SANS Sydney 2009 SEC501: Advanced Security Essentials – Enterprise Defender with Eric Cole

Wow!

I have been accepted as the class volunteer for SEC501: Advanced Security Essentials – Enterprise Defender with Dr Eric Cole.

If anyone else is going to be at SANS Sydney 2009, I’ll be the class minion for Dr Cole for his week teaching the class.

It promises to be a fantastic week of re-evaluating the security defender role and what it takes to keep the enterprise safe. Dr Cole’s class promises to be a highly entertaining and deep-dive follow-up to the 401 course.

I hope to absorb what I can from the massive stream of knowledge that I’ll be wading in during the week.

If you are there, say hi and no stealing my mints ;-)

SANS APAC Webcast – What Every Pen Tester Should Know About Web Applications

Dr. Johannes Ullrich, from SANS, is giving a talk on what every pen tester should know about web applications.

This is an interactive talk, so if web applications are your thing, or you’re a penetration tester, then tune in and ask away.

It’s at lunch time, 12pm on Wednesday the 30th of September, so stick it in the calendar.

Oh and it’s a CPE credit for those with ISC2 just watching the session.

Command Line Kung Fu – Learning another style

In my dash to pick up the basics of another operating system, getting into the right frame of mind can be, well, difficult. All that time and energy learning what and how to do something correctly in Windows, only to then run into the brick wall of a new alien OS and its crazy syntax.

It’s a bugger.

Fortunately some nice folks have made the transition easier. Messrs Skoudis and Pomeranz, of SANS fame, have joined forces in order to convert one way of OS thinking on the command line to another.

This is massively funky.

Why? Well, they have real world examples with the whys and hows. I was reading it for the Windows command line stuff before realising how useful it is for that other operating system. You know, the one that was working well before Windows even thought about blue screening. No, not MacOS. Yes, I know it runs off BSD, but that doesn’t count ….

Go here and learn all about Command Line Kung Fu, whatever your style, and see what and how the other side does things.

Stephen Sims is coming to town – virtually

The very intense and mildly insane Mr Stephen Sims is doing a webcast for the Australian Computer Society on Tuesday, August 25 at 6:00 PM.

He is presenting Pass-the-Hash Attack with Meterpreter; this is a hands-on practical, taken straight from day 3 of the SANS 560 track. In case you’ve forgotten, Stephen will be running that class in November in Sydney.

Remember, kids, for hashdump to work he’s exploiting an administrator or SYSTEM process. Oh, you’re running as local Administrator now … oops.

Stephen is an awesome teacher and presenter, so expect this to be a great demo of what Metasploit can do to a Windows system.

Good work Ray for sorting out a presentation in our time zone. May this be the first of many!

Update: After watching the presentation, you notice one of Steve’s passions surface. He manages to sneak in a full blown live display of a buffer overflow done by hand. Nice work Mr Sims.

Re-educating the Board on where our borders end

Catching up on the weekly security news, this headline caught my eye, “US and South Korean Sites Under Attack; Late Data Says Attacking PCs to Self Destruct (July 8 & 9, 2009)” from the SANS weekly NewsBites. The piece covers recent attacks on US and South Korean government, military and private industry, with some nice technical links to what is going on. Basically, once the malware has done its task it then overwrites the MBR and partition table. Just like the viruses of the good ol’ days. However, the one comment I will be passing on to my CIO is from Alan Paller, the director of research at the SANS Institute:

“This morning Korea government sources report that the files on the attacking computers are being overwritten – in a massive suicide of the bot-network. Sadly, it will be very easy to construct a new one.”

The two points he clearly raises are:

1) They can destroy the data on an infected computer

2) They can easily do it all over again

Why?

Cyber warfare is not new, nor are bots, but a willingness to throw away compromised machines on a massive scale is – ignoring bot-net herders going mad. I still compete with the perception that antivirus and a firewall will save us from getting into trouble. I only wish they did. Take the 560 bootcamp or spend two minutes with John Strand to be re-educated on this.

Leaving aside mobile phones, we have a growing number of requests to replace desktops with laptops in the company, so the perimeter I am supposed to be defending now extends to staff homes and families.

Why?

