Suggested Blog Reading – Thursday August 2nd, 2007

I can’t believe it’s August already. This year is just flying by. I think I’ve tentatively decided to try and get to Black Hat next year so I may have to start tucking away money now for airfare. That might be a challenge because it’s also my 5 year anniversary next year. Think my wife would let me combine the two trips? 🙂

Here’s the list:
The Beginning of a Windows Pentest Encounter – Thanks to LonerVamp for pointing this one out.

Here is a quick paper (notes) about pen-testing a Windows Active Directory network. While I do know this paper covers only the lowest-hanging fruit, it seems that all too often, these lowest-hanging fruit are the most common fruit found in the wild.

Insider Threat and Cowboys: The Wall Street Journal Tells Your Personnel How To Get Around Your Security – I hope organizations treat this as a “wake-up call”.

Oh, boy, reading this Wall Street Journal story, “Ten Things Your IT Department Won’t Tell You” brought back some memories of personnel who went to great lengths to get around security requirements!

All the networking you could need: Netcat – Good cheat sheet for NetCat commands.

So my SANS course this past week culminated today with a nice game of capture the flag. While not Defcon caliber, it ended up being quite a lot of fun, especially for a game that could only last six hours, and did a fantastic job of bringing the course together. We learned a lot of tools during the class and playing scenario-based CTF brought it all together as many of them were used during the game. Mostly we focused on the old favorites: NMap, Nessus, John the Ripper; the kind of tools that have been around forever, and for good reason.

We focused mainly on another tool, one I’d known but used little. Called the “network swiss-army knife,” Netcat proved, as we were promised by Ed, the most useful tool of the whole course. Netcat does just about everything. Yes, I know, if you’ve been in networking or security for any amount of time you’re asking how I’d missed that; I hadn’t, but practical use is something else. There’s no doubt it’s one of the most useful tools a network admin, security engineer, or hacker could ever want. So just for general consumption, and for myself, I’m posting the cheat sheet I used during our class CTF competition (my team came in 3rd of around 50 in case you were wondering) just to get any other Netcat neophytes started and possibly remind some old hands of some fun tricks.
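The cheat sheet itself is linked rather than reproduced here, so as an added example (mine, not the cheat sheet’s or the CTF write-up’s) here are three of the everyday Netcat moves rebuilt on plain sockets in Python, so they can be run and stepped through even on a box without nc: a one-shot listener (nc -l -p PORT), a sender that pushes bytes and half-closes so the listener sees EOF (nc HOST PORT < file), and a TCP connect scan (nc -z -v HOST PORTS). Everything stays on loopback and the OS picks the port numbers, so no host or port in the code is assumed to exist anywhere else; the payload is constructed.

```python
"""
Netcat's three everyday moves, done with plain sockets so they run without nc.
Added example (not the linked cheat sheet or the CTF write-up); loopback only,
and the OS chooses the ports, so nothing here assumes a particular host or port.

  nc_listen  ~ nc -l -p PORT        (catch one connection, keep what arrives)
  nc_send    ~ nc HOST PORT < file  (connect, push bytes, half-close so the peer sees EOF)
  nc_scan    ~ nc -z -v HOST PORTS  (TCP connect scan: which ports complete a handshake)
"""
import socket
import threading


def nc_listen(host="127.0.0.1", port=0, timeout=5.0):
    """Bind and serve exactly one connection in a background thread.

    Returns (bound_port, result, thread). The thread fills `result`:
    result["data"] is everything the peer sent before closing its write side,
    result["peer"] is the (ip, port) it came from. port=0 lets the OS choose.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, port))
    srv.listen(1)
    srv.settimeout(timeout)              # don't hang forever if nobody connects
    bound_port = srv.getsockname()[1]    # read before the thread can close the socket
    result = {}

    def serve():
        try:
            conn, peer = srv.accept()
        except socket.timeout:
            result["error"] = "no connection before timeout"
            return
        finally:
            srv.close()                  # one-shot listener, like nc without -k
        with conn:
            conn.settimeout(timeout)
            chunks = []
            while True:
                buf = conn.recv(4096)
                if not buf:              # peer half-closed: EOF, transfer complete
                    break
                chunks.append(buf)
            result["peer"] = peer
            result["data"] = b"".join(chunks)

    t = threading.Thread(target=serve, daemon=True)
    t.start()
    return bound_port, result, t


def nc_send(host, port, payload, timeout=5.0):
    """Connect, push the bytes, then shut down the write side so the listener sees EOF."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(payload)
        s.shutdown(socket.SHUT_WR)
    return len(payload)


def nc_scan(host, ports, timeout=0.5):
    """Connect scan: return the ports on which a TCP handshake completed."""
    found = []
    for p in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            if s.connect_ex((host, p)) == 0:
                found.append(p)
    return found


def transfer_demo(payload=b"constructed sample: contents of loot.txt\n"):
    """Listener and sender in one process; returns what the listener captured."""
    port, result, t = nc_listen()
    nc_send("127.0.0.1", port, payload)
    t.join(5.0)
    return result.get("data")


def scan_demo():
    """Scan one port known to be listening and one known to be closed.

    The open port is a bare listening socket: the kernel completes the handshake
    even though nothing calls accept(). The closed port is obtained by binding a
    second socket to port 0 (so it cannot collide with the open one), reading
    the number and closing it. Returns (open_port, closed_port, ports_reported_open).
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as probe:
        probe.bind(("127.0.0.1", 0))
        probe.listen(1)
        open_port = probe.getsockname()[1]
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as tmp:
            tmp.bind(("127.0.0.1", 0))
            closed_port = tmp.getsockname()[1]
        reported = nc_scan("127.0.0.1", [closed_port, open_port])
    return open_port, closed_port, reported


if __name__ == "__main__":
    data = transfer_demo()
    print("listener received %d bytes: %r" % (len(data), data))
    o, c, reported = scan_demo()
    print("scan of %d (open) and %d (closed) reported open: %s" % (o, c, reported))
```

The half-close in nc_send is the detail that trips people up with real nc as well: without it (or the equivalent -q 0 / -N option, depending on the nc flavour) the listener never sees EOF and a file transfer appears to hang at the end.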

Security Freak Video Lectures – Hacking, Programming, Networking & More – Yay videos!!!!

A while back a reader e-mailed us about a new site they have called Security Freak. The site is about information security education and mostly uses video lectures to illustrate and convey the lessons. It is an attempt to lower the entry barrier for starting computer security research. The author has noticed during his interactions with security enthusiasts in general and students in particular that many lose interest because of the lack of organized learning resources in this area.

The admissibility vs. weight of digital evidence – Interesting post about a topic that I don’t regularly get to think about.

There is always a lot of conversation about when digital evidence is and is not admissible. Questions like “are proxy logs admissible?” and “what tools generate admissible evidence?” are focused on the concept of evidence admissibility. Some of the responses to these questions are correct, and some not really correct. I think the underlying issues (at least from what I’ve observed) with the incorrect answers stem from a confusion of two similar yet distinct legal concepts: evidence admissibility and the weight of evidence.

s/regex/English/g – I agree with Lori on this. Especially in my line of work there is a need for strong regular expression knowledge when dealing with operating system, application, and device logs.

So if you’re a developer and find yourself in need of a good tutorial, i.e. one that doesn’t tersely indicate you should RTFM(an page), check out this blog post by I’m Mike, appropriately titled “The absolute bare minimum every programmer should know about regular expressions”. Mike also has some more detailed posts about regular expressions and all are a great place to start digging into the craziness that is regex.

When you’ve finished reading, if you want to play around with some regular expressions – cause practice makes perfect – check out Regex Designer, a nice little app that not only evaluates regular expressions but lets you visually see how the matches are made. It’s a great tool for learning regular expressions as well as fleshing out more complex expressions before trying them out in a live application. This one is great for beginners or experts.
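Since the reason I care about regex is log work, here is an added example of my own (not from Mike’s tutorial or Regex Designer) that pulls sshd authentication events out of syslog-style lines with an anchored, named-group pattern and counts failed logins per source address. The log lines are constructed for the example; the message shapes follow the usual OpenSSH “Failed password for … from … port … ssh2” wording, which is an assumption about the target logs rather than something this page states. The NAIVE pattern is kept alongside on purpose: it is the kind of first attempt that looks fine until an “invalid user” line turns the greedy .* into the username.

```python
"""
Regex-driven log triage: sshd auth events from syslog-style lines.
Added example; SAMPLE_LOG is constructed, not taken from any real host.
"""
import re
from collections import Counter

SAMPLE_LOG = """\
Aug  2 10:14:02 bastion sshd[4121]: Failed password for invalid user admin from 198.51.100.23 port 51022 ssh2
Aug  2 10:14:05 bastion sshd[4121]: Failed password for invalid user admin from 198.51.100.23 port 51030 ssh2
Aug  2 10:14:09 bastion sshd[4125]: Failed password for root from 198.51.100.23 port 51041 ssh2
Aug  2 10:15:44 bastion sshd[4130]: Accepted publickey for deploy from 203.0.113.7 port 40022 ssh2
Aug  2 10:16:01 bastion sshd[4133]: Failed password for alice from 203.0.113.7 port 40031 ssh2
Aug  2 10:16:03 bastion CRON[4140]: (root) CMD (run-parts /etc/cron.hourly)
"""

# Anchored at both ends and built from narrow pieces, so a line either parses
# completely or not at all:
#   - "(?:invalid user )?" keeps the optional prefix out of the user name
#   - the user name is [^ ]+ rather than .*, so the match cannot run past "from"
#   - the address must be a dotted quad; anything else fails loudly instead of
#     silently producing a wrong "ip" field
SSHD_AUTH = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) sshd\[(?P<pid>\d+)\]: "
    r"(?P<result>Failed|Accepted) (?P<method>password|publickey) for "
    r"(?:(?P<invalid>invalid user) )?(?P<user>[^ ]+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port (?P<port>\d+) ssh2$"
)

# The usual first attempt, kept to show the bug: .* is greedy, so on an
# "invalid user admin" line the captured user is "invalid user admin".
NAIVE = re.compile(r"Failed password for (?P<user>.*) from (?P<ip>\S+)")


def parse_sshd(line):
    """Return the named groups for an sshd auth line, or None if it is not one."""
    m = SSHD_AUTH.match(line)
    return m.groupdict() if m else None


def naive_user(line):
    """What the greedy pattern thinks the user name is."""
    m = NAIVE.search(line)
    return m.group("user") if m else None


def failed_logins_by_ip(log_text):
    """Count failed authentications per source address."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_sshd(line)
        if rec and rec["result"] == "Failed":
            counts[rec["ip"]] += 1
    return counts


def brute_force_sources(log_text, threshold=3):
    """Addresses with at least `threshold` failures in the given text."""
    return sorted(ip for ip, n in failed_logins_by_ip(log_text).items() if n >= threshold)


if __name__ == "__main__":
    first = SAMPLE_LOG.splitlines()[0]
    print("strict user :", parse_sshd(first)["user"])
    print("naive user  :", naive_user(first))
    print("failures    :", dict(failed_logins_by_ip(SAMPLE_LOG)))
    print("brute force :", brute_force_sources(SAMPLE_LOG))
```

The threshold and the fixed window (here simply “the whole text”) are the knobs you would tune against real volume; the point of the example is the pattern discipline, which is what Regex Designer is good for trying out before a pattern goes anywhere near a live log pipeline.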

Upcoming Workshop on Windows Memory Analysis – If you find yourself in Deutschland you may want to check this out.

I’m excited to announce that I will hold a workshop on Windows Memory Analysis on Thursday September 13, 2007 at the IMF Conference in Stuttgart, Germany.

The workshop most likely will be themed around the detection of a trojan horse and a rootkit. During the 90 minutes I will demonstrate the usage of the Microsoft Debugger and some open-source tools.

Worm vs Thief: Take Your Pick – Wow. I would have loved to have been a fly on the wall during that conversation.

At a recent security conference (as many mentioned, presentations are not even half the value of such events!), I had this eye-opening chat with a guy who manages security at a large “natural resource extraction” company (to avoid specifics …). The conversation moved towards “data security” vs “IT infrastructure security,” which I always thought to be a somewhat artificial distinction (they are kinda the same since the sole purpose of IT infrastructure is to process and move data around). However, for this guy the difference was very real; in fact, he said: “I’d rather have all my critical systems fall to a worm than have the details of my mining process stolen and possibly disclosed! We will go out of business the next year.” I argued that surely his company has more assets and “crown jewels” than that, but he explained that there are key pieces that, if purposefully stolen, will cause the worst case scenario to manifest …

Project Lasso 4 Released – Collecting logs from a Windows box is a disgusting endeavor that usually leaves you feeling dirty and shamed. Tools like Lasso help you feel that much cleaner when you’re done 🙂

Project Lasso collects all log data from Windows hosts without the need for any agents or code installed on the remote system – this speeds up deployment and reduces administration, leading to a much higher ROI. Windows DLL files contain critical information relating to the log messages themselves.
