Security Aegis

1 Trillion in Losses for 2008 - McAfee

2009-02-11T09:03:00.000-08:00

California computer security firm McAfee presented the findings Thursday at the World Economic Forum in Davos, Switzerland, with a warning that the world's dismal financial straits are exacerbating data theft woes.

"Based on the survey findings McAfee conservatively estimates that the global damage from data loss to top one trillion dollars," said McAfee chief executive Dave DeWalt.

A few months ago I did an interview article about the current economic state and how it would affect InfoSec. Now I am poised to revisit that sentiment.

I would really like to be angry at CEO's and companies not giving enough to their IT staff to properly secure systems but I really cant. A few weeks ago I saw many friends lose their jobs, hard workers, and diligent people. The economy sucks right now, and it doesn't matter if you agree if we're in a recession or not, big business believes it.

With a decree from McAfee like this I hope C-Level executives start revisiting InfoSec priorities. They need to see where their policy-rubber doesn't hit the road so to speak. Want specifics? ok, here's some just off the top of my head.

- We need to revise policy. Even if stringent policy isn't your businesses style get someone to draft policy that fits your corporate culture ans still secures your entity.

- Adequate attention needs to be given to client side attacks.

- We need to prioritize the awareness of web application vulnerabilities.

- We need to stop preaching defense in depth, and start doing it.

- We need secure code review in our release cycles.

- We need more application whitelisting on our desktops.

- We need to review our wireless policies.

- We need more database security and input validation or filtering.

-We need user awareness training, compliance testing, auditing, and pentesting.

Lets hope the reality of losing more than our current stimulus package can wake a few people up.

BT4 Released!

2009-02-10T18:09:00.000-08:00

You can get the iso here md5sum and sha512sum

And the VMWare image here md5sum and sha512sum

We are trying to get estimates of downloads. If you link to our ISOs, please use:

http://www.remote-exploit.org/cgi-bin/fileget?version=bt4-beta-iso
http://www.remote-exploit.org/cgi-bin/fileget?version=bt4-beta-vm

and do not link them directly.

Release information will shortly be available on the Remote Exploit Web site.

Incident Handling Resources

2009-02-10T10:46:00.000-08:00

Over at Ethicalhacker.net i was asked to think up a good stepping stone and give some resources for a IH/IR program. Here's what i came up with:

I would create an internal document for each sys admin that contains spots for the systems they administer, description of those systems, a business risk analysis rating (are they critical?), IP/sysinfo, physical location, and a blank lined section for credentials and signatures.

Hand one out to each sysadmin, then have them fill it out and take take it your companies C-level executive who is the chief data owner. Have the admin write down the credentials, sign it, then have the CEO/CIO sign it and lock it away in a binder with a copy of your IR policy (once you draft it), up to date physical topology, toolkit/checklist, host inventory (including roaming laptops), etc. I would also use a data integrity program your systems periodically for comparison (a-la tripwire etc.)

Neophasis has some good ideas for a IH kit (from SANS 504) here:

http://archives.neohapsis.com/archives/fulldisclosure/2003-q3/1579.html

* Use a duffel bag and keep it permanently stocked.
* Never steal from your own bag.
* Hardware:
* Blank, unused (or at least wiped) SCSI disk.
* Blank, unused (or at least wiped) IDE disk.
* Small 8-port hub (NOT A SWITCH!). Get a really old one with AUI &
coax.
* Cat5, Cross-over Cat5, AUI, Coax cables.
* Laptop, dual OS. Use whatever OS's are best for your situation.
* Tx-neutered Cat5 (snip one wire, it's receive-only!)
* PCMCIA WiFi card
* USB Thumb drive.
* Serial cable w/ Cisco router connection.
* Flashlight
* Screwdrivers (but TSA might confiscate them -- you might have to buy
new ones each trip.)
* Female-to-Female RJ45.
* Tape recorder, mini-disk, or equiv.
* Camera (depending upon your requirements, digital, 35mm, or polaroid
in that order of legal admissibility).
* Video Camera, if your plan includes one. Consider the pitfalls of
too much info.
* Software:
* Copying software: dd, windd, ghost, etc.
* Sniffer software: ethereal, etc.
* Forensic software: Coroner's Toolkit, etc.
* Statically linked binaries: ls, ps, etc.
* Bootable OS on floppy or CD.
* Windows Resource Kit.
* Supplies:
* Lots of media for tape recorder.
* Lots of new, unused backup media (floppies, tapes, CD-R, etc.)
* Team phone list & company phone book
* Cell phone & LOTS of batteries (say, 3 or 4).
* Plastic baggies with ties for evidence.
* Extra notebooks (bound, with numbered pages)
* Extra copies of all of your forms.
* Pens (not pencils!)
* Business Cards

You should also consider budget for a a "War Room", a windowless office
(or closet) that you can meet in, tape evidence up on the wall, etc. It
has to have comm (net, phone, fax), TV/VCR, paper, whiteboards, etc.

You also need a slush fund. You need to be able spend money instantly
during an incident. If you need to cut a PO at 3:00AM to get an extra
SCSI drive, or some extra baggies, you are screwed. If you need to
consult the corp travel adviser before you fly to the location of an
incident, you are screwed.

