Month: April 2007

My Career Path – Part 3 “The Future”

In my first post I detailed the choices that led me from my original plan of being a history teacher, to dropping out of my computer science program, to starting my first help desk job. In my second post I mentioned how I climbed from my first help desk job, to working at Nortel, and the subsequent layoff that followed.

Unemployment sucked.

Nothing makes you feel as horrible as being laid off from a job. You end up blaming the company at first and then you turn the anger to yourself. At the time of my layoff, the job market in Ottawa was horrible so I had plenty of time to think all of this over as my house was being built. My soon-to-be wife and I lived with my parents for 3 months and her parents for 3 months as we gave up our apartment to save money during construction.

During this time I must have applied to at least 500 different jobs in various locations in Canada, the United States, Europe, and Australia. No one wanted me. The problem with being laid off by Nortel is that, typically, you’re not the only person. In fact I was one of a few thousand people laid off, all looking for the same (any) job.

While at my soon-to-be in-laws’ I received a call from a company who was contracted, by Nokia, to find some people to work front line firewall and network support. I jumped at the opportunity and within a week I was working as a contractor at Nokia. Since I had very little security experience there was a steep learning curve but Nokia provided exceptional training for Nokia IPSO (the routing platform), Nokia IP Series appliances (their hardware), and Check Point VPN-1/Firewall-1 (the bundled firewall package).

While working at Nokia I made a point of learning everything I could about the products I supported. I also ensured that I obtained the certifications for the training I received in order to make myself stand out from the rest of my coworkers. Within 8 months, a record at the time I might add, I was hired full time by Nokia. Even though I was hired into the job I made sure not to stop learning. I felt my routing and switching knowledge was weak so I paid, out of pocket, for a CCNA prep-course, and subsequent exam. Customers were calling in having problems with their Cisco to Check Point VPNs, so I bought books on Cisco PIX and Cisco VPN Concentrators and learned how to troubleshoot VPN related issues.

By this time I was hooked on security. At first I tried to read as much as I could on security topics to make me better at my job. The more I read the more I realized that I was genuinely interested in all facets of security, even those that didn’t relate directly to my current role. I started teaching a CompTIA Security+ prep-course, based on my own course content, through a local business to give back to the community. The funny thing was that most of my students were current Taima, now Convergys, employees looking to get ahead just as I had done.

I also started doing some consulting on the side for Cisco and Check Point issues. This helped me learn quite a bit about working with government organizations and subcontracting through other, larger consultancy firms. In 2004, after speaking with two friends at Nokia, we decided to form a business to help add credibility to our consultant engagements and help limit the taxes that could be taken from us. This is how Koteas Corporation was formed. Even though we didn’t, and still don’t, perform a large volume of work due to our full-time jobs, our customers have returned to us when they need help or advice.

At this time in my life I was looking for change. Nokia had become stagnant and there was little room for career advancement. Koteas Corporation didn’t have enough volume to support a full-time employee. I… was in a rut.

In February of 2005 I received a call from a recruiter in Fredericton, New Brunswick. A start-up called Q1 Labs was looking for a 3rd level support person to help support their network security management product, QRadar. They offered to fly me down for an interview to see if I was a fit for the organization. I spoke it over with my wife and I agreed to come down for an interview. The interview process was grueling. I was there for 8 hours and met with the heads of every department (Support, Engineering, and QA), the CTO, the CTA, and the VP of Engineering. I had never worked for a startup before but every person I talked to was so excited about the product and their jobs. This was quite a switch for me coming from such large multi-national corporations as Nortel and Nokia. I was instantly hooked and wanted to work there. After a couple of follow-up phone interviews with the COO and the CEO I received my package in the mail. My manager at Nokia was happy for me and understood why I wanted a change so we parted on very good terms and still keep in touch to this day.

When I arrived at Q1 I started working immediately. Not only was I supporting our customers but I was also supporting evaluation customers and our Sales Engineers in the field. I also had the opportunity to travel to customer sites to provide installation, configuration, and training services. During this time I wanted to make sure I kept learning so I invested in the SANS Intrusion Detection In-Depth self-study and the GCIA Incident Handling certification. This course was one of the best courses I’ve ever taken and taught me so much about packet analysis and intrusion detection. While in support I also had the opportunity to go to a Building Scalable Cisco Internetworks class which taught me quite a bit about high level routing.