Well, guess who starts using the laptop when it gets home: the kids, the other half and possibly Romanian circus clowns that are in town for the day, all of whom have a desperate need to check their myspace/facebook/web mail accounts. (Note to self: bring up that the supported number of users has tripled in the next pay review ;-))

All one of these non-staff members needs to do is click on a link, download a file or even open a picture, the AV misses it and the laptop is now co-owned by someone out in the cloud. Then, the next day, the infected machine comes back to the office.

As we have IT policies in place, I can be sure none of our staff would do this though.

Back to why I pass on Alan’s comments rather than a link to one of the excellent articles from the NewsBites page. Alan has the necessary gravitas to appeal to my CIO and the board. Despite my monthly reports and management summaries, I still find management respond more actively to respected senior figures’ opinions and suggestions. Comments and articles like this can help change perceptions of what senior management think IT security is today.

I’ll take all the help I can get.

Trials & tribulations of writing a GIAC Gold Paper

My first GIAC gold paper was finally published in the SANS Reading Room. It was a labour of love, frustration, discovery and determination.

For those of you unaware of the process to get a SANS “gold” certification, this is the process. You pass one of the SANS “silver” qualifications, then choose to push yourself further by writing a paper related to the qualification. When applying in the SANS portal to “go gold”, a brief summary of what the paper is based on and what its goals are is required. This summary is read by the gold paper advisors, a group made up of SANS alumni, and hopefully one of them agrees to take on the role of spending the next six months advising on the paper. Once an advisor takes on the role, a fee is paid to SANS. This covers administration and a fee to the advisor for their time.

From then onwards, drafts are sent to the advisor for feedback, guidance and sanity checks. When the advisor feels the paper is ready, it is submitted to a review board. Should it pass that, the paper is published in the SANS Reading Room. At that point, and only that point, the Gold certificate is yours.

Why do it in the first place?

A four hour exam is one way of displaying your ability, spending six months to possibly have it published to the entire world to review is another.

Exams test people in certain defined ways, but spending personal time to understand, develop and put down on paper a project is a much, much more extensive test of knowledge and understanding.

For me, this was a real change and challenge as I don’t write papers. There is no personal or professional requirement to do so. Life has to be about challenges and pushing forward. So I gave it a go.

So what went wrong during the first six months?

  • My time management sucked.
  • The outline of the paper was too vague and not defined enough
  • I tried to review and edit the paper by myself
  • I failed to understand what the advisor was telling me to bring the paper back on topic and track

The two cardinal mistakes were that I misjudged how long writing/re-writing took and thought I could edit my own work. Oops.

My original paper wandered all over the place and my advisor, Don, should have hit me with the large ‘Pay Attention’ stick; he tried to re-focus where I was off track. Email is not the best medium to convey certain emphases. If there was not a 14+ hour time difference, then we may have been able to talk directly. The re-writes missed the mark and time got away from me. I got to the five month stage and, with the Christmas break looming, supported by Don, I applied for an extension. He felt that I was trying hard – school report flash-back: C minus, Chris can do so much more if he applied himself and paid attention – and was getting on the right track.

So with a New Year behind me and the three month extension approved, I found three people willing to review my work. I listened to Don’s advice and made some sweeping edits. Each change and re-write got smaller and more focused on particular points. Finally Don was happy and submitted it for review by the review board.

Simple rules for the next one

  • Make time to write the paper. It was amazing how many different distractions could and would appear.
  • Have a pre-planned outline of the paper and what it should intend to deliver to the reader content-wise.
  • Pre-build or have full access to any test environments needed for the paper’s subject matter.
  • Build a time line and stick to it. A wise friend told me two months to prove all the concepts in the paper, two months to write them up and two months to edit the paper.
  • Line up two or more people to read the paper and provide honest feedback.
  • Do not expect an instant response back from the advisor. They have lives; give them a couple of days. Plan this into the time line.
  • If you do not hear back from the advisor after two weeks then email SANS. Stuff happens in other people’s lives.

To make the next paper better than the last

  • Read other people’s papers
  • Read, or re-read, The Elements of Style by William Strunk
  • Ask friends, peers or SANS instructors what their favourite technical papers, books or writers are. Then read them.
  • Ask someone what you could have done better in the first paper

Well, the paper is up in the SANS Reading Room here.

