DojoSec

Interview with Dan Kaminsky at ShmooCon 2010

Marcus J. Carey — Fri, 05 Mar 2010 04:46:51 +0000

Dan Kaminsky provided some insight on the hacker community and culture at ShmooCon 2010. I always enjoy talking to different people on their views. I’m playing devil’s advocate a bit here probe for good answers.

Dan Kaminsky – Dissecting the Hack Interview from Marcus J. Carey on Vimeo.

Information Security and Starfish

Marcus J. Carey — Wed, 17 Feb 2010 03:29:17 +0000

One of my favorite stories when it comes to helping people out is the story of a little girl on the beach. The story tells the tale of a young girl throwing starfish back into the ocean to save them from dying. An old man approaches a young girl, then tells her that there are hundreds of starfish on the beach, it would be impossible to save all of them.

The old man told her the work she was doing didn’t matter.The little girl picked up another starfish and looked at the old man. She then throws the starfish in the ocean and tells the old man, “It mattered to that one.”

My goal is to help as many as possible. If what I say matters to one person that needs guidance in information security, I consider my efforts a success. Our industry is filled with brilliant people. Sometimes if things aren’t considered groundbreaking, it can be easily dismissed as nothing new. We tend to focus on the things that we know, instead of picking up any new nuggets that may be available for the taking.

Everything little bit matters in this game.

Jeremy Brown – From Static Analysis to 0day Exploit

Marcus J. Carey — Mon, 07 Dec 2009 17:34:00 +0000

At DojoSec the mission is to spread security knowledge in all forms of delivery. Our newest effort is called DojoSec Sessions which will feature screen captures and presentations from top-notch security professionals. DojoSec presents Jeremy Brown with an excellent presentation on Finding Vulnerabilities with Static Analysis. Thanks Jeremy for your contribution!

Mobile Communications Security Symposium

Marcus J. Carey — Mon, 30 Nov 2009 14:16:00 +0000

REGISTER ASAP – The Capitol College Innovation and Leadership Institute will host the Mobile Communications Security Symposium on December 4, 2009 from 8 a.m. to 12 p.m., on campus, in the Avrum Gudelsky Memorial Auditorium. There is no cost to attend this event. To learn more about the program and the speakers, please visit http://www.capitol-college.edu/news-events/news-headlines/698.

To register for the symposium:

Send an email to ili@capitol-college.edu

Subject: Register, Mobile Comm. Security Symposium

_MJC_

Marcus’ Mailbag: Policy, Enforcement, and Monitoring

Marcus J. Carey — Thu, 26 Nov 2009 01:14:00 +0000

I received the following email on Commercial vs. Open Source, Policy, Enforcement, and Security Monitoring. I’m posting this email in order to share some of the views. It could be perceived as a bit of a rant, but I’m posting it below because it could spark some thought and conversation. Let me know what you think. If you have problem with the grammar, please rely on context clues. _MJC_

=-=-=-=- BEGIN E-MAIL -=-=-=-=

In the Network security field they are vendors that sell products. They claim the products will catch the bad guys, disassemble malware and save the world. All we need to do is buy their products.

Then they are those Open Source vendors that sell support of some open source tool like Clam AV or Snort all we need to do is use it right and we are safe and they sell themselves as consultants. This model for doing business is not new, In the Financial services industry you have those who claim to be financial planners and when you go and see them they do a budget workup with you and then sell you commission based products like life or medical insurance. Then you have those who claim to be fee based financial planners (much like the open source pimps) and sell you things like Term insurance or no load mutual funds you supposedly pay for their expertise.

The problem with these approaches is they are PRODUCT based. The real solution is a mindset and action to get the desired results not some product Open Source or otherwise.

Network Security is not brain surgery. You need policy, enforcement and monitoring. If those 3 are not done then things break down.

Policy that is not enforced is useless, it’s just as bad as if there was no policy at all. In fact if you have a policy you are lured into a sense of false security. If there is no Policy users know they are left to fend for themselves. At [ XYZ ] we don’t have a problem in areas like Europe where privacy laws demand they users not be monitored or punished for breaking policy. It’s the areas where we have the strictest policies that we have problems.

Enforcement – If policies are not enforced then it is useless. Same with dealing with problem areas of the network. If management turns a blind eye towards tunneling and insists on using systems that are not locked down. Giving most users admin rights and walking on egg shells and not going after employees equally for violations you will never secure the network.

Monitoring – I know a few companies we work with and problems arise and you find out that they have a special internet connection that is not being monitoring. They have this special RESEARCH network they can surf porn on. They tether their laptops with their Blackberries or use a SSL tunnel to do whatever they want on the network. Especially in the technical companies the very ones that should be examples and protecting their networks are doing these things. I have seen individuals have their IP addresses Whitelisted so they could watch movies all day claiming they are doing company business then we all wonder how malware got on the network.

Products do not protect or defend the real network. They point out the obvious and until someone pokes their finger at the sore and lets the world know they need to change network security is a charade. Even DojoSec with it open source pimps is not making things better unless it goes after the above mentioned issues.

