Thoughts on Computer and Network Security

Developers and AppSec : Collectively You're Doing it Wrong

2010-09-09T10:55:00.000-07:00

There's a lot of cool stuff in motion and behind the scenes I'll cover later. But let's start with the most recent hot topic:

Dr. Chenxi Wang spoke today at OWASP Application Security USA 2010, about overcompensating for weak security from Developers (my biased paraphrasing).

The idea is that we can't depend on developers for security, so we need to correct outside of the development process. To over-generalize further, the Web Application Firewall concept is being done wrong. I agree that we can't wait for developers to start writing secure code, but I think this is more of a temporary band-aid to buy us time to starting more secure code--not a solution per se, but a crutch.

Signature detection isn't enough, visibility to steer current attacks would help mitigate if a super-WAF is available. But there's not patch for exploiting business flow/logic, therefore we can't stop educating the developer community to write secure code.

So it boils down to I agree we can't wait until code is secure, because it will never be, but that's no reason to give up on developers. We must fight on every front. That's one reason we started the x06d project: to start adding visibility to the browser and on the network from outside the browser. I'll post updated DEFCON 18 slides from the project soon ...

Netwars Round 5 Results

2009-12-28T13:27:00.001-08:00

There was some confusion on the CNN story: There were three things happening for NetWars in December:

1) Workshop hosted by SANS
2) Allstar challenge
3) Round 5

The CNN article dealt with #2, the Allstar Challenge. Winners for the Allstar Challenge:

1) chrisbdaemon
2) Level
3) SevenM7

The allstar points carried over into Round 5 which ended December 23, 2009. Here are the ROUND 5 TOP 20:


Player         Round5  BONUS Round5TOTAL
alertlogic       6103    125        6228
chrisbdaemon     4279               4279
sleepya          3246               3246
Level            2065               2065
SevenM7          1271     19        1290
user0555          397                397
ace1              126    125         251
h4n5ju57          150                150
xeno280            96                 96
oorang3            89                 89
user0230           41                 41
PuN1sh3r           28                 28
user0910                  17          17
dontarpme          16                 16
n00ne              15                 15
user0341            8                  8
infonaut            5                  5
dr29                       5           5
bpfinn                     5           5
user1260                   3           3

We have some nice things in store for Round 6 in January, 2010. If you would take advantage of a Netwars workshop in your area, please email workshop@netwars.info with WORKSHOP and your preferred zip code in the subject and we'll see what we can do in 2010.

NetWars Allstars and Round 5

2009-12-08T13:13:00.000-08:00

We are finalizing details on the upcoming Allstar event, sponsored by SANS at the CDI 2009 Conference. We have a few surprises up our sleeves to enhance entry-level player experience. Round 5 will prove to be very interesting as we'll be starting the allstar players on a different level during the regular competition.

We will continue to update the http://tinyurl.com/netwarscal calendar with any scheduling changes. We will also be adding more promotional material such as http://tinyurl.com/netwarspromo.

Netwars Round 4 Results

2009-11-30T15:22:00.000-08:00

Round 4 ended Nov 23, 2009, here are the *CORRECTED YET AGAIN* results from that round:


didnot    1601
theCET    1554
xeno280    241
geronim0   187
alertlogic  82
ace1        59
user0230    54
user0692    46
TheWorld    31
user0088     6
celery       2
chrisG       2
bpfinn       1
user0129     1

Round 5 will start Dec 17th, 12:01 AM PST, and will coincide with a Netwars Workshop and Allstar Event (more difficult round) and last through Dec 23rd, 11:59 PM PST. Please see http://sans.org/netwars for the most current information.

Netwars Round 3 Results

2009-10-23T11:40:00.001-07:00

Correcting anomolies in the bonus scores took longer than I had hoped, but we now have our final results for Round 3.0. We definitely will have a round Dec 17-23, and I'm trying to see if we can pull off a round Nov 17-23. We should know in a few days if November will be Round 4.


