Archive for the ‘Reading’ Category

Book Review: Kingpin

2011/11/19

Written by journalist Kevin Poulsen (of wired.com’s Threat Level blog), Kingpin spans the hacking, cracking and carding underworld spread over several decades. The narrative covers the life and activities of Max Vision, a computer consultant, key member of the carding underworld and ultimately convicted criminal.

From the timescales involved, Kingpin covers many years, and several of Max’s ‘projects’ made national headlines at the time. Some, like the Pentagon being hacked via a weakness in BIND, were folklore by the time I personally entered the infosec profession, while others, like the ongoing wars and takedowns between various carder forums, were more recent and featured heavily in the press at the time.

The part of the book that I found fascinating throughout was that I was unaware that many of these, on the surface, unconnected stories were linked to the same individual; plus several more on the legal/whitehat side of the community, some of which I have used and experimented with prior to reading Kingpin. It’s usually interesting to get some of the backstory behind tools in this industry, but it’s especially the case with this backstory.

Equally, I found the portrayal of Max’s early years to be intriguing. Reading Kingpin I had the feeling (rightly or wrongly) that the outcome of the story could have been different had a couple of actions and/or decisions gone the other way, leaving Max as an asset to the infosec community rather than running one of the largest criminal forums on the net. I can’t help wondering if Max could have ended up being a positive force in the infosec community, or if those that are could have ended up going the same route had circumstances been slightly different.

From the right side of the law, I was fascinated with the details of Special Agent Mularski’s undercover work as Master Splyntr. Like a lot of the content of the book, I was familiar with the impact Splyntr had had within the carding community from several press articles at the time, but hadn’t dug in too much depth. Knowing more about the time and dedication required by one man that ultimately led to many arrests, I’d like to make an offer to Agent Mularski: if we’re ever in the same place, introduce yourself and the drinks are on me (and hopefully the war-stories are on you).

If you’ve got any interest in information security or crime in general, I’d strongly recommend that you put a few hours aside to read Kingpin. If you’re disappointed after you finish I’ll be surprised.

–Andrew Waite

Categories: InfoSec, Reading

Book Review: Zero Day

2011/11/14

Written by Microsoft’s Mark Russinovich, Zero Day focuses on the actions of a security consultant who starts a job for a client whose systems have been infected with unknown malware and taken out of action. With the business losing money and circling the drain whilst its systems are out of action, the characters rapidly find themselves caught up in a plot far larger than they originally signed up for.

The scope of the plot starts out slow, and rapidly expands to cover a full gamut of topics, from skiddies in IRC channels and Russian hackers for hire, to corrupt government officials and Al Qaeda terrorist plots (even Bin Laden turns up in person). Despite the Hollywood style plot elements, Russinovich keeps the technical aspects of the plot grounded in reality, even to the level that the odd code segment included can be reviewed by a (semi)proficient reader, who can determine the next plot arc before the characters reach the same conclusions.

The overall story, and the culture the characters operate in, clearly show the difference between an author with a technical background and plenty of real world experience with the subject matter, over a proficient author who has had expert assistance to get the technical aspects of a story to a plausible level, and makes a very welcome change in this growing area of fiction. Russinovich’s experience working with government and industry parties as part of the recent clampdown on botnets is a clear influence on the Zero Day story arc. Thankfully, despite this being Russinovich’s first novel I found it surprisingly well written, with believable characters and a plot that I became emotionally invested in (and without spoilers, cheered inside when a certain character got what I’d felt from first introduction that they deserved).

If you’ve got any interest in information security, computer/network administration or just good sci-fi I’d strongly recommend picking up a copy of Zero Day. It may be shorter than I would have liked (only because I want MORE) but I thoroughly enjoyed the time spent in its created scenario. Hopefully it will serve as a warning of what could happen, rather than a premonition of an actual occurrence; unfortunately it’s likely that those with the true power to stop events similar to the book’s plot won’t be interested in the story summary and will miss the warning.

