally online, such as having an Internet password stolen.

Finally, participants answered the short version of a widely used multidimensional personality assessment survey.

Shortly thereafter, the researchers used the email provided by participants to execute a real-life phishing scam, attempting to lure the students to click a link to enter a prize raffle and to fill out an entry form containing personal information. Like many phishing scams, the “from” field in the email did not match the actual address, and the email contained spelling and grammatical errors.

“We were surprised to see that 17% of our targets were successfully phished–and this was a group with considerable computer knowledge,” Lewis said.

The majority of those who fell for the scam were women, and those women who were categorized as “neurotic” according to the personality assessment were likeliest to fall for the phishing scam. Neurotic personalities are characterized by irrational thoughts and a tendency toward negative feelings like guilt, sadness, anger, and fear.

There was no correlation between men’s personality types and their vulnerability to phishing.

“These results tell us that personality characteristics may exert considerable influence when it comes to choices about online behavior, and that they may even override awareness of online threats,” Lewis explained.

The team found no correlation between participants’ level of knowledge of computer security and their likelihood of being phished.

The researchers also examined the connections between the amount of personal information participants admitted to sharing on Facebook and personality traits.

Those categorized as having “open” personalities tended to share the most information on Facebook, and to have the least restrictive privacy settings on the social networking site, thus increasing their vulnerability to privacy leaks.

“In the moment, it appears that computer users may be more focused on the possibility of winning a prize or the perceived benefits of sharing information on Facebook, and that these gains distract from potentially damaging outcomes,” Lewis said.

The researchers also uncovered an inverse relationship between those with “openness” and “extroversion” as personality traits and the likelihood of their being phished or sharing copious information on Facebook. Among the cohort studied were 12 people without Facebook accounts. All were men, none fell prey to the phishing scheme, and all were least likely to be characterized as “open” or “extroverted.”

While the researchers emphasized that their study sample was small and further investigation is needed, they believe that insights into how personality traits impact decision-making online may aid in the design of more effective computer interfaces, as well as security training and education. As this experiment tested a single type of scam–prize phishing–future work may explore whether other personality types prove vulnerable to different types of scams.

These findings were first presented at the Second International Workshop on Privacy and Security in Online Social Media. Halevi, Lewis, and Memon conducted the investigation in collaboration with the Center for Interdisciplinary Studies in Security and Privacy (CRISSP), which brings together experts in computer security, psychology, law and public policy to formulate new approaches to privacy in an increasingly interconnected world. Their research was supported by a grant from the National Science Foundation.

The Polytechnic Institute of New York University (formerly the Brooklyn Polytechnic Institute and the Polytechnic University, now widely known as NYU-Poly) is an affiliated institute of New York University, and will become its School of Engineering in January 2014. NYU-Poly, founded in 1854, is the nation’s second-oldest private engineering school. It is presently a comprehensive school of education and research in engineering and applied sciences, rooted in a 159-year tradition of invention, innovation and entrepreneurship. It remains on the cutting edge of technology, innovatively extending the benefits of science, engineering, management and liberal studies to critical real-world opportunities and challenges, especially those linked to urban systems, health and wellness, and the global information economy. In addition to its programs on the main campus in New York City at MetroTech Center in downtown Brooklyn, it offers programs around the globe remotely through NYUe-Poly. NYU-Poly is closely connected to engineering in NYU Abu Dhabi and NYU Shanghai and to the NYU Center for Urban Science and Progress (CUSP) also at MetroTech, while operating two incubators in downtown Manhattan and Brooklyn.

For more information, visit www.poly.edu.

Article source: http://www.darkreading.com/vulnerability/vulnerability-to-phishing-scams-may-be-l/240162004

Reaping The Security Rewards Of SDN

When Interop gears up tomorrow in New York, you can bet your trade-show tchotchkes that software defined networking (SDN) will dominate airtime as one of the prevalent themes. Many vendors and pundits will push the performance and operational boosts from SDN as the most obvious benefits of SDN strategies. But as organizations roll up their sleeves and dig into the technology and architecture of SDN, they could find that the biggest opportunity for improving IT through it may actually be in security.


SDN could act as a natural technological extension of the accelerating trend toward segmentation, says Reuven Harrison, CTO of Tufin Technologies.

“Security used to be perimeter-based, and now it is becoming based on multiple zone layers within an enterprise network — the trend is to have more and more smaller zones for improved control,” he says, saying that this has increased security complexity as it has brought with it increasingly more network security devices to control those zones. “Using software-defined networks, rather than going into a specific device and writing command lines when you want to change anything on the network, you can write software that pulls APIs on devices to allow traffic, deny traffic, look at traffic, and report traffic. You can orchestrate security across your network.”

According to Tom Nolle, president of CIMI Corp., a strategic IT consultancy, one of the greatest advantages of SDN is that connectivity within that model can be explicit as compared to the traditional implicit model.

“You establish an IP network, and it is designed to route traffic between addressed endpoints promiscuously, which means that if you know somebody else’s address, then you can send them something,” Nolle says. “In any permissive network environment like that, security has to be based on a combination of the requirement for authentication and on the notion that you are going to interpose a barrier to those connections you don’t want, which is to say a firewall.”

Contrast that with SDN, which, in theory, provides only a routing path between those places that an architect wants to communicate, Nolle says. For example, an organization might segment the data center into a dozen application-specific enclaves, with each enclave containing all of the components necessary to run a given application. Meanwhile, at a branch office the organization might create four worker-class user groups, placing people into them according to their job classes.