The official SANS site has this good outline:

http://www.giac.org/resources/whitepaper/network/17.php

and this section detailing IR (whitepapers)

http://www.sans.org/reading_room/whitepapers/incident/

read the Handlers Diary's everyday!

http://isc.sans.org/diaryarchive.html

Additional Links:

Security Incident Survey Cheat Sheet for Server Administrators

http://www.zeltser.com/network-os-security/security-incident-survey-cheat-sheet.html

Initial Security Incident Questionnaire for Responders

http://www.zeltser.com/network-os-security/security-incident-questionnaire-cheat-sheet.html

Network DDoS Incident Response Cheat Sheet

http://www.zeltser.com/network-os-security/ddos-incident-cheat-sheet.html

Reverse-Engineering Cheat Sheet

http://www.zeltser.com/reverse-malware/reverse-malware-cheat-sheet.html

My OPML file

2009-02-10T10:44:00.000-08:00

This is my OPML file. Its a collection of everything infosec i have liked for the past year. Blogs, AV reports, security news, vuln reports, you name it you'll prob find it in here.

Big names and small names alike, tools, policy, industry, etc. Over 500 RSS links. I read about 25% of it daily, which means i'm always behind, but it still keeps me up to date =)

It includes the security bloggers network, mine, and some good friends conglomerated links.

Feel free to check through it, edit, trim, critique, but especially add and read.

Hope it helps someone!

http://wiki.securityaegis.com/Home/opml-file

Ethicalhacker.net

2009-02-09T14:20:00.000-08:00

Hey everyone,

If you don't already go check out Ethicalhacker.net.

The reason i say this is because they have a really great community for admins, infosec, and IT all around. The forums, the exclusive articles, and webcasts they host are spectacular. I post a lot around there these days, and ill have a review of Nmap Secrets CBT there too soon.

Not only that but, the Inguardians team posts their monthly challenges there! Go decode some traffic, show off your Incident Handler skills, and win a prize!

-JH out

The Middler - RELEASED

2009-02-08T22:57:00.000-08:00

Jay Beale (creator of bastille linux) will be releasing "the middler" after his talk at shmoocon.

Many of you remember he announced that he was releasing it at defcon 16 but the tool was barely at an alpha stage, he has now completed alpha.

Here ya go:

http://inguardians.com/tools/middler-alpha.tgz

Listen to the Defcon Audio on it here:

http://good.net/dl/bd/defcon-16-audio/08_dc_t412.mp3/info

And get the slides here:

http://www.defcon.org/images/defcon-16/dc16-presentations/defcon-16-beale-2.pdf

<3 style="">

Jay Beale, Senior Security Consultant and Co-Founder, Intelguardians Network Intelligence, Inc. This talk introduces a new open source, plugin-extensible attack tool for exploiting web applications that use cleartext HTTP, if only to redirect the user to the HTTPS site. We'll demonstrate attacks on online banking as well as Gmail, LinkedIn, LiveJournal and Facebook. We'll also compromise computers and an iPhone by subverting their software installation and update process. We'll inject Javascript into browser sessions and demonstrate CSRF attacks.

Our new tool, The Middler, automates these attacks to make exploiting every active user on your computer's network brain-dead easy and scalable. It has an interactive mode, but also has a fire-and-forget mode that can perform these attacks automatically without interaction. Written in Ruby, this tool is easy to both extend and add into other tools.

PHPBB Hacked via third party script vuln

2009-02-06T07:55:00.000-08:00

Saw this on Security Circus, very sad indeed:

http://hackedphpbb.blogspot.com/

CeWL for Penetration Testers

2009-02-06T07:18:00.000-08:00

From the blog of Seth Misenar

CeWL for Pen Testers

Shortly after flipping through Ed�??s slide deck for Secrets of America�??s Top Pen Testers yesterday, I noticed a fortuitous tool annoucement come across the SANS GIAC Alumni mailing list. Robin Wood emailed to announce the release of a tool called CeWL: Custom Wordlist Generator (which is of course pronounced �??cool�??).

http://www.digininja.org/cewl.php

CeWL �??spiders a given url to a specified depth, optionally following external links, and returns a list of words which can then be used for password crackers such as John the Ripper�?? (from the website).

Very nice. This tool dovetails nicely with Ed�??s first tip from SATPT, �??Build Password Guessing and Cracking Dictionaries�??. In fact, it turns out that the tool was based on a PaulDotCom discussion, http://pauldotcom.com/2008/11/creating-custom-wordlists-for.html, which was in turn based upon content provided in Ed�??s SEC560: Network Penetration Testing, which I will be teaching in Atlanta in February, https://www.sans.org/atlanta09_cs/description.php?tid=1717.

Wshew�?�did you follow all that. Regardless of its origins, CeWL definitely looks like something I will be adding to my tool arsenal. Check it out.

New School Info Gathering by CG

2009-02-04T21:46:00.000-08:00

Chris Gates has a vid of his new school info gathering presentation on vimeo, check it out:

Toorcon X Gates: New School Information Gathering from carnal0wnage on Vimeo.

his blog is here, very cool stuff

Slides here

U3, USB, and related attacks

2009-02-04T18:37:00.000-08:00

So, pauldotcom.com (last week) went over some good info on using u3 enabled USB drives, and software that can thwart USB attacks. Good things were said about software similar to the below to control this threat:

Most of these software use Group Policy GUI's to control the input of devices. Some restrict based on USB UID's.

Unfortunately (at least I think) these software fail to address the fact that we can boot to CD (or network) and mount the USB device from there, then script pull all the info we want out. Physical access to the machine usually means pwnage.

The fear is not only dumping data of a physical machine but ingress malicious code, like John Strand shows here with the meterpreter:

Metasploit Meterpreter Reverse exe from John Strand on Vimeo.

A good description of U3 hacking using switchblade and GonZor be found on the raymond.cc blog:

u3 usb smart drive to become ultimate hack tool

Return from Vegas...

