Thursday, July 15, 2010

Why You Should Write Down Your Passwords

Common wisdom over the last couple of decades has been to never write down the passwords you use for accessing networked services. But is now the time to begin writing them down? Threats are constantly evolving and perhaps it’s time to revisit one of the longest standing idioms of security – “never write a password down”. - Gunter Ollmann

What to do with passwords once you create them

Cryptography expert Bruce Schneier used to write his passwords down on a slip of paper and keep it in his wallet. Today, he uses a free Windows password-storage tool called Password Safe that he designed five years ago and released into the open-source community. -Elinor Mills, CNET

The Rise of the Rogue AV Testers

Recently, I was sitting around with a number of colleagues from Kaspersky Lab, discussing everybody’s favorite subject: the state of anti-virus testing these days. During the talks, somebody brought up the name of a new, obscure testing organization in the Far East. Nobody else had ever heard of them and so my colleague Aleks Gostev jokingly called them a “rogue Andreas Marx.” -Costin Raiu

Malware Persistence without the Windows Registry

For an attacker to maintain a foothold inside your network they will typically install a piece of backdoor malware on at least one of your systems. The malware needs to be installed persistently, meaning that it will remain active in the event of a reboot. Most persistence techniques on a Microsoft Windows platform involve the use of the Registry. Notable exceptions include the Startup Folder and trojanizing system binaries. Examining malware persistence locations in the Windows Registry and startup locations is a common technique employed by forensic investigators to identify malware on a host. Each persistence technique commonly seen today leaves a forensic footprint which can be easily collected using most forensic software on the market. - Nick Harbour
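As an added example (not part of Nick Harbour's post, and not his tooling), the script below does the check the quote describes from the investigator's side: it enumerates the usual Run/RunOnce keys and both Startup folders, resolves the executable each entry points at, and runs an Authenticode signature check on it, which is one quick way to surface an unsigned or tampered ("trojanized") binary sitting in an autostart location. The key paths and cmdlets are standard Windows/PowerShell; the entry parsing and the output layout are my own choices, and the simple command-line parser is an assumption that will mis-split unquoted paths containing spaces.

```powershell
# Added example: triage common Windows autostart locations and verify the
# Authenticode signature of every binary they reference.
# Assumes Windows with PowerShell 3.0 or later. Run from an elevated shell
# to read HKLM reliably. Not the original post's code.

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

$startupDirs = @(
    "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Startup",
    "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup"
)

# Pull the executable out of a Run-key command line such as
#   "C:\Program Files\Foo\foo.exe" /silent   or   C:\tools\bar.exe -x
# Assumption: an unquoted path containing spaces will be truncated at the
# first space; treat such entries as worth a manual look.
function Get-ExePath([string]$CommandLine) {
    if ($CommandLine -match '^\s*"([^"]+)"') { return $Matches[1] }
    if ($CommandLine -match '^\s*(\S+)')     { return $Matches[1] }
    return $null
}

# Startup folders usually hold .lnk shortcuts; resolve them to their target
# so the signature check runs on the real binary, not on the shortcut.
function Resolve-StartupItem([System.IO.FileInfo]$Item) {
    if ($Item.Extension -ieq '.lnk') {
        $shell = New-Object -ComObject WScript.Shell
        return $shell.CreateShortcut($Item.FullName).TargetPath
    }
    return $Item.FullName
}

$entries = @()

foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        # Get-ItemProperty adds PSPath/PSParentPath/... metadata; skip those
        if ($p.Name -like 'PS*') { continue }
        $entries += [pscustomobject]@{
            Source  = $key
            Name    = $p.Name
            Command = [string]$p.Value
            Path    = Get-ExePath ([string]$p.Value)
        }
    }
}

foreach ($dir in $startupDirs) {
    if (-not (Test-Path $dir)) { continue }
    Get-ChildItem -Path $dir -File | ForEach-Object {
        $entries += [pscustomobject]@{
            Source  = $dir
            Name    = $_.Name
            Command = $_.FullName
            Path    = Resolve-StartupItem $_
        }
    }
}

# Signature check. "Valid" means the file is signed by a chain Windows
# trusts; "NotSigned" or "HashMismatch" on something that claims to be a
# system binary is the classic tell for a trojanized executable.
foreach ($e in $entries) {
    $status = 'MissingFile'
    if ($e.Path -and (Test-Path -LiteralPath $e.Path)) {
        $status = (Get-AuthenticodeSignature -FilePath $e.Path).Status
    }
    $e | Add-Member -NotePropertyName Signature -NotePropertyValue $status
}

$entries | Sort-Object Signature, Source |
    Format-Table Signature, Source, Name, Command -AutoSize
```

A "Valid" signature only tells you the file matches what its signer shipped; it says nothing about whether the signer should be on this box, so read the Source and Command columns alongside it rather than filtering on Signature alone. The script deliberately covers only the Registry and Startup-folder locations the quote names; services, scheduled tasks and WMI subscriptions are separate checks.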


Sunday, February 21, 2010

Owning The Client

Thanks to Jhaddix, I just now found out about this slick tool called SET (Social Engineering Toolkit). According to the creators, the social-engineer toolkit is a robust Python open-source tool to aid security professionals in testing social-engineering attacks. The latest version, 0.4, is the biggest release yet, incorporating a universal Java applet attack as well as many other great features.

Jhaddix does a pretty good job of summarizing what the tool does, so I won't recreate the wheel. Suffice to say that after watching the Shmoocon presentation and a couple of other videos, the tool is simply awesome. I will definitely be taking a keen interest in its development and progress.

For more information check the creator's (David Kennedy, aka ReL1K, aka Sac Man) website. Keep up the GREAT work, guys.

The Week That Was (Fri, Feb 19)

The following represent, in no particular order, the stories I found interesting during the past week:

Infrastructure vs Application Security Spending

Abusing WCF to Perform Remote Port Scans

New Russian Botnet tries to kill its larger rival

What's the right IT/Information security certification for me?

How to render SSL useless

Thursday, February 18, 2010

Botnet War - No honor among thieves

This I found very interesting. The story is about an upstart Trojan horse program deciding to take on its much larger rival by stealing data and then removing the rival malicious program from infected computers.

These guys seem to be in the business of protecting their turf, as something similar happened back in 2004.

The Y-Approach

I have been grappling with which IT Security certification path to take for the past few months now. So when I came across this article I had to take a minute and read it. Incidentally, I found this article while reading one of my favorite boards. I am what you would call a newbie to the world of IT Security. So far I have done the following: CEH (Certified Ethical Hacker), OSCP (Offensive Security Certified Professional) and the GPEN (Network Penetration Testing).

Having completed the above courses, I now find myself at a crossroads and am uncertain which way to go. What I do know, however, is that I want to go further down the IT Security rabbit hole. So given my current state of affairs, that of being indecisive, I turned to a few friends for advice. These guys are seasoned IT Security professionals and I hold them in high esteem. Sure enough, as the author mentions, they recommended that I do the CISSP, CISA and CISM. Nothing wrong with that; however, I don't think I want to tackle those just yet. My inclination is more towards the technical side. I would really love to delve more into the hands-on stuff. I am simply fascinated by the work of people like Jeremiah Grossman and Robert Hansen (aka @Rsnake), to name a few, and would greatly love to pursue a path along those lines, eventually starting my own consulting business.

The Y approach seems like something worth looking into given my intentions, as in the end I want to achieve the best of both worlds, i.e. managerial and technical certifications. For now, though, I will be trying to get some more technical certifications under my belt. I am currently eyeing the SANS GWAPT (Web Application Penetration Testing). Having come from a developer background, this has definitely piqued my interest. The OSCE (Offensive Security Certified Expert) also looks interesting. I must admit that I am leaning towards the SANS certification track, maybe ending up with the GSE. SANS has some great offerings, but they cost an arm and a leg and would probably require me selling my soul.