Free (for the next day or so) Burp Suite course

tedjames

Found this on Twitter: https://twitter.com/PeritusTraining

Go to their site to register: https://training.peritusinfosec.com/

Use the code DIWALIGIFT to get the course for free. Their Twitter post says it's free for the next 72 hours. They posted on October 16, so the code may expire today.

I can't speak for the quality of the training yet, because I haven't started it. But if it's free, what do you have to lose but a little time?

balance

Still works .

DZA_

Thanks @tedjames - I've just signed up!

JDMurray

Yep, I just enrolled too. Great find! I can't wait to review the course.

chrisone

worked for me as of 10/21/19

SteveLavoie

Still working.. 10/21/19  .. 3h35 EST

yoba222

Wow nice! I need to learn Burp Suite on a much deeper level than I do now. I think this might cover some of the Pro modules too, but I could be wrong.

Infosec_Sam

Looks like they just updated the sale to be valid for the next 24h. Thanks for the callout - it doesn't get any better than free, especially for such a powerful tool! Once we get a little further in the course, we'll have to open a discussion about how it's going!

tedjames

Portswigger, the guys who invented Burp Suite, offer free training on their site: https://portswigger.net/web-security

I think there may also be a free course or two on Udemy, maybe Cybrary, too. Also, there's tons of instruction on YouTube.

FluffyBunny

Yup still free, signed up, let's see how it is.

JerseyPaul

Still free. Thanks for the find

thaiguy314

yep, still works as of this morning. thanks for the find!

FluffyBunny

Of course, one question we're not asking ourselves is this: are we being phished?

Because honestly, this'd make a nice watering hole attack on unsuspecting security newbies.

JDMurray

Well, we could use this as an opportunity to do some OSINT detective work on your hypothesis: "Is Peritus Training a front for a phishing/wateringhole campaign?"

I'll start:

• The Twitter account for Peritus Training was recently created on August 2019 and presently has only 23 tweets posted.
• The domain peritusinfosec.com is nearly two years old. 

Suspicious enough to continue?

tedjames

FluffyBunny said:

Of course, one question we're not asking ourselves is this: are we being phished?

Because honestly, this'd make a nice watering hole attack on unsuspecting security newbies.

That's why I use a separate, disposable, if necessary, email account for things like this. I also use it when registering for conferences. I never use my real account and definitely not my work account. I just enter the minimum including fake birthdays (if they are required) and fake phone numbers. Just get in, get what you need (the training), and get out.

Could be that Peritus is trying to create a buzz with free training before upping prices.

It's good that people are paying attention, though. Trust but verify.

Danielm7

Still works, used fake name and disposable email and didn't agree to their promo emails. 

FluffyBunny

tedjames said:

FluffyBunny said:

Of course, one question we're not asking ourselves is this: are we being phished?

Because honestly, this'd make a nice watering hole attack on unsuspecting security newbies.

That's why I use a separate, disposable, if necessary, email account for things like this. I also use it when registering for conferences. 

Ah, but are you using your usual browser and workstation? When I say watering-hole attack, I mean a situation where known security admins (us) are lured to an interesting website which runs nasty code in their browsers  

Hence why I really loved a previous customer of mine, for only allowing Internet access through a seperate browser running through Citrix on a short-lifetime VM. 

tedjames

FluffyBunny said:

tedjames said:

FluffyBunny said:

Of course, one question we're not asking ourselves is this: are we being phished?

Because honestly, this'd make a nice watering hole attack on unsuspecting security newbies.

That's why I use a separate, disposable, if necessary, email account for things like this. I also use it when registering for conferences. 

Ah, but are you using your usual browser and workstation? When I say watering-hole attack, I mean a situation where known security admins (us) are lured to an interesting website which runs nasty code in their browsers  

Hence why I really loved a previous customer of mine, for only allowing Internet access through a seperate browser running through Citrix on a short-lifetime VM. 

All good points! I like your level of paranoia. A friend pays his bills and does banking online using separate VMs for each account. 

FluffyBunny

tedjames said:

All good points! I like your level of paranoia. A friend pays his bills and does banking online using separate VMs for each account. 

Oh, it's not just paranoia. It's an actual attack vector that is being used in the wild. Case in point: the targeted attacks against specific iOS users among Chinese demographics that were discovered by Google's Project Zero. Similar stuff is out there, targeted at you or me, assuming your company is an interesting enough target.

tedjames

FluffyBunny said:

tedjames said:

All good points! I like your level of paranoia. A friend pays his bills and does banking online using separate VMs for each account. 

Oh, it's not just paranoia. It's an actual attack vector that is being used in the wild. Case in point: the targeted attacks against specific iOS users among Chinese demographics that were discovered by Google's Project Zero. Similar stuff is out there, targeted at you or me, assuming your company is an interesting enough target.

I believe you. I know it's not really paranoia, but that's what I call it.

Most people outside of security have told me, during discussions on rights to privacy, "What do I care? I have nothing to hide." I always tell them that, while that may be so, an attacker may be able to pivot off of them onto someone who really does have something to hide, like one of their friends or family members.

JDMurray

tedjames said:

Most people outside of security have told me, during discussions on rights to privacy, "What do I care? I have nothing to hide."

Whenever anyone says that to you, immediately ask them to tell you their Social Security Number.

Danielm7

They'd probably tell you that before their salary or their debt amount. 

tedjames

Danielm7 said:

They'd probably tell you that before their salary or their debt amount. 

You mean like this? https://www.youtube.com/watch?v=UzvPP6_LRHc