Microsoft Quick Security References for Cross-Site Scripting and SQL Injection

After a bit of inbox spring cleaning I found this in an RSS feed on how to approach discovering you have a Cross-Site Scripting or SQL Injection issue on one of your systems. Both papers are published by the Microsoft Security Development Lifecycle (SDL) team, but have a host of industry names that have contributed to the material to give it a very well rounded approach. Nice work team!

Both papers are well worth the read if you’re an incident responder, and why not pass them on to your favourite developers, through to the CIO. I may even flash these past our Grumpy Old MS DBA TM, despite incurring his displeasure at misuse of his beloved SQL.

Original blog post:

http://blogs.msdn.com/sdl/archive/2010/01/18/how-to-open-a-parachute-during-free-fall-introducing-quick-security-references-qsrs.aspx

The two word documents are here for download:

http://www.microsoft.com/downloads/details.aspx?FamilyID=79042476-951f-48d0-8ebb-89f26cf8979d&displaylang=en#filelist

SANS Brisbane 2010, 24-29 May

SANS is bringing world-class training to Queensland for SANS Brisbane 2010 on 24-29 May! (http://www.sans.org/info/54773) Why not choose the beauty of the city along the Brisbane River as the backdrop for your training? Register by 14 April to receive the best savings on the following courses:

- Security 401: SANS Security Essentials Bootcamp Style (GSEC) taught by Mark Hofman, SANS Certified Instructor

- Security 560: Network Penetration Testing and Ethical Hacking (GPEN) taught by Eric Conrad, SANS Certified Instructor

GIAC Security Expert (GSE) certification

I decided to take a very large leap and attempt one of the toughest, non-specialised, security exams out there, the GIAC Security Expert (GSE) certification.

As of today only 16 people hold this qualification. I’ve met a few of those that hold this certification and am in no doubt they know their security stuff.

I have to pass a grueling multiple choice exam comprising 150 questions from three SANS courses, 401, 503 and 504, in three hours. Pass mark is 75% – that’s 114 out of the 150 questions.

That’s one foot and a quarter of study and review. Roughly five kilos of SANS books.

When (note the positive thinking and projection) I pass that, I am then allowed to attempt the two day practical hands on lab and exam. This is currently only held in the States.

I’m going to chart my tears, sweat, study, practice labs and progress on here for what I hope will be many, many more folk becoming GSE certified.

Why do this to myself?

This is for me to see how much of the years of studying and training on the defensive side has actually sunk in. The two day practical will push me out of any comfort zone I’d like to hide in and give me a real experience of dealing with people a heck of a lot smarter than I am while explaining what I did to protect their systems while under fire. I want to see how I handle this type of situation and pressure.

To me this is more about the experience of those two days and proving I can survive them, than gaining the title of GSE.

A current GSE, Kevin Bong, has written this piece on the GSE and it’s well worth the time to read.

Offensive Security’s Backtrack Wifu – here we go again

I’ve booked myself on to this course.

This time I blame Ash for making me take this one, but the deluded voices in my head also have something to answer for.

Four months to get to grips with the 25 hours of study material and play with exercises. Should be simple right?

What is this training I speak of? Well, this is from the web site:

“Offensive Security Wireless Attacks”, also known as “BackTrack WiFu” is a course designed for penetration testers and security enthusiasts who need to learn to implement various active and passive Wireless (802.11 2.4 GHz) attacks. The course is based on the Wireless Attack suite – Aircrack-ng.

The course was designed by Thomas d’Otreppe and Mati Aharoni in an attempt to organize and summarize today’s relevant WiFi attacks. This course will kick-start your WiFu abilities, and get you cracking WEP and WPA using the latest tools and attacks in no time!

http://www.offensive-security.com/backtrack-wifu-online-training.php

This should be fun, and hopefully not quite as steep a learning curve as Penetration Testing with BackTrack.

Time will tell.

How to fail the Offensive Security 101 Exam

Being generous of nature, I thought I’d share how to stuff up the exam of the Offensive Security 101 course. All the blog postings I’ve found on the exam are about how people succeeded. Well, this is a bit different. I managed to get a remarkably poor result which I can attribute to the following:

  • Not being prepared to spend the full 24 hours to complete the exam
  • Not having the right mind set to work through processes and think like an attacker
  • Not documenting fully and double checking and confirming results
  • Not taking fresh air breaks
  • Not having enough experience
  • Quite possibly being a whiner

For mere mortals, like myself, who don’t spend time looking for applications and systems to attack, the simple frustration of working through each service to find a hole to get a foothold is “interesting”*.

