Sector 876

Breaking In

2012-01-02T15:28:00.000-08:00

It's a new year and with it comes new challenges and opportunities for growth - hopefully the Mayans were wrong and it won't be that kind of challenge. You may thinking of switching over into Infosec. So I thought I would share my own experience of how I made that transition in hopes that someone may find it useful.

Background
I started out as an application developer and held that position for a number of years - don't go trying to guess my age now. During that period I always had an interest in Information Security. In fact, the reason for getting into application development was because I loved the field so much. During my research on how to be an Infosec professional, I saw mention of the fact that being able to code would put me at an advantage. So off I went to college to do just that.

Be Passionate
During my time as a developer, I would always find stories related to Infosec and would often have several water-cooler discussions on the topic. In my first job I made friends with the Infosec guy at the time and we had some interesting discussions. I remember when I bought a copy of Hacking Exposed and shared it with him. After that I "was on the radar". When I switched jobs I made sure to keep this up. I would always be talking about some interesting news item that dealt with a security related issues. Especially if it related to our environment. You need to demonstrate passion.

Be Prepared
As time went by I decided that it was time to pursue this option. So I started looking for security related courses that I could do. I ended up picking the Certified Ethical Hacker(CEH) - an entire post could be written on this certification not all of it positive. At the time this course seemed like the best option to get my feet wet and in the end it served as a good introduction into the field. There was one small issue though, it required overseas travel. But I decided that Infosec was what I really wanted and I closed my eyes and made the necessary arrangements - travel/hotel etc.

Whats important to note here is that I did not wait on the company to make the first move. Too often a lot us would like to pursue other career paths but believe that somehow the business owes us something. If we want to do a course - the contents of which will be beneficial to the the business - we feel that the business should cover the costs. My advice to you is to drop that line of thinking for the new year. It was after I had made all the arrangements that my company came onboard. And they didn't cover everything either. You have to take the initiative and prepare yourself for the role. Note also that I had already been sharing my passion so when it came to getting support it wasn't a hard sell.

Once I had completed that course, I was convinced that that was what I wanted to do. When I got back from training I immediately started sharing the information I had learned with just about anybody I could find. Eventually I became the "unofficial security guy".

At the time there was no Infosec role in the company. However that soon changed and suddenly the skillset was required. Opportunity they say favors the prepared mind. And so when time came for that post to filled I had already positioned my self to at least be considered for it.Suffice to say when the dust cleared I got the post. The post at the time was for an Application Security Specialist(ASS).

I continued to sharpen my skills and went on to do a number of other certifications. The most notable would probably have been the Offensive Security Certified Professional(OSCP). Again, some of those certifications were paid for out of pocket.

Perform At The Highest Level
I held that post for a couple years and during that time I ensured that I kept up to date and performed at the highest level. I started a blog and got more involved in the Infosec community. I also created my own little hack lab and tried new things. I bought several books and just immersed myself in the content. It's a lot of content, but it's FUN.

A position soon opened up for a Information Systems Security Officer. I was again considered for the post and in the end I got it.

The lesson here is that whatever it is that you are currently doing, do it well. Make sure you stand out, so that when you decide to move to another area your track record will speak for you.

The Infosec Community
It is awesome and is filled with some really talented people. Get involved. Even before you get the position you are after make sure to get involved.
Start your own blog, listen to podcast, join twitter and follow the guys who are masters of the stuff you are interested in, join an online security board - ethicalhacker.net is a great place to start. The point is, start contributing. Don't fall into the trap of thinking that you have nothing to say. I will be the first to admit that the Infosec community is filled with rockstar types. And it is very easy to become intimidated. Don't be.

Infosec Supply Chain
Have you checked out the job boards recently? If you not, do so now and you will see there are tons of positions waiting to be filled. However, there doesn't seem to be enough skilled professionals to go around. This means that some businesses might be forced to look inside. Start positioning your self, display the passion, take the initiative and get prepared, make sure to perform at the highest level so that when the opportunity presents itself it will be almost feel natural for the business to promote you to that position.