PLAYER       ROUND3 BONUS TOTAL

attackresearch 2472    0   2472
oxff           2075    0   2075
rmadair88      1623    6   1629
sleepya         941   93   1034
xeno280         365   64    429
user026         350    0    350
ace1             10   67     77
trvswrn          14   62     76
alertlogic       63    3     66
user186           0   53     53
alteran           0   50     50
unknown          43    0     43
tfgnetwars       18   24     42
jgimer           26    0     26
user620          18    0     18
user123           9    0      9
user052           7    0      7
reprap            6    0      6
user014           6    0      6

NetWars Round 3 Oct 10-Oct 18 2009

2009-09-18T18:18:00.001-07:00

Busy rebuilding the targets for the next round of NetWars, October 10-18, 2009. You can sign up at http://sans.org/netwars/.

Adding a ton of rich content--websites, streaming audio, etc. The NetWars network will be taken down (has been up for practice) while we rebuild everything. Also, if you have some licenses or hardware you'd like to let the project use, please send an email to netwars@sans.org with "SPONSOR" in the subject. There are a ton of things brewing; I hope it comes together soon.

I'm a little bummed I'm building it instead of playing the game . . .

NetWars Round 2.0 Final Scores

2009-09-02T15:29:00.000-07:00

Finally finished adjusting the scores after bonus and team breakdowns, here are the top 20 (well, 21 since the 20th slot was a tie):


SevenM7:       3809
frankred:      3794
tfgnetwars:    1337
funky4strngz:  1337
chrisbdaemon:  1337
cet:           1337
tcp_duece:      495
jgimer:         392
xeno280:        360
ace1:           207
allanak:        126
dr29:           107
deLusion:        89
cygnul:          75
codemasta:       61
punisher:        41
Level:           37
innrwrld:        15
KillerCube:      13
w153man:         11
user296:         11

Stay tuned for more info on the next round (2nd week of October). Mad props to Attack Research for helping keep the in-game peace vigilante style, and technically won most points as a team (but since we're not playing on teams, this is the official score).

NetWars Round 1.5 Final Scores

2009-08-01T22:31:00.000-07:00

Round 1.5 was a half round (it was Round 1.0 but with a new front end) that only lasted four days.


tfgnetwars:     1646
jgimer:          603
funky4strngz:    434
infonaut:        100
enzo:              5
someguy:           5

SANS NetWars Status

2009-07-28T19:17:00.000-07:00

After a meeting in Washington DC about the US Cyber Challenge, there has been a lot of interest in the SANS NetWars project. Since there is little information on NetWars published, I wanted to summarize what I said during the panel discussion on Monday, July 28th, 2009:

We wanted a challenging environment for Netwars. We wanted to
identify information security talent and encourage positive use of that talent. Netwars is designed to run for a week per round.

Most of the environment is hosted at the SANS Institute, but each player downloads a bootable Linux CD Operating System. It contains a few small challenge stages and a tutorial that walks the player through identification and exploitation, ultimately finding the key to the rest of the game. Once in this hosted environment, players compete with other players for access to services and systems, planting flags and defending them to score points. Bonus challenges are also injected during the game and serve as hints and opportunities to get players “unstuck.” Netwars is different than other Red/Blue team or Capture the Flag games because of the combined offensive and defensive requirements but no prep. time required--it's more of a King of the Hill game.

Netwars Round 1 was held in late June, we had about 80 participants that included teenagers, all levels of formal education, and a few information security professionals. We had a handful of participants to extraordinarily well on the defensive side, so we adjusted the game to give the others a fighting chance. Initially, all players entered the game environment in random locations to give each player a realistic chance to accomplish a task before his processes or connections where destroyed by another player. This was not quite good enough, but now once a player's score hits a 500 points threshhold, they get a different set of random entry points. We had a totalof 13 people that made it onto the scoreboard in Round 1.