*Insert swear words of choice

When attacking a system, the process is simple:

  1. Find a live IP address
  2. Discover the services on the IP address
  3. Search for vulnerabilities for that service

After that successful discovery process, I developed these totally unsuccessful process steps:

  1. Ignore the blindingly obvious results from your own scans
  2. Spend ages Googling and finding nothing that really fits
  3. Grasp at straws and download anything that had the service name in it or sounded vaguely like it.
  4. Try to adapt code that mostly wasn’t going to work, while not understanding how the author was attempting to do it in the first place
  5. Watch the poorly compiled code fail to do anything and wonder why I didn’t have a root shell prompt
  6. Stare into space for long periods
  7. Mutter to myself
  8. Contemplate a career in herding mice with elephants, blowing stuff up or becoming a reality-tv star
  9. Come up with something equally unlikely to work
  10. Back to step 1

After a number of hours of going through this process it’s somewhat disheartening, especially when you seem to get zip-all back. Letting all that frustration build up and not taking time to have a break is how to fail the exam. Simple :-)

The exam – a post mortem

While reviewing what went wrong during the exam, a friend commented that I should be used to dealing with similar frustrations as a sys admin. My response was that without experience of the methods to get a foothold, you effectively end up throwing mud at the target and seeing what sticks. As a Sys Admin, that’s usually the last resort, which you should never do with production systems.

As a great example of this, I was oddly very hesitant to run things that I didn’t really understand that could break it. I struggled to get the simple statement that the lab machines are there to be broken. It was weird; I build hundreds of machines each year with the purpose of testing – and invariably breaking them, so why was this different?

It wasn’t different; it was a failure of adjusting my mindset to fit the situation and letting the implied pressure of the exam get to me. I’d read other blogs about how people struggled and let their stories compound the “this is going to be really hard” mindset. I hit a wall at a certain point and refused to attempt to climb it.

That’s when I failed.

I honestly thought “Well I’m crap at this, let’s never bother with penetration testing again and I’ll stick with my day job.”

Take Two

This is where friends, time and a good night’s sleep make the world of difference.

In the few days after failing the exam I gathered up all my notes and records, reviewed them and cleared them up into an ordered fashion. I realised I had a huge amount of information I hadn’t applied, taken into account or even tried. With some, okay – a lot of, encouragement from friends the exam was re-booked. I had twenty days to get back on the program. I did some serious reading and re-practicing of some of the lessons, while attacking home built systems.

My second exam try was a very different experience. I went in with goals and enforced break times. My notes and thoughts were well detailed and ordered. I reviewed my notes and findings after each break, which helped keep a clear perspective of what I was doing and what I’d tried. This time round I completed the exam in 8 hours, successfully getting all the targets in that time. I still made some stupid mistakes, but being able to review my notes I corrected my mistakes after taking a break or two. The only real mistake I didn’t correct was burning the same pot twice while attempting to cook pasta during food breaks. Oops.

Lessons Learnt

Failing the exam was actually a great lesson in itself and worth the 12 hours I spent feeling sorry for myself, staring at “impossible” targets to hack during the first exam. I knew the targets could be hacked, but by putting them in the “too hard bucket” I wasn’t giving myself a fair chance.

Top three tips

Study with someone else; it’s great to bounce ideas off and helps get a better understanding of questions and topics.

Lurk in the IRC chat room and trawl through the forums; there are great gems in there.

Remember to review your findings and double check your findings. It’s all too easy to make simple mistakes and get disheartened despite having the right freakin’ answer all along.

Thanks Damian and Ash for your encouragement and having to put up with my whining/rants.

Thoughts on Advanced Security Essentials – Enterprise Defender

It is the first time the Advanced Security Essentials – Enterprise Defender (SEC501) class has been run in Australia and to have the course author, Dr Eric Cole, teaching it was fantastic.

As I have said before, Eric is a fantastic speaker, bringing a huge amount of energy and real world experience to the material.

