<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Practical Issues in InfoSec &#187; CyberSecurity</title>
	<atom:link href="http://www.dlstrom.com/category/cybersecurity/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.dlstrom.com</link>
	<description>... putting information security within reach of everyone!</description>
	<lastBuildDate>Tue, 20 Dec 2011 17:00:00 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.3.1</generator>
		<item>
		<title>Reflections on NS2011 &#8211; Part 3</title>
		<link>http://www.dlstrom.com/2011/10/10/reflections-on-ns2011-part-3/</link>
		<comments>http://www.dlstrom.com/2011/10/10/reflections-on-ns2011-part-3/#comments</comments>
		<pubDate>Mon, 10 Oct 2011 18:00:00 +0000</pubDate>
		<dc:creator>Dan Strom</dc:creator>
				<category><![CDATA[CyberSecurity]]></category>
		<category><![CDATA[Training]]></category>

		<guid isPermaLink="false">http://www.dlstrom.com/?p=531</guid>
		<description><![CDATA[In addition to taking the GSE lab exam at Network Security 2011, I also enrolled to take the Web Application Penetration Testing and Ethical Hacking course. It was a 6 day course taught by Kevin Johnson. Some portions were taught by Justin Searle. They are both great instructors. My overall impression of the 6 days [...]]]></description>
			<content:encoded><![CDATA[<p>In addition to taking the GSE lab exam at Network Security 2011, I also enrolled to take the <a href="http://www.sans.org/security-training/web-app-penetration-testing-ethical-hacking-942-mid">Web Application Penetration Testing and Ethical Hacking</a> course. It was a 6 day course taught by Kevin Johnson. Some portions were taught by Justin Searle. They are both great instructors.</p>
<p>My overall impression of the 6 days of this course is very positive. Kevin is an engaging instructor, who uses real-world examples to drive home important points. Like the rest of us, he sometimes veers off on tangents. I found these tangents entertaining!</p>
<p>What&#8217;s the most significant thing I learned from taking this course? First off, I came away with an awareness of some of the things that I still do not know. Second, I have a much better understanding of what good practice is when developing a web application. Third, I now know enough to be dangerous with testing, and I need to actually start using what I&#8217;ve learned.</p>
<p>Ok, so that was 3 things that I learned!</p>
<p>Here is a brief overview of what the course covered:</p>
<ul>
<li>The course starts at the beginning with a review of some basic web application and penetration testing concepts.</li>
<li>The next day walks through gathering information about the organization and application (recon and mapping).</li>
<li>The third day covers discovering vulnerabilities and weaknesses in the application (server-side discovery).</li>
<li>Day 4 addresses vulnerabilities and weaknesses in the client-side piece of the application.</li>
<li>Day 5 is where exploitation of the previously discovered vulnerabilities is taught.</li>
<li>Finally, Day 6 is the culmination of the learning with a Capture The Flag exercise. This was done in an isolated network environment where we had to discover and exploit vulnerabilities in some common web applications. The goal was to find certain specific pieces of information &#8211; the &#8220;Flags&#8221;.</li>
</ul>
<p>I highly recommend this course for anyone needing a better understanding of web applications and how to find vulnerabilities in them. Much of the class is spent learning how to use automated tools such as proxies, scripting, and injection/cross-site attacks. It is very hands-on.</p>
<p>Beyond just the technical aspects of the course, there are always people who enhance the learning. I found the folks sitting around me to be valuable contributors to my learning. Asking questions and working together to find answers is very beneficial. Thanks Kevin, Tim, Justin, Brian, Patrick, Craig, Richard and others.</p>
<p>Go to the conference. Take the class. You will enjoy it.</p>
<p>- Dan</p>