2009-02-02T06:53:00.000-08:00

Another day dawns, and I'm back home with my family after a rigorous week in Vegas for SANS Security Essentials.

I have to say it was one of the most fun infosec experiences I have had.

Beers with Ed Skoudis, riding a segway 15mph down the hallways of the Rio with Mike Poor, and 6 days of sponging up GSEC material with James Tarala. Not to mention a great camaraderie with fellow facilitators Ray and George.

Sunday - Day one was setup. Boxes and boxes of books unpacked, conference material sorted, and attendees registered, etc. Most of the heavy lifting was done this day, as well as scrambling to keep attendees as happy as possible. That�??s one thing that I didn't expect was the actual level of service SANS offers their students. It�??s amazing. They really go out of their way to make the high cost of the conference worth it. And it is. This day set the tone for the actual hours of work, 6am-9:30pm on average if you facilitated the SANS@Night lectures which of course I didn�??t want to miss!

Monday - Day two was the first day of class. Getting students to be where they should be, handouts, basic teachers aide stuff. GSEC day one is Network Fundamentals for Information Security; everything from topology, to switching, routing, VoIP architecture, packet analysis, IPV6, IPSEC, and physical security. Having been in IT but never a high powered consultant, getting James�?? input in all the areas was an eye opener. Not to mention I sat next to 4 FBI cybercrime investigators and behind two DOD agents, which was cool and intimidating at the same time. Lucky for me they were all really nice individuals.

Tuesday �?? Day two was the first of the really cool SANS@Night events and the daytime was all about Defense in Depth. Topics included Viruses/Malicious code, Security Policy, Access Control, Incident Handling, Information Warfare, and Web App Security. As mentioned the night event was Rob Lee�??s talk, �??The State of the Hack: The Chinese Threat.�?? This talk was straight scary. Rob went over three cases he had worked on with advanced persistent threats. These were highly capable attackers, well funded, and persistent. Security measures for all these companies were in place, firewalls, IDS, proxies, host auditing, AV, etc. The main tool of choice for the attackers? Spear phising, vulnerable webapps, SQL injection, and browser attacks. Once in they dropped some lightweight but heavy payload malware, creating channels in plain sight but so entrenched in the network they could not be easily removed. An older version of the presentation can be viewed here: http://www.certconf.org/presentations/2008/files/C4.pdf

Wednesday �?? Day three was more depth in IS technologies, including attack strategies, Firewalls, honeypots, Vuln Scanning, IDS, IPS, and Risk Management. Another SANS@night gem was Kevin Johnson�??s Wep app pen testing talk. He covered BeEF, Clickjacking, XSS, CSRF, et al. It was an excellent presentation. I wish he had posted it online, because honestly it was Alices�?? long trip down the rabbit hole. I�??d take the blue pill next time if I didn�??t love this stuff.

Thursday - Day four was secure communications, two modules of crypto, stego, wireless sec, and Opsec. Crypto and linux sec are pretty much my weaknesses right now, so this day really identified the SANS �??drinking from a fire hose�?? motto for me. The best part of the day? Ed Skoudis�?? Night presentation, �??Secrets of Americas Top Pen Testers�??. I blogged about it the day it I saw it. If you haven�??t checked out the slides or seen his other series �??Pentesting Perfect Storm�?? I would highly recommend you check them out. Plus Core came in and opened up the bar! Pizza and beer for all ;)

Friday �?? Day five was all about Windows sec. More Windows active directory than I ever wanted to know about�?� well not quite, but close. No one ever told me most application whitelisting server software was just pretty front ends over AD! Should�??ve guessed.

Saturday- Day six was Linux security. At this point my brain was about full. Like a sponge that had absorbed too much, I was struggling to retain it all. Somehow I made it through, with a somewhat more advanced understanding of the wide world of the penguin.

Overall, it was amazing. If you read this far, you get a little treat. If you�??re in the infosec space, IT space, hell even management space, go be a SANS facilitator. Classes normally are $4000 big ones, as a facilitator you pay $700. You get to meet most of the instructors; you get the online training, and a free GIAC test attempt. I networked with some great people, had some good times, and learned more than I expected.

Jason out ;)

NNS in the mail, yay!

Core, Skoudis, and Lee talk pentesting

2009-01-29T08:41:00.000-08:00

So you all know, or i hope you do, that Core Technologies sponsors webcasts featuring infosec icons like Ed Skoudis. I got a chance to attend a recently drafted one called Secrets of America's Top Pentesters at SANS Las Vegas.

The purpose? Give back to the pentesting community, help it grow, and to point out that pentesting isnt about 0-days at all.

This ppt goes through some advanced tips on:

Social networking and using it to make password lists
Pivoting via netcat and other advanced netcat foo
A comparison of john and rainbow tables attacks, how they work, and why we should do both
Pass the hash attacks

Check it out at the InGuardians site:

http://www.inguardians.com/research/docs/Skoudis_pentestsecrets.pdf

Another great talk that i got to attend was Rob Lee's State of The Hack. Rob went over some of the REALLY nasty targeted malware, case studies profiling it, and the methods it uses. It's really ridiculous. He hasn't decided to share the slides yet but his company Mandiant has posted an earlier version here:

http://www.certconf.org/presentations/2008/files/C4.pdf

Image Curtesy of cox & Forkum Editorial Cartoons =)

Wired and Monster Compromised

2009-01-26T05:10:00.000-08:00

This week two big compromises took place, the first being Steve Job's alleged cardiac arrest hack of Wired.com, and the second being the data compromise of monster.com, the popular job posting website.

While the later was a data breach of information a colleague of mine pointed out the fact that faking Jobs' death could affect Apples stock, making it an effective focused monetary goal, or just a prank, you decide.

