Well my wife is heading to New York with work for 3 months so I guess I’ll have lots of time to read and blog. One of the downsides to her leaving for the next 3 months is that I won’t have a chance to head to a major city to sit for my CISSP exam until the fall. Perhaps this is a good thing as now I can enjoy my spring/summer and work on my horrible golf score 🙂
Here’s today’s list:
Vulnerabilities Are Not Marketing Fodder – I don’t agree with TippingPoint holding out but the funding for the prize had to come from somewhere…
I was a huge fan of the hack a mac (pwn to own) contest at CanSecWest last week. But I was only a fan because I, like many of us, wanted to see a point proven to the Apple Macintosh users that they suffer from the same security concerns that the rest of us do. I think that point has been proven.
U.S. Army team wants second chance at hacker contest – We’ll do better this time…..we promise…no foolin’
A team of U.S. Army hackers will attend the Hack In The Box (HITB) Security Conference 2007 in Kuala Lumpur later this year, seeking redemption after falling short at a hacker competition in Dubai earlier this month, the conference organizer said Tuesday.
Techm4sters Releases ProTech Security Distribution – I’ll have to check this out.
Is this like Nubuntu? It is similar, yes! But we wanted something friendlier to the end-user and so we tried a different approach and tested new tools. You’ll see that there are many differences amongst them. Many ideas have been taken from NUbuntu as well as other security distributions to try to make the most complete, reliable and easiest tool for your use. I hope you can appreciate our work.
XSS Attacks book – Congrats on the book Jeremiah! Hopefully he’ll let me review it 🙂
At long last, we put the finishing touches on our new book (XSS Attacks), the cover art, and sample chapter (including ToC). It’ll be sent to the printers May 5 and shipped a few days after. Woohoo!
Russinovich: Malware will thrive, even with Vista’s UAC – Wait…you mean a shiny new product won’t solve all of my problems?
Despite all the anti-malware roadblocks built into Windows Vista, a senior Microsoft official is lowering the security expectations, warning that viruses, password-stealing Trojans and rootkits will continue to thrive as malware authors adapt to the new operating system.
Follow the Bouncing Malware: Day of the Jackal – Funny story or scary story? You be the judge.
Otte Normalverbraucher leaned back in his chair, stretched and yawned. It was nearing midnight, and now that he stopped to think about it, he realized that he was going to be very tired when his alarm clock went off in the morning.
SMTP Authentication Update – You can invent all the technologies in the world, but unless people use them they’re useless (remember Betamax?)
Opinion: It’s about 2 and a half years since the standards bodies threw up their hands and left SMTP authentication to the industry. Implementation progress has been slow but positive. And there have been some surprises.
I apologize for not having any weekend updates, but the weather was far too nice to sit at my computer. Going forward I will probably not have an update on Saturday and may only post one on Sunday if there is some good quality news that can’t wait for Monday. Here is the list for today (including some from Saturday and Sunday):
Nirbot’s been a huge source of another set of attacks we’ve been tracking in the past few months, as well, the Symantec AV realtime VirusScan attack on TCP ports 2967 and 2968. Given that Nirbot’s involved in that, we would expect to see a similar drop in attack activity at about the same time and, sure enough, we do.
Apple Safari 0Day Demonstrated
According to the contest rules the OSX box was fully patched and the exploit had to require no user intervention. This first attack “owned” the OSX box with user privileges but under the contest rules that was all the exploit had to do. The second OSX box is still up for grabs and for that one a new exploit has to be used and the flaw must lead to a root level compromise.
LLTD – Link Layer Topology Discovery Protocol
Gomor released an LLTD (Link Layer Topology Discovery Protocol) implementation written in Perl (using the Net::Frame framework).
It was a great week in Vancouver, Canada. It began with some really good instructional classes that the CanSecWest guys call Dojo Sessions then moved into some excellent and not so excellent presentations. Here is my breakdown of each day and what talks I thought were the best, the worst and why.