It was exciting to be there to watch the ingenuity of the players. One of the highlights from the first round was in the form of a bonus challenge. One player managed to break into the superuser account in exactly 20 keystrokes and one mouse-click, beating out all other players that did the same in 34 to 68keystrokes. The winning player from Round 1 managed to manipulate the scoring system to increase his scoring rate (since the scorebot existed in the scope of attack network, he kept the legal points). All players used the same connection pool, so an enterprising player created a fake password prompt that led other players to believe their account password was no longer valid.

Netwars Round 1.5 was held last weekend for three days, with 100 players. We changed this version of the game by providing a less foreign initial image and a safer entry point. Each player received their own personal image with just their key to play the rest the game. We only had six players score due to the short round. My favorite point in this round was where the second place player completely
firewalled off a Windows XP target from the game because he had to accomplish some real-life tasks. This firewall, only allowing the scorebot and his personal backdoor in. It took about 5 hours for the first and third place winners to join forces and broke into this player's backdoor and liberate the target so they could continue scoring on it.

We will announce the next full round on August 10th. You can register now at www.sans.org/netwars. The environment has been a great challenge to play and to operate, and we are adding new targets and internal networking to add more depth to the game.

I have a pile of things to do before heading out to DEFCON . . . I have a pile of things to post as well that have been put on hold while buiding the NetWars system, so check back in a couple weeks.

NetWars Round 1.0 Final Scores

2009-07-01T22:33:00.000-07:00

NetWars Round 1.0 Results (June Round, 80 players)

The following scores are the top ten places (eleven because 10th is a
tie). This includes all scoring from Round 1 including corrections
for missing points and BONUS items.


 10153 sevenm7
  3940 pragmatk
   530 funky4strngz
   522 jgimer
   468 tfgnetwars
   210 cadillacgolf
   187 marksman
   126 enzo
    22 slybot
    20 lstep
    20 timeverson

Keeping ssh connections running

2009-06-26T09:34:00.000-07:00

This week has been pretty exciting, we've had a large number of players in Round 1 of SANS's Netwars competition. The game is half Capture-the-Flag and half King-of-the-Hill shoot em' up!

One of the defensive techniques a player has been using during the game will manipulate the other player's terminals and eventually cause them to drop their connection. There are a few different techniques that will help work around that particular defense.

First, an infinite while loop will keep in you a shell (this will work
until he starts killing based on the "while")

ssh playa@netwars.sans.org "while(true);do sh; done"

Or, you could make your own shell, either by uploading one from a
compatible box of your own or the local one (he still needs to
run commands, so there should be a shell _somewhere):

ssh playa@netwars.sans.org "cp /bin/sh ~/.blah;~./blah"

You don't get prompts for those shells and some commands will expect
"terminal" screens, but you can still interact quite a bit more than
single ssh commands. One could step it up a bit as well and use something like this in the ssh command to make the name of the shell random:

export NEWSH="`head /dev/random|wc -c `";cp /bin/sh./".${NEWSH}";"./.${NEWSH}"

But don't forget you probably need to escape all the backticks and doublequotes.

This has been a blast, hope to post a lot more about Netwars soon.

Stego Using TCP Retransmissions

2009-05-27T11:05:00.000-07:00

Follow the title link to an article that describes steganographic techniques using TCP ACK packets. Remember, these are the packets that are designed to either positively acknowledge how many bytes are received and even negatively acknowledge which byte is expected next. The article claims how the researchers can smuggle data as a covert channel in ACK to circumvent filtering and censorship.

If you HEARD my SCALE 7X presentation Custom FileSystems (slides), you would have heard how I described injecting spoofed ACKs to create an ACK storm that actually sustains a filesystem until the storm subsides. To create a sustainable filesystem, you would only need to create mirrors or parity storms ala RAID to give you a chance to restart the fallen one.

The reasons this is particularly more attractive than an alternative:

1) Transport layer--nobody knows you are using their webserver to bounce bytes off of unless they are looking at the transport layer.
2) Spoofable--you can spoof the ACK, ignore the resets, which allows you bounce the filesystem around a little and potentially avoid detection.
3) Troubleshooting ACK storms (if they are even noticed) usually involve part swapping network hardware--which won't affect the filesystem.