Folding@... war?

2009-01-19T22:50:00.000-08:00

Why use your clock cycles and bandwidth to cure cancer, or search for life on other planets, or solve complex math theorems, when you can use it for war?

Hacktivism incarnate, the Patriot executable from www.help-israel-win.com is touted to force your bandwidth into the conflict in the Gaza Strip.

Similar to the StopGeorgia.ru tool, this is the second incarnation of a voluntary botnet client. The idea is to use your computer's bandwidth to DDoS "Israel's Enemies."

Despite the morally shady implications, the authors, a group of Israeli students, have included a uninstaller and promised to dismantle the botnet once the conflict is over.

In depth analysis was conducted by SANS ISC researcher Bojan Zdrnja.

After playing with it a bit (and executing it in a safe environment), the program just connects to an IRC C&C server running on port 80. It has a hardcoded list of C&C servers containing IP addresses and DNS names, probably if some of those hardcoded IP addresses go down. Here's the list extracted and deobfuscated from the binary:

74.200.82.243:80
74.204.170.92:80
213.175.205.254:80
94.76.212.76:80
94.76.212.77:80
74.204.188.161:80
74.204.188.180:80
pati.dyndns.info
defend.is-a-geek.net
pati.servebeer.com
rocker.redirectme.net
pati.chickenkiller.com
takemeout.jumpingcrab.com

The embedded IRC client uses a well known (and legitimate) IRC client library SmartIrc4net.

...
...

Finally, it can retrieve a remote file and save it on the local machine as TmpUpdateFile.exe �?? certainly sounds fishy.
While at the moment it does not appear to do anything bad (it just connects to the IRC server and sites there �?? there also appeared to be around 1000 machines running this when I tested this) the owner can probably do whatever he wants with machines running this.

The uninstall process seems to be correct, as the author(s) say on the web page, but it is questionable if the binary will download something else.

In any case, and as always �?? be careful what you download and run on your machine, especially if it's coming from unknown sources that you can't trust.

Additionally a long and exhaustive list of compromised web hosting servers from which the bot attacks are originating from is listed in the comments here in ACL form.

If it weren't all bad already some versions come packed with a trojaned keylogger and modify registry values in WinXP and Vista, as shown by Anubis malware report.

Very questionable.

As "the dog" would say (a MaximumPC reference), Woof.

Wall 'o' text update...Md5, IE7, and Carders

2009-01-06T05:13:00.000-08:00

Hey all!

Leave it to my friends to whip my butt into shape about updating =P

So what's been up?

--- IE7 Exploit ---

Well, you know you're out of the loop when Microsoft (IE7) XML parser exploit comes out and you are unaware for two days. Sheesh.

HD Moore and the websense guys have the most excellent writeups on it, including step by step RE, outbreak date speculation, etc.

Chris Gates and Dean De Beer over at http://carnal0wnage.blogspot.com have created a pretty stable Metasploit module, good stuff!

--- MD5 Cracked ---

Then we had a scare on SSL being cracked, but it was just MD5 that was ( kinda already) known to be insecure, and CA authorities were still using it, thus allowing fake certs to be written and pass for real in all browsers. The interesting thing here is the hardware to launch the collision attack is 200 clustered PS3's.

The vulnerability is theoretically known since 2004, and a number of security researchers rejected its practical application, due to the amount of CPU time required to exploit a single hash for collision. The researchers used 200 Off-the-shelf Playstation 3 Gaming consoles to perform the necessary calculations. This is slightly frightening. The researchers used 200 PS3 game consoles over eight days. The next generation gaming console (like the future Playstation 4) will be capable of hitting the one Teraflop barrier while the current one tops 0.2 Teraflop. More worrying, future cloud-computing services could make it even simpler to crack security algorithms.

The attack research came from this year's Chaos Communication Congress (25C3) by Applebaum and Sotirov�??s MD5 Considered Harmful Today presentation.

Internet analysis firm Netcraft did some research and discovered that there are currently 135,000 valid third party digital certificates using MD5, which translates into about 14% of all existing certificates on the Internet. The firm found that the �??majority of certificates are from RapidSSL (shown as Equifax on the certificate).�?? All of the 128,000 RapidSSL certificates in use were signed with MD5, Netcraft said. The remaining 7000 vulnerable certificates from Thawte and Verisign, but the analysis firm noted that most of their certificates are signed with the SHA-1 algorithm, which is currently believed to be secure. All other certificates on the Internet use only SHA-1.

The last interesting piece of reading is HD Moore's article located here. If you expand the comments you can see HD, Verisign, and Applebaum converse over the attack, if it has been carried out, when/if Verisign knew about it, and other juicy tidbits.

--- Carding King Jailed ---

Lastly a piece about the carding empire's king, Max Butler, and his auspicious rise to the digital undergrounds peak. Published by Wired. MB was a hacker... more when i get home :P

Working working!

2008-11-09T09:36:00.000-08:00

Hey all,

I hate to post an obligatory "sorry i haven't been around" post, but well, things have been busy. I have been coordinating with vendors for the CBT reviews (those that took up the challenge), and working on a new site. The wiki will be come very different than it is now and i will be launching a new open source project that i think some people will really enjoy. The new site will have integrated forums as well.

That along with preparing for Jan GIAC exam will be my main focus for a while.

More to come soon, I promise! Take care of yourselves and your family, remember that they are the most important!

Well Done...

2008-11-03T21:36:00.000-08:00

A little networking humor =)

Everything I could find on MS08-067 and Gimmiv.A worm

2008-10-28T01:29:00.000-07:00

I won�??t repeat what a million others already have blogged (even though i know many people do) I will provide valuable links though!