]]></content:encoded>
			<wfw:commentRss>http://www.dlstrom.com/2011/10/10/reflections-on-ns2011-part-3/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Reflections on NS2011 &#8211; Part 2</title>
		<link>http://www.dlstrom.com/2011/10/07/reflections-on-ns2011-part-2/</link>
		<comments>http://www.dlstrom.com/2011/10/07/reflections-on-ns2011-part-2/#comments</comments>
		<pubDate>Fri, 07 Oct 2011 15:21:13 +0000</pubDate>
		<dc:creator>Dan Strom</dc:creator>
				<category><![CDATA[CyberSecurity]]></category>
		<category><![CDATA[Training]]></category>

		<guid isPermaLink="false">http://www.dlstrom.com/?p=528</guid>
		<description><![CDATA[Taking the GSE One of the primary reasons that I went to Las Vegas for NS2011 was to take the GIAC GSE hands-on lab exam. A huge motivation for me is that I hold several certifications, all of which need to be re-certified every 4 years. Holding the GSE would mean only having to re-certify [...]]]></description>
			<content:encoded><![CDATA[<h2>Taking the GSE</h2>
<p>One of the primary reasons that I went to Las Vegas for NS2011 was to take the <a href="http://www.giac.org/certification/security-expert-gse">GIAC GSE</a> hands-on lab exam. A huge motivation for me is that I hold several certifications, all of which need to be re-certified every 4 years. Holding the GSE would mean only having to re-certify one.</p>
<p>As of the time of writing this entry, I do not know whether I passed or not. If not, then I am hoping to be in Orlando in spring of 2012 to do a re-take.</p>
<p>Earning the GSE requires both a written exam and a hands-on lab exam. I passed the written exam in late summer. That qualified me to sit for the lab exam.</p>
<p>&#8212;&#8212;&#8212;&#8211;</p>
<p>There were 11 of us who took the lab exam. It was quite a mix of folks. My brother and I both sat for the exam. Most of us were from the U.S., but there was also representation from Egypt, Australia and New Zealand. I really believe the most enjoyable part was getting to know some of the other test-takers.</p>
<p>I really cannot share much about the lab exam itself. We were required to agree not to share details. The GIAC GSE webpage does give a pretty decent high-level listing of what you need to know and be able to practice.</p>
<p>How did I feel about the exam? It was tough. I choked on some things that should have been very simple. My time management was terrible. The most difficult part was not knowing exactly what we would be expected to demonstrate.</p>
<p>Yep. I&#8217;ll do it again if I didn&#8217;t pass. It&#8217;s worth the work of preparation and the stress of taking the exam.</p>
<p>- Dan</p>
]]></content:encoded>
			<wfw:commentRss>http://www.dlstrom.com/2011/10/07/reflections-on-ns2011-part-2/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Reflections on NS2011 &#8211; part 1</title>
		<link>http://www.dlstrom.com/2011/09/27/reflections-on-ns2011-part-1/</link>
		<comments>http://www.dlstrom.com/2011/09/27/reflections-on-ns2011-part-1/#comments</comments>
		<pubDate>Wed, 28 Sep 2011 01:00:00 +0000</pubDate>
		<dc:creator>Dan Strom</dc:creator>
				<category><![CDATA[CyberSecurity]]></category>
		<category><![CDATA[Training]]></category>

		<guid isPermaLink="false">http://www.dlstrom.com/?p=526</guid>
		<description><![CDATA[The Travel and Town I had the opportunity to attend SANS Network Security 2011 in Las Vegas from September 17-25. I attempted the GSE Lab exam the first two days, and then attended SEC542: Web Application Penetration Testing and Ethical Hacking. The flight to LV was pretty uneventful. As we flew across the western plains, [...]]]></description>
			<content:encoded><![CDATA[<h1>The Travel and Town</h1>
<p>I had the opportunity to attend <a href="http://www.sans.org">SANS</a> Network Security 2011 in Las Vegas from September 17-25. I attempted the GSE Lab exam the first two days, and then attended <strong>SEC542: Web Application Penetration Testing and Ethical Hacking</strong>.</p>