SANS Sydney 2009

Just got back from the SANS event in Canberra and SANS have announced dates for Sydney.

Fantastic stuff

Four six-day courses on offer. Book your seat by 30 September, 2009, and save $350 on the fees.

The two courses on top of my list to get on to are:

SEC501: Advanced Security Essentials – Enterprise Defender with Eric Cole

and

SEC542: Web Application Pen Testing In-Depth with Johannes Ullrich.

Having just completed SEC560: Network Penetration Testing and Ethical Hacking, I can heartily recommend it. Thoughts about it are here.

Stephen Sims is a phenomenal teacher and his take on the course would be a real eye opener.

SEC401: SANS Security Essentials with evening Bootcamp class run by Mark Hofman is one of the best ways to get your hands dirty in the security world, but not get buried by the sheer mass of information.

Just have to work out how to arrange for the time off now ….

SANS Canberra 2009 Wrap up

Amazing how fast six days can blaze past and be so packed full of knowledge, learning, challenges, events and fire alarms.

Flames in Canberra

This year’s conference was so hot, the place nearly burnt down. Twice.

Survived another SANS conference in Canberra; met a heap of great people, kept entertained by the instructors, kept awake by random false fire alarms during the night and came away with some new skills and knowledge.

I was fortunate to be chosen as one of the four facilitators, so got to run around in the background, have Mentos thrown at me and finally be expelled by the Americans on the 4th of July.

All of this and get an education. Fantastic stuff.

Over 100 people turned up from all over Oz and New Zealand for the four tracks.

Leading us out of the security darkness and FUD:

  • The home grown Mark Hofman, bringing the wholesome security goodness of SEC401: SANS Security Essentials Bootcamp.

The trio of rebellious upstarts from the New World, er, wonderful gentlemen from the United States of America:

  • John Strand, startling students with sudden manoeuvres and forced marches in SEC504: Hacker Techniques, Exploits & Incident Handling.
  • Bryce Galbraith marshaling his desperate band of would-be ethical heroes in SEC560: Network Penetration Testing and Ethical Hacking
  • Chad Tilbury bringing order and reason to hard drives gone mad in SEC508: Computer Forensics, Investigation & Response

Lucky me, an Englishman surrounded by ungratefuls from the colonies on the 4th of July. And what did I have as a uniform? Why, a SANS red coat. Ah, the irony!

It is a red coat. NOT an apron.

Yes, bad puns on the American revolution will continue to creep in. In some cases run in and stage dive spectacularly, head first, on to an empty floor.

Shearwater steered the event seamlessly and smoothly (with a little help from the volunteers of course). A special mention to Shearwater’s Ray for keeping the “low cal” cheesecakes, pecan pies and other yum treats re-appearing despite some of the conference staff’s attempts to thwart us stuffing our faces. Good work Ray – the legions of late breaking students from 401 salute you!

The courses, like the food, were devoured by everyone; some, just starting out on their understanding of the vast security field, were astounded by what they were learning. A couple of folks in Mark Hofman’s 401 class felt shell shocked after the second day over the sheer volume of information. Mark’s teaching approach was one of the ways they could absorb and comprehend the knowledge. A high sugar diet apparently helped too.

I was in Bryce’s class and he rocked it. The class was a mixed crowd with a strong government contingent sitting at the back. After the first theory based day, there was a momentum of excitement, as each day built upon the last. Bryce kept us rolling through the material and labs. There were extensive lab exercises each day. Some of the class would read ahead the night before and spend the time playing with the lessons. Others would carefully follow the labs, make sense of the steps and see how they worked. Some just went at it.

There were some great questions pitched up from the class. This is where Bryce’s extensive professional knowledge shone through. He ably answered the questions and would always put them into a real life perspective. This really helped drive home some of the points and made the training “sticky”. One of the great qualities SANS instructors bring to the material is the ability to help understand it and make it accessible. I noted that Bryce would explain in-depth to those new to the topic, but would mentor those who had their feet in the material already and wanted to explore.

With never a dull moment, I would find myself being painted by Bryce’s laser pointer after finishing the labs too quickly. Little did I realise that it was a prelude to frequent Mentos carpet bombing.