The next month is very busy, so I don't know if I'll have a chance to roll out a hello-world for this, but since I promissed it in February, I'll try to make it happen while stuck on a a long flight or two.

It's always good to have options

2009-05-18T11:28:00.000-07:00

When it comes to being creative, it's always good to have options. I hadn't ran into a really good alternative to the WayBack Machine for pulling up old versions of pages. I have used ChangeDetection.com to keep an eye on sites I wanted to know were updated, but weren't updated often enough to have as a favorite. But today I realized they had added a lot of features I hadn't taken advantage of yet.

For example, one site I highly recommend to pentesters, can be tracked as it is changed by using:
"http://www.changedetection.com/log/uk/co/vulnerabilityassessment/penetration%20test_log.html"

The thing is, somebody must have already started monitoring of the page for there to be any history, but it's something work checking for research and finding lost pages. It also can help you sift through information overload. There is an RSS feed option if that is something you use as well.

re-pwning the box you already own

2009-05-18T10:44:00.000-07:00

Friday I was called to handle a malware situation. This was essentially a mission-critical workstation and the goal was not to fully reverse engineer or preserve the machine for evidence. The McAfee antivirus product identified a malicious .js and .exe, but the logs didn't show the detection. The behavior I was called to fix was that most executables failed to run.

I started experimenting with other useful commands, and found that wmic was not affected in the same way but still provided a shell. So start->run->wmic.exe. Once I had a wmic shell open, I could execute the following:

process call create cmd.exe

Which did spawn a shell where start-run failed. Once I'm in this shell I ran a few commands to look around to confirm there wasn't still a separate malicious process that didn't belong. It appears the McAfee client did successfully kill separate executables.

Here I ran via the cmd.exe shell a reg.exe command to enumerate drivers:

reg.exe query "hklm\software\microsoft\windows nt\CurrentVersion\Drivers32"

Here, most things seemed normal except for one value named "aux6" that was something like "../isgerh.exe" (parent directory then a random executable). On different systems, this will be a different aux device, so the important thing to remember is if the infection just happened, it will be the highest-numbered device.

To delete this device from the registry, I simply typed:

reg.exe delete "hklm\software\microsoft\windows nt\CurrentVersion\Drivers32" /va aux6

After a reboot, things behaved normally.

If you boot into safe mode you can make the registry edit with the regedit.exe or reg.exe without running wmic. A full scan of the drive in safe mode likely would have removed the malicious driver, but the registry would still attempt to load it and would result in an EventLog entry about a driver failing to load. It is also possible that a stager execuable could re-dowload the malicious driver as well. So far, it seems that the combination of the commercial scanner and the registry edit completely removed the malware that prevented most executables from running.

Often I'm asked why/how I ended up focusing on Incident Response/Handling plus Penetration Testing. Well, sometimes you have to re-pwn your machine you own. The command line building blocks are great for both. A good reason to follow the Command Line Kung Fu blog.

I have two majors projects I'm trying to wrap up today, and I promise I'll post info on them as soon as I can. Meanwhile, have you registered for the SANS Penetration Testing Summit?

Back to Basics - Essence of Hacking

2009-05-05T17:06:00.000-07:00

I was listening to a recording of a portion of pauldotcom's episode 150--and there was a good discussion on hacking basics. What would you focus on if you were starting in the security industry?

For me, I would say, be surrounded by academia. Not necessarily in a four-year degree program, (although I'm very grateful for what I got out of it), but I find I learned the most be surrounded by folks striving for knowledge. I learned more about compilers trying to survive running javac on HPUX 10.X than actually making a java compiler that compiles java (so yes, it was supposed to correctly accept itself as input). I learned how to tunnel services remotely with ssh just to read email remotely, not to bypass an IDS or firewall (ok, it did do that also which was nice).

So how to do any cyber-thing better--even if it is just getting started--surround yourself with information, but be careful not to drink the coolaid--use the information and apply it to your environment, exceed original designs and documentation, explore, improvise . . .