MS08-067

Original MS bulletin

MS08-067 breakdown Article

Metasploit Exploit for MS08-067

Milw0rm Exploit

Comments by F-Secure Team on dates ranges of outbreak

RE of original MS08-067 also
RE of original MS08-067

Gimmov.A

General Gimmiv.A Worm Breakdown

Gimmiv.A worm breakdown 2

Small listing of affected networks

Sample of the code (might not still be up)

Fears for InfoSec: An interview article regarding financial crisis and IT security

2008-10-24T03:18:00.000-07:00

Recession. Low consumer spending. Collapse of the financial sector.

These are terms everyone�??s buzzing about. They are a reality that seemingly affects everyone. This year we have seen large companies being bought out, big names with a lot of tech behind them mash up their systems, and even Silicon Valley bigwigs shaking in their boots.

Security Aegis wanted to know what some outstanding industry professionals had to say on some of the key points in this storm. Below are excerpts from interviews with Stephen Northcutt (president of SANS and founder of the GIAC certifications), Justin C. Klein Keane (Vulnerability researcher and owner or MadIrish.net), Andre Gironda (Vulnerability researcher and member of OWASP Tools Team), and Chris Gates (VP of Operations for LearnSecurityOnline.com and monthly columnist for EthicalHacker.net), as well as my own perspectives on the topics.

With IT scare articles everywhere I wanted to know how they thought the US�??s current financial predicament would affect IT security as a whole. We got great responses thinking about the problem from all different angles.

�??I think the downturn will affect security in a rather profound way. Security is an intangible investment for many companies, meaning when it works you aren't ever aware of it. I think many companies will be tempted to slash their security budgets to save money�?? Keane said. Gates responded similarly, �??I think people will be less inclined to purchase new security appliances and will put off any non critical work in their enterprises.�??

Although these responses were bleak we were inspired by Gironda�??s vision, which became a hopeful mantra, �??It means more crime both online and off. More people will be desperate, from white-collar to blue, and even the poorest classes of people. This will lead to more crime, id-theft, and many other issues. IT Security will become as important and more strained, as would law enforcement and hospitals.�??

I felt a dark tone throughout the interviews, pointing towards fear for statically employed InfoSec professionals who would have budget cuts and layoffs, but then also hearing promise of contract work rise as the nature of pay-for-service would prevail. So naturally we asked the contractors what they thought. In a surprising show of confidence most of them were not phased. �??I am relatively lucky that being in NoVA and government contractor I haven�??t seen much in the way of any slowdown. Probably because monies for the contract I am on hav(ing) already been awarded�?? said Gates. Gironda citing a multitude of smart investing options put it very simply �??�?�The stock market has always, and will always be, crap. It will never affect me.�??

I moved back to a core question we thought was important enough to single out: do you foresee hiring and raise freezes for IT security folk?

Northcutt responded, �??Certainly Jason, not for all IT Security folk, some stocks are up, some organizations are doing well, but here is my take. The financials have been hit very hard. Now some of them such as Goldman Sachs are well positioned to make investments for the future, but mostly even the ones with minimal subprime exposure were caught in the down draft. Business in general is hurt by the credit crunch, so that slows them down. The government will not be hit immediately, but as lower tax receipts happen, we will start to see cutbacks. But, I certainly do not expect this to last forever.�??

To me this was bittersweet. Of course recessions don�??t last forever, of course there is an end in sight, but hard times fall and sometimes render people useless. The dotcom crash had big-time webapp folks, sys admins, and internet engineers looking for work at K-Mart. Keane added, �??Hiring and salary freezes are definitely on the horizon for everyone in IT, especially security. I think many people in security will be lucky to keep their jobs, so not getting a raise will be more palatable.�?? Gironda took the diversification route, �??For network security people: yes (it will affect them), Appsec security people: no.�?? Gates added �??�?�(it) sucks because most IT security people are underpaid�??

With 4/4 worried I tried to bring some different questions to the table, I asked about the value of certifications in hard times, open source/volunteer projects, pricing for security resources, and the ever constant fear of outsourcing.

I�??m a fan of certification, some aren�??t. That�??s ok. Every time a position has come down to two candidates who were similarly skilled, certifications will show that a potential employee is dedicated to excellence and has the drive to excel. The idea can be seen in the current state of the American education system undergrad programs, many employers just want to see a degree regardless of what it is, some people would argue the same principle about the CISSP, but thats a discussion I wont get into here). Regarding certification Northcutt said �??Sadly, the biggest value is in layoff situations. If you are on the street, anything that makes your resume stand out is a benefit.�?? With Keane following in, �??I don't think the value of certification is going to change much. The cert is still only going to be valuable in certain sectors. However, when the economy slows and more people are looking for work employers can be more discriminating. With a large pool of applicants, HR departments will have the luxury of requiring certifications.�?? �??It is best to get certs during a recession, but do not expect them to get a job until the recession ends. It's called "planning for the future". The best plan is to make sure that you are working and making money�?? added Gironda.

On a side note I wanted to ask about open source projects, volunteer projects, and paid tools like Core Impact. These are things important to a thriving security web community. Keane said, �??Open source tends to do fairly well through recessions. If nothing else there are more out of work programmers around to contribute. Making an investment in open source is especially safe in a down economy because you don't risk becoming locked in to an unsupported product because a vendor went out of business.�?? On paid tools Gironda chimed in with �??Core Impact has recently split their product line into a primary tool and the �??Impact Essential�?? cheaper product. We'll see more splits like this for companies like Core who spend too much money on research for products that don't sell, don't work, and cause more problems than they solve.�??