That’s my 2 cents…

=-=-=-=- END E-MAIL -=-=-=-=

Virtualization is Great for Forensics

Marcus J. Carey — Tue, 24 Nov 2009 15:03:00 +0000

The rumblings suggesting that “The Cloud” and Virtualization is an enormous hindrance to digital investigations are exaggerated. These claims sound like scare tactics to me, I think virtualization makes incident response to computer crime much more efficient. The goal of incident response is to preserve as much information as possible. Software such as Live View from CERT is great because it allows investigators to boot disk images.

Virtualization is cutting out the middle man here, as an investigator I’d rather have a virtual machine instead of a disk image. Virtual machine copies provided by service providers provide a “self contained crime scene”, since the virtual machine is frozen in time including the memory. At DojoCon 2009, Richard Bejtlich shared a story were investigators responded to an incident working with a Cloud Provider and were greeted with a shrink wrapped crime scene.

Anyone who as ever used a product such as VMware may have copied and moved images, this is a good thing. It seems that when some are dedicated to screaming about problems, they may be ignoring a great solution staring them right in the face.

_MJC_

Google Hacking Renders Redaction Futile

Marcus J. Carey — Mon, 23 Nov 2009 16:11:00 +0000

Lately, I’ve been looking at tons of SQL injections and SWF login blog posts and screen captures. I notice most hackers attempt to redact the compromised URLs. However, in most cases there is enough information from the screen captures to find the sites.

The attempt to redact the information is an attempt to protect the innocent. The latest instance of this was a blog post on a Symantec SQL Injection that yielded tons of information including serials and passwords. The image below is a screen capture posted within the blog post.

Next, I visit Google and type: site:symantec.com intitle:Teacher Sima

This is just basic Google Hacking here, nothing advanced. This is something I’ve been instinctively doing when I see something like this.

So the question is “Why redact?”

_MJC_

Metasponse Talk at Techno Forensics

Marcus J. Carey — Thu, 29 Oct 2009 12:14:00 +0000

My friend Joshua Marpet recorded video of me doing my Metasponse talk at the Techno Forensics Conference at NIST on his iPhone. He’ll be sending me the complete video so I can post it as one. Although I could take my own video equipment everywhere with me, it sometimes feels stage. This is as real as it gets. Thanks Joshua!!

Marcus J. Carey – Metasponse Talk @ Techno Forensics Conference from Marcus J. Carey on Vimeo.

Cloud Computing and Sunburn

Marcus J. Carey — Wed, 14 Oct 2009 15:14:00 +0000

Can you get sunburn if it’s cloudy outside? The answer is yes, because the clouds don’t block the dangerous rays that burn and cause cancer. Many people believe that the clouds give their skin protection against the sun. This is a big mistake that I’ve found out first hand many times recently. So I tend to put on sun block before I go outside for long days. Our skin is a major asset because it is the first line of defense against infection. We are personally responsible for protecting our asset by applying sun block when needed.

In the information technology industry, Cloud Computing has reminded me of the false sense of security that real clouds have given us. Recently the T-Mobile/Microsoft Sidekick data loss debacle has put into question the reliability of Cloud Computing and Cloud Storage. It is important to remember, when we outsource services and infrastructure to the Cloud, we don’t outsource responsibility.

The T-Mobile Sidekick issue affected many consumers. Just imagine if this was a billion dollar sales organization which lost sales leads, bad news. Several Google Apps services have been disrupted lately, thank goodness there has been no data loss associated with those outages. If Google were to lose my critical data, whose fault would it be for no back-ups? The old saying goes, “When you point your finger at someone, there are three fingers pointing back at you.”

I believe that Cloud solution providers will do their best job (hopefully) to maintain confidentiality, integrity, and availability of their client’s data. When it comes down to it, each organization still must accept responsibility and accountability for their critical assets. If you moved to the Cloud, your business continuity and disaster recovery plans should reflect the worst case scenario.

This means you should have some sort of limited backups that your organization controls. At least perform an assessment of what the minimum requirements are, and then make plans accordingly. I’m not telling you anything new here, it takes a bit of effort. Who are we kidding? Hard drives fail, tape backups didn’t backup anything, back-ups fall off trucks, dog ate my homework, etc…

No one, not even the Cloud, is going to do your pushups for you. Cloud Computing won’t keep your organization from getting burned.

Malwarebytes – An Effective Malware Removal Tool

Marcus J. Carey — Sun, 04 Oct 2009 22:50:00 +0000

If you are having a tough time removing malware from your PC, you might want to check out Malwarebytes Anti-Malware software. Thankfully, you can download a free version which is very effective at removing malware from your Microsoft Windows based system.

Malwarebytes is so effective, that it is one of the preferred tools used for malware removal within the U.S. Government. It produces equal or better results than many other commercial tools on the market. It’s very simple to use and the scanning process is relatively fast in comparison to other malware removal tools.