I am still a far way off from reaching my goals but the journey has begun.

Hope this helps......

All the best for 2012.

Review: It's Not All About "Me": The Top Ten Techniques for Building Rapport

2012-01-02T14:11:00.000-08:00

I have read so many titles and yet I have never taken the time to write a review. But after reading this one I decided to change that.

This was a very interesting read. The techniques discussed are very practical and can be applied to any situation. As stated in another review, I too enjoyed technique number 5 - Ego suspension. It is in fact one of the hardest things to accomplish.

I also enjoyed technique number 8 - Connect with quid pro quo. Here the author aptly reminds us that human beings are genetically coded to reciprocate gifts.

Prior to reading this book I had not paid much attention to technique number 1 - establishing artificial time constraints. But as the author points out it can be such an effective technique.

I was introduced to technique number 2, the use of accommodating nonverbals while reading Christopher Hadnagy's - Social engineering: The Art of Human Hacking. As a side note that title is a MUST read. Ok so back to the business at hand. I was again reminded of the powerful effect of this technique. The examples used by the author were very effective at driving the point home. He takes you through the stages someone goes though when they are assessing a situation and how use of the technique can help put the individual at ease. Absolutely fascinating !!!

In the end, it is an awesome read. You will have a hard time putting this one down. I bought this over the holidays based on a tweet I saw. And I am glad I did. The "war stories" that accompany each technique will keep you wanting more.

Great job Robin.

This Week In Security (June 17, 2010)

2010-07-17T13:43:00.000-07:00

Firefox security test add-on was backdoored.

ÜberTwitter: your secret spy?

Possible New Rootkit Has Drivers Signed by Realtek

Talk on Chinese Cyber Army Pulled From Black Hat

Mozilla Bumps Bug Bounty to $3,000

Microsoft: 25,000 Computers Attacked With Latest Windows Zero Day

Why You Should Write Down Your Passwords

2010-07-15T17:48:00.000-07:00

Common wisdom over the last couple of decades has been to never write down the passwords you use for accessing networked services. But is now the time to begin writing them down? Threats are constantly evolving and perhaps it’s time to revisit one of the longest standing idioms of security – “never write a password down”. - Gunter Ollmann

Read More:

What to do with passwords once you create them

2010-07-15T17:44:00.000-07:00

Cryptography expert Bruce Schneier used to write his passwords down on a slip of paper and keep it in his wallet. Today, he uses a free Windows password-storage tool called Password Safe that he designed five years ago and released into the open-source community. -Elinor Mills, CNET

Read more:

The Rise of the Rogue AV Testers

2010-07-15T17:29:00.000-07:00

Recently, I was sitting around with a number of colleagues from Kaspersky Lab, discussing everybody’s favorite subject: the state of anti-virus testing these days. During the talks, somebody brought up the name of a new, obscure testing organization in the Far East. Nobody else had ever heard of them and so my colleague Aleks Gostev jokingly called them a “rogue Andreas Marx." -Costin Raiu

Rogue AV Testers

Malware Persistence without the Windows Registry

2010-07-15T17:12:00.000-07:00

For an attacker to maintain a foothold inside your network they will typically install a piece of backdoor malware on at least one of your systems. The malware needs to be installed persistently, meaning that it will remain active in the event of a reboot. Most persistence techniques on a Microsoft Windows platform involve the use of the Registry. Notable exceptions include the Startup Folder and trojanizing system binaries. Examining malware persistence locations in the Windows Registry and startup locations is a common technique employed by forensic investigators to identify malware on a host. Each persistence technique commonly seen today leaves a forensic footprint which can be easily collected using most forensic software on the market. - Nick Harbour

M-unition

Owning The Client

2010-02-21T17:42:00.000-08:00

Thanks to Jhaddix of http://www.securityaegis.com/ I just now found out about this slick tool called SET(Social Engineering ToolKit). According to the creators, the social-engineer toolkit is a robust python open-source tool to aid security professionals in testing social-engineering attacks. The latest version 0.4, is the biggest release yet incorporating a universal java applet attack as well as many other great features.