When asked how they saw state of affairs related to out sourcing of vulnerability assessments and pentests we got different viewpoints ranging from a very capitalistic view from Gates, �??I think the best person for the price should do the work�?� (I)t�??s all about what the client wants and needs to protect against�?? to statements of warning from Gironda, �??SaaS and other outsourcing models are bad for organizational risk. Black box testing only finds 0-10 percent of the vulnerabilities that they cover (which are about 1 percent or less of the total vulnerabilities possible). The information discovered could be subverted. Remote vuln assessments and pen-tests are dangerous and many organizations are beginning to realize this.�??

We also inquired about the corporate mergers/mashups and change in big enterprise networks. Are they an opportunity for attackers?

Gironda had this to say, "Mergers/takeovers ruin audits, especially things like patching initiatives. Both sides expect that the other has done their jobs, when in fact, neither have. It delays and prolongs security initiatives, which raises risk higher than most other scenarios." Keane added, "Network merging is certainly an opportunity - for attackers. It's going to be a nightmare for support folks."

Gates response gave a little hope,

"It should be a great chance for some security companies to do great things. Whether or not those people actually do them or not is another matter. Lack of funds is always a good reason to just "get something done" instead of "getting it done right"

To be honest, when I set out to write this article I didn�??t expect my fear to be agreed upon. I regard these peers very highly and most were very fearful for others and it was an eye opener to say the least. Not to say I didn�??t expect the reality, but rather I hoped there would be a nice big sunset for the InfoSec hero to walk into. I think that these interviews show that the niche of InfoSec is one that is fragile but vastly important. We can hope that through the rocky fears of a recession our careers bloom due to vast realization of how critical security is, but it never hurts to have a resume polished, be constantly improving our skill set, and poll dice.com every once and awhile.

Read the responses here as well as final thoughts and a complete transcript of the interviews.

Thanks for reading,

J.H.

New Media RSA 2008 , OWASP, ToorconX

2008-10-15T14:50:00.000-07:00

Lots of updates today!

I gotta tell tell you, my iPod never has been so full. The con community continues to grow and offer a great asset to IT Security who wants to stay up to date with the latest research, tools, ideas, and keep connected with like minded individuals. With no further ado:

RSA 2008 audio and slides

Info on RSA

Slides and Audio

These will most likely not be up for very long, I used the Firefox extension DownloadThemAll! to grab them.

OWASP AppSec 2008 video

Descriptions with links to video

ToorconX

Description and lineups

Sildes for Presentations

I'm not sure how long these will be up either ;) **be sure to check out Chris Gates talk on New School Information Gathering from Toorcon, which imo is great stuff =)

SecurityCBT Award Assesments have begun!

2008-10-15T14:13:00.000-07:00

So after a long paternity leave, I have sent out feelers for the CBT awards. The vendors as it stands are:

Mile2/Career Academy, SANS Institute, Offensive Security, Specialized Solutions/QuickCert,
Infosec Institute, VTC, Learnkey, Testout, Boson, Security Innovation, CBTnuggets.

if anyone has another CBT vendor that matches the awards leave a comment and I will add them =) Additionally if you have suggestions on the criteria or certs, I'm more than willing to revamp these.

Awards:

1st , 2nd, 3rd - Best in class for Begging Ethical Hacking/ Intro to Pentesting

1st, 2nd, 3rd -Best in class for Advanced Ethical Hacking and Pentesting

1 winner each - Best in class for specific Certs - Security+, CEH/ECSA/LTP/CNDA, CISSP, GIAC certs, SSCP, SCNS/SCNP/SCNA, CISA, CERT GSIH, OSPA/OPST

Wireless Shootout: CWSP vs OSWP

Honorable Mention

Security Aegis Kick Ass Award

Criteria:

1) Engaging
2) Who has the qualifications
3) Value
4) Who shows up on your resume the best
5) Who prepared you for the related Cert the best
6) Who has the best customer support
7) Best demo policy

Defcon 16 - Top ten with audio for all! - late update

2008-10-14T06:08:00.000-07:00

Well... even though Defcon was two months ago doesn't mean I can't blog about it! =)

There was some digital gold that many people overlooked at this year�??s Defcon, but thanks to Darkoz I, unlike other bloggers (heh), can provide the audio for these presentations!! I listened to almost all this years Defcon talks and although some say the quality of the con degraded i thought these presentations were awesome. Take some time and listen to them, you wont regret the fun, ingenious, and awesome ideas they all bring =)

For AUDIO click the link that has /wait at the end, that will bring you to the page with the mp3 link on it

1) BackTrack Foo - From bug to 0day

Mati Aharoni Owner, Offensive Security.
As pentesters and hackers we often find the need to create our exploits on the fly. Doing this always presents a challenge. But one challenge took us to a new limit and a new level. We want to share the method with you. From Bug to 0Day will show the audience the process of fuzzing, locating the bug, using egghunters then figuring out to build a pure alphanumeric shellcode to exploit it.

This will truly be the most mind bending 60 mins you will spend in exploit development.

Mati is a network security professional, currently working with various Military and Government agencies as well as private sector businesses. His day to day work involves vulnerability research, exploit development and whitebox / blackbox Penetration Testing.
Mati is most know for his role in creating the award winning, internationally acclaimed linux pentesting distro, BackTrack. As well as his lead role in creating the hottest security training school in the international market today, "Offensive Security". This focused, intense school hones the skills for security professionals by teaching them the tools and methodologies popular in the market. Mati has been training security and hacking courses for over 10 years and is actively involved in the security arena.