<p>The flight to LV was pretty uneventful. As we flew across the western plains, these circles were plentiful across the ground. These are not crop circles from aliens, but rather from irrigation pivots. This area has been suffering from drought, but irrigation helps as an equalizer. When we flew across Arizona, we could see the Grand Canyon out the window. Here is a picture of some irrigation circles&#8230;</p>
<p> </p>
<p><img style="display: block; margin-left: auto; margin-right: auto;" title="IMG_0004.JPG" src="http://www.dlstrom.com/wp/wp-content/uploads/2011/09/IMG_0004.jpg" border="0" alt="Irrigation Circles" width="300" height="224" /></p>
<p> </p>
<p>This was the first time that I had actually stayed in Las Vegas. I&#8217;ve driven through before, but never felt a need to stay. After being there for several days, there is no strong desire to make this a regular visit.</p>
<p>The conference was being held at <a href="http://www.caesarspalace.com">Caesar&#8217;s Palace</a>, but by the time I called to make a room reservation, there were no rooms available for the first two nights. So, I stayed across the street at <a href="http://www.ballyslasvegas.com">Bally&#8217;s</a>. Just like most hotels in Las Vegas, a casino is a part of the experience. No, I didn&#8217;t lose any money in the slot machines!</p>
<p> </p>
<p><img style="display: block; margin-left: auto; margin-right: auto;" title="IMG_0017.JPG" src="http://www.dlstrom.com/wp/wp-content/uploads/2011/09/IMG_0017.jpg" border="0" alt="IMG 0017" width="300" height="224" /></p>
<p> </p>
<p>The cost of food at the hotel/casino restaurants was more than I really wanted to spend and generally of a style different than what I care for. So, if I was not going to starve, I needed to find someplace else to eat. Using a great variety of apps on my iPhone, I searched and finally found what I was looking for (quite like U2, I suppose) down the street.</p>
<p>The walk down The Strip after dark is an experience. It was packed with people! Some were down-and-out. Others were trying to give the impression of a High-Roller. Most had adequate clothing on. Others looked like they were in a &#8220;Who Can Dress The Sluttiest&#8221; contest. Some were speaking English. Many were not. Most times the sidewalk was packed shoulder-to-shoulder with people.</p>
<p>I took the time to walk around Caesar&#8217;s Palace where NS2011 was being held. It is an opulent place.  Here&#8217;s a picture of the sports betting area&#8230;</p>
<p> </p>
<p><img style="display: block; margin-left: auto; margin-right: auto;" title="IMG_0018.JPG" src="http://www.dlstrom.com/wp/wp-content/uploads/2011/09/IMG_0018.jpg" border="0" alt="IMG 0018" width="300" height="224" /></p>
<p> </p>
<p>One end of Caesar&#8217;s Palace featured the Forum Shops. It is basically an up-scale shopping mall. As you would expect, there is a Roman theme to everything. This fountain was in the middle of an intersection&#8230;</p>
<p> </p>
<p><img style="display: block; margin-left: auto; margin-right: auto;" title="IMG_0019.JPG" src="http://www.dlstrom.com/wp/wp-content/uploads/2011/09/IMG_0019.jpg" border="0" alt="IMG 0019" width="300" height="224" /></p>
<p>&#8230;</p>
<p>When it came time to make the journey home, I was ready. There is a bus that shuttles visitors between the hotel/casino and the airport. The pickup time at the hotel was about 2 1/2 hours before my scheduled departure time so it seemed there would be plenty of time to make the flight.</p>
<p>So, you can imagine my surprise when we arrived at the airport and came upon one of the longest lines I have ever seen&#8230; I was even more surprised at how fast the line moved!</p>
<p>In the end, the trip back was uneventful. As John Denver said many years ago, &#8220;It&#8217;s good to be back home again. Sometimes this old house feels like a long lost friend.&#8221;</p>
<p> </p>
<p>Check back in a couple of days for Part 2.</p>
<p>- Dan Strom</p>
<p> </p>
]]></content:encoded>
			<wfw:commentRss>http://www.dlstrom.com/2011/09/27/reflections-on-ns2011-part-1/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Give Me A Reason To Encrypt My Wireless!</title>