In 2006 I became the primary trainer for QRadar. I loved going from site to site providing the week long training course on our product. Also, because of my past experiences at Nokia and Koteas, I was able to relate sections of the course to customer needs and situations. At this time I also decided to pay for another SANS course. This time I took the Hacker Techniques, Exploits & Incident Handling course and subsequent GCIA Incident Handler certification (GCIH). Upon completion of my exam I received an email inviting me to join the SANS institute as a Stay Sharp trainer and Local Mentor for my area based on the score I achieved on the exam. I happily accepted!

In late 2006 I was rewarded with a promotion to lead a team of software developers whose main responsibility was integrating 3rd party event and vulnerability data into QRadar. Ironic isn’t it? The guy who dropped out of college because he didn’t like programming was now leading a team of software developers.

The story doesn’t end here as I am still happily working for Q1 Labs, still leading the same team (loving it!), still working on expanding Koteas, starting to be a technical reviewer for security related publications, starting to work more with the SANS institute, still studying and learning all I can, contributing back to the security community in forums and articles, blogging (of course you knew that already), starting to present at conferences, and starting to get my name recognized in the security industry. I hope you have enjoyed this three part series and if you have any questions/comments/concerns or just want to drop a note then please feel free to email me at andrewsmhay [at] gmail.com.

Thanks for reading!

Suggested Blog Reading – Friday April 20th, 2007

Lots of news today, as well as some overflow from yesterday, but also lots of fluff and FUD. I’ve tried to weed through some of the clutter for you in today’s list:

Anatomy of a zero-day: Security researchers face hurdles

Cody Pierce knew right away what he had found, but he wasn’t exactly sure how serious it was. Pierce and his fellow researchers at TippingPoint had spent much of the early part of last year poking around in the ActiveX controls in Windows XP, looking for controls that might be vulnerable.

Webmail Auditing tool

Alla Bezroutchko released a tool yesterday to do automated XSS testing against webmail clients. It is heavily based off of the cross site scripting cheat sheet, but ties that in with a series of emails that attempt to override the built in validation engines built into various web-mail implementations. I am literally the first to admit that I have never looked at webmail in depth. The only time I did, in the case of Roundcube I didn’t even have to go past the first page (it’s now been fixed).

Web2Open or WebTooOpen?

At the Web 2.0 Expo in San Francisco this week, conference organizers attempted to apply the concepts of Web 2.0 to the conference itself. In addition to the expected sessions and BoF sessions, organizers introduced a concept they called “Web2Open”. Web2Open was to be a participatory, attendee directed and led set of sessions similar to BoF but organized completely by attendees. Like a real life forum, attendees would post ideas in open slots on the Web2Open board with descriptions of the topics they wanted to discuss in the session and other attendees could join in or not as was their wont.

Packet fragmentation versus the Intrusion Detection System (IDS) Part 2

Over the course of part one, we saw how to set up the various computers in our VMware lab. The setup was simple, and even the installation and use of fragrouter fairly pain free. We ended off part one with an attempt at packet fragmentation via fragrouter in an effort to evade Snort. That first attempt failed for Snort did indeed pick up the attack. It had no problem in reassembling the fragmented packets and recognizing the attack for what it was; an RPC bind attempt via the MS03-026 exploit contained in the Metasploit Framework. Fragrouter has quite a few more tricks in its arsenal. If you enter the “./fragrouter –help” command as seen in the screenshot below, you will be shown all of the fragrouter options available to you.

Microsoft Office Space: A SQL With Flair

Hey, folks! It’s challenge-time. Tom Liston whipped up this one based on his real-world adventures in the deepest, darkest cubicle jungles of the mid-west. The name? Microsoft Office Space. The game? Figure out how they plan to fool “The Man”. I hope you enjoy this brief excursion into the mind of Tom Liston as much as I did.

New attack puts routers, cell phones at risk

In a demonstration set to take place at the CanSecWest security conference in Vancouver Thursday, Juniper’s Barnaby Jack says he will show how this technique could be used to take control of a router, and then inject malicious software on virtually every machine on the network.