Jhaddix does a pretty job of summarizing what the tool does. So I won't recreate the wheel. Suffice to say that after watching the Shmoocon presentation and a couple other videos, the tool is simply awesome. I will definitely be taking a keen interest in its development and progress.

For more information check the creator's(David Kennedy aka ReL1K aka Sac Man) website over at Secmaniac.com. Keep up the GREAT work guys.

The Week That Was(Fri,Feb 19)

2010-02-21T16:34:00.000-08:00

The following represent,in no particular order, the stories I found interesting during the past week:

Infrastructure vs Application Security Spending

Abusing WCF to Perform Remote Port Scans

New Russian Botnet tries to kill its larger rival

What's the right IT/Information security certification for me?

How to render SSL useless

Botnet War - No honor among thieves

2010-02-18T18:17:00.000-08:00

This I found very interesting. The story is about an upstart Trojan horse program deciding to take on its much-larger rival by stealing data and then removing the malicious program from infected computers.

These guys seem to be in the business of protecting their turf as something similar happened back in 2004.

The Y-Approach

2010-02-18T17:37:00.000-08:00

I have been grappling with which IT Security Certification path to take for the past few months now. So when I came across this article I had to take a minute and read it. Incidentally I found this article while reading one of my favorite boards. I am what you would call a newbie to the world of IT Security. And so far I have done the following CEH(Certified Ethical Hacker), OSCP(Offensive Security Certified Professional) and the GPEN - Network Penetration testing.

Having completed the above courses, I now find myself at a cross roads and am uncertain which way to go. What I do know however is that I want to go further down the IT Security rabbit hole. So given my current state of affairs, that of being indecisive, I turned to a few friends for advice. These guys are seasoned IT Security professionals and I hold them in high esteem. Sure enough as the author mentions, they recommended that I do the CISSP, CISA and CISM. Nothing wrong with that, however I don't think I want to tackle those just yet. My inclination is more towards the technical side. I would really love to delve more into the hands on stuff. I am simply fascinated by the work of people like Jerimiah Grossman, Robert Hansen aka @Rsnake to name a few. And would would greatly love to pursue a path along those lines. Eventually starting my own consulting business.

The Y approach seems like something worth looking into given my intentions. As in the end, I want to achieve the best of both worlds i.e. managerial and technical certifications. For now though I will be trying to get some more technical certifications under my belt. I am currently eying the Sans GWAPT - Web Application Penetration Testing. Having come from a developer background this has definitely peeked my interest. The OSCE(Offensive Security Certified Expert) also looks interesting. I must admit that I am leaning towards the Sans certifications track, maybe ending up with the GSE. Sans has some great offerings. But they cost an arm and a leg and would probably require me selling my soul.

Heartland Lessons

2009-08-22T08:00:00.000-07:00

The Heartland Payment Systems data breach that resulted in the theft of more than 130 million credit and debit card numbers dominated the news during the past couple of weeks. The company is the world's ninth largest credit processing company. So you would think that they would have taken the necessary precautions to prevent breaches of this nature from occurring. I say this against the backdrop of the breach being due to a sql injection vulnerability. The vulnerability is well understood, and security analysts have warned retailers about it from time immemorial. Sql injection is in fact so popular that it is the most common form of attack against Web sites.

I often felt that hackers employed techniques found only in rocket science manuals. However since becoming a part of the infosec world I have come to the realization that it is in fact not so. Now don't get me wrong some exploits can be looked at as a work of art. And therefore will require some doing. However the majority of attacks do not fall into that category.

This latest incident is testament to that fact. Sql injection is at the script kiddie level of attacks. As there are several tools available that simply require you to point, click and viola you're done.

So when a company like Heartland falls prey to attacks like this it is just unbelievable. Recall that sql injection attacks seek to exploit one of the basic tenets of web application development. And that is you should not trust ANY input from the user.