		<link>http://www.dlstrom.com/2011/02/05/give-me-a-reason-to-encrypt-my-wireless/</link>
		<comments>http://www.dlstrom.com/2011/02/05/give-me-a-reason-to-encrypt-my-wireless/#comments</comments>
		<pubDate>Sat, 05 Feb 2011 11:58:53 +0000</pubDate>
		<dc:creator>Dan Strom</dc:creator>
				<category><![CDATA[CyberSecurity]]></category>
		<category><![CDATA[Network Security]]></category>
		<category><![CDATA[Tips]]></category>
		<category><![CDATA[wireless]]></category>

		<guid isPermaLink="false">http://www.dlstrom.com/2011/02/05/give-me-a-reason-to-encrypt-my-wireless/</guid>
		<description><![CDATA[That was the statement that a friend said to me this past week. Of course a statement like that implied that he had a completely open wireless network at his place of business. Open wireless is not all that uncommon. I&#8217;m using one right now as I&#8217;m writing this. There are many businesses that may [...]]]></description>
			<content:encoded><![CDATA[<p>That was the statement that a friend said to me this past week. Of course a statement like that implied that he had a completely open wireless network at his place of business.</p>
<p>Open wireless is not all that uncommon. I&#8217;m using one right now as I&#8217;m writing this.</p>
<p>There are many businesses that may have a legitimate reason to have open wireless&#8230;</p>
<ul>
<li>coffee shops</li>
<li>libraries</li>
<li>hotels</li>
<li>schools (maybe)</li>
</ul>
<p>But most have no business need for open wireless. If there is not a need, then it should be encrypted.</p>
<p>So, what are some good reasons for encrypting the wireless network?</p>
<ol>
<li>It helps to keep unauthorized users off your business network. You really don&#8217;t want to make it easy for someone to &#8220;accidentally&#8221; have access to your business information.</li>
<li>If credit card information traverses your network, then PCI-DSS may require it.</li>
<li>There are always people with less than honorable intentions looking for open networks. They may want access to your business information, or they may simply want to use your network to mount an attack on someone else.</li>
</ol>
<p>Encrypting your wireless is very easy and is done from the administrative interface on your access point. Be sure to choose WPA2 if that is an option. Give it a complex password. Don&#8217;t share the password with people not needing it.</p>
<p>These suggestions also are relevant to your home network.</p>
<p>Finally, many of the more publicized breaches have been launched because the victim company has used weak or no encryption.</p>
<p>- Dan</p>
]]></content:encoded>
			<wfw:commentRss>http://www.dlstrom.com/2011/02/05/give-me-a-reason-to-encrypt-my-wireless/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Mac OS X Anti-Virus Software &#8211; FREE</title>
		<link>http://www.dlstrom.com/2010/11/12/mac-os-x-anti-virus-software-free/</link>
		<comments>http://www.dlstrom.com/2010/11/12/mac-os-x-anti-virus-software-free/#comments</comments>
		<pubDate>Fri, 12 Nov 2010 17:18:07 +0000</pubDate>
		<dc:creator>Dan Strom</dc:creator>
				<category><![CDATA[CyberSecurity]]></category>
		<category><![CDATA[Data Integrity]]></category>
		<category><![CDATA[AV]]></category>

		<guid isPermaLink="false">http://www.dlstrom.com/?p=353</guid>
		<description><![CDATA[There was a time when the Macintosh computer was not a desirable target for malware writers. That is no longer the case. A simple Google search will turn up everything from proof-of-concept malware to malware that is actually in the wild. Options for AV on the Mac have generally been limited. Several years ago I [...]]]></description>
			<content:encoded><![CDATA[<p>There was a time when the Macintosh computer was not a desirable target for malware writers. That is no longer the case. A simple Google search will turn up everything from proof-of-concept malware to malware that is actually in the wild.</p>
