Month: August 2007

ChicagoCon 2007 is Fast Approaching

Unfortunately I’m not able to attend this event but if you’re in the area I encourage you to drop by:

ChicagoCon combines a professional security conference, certification training and a hacker con into a single, unique event. Not just another bootcamp, ChicagoCon adds value to your training dollars by providing top instructors, recognized certifications, keynotes, evening presentations, hacking demos, gift bags with t-shirts, an EH-Net version of BackTrack with Metasploit 3 and packaged as a VMware Virtual Appliance & much more. 11 courses with exams on site including CISSP, CEH, CHFI, Expert Pen Testing, Web App Hacking, Cisco (CCNA & SNPA), SOX/COBIT, Security+, Linux+, and PMP. From the novice, to the ultimate techie, to the CISO chair… everyone interested in a career in security will find something at ChicagoCon, your one-stop shop for security training and certification. Keynotes: John C. Dvorak, Steve Hunt, Lance Spitzner, Symantec, and Doug Steelman of the DoD.

More information can be found here: http://www.chicagocon.com/

Open Integration Services Positions at Q1 Labs

As many of you know I am happily employed by Q1 Labs Inc., managing a team of software developers who are responsible for integrating 3rd party event and vulnerability data into Q1 Labs QRadar.

Due to recent growth, I am now looking for developers to join our Integration Services team. As a member of the Q1 Labs Integration Services Team, you would be responsible for the integration of third-party events and vulnerability data into Q1 Labs’ flagship network security management solution, QRadar. As a qualified candidate, you must be able to:

  • Research the logging/messaging capability of log sources and determine the best method for integrating them
  • Collect, analyze, and classify sample log messages and create methods for parsing them
  • Work with internal groups to design, implement, test, and document device support, including processing, alerting, and reporting capabilities
  • Work well independently and within a team; especially cross-functional teams in a fast-paced environment

In addition to the above skills, you must also possess:

  • Development experience in Java and/or C++
  • Solid understanding of networking protocols and principles
  • Experience with UNIX/Linux operating systems including system administration
  • Scripting experience using a dynamic language such as Perl and/or Python (additional scripting language knowledge a plus)
  • Good unit and integration testing experience
  • Exceptional problem-solving expertise and attention to detail
  • Strong oral and written communication skills
  • Experience with development and release practices for a commercial product
  • Self-driven quick learner with attention to detail and quality

Additional skills that will help you succeed in this role are:

  • Development experience with relational databases
  • Knowledge of security best practices and methodologies
  • Experience in security log analysis, application log analysis, and general log management best practices
  • Knowledge of log transport protocols

Since this position is located in Fredericton, New Brunswick, Canada, relocation assistance and visa sponsorship are available. So if you are interested, or know of anyone who would be, please email a resume to andrewsmhay@gmail.com with a description of why you feel you would excel at this position.

Suggested Blog Reading – Thursday August 2nd, 2007

I can’t believe it’s August already. This year is just flying by. I think I’ve tentatively decided to try and get to Black Hat next year so I may have to start tucking away money now for airfare. That might be a challenge because it’s also my 5 year anniversary next year. Think my wife would let me combine the two trips? 🙂

Here’s the list:

The Beginning of a Windows Pentest Encounter – Thanks to LonerVamp for pointing this one out.

Here is a quick paper (notes) about pen-testing a Windows Active Directory network. While I do know this paper covers only the lowest-hanging fruit, it seems that all too often, these lowest-hanging fruit are the most common fruit found in the wild.

Insider Threat and Cowboys: The Wall Street Journal Tells Your Personnel How To Get Around Your Security – I hope organizations treat this as a “wakeup call”

Oh, boy, reading this Wall Street Journal story, “Ten Things Your IT Department Won’t Tell You” brought back some memories of personnel who went to great lengths to get around security requirements!

All the networking you could need: Netcat – Good cheat sheet for NetCat commands.

So my SANS course this past week culminated today with a nice game of capture the flag. While not Defcon caliber it ended up being quite a lot of fun, especially for a game that only could last six hours, and did a fantastic job of bringing the course together. We learned a lot of tools during the class and playing a scenario-based CTF brought it all together as many of them were used during the game. Mostly we focused on the old favorites: NMap, Nessus, John the Ripper; the kinda tools that have been around forever, and for good reason.

We focused mainly on another tool, one I’d known but used little. Called the “network swiss-army knife” Netcat proved, as we were promised by Ed, the most useful tool of the whole course. Netcat does just about everything. Yes, I know, if you’ve been in networking or security for any amount of time you’re asking how I’d missed that; I hadn’t, but practical use is something else. There’s no doubt it’s one of the most useful tools a network admin, security engineer, or hacker could ever want. So just for general consumption, and for myself, I’m posting the cheat sheet I used during our class CTF competition (my team came in 3rd of around 50 in case you were wondering) just to get any other Netcat neophytes started and possibly remind some old hands of some fun tricks.

Security Freak Video Lectures – Hacking, Programming, Networking & More – Yay videos!!!!

A while back a reader e-mailed us about a new site they have called Security Freak. The site is about information security education and mostly uses video lectures to illustrate and convey the lessons.

Security-Freak.net is an attempt to lower the entry barrier for starting computer security research. The author has noticed that, during his interactions with security enthusiasts in general and students in particular, many lose interest because of the lack of organized learning resources in this area.

The admissibility vs. weight of digital evidence – Interesting post about a topic that I don’t regularly get to think about.

There is always a lot of conversation about when digital evidence is and is not admissible. Questions like “are proxy logs admissible?” and “what tools generate admissible evidence?” are focused on the concept of evidence admissibility. Some of the responses to these questions are correct, and some not really correct. I think the underlying issues (at least from what I’ve observed) with the incorrect answers stem from a confusion of two similar yet distinct legal concepts: evidence admissibility and the weight of evidence.

s/regex/English/g – I agree with Lori on this. Especially in my line of work there is a need for strong regular expression knowledge when dealing with operating system, application, and device logs.

So if you’re a developer and find yourself in need of a good tutorial, i.e. one that doesn’t tersely indicate you should RTFM(an page), check out this blog post by I’m Mike, appropriately titled “The absolute bare minimum every programmer should know about regular expressions”. Mike also has some more detailed posts about regular expressions and all are a great place to start digging into the craziness that is regex.

When you’ve finished reading if you want to play around with some regular expressions – cause practice makes perfect – check out Regex Designer, a nice little app that not only evaluates regular expressions but lets you visually see how the matches are made. It’s a great tool for learning regular expressions as well as fleshing out more complex expressions before trying it out in a live application. This one is great for beginners or experts.
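To make the log-parsing point concrete, here is an added example that is not part of the original post, nor Q1 Labs’ or QRadar’s device-support code: a small Python parser of the kind the Integration Services work above calls for (collect sample messages, classify them, parse the fields out). The syslog lines, hostnames and addresses are constructed for the example, and the event categories (auth.failure, firewall.deny, and so on) are my own naming, not a QRadar taxonomy. It splits the common syslog header off first, then applies per-program named-group regexes, and keeps lines it cannot parse instead of silently dropping them, which is the failure mode that bites when a new device firmware changes its message format.

```python
import re
from collections import Counter

# Constructed sample log lines for the example (not captured from any real system).
SAMPLE_LOGS = [
    "Aug  2 10:15:01 bastion sshd[2231]: Failed password for invalid user admin from 203.0.113.7 port 51012 ssh2",
    "Aug  2 10:15:03 bastion sshd[2231]: Failed password for root from 203.0.113.7 port 51014 ssh2",
    "Aug  2 10:15:09 bastion sshd[2240]: Accepted publickey for deploy from 198.51.100.23 port 40122 ssh2",
    "Aug  2 10:16:44 fw01 kernel: IPTABLES-DROP IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=51020 DPT=23",
    "Aug  2 10:17:00 bastion CRON[2300]: (root) CMD (run-parts /etc/cron.hourly)",
    "### not a syslog line at all ###",
]

# Classic BSD syslog header: "Mon dd HH:MM:SS host program[pid]: message".
# The pid is optional (kernel messages have none), so it sits in a non-capturing group.
SYSLOG_HEADER = re.compile(
    r"^(?P<timestamp>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<program>[^\[:]+)(?:\[(?P<pid>\d+)\])?: "
    r"(?P<message>.*)$"
)

# (program, message pattern, category). Patterns are tried in order per program;
# the "invalid user" prefix is optional so both sshd failure variants map to one category.
MESSAGE_PATTERNS = [
    ("sshd",
     re.compile(r"^Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src_ip>\S+) port (?P<src_port>\d+)"),
     "auth.failure"),
    ("sshd",
     re.compile(r"^Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<src_ip>\S+) port (?P<src_port>\d+)"),
     "auth.success"),
    ("kernel",
     re.compile(r"IPTABLES-DROP .*SRC=(?P<src_ip>\S+) DST=(?P<dst_ip>\S+) PROTO=(?P<proto>\w+) "
                r"SPT=(?P<src_port>\d+) DPT=(?P<dst_port>\d+)"),
     "firewall.deny"),
]


def parse_line(line):
    """Return a dict of extracted fields plus a 'category'.

    Lines without a syslog header are kept as category 'unparsed' with the raw text,
    so a format change on the device shows up as a count rather than as missing events.
    Lines with a header but no matching message pattern are 'unknown'.
    """
    m = SYSLOG_HEADER.match(line)
    if not m:
        return {"category": "unparsed", "raw": line}
    event = m.groupdict()
    event["category"] = "unknown"
    for program, pattern, category in MESSAGE_PATTERNS:
        if event["program"] != program:
            continue
        mm = pattern.search(event["message"])
        if mm:
            event.update(mm.groupdict())
            event["category"] = category
            break
    return event


def parse_all(lines):
    return [parse_line(line) for line in lines]


def failures_by_source(events):
    """Count authentication failures per source address, the first thing a
    brute-force rule would key on."""
    return Counter(e["src_ip"] for e in events if e["category"] == "auth.failure")


if __name__ == "__main__":
    events = parse_all(SAMPLE_LOGS)
    for e in events:
        print(e["category"], {k: v for k, v in e.items() if k not in ("category", "message", "raw")})
    print("auth failures by source:", dict(failures_by_source(events)))
    print("unparsed lines:", sum(1 for e in events if e["category"] == "unparsed"))
```

Two habits from this are worth carrying into real device support: anchor message patterns (`^`) wherever the vendor format allows, so a user-controlled field such as a username containing the word "Accepted" cannot shift a failure into the success bucket; and track the unparsed and unknown counts per log source, since a jump in either after a device upgrade is usually the first sign that the parser is now blind to part of the feed.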

Upcoming Workshop on Windows Memory Analysis – If you find yourself in Deutschland you may want to check this out.

I’m excited to announce that I will hold a workshop on Windows Memory Analysis on Thursday September 13, 2007 at the IMF Conference in Stuttgart, Germany.

The workshop most likely will be themed around the detection of a trojan horse and a rootkit. During the 90 minutes I will demonstrate the usage of the Microsoft Debugger and some open-source tools.

Worm vs Thief: Take Your Pick – Wow. I would have loved to have been a fly on the wall during that conversation.

At a recent security conference (as many mentioned, presentations are not even half the value of such events!), I had this eye-opening chat with a guy who manages security at a large “natural resource extraction” company (to avoid specifics …). The conversation moved towards “data security” vs “IT infrastructure security,” which I always thought to be a somewhat artificial distinction (they are kinda the same since the sole purpose of IT infrastructure is to process and move data around). However, for this guy the difference was very real; in fact, he said: “I’d rather have all my critical systems fall to a worm than have the details of my mining process stolen and possibly disclosed! We will go out of business the next year.” I argued that surely his company has more assets and “crown jewels” than that, but he explained that there are key pieces that, if purposefully stolen, will cause the worst case scenario to manifest …

Project Lasso 4 Released – Collecting logs from a Windows box is a disgusting endeavor that usually leaves you feeling dirty and shamed. Tools like Lasso help you feel that much cleaner when you’re done 🙂

Project Lasso collects all log data from Windows hosts without the need for any agents or code installed on the remote system – this speeds up deployment and reduces administration, leading to a much higher ROI. Windows DLL files contain critical information relating to the log messages themselves.