I know I blogged this before---but stay tuned for an announcement of an initiative with regards to entry level \cyber\S+\ig

If you are at a SANS conference, ask around about this--you may get a sneak peak. Or maybe you should just watch http://twitter.com/sanshacknet and get an idea of what's to come . . .

Cyberwarfare

2009-03-11T21:31:00.000-07:00

Interesting posts are starting to show up out there about a surge of interested in the US armed forces and cyberwarfare. There's a lot of momentum building up. If you were at SANS in Orlando last week, you might have heard about a new project SANS is going to launch very soon. Stay tuned--expect an official announcement sometime in the next week or so.

Last week I had the pleasure of presenting at the SecureIT Conference in Los Angeles, CA. A keynoter, Randy V. Sabett, J.D., CISSP, made some very interesting points about US law with regards to defense. Generally, US federal laws tend to favor the fact that the individual can do anything necessary to defend his person. For Cyber Law issues, this is contrary to the history of case law established for non-Cyber issues.

So what I'm saying is that playing the Devil's Advocate or to role play a bad guy just to understand an attack is a very useful thing. But what about offensive skills? Does the properties of Mutual Assured Destruction apply to Cyberwarfare? Is it possible to display offensive strength and still be legally OK?

Now don't get me wrong, I'm not standing next to an ankle biter saying "Sweep the leg, Johnny!" But I think some interesting things are in motion . . . Stay tuned . . .

Audio Watermarking for Triangulation

2009-03-07T17:38:00.000-08:00

This is an interesting thing that uses practical steganographic techniques to pinpoint the location where a recording device is in a movie theatre. It's not entireably unbelievable that this is possible, given that we have surround sound. I imagine the accuracy varies, though, not all theatres are equal and you may have the folks disapproately located.

The ways around this seem obvious to me: heavily convert the audio, and record from multiple locations, mixing it down. Of course, that likely affects the sound quality of the final bootleg product, but it would do the job. Or the bootlegger could mix in interesting signals that would skew the triangulation (like my previous post about how a certain sine wave prevents youtube.com from compressing the audio in a video).

Not to wave-off their work, but we really need to be moving forward and not lateral right now, like most security issues--it's an arms race.

The past week was good, enjoyed speaking at SecureIT. This week I'll be at TUG U2U then Charleston, NC for SANS Sec 504, see http://bluenotch.com/events for more info.

When your backup method is not out-of-band=FAIL

2009-03-02T09:51:00.000-08:00

So I spent quite a bit of time traveling lately, last week I was in Edmonton, AB. When I return to my office there are two labels from UPS saying they tried to deliver the package. What really seems silly is their policy states (according to the unhelpful and unlucky person who answered my phone call) is that they hold onto the package for 5 business days, waiting for you to respond to the postcard they just mailed you--TO THE SAME PLACE THEY HAVE NOT BEEN ABLE TO GET ANYBODY!

You would think that either the collection of UPS stickies on the door, or the fact their excellent tracking database records the delivery attempts, that mailing a postcard to the same address is a terrible idea. All you catch there is somebody who wasn't available at the time to receive the UPS package, not people who are gone for a simple week!

Of course, by chance, they came during a week when nobody was in the Bluenotch Corp. office, and the killer is that the package spends more time in transit from shipper to me, then a measly 5 business days at a UPS location 20 miles away, then twice again as much time going back to the shipper. This package has spent more twice as much time on a UPS truck than waiting to be picked up, and it is going to double again when the shipper-reships it. The thing is, I know that email address and phone number is included in the shipping documentation, so if they really wanted to try to resolve the situtation, they could.

So try to get the most value out of this little incident--Don't have your backup system or your communications in same flawed mechanism, be SURE it is truly as out-of-band as possible.

Had a great discussion during my File Systems with FUSE talk at SCALE and this week I'll be at Secure IT Conference in Los Angeles. Next week is a series of workshops put on by The User Group at TUG 2009: Users To Users.

Working on a killer project I hope to post about at the end of the week once I get a few more details pounded out.