Eric’s overview of how the course came to be and who its intended audience should be drew a couple of students from other classes. There was hardly any bribery, stalking or pleading involved in this at all. The two people at the back of the room bound, gagged and drugged were merely by coincidence. Would I lie to you, dear reader? Anyway….

My poor interpretation is that 501 is the natural extension of 401 for those transitioning into the role of security professional without picking a specialty. Where 401 spends roughly an hour on a myriad of varied security topics, 501 picks 6 critical areas and spends the day on each of them. If you really like the material from one of the days, it is then easy to work out which SANS or security training to take next. This is pretty darn helpful; I see hundreds of postings asking “What should I be doing to become a security professional?”, so picking a path that gets you out of bed in the morning with a spring in your step is the way to go.

With a title of enterprise defender, you may think this is just for IT folk in large companies. It isn’t. The course can be applied to companies of any size, from one-man do-everything-band IT support to an entire team of dedicated security staff. You need to take the cue from the course title: it’s for those who are defenders and work in a defensive role, or for those who aren’t sure what they’d like to specialise in.

It takes a logical approach to rationalising how to do security in a planned, thoughtful manner. Nothing earth shattering or mind blowing appears in the material; it doesn’t need to do that. It provides the framework to apply good security to any company. This can be easily missed in the rush to get projects completed on time and things working. We get pushed into just doing “stuff” to get a new system into place without looking at the bigger picture. Each day provides a solid understanding of a critical security skill set and role; at the end of each day you have the tools and knowledge to step into that role and not stuff it up.

I enjoyed and appreciated the material and content of the course despite having completed a number of other SANS courses. This is a profession where learning never stops, so even re-capping and refreshing the so called basics is never a waste of time.

Before I rattle off my take on each day, I want to mention a number of conversations I had with other students on the flow of the course and how it fitted in with the other SANS 500 level courses. The most discussed point was the number of hands-on labs, or lack of them, on days two and three. I actually liked the two days of talk, mainly due to the content and partially because I’ve used the tools described in those two days fairly heavily over the last few months.

Fortunately, Australians aren’t quiet, shy flowers and mentioned this to Eric. There was plenty of time at breaks and after the day had ended to run through lab work. Most nights five or six people stayed behind to re-do the labs, just so they could get extra practice in with the bonus of having others around to talk over any problems.

SANS courses are the perfect time to play with tools and practice techniques in a calm, non-critical environment. The added bonus is you have a real person to help out if you run into problems with it. Labs can break up the day and re-focus the brain, or labs can disrupt the day as, in real life, things don’t always work; you spend an hour troubleshooting why your lab isn’t working while the girl next to you has finished the whole lab in ten minutes. Still, both are real, hands on experience.

Day 1 Defensive Network Infrastructure

Switches, Routers, Firewall and other networking gear

The day started off with an illuminating and fascinating attack using routers. The day was pretty Cisco heavy, but the lessons are easily transposed to other vendors’ technologies.

Know what is on your network and how it is configured, understand how it should be configured and use change management to get it there: that was the theme of the day.

Take a step back, think about what the network needs to do and check that it is doing it.

Light labs

Day 2 Packet Analysis

Understand the traffic on your network, what it’s doing and what it should look like. Profiling your normal traffic makes the Bad Stuff TM much easier to find.

No labs

Day 3 Penetration Testing

No classroom labs, but the back of the book has a number of self-study ones

Day 4 First responder

Great stuff. Lots of things to apply and how to do them as a first responder to an incident.

Labs

Day 5 Malware

Heavy labs. Got to find and purge Bad Stuff TM , lots of hands on fun!

Day 6 Data Loss Prevention

No classroom labs, but the back of the book has a number of self-study ones

This day covers a number of topics and in my mind should possibly be day one, rather than the last day. My reasons are:

Normally covering risk and procedures is like slowly pulling nails from each finger with tweezers, slow and painful. Eric injects passion, direction and relevance, really making it applicable to the real world and the working lives of the students. I slogged through the CISSP domain when I was studying for the exam. Honestly, I feel Eric brought this section to life; I learnt more in those few hours, and will remember and apply this section more, than I ever could from the long, dark days of my CISSP study.

Amazon Kindle: a Trojan horse for looking normal

I was sceptical beforehand, but now this little thing has dropped 4 kilos from my book bag.