I blame attacks like this for not winning the day six challenge.

Mento-ed

A Mento in the USB slot will stop all but the most hardened pen tester.

John Strand is an impassioned teacher and one that never stops moving, physically or mentally. If you want someone who is clearly passionate and excited about what he does, John is your man. He throws in those great stories and examples, while sweeping the class down the road of learning with him. Ashley, the junior facilitator, was told to use the dart gun if John got too excited or made a break for it. We estimate John could have walked the 300km to Sydney during the six days if we’d let him.

Chad’s class, by stark difference, was an oasis of calm, refinement and serious thoughts. There was a quiet air of awe in Chad’s class room as he guided the class into the mysteries of digital forensics. Whenever I was running for my life from hurled Mentos, I would see the rapt, focused faces of the class follow Chad through the lessons. Damian, the senior facilitator, ended up having a remarkably peaceful week of order and compliance. The only time the class got restless was on law day. Tragically, the chewy sweets in class that would normally keep them going seemed strangely depleted. They had “magically” been dumped on my laptop again. How ironic.

Sadly, I could never stay to soak in that tranquility, as a moving target means less bruising.

SANS @Night Presentations

What was particularly great this time was that all the instructors got to do after-class presentations of a topic close to their hearts. It’s called “SANS @Night” and was worth waiting around for each one of them.

Production Honeypots with John Strand – Tuesday night

John had a fiery, punchy and potentially controversial take on how honey pots should be moved out of the shadows of research and into the headlights of production networks. John’s presentation demonstrated how the standard protections that many take as a foundation stone of security, anti-virus and IDS, provide limited real protection. John stated that attackers can strike with little fear of retribution, while we are left with little or no information on who they were or what they were after. Safe havens exist within the physical world which allow attackers to operate with no concern of retaliation or harassment from law enforcement. Why shouldn’t we be more aggressive in our defence?

He proposes the use of production honey pots to collect data from and about the attacker. Why not harvest the browser, PC and location of an attacking machine? Why stay passive? John was not advocating striking back (I’m pretty sure, anyway) but using the honey pot technology in an active, rather than passive, manner. In this active mode it could capture significant information on the attacker. John has taken this approach and built a SANS course around some of the many tools and methods he talked over during the evening. http://project.honeynet.org/project has a smattering of the tools mentioned throughout the talk.

As defence is close to my heart, this was one of those times I would have loved to have had more time to understand and see a honey pot environment in action. There was a lot of empathy in the room about not being so nice when dealing with attackers. The comment that stuck was “we (defenders) have to play by the rules. Attackers don’t care. They do what it takes to get what they want.”

Thought provoking stuff.

SANS Community Evening Panel Discussion by SANS Instructors – Wednesday night

A good number of the Canberra security community turned up to add to the 40 plus students.

A lively and good humoured discussion, but it got somewhat side tracked by a couple of people from the crowd who kept on bringing the topic back to their original question. The recurring questions were somewhat generic and could have been answered by your favourite search engine. This was a shame as I could see others who wanted to ask questions, but never got the chance. This was in strong contrast to last year, where the panel debated a huge range of topics and picked through some very tough questions.

John Strand retorted with some very funny one liners to some of the blander questions, kept us chuckling and Mark got to answer on the more interesting local knowledge queries.

The hour and a bit was up and the speakers were gently herded out of the room. It was during this time a couple of great questions popped up, and I only wish the panel had taken a go at them instead. Next time, perhaps.

Live Incident Response: Memory Analysis with Chad Tilbury – Thursday night

“Introducing the top three must-have capabilities in your IR toolkit that were released in the past year. Learn how live memory collection and analysis is a game-changing tactic now utilized in effective Incident Response and Mitigation techniques. Find out what will replace the tried and true “sysinternals” tools and replace them with capabilities that are crippling rootkit technology.”

I annoyingly missed a large chunk of Chad’s talk, but caught up at the point of a live forensic demonstration. He took the audience through a recovery process and, wow, it was impressive what he could recover. Watching the presentation really made me put the 508 forensic class on my wish list.