— Andrew Waite

Categories: InfoSec, Reading

Book Review: 7 Deadliest Web Application Attacks

A while ago I was offered an excellent opportunity to read and review Mike Shema’s contribution to Syngress’s Seven Deadliest series focused on web application security. My first impression was very positive, and now I’ve had a chance to get my hands on the finished product I haven’t been disappointed.

As with the rest of the Seven Deadliest series, the book is broken down into seven chapters, each focusing on a key attack vector. Covered in Web Application Attacks are:

  1. Cross-Site Scripting (XSS)
  2. Cross-Site Request Forgery (CSRF)
  3. SQL Injection
  4. Server Misconfiguration and Predictable Pages
  5. Breaking Authentication Schemes
  6. Logic Attacks
  7. Malware and Browser Attacks

I’ll be the first to admit that web application security isn’t my forte. Rather than let that put me off, this was the appeal of the Seven Deadliest series: given the target topic, the book’s aim is to succinctly cover the core issues and let the reader quickly get to grips with the subject material. Shema does this brilliantly; before reading the book I (thought I) was comfortable with my understanding of web application security issues, after reading I’m now confident in both my theoretical understanding and, crucially, the technical implementation of the attack vectors discussed.

While the material is accessible to a newcomer to web application security, Shema wasn’t able to cover all subjects touched on during the book. For example, character encoding sets are discussed quite heavily during the cross-site scripting chapter, but aren’t explained in depth at a low level. As a result, what a reader is able to take away from the book will likely be dependent on the experience and knowledge that the reader is able to bring to the material. In my case I was more comfortable with the chapters covering server misconfiguration (chapter 4) and malware (chapter 7).

After re-reading the material I would recommend this book to anyone that deals with web sites in any way (that’s you), especially considering the price of the Seven Deadliest books. I’d also take a look at the rest of the series, covering:

— Andrew Waite

(oh, and if you won’t take my word for it, pay attention to the recommendation on the back….)

“The threats highlighted should be understood by Web developers, administrators, and general users alike. If you use the Web in any way then this should be on your bookshelf. In addition to detailing the threat Shema also provides countermeasures to minimize or remove the risk, but be warned; you may never look at a Web site in the same way again.”

Andrew Waite, Security Researcher, InfoSanity Research

Gain and maintain passion for infosec

I’ve had this post in the back of my mind for a while, but have held back as it is quite a personal topic. When talking to anyone working in infosec one aspect remains constant, from the rockstars at the top of the media game to the guys in the trenches or the newbies looking for a break; that constant is passion. Ultimately passion is what makes the difference between a job and a career, and in a world with the extracurricular requirements, continued professional development and somewhat crazy work hours that are related to the infosec world, passion can be easy to lose and the daily grind results in the infamous burn-out. This makes it really important to have a few ways to remind you why you do what you do.

Looking back it’s easy to identify moments of my life that resulted in an interest for information security, even if the consequences weren’t obvious at the time.

Hackers (yes, the film)

Okay, I’ll come out of the closet on this one. When I rented the film this was my first introduction to the ideas of information security and the world of hacking. No, the film isn’t completely accurate, but what do you expect from Hollywood? What the film did do was start a burning desire to learn more, and as a kid geek who didn’t like the idea of being able to pull Miss Jolie with a laptop and elite skillz? As a result I spent the next few years Googling (OK, searching, Google wasn’t around at the time) hacking and reading any number of ‘how to start hacking’ files. Every now and then I still take the DVD from the box and re-watch the film that, for me, started it all. Hack-the-planet…

DooM

While this game was causing controversy at the time it was responsible for my learning computer basics and, in hindsight, the first time I circumvented access controls. The story is thus:

One Christmas (I was 8) my family got our first Windows PC (BBC Micro B with tape drive prior to this). After playing around and gaining my MCSE (Minesweeper Champion and Solitaire Expert) I found the icon for this thing called DooM on the desktop, and it was good. When my parents spotted me playing it, they reacted to the media controversy and removed the game (well, the shortcut); a while later I’d found my way around an MS-DOS shell and was executing doom.exe from the command line. This lasted a couple of weeks before I was spotted again; after I was ‘persuaded’ to explain how I was still playing I had to teach my parents how to actually delete programs. Which did nothing but provide the opportunity for me to pick my first lock to get the install floppies from the disk box, but that’s another story.