Beyond DNS-rebinding

2009-01-30T11:58:00.000-08:00

I've been spending a lot of time this month following and contemplating the material out there about DNS-rebinding and the assumptions made in how we browse the web. There's some really great content from rsnake and Kaminsky.

I've been working on a new FUSE powered distributed filesystem that would work as an XSS payload. Think of it this way: instead of stashing your loot on your server or somebody else's--just continuely juggle it between a few servers that allow for a little bit of public control. Say you had access to a couple of XSS-vulnerable servers. After a little bit of AJAX injected into the sites, as long as there is a catalyst (browser hitting one of the vulnerable sites), you can maintain a basic filesystem. Even if it isn't a stored XSS vulnerability, you can still constantly refresh the pages to keep the files "stored." It works for DRAM, why not for this?

So how might we accomplish this? We could use the arbitrary TCP traffic mechanisms referenced in Kaminsky's presentation above, but that would require flash with the javascript. But is there an easier way? Remember Kaminsky's extensive work on DNS tunneling? We could just use AJAX to trigger the DNS requests and then we can stash our files in DNS just like the DNS tunnel techniques.

Ok, so we could control DNS requests and based on timing of the responses we could effectively "save" data. What other possibilities do we have? Some of the rebinding techniques are useful because the Same Origin Policy let's two sites that are considered part of the same domain to share resources. Why bother with DNS? We have a great tool we can leverage to accomplish the same thing: TinyURL.

So I will be writing this up today to submit the BlackHat CFP, and hopefully find time to code it somewhere between all of the Events I'll be teaching/presenting at. Any thoughts or tips from any of you that might have been playing with this lately?

Sometimes simpler is better

2009-01-09T15:44:00.000-08:00

I gave a presentation on Essential Pentesting Methodology last night at the monthly SoCalITPro meeting. It was a last minute event, but it went very well and a lot of IT folks got a lean and mean introduction into the issues that surround a successful penetration test.

We also demonstrated an ASP code injection. We had a simple ASP app that wrote files with little input filtering so one could write their own ASP pages remotely. We were running commands and talked about how we could an ASP shell in the webpage itself (have you ever seen PHPShell?). Since we were demonstrating without a formal example, I ended up hacking together an ASP shell script and put it at http://www.bluenotch.com/resources/. I wasn't going to bother publishing it since http://aspshell.sourceforge.net exists, but after checking it out I realize it's a little more complicated than necessary and I was unable to use it for the ASP code injection demonstration I'm cooking up for Core Security's January 22nd Webcast. Thought somebody might find this one useful. -Update: Sorry, that link was originally to another webcast Core is hosting, I've corrected the link.

BTW, there is still room for a few people at the SANS Security 560 Network Penetration Testing with bootcamp. Please email me if you missed the discount code.

Starting 2009 off with a free webcast

2009-01-02T09:56:00.001-08:00

I'll be spending a lot of development time in January, then quite a few classes in February. January 22nd I'll be contributing to Core Security's Comprehensive Penetration Testing. I'll be demonstrating using some custom modules and incorporating them into Core's IMPACT Pro software. During the free webcast you will be able to see a discount code that will get you 10% any SANS Sec 560 course.

February starts off with SANS Security 560 in Atlanta, GA and Los Angeles, CA. I'll be giving a presenation on Custom File Systems at SCALE, and also teaching SANS Security 504 in Edmonton, AB. See www.bluenotch.com/events/ for the links and more info.

I hope to announce in the next couple of months my personal pet project for 2009, but here's a hint: Yet another cool Javascript payload to use in cross-site style attacks. Hoping it works out well enough I can speak at a few security conferences this year about it.

2009: Year of Pentesting?

2008-12-18T20:34:00.000-08:00

So 2009 is starting to look like a serious year for the pentesting scene. We saw such a huge variety and depth of vulnerabilities in 2008 that most folks are recognizing the importance to seeing if their systems are truly as secure as they assume. Did the patch take? Are there machines not configured as policy and procedure dictates? Can we even tell if someone were to attack?