Automating Signature Updates for Cisco IPS/IDS Sensors

Without management software, administrators supporting these sensors must manually retrieve signature updates. I support a small network for one of my customers, for which purchasing this software was not an option. So I developed my own Perl scripts that run on a Solaris box to (1) automate the update discovery and retrieval task, and (2) verify success and send an email notification following the actual update installation. In this article, I will describe the details of these processes, highlighting remote management of a Cisco IPS device via SSH and explaining the integration with the IPS automatic upgrade feature.

Apple Stitches Up 25 Holes in Mac OS X

This latest shipment of 25 security updates came on the same day that a “pwn-2-own” contest launched at the CanSecWest security conference here in Vancouver. Hackers clustered in hotel rooms were feverishly trying to exploit the two unpatched Macs downstairs in the main conference hall, but Apple hopped on the phone to inform the conference organizers of the security update release. The show’s organizers patched the Macs before they were hacked.

Malware Soup du Jour

As an avid reader of this diary, you know of course that things are not always what they appear to be. As was the case with a user today, who after hitting a convoluted set of exploit files ended up where his browser tried to download files from us6-redhat520-com. No, this isn’t RedHat Inc. And no, the HTMs coming from there are not HTMs but EXEs in disguise. In the meantime, the more nimble of the AV vendors even came up with names for the critter: Backdoor.Generic.U (McAfee) and Troj_Agent.PUE (Trend). The hoster of the site has been informed, the owner of the domain and site seems to be located in China.

Effective Vulnerability Management (Part 2)

In this posting I wanted to focus on effectively responding to new threats and vulnerabilities. I am not talking about incident response, attack analysis, or forensics, as these are disciplines that are instantiated once something actually happens. I am referring to how an organization should respond to critical vulnerabilities; especially those with exploit code or attacks occurring in the wild, prior to an incident actually occurring.

XP Firewall Custom Parser

Without having to have vendor X, Y, Z’s appliance or application on the network etc, you can simply install the PNLog Agent on your XP machine (sorry no Vista, I’ve refrained for now, due to colleagues’ screams in the office), create the simple parser, and test the functionality.

Argus: Practical BotNet Detection

I use argus for my daily task, like I mentioned argus client tools are easy to use but hard to master, it is trivial to work with it sometimes. However I believe experience may make you wiser when dealing with complex tools, I really appreciate Hanashi’s work on BIRT for sguil report generation. As Hanashi is working on sancp session data, I’m more of looking into argus flow data. Here’s a very short paper that I have written in using argus client tools (ragrep and radump) to perform botnet detection.

Suggested Blog Reading – Thursday April 19th, 2007

Finally the sun is out! I’m looking forward to my weekend of warm weather, BBQ meat, and studying for my CISSP exam…

Well two out of three ain’t bad…

Here’s the list for today:

NAC all-in-one test on the horizon

We’ve provided comprehensive information on ways the available NAC architectures have been outfitted by a host of vendors to provide authorization tactics, end point security measures, enforcement points and management wares that tie all the necessary NAC pieces together.

Attackers improve on JavaScript trickery

As JavaScript becomes an increasingly key component of online attacks, attackers are investing more energy in obfuscation and other techniques to make defenders’ attempts at reverse engineering more difficult, a security researcher told attendees at the annual CanSecWest conference on Wednesday.

PRIAMOS – SQL Injection and Vulnerability Scanner

PRIAMOS is a powerful SQL Injector & Scanner, it allows you to search for SQL Injection vulnerabilities and execute the code injection using vulnerable strings to get all possible Databases, Table and Column data with the PRIAMOS SQL Injection Module.

War in the Third Domain

Recently I wrote Taking the Fight to the Enemy Revisited that mentioned air power concepts as they relate to information warfare. The Air Force Association just published a story by Hampton Stephens titled War in the Third Domain. I found several points quoteworthy.

Anonymous Posting on the Internet: Privacy vs. Defamation vs. Information Security

Over the past few months I’ve discussed with several different organizations the issue of their personnel posting on Internet sites, to blogs, within Internet communities, and various other locations. The issues are many, but few organizations have really thought about them all; the implications of employees posting from the corporate network, using their corporate email address within online postings, the time used while at work to post, the possibility of libelous statements being made that the corporation may have to ultimately end up paying for, and many assorted other issues.

