From the monthly archives:
March 2010
In the middle of April in Barcelona, my co-worker Guillaume Lovet and I will give a presentation at Black Hat Europe 2010 titled “Adobe Reader’s Custom Memory Management: A Heap of Trouble”. The talk focuses on the custom heap management that Adobe Reader uses.
In fact, when Adobe Reader processes a PDF file, in most allocation cases it does not use the system heap directly, but maintains its own heap management system on top of the system-level heap manager. In practice, this design provides an easier and more reliable way to leverage PDF heap-based vulnerabilities.
In this presentation, we dissect its mechanisms with in-depth analysis, and point out its weaknesses by showing how we obtain exact EIP control in many different heap corruption situations.
We will also show a working exploit for a PDF zero-day vulnerability we discovered recently in the latest Adobe Reader 9.3.1 (where DEP is enabled by default), as a demonstration of our research. This exploit implements one of the exploitation techniques for the custom heap management. You may check it out here.
Please note that the vulnerability details are currently being protected by our Responsible Disclosure Policy. We are working actively with the Adobe Product Security Incident Response Team to arrange an appropriate timing to disclose the full details (tracked by FG-VD-10-005), since it is highly valuable for this PDF exploitation research. As always, we have developed for our customers a signature in advance against this zero-day vulnerability.
See you there!
Scammers use decoy documents (fake invoices, bogus airline tickets, imaginary lottery wins, political commentary on Tibet, information about World Cup 2010 fixtures, and so forth) to trick us into opening files which are dangerous.
SophosLabs is pioneering techniques to use non-dangerous decoy documents to fight back against scammers.
We don't just get them to open these documents but aim to suck them in thanks to the content of the document, thus distracting and delaying them. This means that:
- they aren't digging around for important data to steal,
- they are more likely to trip up Host Intrusion Prevention System (HIPS) rules, since they stay on-line and active for longer.
This greatly decreases the effectiveness of their hacking forays, and greatly increases the chance of them getting busted.
So to anyone who says, "Traditional security companies aren't interested in helping to catch the bad guys, only in selling software to block their malicious activities," I say, "Rubbish!"
Prevention is better than cure.
PS: You can guess what sort of material distracts the hackers best.
I am the typical one-man security show that is not uncommon within businesses the size of my employer. I deal with all aspects of security for the organization, including vulnerability scanning and penetration testing. Other responsibilities include regulatory compliance, incident response, patch/vulnerability management, and security architecture. So my view on penetration testers and the services they have to offer is the same as for any other consultant or contractor that walks through my door: I welcome the second set of eyes and the assistance.
The reality is that with all aspects of my daily responsibilities, I am going to miss things, make configuration errors, and downright fuck up from time to time. The fact of the matter is I get tired, have a family, and often don't know my systems as well as I may think I do. I am a juggling clown balancing on a unicycle with a warped rim, riding right down the middle of the train tracks separating these two groups.
This debate is not new and many others have already touched upon some of the pros of penetration testing. Defense in depth by way of post exploitation testing is one such argument that is completely valid. There are a few additional arguments I would like to make in regards to the usefulness of penetration testing, however.
- Your penetration tester should not be testing things that you know are broken. This wastes the consultant's time, your money, and does no one any good. If you know it is broken, evaluate the risk then fix it or put the appropriate mitigation in place so that it can be tested during the next engagement.
- Sometimes exploitation is the only way to verify something is broken. The Symantec exploit I blogged about last October is a great example of the risk assessment and patch management process failing within an organization. This was a situation where the only way to verify that a system was vulnerable, even though it was patched, was to run the PoC against it. Such situations, while not the norm, are also not unusual. If you are trusting your vendors to secure your environment, you are doing it wrong. It should be noted that the vulnerability was weaponized several months later, as reported by dshield.org here.
- Incident Response! You do have an Incident Response plan, right? Thought so! Do you review and practice it? What better time to see how well your IR plan works than when you're actively being attacked? A penetration test is a great time for the entire team to have a "fire drill" of sorts. I recently had the opportunity to listen to Andy Ellis speak about incident response. Andy serves as Akamai's Senior Director of Information Security and Chief Security Architect. His statements about availability made an impression on me. If your management is really serious about maximizing uptime, then you had better have a lean, mean Incident Response team. It is not a matter of if you have a compromise; it is a matter of when, and how well you respond to it.
APT: There are people smarter than you, they have more resources than you, and they are coming for you. Good luck with that. Matt's advice includes building a security team with "... at least one very bad person" on it. For the small-business security professional, that person is often the penetration tester. Besides, they are usually much more fun to have a beer with than senior management.
This edition is dedicated to RSA conference – an unending source of awesomeness!
Main section:
- First, a great read from Dave Shackleford, “A Glimpse Into the Security Mindset”, which reminds us: “Security people have a challenge that is 100% unique to their discipline [within IT – A.C.]: we have adversaries.” While there, also read his “5 Reasons Your Security Program is a Failure” (quote: “if you don’t have daily SOPs around your monitoring tools and capabilities, you will end up with shelfware, and that just sucks”). But if you’re really into sucking, check Lenny’s “How to Suck at Information Security”.