I can read and carry all my geek books, massive pdf files and evil security books without raising suspicions.

I get curious glances on the bus, but none of the looks of outright horror and fear when I’m leafing through a 1000 pager on TCP/IP.

I can quickly flip to a human friendly book if someone takes an interest in the Kindle and wow them with free access to buy books anywhere in the world.

Then I can sneak back to reading up on BOFs, SEH and other three letter acronyms (tla) of the IT world with the click of a button.

Even the Microsoft training manual PDFs’ overly Visio-ed diagrams come out well.

Mu-ha-ha

Now if only the copyright laws banning thousands of books being delivered to Australia-based Kindles could be sorted, I’d be a very happy man.

Luke Patrick Mohan

I am an uncle.

My wonderful brother, Paul, and his beautiful wife, Diana, have given birth to their first born.

I got to see him, via the magic of Skype, on his first day home.

There are no words to express my joy and love for them.

I am an uncle!

Paul David Gibbons

Paul was, at first glance, dour, foreboding, solitary and scary. To those that managed to get past that carefully constructed façade, he was someone completely different.

I shall miss my friend’s remarkable insights, stark reality checks, thoughtfulness and generosity of spirit. His courage in taking leaps into the unknown was almost easily missed, cloaked in one of his shrugs and casual comments. It took years to notice and years to figure out, but that was Paul, a bit of an enigma.

From college lectures to travelling over parts of the country, we shared some great adventures, utter failures, some awful drinks and a lot of getting side tracked.

On his first flight, he flew to India and spent months in a totally alien culture, travelling to as many places time allowed him to reach. I still have his one piece of communication, a letter, he managed to construct over the many months away. The letter arrived almost on the same day Paul returned home. It had taken three months to write and jumped from adventure to disaster to discovery. It was all over the shop, but gave a joyful tour of what he experienced and amazing sights, places and people of this other world.

Paul’s love of reading and understanding took him to Aberystwyth University in Wales. In a memorable road trip, two of us packed Paul and all his worldly belongings, minus a few hundred books, into a small car and set off for Wales. Despite Jude’s military training we still managed to get horribly lost and found ourselves in the middle of a desolate Welsh valley somewhere in an unknown National Park. Undeterred by having not the slightest idea of where we were, being forced to dodge the local wildlife or how the road dropped precipitously at every corner, we forged on with the light failing rapidly. Several hours later and with a great deal of luck, smoking of cigarettes and rationing of the chocolate stash, we finally limped into Aberystwyth.

We deposited Paul’s belongings deep in some student hall and promptly took him to a pub, plying him with copious amounts of alcohol as a farewell gesture. We said our goodbyes and left him surrounded by suitably drunken fellow students, looking out over the Welsh coastline. It was only after several hours of driving that we realised he had no clue how to find his way back to his new residence. That night was spent drunkenly cursing us while climbing very, very steep hills to try each University digs to find his room. Doing this in the fresh, brisk, biting sea air, with a massive amount of exertion, a slowly developing hangover and signs all in Welsh only wasn’t as funny as we found it, apparently.

Even as one of the “old” students, he managed a fair bit of mischief during that time but kept an eye on the uni kids that inhabited that part of his life. He proudly achieved his degree in Information & Library Studies and proved to a great deal of people he was much more than they realised.

I got to work with Paul a couple of times. Whether it was setting up show jumping rings, cooking for the masses or working in IT, he always maintained an almost stubborn common sense and pragmatic approach. He often played the role of the heavy, casting black looks and unflinchingly doing the dirty work; he always approached it intelligently and with care if you took the time to notice.

I have a thousand and one stories ranging from him always having time to talk with the homeless of Brighton to the time he nearly ran me through with a fencing foil. Ending up standing at Stonehenge on the Autumnal equinox at midnight being mistakenly hunted by security is one I still have photographic evidence of to prove it actually occurred. That’s what happens when you get to be someone’s friend for more than twenty years.

He found love, friendship, peace and happiness with Julie in recent years.

My friend passed away on the 25th Of December, 2009.

He remains in my mind’s eye propped against a wall with a half read book in hand, bag slung casually over his shoulder and a can of coke fighting for space with a pack of cigarettes in a pocket, peeking out. A disapproving, well practiced, “you’re late” look on his half shaven face offset with a mirthful sparkle in those brown eyes.