<p>Options for AV on the Mac have generally been limited. Several years ago I purchased an AV product from a reputable company to run on my Mac. It had the unfortunate side-effect of killing the performance and making the computer crawl.</p>
<p>Another alternative has been to run ClamAV on the Mac OS X computer. I would not have recommended that for the non-technical home user.</p>
<p>Just this week I noticed that Sophos is making a version of their AV product available for FREE to home users. The link can be found <a href="http://www.sophos.com/products/free-tools/free-mac-anti-virus/download/">here</a>.</p>
<p>The installation is simple. Taking all the defaults automatically connects your computer to the Sophos update server and grabs the latest definitions.</p>
<p>When the install is done, you are greeted with the following window&#8230;</p>
<p><img style="display: block; margin-left: auto; margin-right: auto;" src="http://www.dlstrom.com/wp/wp-content/uploads/2010/11/SophosDone.jpg" border="0" alt="SophosDone.jpg" width="600" height="425" /></p>
<p> </p>
<p>When installation is complete, there is now a black shield on the menu bar. Clicking that shield gives a drop-down menu like this:</p>
<p> </p>
<p><img style="display: block; margin-left: auto; margin-right: auto;" src="http://www.dlstrom.com/wp/wp-content/uploads/2010/11/SophosMenu.jpg" border="0" alt="SophosMenu.jpg" width="256" height="270" /></p>
<p>The default configuration looks reasonable.</p>
<p>One of the best things is that I&#8217;ve not noticed a terrible slow-down of performance.</p>
<p>I would recommend the installation of <strong>Sophos Anti-Virus</strong> for Mac OS X users. The added benefit is that it is FREE for home use.</p>
<p>Be safe.</p>
<p>- Dan</p>
]]></content:encoded>
			<wfw:commentRss>http://www.dlstrom.com/2010/11/12/mac-os-x-anti-virus-software-free/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>19-1 Loss Is Not A Good Thing</title>
		<link>http://www.dlstrom.com/2010/07/27/19-1-loss-is-not-a-good-thing/</link>
		<comments>http://www.dlstrom.com/2010/07/27/19-1-loss-is-not-a-good-thing/#comments</comments>
		<pubDate>Tue, 27 Jul 2010 13:26:01 +0000</pubDate>
		<dc:creator>Dan Strom</dc:creator>
				<category><![CDATA[CyberSecurity]]></category>
		<category><![CDATA[General]]></category>

		<guid isPermaLink="false">http://www.dlstrom.com/?p=334</guid>
		<description><![CDATA[Last night the Kansas City Royals lost a baseball game to the Minnesota Twins by a score of 19 to 1. That tied the worst loss in the team&#8217;s history. Wow! I grew up listening to the Royals on the radio almost every night. Those were the days when the Royals were almost always in [...]]]></description>
			<content:encoded><![CDATA[<p>Last night the <a href="http://kansascity.royals.mlb.com/index.jsp?c_id=kc">Kansas City Royals</a> lost a baseball game to the <a href="http://minnesota.twins.mlb.com/index.jsp?c_id=min">Minnesota Twins</a> by a score of 19 to 1. That tied the worst loss in the team&#8217;s history. Wow!</p>
<p>I grew up listening to the Royals on the radio almost every night. Those were the days when the Royals were almost always in contention for the top spot in their division, led by players with names like Otis, Rojas, White, Brett, Mayberry, Busby, and many others. That does not seem to be the case now&#8230;</p>
<p>I keep wondering how this can happen? Last night it came down to pitching and hitting. The Twins kept hitting everything that the Royals threw, and the Royals didn&#8217;t. Someone on the Twins roster hit his very first major league home run &#8211; and it was a grand slam! (not good) The inability of the Royals over the past 20 years to regain their former status comes down to execution by players and management.</p>
<p>Now, let&#8217;s take a leap over to the information security things that I normally write about.</p>
<p>Last night&#8217;s loss illustrates an important point that we all should remember. Unless we are <a href="http://www.dlstrom.com/2010/07/23/must-be-diligent-always/">diligent</a>, it is easy to allow gaps to appear in what we are doing to protect our networks and important information.</p>