Analogies Keep Failing

One of the most often used, and later debated, analogies used for actions in the security/hacker industry is that of comparing port scanning to walking down a road checking doors and windows to see which are unlocked. This is fundamentally flawed because port scanning looks for open services that your computer is offering other people on the network. There is no expectation of ‘services’ offered when walking down a neighborhood street, regardless of checking doors and windows. A slightly better analogy would be walking down a street full of shops that have no power (no lights, no neon open signs) checking doors to see which are open.

Why UTM Will Win

We know how many words a picture is worth. The figure above, from Boxed In by Information Security magazine, shows why Unified Threat Management appliances are going to replace all the middleboxes in the modern enterprise. At some point the UTM will be the firewall, so the gold UTM box above will also disappear. In some places even the firewall will disappear and all network security functions will collapse into switches and/or routers.

Hackers get free reign to develop techniques says Microsoft security chief

“Part of the picture is bleak. In the online world, cyber criminals can do their research for as long as they want in absolute security and secrecy then when they’re done they can take their exploit, find a way to automate it and post it on a Web site where thousands or millions of other criminals can download it,” said Scott Charney, vice president of Trustworthy Computing at Microsoft, in Redmond, Wash. “That doesn’t happen in the real world. One burglar, no matter how good he is, can’t breed hundreds or thousands of others just like him. The laws of physics kick in.”

Finally, Common Event Expression (CEE) is Out!!!

CEE standardizes the way computer events are described, logged, and exchanged. By utilizing a common language and syntax, CEE takes the guesswork out of even the most menial of event- or log-related tasks. Tasks including log correlation and aggregation, enterprise-wide log management, auditing, and incident handling which once required expensive, specialized analysts or equipment can now be performed more efficiently and produce better results.

On Value and Loss

Andy Jaquith’s new excellent book, Security Metrics is a must-read for anyone even slightly interested in getting more scientific about the Art of Security or perhaps even looking to rise up in unison against subjective, biased, sometimes excellent, oft-times not, auditors and other security reviewers that second guess everything you do (no offense to you good auditors out there ;-)).

Lying with statistics

This release from EMC/RSA makes compelling reading, but needs some careful analysis. (Please bear in mind I am not knocking RSA here, some of my best friends are algorithms. I think that Messrs Rivest, Shamir and Adleman would want this to be analysed in a logical way however.)

Pitfalls of a Home Based Ethical Hacking Business

Self-employed security professionals, or those who are involved with small businesses, will invariably find themselves conducting security assessments and penetration tests of Internet facing systems and services. These activities will happen through resources that are generally not as robust as those supplied to security professionals in medium and large organizations. The following is a list of a few items that a security team should take into consideration before performing security related activities under these conditions.

Top 10 Internet Crimes of 2006

The Internet Crime Complaint Center filed its annual report last month, but didn’t get the attention it deserved. A look inside offers some revealing statistics on the darker side of the Web.

Windows Event Logging

The decision on what method to use, depends on a few factors, namely whether to install an agent on the host, the desired load on the MARS appliance, and how near real-time we want the event data that MARS will process.

Vidoop

In an interesting email that was sent to me I was asked to take a peek at a new software tool, not yet released to the public called Vidoop (there is an interesting article on it here). While I was unable to actually take a look at the software, I’ve got a pretty good idea of how it works from the Wired article. After downloading a software certificate that allows you to use their software basically you say, “I like animals” and it shows you pictures of horses and cats and dogs all mixed in with a bunch of non-animal photos. You choose the correct photos (a la kittenauth CAPTCHA) and you are granted access.

Generating Sguil Reports

To be honest, many Sguil analysts feel the need for more sophisticated reporting. Paul Halliday’s excellent Squert package fills part of this void, providing a nice LAMP platform for interactive reports based on Sguil alert information. I use it, and it’s great for providing some on-the-fly exploration of my recent alerts.

A simple defense against Google hacking techniques

“If you have company secrets, you have to take steps to make sure it doesn’t get into the public domain,” said Daniel Pinto, a Stewartsville, N.J.-based security consultant whose company is called RAC Partners LLC. “Google isn’t reaching into your company, it’s just making available what’s already out there. Sensitive information gets out if someone inside a company or one of its partners makes it available.”

Is it a bot or a worm? Neither, it’s a BOTWORM!

This is the first I’ve heard someone mash bot and worm together and dub it ‘botworm.’ Computerworld.com dubbed the latest variant of Rinbot a botworm because a worm propagates a bot payload. Nothing new here except (I think) the term botworm.