The tools are here from the talk along with some truly amazing community input: http://forensics.sans.org/

Incorporating Advanced MitM Attacks in Your Penetration Testing Regimen with Bryce Galbraith – Friday night

Bryce had been talking about monkey in the middle (MitM) attacks all week, so it was no surprise that the 560 students were looking forward to the presentation. Although MitM attacks are not new, it is shocking to see how utterly effective they can be at bypassing security measures. Bryce went through a host of scenarios on subverting what is normally taken as a secure method of communicating. The attacks covered layers 2-7 in the OSI model, so it really kicked the brain off thinking: was my environment open to this and, if yes, how would I close it down?

A truly great talk to close off the week.

Bryce in action

For those curious how I managed to keep track of the day of the week mapped to what course day, I can now reveal my secret:

Socks – it works for me

Yup, my socks have the day of the week on them. Who needs these high tech solutions anyway?

Until next time.

Thoughts on SANS’ 560 course

I got to take the SEC560: Network Penetration Testing and Ethical Hacking with Bryce Galbraith.

Penetration testing is not part of my official job role, but understanding the mindset, tools and tactics employed is immensely valuable to anyone working on behalf of the network’s defence team. So off I went and jumped in the deep end.

Having already taken the SEC504: Hacker Techniques, Exploits & Incident Handling course, which was also written by Ed Skoudis, I was keen to see what made the courses different since there appeared to be an overlap of the material at first glance. With the warning “SANS Security 560 is one of the most technically rigorous courses offered by the SANS Institute”, I have to admit I was intrigued.

The first day has a heavy emphasis on methodology and report writing, which seemed to deter a number of students in the class. It became clear how important solid, clear and concise report writing skills are to a professional penetration tester. The writing skills are critical to the client the test is being performed for. If they can understand and act on the report of the test, you get a happy client. A happy client can mean repeat business. That’s good. As someone that has to throw together monthly security reports, it was more encouragement to keep reports clear, concise and not too techie. The methodology section covered how to maintain consistent results using a variety of frameworks.

I will not go into the following days, as they covered skills, concepts and tools in both Windows and Linux. The course layout is detailed here. Many labs made up those days to counterpoint the theory with solid practicals. The days provided the core elements, a foundation, if you will, of the training and skill sets required for penetration testers.

The Day Six Challenge

This is the day you put together what you have practiced and learnt and apply it to a real world situation. Thinking on your feet is required, with plenty of lateral brain work. That is all you will get from me :-)

The day six challenge is perfect. Fiendish, demanding and aggressively driven to get the prize as quickly as possible but without destroying every jump point or system you touch. This is tailored to the pen tester’s skills and gives a clear insight into how broad minded – and skilled – you would have to be.

No, I did not win the challenge, but I took away a great deal of notes, to do lists, insights and a sense of achievement.

As an interesting aside, 504’s final day is much more raw, as it is a hack and slash approach for sysadmins to have at it and play attacker for once. I am not putting the challenge down in the slightest; it was excellent fun to go full tilt at someone else’s systems in the all consuming charge to get the flags first.

In my own mind, I would love the day six challenge of 504 to be more on the defending, and repelling, of an attacker, rather than being the attacker. Being on offence is a very different mindset to defence. Attackers need to find one fault; defenders have to fix them all. Guess who feels the more pressure.

Mr Galbraith

As to our instructor, it was an absolute pleasure to have Bryce guide us through the lessons, material and labs. Bryce’s teaching style is calm, open to questions and focused. It is all too easy for a question to spark off a whole thread of detours and off topic ramblings. Bryce kept us alert, on track and entertained. A sprinkling of relevant, and some very funny, war stories dropped in to highlight the course material and practicals. To have someone that works in the penetration and security space, consulting for a wide range of clients, teaching, you get a very real sense of how to use these skills and supplement them with a variety of tools. What was amazing to watch and understand was how Bryce used the installed tools and utilities of the OS to “live off the land”, as he calls it, to subvert the network and systems to reach the target goal. So many standard system tools that ease administration are an absolute menace in the wrong hands.

560 Boot Camp

We also took part in a boot camp session, on the second, fourth and fifth nights of the training. These ran directly after the day class until 6:30 pm.

This was an added bonus, as I had not heard of this before and was not expecting it. The boot camp sessions were voluntary, running for one and a half hours.