In a previous comment, Tim Newsham mentions reverse engineering an application by running it in a VM. As it so happened, I gave a talk on building and breaking systems using VMs a couple years ago. One very nice approach is ReVirt, which records the state of a VM, allowing debugging to go forwards or backwards. That is, you can actually rewind past interrupts, IO, and other system events to examine the state of the software at any arbitrary point. Obviously, this would be great for reverse engineering though, as Tim points out, there haven’t been many public instances of people doing this. (If there have, can you please point them out to me?)
Yesterday while I was helping Jeremiah with his forced basic auth cookie testing he asked a good question, which is how you can better de-anonymize users through alternative methods. Some of the initial thoughts he had wouldn’t work, but the first thing that popped into my head was FTP and Gopher. Using out-of-band methods to make TCP or UDP connections to a monitoring site are easy ways to correlate users (compared with time).
My initial idea is to have all my blog posts regarding usages of network security tools included and packaged into the book, but I realize that this won’t make it a good book for a Network Security Analyst. I have had more thoughts about the book lately, hence I can’t have it shipped sooner. There are four primary sections for the book which I think are very important for network security analyst wannabes
Ever wondered whether Blue Pill really works or was just a PR stunt? Ever wanted to see how practical various timing attacks against it are? (And whether even those “impractical” ones can be cheated?) Or how many Blue Pills inside each other you can run and still be able to play your favorite 3D game smoothly? Or how deep Alex can hook into Windows NDIS to bypass your personal firewall? Do you want to see Patch Guard from a “bird’s eye view” perspective? Or do you simply want to find out how well the latest Vista x64 kernel is protected? Ever wondered how rootkits like Deepdoor and Firewalk really worked? You can’t sleep, because you’re constantly thinking about how Blue Pill-like malware can be prevented? Does Northbridge hacking sound sexy to you? 🙂
David Naylor (a semi-reformed SEO Blackhat) has an interesting writeup on how to stop badly behaving robots from spidering your site. I would hardly call this technique new (I’ve seen these scripts in one form or another for nearly a decade). However, it’s a good primer for anyone who runs a big website and who is otherwise powerless to stop people from doing it.
What I learned a few weeks ago: HTTP request smuggling
Recently I saw an HTTP Request Smuggling alert fly past my IPS. It turned out to be a false positive, but led me down the path of figuring out what that attack actually was. This was one of the bigger things I learned that week. Coincidentally, almost that same day, I browsed backlog quiz questions from Palisade and came across one about HTTP Request Smuggling. Whoa!
PCI: Is Compliance Really the Goal?
I think that really is the goal for larger merchants, but I’m not so sure about the smaller ones. I can’t help thinking that for a smaller merchant, the cost of compliance would often exceed the cost of simply outsourcing the card processing such that PCI no longer applies. To be fair, I haven’t done the serious research to determine whether that’s true, but given the implementation timelines referenced in the article, it seems plausible. It’s also possible that there aren’t outsourcing services that really meet the needs of smaller merchants.
In my first post I detailed the choices that led me from my original plan of being a history teacher, to dropping out of my computer science program, to starting my first help desk job. In my second post I mentioned how I climbed from my first help desk job, to working at Nortel, and the subsequent layoff that followed.
Unemployment sucked.
Nothing makes you feel as horrible as being laid off from a job. You end up blaming the company at first and then you turn the anger on yourself. At the time of my layoff, the job market in Ottawa was horrible so I had plenty of time to think all of this over as my house was being built. My soon-to-be wife and I lived with my parents for 3 months and her parents for 3 months as we gave up our apartment to save money during construction.
During this time I must have applied to at least 500 different jobs in various locations in Canada, the United States, Europe, and Australia. No one wanted me. The problem with being laid off by Nortel is that, typically, you’re not the only person. In fact I was one of a few thousand people laid off, all looking for the same (any) job.
While at my soon-to-be in-laws’ I received a call from a company who was contracted, by Nokia, to find some people to work front line firewall and network support. I jumped at the opportunity and within a week I was working as a contractor at Nokia. Since I had very little security experience there was a steep learning curve, but Nokia provided exceptional training for Nokia IPSO (the routing platform), Nokia IP Series appliances (their hardware), and Check Point VPN-1/Firewall-1 (the bundled firewall package).