Recently, I've had the good fortune of re-using some of my scripts and programming that I cook up during a pentest. I will release a couple of Perl scripts and a couple of Python modules in January in conjunction with a public webcast. I will be demonstrating writing custom modules for CORE's Impact product in a webcast on January 22, 2009. Then I'll be teaching SANS's Security 560: Penetration Testing / Ethical Hacking course (by Ed Skoudis) about once a month if the schedule doesn't change much. I'll also be spending some time in Edmonton to teach the SANS Security 504: Incident Handling / Hacking Techniques February 23-28. I still keep a full listing of events I will be speaking at on the corporate website, but it's moved to http://www.bluenotch.com/events/.

Oh, and if you haven't seen the Sec 560 course, SANS has an on-demand free demonstration. If you check out the www.sans.org/athome section, you can register for a free SANS @HOME session which has lecture and exercises to see if the course would be what you expect. I imagine SANS is also giving a discount to the course if you attend the free @HOME session then the actual course. The first time SANS did this for Sec 560 it immediately filled up, so register quickly!

Long time, no post

2008-11-17T15:17:00.000-08:00

So things have busy behind the scenes. Spent some time in San Diego, San Antonio, Sacramento, Sydney, and Boston in the last month. This month we have Hacking Techniques in Columbus, OH and Network Penetration Testing in Lake Tahoe, CA in December.

One of the reasons we've been busy is that we've been moving offices down the street to another building in downtown Long Beach, CA. Today is the first day I'm working from the new office, and it will take some more work to get settled in.

There should be a mini-SANS presentation at www.socalitpro.org's Noggin' Fest on December 11, 2008 in Irvine, CA. This is part of the COINS project (Community of Information and Network Security) sponsored by SANS. Stay tuned for more info.

Then, on the horizon in February, we have a two-course event in Los Angeles, CA (Marina Del Rey). We will have both Security 401, Security Essentials, and Security 560, Network Penetration Testing and Ethical Hacking. Both courses have bootcamps included in the cost.

Lightning Rod Defenses

2008-09-29T12:13:00.001-07:00

So I'm on my way back home after a brief day of meetings at SANS Network Security 2008. I'm a little tired from another SANS Security 560 course plus bootcamp in Indianapolis, so I acquired a Redbull drink before leaving. At the Airport checkpoint, I was surprised to find that I already forgot about putting any fluids in my carry-on, and the TSA promptly removed the water bottle I had also put in my bag. Here I am after my flight and realized I had the redbull still. So maybe it's time to dust off the honeypots or any other lightning-rod type defenses when you are thinking about improving your security posture . . .

I haven't forgotten about StegoFS, I still hope to have some releaseable code in the near future. However, I'm not sure how much time I'll have to spend on it between SANS Sydney and SANS San Antonio (and 3 other presentations in California-here).

Work Work Work - StegoFS demo

2008-08-26T23:25:00.001-07:00

So things have been super busy as of late, and there is not much sign of things letting up. I still hope to release something from the new StegoFS project, but I'm scheduled to be in many different places in the next few months.

I have had a few folks contact me about the video I demonstrated at DEFCON 16. I choose a video from youtube (that awful HACKERS movie) because at the time I was testing how consistent youtube was in compressing audio and video that it had already processed. Also, it's nice to choose something with aspect ratio bars--that way I can demo a barcode style watermark where you can see it (how to demonstrate something designed to be hidden is problematic . . .). Plus, it was handy to use a video that unlikely to be watched. http://www.youtube.com/watch?v=djhWj19aWAA or just search youtube for "OMG HACKERS"--at least right now it is the top result.

So if you check it out, you may want to use an FLV recorder such as real player. In this example, the coded data is just hexadecimal FF in even hamming code, in triplicate. I chose to use grey as ones and leave black as zeros just to make it easier to read. Watch the video for a while, and notice how youtube's compression manipulates the encoded bits worse when there is a lot of bright activity on the screen. But all we have to do is average them out, maybe add a little more redundancy, then we are good to go--mostly. :)

You may want to use an accessability tool like xzoom to zoom in on the coded part of the video.