<p>Just as there was a huge gap last night between what the Royals didn&#8217;t do and what the Twins did do, so there is often a big gap in our protection measures. We get busy doing stuff, and allow little holes to appear.</p>
<p>This easily happens regardless of industry. There are federal regulations and industry guidelines to help us do the right thing. But if we don&#8217;t regularly evaluate what we are practicing, then gaps appear.</p>
<ul>
<li>How long has it been since you have reviewed your firewall configuration?</li>
<li>How about reviewing your logs for suspicious activity?</li>
<li>When was the last time that your policies were reviewed? Do they still fit your organization?</li>
<li>Is your patch management plan being followed?</li>
<li>Are you doing vulnerability assessment? How about pen testing?</li>
<li>How do you ensure that your software developers are baking good security practices into their code?</li>
</ul>
<p>Thought should be given to these, and many more, questions about your security practices. The Bad Guys are constantly looking for gaps in your coverage.</p>
<p>Don&#8217;t let yourself develop gaps that are too big and costly to overcome. Don&#8217;t have a game like the Royals did last night.</p>
<p>- Dan</p>
]]></content:encoded>
			<wfw:commentRss>http://www.dlstrom.com/2010/07/27/19-1-loss-is-not-a-good-thing/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>InfoSec Tip: Check Your Router Configuration!</title>
		<link>http://www.dlstrom.com/2010/07/22/infosec-tip-check-your-router-configuration/</link>
		<comments>http://www.dlstrom.com/2010/07/22/infosec-tip-check-your-router-configuration/#comments</comments>
		<pubDate>Thu, 22 Jul 2010 14:01:01 +0000</pubDate>
		<dc:creator>Dan Strom</dc:creator>
				<category><![CDATA[CyberSecurity]]></category>
		<category><![CDATA[Home InfoSec]]></category>
		<category><![CDATA[Passwords]]></category>
		<category><![CDATA[Tips]]></category>

		<guid isPermaLink="false">http://www.dlstrom.com/?p=330</guid>
		<description><![CDATA[Most folks will not understand (or even care about) the details of the recently reported DNS rebind vulnerability. But this problem affects many of the low-end cable and DSL routers that are used in homes and small businesses. Even more alarming is that a tool to exploit this vulnerability is to be released at Black [...]]]></description>
			<content:encoded><![CDATA[<p>Most folks will not understand (or even care about) the details of the recently <a href="http://darkreading.com/security/vulnerabilities/showArticle.jhtml?articleID=225900016&amp;subSection=Vulnerabilities+and+threats">reported DNS rebind vulnerability</a>. But this problem affects many of the low-end cable and DSL routers that are used in homes and small businesses.</p>
<p>Even more alarming is that a tool to exploit this vulnerability is to be released at <a href="https://www.blackhat.com/">Black Hat 2010</a> in just a few days.</p>
<p>What can you do to protect yourself from this exploit?</p>
<ol>
<li>Change the administrative passwords on your routers. All of your routers come with a well-known default administrative password. You should connect to the router and make sure that you are not using the default. You should also use a complex password.</li>
<li>Disallow remote administration of the device. Many routers allow administrative access from the Internet. This should be allowed only in rare and well-defined situations. Although this is not directly related to the DNS rebind problems, you should still verify this setting.</li>
<li>Upgrade the firmware to the latest version available from the manufacturer. Most manufacturers put out updates to the firmware that is running on their routers. If you are not running the latest version of the firmware for the router, go get it from the manufacturer&#8217;s website and do the upgrade. This will protect you from other attacks.</li>