This article over at Dark Reading should serve as a timely reminder of the impact such vulnerabilities can have and some steps you can take to mitigate against such attacks.

Infiltrating A Botnet

2009-08-22T07:16:00.000-07:00

I have always had an interest in Botnets. So when I came upon this article posted by awesec on Ethicalhacker it immediately piqued my interest. Incidentally if you have not already checked out the folks over at ethicalhacker you should go say hello.

So back to the article at hand. A Cisco research team while on an assignment recently, noticed a tremendous number of alerts including IRC activity, far larger than anything that could be benign, were occurring on the customer’s network. It turned out that the machines had been compromised and had become a part of a botnet.

The article explains how they got rid of the Botnet but more interestingly gives some insights into the mind and motives of a botmaster. It really is an interesting read.

The Windows "FOR" Loop

2009-07-21T19:06:00.000-07:00

As some of you may or may not know windows supports numerous different kinds of FOR loops. This post aims to discuss two of the most common and powerful.

FOR /L loops can be used as counters, starting at a given number, and incrementing by a given step, counting to another number.

FOR /F loops are more advanced and offer options of iterating over a set of files, the contents of files or the output of a command.

Syntax And Usuage
The syntax for the FOR /L loop is as follows
c:\> for /L %i in ([begin],[increment],[end]) do [command]

Using the syntax above we could implement a simple counter using the following:
c:\> for /L %i in (1,1,10) do echo %i

In case you're not a programmer, %i represents a variable we wish to use as our incrementer. We can also refer to the %i in the [command] and it will be replaced with the current value through the loop. Pretty cool huh? %i will start at [begin],changing by [increment] at each cycle through the loop, and going up to [end] value. The [command] will run once during the loop.It is important to note that %i should be an integer as good ole windows will drop any decimal places.

My very first program was to print 'Hello World' to the console. Yeah I know, it's boring but hey, we all have to start some where. And so on that note let's print 'Hello World' using our loop.

c:\> for /L %i in (1,1,10) do echo Hello World
This will print Hello World to the console ten times. A sample of the output is also shown.

c:\>echo 1 Hello world
1 Hello world

c:\>echo 2 Hello world
2 Hello world

c:\>echo 3 Hello world
3 Hello world

You will notice that the output is ugly. We can clean this up, essentially turning off echo by adding the "@" in front of our [command]. Our new loop now becomes

c:\>for /L %i in (1,1,10) do @echo %i Hello world
1 Hello world
2 Hello world
3 Hello world

This looks much better. Again take note that only a sample of the output is shown here.

Ok, so we can print Hello World ten times. What good is that? Well we can extend it to build a simple ping sweep like so:

Ping Sweep
c:\> for /L %i in (1,1,255) do @ping -n 1 192.168.1.%i | find "Reply"

This command will create our counting loop with a variable of %i, starting at 1, incrementing by1, going through to 255. On each iteration it will ping without displaying the command (@), sending(-n 1) ICMP echo request message to 192.168.1.%i. And scraping through the results looking for the word "Reply" indicating a response to the ping request.

All this is nothing new. Ed Skoudis covers this and a lot more in his weekly Command Line Fu blog. I encourage you to check it out.

The next post will cover the more advanced FOR /F loop.

Bait

2009-07-07T17:47:00.000-07:00

Do you remember that movie ? It starred Jamie Foxx. He played the role of Alvin Sanders an ex-con who is used by the police to lure a criminal out of hiding. Go watch the movie if want to know how it turns out.

Traditionally, attackers went after our servers, but there has been a shift to the client side because server-side applications have been targets for attackers since 2001, and these applications have matured. Attackers have therefore turned their attention to weaknesses in desktop applications such as browsers, media players, common office applications and e-mail clients. In short the user has now become the center of attention.And has therefore taken on the role of Alvin Sanders.Bait.

F-Secure showed samples of bait files recently showing real malware-laden Microsoft Word and Adobe PDF documents it has received. I could see how they could easily slip under the radar. The files are well done.