Where Wizards Stay Up Late

One of many hacking related books I ended up reading in my initial search for information was Where Wizards Stay Up Late. If you’ve not read it, the book documents the history of the internet, from the early days of DARPA onwards. For me this book provided the belief that computers could be a valid career path and, contrary to my teacher’s belief at the time, not just something that kids play with. All self-respecting geeks should know the history of their craft and the people that made it possible, so if the names Licklider, Larry Roberts, Frank Heart, Honeywell or BBN mean nothing to you I strongly recommend that you pick a copy of the book up.

Ethical Hacker Network

EH-Net was my first introduction to actually communicating with others doing infosec in the real world. The forums are an excellent source of information, discussion and support, and unlike many ‘hacker’ forums newbies and outsiders will be welcomed and supported as they find their feet rather than being ridiculed and ignored for asking ‘stupid’ questions. The support and discussions I received when I first became an active member of the forums gave me the belief and confidence that I could make an information security career a possibility, and I’ve made some great friends and contacts as a result. My biggest regret at the moment is that I don’t have enough time to be anywhere near as active in the forums as I once was, although I do intend to change this.

The best individual resource on EH-Net that I found for gaining and maintaining my passion for an infosec career is Don’s presentation DIY Career in Ethical Hacking. The slides and audio are here, I strongly suggest you take an hour to listen to the advice Don shares. In my case when I first heard the talk I took Don’s advice and had a serious look at my career and where I wanted to be in a few years; as a result I registered infosanity.co.uk a week later. I still listen to the audio every 6-12 months to ensure I can stay on track. Thanks Don 😀

Conscience of a Hacker (Hackers Manifesto)

Possibly one of the best known pieces of ‘hacker’ literature was released in Phrack back in 1986. Written by ‘The Mentor’ aka Loyd Blankenship, it provides a unique and hard-hitting explanation of why some hackers are hackers, and for the typically introverted geek can help explain some very deep feelings to those that don’t understand. For a number of years I have owned a copy of the DVD recording of Blankenship’s presentation at 2600’s H2K2 conference and always find it inspirational; the story of a kid that showed his parents the article and stated ‘this is how I feel at school’ really highlights the power the article can have. Whether you’re already familiar with the article or haven’t encountered it before I’d suggest both reading the original and listening to Blankenship’s recitation and discussion of the article here[.mp3].

—–

That’s my list; whenever the daily grind starts getting on top I can always count on one of the above resources to remind me why I want a career in infosec, or more importantly why I want to turn my hobby and passion into a career.

If you’ve got similar stories, or additional inspirational resources to share, I’d love to hear them.

— Andrew Waite

Categories: InfoSec, Reading

Book Review: Virtualization for Security

2010/02/27

After having this on my shelf and desk for what seems to be an eternity, I have finally managed to finish Virtualization for Security: Including Sandboxing, Disaster Recovery, High Availability, Forensic Analysis and Honeypotting. Despite having one of the longest titles in the history of publishing, it is justified as the book covers a lot of topics and subject matter. The chapters are:

  1. An Introduction to Virtualization
  2. Choosing the right solution for the task
  3. Building a sandbox
  4. Configuring the virtual machine
  5. Honeypotting
  6. Malware analysis
  7. Application testing
  8. Fuzzing
  9. Forensic analysis
  10. Disaster recovery
  11. High availability: reset to good
  12. Best of both worlds: Dual booting
  13. Protection in untrusted environments
  14. Training

Firstly, if you’re not security focused don’t let the title put you off picking this up. While some of the chapters are infosec specific a lot of the material is more general and could be applied to any IT system, the chapters on DR, HA and dual booting are good examples of this.