Slides

Audio

2) Owning the Users with The Middler

Jay Beale, Senior Security Consultant and Co-Founder, Intelguardians Network Intelligence, Inc. This talk introduces a new open source, plugin-extensible attack tool for exploiting web applications that use cleartext HTTP, if only to redirect the user to the HTTPS site. We'll demonstrate attacks on online banking as well as Gmail, LinkedIn, LiveJournal and Facebook. We'll also compromise computers and an iPhone by subverting their software installation and update process. We'll inject Javascript into browser sessions and demonstrate CSRF attacks.

Our new tool, The Middler, automates these attacks to make exploiting every active user on your computer's network brain-dead easy and scalable. It has an interactive mode, but also has a fire-and-forget mode that can perform these attacks automatically without interaction. Written in Ruby, this tool is easy to both extend and add into other tools.

Slides

Audio

3) Grendel-Scan: A new web application scanning tool

David Byrne Security Consultant, Trustwave, Eric Duprey Senior Security Engineer, Dish Network. While commercial web application scanners have been available for quite a while, the selection of open source tools has been limited. Grendel-Scan is a new tool that aims to provide in-depth application assessment. Written entirely in Java and featuring an easy to use GUI, the tool is intended to be useful to a wide variety of technical backgrounds: from IT security managers, to experienced penetration testers.

Grendel-Scan can test for authentication and authorization bypass, SQL injection (blind and error-based), XSS, CRLF injection / response splitting, session key strength, session fixation, file/directory/backup enumeration, directory indexing, web server mis-configuration, and other vulnerabilities. Exploration of the web application can be accomplished through an embedded proxy server, via automated spidering, or search engine reconnaissance.

The accuracy of the testing is increased by powerful features such as automatic detection and correction of logged out sessions, heuristic file-not-found detection, and an embedded HTML DOM parser and JavaScript engine for full page analysis. Grendel-Scan was architected with extensibility in mind. Powerful libraries offering features such as input/output tracing, session tracking, or HTML DOM comparisons make the development of new test modules much easier.

The presentation will feature an overview of the application's design, results of comparative analysis against similar tools, and a live demonstration of the tool using a real application (not an intentionally vulnerable app).

Slides

Audio

4)Nmap: Scanning the Internet

Fyodor Hacker, Insecure.Org. The Nmap Security Scanner was built to efficiently scan large networks, but Nmap's author Fyodor has taken this to a new level by scanning millions of Internet hosts as part of the Worldscan project. He will present the most interesting findings and empirical statistics from these scans, along with practical advice for improving your own scan performance. Additional topics include detecting and subverting firewall and intrusion detection systems, dealing with quirky network configurations, and advanced host discovery and port scanning techniques. A quick overview of new Nmap features will also be provided.

Slides

Audio

5) Career Mythbusters: Separating Fact from Fiction in your Information Security Career

Lee Kushner President, LJ Kushner and Associates, LLC, Mike Murray Director of Neohapsis Labs. How long should my resume be? Do I really need to be a Manager? Do I need to attend business school? What certifications do I need? Does my title matter? Should I go after money or a cool job? What are the hot skills du jour? How do I use LinkedIn and Facebook? All of these questions are asked continually by Information Security professionals as they assess their current positions and determine which future opportunities align with their aspirations. Mike Murray and Lee Kushner return to the DefCon stage to answer these questions and dispel the prevailing myths that permeate the information security industry. Participants should leave the presentation with a better way to map out their own career and separate fact from fiction as they make decisions on how to pursue their ultimate career goals.

Slides

Audio

6) Password Cracking on a Budget

Matt Weir Security Researcher, Sudhir Aggarwal Security Researcher. Not every bad guy writes down passwords on sticky note by their monitor. Not every system administrator fully documents everything before they leave. There are a lot of legitimate reasons why you might need to crack a password. The problem is most people don't have a supercomputer sitting in their basement or the money to go out and buy a rack of FPGAs. This talk deals with getting the most out of the computing resources you do have when cracking passwords.

Our group at Florida State University is currently working on password cracking research to aid in forensics analysis. We've analyzed disclosed password lists to try and figure out how real people actually create passwords. Not all of these lists have been in plain text so we've had to go through the pain of cracking passwords ourselves. Just like you, we are still waiting on funding for that supercomputer as well. In this talk, we'll go over some of the tools and techniques we've used to crack these password lists using only a couple of PCs, such as custom wordlist generation and choosing the right word mangling rules. We'll also talk about some of the lessons we've learned and the mistakes we've made along the way.

Slides

Audio

7) Stealing The Internet - A Routed, Wide-area, Man in the Middle Attack

Anton Kapela Security Researcher, Alex Pilosov Security Researcher. In this presentation we're going to show Defcon how broken the Internet is, how helpless its users are without provider intervention, and how much apathy there is towards routing security.

With the method described in this talk, an attacker is able to gain full control and visibility of all IP packets heading towards an arbitrary destination prefix on the Internet. From the perspective of the victims network, every inbound packet they receive will have first taken the 'scenic route' through the attackers network before getting reaching the true destination.

The presentation will show attendees how (roughly) BGP works on the Internet, how and what providers do (or don't do) when interconnecting their networks, concluding with a discussion of the hijacking method and a live demo of 'man in the middled' traffic, in-flight, to an undisclosed destination, including countermeasures employed to further obscure the interception and ensure nearly perfect network transparency. Ettercap and others please stand aside - routed Internet hijacking has come of age!

