Opportunities to Present at OWASP AppSec Europe, by AppSec EU 2016

AppSec Europe seeks to bring together developers and security professionals at all points in their careers to be the thriving global community that drives visibility and evolution in the safety and security of the world’s software. We understand that robust security requires diversity of thought and practitioners. We also know that a conference that meets the needs of our community must provide a buffet of learning and teaching experiences. We are currently seeking submissions for the following in conference events:

How to create basic Snort IDS rules, by Mattia Campagnano

This post follows up on Install Snort in Kali Linux, the easy way.

I am going to create some basic rules to use Snort as an IDS.

The first thing to do is to define the Home network that Snort has to protect.

You need to edit its configuration file (/etc/snort/snort.conf) as follows:

Why Is It Important to Automate Compliance Activities?, by Dave Millier, CRISC

Compliance is an essential part of any company's information security strategy. It governs businesses' best practices and ensures that they keep their customers' information safe. Hackers and other cyber criminals only need to exploit one weak point to take down an entire system, so ensuring network security is essential to any organization that handles valuable data.

Guessing full VISA card details in seconds is doable if you guess across 1000 sites, by NewsWatcher

Researchers have now shown a practical attack in which they can guess a VISA card's card number, expiry date and CVV code in less than 6 seconds by spreading the guesses across around 1000 sites.

The attack requires the name of a VISA card holder, which can be acquired rather easily in the millions on the Internet or the dark web. The rest of the details are then guessable by the distributed method of trying to confirm the varying details on different sites: a site will reply back when you get it right.

Can hackers be emotionally resilient? by Violet Blue

When I gave a talk at CCC about harm reduction for hackers, I included information from the only study on hackers and Asperger's that has ever been performed. The report is fascinating and I highly recommend giving it a read. What it found was surprising: contrary to popular perceptions of hackers as unfeeling, detached, un-empathetic (Aspie or on the autism spectrum), it turns out that the hacker character is the opposite of the overly-analytical Sherlock who can't have relationships or friendships.

The Irish PM, Cabinet Ministers & Head of Police Force use Gmail for Official Business, by Graham Penrose

The leader of the country whose government presides over the data protection compliance of a host of global social media sites uses Gmail for government business.

Let's just think about that for a second. The guy uses a service which, in a 2013 filing while defending a data-mining lawsuit, said that people have "no legitimate expectation of privacy in information" voluntarily turned over to third parties.

Kali Linux 2016.2 LXDE Installation and Review, by SysAdminsHowto

Kali Linux 2016.2 is an updated ISO image of the popular GNU/Linux distribution designed for ethical hackers and security professionals who want to harden the security of their networks. It contains the latest software versions and enhancements for those who want to deploy the OS on new systems, along with bug fixes and improvements. The new Kali Linux 2016.2 release comes with various popular desktop environments, including KDE, MATE, Xfce, LXDE and Enlightenment E17 flavors.

Kali Linux Website:

An Interview with the DHS Cyber Chief, by Dan Lohrmann

So how can we get our arms around this problem of protecting the homeland from the bad actors in cyberspace? What issues are most pressing? How is the U.S. Department of Homeland Security addressing these challenges? What partnerships and new developments are important?

Perhaps most important: Where is cyber-defense and infrastructure protection heading in 2016 and beyond?

To answer these questions and address a whole list of important security topics, I don't know of anyone who has a more important and relevant perspective than Dr. Phyllis Schneck.

General Data Protection Regulations: Where Should You Start, by Craig Clark

Within the information security and privacy space, the GDPR and its many and varied implications have been under discussion for some time. Outside this arena, though, the GDPR has taken time to reach the attention of a wider audience. Now, with significantly less than two years to go before enforcement, it seems that the GDPR touch paper has been lit, and many organisations are beginning to worry about its wide scope and how best to achieve compliance before the enforcement date of 25 May 2018.

Operating System Based Vulnerability Assessment and Exploitation

In the previous post, we focused on gathering information about our target: the target IP address, open ports, available services, operating system and so on. One of the biggest assets in the process of information gathering is knowing which operating system the target server or system runs. This information can prove very helpful in penetrating the target machine, as we can quickly look for exploits and vulnerabilities affecting the operating system in use.

Auto-Detection and E-discovery Tools recommendations

I am reaching out to my peers to gain some advice on good auto-detection tools that can be used along with IPS/IDS for device discovery. Has anyone out there used Savvius or other similar tools that can provide feedback or guidance on best tools? The goal is to have robust automated e-discovery and reporting without constant configuration. Any info would be appreciated, thanks!

Do You Buy, Build, or Partner for Cyber Security Capability?

"Do you buy, build, or partner for cyber security capability?" This is a question a lot of MSPs and IT providers are looking at right now. It's no secret that, according to the CompTIA data (see the chart below), the cyber security discussion with businesses will be a hot topic worldwide.

x33fcon 2017 - CFT

CFT Rules

Each training proposal should be sent to cft (at) as a text email without any attachments (a trainer photo is the exception)
Each training should last 2 or 3 days
CFT submissions must be made by the trainer himself/herself. No third parties should be involved
We will contact potential trainers if any questions arise

Please note that by agreeing to train at x33fcon you are granting the x33fcon organizers the right to advertise your training at, Twitter and all other media in paper and electronic form.