- The Gartner blog has a hilarious “Worst and Best Security Sales Practices” (first). Example: “saying your product is in market X, since X is currently cool”.
- Josh Corman, Jeff Williams (of OWASP fame) and David Rice (of “Geekonomics” fame) launch “RUGGED software” manifesto: “Software that endures against the environmental forces arrayed against it in cyberspace.” The manifesto is here at its brand new site.
- Sad hilarity reigns supreme here in comments at “Thor vs Clown” from TaoSecurity. Example: “P(Compromise) = P(C.SMS) x P(C.PIN)”
- “Using Logs To Reduce Response Gap”: “Unfortunately, auditing and never really using logs for anything except for records retention can cause organizations to treat them as merely objects to move around and not necessarily utilize for any action.”
- Prism Microsystems continues its epic mega-saga of “100 Log Management Uses” here at “#27 Printer logs.” While there, also please read “Sustainable vs. situational values” by Ananth that has this great quote: “I am often asked that if Log Management is so important to the modern IT department, then how come more than 80% of the market that “should” have adopted it has not done so?”
- Something made the Team Securosis think about correlation – and even argue between themselves: “Network Security Fundamentals: Correlation” (quote: “Most security professionals have tried and failed to get sufficient value from correlation relative to the cost, complexity, and effort involved in deploying the technology.”) and “Counterpoint: Correlation Is Useful, but Threat Assessment Is Fundamental” – then Rocky comments on the whole thing [BTW, I have no idea why they think correlation is about NETWORK security…]
- BTW, fun correlation discussion is also ongoing at one of the SANS blogs: “IT Audit: Correlating Logs and Event Logs.” It looks like David Hoelzer might bring his DAD correlation project back to life…
- A fairly intelligent piece on logging (“Best Practices For Windows Log Monitoring”) has this great quote: “Not monitoring your Windows logs is like setting up a security camera and putting an exit sign in front of it.”
- Lenny has “Establishing a Practical Routine for Reviewing Security Logs:” “A practical routine for reviewing security logs is regularly scheduled, partially automated, alternated among team members, and linked to problem resolution.” Our joint project, "Critical Log Review Checklist for Security Incidents" definitely helps with that.
- I mean, come on, even McAfee suddenly started talking about logs (something they’ve been ignoring forever). Eric Cole talks about logs in the context of SANS CAG/CSC in “Critical Control 6: Maintenance, Monitoring, and Analysis of Audit Logs.” He says: “Unmanaged Logs Hurt” and reminds that “Sometimes logging records are the only evidence of a successful attack.” Sadly, at the end he hints that you should be using ePO as a SIEM… gasp.
- Finally, one SIEM vendor realized that analyzing firewall rules together with vulnerability data should not be left to the dedicated vendors [I always thought that fw rules + vuln scans analysis is waaay too narrow to launch a company on; SIEM should have ‘owned’ that a long time ago] and launched a new product that looks at events, flows, rules and vulnerability scans. Good idea!
- And one log management vendor realized that “Reviewing logs everyday is a pain, we just made it easier”
- AlienVault, OSSIM commercial home, has released OSSIM 2.2. This deck has the highlights. As I am using the system now, it looks more impressive than ever. Seriously!
The MoMA in New York has added (“acquired” in museum-speak) the @ symbol to a collection in its Department of Architecture and Design, as reported in an Inside/Out article. The article says that @ was included as part of the original ASCII set defined in 1963 as shorthand for the common accounting phrase “at the rate of”. Its choice for formatting email addresses was made a few years later.
In 1967, American electrical engineer Ray Tomlinson joined the technology company of Bolt Beranek and Newman (BBN), where he created the world’s first e-mail system a few years later, in 1971, using a Model KSR 33 Teletype device. BBN had a contract from the Advanced Research Projects Agency of the U.S. Department of Defense to help in the development of ARPAnet, an early network from which the Internet later emerged. Working with Douglas Engelbart on the whole program, Tomlinson was in particular responsible for the development of the sub-program that can send messages between computers on this network. It was the first system able to send mail between users on different hosts connected to the ARPAnet, while previously mail could be sent only to hosts that used the same computer.
In January 1971, @ was an underused jargon symbol lingering on the keyboard and marred by a very limited register. By October, Tomlinson had rediscovered and appropriated it, imbuing it with new meaning and elevating it to defining symbol of the computer age. He chose the @ for his first e-mail because of its strong locative sense—an individual, identified by a username, is @ this institution/computer/server, and also because…it was already there, on the keyboard, and nobody ever used it.
The MoMA collection is attributing @ as a contemporary work of art by Mr. Tomlinson, and the image added to the gallery is “displayed in ITC American Typewriter Medium, the closest approximation to the character used by a Model 33 Teletype in the early 1970s”.
