Open Integration Services Positions at Q1 Labs

As many of you know, I am happily employed by Q1 Labs Inc., managing a team of software developers who are responsible for integrating third-party event and vulnerability data into Q1 Labs QRadar.

Due to recent growth, I am now looking for developers to join our Integration Services team. As a member of the Q1 Labs Integration Services Team, you would be responsible for the integration of third-party events and vulnerability data into Q1 Labs’ flagship network security management solution, QRadar. As a qualified candidate, you must be able to:

  • Research the logging/messaging capability of log sources and determine the best method for integrating them
  • Collect, analyze, and classify sample log messages and create methods for parsing them
  • Work with internal groups to design, implement, test, and document device support, including processing, alerting, and reporting capabilities
  • Work well independently and within a team; especially cross-functional teams in a fast-paced environment

In addition to the above skills, you must also possess:

  • Development experience in Java and/or C++
  • Solid understanding of networking protocols and principles
  • Experience with UNIX/Linux operating systems including system administration
  • Scripting experience using a dynamic language such as Perl and/or Python (additional scripting language knowledge a plus)
  • Good unit and integration testing experience
  • Exceptional problem-solving expertise and attention to detail
  • Strong oral and written communication skills
  • Experience with development and release practices for a commercial product
  • Self-driven quick learner with attention to detail and quality

Additional skills that will help you succeed in this role are:

  • Development experience with relational databases
  • Knowledge of security best practices and methodologies
  • Experience in security log analysis, application log analysis, and general log management best practices
  • Knowledge of log transport protocols

Since this position is located in Fredericton, New Brunswick, Canada, relocation assistance and visa sponsorship are available. So if you are interested, or know of anyone who would be, please email a resume to andrewsmhay@gmail.com with a description of why you feel you would excel at this position.

Suggested Blog Reading – Thursday August 2nd, 2007

I can’t believe it’s August already. This year is just flying by. I think I’ve tentatively decided to try and get to Black Hat next year so I may have to start tucking away money now for airfare. That might be a challenge because it’s also my 5-year anniversary next year. Think my wife would let me combine the two trips? 🙂

Here’s the list:

The Beginning of a Windows Pentest Encounter – Thanks to LonerVamp for pointing this one out.

Here is a quick paper (notes) about pen-testing a Windows Active Directory network. While I do know this paper covers only the lowest-hanging fruit, it seems that all too often, these lowest-hanging fruit are the most common fruit found in the wild.

Insider Threat and Cowboys: The Wall Street Journal Tells Your Personnel How To Get Around Your Security – I hope organizations treat this as a “wakeup call”

Oh, boy, reading this Wall Street Journal story, “Ten Things Your IT Department Won’t Tell You” brought back some memories of personnel who went to great lengths to get around security requirements!

All the networking you could need: Netcat – Good cheat sheet for NetCat commands.

So my SANS course this past week culminated today with a nice game of capture the flag. While not Defcon caliber, it ended up being quite a lot of fun, especially for a game that could only last six hours, and did a fantastic job of bringing the course together. We learned a lot of tools during the class and playing scenario-based CTF brought it all together, as many of them were used during the game. Mostly we focused on the old favorites: NMap, Nessus, John the Ripper; the kind of tools that have been around forever, and for good reason.

We focused mainly on another tool, one I’d known but used little. Called the “network swiss-army knife”, Netcat proved, as we were promised by Ed, the most useful tool of the whole course. Netcat does just about everything. Yes, I know, if you’ve been in networking or security for any amount of time you’re asking how I’d missed that; I hadn’t, but practical use is something else. There’s no doubt it’s one of the most useful tools a network admin, security engineer, or hacker could ever want. So just for general consumption, and for myself, I’m posting the cheat sheet I used during our class CTF competition (my team came in 3rd of around 50 in case you were wondering) just to get any other Netcat neophytes started and possibly remind some old hands of some fun tricks.

Security Freak Video Lectures – Hacking, Programming, Networking & More – Yay videos!!!!

A while back a reader e-mailed us about a new site they have called Security Freak; the site is about information security education and mostly uses video lectures to illustrate and convey the lessons.

Security-Freak.net is an attempt to lower the entry barrier for starting computer security research. The author has noticed that, during his interactions with security enthusiasts in general and students in particular, many lose interest because of the lack of organized learning resources in this area.

The admissibility vs. weight of digital evidence – Interesting post about a topic that I don’t regularly get to think about.

There is always a lot of conversation about when digital evidence is and is not admissible. Questions like “are proxy logs admissible?” and “what tools generate admissible evidence?” are focused on the concept of evidence admissibility. Some of the responses to these questions are correct, and some not really correct. I think the underlying issues (at least from what I’ve observed) with the incorrect answers stems from a confusion of two similar yet distinct legal concepts: evidence admissibility and the weight of evidence.

s/regex/English/g – I agree with Lori on this. Especially in my line of work there is a need for strong regular expression knowledge when dealing with operating system, application, and device logs.

So if you’re a developer and find yourself in need of a good tutorial, i.e. one that doesn’t tersely indicate you should RTFM(an page), check out this blog post by I’m Mike, appropriately titled “The absolute bare minimum every programmer should know about regular expressions”. Mike also has some more detailed posts about regular expressions and all are a great place to start digging into the craziness that is regex.

When you’ve finished reading if you want to play around with some regular expressions – cause practice makes perfect – check out Regex Designer, a nice little app that not only evaluates regular expressions but lets you visually see how the matches are made. It’s a great tool for learning regular expressions as well as fleshing out more complex expressions before trying it out in a live application. This one is great for beginners or experts.
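Since the author’s own line of work (L65 and the job posting above) is parsing and classifying third-party log messages with regular expressions, here is an added example of what that looks like in practice. This is my own illustration, not code from the original post, from Lori’s article, or from QRadar: it defines an outer syslog envelope pattern with named groups, then a small table of per-program message patterns that both classify the event and pull out the fields (user, source IP, command) a detection or reporting layer would need. The sample log lines are constructed for the example; the sshd and sudo message formats are the common Linux ones, and anything that does not match is kept in an “unparsed” list rather than silently dropped, because unparsed lines are exactly where new device support starts.

```python
import re

# Constructed sample lines for this example (not real logs): RFC 3164-style
# syslog with a <PRI> prefix, two sshd messages, one sudo message, and one
# line that matches nothing.
SAMPLE_LOGS = [
    "<38>Aug  2 10:15:01 bastion sshd[2014]: Failed password for invalid user admin "
    "from 203.0.113.5 port 4242 ssh2",
    "<38>Aug  2 10:15:03 bastion sshd[2014]: Accepted publickey for deploy "
    "from 198.51.100.7 port 50122 ssh2",
    "<85>Aug  2 10:16:20 bastion sudo:    deploy : TTY=pts/0 ; PWD=/home/deploy ; "
    "USER=root ; COMMAND=/bin/systemctl restart nginx",
    "this line is garbage and should not match",
]

# Outer envelope: priority, timestamp, host, program with optional [pid], message.
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<timestamp>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<program>[^\[:]+)(?:\[(?P<pid>\d+)\])?: "
    r"(?P<message>.*)$"
)

# Per-message patterns, tried in order. The category name is the classification;
# the named groups become normalized event fields. Adding device support means
# appending a (category, pattern) pair here.
MESSAGE_PATTERNS = [
    ("ssh_login_failed", re.compile(
        r"^Failed (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
        r"from (?P<src_ip>\S+) port (?P<src_port>\d+)")),
    ("ssh_login_ok", re.compile(
        r"^Accepted (?P<method>\w+) for (?P<user>\S+) "
        r"from (?P<src_ip>\S+) port (?P<src_port>\d+)")),
    ("sudo_command", re.compile(
        r"^\s*(?P<user>\S+) : .*?USER=(?P<target_user>\S+) ; COMMAND=(?P<command>.*)$")),
]


def parse_line(line):
    """Return a dict of event fields, or None if the envelope does not match."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    event = m.groupdict()
    # PRI encodes facility * 8 + severity (RFC 3164).
    pri = int(event.pop("pri"))
    event["facility"], event["severity"] = divmod(pri, 8)
    event["program"] = event["program"].strip()
    event["category"] = "unclassified"
    for category, pattern in MESSAGE_PATTERNS:
        mm = pattern.match(event["message"])
        if mm:
            event["category"] = category
            event.update(mm.groupdict())
            break
    return event


def parse_lines(lines):
    """Split input into parsed events and raw lines that need new patterns."""
    parsed, unparsed = [], []
    for line in lines:
        event = parse_line(line)
        if event is None:
            unparsed.append(line)
        else:
            parsed.append(event)
    return parsed, unparsed


if __name__ == "__main__":
    events, leftovers = parse_lines(SAMPLE_LOGS)
    for ev in events:
        print(ev["category"], {k: ev[k] for k in ("host", "program", "facility", "severity")})
    print("unparsed:", leftovers)
```

The design point worth noticing is the two-level split: one envelope pattern per transport format, then a per-message table. Keeping the message patterns anchored with `^` and using named groups means a new pattern cannot accidentally shadow an existing category, and the unparsed list doubles as a coverage report when a new device is brought in.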

Upcoming Workshop on Windows Memory Analysis – If you find yourself in Deutschland you may want to check this out.

I’m excited to announce that I will hold a workshop on Windows Memory Analysis on Thursday September 13, 2007 at the IMF Conference in Stuttgart, Germany.

The workshop most likely will be themed around the detection of a trojan horse and a rootkit. During the 90 minutes I will demonstrate the usage of the Microsoft Debugger and some open-source tools.

Worm vs Thief: Take Your Pick – Wow. I would have loved to have been a fly on the wall during that conversation.

At a recent security conference (as many mentioned, presentations are not even half the value of such events!), I had this eye-opening chat with a guy who manages security at a large “natural resource extraction” company (to avoid specifics …). The conversation moved towards “data security” vs “IT infrastructure security,” which I always thought to be a somewhat artificial distinction (they are kinda the same since the sole purpose of IT infrastructure is to process and move data around). However, for this guy the difference was very real; in fact, he said: “I’d rather have all my critical systems fall to a worm than have the details of my mining process stolen and possibly disclosed! We will go out of business the next year.” I argued that surely his company has more assets and “crown jewels” than that, but he explained that there are key pieces that, if purposefully stolen, will cause the worst case scenario to manifest …

Project Lasso 4 Released – Collecting logs from a Windows box is a disgusting endeavor that usually leaves you feeling dirty and shamed. Tools like Lasso help you feel that much cleaner when you’re done 🙂

Project Lasso collects all log data from Windows hosts without the need for any agents or code installed on the remote system – this speeds up deployment and reduces administration, leading to a much higher ROI. Windows DLL files contain critical information relating to the log messages themselves.

Suggested Blog Reading – Tuesday July 31st, 2007

Only a couple of days left until I head out on vacation. Just so everyone knows, I will not be able to post anything during my time off as I will be someplace that does not have Internet access (crazy I know!).

“But Andrew…how will you survive?”

Don’t cry for me readers…I’ll be fine 🙂

Here’s the list:

Preventing and Detecting Sensitive Data on P2P Networks – Interesting post.

The problem is not so straightforward. It’s a mix of company policies, perimeter and endpoint protection, data protection, and culture. Alan fails to see the problem all the way through. Sure, your NAC might prevent P2P apps from exiting the network. But what about on employees’ home networks? Many people are being issued laptops so they can work from home, on the go, etc. How is NAC going to stop P2P there? How do you stop people from installing P2P apps on their personal computers? From bringing or sending data home through email, thumb drive, CD-RW?

Chief Security Strategist @ Splunk – Looks like Raffey is heading over to Splunk. Congratulations to you Raffey. I hope everything works out well for you.

Effective immediately, I have a new employer! I am leaving ArcSight to start working for Splunk, an IT search company in San Francisco. As their Chief Security Strategist, I will be working in product management, with responsibility for all of the UI and solutions.

The work I have been doing in my past with log management and especially visualization is going to directly apply to my new job. I will be spending quite some time helping further the visual interfaces and define use-cases for log management. Exactly what I’ve been doing for the last four years already.

For the first time – 4.1.2 CAM/CAS guides in HTML – You don’t really have to read this as it’s more for my future reference 🙂

CAM Guide:
http://cisco.com/en/US/docs/security/nac/appliance/configuration_guide/412/cam/412_cam_book.html

CAS Guide:
http://cisco.com/en/US/docs/security/nac/appliance/configuration_guide/412/cas/412_cas_book.html

The Inner Structure – Good post explaining the Vista event log XML structure.

By far the largest part of an event record consists of a complex binary XML structure. I’m going to explain its internals in a series of postings. I’m starting with an overview of the XML schema.

Fortunately the XML structure is not completely undocumented. The Microsoft Developer Network provides an extensive documentation of the XML schema.

Black Hat speaker denied entry to the US – This same thing happened to a co-worker of mine. He has been performing professional services for Q1 Labs for a few years now and only recently has it come up that he couldn’t enter the U.S. from Canada without paperwork. Andrew’s trick when asked what he is doing in the United States is to say “Training”. The follow-up is always “Giving or receiving” and my answer is always “Giving”. Another option is to simply say “meetings”.

Halvar Flake, well-known speaker on reverse engineering, was denied entry into the United States this weekend for his presentation at Black Hat 2007. Halvar had given presentations at Black Hat for the last seven years, but when he tried to gain entry to the US after a 9 1/2 hour flight, he was sent back to Germany due to a mistake he made in the visa process. The chances of him getting a visa and being allowed back into the US in time for his presentation are slim to none.

Wfuzz – A Tool for Bruteforcing/Fuzzing Web Applications – Another tool to check out.

Wfuzz is a tool designed for bruteforcing Web Applications; it can be used for finding resources not linked (directories, servlets, scripts, etc.), bruteforcing GET and POST parameters for checking different kinds of injections (SQL, XSS, LDAP, etc.), bruteforcing Forms parameters (User/Password), Fuzzing, etc.

YACoSTO, One Year Ago – Come on people…read the post 🙂

One year ago, to the day, I posted YACoSTO. I explained how I reversed a program that “protects” data. This is one of my favorite posts, but it hardly gets any hits. I encourage you to read it, because this time, I focus on reversing the protected data rather than the program itself. You might learn a couple of new and simple techniques.

Zero day IPS sigs leave a trail of crumbs for hackers – Interesting idea. I would have never thought about that. Perhaps I’m just inherently good 🙂

It’s Black Hat and the fur is going to fly this year it appears. Those two wild and crazy guys of Mac attack fame, Dave Maynor and Robert Graham of Errata Security, lead things off this year. According to this article in Dark Reading by Kelly Jackson Higgins, the former ISS guys are going to demonstrate how Black Hats can reverse engineer zero-day signatures like those used by Tipping Point to figure out where these perhaps unknown vulnerabilities exist and how to exploit them. Let’s be clear: Maynor and Graham say that this is not a Tipping Point only problem. But that is what they will be demonstrating. Could be a little payback from back in their ISS days.

Virtual Machine = Virtual Vulnerability? – Not good.

It seems that Ed Skoudis and team have come up with a way to really escape a VM and run an exploit on the host system. This is still “shaky” in terms of it’s not perfect and it’s not complete, but the potential consequences of this are pretty severe. VMs are used quite heavily today for many different things. One of the biggest being malware testing. The bad guys have already figured out a way to make that more difficult but this makes it even worse. A VM is used because it can be blown away and reloaded in a matter of minutes, so if it gets hosed it’s no big deal. If the bad guys can cause the VM to crash and then exploit the host machine, then that puts AV research in a bit of a bind. VMs are also used by companies to save space, hardware and time. Lots of security software runs on VMs and this has the potential to put all of that at risk.

F-Secure Reverse Engineering Challenge 2007 – Damn, bad timing. I wish this was happening in a few weeks instead.

Be ready to compete in the F-Secure Reverse Engineering Challenge (http://www.khallenge.com) this Friday. I expected the challenge to start on Thursday like last year, so now I have a scheduling conflict!

It looks like the challenge is organized like last year: go to the website and download the first challenge. Start the program, and provide the correct password (this is where reversing skills come in handy). You’ll be given an e-mail address in exchange for the correct password (a wrong password yields no e-mail address).
