Suggested Blog Reading – Tuesday July 31st, 2007

Only a couple of days left until I head out on vacation. Just so everyone knows I will not be able to post anything during my time off as I will be someplace that does not have Internet access (crazy I know!).

“But Andrew…how will you survive?”

Don’t cry for me readers…I’ll be fine 🙂

Here’s the list:
Preventing and Detecting Sensitive Data on P2P Networks – Interesting post.

The problem is not so straightforward. It’s a mix of company policies, perimeter and endpoint protection, data protection, and culture. Alan fails to see the problem all the way through. Sure, your NAC might prevent P2P apps from exiting the network. But what about on employees’ home networks? Many people are being issued laptops so they can work from home, on the go, etc. How is NAC going to stop P2P there? How do you stop people from installing P2P apps on their personal computers? From bringing or sending data home through email, thumb drive, CD-RW?

Chief Security Strategist @ Splunk – Looks like Raffey is heading over to Splunk. Congratulations to you Raffey. I hope everything works out well for you.

Effective immediately, I have a new employer! I am leaving ArcSight to start working for Splunk, an IT search company in San Francisco. As their Chief Security Strategist, I will be working in product management, with responsibility for all of the UI and solutions.

The work I have been doing in my past with log management and especially visualization is going to directly apply to my new job. I will be spending quite some time to help further the visual interfaces and define use-cases for log management. Exactly what I’ve been doing for the last four years already.

For the first time – 4.1.2 CAM/CAS guides in HTML – You don’t really have to read this as it’s more for my future reference 🙂

CAM Guide:
http://cisco.com/en/US/docs/security/nac/appliance/configuration_guide/412/cam/412_cam_book.html

CAS Guide:
http://cisco.com/en/US/docs/security/nac/appliance/configuration_guide/412/cas/412_cas_book.html

The Inner Structure – Good post explaining the Vista event log XML structure.

By far the largest part of an event record consists of a complex binary XML structure. I’m going to explain its internals in a series of postings. I’m starting with an overview of the XML schema.

Fortunately the XML structure is not completely undocumented. The Microsoft Developer Network provides an extensive documentation of the XML schema.
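To make the structure concrete, here is an added example (not code from the original post or from the blog it links to) that parses event records laid out as the MSDN event schema describes them (an Event element in the win/2004/08/events/event namespace with a System part and an EventData part) and runs a small detection over a handful of constructed records. The sample records, host name and addresses are all constructed; the event IDs 4625 (failed logon) and 4624 (successful logon) are the standard Security channel IDs.

```python
"""Parse Windows (Vista-style) event records rendered as XML and run a
simple detection over them.

Added example, not from the original post or the blog it links to.  The
element names and namespace follow the public MSDN event schema; all
sample records below are constructed for illustration.
"""
import xml.etree.ElementTree as ET
from collections import Counter

# Namespace used by the Windows event XML schema (System/EventData layout).
EVENT_NS = "http://schemas.microsoft.com/win/2004/08/events/event"
NS = {"e": EVENT_NS}

FAILED_LOGON = 4625   # Security channel: an account failed to log on
SUCCESS_LOGON = 4624  # Security channel: an account successfully logged on


def make_sample_event(event_id, record_id, data, named=True):
    """Build a constructed sample record in the documented XML layout.
    `data` is a list of (name, value) pairs; with named=False the <Data>
    elements carry no Name attribute, as some providers emit them."""
    if named:
        body = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data)
    else:
        body = "".join(f"<Data>{v}</Data>" for _, v in data)
    return (
        f'<Event xmlns="{EVENT_NS}">'
        "<System>"
        '<Provider Name="Microsoft-Windows-Security-Auditing"/>'
        f"<EventID>{event_id}</EventID>"
        "<Level>0</Level>"
        f'<TimeCreated SystemTime="2007-07-31T12:00:{record_id:02d}.000Z"/>'
        f"<EventRecordID>{record_id}</EventRecordID>"
        "<Channel>Security</Channel>"
        "<Computer>example-host.local</Computer>"  # constructed host name
        "</System>"
        f"<EventData>{body}</EventData>"
        "</Event>"
    )


def parse_event(xml_text):
    """Return the System fields and EventData pairs of one record as a dict."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{EVENT_NS}}}Event":
        raise ValueError("not a Windows event record")
    system = root.find("e:System", NS)
    if system is None:
        raise ValueError("record has no <System> element")

    def sys_text(tag):
        el = system.find(f"e:{tag}", NS)
        return el.text.strip() if el is not None and el.text else None

    provider = system.find("e:Provider", NS)
    created = system.find("e:TimeCreated", NS)

    data = {}
    event_data = root.find("e:EventData", NS)
    if event_data is not None:
        for i, el in enumerate(event_data.findall("e:Data", NS)):
            # Unnamed <Data> elements are positional; key them by index.
            key = el.get("Name") or f"Data{i}"
            data[key] = (el.text or "").strip()

    return {
        "event_id": int(sys_text("EventID")),
        "provider": provider.get("Name") if provider is not None else None,
        "time": created.get("SystemTime") if created is not None else None,
        "record_id": sys_text("EventRecordID"),
        "channel": sys_text("Channel"),
        "computer": sys_text("Computer"),
        "data": data,
    }


def failed_logon_sources(records, threshold=3):
    """Count failed logons (4625) per source address and return those at or
    over the threshold: a basic password-guessing detection over records."""
    counts = Counter()
    for xml_text in records:
        ev = parse_event(xml_text)
        if ev["channel"] == "Security" and ev["event_id"] == FAILED_LOGON:
            counts[ev["data"].get("IpAddress", "unknown")] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}


# Constructed sample log: three failures from one address, one from another,
# one success, and one record whose <Data> elements are unnamed.
SAMPLE_RECORDS = [
    make_sample_event(FAILED_LOGON, 1, [("TargetUserName", "jdoe"), ("IpAddress", "192.0.2.10")]),
    make_sample_event(FAILED_LOGON, 2, [("TargetUserName", "jdoe"), ("IpAddress", "192.0.2.10")]),
    make_sample_event(FAILED_LOGON, 3, [("TargetUserName", "admin"), ("IpAddress", "192.0.2.10")]),
    make_sample_event(FAILED_LOGON, 4, [("TargetUserName", "jdoe"), ("IpAddress", "192.0.2.20")]),
    make_sample_event(SUCCESS_LOGON, 5, [("TargetUserName", "jdoe"), ("IpAddress", "192.0.2.10")]),
    make_sample_event(FAILED_LOGON, 6, [("TargetUserName", "jdoe"), ("IpAddress", "192.0.2.30")], named=False),
]

if __name__ == "__main__":
    print(parse_event(SAMPLE_RECORDS[0]))
    print(failed_logon_sources(SAMPLE_RECORDS))
```

The unnamed-Data record is the edge case worth noticing: without a Name attribute the field cannot be addressed as IpAddress, so the detection counts it under "unknown"; a real pipeline would map positional fields using the provider's message template before counting.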

Black Hat speaker denied entry to the US – This same thing happened to a co-worker of mine. He has been performing professional services for Q1 Labs for a few years now and only recently has it come up that he couldn’t enter the U.S. from Canada without paperwork. Andrew’s trick when asked what he is doing in the United States is “Training”. The follow-up is always “Giving or receiving” and my answer is always “Giving”. Another option is to simply say “meetings”.

Halvar Flake, well-known speaker on reverse engineering, was denied entry into the United States this weekend for his presentation at Black Hat 2007. Halvar had given presentations at Black Hat for the last seven years, but when he tried to gain entry to the US after a 9 1/2 hour flight, he was sent back to Germany due to a mistake he made in the visa process. The chances of him getting a visa and being allowed back into the US in time for his presentation are slim to none.

Wfuzz – A Tool for Bruteforcing/Fuzzing Web Applications – Another tool to check out.

Wfuzz is a tool designed for bruteforcing Web Applications; it can be used for finding resources not linked (directories, servlets, scripts, etc.), bruteforcing GET and POST parameters for checking different kinds of injections (SQL, XSS, LDAP, etc.), bruteforcing form parameters (User/Password), fuzzing, etc.

YACoSTO, One Year Ago – Come on people…read the post 🙂

One year ago, to the day, I posted YACoSTO. I explained how I reversed a program that “protects” data. This is one of my favorite posts, but it hardly gets any hits. I encourage you to read it, because this time, I focus on reversing the protected data rather than the program itself. You might learn a couple of new and simple techniques.

Zero day IPS sigs leave a trail of crumbs for hackers – Interesting idea. I would have never thought about that. Perhaps I’m just inherently good 🙂

It’s Black Hat and the fur is going to fly this year it appears. Those two wild and crazy guys of Mac attack fame, Dave Maynor and Robert Graham of Errata Security, lead things off this year. According to this article in Dark Reading by Kelly Jackson Higgins, the former ISS guys are going to demonstrate how Black Hats can reverse engineer zero-day signatures like those used by Tipping Point to figure out where these perhaps unknown vulnerabilities exist and how to exploit them. Let’s be clear: Maynor and Graham say that this is not a Tipping Point only problem. But that is what they will be demonstrating. Could be a little payback from back in their ISS days.

Virtual Machine = Virtual Vulnerability? – Not good.

It seems that Ed Skoudis and team have come up with a way to really escape a VM and run an exploit on the host system. This is still “shaky” in terms of it’s not perfect and it’s not complete, but the potential consequences of this are pretty severe. VMs are used quite heavily today for many different things. One of the biggest being malware testing. The bad guys have already figured out a way to make that more difficult but this makes it even worse. A VM is used because it can be blown away and reloaded in a matter of minutes so if it gets hosed it’s no big deal. If the bad guys can cause the VM to crash and then exploit the host machine then that puts AV research in a bit of a bind. VMs are also used by companies to save space, hardware and time. Lots of security software runs on VMs and this has the potential to put all of that at risk.

F-Secure Reverse Engineering Challenge 2007 – Damn, bad timing. I wish this was happening in a few weeks instead.

Be ready to compete in the F-Secure Reverse Engineering Challenge (http://www.khallenge.com) this Friday. I expected the challenge to start on Thursday like last year, so now I have a scheduling conflict!

It looks like the challenge is organized like last year: go to the website and download the first challenge. Start the program, and provide the correct password (this is where reversing skills come in handy). You’ll be given an e-mail address in exchange for the correct password (a wrong password yields no e-mail address).