Slides

Audio

8) Dan Kaminsky DNS Exploiting - Black Ops 2008

Dan Kaminsky, a penetration tester with IOActive, shows a flaw in the Domain Name System that would allow attackers to easily impersonate any website -- banking sites, Google, Gmail and other web mail websites -- to attack unsuspecting users.

Kaminsky announced the vulnerability after working quietly for months with a number of vendors that make DNS software to create a fix for the flaw and patch their software. On July 8, Kaminsky held a press conference announcing a massive multivendor patch among those vendors, and urged everyone who owns a DNS server to update their software.

Slides

Audio

Video!!

9) Identification Card Security: Past, Present, Future

*note, this is a former research field of mine. although Doug had a great presentation, there was much lacking on the topic. I will be doing some new research on multispectrum holograms, etc soon! =)

Doug Farre Administrative Director, Locksport International . Come learn how identification cards have taken over our lives, how they can be manufactured at home, and how you can start a legal ID making business. Come learn all the tips and tricks about amateur id manufacturing and pickup the first ever Complete Amateur ID Making Guide. Also, come test your ability to spot a fake, vs. a real, and check out the newest in ID technology. Polycarbonate laminates, biometrics, Teslin, and RFID. Lastly, see how corporations are affecting the identification card fiasco in the U.S. What's in your wallet?

Slides

Audio

10) Bringing Sexy Back: Breaking in with Style

David Maynor CTO, Errata Security, Robert Graham CTO, Errata Security. Security is getting better; there is no doubt about that. High value targets are increasing their security while buying into the buzzword hype with phrases like "defense in depth". Firewalls, IPS, AV, NAC, and a host of other technologies have done a lot to give the pointy hair bosses of the world the ability to sleep easy...or has it. While those PHB sleep easy in their bed the ability to compromise a site at will continues to grow.

Remember the good old days of planting Trojans in microcontrollers of your enemy's hardware or shipping packages with system updates that contain backdoors? What happened to those days? What if I told you that breaking into a site is as easy as sending a package via some third party carrier or throwing up a website. This talk will cover penetration techniques that at first glance appear to be Hollywood fiction but are easy and reliable methods of intrusion.

Miss this talk and you may never know why you have a package in your shipping department addressed to "U R Owned, INC.".

Slides

Audio

Security Aegis Wiki launched

2008-10-02T09:34:00.000-07:00

wiki.securityaegis.com is now up. If you feel like reading more of Security Aegis type content head over and check it out. Also if you wish to add content or collaboration, email the address there and ill add you. Enjoy =)

Certified Ethical Hacker Version 6

2008-10-01T16:37:00.000-07:00

The CEH cert has been the one of the most controversial certs to real world pentesters. A few years ago, it was the only cert of its kind, and having it was an asset. Fast forward to today and many think it is just a glorified tool review taught by people with no real world pentest experience.

My opinion has teetered back and forth on this. For an entry level job in infosec I think the CEH does the same thing as the A+/N+/S+, presumably lets an employer know that you have the equivalent of 6 months of on the job experience as a security engineer.

Regardless, that is not what this post is about:

Recently at a EC-Counsel Summit the instructor slides leaked for the much revamped version 6 of the CEH. I don't condone downloading pirated stuff but looking at the topics makes me a little more confident in the course.

In doing research for the CBT awards, I talked to a quickcert.com rep named Wade, who said only a handful of trainers are teaching the new version. Quickcert being one of them. I was also directed to an interview on ethicalhacker.net with Haja Mohideen who thought the first class on v6:

http://www.ethicalhacker.net/content/view/190/24/

The slides were first posted on www.arabhardware.net (http://tinyurl.com/4n4pzf) and ended up at http://tinyurl.com/45q5yg

v6 offers a substantial re-haul of the curriculum. Impressive in my opinion.

A good anti-CEH argument is made with retorts from someone who knows the program and layout well here, its a good read i recommend it.

Stumble hacking?

2008-10-01T02:37:00.000-07:00

Have you ever noticed theres just too much information out there?

I mean, it's a big bad internet out there and if you cant find specifics about a topic you need info on ( google fu) why not rely on others who have searched before you?

Enter Stumble Upon

Stumble Upon uses a distributed database of marking technology. If you've ever heard of Digg.com, its kind of like that except a clientside app. Based on the "stumbles" of like minded individuals on the net you can click a browser toolbar button and go to sites relevant to your interests.

So lets say i want to search the Stumble database for a topic instead, like... penetration testing!

This is easy:

1) Create a Stumble account at www.stumbleupon.com

2) Download the browser app, sign in, etc

3) enter in your browser http://www.stumbleupon.com/tag/penetration-testing/

4) Click the button "Stumble Pages About This"

now your browser Stumble button will only take you to sites related to Penetration Testing.

This is topic based searching based on like minded peers. They might know a resource you don't!

Notes: you can do this for any topic, by using the url structure in step 3. Separate words by hyphens: example: http://www.stumbleupon.com/tag/ethical-hacking

have fun!

Don't forget to tag pages with the "i like it" button, so the stumble community grows!

--Update--

I've decided to list my favorite SU findings for the day at the bottom of each post. Todays are tools from www.nosec.org, open source vuln scanner and an SQL injector that look interesting :

http://www.nosec.org/web/jsky

http://translate.google.com/translate?hl=en&sl=zh-CN&u=http://www.nosec.org/web/pangolin&sa=X&oi=translate&resnum=1&ct=result&prev=/search%3Fq%3Dhttp://www.nosec.org/web/index.php%253Fq%253Dpangolin%26hl%3Den%26client%3Dfirefox-a%26channel%3Ds%26rls%3Dorg.mozilla:en-US:official%26hs%3DU8d%26sa%3DG%26pwst%3D1