5. @NTXISSA #NTXISSACSC3 5
Walkthrough
• Certified Ethical Hacker (CEHv7)
Course Description
This Advanced Network Assessment prep course is a self-study resource designed to help students prepare to sit for the Certified Ethical Hacker CEHv7 exam.
Specialty Area(s): Systems Security Analysis, Computer Network Defense, Vulnerability Assessment and Management
Training Proficiency Level: Level 3 – Advanced
Certified Ethical Hacker CEHv7 Overview
• CEHv7 Overview (Download)
• Ethical Hacking Introduction (Download)
• Ethical Hacking Terminology (Download)
• Hacking Phases and Vul Research (Download)
6.
Walkthrough
Let’s look more closely at the PDFs and “Downloads” by viewing the page source. The launcher link carries course and group IDs, but the PDFs themselves are bare relative links with a predictable CEHv7_D##_S##_T##_STEP.pdf naming scheme:
* /launcher.php?course=20&group=1
* 'courses/CEHv7/course/videos/pdf/CEHv7_D01_S01_T01_STEP.pdf'
* 'courses/CEHv7/course/videos/pdf/CEHv7_D01_S01_T02_STEP.pdf'
* 'courses/CEHv7/course/videos/pdf/CEHv7_D01_S01_T03_STEP.pdf'
* 'courses/CEHv7/course/videos/pdf/CEHv7_D01_S01_T04_STEP.pdf'
…
* 'courses/CEHv7/course/videos/pdf/CEHv7_D05_S03_T04_STEP.pdf'
…
* 'courses/CEHv7/course/videos/pdf/CEHv7_Demo 3 - SQL Injection_STEP.pdf'
14.
Walkthrough
And there you have an unauthenticated wget against the website pulling a copy of the video: the file is served straight from its predictable path, with no session check on the way.
Can you guess how stupid this is?
So, now that we have a vulnerability, how do we report it?
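The check behind the slide, written out as an added example (this is not code from the talk or from the site it discusses). It takes the observation one step further: because the links in the page source follow a CEHv7_D##_S##_T##_STEP.pdf scheme, the bounds of that scheme can be read off the links the page exposes, every file the scheme could name can be enumerated, and each one can be requested with no cookies attached to see which come back as a PDF. The fetcher is injectable so the logic runs offline against a constructed stand-in server; the host, the sample ranges and the fake responses are all assumptions, and the real fetcher is only for a host you are authorised to test.

```python
"""Probe a course site for material handed out without a session.

Added example, not code from the talk. The host, ranges and fake server
below are constructed assumptions.
"""
import itertools
import re
import urllib.error
import urllib.request
from typing import Callable, Dict, Iterable, List, Tuple

PDF_DIR = "courses/CEHv7/course/videos/pdf/"
PATTERN = re.compile(r"CEHv7_D(\d{2})_S(\d{2})_T(\d{2})_STEP\.pdf$")

# A fetcher maps a relative path to (HTTP status, Content-Type).
Fetch = Callable[[str], Tuple[int, str]]

# Constructed from the links shown on the slide; the demo PDF does not follow
# the numbered scheme and is deliberately ignored by scheme_bounds().
OBSERVED_LINKS = [
    PDF_DIR + "CEHv7_D01_S01_T01_STEP.pdf",
    PDF_DIR + "CEHv7_D05_S03_T04_STEP.pdf",
    PDF_DIR + "CEHv7_Demo 3 - SQL Injection_STEP.pdf",
]


def scheme_bounds(links: Iterable[str]) -> Tuple[int, int, int]:
    """Largest day, session and topic number seen in links that fit the scheme."""
    days = sessions = topics = 0
    for link in links:
        match = PATTERN.search(link)
        if match:
            d, s, t = (int(x) for x in match.groups())
            days, sessions, topics = max(days, d), max(sessions, s), max(topics, t)
    return days, sessions, topics


def candidate_paths(days: Iterable[int], sessions: Iterable[int],
                    topics: Iterable[int]) -> List[str]:
    """Expand the naming scheme into every path it could name."""
    return [
        f"{PDF_DIR}CEHv7_D{d:02d}_S{s:02d}_T{t:02d}_STEP.pdf"
        for d, s, t in itertools.product(days, sessions, topics)
    ]


def probe(fetch: Fetch, paths: Iterable[str]) -> Dict[str, List[str]]:
    """Sort each path by what an anonymous client gets back.

    open    - 200 with a PDF body: the access control is missing
    gated   - 401/403, or a redirect (usually to a login page)
    missing - 404: the scheme predicted a file that does not exist
    other   - anything else, worth a manual look
    """
    found: Dict[str, List[str]] = {"open": [], "gated": [], "missing": [], "other": []}
    for path in paths:
        status, ctype = fetch(path)
        if status == 200 and ctype.startswith("application/pdf"):
            found["open"].append(path)
        elif status in (401, 403) or 300 <= status < 400:
            found["gated"].append(path)
        elif status == 404:
            found["missing"].append(path)
        else:
            found["other"].append(path)
    return found


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Report a 3xx instead of following it, so a login redirect stays visible."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def http_fetch(base_url: str) -> Fetch:
    """Real fetcher: HEAD requests with no cookies or credentials attached."""
    opener = urllib.request.build_opener(_NoRedirect)

    def fetch(path: str) -> Tuple[int, str]:
        req = urllib.request.Request(base_url.rstrip("/") + "/" + path, method="HEAD")
        try:
            with opener.open(req, timeout=10) as resp:
                return resp.status, resp.headers.get("Content-Type", "")
        except urllib.error.HTTPError as err:
            return err.code, err.headers.get("Content-Type", "")

    return fetch


# Constructed stand-in for the server: two files come back as PDFs to an
# anonymous client, one is gated behind a login redirect, the rest do not exist.
FAKE_SERVER = {
    PDF_DIR + "CEHv7_D01_S01_T01_STEP.pdf": (200, "application/pdf"),
    PDF_DIR + "CEHv7_D01_S01_T02_STEP.pdf": (200, "application/pdf"),
    PDF_DIR + "CEHv7_D01_S02_T01_STEP.pdf": (302, "text/html"),
}


def fake_fetch(path: str) -> Tuple[int, str]:
    return FAKE_SERVER.get(path, (404, "text/html"))


if __name__ == "__main__":
    max_d, max_s, max_t = scheme_bounds(OBSERVED_LINKS)
    paths = candidate_paths(range(1, max_d + 1), range(1, max_s + 1), range(1, max_t + 1))
    # Swap fake_fetch for http_fetch("https://example.invalid") only on a host
    # you are authorised to test.
    for kind, hits in probe(fake_fetch, paths).items():
        print(f"{kind:8s} {len(hits)}")
```

Two details matter for the reading of the result. The fetcher deliberately refuses to follow redirects, because a site that answers an anonymous request with a 302 to its login page is doing the right thing and must not be counted as open; and the classifier keys on the Content-Type as well as the status, since some applications return a 200 with an HTML login form in place of the file. Anything in the "open" bucket is exactly the finding the slide describes: a file the naming scheme predicts, handed back to a client that never logged in.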
25.
Ways to Improve
• Bug Bounties
- Provide a responsible-disclosure channel
- Allow “hackers” to earn cash responsibly
- Have proven to be responsive
- (Google) Rewards for qualifying bugs typically range from $500 to $50,000.
• BugCrowd (https://bugcrowd.com/list-of-bug-bounty-programs)
26.
Ways to Improve
• Even if they don’t/won’t provide a bug bounty program…
- A central email/Twitter/anonymous submission channel for reporting vulnerabilities
• Doing code audits…
• Running a real vulnerability management program…
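What a code audit of the download path would be looking for, as an added example that is not code from the site in the talk (which is PHP; Python stands in for it here). The launcher link carries course=20&group=1, yet the PDF links are bare relative paths, so the web server hands the files out before the application ever looks at who is asking. The unchecked resolver below is that situation; the gated one authenticates the session, authorises the user against the course, and confines the requested path to that course's directory. The content root, the course-to-directory map (in particular, "course 20 is CEHv7"), the enrolment table and the session tokens are all constructed assumptions.

```python
"""Serving course files: the unchecked resolver beside a gated one.

Added example, not the site's code. Content root, course map, enrolment
table and sessions are constructed assumptions.
"""
import posixpath
from pathlib import PurePosixPath
from typing import Dict, Optional, Set, Tuple

# Assumption: course content lives OUTSIDE the web document root, so the only
# way to reach a file is through serve() below; a bare link to the path
# no longer resolves to anything.
CONTENT_ROOT = PurePosixPath("/srv/course-content")
COURSE_DIRS: Dict[int, str] = {20: "CEHv7"}                 # course id -> directory (assumed)
ENROLMENT: Dict[int, Set[str]] = {20: {"alice"}}            # course id -> users allowed
SESSIONS: Dict[str, str] = {"tok-alice": "alice", "tok-bob": "bob"}  # token -> user


class LoginRequired(PermissionError):
    """No valid session at all, as opposed to a session without rights."""


def resolve_unchecked(rel_path: str) -> PurePosixPath:
    """The 'before': whatever path the link (or the attacker) names is served.

    This is what an unauthenticated wget against the bare PDF path amounts to:
    nobody is asked who they are, and nothing stops '../' from leaving the tree.
    """
    return CONTENT_ROOT / rel_path


def resolve_gated(session_token: Optional[str], course_id: int,
                  rel_path: str) -> PurePosixPath:
    """The 'after': authenticate, authorise against the course, confine the path."""
    user = SESSIONS.get(session_token or "")
    if user is None:
        raise LoginRequired("login required")
    if user not in ENROLMENT.get(course_id, set()):
        raise PermissionError(f"{user} is not enrolled in course {course_id}")
    if course_id not in COURSE_DIRS:
        raise PermissionError(f"unknown course {course_id}")
    course_dir = CONTENT_ROOT / COURSE_DIRS[course_id]
    # Normalise AFTER joining, so '../' and absolute paths cannot leave course_dir.
    target = PurePosixPath(posixpath.normpath(str(course_dir / rel_path)))
    if course_dir not in target.parents:
        raise PermissionError("path escapes the course directory")
    return target


def serve(session_token: Optional[str], course_id: int,
          rel_path: str) -> Tuple[int, str]:
    """Map the gated resolver onto the HTTP status the handler would return."""
    try:
        return 200, str(resolve_gated(session_token, course_id, rel_path))
    except LoginRequired as err:
        return 401, str(err)
    except PermissionError as err:
        return 403, str(err)


if __name__ == "__main__":
    pdf = "course/videos/pdf/CEHv7_D01_S01_T01_STEP.pdf"
    print("unchecked :", resolve_unchecked("CEHv7/" + pdf))
    print("anonymous :", serve(None, 20, pdf))
    print("alice     :", serve("tok-alice", 20, pdf))
    print("bob       :", serve("tok-bob", 20, pdf))
    print("traversal :", serve("tok-alice", 20, "../../../etc/passwd"))
```

The order of the checks is deliberate: session first (401), then enrolment (403), then the path, so an anonymous client learns nothing about which courses or files exist. Moving the files out of the web root is what makes the handler the only door; adding the handler while leaving the files in place under courses/CEHv7/... would leave the original unauthenticated path working beside it.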
27.
In Summary
• The Government SUCKS at security. Look at OPM…
• With the right people in place, there is tons of room for improvement.
• Current means of connecting and reporting are falling on deaf ears.
• Even current Government employees want this to improve, but when they bring it up, it also falls on deaf ears or falls through budget cracks.
29.
The Collin College Engineering Department
Collin College Student Chapter of the North Texas ISSA
North Texas ISSA (Information Systems Security Association)
NTX ISSA Cyber Security Conference – October 2-3, 2015
Thank you