The lesson here is that we should not neglect our users. We should seek to educate them on the various attack vectors being used by attackers. This should be done using a language that they understand and practical examples they can relate to.

How is your user awareness program? Do you even have one?

Those URL Shortners

2009-07-06T18:31:00.000-07:00

So unless you have been living under a rock, you have probably heard about Twitter. And if you have used Twitter then you know all about url shorteners. Basically, long urls are simply hard to pass along. They tend to sometimes break in email, are harder to verbalize in a conversation, and they are difficult, or in some cases near impossible to remember. Url shortners solve this issue by, well, shortening the length of that long url .

The problem with this is that a link that used to be transparent is now opaque. As you may have guessed this has led to a huge proportion of shortened links acting as a disguise for spam and a slue of other bad things.

One way around this problem of obfuscation is the use of the AVG LinkScanner.This is a free tool from AVG. It scans the pages behind all the links you click or type into your browser. And then tells you in real-time whether a Web link you’re trying to click to contains malicious code. Pretty cool.

Its not the perfect solution I am sure. But I believe it's worth a second look.
I'm sure there are several other tools. So feel free to share.

0-Day Microsoft DirectShow

2009-07-06T16:54:00.000-07:00

Today was all abuzz with news on a new 0-day exploit affecting the msvidctl.dll component of Microsoft DirectShow. The bug can be leveraged to run code on users' PCs if they are tricked into visiting a malicious website through Internet Explorer. The operative term being Internet Explorer. The internet is filled with pocs'. However if you are too lazy to search you can check out the carnal0wnage.attackresearch blog. Beware however, if your running Avast it may not like what it finds.

There is not currently a fix for this vulnerability,so in the mean time switch on over to FirefFox 3.5.

Keeping Up With The Joneses

2009-07-04T13:50:00.000-07:00

We live in a dynamic, evolving world. And it is therefore important that we keep abreast with the latest trends in our respective fields. This is a surefire way of getting ahead of the rest of pack.

With that said I found the following resources to be quite helpful with achieving the above mentioned objective for us infosec types.

Social Networking Sites
Not only are these sites fun to hack and useful in the reconnaissance phase of a pentest. They also represent one of the best ways to network in the infosec field. Twitter for example is proving to be a great tool for this. Jhaddix from SecurityAegis has a very good write up over at EthicalHacker.net on leveraging its power in this regard. I encourage you to read it. Good stuff gets posted on twitter long before it hits mainstream. Case in point is the release of RSnakes new tool Slowloris.

RSS Feeds
Another way to keep up is via RSS feeds. Paul Asadorian from the famed PaulDotCom has an extensive list to get you started. All you need to do is download the feeds and import them into your RSS news reader. So check that out also.

Blogs/WebCasts
Well you can start off by always reading this blog to get your day started. Ok let's get back to reality. Bloggers is a good place to start. With regards to webcasts Sans has some very good ones. Check this out to whet your appetite.

There is a lot more that can be said on this topic. I am only scratching the surface here. Mubix has a much better list here.

These are just some of the resources that I have found useful.So check them out and feel free to share your own.

Additional resources

The Attack Of The AV

2009-07-04T08:29:00.000-07:00

PC's running the popular McAfee VirusScan were brought down recently when the anti virus program began attacking core system files. Based on anecdotes the 'attack' appears to be caued when older VirsuScan engines install DAT 5664 which the anti virus giant pushed out within the last 36hours.

Affected systems then start to identify a wide variety of legitimate and frequently crucial system files as malware. According to this article files belonging to Microsoft Internet Explorer, drivers for Compaq computers and even the McAfee-associated file McScript.exe were being identified as a trojan called PWS!hv.aq.

I can only imagine what admins the world over are going through right now. Hopefully will get a lid on this situation ASAP.

Reputation-Based Security

2009-07-04T07:45:00.000-07:00

Zulfikar Ramzan technical director and architect at Symantec recently spoke with CNET where he took the opportunity to outline the company's future plans.