The first session was on report writing; we had some drop outs from students keen to avoid more paper work. As a group we broke down a poorly constructed report, then rebuilt it and made it more relevant, giving it focus and flow. The group discussion threw together a wide range of thoughts, ideas, suggestions and the occasional disagreement on how to improve the report. With the before and after example report, it was easy to see how, by thinking through the layout and who the audience is, a solid report could be created.

Session two was on Metasploit, using it to deploy ‘sploits to a USB device. The entire class stayed and attended. We all knew it was going to be that good. No-one left their seats as we jumped straight into the boot camp from class. The hour and a half flew by, but most of us finally brandished a Metasploit backdoor payload hidden on a USB drive, with a large grin on our faces.

Session three, we lost two people (it was Friday night), but again the class stayed glued to their seats and followed Bryce through various methods of Netcat-ing without Netcat, using Windows and Linux OS tools to emulate a relay. Never realised how helpful and user friendly *Nix systems could be compared to Windows in this task ;-) This really emphasized that it is creativity, not the tools, that differentiates the truly talented pen testers.

504 and 560: Do They Overlap?

I would have to say the tools used may be the same as 504, but the mindset, application and drive of the course is very, very different. That is where the value is. Mr Skoudis & team have done an excellent job in making the course stand up by itself, but flow on smoothly from the 504 course should you take both.

In my opinion, 504 is about understanding the attackers and how to deal with them, with a brief foray into their world and tools. Focus is placed on incident response methodology and being the responder to events on the systems or network.

560 is starkly about being the attacker, albeit in an ethical manner, and using every possible tool, trick, technique, toehold to get in and grab the prize. Each attempt at getting in to a system or network is documented, but it is about finding the weak points in the armour and exploiting them to get to the target.

Final Thoughts

The course was challenging and thought-provoking. It is easy to get cocky, thinking this stuff is simple when completing the classroom labs, but the day six challenge brings you firmly back to earth. For people searching for a career in penetration testing, the course gives you a clear understanding of what you need to be able to do, think and report on in this role. Too many times I have had poorly cleaned and all too generic Nessus scans handed over to companies I’ve worked for, as part of their yearly audit. This helps set the bar for what should be expected and delivered.

For those of us non-pen testers, the insights into what can happen if you let basic, simple standards drop or get forgotten about become blindingly obvious. Use good passwords/passphrases, patch and keep an eye on log files, and it would stop a great deal of the possible inroads for testers or real attackers.

Oh and it’s great fun too.

Daemon by Daniel Suarez

Hiding from the rain this weekend, I was perusing my local book shop’s new releases section when I came across a book called Daemon by Daniel Suarez. From the book’s cover artwork it was obviously technology based rather than supernatural, so I scooped it up and had a quick glance. The back cover alluded to bots getting up to mischief on a massive scale and bumping people off.

Techno-based stories can be hit or miss, but I haven’t picked up one in a while, so grabbed a copy. With the rain pouring outside and terrible tv re-runs, I settled in with the book.

I flew through the book and finished it the next day.

Daniel is an independent systems consultant working heavily with databases and has obviously done a huge amount of research. What struck me is how realistic the technical segments were and how the themes echoed in a number of conversations I’ve been involved in, had or listened in on. Reading the back pages, I noted that he’d been working with the guys that did the Hacking Exposed series, so I guess that’s why I recognize a bunch of the attacks.

At the recent SANS conference in Sydney, over a few beers after one session, James Shewmaker was talking about similar, but more advanced, exploits he’d witnessed and was teaching his 504: Hacker Techniques, Exploits and Incident Handling class how to defend against. I’ve only had to deal with this sort of attack at a local level. It’s almost scary to see these sorts of attacks put into a feasible story line with global consequences. At the same conference I was bugging Mike Poor about a course he authored on bots and worms; his passion and fascination is always infectious, so he can talk for days on the topic. Pretty much everything he talked on surfaced in the book. I wonder how much of Mike’s suggestions on dealing with, subverting and defeating bots will appear in the sequel, Freedom.

One bit that did make me smile was the thought of the use of NetStumbler – surely they should have been using Kismet ;-)

If you’re looking for a good solid piece of entertainment with some scary IT implications, it’s well worth a read.