Pages: pp. 60-62


The Seminal Hacker's Handbook



Hacking: The Art of Exploitation, 2nd Edition, by Jon Erickson (No Starch Press, 2008, ISBN 978-1-59327-144-2, 488 pages). When the first edition of this book was released in 2003, it examined the misunderstood and maligned practice of hacking. Erickson defines hacking as the art of creative problem solving, whether that means finding an unconventional solution to a difficult problem or exploiting holes in sloppy programming.

In this second edition, he explores arcane exploits, looking at what happens in the code and the underlying logic of the attacks. The book focuses on the fundamentals of C programming from a hacker's perspective.

The included CD provides a complete Linux programming and debugging environment so that readers can experiment without modifying their current operating system. You can get your hands dirty debugging code, overflowing buffers, hijacking network communications, bypassing protections, exploiting cryptographic weaknesses, and perhaps inventing new exploits. The book's stated goal is to teach readers to

  • corrupt system memory to run arbitrary code using buffer overflows and format strings,
  • inspect processor registers and system memory with a debugger,
  • outsmart common security measures such as non-executable stacks and intrusion detection systems,
  • gain access to a remote server using port-binding or connect-back shellcode and alter a server's logging behavior,
  • redirect network traffic, conceal open ports, and hijack TCP connections, and
  • crack encryption protocols used for securing wireless traffic, storing passwords, and verifying identities.

Many people call themselves hackers, but few have the strong technical foundation needed to push the envelope. By revealing the science and reason behind the code, this book brings readers into the creative world of hacking.


IEEE Infocom 2008

13–18 April 2008

Phoenix, Arizona, US

The 27th Annual Conference on Computer Communications, presented by the IEEE Communications Society, will offer hundreds of technical papers, tutorials, panel discussions, and workshops on wireless networks, Internet developments, and other computer communications topics.

Experts from industry and research institutions will address such areas as peer-to-peer networks and applications, underwater networks, wireless ad hoc networks, optical networks and switching, wireless LANs, and congestion control and network coding. Panel discussions will be held on network systems in challenging environments, research frontiers in defense network applications, and the academic entrepreneur in network research.

Dan Farmer, a 20-year computer security veteran, will present the keynote address. He has authored or coauthored a variety of security software programs as well as the book Forensic Discovery (Addison-Wesley), and cofounded Elemental Security, a company involved in enterprise policy and risk management. The conference will begin with a student workshop that will give graduate students in computer networks and data communications the opportunity to share their ongoing research. The last day of the conference will offer workshops on mission-critical networks, mobile networking for vehicular environments, automated network management, and a global Internet symposium.

For more, see

Security Professionals Conference

4–6 May 2008

Arlington, Virginia, US

Sponsored by EDUCAUSE, an association that advances higher education by promoting the "intelligent use of IT," and the Internet2 Computer and Network Security Task Force, the 2008 Security Professionals Conference brings together information security professionals, IT staff, and others from across the higher education community. This year's conference will include pre- and postconference seminars, corporate displays, and sessions that address technical solutions, security policies and procedures, and management issues, including security training and awareness.

Attendees can join "birds of a feather" discussions to network with others who share their interests, or they can establish new groups by notifying the conference in advance or by signing up at the bulletin board near the registration desk upon arrival.

Keynote speakers include Rebecca Whitener, vice president of enterprise risk management and chief risk officer at Electronic Data Systems (EDS), and Greg Garcia, assistant secretary for cybersecurity and communications at the US Department of Homeland Security.

For more, see

Gartner IT Security Summit

1–4 June 2008

Washington, D.C.

There's no shortage of available security products, but many organizations are short on time and budget. At Gartner's IT Security Summit, entitled "The Future of Information Security: The Next 10 Years," attendees will hear advice on how to

  • protect their IT infrastructure against future threats,
  • secure businesses on a daily basis,
  • ensure that security policies and procedures meet future business and legal requirements,
  • pick the right tools and technologies to get the most from their IT security budgets,
  • effectively protect data and applications, and
  • adapt their IT security role to future technologies and trends.

This conference offers more than 100 sessions across six curriculum tracks: protecting IT infrastructure; enabling secure business; security governance; security tools, technologies, and techniques; protecting data and applications; and the role of the chief information security officer (CISO).

For more, see

Enterprise 2.0 Conference

9–12 June 2008

Boston, Massachusetts, US

Enterprise 2.0 is about breaking down organizational and technology barriers and adopting new ways to communicate and share information.

The conference examines topics facing organizations that are moving to so-called Web 2.0 tools and technologies, including

  • social networking,
  • enterprise blogging,
  • conferencing applications,
  • integrated collaboration platforms,
  • Web services,
  • wikis and teams,
  • Web syndication and feeds,
  • enterprise software mash-ups,
  • information security,
  • enterprise mobility, and
  • collective intelligence.

The Enterprise 2.0 Conference features keynotes, a demonstration pavilion, and the "Launch Pad," an event showing off several emerging companies.

For more, see

Web Sites

Managed Services Market

The Computing Technology Industry Association (CompTIA) launched a new site targeted at the growing market of managed technology services.

FocusOnMSP is a resource for managed services providers, manufacturers of products for the managed services market, and customers investing in managed services. It also offers access to major industry news and research, online forms, a directory of managed services vendors, and case studies, articles, and success stories about how to run a managed services business.

It includes the CompTIA Managed Services ROI Tool, which covers many common managed services and generates downloadable output reports. The tool is available at

Self-Assessment Tool for Security Professionals

The International Information Systems Security Certification Consortium (ISC)², a nonprofit organization that educates and certifies information security professionals, launched its new Studiscope (pronounced "study scope") online self-assessment tool in January. The tool leverages (ISC)² for its taxonomy of information security topics.

The Studiscope self-assessment test uses questions from previous versions of actual certification exams as well as newer questions developed for them. At the conclusion of the simulation, test-takers receive their scores based on an official algorithm used in the actual exam, helping them assess their overall exam readiness.

Originally developed to meet the increased demands placed on the US Department of Defense to certify its personnel, Studiscope is available in three formats: a one-off purchase by an individual; a subsidized or voucher purchase in which all performance results are tracked separately for an organization for one year; and a corporate purchase in which the assessment tool is part of a package that includes an education program or other services from (ISC)².