Symantec has what they call the Symantec Community Watch program where customers submit data back to them about security events and related happenings on their system at any given moment in time. The submission of this data is void of human intervention. The program currently has well over 30 million participants.

The company plans to use this data in the next version of its Norton Antivurs 2010 product. Accroding to Ramzan this new approach dubbed reputation based security is really about looking at a much wider spectrum of machines to make a much more informed decision about what one file is doing.

This approach is in stark contrast to to what currently exists where a blacklist or a white list is used. This approach essentially looks for files you are either know are bad as in the case of a blacklist. Or files known to be good as in the case of a whitelist. Both these approaches neglect what happens in the middle. And so reputation based security is geared towards addressing that.

This is an interesting approach. However I am sure the bad guys will find a way around it.
We'll see.

Mozilla will issue security fixes for Firefox3.5

2009-07-02T17:56:00.000-07:00

Wow that was quick!!! Mozilla which just released the latest version of its Firefox browser on Tuesday is already planning to release web security fixes for bugs in Firefox3.5 according to ComputerWorld.com

The company essentially plans to fix at least three bugs and what it calls "topcrashes". Some interesting things to note about this version is that it includes tools for controlling private data, including a private browsing mode(hmmm that's interesting )

In its first 36 hours it was downloaded 6.5 million times.

Have You Ever Been Tempted By The Lure Of The DarkSide?

2009-07-02T17:15:00.000-07:00

This story is a couple days old(in the world of IT a day is like a thousand years) but I still wanted to mention it. Max Ray Vision aka "Iceman" pleaded guilty on Monday to two counts of wire fraud stemming from the theft of approximately 2 million credit card numbers(yes you read that right!!!) and $86 million in alleged fraudulent purchases. WOW!!!! Just WOW!!!!!!!

Vision was a security consultant before he got arrested. So I guess the lure of going to the DarkSide got the better of him. In commenting on the incident FBI agent J.Keith Mularski who spent two years undercover infiltrating a group of cyber scammers who bought and sold stolen credit cards says that some guys simply allow their curiosity to get the better of them. And in the end find themselves going down that dark path.

How many of you guys who are currently employed in the INFOSEC industry have ever entertained the thought of going to the Dark Side? You have all the required skills. You have all the tools? And to cap it all off we are in the midst of a Global recession. So why not?

It isn't worth it. I say use your skills for the good of society and the cyberworld.

Vision now faces up to 60 years in prison when he is sentenced in October.

Securing That Shiny New PC

2009-07-01T20:09:00.000-07:00

So you just unpacked that brand new shiny pc and fired her up. And you are anxious to hit up your favorite social networking site. At this point security considerations may be the farthest thing from your mind. In fact you may not even be concerned with security at all.

Well with attackers focusing a lot more on the end user(that's you) you need to take a more proactive approach towards security. Bill Brenner has a nice article on securing that new pc.

He recommends taking the following steps:

Uninstall Stuff You Don't Need
Install Firefox
Install NoScript and other Firefox add-ons
Search for all needed Windows patches
Customize your AV/firewall package

5 Steps to Secure a New PC

Security,Group Size, and the Human Brain

2009-07-01T17:54:00.000-07:00

I wonder if this is why I can't seem to remember the names of some of my co-workers. Based on the findings of primatologists Robin Dunbar, 150 is the cognitive limit to the number of people a human brain can maintain a coherent social relationship with.

Security, Group Size, and the Human Brain

Juniper pulls researcher's Black Hat ATM talk

2009-07-01T17:28:00.000-07:00

I was not planning to attend the conference but I still find this story very interesting. The talk I gather was pulled because the affected ATM maker(Diebold probably?) raised concerns that it would not be able to fix the flaw in time. Give me a break!

I don't know how true that is but chances are they very much knew about it and decided not to do anything. Or better yet take an ETERNITY to address the flaw. And so if that is indeed true then I believe that research as important as this should be made available to the public in order to advance the state of security.