Nytro

Administrators
  • Posts: 18715
  • Days Won: 701

Everything posted by Nytro

  1. Today is the last day you can apply to take part.
  2. Yes, that's him: http://i.imgur.com/rslvwoQ.jpg , he has just put on a bit of weight and wears glasses now. I don't think he wears the braces anymore. He currently works as a pimp for the hookers on Matasari and is a presidential adviser to Basescu.
  3. The conference has a new theme every year. Last year it was about "gaming" and there were workshops on 2D graphics and other things like that. The EA people revealed things about FIFA... This year it is about security. I think the organizers are from ASE, but as the form shows, the conference is aimed at students from 3 faculties: ASE, Poli, FMI.
  4. Send me a CV by PM. Advice: in those CVs you don't bother to do properly, do mention that you know things about IT security. And give examples. More precisely, if you apply for a Pentester position, write the CV so that it is clear you are suited for that position. If it's a C++ Programmer position, highlight that you know C++.
  5. Who are we? Unique through tradition, IT is Business, a project by BOS Romania, has reached its 6th edition and is interested in you, your passions and, why not, your career. We do everything for you, the student with potential, passionate about digital security, curious and eager to gain new knowledge in this field. How? Through this year's event, whose theme is digital security, you will combine theoretical notions with practical ones in an interactive way. On the first day (26 March) you take part in the IT is Business conference, where you apply the principles of success: passion, self-confidence, motivation and enthusiasm, and you will "Keep IT Safe!" alongside the biggest companies and their most renowned people in this field. On the second day (27 March) you set off on the adventure of safety, along the well-trodden paths of security and of digital protection measures, alongside the mastery and patience of the specialists who will train you in the workshops. Schedule: http://it.bosromania.ro/program/ Info: http://it.bosromania.ro/
  6. Nytro

    Rules

    Hello,
    This category is intended for people looking for a stable job in the IT security field, as a programmer or sysadmin. Do NOT post offers of programming services or anything else here.
    What can be posted:
    - an interesting job offer found on bestjobs (e.g. Malware analyst at Bitdefender)
    - an offer from your own workplace (e.g. C++ Programmer at Avira)
    - an offer that is not public but for which you can provide a recommendation
    You get the idea. Valid jobs, at legitimate companies. Do NOT post the services you offer. In other words, nobody cares that you are looking for a job and can write code in 42 programming languages. This section is only for job offers. If you have questions, ask.
    PS: The 50-post limit should not exist here.
  7. Dev. Security Expert
    Key Responsibilities: Qualified individual must be able to evaluate the attack surface of Axway applications through use of both tools and processes including threat modeling, architecture and design review, object graphs, UML and data flow analysis. In addition, the ideal candidate must be familiar with the Secure Development Lifecycle (SDL) and be able to assist in implementing the necessary tools, training and processes for a successful SDL implementation.
    Skills/Qualifications:
    - experience in both static and dynamic analysis
    - experience in Fortify SCA and manual penetration testing is a plus
    - proficiency in secure source code review and the ability to quickly audit unfamiliar code
    - experience in continuous integration, cloud computing, SOAP, REST, HTML, JavaScript, Java, C/C++
    - proficiency in mobile apps is highly desirable
    - very good command of the English language, both written and spoken
    Why AXWAY? This is what our candidates can expect from us if they choose to join our team:
    - Career development: Employee career development is one of Axway's major company values, and we are deeply committed to helping employees leverage the promotion and job mobility opportunities that are right for them. In addition, Axway's global presence creates opportunities for geographical mobility within Axway subsidiaries.
    - A competitive remuneration package and real benefits
    - A future and a potential for growth in an international company
    - A very friendly working environment with experienced professionals
    - Get challenged with important tasks so you can show your full potential and obtain new skills
    - Working time that can be flexible when needed
    - More paid vacation
    - Open office space with various entertainment games: table tennis, drums, sports and more!
    To apply, send me your CV by PM.
  8. What city are you from? Apply anyway, who knows? The thing is that "remote" work is not accepted.
  9. There is no way you can find HIM, Nemessis. To help (the authorities and the small-dicked lowlifes), I'll give you more information about Neme. Nemesis is A WOMAN. A goddess, to be exact. "Nemesis (Greek Νέμεσις, also called Rhamnusia) was, in Greek mythology, the goddess of vengeance who punishes crimes, preserving and overseeing order and balance in the universe in the moral sense, through the rigorous weighing of human happiness and misfortune." - https://ro.wikipedia.org/wiki/Nemesis
  10. Hello,
    I'd like to let you know that KPMG Romania (where I also work) is expanding its penetration testing team. And only one of you can be 'The Chosen One'.
    If an error message makes you curious about what's behind it, if you enjoy exploiting the edge conditions of an application, if you like breaking things in order to make them work better, then we should talk. We are looking for a person with a solid technical background (system administration and/or programming and/or networking) who is passionate about offensive security - ethical hacking. Even if you haven't done this as part of a job, let's talk if you're interested.
    With us you'll find an engaging and challenging work environment. We usually combine the things we do into a pleasant and useful mix:
    - reverse shell through a proxy with table tennis
    - exploiting a blind error-based SQL injection with a game of billiards
    - web application firewall bypass with dribbling at football (we have a team)
    - remote command execution with a game of foosball
    - a bit of social engineering with darts or PS3.
    We work with most of the banks in Romania, with the major telecom operators, but also with companies from other fields that want to check how well secured they are. Sometimes it is necessary to go to the client and interact with them directly. It's a good way to make new friends.
    Send me a CV by private message or via BestJobs. This is the official (boring) announcement: -> IT Security Junior Consultant (Penetration Tester/ Ethical Hacker) at S.C. KPMG ROMANIA SRL, BUCURESTI - BestJobs
    If you have questions you can ask me by PM. The announcement wasn't written by me; I would have been too little "academic".
    Note: If you have no experience at all with TCP/IP, web security (XSS, CSRF, SQLI...), Linux or programming, don't bother. Same if you are not from Bucharest. Good luck.
  11. Done.
  12. Suck it, @em
  13. What can I do... Add yourselves with your high score here: http://flappybird.io/leaderboard/ PS: That "name" field has XSS, don't ruin the leaderboard.
  14. Find another hosting provider.
  15. Free Web Vulnerability Scanner. Netsparker Community Edition is a SQL Injection Scanner. It's a free edition of our web vulnerability scanner for the community so you can start securing your website now. It's user friendly, fast, smart and as always False-Positive-Free. It shares many features with the professional edition. It can detect SQL Injection vulnerabilities better than many other scanners (if not all), and it's completely FREE. Download: https://www.netsparker.com/communityedition/
  16. Not that it's "worth it", it's mandatory.
  17. Hello, Learn and use select + FD_CLR, FD_ISSET, FD_SET, FD_ZERO. What it does: it lets you check whether one or more sockets have input data, output data or errors. That is, whether you have received data (in the kernel queues) on that socket, whether data is about to be sent on that socket, or whether an error has occurred on that socket, for example the connection being closed. What is important about this "select" is that you can "wait" on a socket for a certain interval (or not wait at all) for such an event to happen (receiving data, for example). In other words, you can check whether there is input data on the socket. If there is, you process it; if not, you move on. Or you can wait 3000 ms to receive data. After 3000 ms, if you have received data, you process it; if not, you do something else. It's not very complicated and there are tutorials that explain this syscall in detail. PS: If you want Windows, besides select you have a complete series of asynchronous functions (the ones with Async) which take as a parameter a callback function that is called exactly when an event is triggered (such as receiving data).
  18. In other words, for your own good, avoid government websites. You are free to break into the websites of grocery stores or bakeries, but avoid "targets" that can get you into trouble.
  19. There were 3 of us from the staff at the conference. Plus a few members. So it is of interest to the people on RST. And it is related to security. And it is news. So it can be posted here.
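    The select() pattern from post 17 (poll with a zero timeout, wait up to 3000 ms, detect a closed connection), as an added example that is not code from the original post. A connected AF_UNIX socketpair stands in for a real client/server connection so it runs offline; the function names and the "ping" payload are constructed for the example. The bounded wait is also the defensive point: a peer that never sends cannot stall the loop indefinitely.

    ```c
    /* Added example: waiting for socket data with select() and a timeout.
     * A socketpair (constructed here) stands in for a network connection. */
    #include <stdio.h>
    #include <string.h>
    #include <unistd.h>
    #include <sys/types.h>
    #include <sys/socket.h>
    #include <sys/select.h>
    #include <sys/time.h>

    /* Wait up to timeout_ms for fd to become readable.
     * Returns 1 if data (or EOF) is pending, 0 on timeout, -1 on error.
     * A timeout of 0 just polls: check and move on, as the post describes. */
    int wait_readable(int fd, int timeout_ms)
    {
        fd_set readfds;
        struct timeval tv;

        FD_ZERO(&readfds);        /* start with an empty descriptor set */
        FD_SET(fd, &readfds);     /* watch this one descriptor for input */
        tv.tv_sec = timeout_ms / 1000;
        tv.tv_usec = (timeout_ms % 1000) * 1000;

        /* select() overwrites the set (and on Linux the timeout), so both are
         * rebuilt on every call. nfds is the highest descriptor plus one. */
        int rc = select(fd + 1, &readfds, NULL, NULL, &tv);
        if (rc < 0)
            return -1;            /* error, e.g. EINTR or EBADF */
        if (rc == 0)
            return 0;             /* timeout: nothing arrived, do something else */
        return FD_ISSET(fd, &readfds) ? 1 : 0;
    }

    /* Walks through the three situations from the post and returns how many
     * behaved as expected (4 when everything works):
     *  1. no data yet  -> a zero-timeout poll returns 0 immediately
     *  2. peer writes  -> a 3000 ms wait returns 1 and read() yields the bytes
     *  3. peer closes  -> select() reports readable and read() returns 0 (EOF),
     *     which is how a closed connection shows up on the reader's side. */
    int demo_select(void)
    {
        int sv[2];
        int passed = 0;
        char buf[64];

        /* Constructed stand-in for a client (sv[0]) / server (sv[1]) connection. */
        if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0)
            return -1;

        /* 1. Nothing has been sent yet: polling must not block and must say 0. */
        if (wait_readable(sv[1], 0) == 0)
            passed++;

        /* 2. The peer sends data; the reader waits at most 3000 ms for it. */
        const char msg[] = "ping";
        if (write(sv[0], msg, sizeof msg) == (ssize_t)sizeof msg &&
            wait_readable(sv[1], 3000) == 1)
            passed++;
        ssize_t n = read(sv[1], buf, sizeof buf);
        if (n == (ssize_t)sizeof msg && memcmp(buf, msg, sizeof msg) == 0)
            passed++;

        /* 3. The peer closes: the socket is readable, but read() returns 0. */
        close(sv[0]);
        if (wait_readable(sv[1], 3000) == 1 && read(sv[1], buf, sizeof buf) == 0)
            passed++;

        close(sv[1]);
        return passed;
    }

    int main(void)
    {
        int r = demo_select();
        printf("checks passed: %d of 4\n", r);
        return r == 4 ? 0 : 1;
    }
    ```

    In a real server the same wait_readable() call sits in the accept/read loop with one fd_set covering all clients; FD_CLR removes a client from the set when its read() returns 0.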
  20. Nytro

    What do you work as?

    @B7ackAnge7z I voted, first. It's easy to find out (Google) which company too.
  21. Posted from Lynx.
  22. Nytro

    What do you work as?

    Hello, it's more of a curiosity, but it would be nice to see roughly what people around here work as. I want to see who works as Developer/Security and roughly what the percentage is. Choose the field you work in and, if you want, give more information, opinions and suggestions in a post.
  23. New design flaw found in crypto's TLS: Pretend to be a victim online

    Researchers reveal way to hoodwink encryption protocol – and how to fix it
    By John Leyden, 5 Mar 2014

    Security researchers have developed a new man-in-the-middle attack against the cryptographic protocol TLS – a protocol that is used to encrypt online banking and shopping, and other sensitive connections, to thwart eavesdroppers. The so-called Triple Handshake attack can, in certain conditions, outwit vital checks carried out to verify the identity of a user connecting to a server over a secure connection. In other words, it's possible for a malicious system to intercept a user's login credential (a client certificate in this case) and masquerade as that victim with any server that also accepts the same credential.

    The quirky flaw was uncovered by security researchers at the French National Institute for Research in Computer Science and Control (INRIA) and draws from their previous work in the field. The attack also has implications for the security of SSL (Secure Sockets Layer), the still widely used predecessor to TLS (Transport Layer Security), as the researchers explain on their website: We have discovered a new class of attacks against applications that rely on the TLS Internet Standard for securing their communications. Essentially, if a user connects to a malicious website and presents a TLS client certificate, the malicious website can then impersonate the user at any other website that accepts the same TLS client certificate. The attacks work with all TLS and SSL versions, as well as the DTLS variant.

    As you may have noticed, online websites and similar services typically use usernames and passwords rather than TLS client certificates to log users in. This limits the impact of the attack. In practice the flaw becomes more of a problem when it comes to logging into Wi-Fi access points. "Variants of our attacks apply to specific scenarios of standard authentication protocols that rely on TLS, such as the PEAP Wi-Fi authentication mechanism," the researchers explained, adding that their exploit is similar to a previously uncovered cryptographic flaw – the 2009 Ray and Rex TLS renegotiation attack.

    The researchers – Karthikeyan Bhargavan, Antoine Delignat-Lavaud, Cédric Fournet, Alfredo Pironti and Pierre-Yves Strub – advocate short-term application-level mitigations as well as long-term changes to the TLS protocol to strengthen the standard and safeguard its users against this latest attack and other assaults along the same lines. "Let me stress that the attacks we found exploit a protocol-level issue, and not specific implementation bugs," Pironti told El Reg. "We also propose short-term application-level mitigation, but we aim at getting the protocol fixed, which would solve the issue at its root."

    The French team have already notified major vendors of TLS software implementations (at Microsoft, Google and others) as well as the Internet Engineering Task Force (IETF) about their research. The experts publicly disclosed the attack and possible countermeasures at an IETF meeting in London on Tuesday evening. An outline of their research was posted ahead of this meeting on an IETF mailing list on Monday. A draft detailing proposed changes to strengthen the TLS protocol can be found here.

    'People shouldn't panic'

    Infosec professionals and programmers' early reaction to the Triple Handshakes research was cautious. "In short, the TLS handshake hashes in too little information, and always has. Because of that it's possible to synchronise the state of two TLS sessions in a way that breaks assumptions made in the rest of the protocol," senior Google software engineer Adam Langley explained on his personal website. "I'd like to thank the researchers for doing a very good job of disclosing this. [They] even included a draft for fixing the TLS key derivation to include all the needed information to stop this attack. "People shouldn't panic. The impact of this attack is limited to sites that use TLS client-certificate authentication with renegotiation, and protocols that depend on channel binding. The vast majority of users have never used client certificates."

    Marsh Ray, an authentication expert at Microsoft, noted: "Criticality is difficult to gauge." Chris Eng, another security expert, half joked: "I'm just going to do what I usually do and wait for @tqbf [Thomas H. Ptacek] to tell us if the SSL/TLS vuln(s) matter." Pironti and other researchers at INRIA previously discovered a way to exploit flaws in Google and Microsoft's web email services using a glitch in the TLS technology. ®

    Source: New design flaw found in crypto's TLS: Pretend to be a victim online • The Register