While working at Nokia I made a point of learning everything I could about the products I supported. I also ensured that I obtained the certifications for the training I received in order to make myself stand out from the rest of my coworkers. Within 8 months, a record at the time I might add, I was hired full time by Nokia. Even though I was hired into the job I made sure not to stop learning. I felt my routing and switching knowledge was weak so I paid, out of pocket, for a CCNA prep-course, and the subsequent exam. Customers were calling in having problems with their Cisco to Check Point VPNs, so I bought some books on Cisco PIX and Cisco VPN Concentrators and learned how to troubleshoot VPN related issues.
By this time I was hooked on security. At first I tried to read as much as I could on security topics to make me better at my job. The more I read the more I realized that I was genuinely interested in all facets of security, even those that didn’t relate directly to my current role. I started teaching a CompTIA Security+ prep-course, based on my own course content, through a local business to give back to the community. The funny thing was that most of my students were current Taima, now Convergys, employees looking to get ahead just as I had done.
I also started doing some consulting on the side for Cisco and Check Point issues. This helped me learn quite a bit about working with government organizations and subcontracting through other, larger consultancy firms. In 2004, after speaking with two friends at Nokia, we decided to form a business to help add credibility to our consulting engagements and help limit the taxes that could be taken from us. This is how Koteas Corporation was formed. Even though we didn’t, and still don’t, perform a large volume of work due to our full-time jobs, our customers have returned to us when they need help or advice.
At this time in my life I was looking for change. Nokia had become stagnant and there was little room for career advancement. Koteas Corporation didn’t have enough volume to support a full-time employee. I... was in a rut.
In February of 2005 I received a call from a recruiter in Fredericton, New Brunswick. A start-up called Q1 Labs was looking for a 3rd level support person to help support their network security management product, QRadar. They offered to fly me down for an interview to see if I was a fit for the organization. I spoke it over with my wife and agreed to come down for an interview. The interview process was grueling. I was there for 8 hours and met with the heads of every department (Support, Engineering, and QA), the CTO, the CTA, and the VP of Engineering. I had never worked for a startup before, but every person I talked to was so excited about the product and their jobs. This was quite a switch for me coming from such large multi-national corporations as Nortel and Nokia. I was instantly hooked and wanted to work there. After a couple of follow-up phone interviews with the COO and the CEO I received my package in the mail. My manager at Nokia was happy for me and understood why I wanted a change, so we parted on very good terms and still keep in touch to this day.
When I arrived at Q1 I started working immediately. Not only was I supporting our customers but I was also supporting evaluation customers and our Sales Engineers in the field. I also had the opportunity to travel to customer sites to provide installation, configuration, and training services. During this time I wanted to make sure I kept learning so I invested in the SANS Intrusion Detection In-Depth self-study and the GCIA Incident Handling certification. This course was one of the best courses I’ve ever taken and taught me so much about packet analysis and intrusion detection. While in support I also had the opportunity to go to a Building Scalable Cisco Internetworks class which taught me quite a bit about high level routing.
In 2006 I became the primary trainer for QRadar. I loved going from site to site providing the week-long training course on our product. Also, because of my past experiences at Nokia and Koteas, I was able to relate sections of the course to customer needs and situations. At this time I also decided to pay for another SANS course. This time I took the Hacker Techniques, Exploits & Incident Handling course and the subsequent GCIA Incident Handler certification (GCIH). Upon completion of my exam I received an email inviting me to join the SANS institute as a Stay Sharp trainer and Local Mentor for my area based on the score I achieved on the exam. I happily accepted!
In late 2006 I was rewarded with a promotion to lead a team of software developers whose main responsibility was integrating 3rd party event and vulnerability data into QRadar. Ironic isn’t it? The guy who dropped out of college because he didn’t like programming was now leading a team of software developers.
The story doesn’t end here as I am still happily working for Q1 Labs, still leading the same team (loving it!), still working on expanding Koteas, starting to be a technical reviewer for security related publications, starting to work more with the SANS institute, still studying and learning all I can, contributing back to the security community in forums and articles, blogging (of course you knew that already), starting to present at conferences, and starting to get my name recognized in the security industry. I hope you have enjoyed this three part series and if you have any questions/comments/concerns or just want to drop a note then please feel free to email me at andrewsmhay [at] gmail.com.
Thanks for reading!