<li>If you are using wireless, be sure to use WPA2 to protect your wireless connections. I hope you are not using WEP. Using WPA2 is much better. (A technical explanation is beyond the scope of this post.)</li>
</ol>
<p>These steps will minimize the attack surface on your devices.</p>
<p>Good luck!</p>
<p>- Dan</p>
]]></content:encoded>
			<wfw:commentRss>http://www.dlstrom.com/2010/07/22/infosec-tip-check-your-router-configuration/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>VIPRE Anti-Virus Premium</title>
		<link>http://www.dlstrom.com/2010/03/24/vipre-anti-virus-premium/</link>
		<comments>http://www.dlstrom.com/2010/03/24/vipre-anti-virus-premium/#comments</comments>
		<pubDate>Wed, 24 Mar 2010 16:04:29 +0000</pubDate>
		<dc:creator>Dan Strom</dc:creator>
				<category><![CDATA[CyberSecurity]]></category>
		<category><![CDATA[AV]]></category>

		<guid isPermaLink="false">http://www.dlstrom.com/2010/03/24/vipre-anti-virus/</guid>
		<description><![CDATA[When looking for a low-cost and lightweight anti-virus solution for my home computers, I came across VIPRE from Sunbelt Software. It can be found here. I have been using it for a few months and been very pleased. I have used the Big Names in the past &#8211; Norton/Symantec, McAfee, Webroot &#8211; and they have [...]]]></description>
			<content:encoded><![CDATA[<p>When looking for a low-cost and lightweight anti-virus solution for my home computers, I came across VIPRE from Sunbelt Software. It can be found <a href="http://www.sunbeltsoftware.com/Home-Home-Office/VIPRE-Antivirus-Premium/" target="_blank" title="here">here</a>. I have been using it for a few months and been very pleased.</p>
<p>I have used the Big Names in the past &#8211; Norton/Symantec, McAfee, Webroot &#8211; and they have provided the necessary protection. I have also used the Free ones &#8211; AVG, Avast, MS Security Essentials &#8211; and they also have worked.</p>
<p>So, why did I decide to use a relative newcomer?</p>
<ol>
<li>It is lightweight. This doesn&#8217;t mean that it cannot handle the big problems, but rather that it uses a small amount of memory and processing cycles to do the job. Some of the Big Names just suck up more of the computing power than I like.</li>
<li>Sunbelt offers a home site license. For $49/yr, I can use it on as many Windows computers as I have at home. Right now that is 4 physical machines and another three virtual machines &#8211; all for $49/yr.</li>
<li>Tech support and help with virus removal are included in the cost of the product. For many non-technical home users, the removal of a virus is extremely difficult. Sunbelt includes tech support to help with this.</li>
<li>A robust firewall is included with the product. I know that every version of Windows since XP sp2 has included a firewall. But I have found that the firewall included with VIPRE offers flexibility greater than the normal Windows firewall.</li>
<li>In addition to the home product, Sunbelt has an enterprise version of VIPRE. I&#8217;ve not worked with it yet, but this is a Good Thing.</li>
</ol>
<p>Get yourself the 30-day, fully functional trial of VIPRE. I think you will be pleased with the cost (both $$$ and cpu cycles), as well as the protection.</p>
<p>- Dan</p>
]]></content:encoded>
			<wfw:commentRss>http://www.dlstrom.com/2010/03/24/vipre-anti-virus-premium/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>7 Reasons Websites Are No Longer Safe &#8211; Network World</title>
		<link>http://www.dlstrom.com/2009/09/10/7-reasons-websites-are-no-longer-safe-network-world/</link>
		<comments>http://www.dlstrom.com/2009/09/10/7-reasons-websites-are-no-longer-safe-network-world/#comments</comments>
		<pubDate>Thu, 10 Sep 2009 13:00:07 +0000</pubDate>
		<dc:creator>Dan Strom</dc:creator>
				<category><![CDATA[Awareness]]></category>
		<category><![CDATA[CyberSecurity]]></category>
		<category><![CDATA[Attacks]]></category>
		<category><![CDATA[Websites]]></category>

		<guid isPermaLink="false">http://www.dlstrom.com/?p=284</guid>