Undoubtedly the range of content in the book is one of its biggest draws. I felt like a kid in a sweet shop when I first read the contents and had a quick flick through; I just couldn’t decide where to start. This feeling continued as I read through each chapter: different ideas and options that I hadn’t tried were mentioned and discussed, resulting in me scribbling another note to my to-do list or putting the book down entirely while I turned my lab on to try something.

The real gem of information that I found in the book was under the sandboxing chapter, which was one of the topics that persuaded me to purchase the book in the first place. Considering that one of the book’s authors is Carsten Willems, the creator of CWSandbox, it shouldn’t be too surprising that this chapter covers sandboxing well. The chapter also covers creating a LiveCD for sandbox testing; while very useful for the context it was explained in, it was one of several parts to the book where my brain started to hurt from an overload of possible uses.

As you might have already guessed, the range of topics is also one of the book’s biggest weaknesses. There just isn’t enough space to cover each topic in sufficient depth. I felt this most in the topics that I’m more proficient with; while the Honeypotting chapter does a great job of explaining the technology and methodology, I was left wanting more. The disappointment from this was lessened on topics that I have less (or no) experience with as all the material was new.

Overall I really liked the book, it provides an excellent foundation to the major uses of virtualisation within the infosec field, and perhaps more importantly leaves the reader (at least it did with me) enthusiastic to research and test beyond the contents of the book as well. The material won’t help you become an expert, but if you want to extend your range of skills there are definitely worse options available.

–Andrew Waite

Categories: InfoSec, Reading

Review: Professional Penetration Testing (for EH-net)

2009/09/28 1 comment

I was recently asked by Don over at EH-Net if I would be interested in reviewing a new book by Thomas Wilhelm of Heorot.net: ‘Professional Penetration Testing: Creating and operating a formal hacking lab’. Naturally I jumped at the opportunity.

I don’t want to discuss the book in too much detail here, as you can read the full review at Ethical Hacker here, but the book is a great addition to my home library. Don also worked his magic to convince the publisher to release a chapter from the book free of charge; chapter four covers the initial setup and configuration of a hack lab environment, and can be downloaded from the review.

Hope the review is of use to someone out there, thanks to Thomas for writing the book in the first place and to Don for hooking me up with the review.

Andrew Waite

Categories: InfoSec, Lab, Reading, VMware

Good night Milw0rm

Final Update: Crisis averted, Milw0rm is still up and functioning.

Looks like Milw0rm is calling it a night. Haven’t been able to get any official word as the site is unavailable. As the site is now unavailable it’s hard to tell what happened, but an ISC diary has this message from the site:

Well, this is my goodbye header for milw0rm. I wish I had the time I did in the past to post exploits, I just don’t :(. For the past 3 months I have actually done a pretty crappy job of getting people’s work out fast enough to be proud of, 0 to 72 hours (taking off weekends) isn’t fair to the authors on this site. I appreciate and thank everyone for their support in the past.
Be safe, /str0ke

Always a shame when a big player in the infosec community closes its doors. My thanks to all those who contributed and ran the site when it was a going concern; and if anyone has a recent mirror, I’d appreciate a copy, mine’s a little dated 😥

Andrew Waite

Update:
Looks like the fat lady may not be singing for Milw0rm just yet, Str0ke posted this on Twitter:

I have talked with a few friends and I’ll be handing the site over so a group of people can add exploits / other things to the site. Hopefully it will be a new good start

Plus Dale Pearson of Security Active pointed me in the direction of splo.it, which is currently posting nothing but a farewell to Milw0rm. Given the (rather cool) URL it may become Milw0rm’s spiritual successor.

Update 2:
This keeps on going: Milw0rm came back and then died under the load of people trying to grab an up-to-date archive (ISC Diary). Until/if Milw0rm comes back for good you can get a copy of the July archive via Security Database Tools Watch.

Categories: Exploit, InfoSec, Reading, Tool-Kit