“Now what I do is use SDN to drive a path between an application group and each of the worker groups that that application is allowed to be accessed from,” Nolle says, explaining that each group is connected to only those application enclaves they’re authorized to use. “By joining the worker to a worker group in the branch, which I can also do with SDN, I can provide a mechanism that absolutely prevents somebody from accessing an application they’re not entitled to because they can’t even send traffic to it.”

While a combination of existing security technology could offer similar types of role-based control, the difference with SDN is the flexibility and elegance of the architecture, says Christofer Hoff, vice president of strategic planning for the security business group at Juniper Networks.

“If you think about how we deploy a good majority of our security controls, it hinges on a brittle network,” Hoff says. “What SDN is prompting is the adaptation of security into much more decomposable, atomic units, and then you’re going to be able to deliver those services in combination where and when needed, rather than think of security as these monolithic edge devices you plunk somewhere and try to then make sure that traffic is unnaturally routed through them.”

In the long term, SDN will allow for greater automation due to improved integration.

“SDN gives us the ability to have these kinds of dynamic feedback loops between what would be considered today as independent pieces of the security stack, allowing them to interoperate in the same way application software does in terms of API,” Hoff says.

While there are many moving parts necessary to deploy and policies to develop before the industry gets to that point, Hoff believes that the trend of virtualization in other parts of IT infrastructure has been a sort of dress rehearsal for SDN.

“We have been iterating on this theme where we’ve taken physical appliances and started to think about how we virtualize them,” he says. “So it depends on how mature the organization is relative to other types of virtualization. If the security teams have not embraced and understood the impact of virtualization, they are going to be potentially rendered even less impactful in their ability to contribute as a functional portion of the SDN life cycle of deployment.”

At this point, it is hard for anyone to come to a consensus on how soon SDN will gain widespread popularity. But one point that Nolle mentioned as a potential stumbling block is the very same security benefit he and the others have explained here.

“The SDN space could be a serious problem for the incumbent security vendors. Increasingly, security vendors are also network equipment vendors who have to support the SDN connection technology, and they would look at SDN models that threaten their security business as models that were revenue-reducing. Consequently, they’re not going to be tremendously interested in moving them forward,” Nolle says. “So it’s very possible that the major advantages of SDN with respect to security could never be exploited.”

Regardless of when or if, though, Harrison says that IT can at least take an immediate-term lesson from the SDN philosophy.

“We believe that security needs to be a top-down approach,” he says. “So you need to see what your business applications are and kind of build your security defenses around that, not the other way around. It’s important to manage or to engage the application owners into the security process.”


Article source: http://www.darkreading.com/perimeter/reaping-the-security-rewards-of-sdn/240162035

Pen Testing: Making Passion a Priority

Last week, one of the partners in my firm (Bishop Fox) said something that really rang true: if you want to be a real penetration tester, you have to live it.

In a similar vein, Paul Graham says, “To do something well, you have to love it. So to the extent you can preserve hacking as something you love, you’re likely to do it well. Try to keep the sense of wonder you had about programming at age 14. If you’re worried that your current job is rotting your brain, it probably is.”

A real hacker doesn’t see what they do as just a job or as just a hobby – they see it as a lifestyle. There is no border between work and play, the line between the two made indistinguishable by countless cans of late-night Red Bull.

We’ve talked about how some pen testers will use checklists and methodologies when performing scans or doing their testing. These can be useful, but a real pen tester sees them as a baseline from which they begin to explore, like a jazz musician improvising a new and better tune. This experimentation allows a hacker to gain more knowledge and experience than any textbook can provide. In fact, this is where the argument arises about the over-learned not having the right, open mindset needed to pen test. Too much structure can inhibit the dynamic nature of true penetration testing. Having all the knowledge in the world only matters if you also know how to apply it. Reading may get you far, but there’s no better teacher than real-world experience.

In his piece on Great Hackers, Paul Graham says, “I know a handful of super-hackers … Their defining quality is probably that they really love to program. Ordinary programmers write code to pay the bills. Great hackers think of it as something they do for fun, and which they’re delighted to find people will pay them for.” Now, Graham uses the term “hacker” to describe individuals with a passion for working on code, etc., but his observation rings true for penetration testers as well.

What sets real penetration testers apart is their motivation and willingness to lose themselves in something they love. Not just in hacking, but this applies to expertise in other fields, as well. From video games to photography, martial arts to musical instruments – it’s the ability to throw yourself into something entirely, no matter if for work or play, which will take you to the next level.

When your girlfriend teases you that you’ve been ignoring her calls and texts for the past day, when you look out your window and realize the sun is coming up and you’ve hacked all night, when you suddenly remember that you haven’t eaten yet, or you let the pizza burn in the oven because you’re finally hitting your stride in exploits — that’s when you know that passion has taken over. That it’s no longer what you do but who you are.

Article source: http://www.darkreading.com/vulnerability/pen-testing-making-passion-a-priority/240162029

Monday review

Catch up with the last seven days of security stories in our weekly roundup.

Watch the top news in 60 seconds, and then check out the individual links to read in more detail.

Monday 23 September 2013

Tuesday 24 September 2013

Wednesday 25 September 2013

Thursday 26 September 2013

Friday 27 September 2013

Saturday 28 September 2013

Sunday 29 September 2013

Would you like to keep up with all the stories we write? Why not sign up for our daily newsletter to make sure you don’t miss anything. You can easily unsubscribe if you decide you no longer want it.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/8XUWtLqPjNc/