		<description><![CDATA[Take a look at this article from Network World. It provides high-level descriptions of how you can get infected with malware even though you avoid shady or inappropriate websites. 7 Reasons Websites Are No Longer Safe &#8211; Network World And so that you don&#8217;t have to read the long version, here is the short version&#8230; [...]]]></description>
			<content:encoded><![CDATA[<p>Take a look at this article from Network World. It provides high-level descriptions of how you can get infected with malware even though you avoid shady or inappropriate websites.</p>
<p><a href="http://www.networkworld.com/news/2009/090909-7-reasons-websites-are-no.html?source=NWWNLE_nlt_daily_am_2009-09-10">7 Reasons Websites Are No Longer Safe &#8211; Network World</a></p>
<p>And so that you don&#8217;t have to read the long version, here is the short version&#8230;</p>
<ol>
<li>Polluted ads</li>
<li>SQL Injection attacks</li>
<li>User-provided content</li>
<li>Stolen site credentials</li>
<li>Compromised hosting service</li>
<li>Local malware</li>
<li>Hacker-engineered fakes</li>
</ol>
<p>Information technology professionals should take the time to understand each of these attack vectors. Users should look at this as an opportunity to increase their awareness.</p>
<p>- Dan</p>
]]></content:encoded>
			<wfw:commentRss>http://www.dlstrom.com/2009/09/10/7-reasons-websites-are-no-longer-safe-network-world/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>3 Lessons from the Twitter DDoS</title>
		<link>http://www.dlstrom.com/2009/08/06/3-lessons-from-the-twitter-ddos/</link>
		<comments>http://www.dlstrom.com/2009/08/06/3-lessons-from-the-twitter-ddos/#comments</comments>
		<pubDate>Fri, 07 Aug 2009 01:24:23 +0000</pubDate>
		<dc:creator>Dan Strom</dc:creator>
				<category><![CDATA[CyberSecurity]]></category>
		<category><![CDATA[Disaster Recovery]]></category>
		<category><![CDATA[Cloud Computing]]></category>
		<category><![CDATA[DDoS]]></category>
		<category><![CDATA[FaceBook]]></category>
		<category><![CDATA[SaaS]]></category>
		<category><![CDATA[twitter]]></category>

		<guid isPermaLink="false">http://www.dlstrom.com/?p=274</guid>
		<description><![CDATA[By now we&#8217;ve all heard that Twitter was offline for a couple of hours today, and that FaceBook was running slowly. The reports are that they both were victims of a Distributed Denial of Service (DDoS) attack. While this was limited to sites that, admittedly, have little measurable business value, what if it was a [...]]]></description>
			<content:encoded><![CDATA[<p>By now we&#8217;ve all heard that Twitter was offline for a couple of hours today, and that FaceBook was running slowly. The reports are that they both were victims of a Distributed Denial of Service (DDoS) attack.</p>
<p>While this was limited to sites that, admittedly, have little measurable business value, what if it was a business-critical site that was knocked off-line?</p>
<p>Now, stay with me while we take a bit of a leap&#8230;</p>
<p>Many small businesses and individuals are moving to &#8220;cloud computing&#8221;. Working documents are in the &#8220;cloud&#8221;. Software as a Service (SaaS) is finally starting to take off.</p>
<p>Now, if the &#8220;cloud&#8221; and SaaS provider that you are using are being hit with a DDoS, what plans do you have for your business?</p>
<p>Lessons for the small business&#8230;</p>
<ol>
<li>Know the risks associated with your technological model &#8211; in this case &#8220;cloud&#8221; vs local.</li>
<li>Make your DRP/BCP include plans in the event your providers are unavailable.</li>
<li>Finally, know what response you will have if your providers never return.</li>
</ol>
<p>Here&#8217;s hoping you have a weekend full of availability!</p>
<p>- Dan</p>
<p>UPDATE: The reports now are that many more sites were affected as a result of <a href="http://news.cnet.com/8301-27080_3-10305200-245.html">targeting ONE user</a> (from cnet.com)!</p>
]]></content:encoded>
			<wfw:commentRss>http://www.dlstrom.com/2009/08/06/3-lessons-from-the-twitter-ddos/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

