<?xml version="1.0" encoding="iso-8859-1"?>
<!-- generator="FeedCreator 1.7.2" -->
<rdf:RDF
	xmlns="http://purl.org/rss/1.0/"
	xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	xmlns:dc="http://purl.org/dc/elements/1.1/">
	<channel rdf:about="http://www.cyberguardians.org">
		<title>Joomla! powered Site</title>
		<description>Joomla! site syndication</description>
		<link>http://www.cyberguardians.org</link>
		<image rdf:resource="http://www.cyberguardians.org/images/M_images/joomla_rss.png" />
		<dc:date>2008-08-07T15:04:55+01:00</dc:date>
		<items>
			<rdf:Seq>
				<rdf:li rdf:resource="http://www.cyberguardians.org/content/view/85/"/>
				<rdf:li rdf:resource="http://www.cyberguardians.org/content/view/83/"/>
				<rdf:li rdf:resource="http://www.cyberguardians.org/content/view/82/"/>
				<rdf:li rdf:resource="http://www.cyberguardians.org/content/view/80/"/>
				<rdf:li rdf:resource="http://www.cyberguardians.org/content/view/78/"/>
			</rdf:Seq>
		</items>
	</channel>
	<image rdf:about="http://www.cyberguardians.org/images/M_images/joomla_rss.png">
		<title>Powered by Joomla!</title>
		<link>http://www.cyberguardians.org</link>
		<url>http://www.cyberguardians.org/images/M_images/joomla_rss.png</url>
	</image>
	<item rdf:about="http://www.cyberguardians.org/content/view/85/">
		<dc:format>text/html</dc:format>
		<dc:date>2008-08-01T09:54:11+01:00</dc:date>
		<dc:source>http://www.cyberguardians.org</dc:source>
		<title>Book Review: Real Digital Forensics</title>
		<link>http://www.cyberguardians.org/content/view/85/</link>
		<description>In continuing my tradition of reviewing books that are 2 or 3 years old, I have recently finished reading Real Digital Forensics by Keith Jones, Richard Bejtlich, and Curtis Rose. Yeah, I hate paying full price for a new book, but mostly it's because I buy so many books that by the time I get around to actually reading them, it's been a few years. Now on to the review.

With this group of experienced authors, it's hard to imagine the book not being a success. While not spectacular, this book is very solid and fairly easy to read. I would have to say that for someone looking to attend the SANS hacking and forensic courses, this book could easily fill the gap and save you thousands of dollars. One thing I really liked was that they did not waste time on any fluff chapters about the history of whatever; they just jumped right into the material. They also made it a point to show the differences between incident response on *nix vs. Windows. All the chapters that focused on analysis and response were dead on. They included great case data on the book DVD, which helps you work through the sample cases as well. That is a huge feature that needs to become standard in security books, where feasible. Probably the standout feature of the book for me, though, was their chapters on analyzing unknown binaries. By following along step by step through the cases, it helps turn something that is considered more of an art into a science. They also include good coverage of doing a forensic analysis of a Palm device, and included the requisite chapters on email investigation, registry analysis, and browser forensics. One thing that I took note of during the book was the chapter on building a response toolkit. They pointed out that you need to use Filemon to ensure none of your trusted tools access the victim's system for resources and instead are using libraries from your toolset.
The authors also did a good job of showing both open source and commercial tools throughout the book.

One of the things I didn't enjoy about the book was the coverage on duplication. But I guess you can't really do much with a topic that boring. Also, the chapter on domain ownership seemed more like a chapter on their DNS project, so it wasn't very useful. Other than that, I would have liked to have seen some coverage of cell phone forensics, which is becoming more mainstream.

Overall, though, this was a great book that I would recommend to anyone in the security field and also to system administrators. The authors' knowledge of this subject is top notch and it's good to be able to glean information from them. Not to mention, you can gain a lot of practical experience by working through the example cases on the DVD. You can read my notes on the book here (content/view/84/45/).</description>
	</item>
	<item rdf:about="http://www.cyberguardians.org/content/view/83/">
		<dc:format>text/html</dc:format>
		<dc:date>2008-04-16T11:52:28+01:00</dc:date>
		<dc:source>http://www.cyberguardians.org</dc:source>
		<title>Book Review: Virus Research &amp; Defense</title>
		<link>http://www.cyberguardians.org/content/view/83/</link>
		<description>I recently finished reading The Art of Computer Virus Research and Defense (http://www.amazon.com/Computer-Virus-Research-Defense-Symantec/dp/0321304543/ref=sr_1_1?ie=UTF8&amp;s=books&amp;qid=1208360397&amp;sr=1-1), and believe me, that was no small task. It's easily one of the more technical books you will read. That's a tribute to the author, Peter Szor, who in my opinion is one of the founding fathers of malware analysis. His knowledge of this subject is immense. To get the most out of the book, though, you would be advised to have at least a basic understanding of C++ code, IA-32 assembly, and Windows APIs. It would be even better if you had some debugging and malware profiling experience. The book's aim is to provide a thorough understanding of viruses by type, infection strategy, and payload strategy, while explaining antivirus techniques and mitigation options.

Before I delve into the content too much, I would like to touch on some of the shortfalls of the book. First off, it's not written in a traditional manner that could be easily used as a reference. It very much reads like a wiki or personal notes, which it is in effect; however, that doesn't make for easy reading. I also felt the first 3 chapters took up way too much space, which could have been used for more productive topics. I particularly hated Chapter 3, where every virus type and dependency is simply listed out in no cohesive manner. My only other complaint would have been to limit the discussion of older, non-relevant viruses to a concept only and focus more on a deeper understanding of more current threats. I would like to have seen several in-depth case studies in the appendix (CodeRed, Sasser, Blaster, Bagle, Slammer, etc.). I also wish it came in hard cover, because my paperback binding is already in shambles from frequent page turning and rereading.</description>
	</item>
	<item rdf:about="http://www.cyberguardians.org/content/view/82/">
		<dc:format>text/html</dc:format>
		<dc:date>2007-12-03T11:39:21+01:00</dc:date>
		<dc:source>http://www.cyberguardians.org</dc:source>
		<title>Another nail in the coffin for MD5</title>
		<link>http://www.cyberguardians.org/content/view/82/</link>
		<description>While collisions in MD5 hashes are nothing new, this most recent study by Stevens, Lenstra, and de Weger (Article Link (http://www.win.tue.nl/hashclash/SoftIntCodeSign/)) adds even more concern about the trustworthiness of an MD5 hash. If you can't trust a signed executable, what can you trust? I think nothing. Their technique, however, requires much premeditation. It's not as if you can create a collision on an existing executable; that would be a second-preimage attack, and this is a collision attack. To be effective in a malicious way, it would require that you create two executables up front with the same hash. This is done by appending 832 bytes of crafted data (useless to the program itself) to the two executables. As you can imagine, this would make it very easy for a criminal to create two versions of software, one with a backdoor, that have the exact same MD5 hash. Of course, it would be easy for them to get the good one signed and then set up a download site serving the malicious one: any verifier that checks the signature and then compares only the MD5 digest accepts both. While this is somewhat sophisticated, I could definitely see this being utilized by the hack-for-money crews. It doesn't take much to get your software posted on some shareware download site. Also, I could see elite crews even trying to get drivers signed in this manner. So what are we supposed to do about it? The authors of the paper suggest that SHA-1 is much more resistant to collisions and is a better alternative (SHA-1 itself already had a published theoretical collision attack by 2005, so a SHA-2 digest is the safer target). Despite that, I think a search for a better hashing and signing algorithm should get underway if it already hasn't. I don't think the threat is imminent by any means, but we will need something stronger in place within the next 2-3 years.</description>
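As an added illustration that is not part of the original post and does not use the chosen-prefix method from the HashClash paper, the following Python script reproduces the "two builds, one MD5" pattern with the two publicly known 128-byte MD5-colliding messages published by Wang et al. in 2004. Because those messages collide in MD5's internal state, any identical suffix appended to both leaves the digests equal, so a common "program body" can follow them. The program body, the dispatch rule (branch on which block the file carries), the verifier, and the file layout are all constructed for this example; a SHA-256 check of the same two files tells them apart.

```python
import hashlib

# Two 128-byte messages published by Wang et al. (2004) that collide under MD5.
# They differ in six bytes (offsets 19, 45, 59, 83, 109, 123).
BLOCK_A = bytes.fromhex(
    "d131dd02c5e6eec4693d9a0698aff95c2fcab58712467eab4004583eb8fb7f89"
    "55ad340609f4b30283e488832571415a085125e8f7cdc99fd91dbdf280373c5b"
    "d8823e3156348f5bae6dacd436c919c6dd53e2b487da03fd02396306d248cda0"
    "e99f33420f577ee8ce54b67080a80d1ec69821bcb6a8839396f9652b6ff72a70"
)
BLOCK_B = bytes.fromhex(
    "d131dd02c5e6eec4693d9a0698aff95c2fcab50712467eab4004583eb8fb7f89"
    "55ad340609f4b30283e4888325f1415a085125e8f7cdc99fd91dbd7280373c5b"
    "d8823e3156348f5bae6dacd436c919c6dd53e23487da03fd02396306d248cda0"
    "e99f33420f577ee8ce54b67080280d1ec69821bcb6a8839396f965ab6ff72a70"
)

# Constructed stand-in for the program body that both builds share. A real
# attack would ship native code; here run_program() interprets the file.
COMMON_SUFFIX = b"\nPROGRAM: branch on the 128-byte header; A = benign, B = backdoor\n"


def build_binary(block: bytes) -> bytes:
    """Assemble one 'executable': a colliding block followed by the shared body."""
    return block + COMMON_SUFFIX


def run_program(binary: bytes) -> str:
    """Model of the dual-behaviour executable: it inspects its own header and
    branches on which collision block it was shipped with."""
    header = binary[:len(BLOCK_A)]
    return "benign" if header == BLOCK_A else "backdoor"


def digest(binary: bytes, algo: str) -> str:
    """Hex digest of the whole file under the named hashlib algorithm."""
    return hashlib.new(algo, binary).hexdigest()


def verifier_accepts(binary: bytes, expected: str, algo: str) -> bool:
    """A verifier that, after validating the signature on the digest, compares
    only the digest of the downloaded file against the signed digest."""
    return digest(binary, algo) == expected


def demo() -> dict:
    """Run the whole scenario: sign the benign build, then check the backdoored
    build against the signed digest under MD5 and under SHA-256."""
    good = build_binary(BLOCK_A)   # the build submitted for signing
    evil = build_binary(BLOCK_B)   # the build placed on the download site
    signed_md5 = digest(good, "md5")
    signed_sha256 = digest(good, "sha256")
    return {
        "files_identical": good == evil,
        "md5_accepts_evil": verifier_accepts(evil, signed_md5, "md5"),
        "sha256_accepts_evil": verifier_accepts(evil, signed_sha256, "sha256"),
        "good_runs": run_program(good),
        "evil_runs": run_program(evil),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The two files differ in only six bytes, yet the MD5-based verifier accepts the backdoored build with the digest signed for the benign one, while the SHA-256 verifier rejects it. The point for a practitioner is that signing an MD5 digest binds the signature to a whole collision class, not to one file, so any code-signing or package-verification path that still hashes with MD5 needs the digest algorithm replaced, not just the signing key.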
	</item>
	<item rdf:about="http://www.cyberguardians.org/content/view/80/">
		<dc:format>text/html</dc:format>
		<dc:date>2007-09-21T11:04:18+01:00</dc:date>
		<dc:source>http://www.cyberguardians.org</dc:source>
		<title>Book Review: PYWN</title>
		<link>http://www.cyberguardians.org/content/view/80/</link>
		<description>I had the pleasure of reading Windows Security Resource Kit (http://www.amazon.com/gp/product/0735621748/ref=wl_itt_dp/104-7308219-7344736?ie=UTF8&amp;coliid=I37BSFNVEXBI6H&amp;colid=9UNJYTC63A3T). The book's two authors are both seasoned security veterans, and their IT geek humor is enjoyed throughout the book. I found myself thinking, "Yeah, I've been there before," several times and laughing at the absurdity of the situations we are frequently presented with.

Two notes of caution about this book before delving in. These guys were both Microsoft employees at the time of the writing, so yes, you will see some mild MS bias throughout, but they do a good job of reminding you of that in the text as well. I mean really, who recommends ISA Server over a firewall appliance like Netscreen, Checkpoint, or ASA, other than an MS employee or a Redmond Kool-Aid drinker? Also, while this book contains great nuggets of information, for someone that's been in the security industry a while, there will be a lot of general IT security information that you can just skim through in the first few chapters. This does not take away from the book in any way; it just broadens the target audience some.</description>
	</item>
	<item rdf:about="http://www.cyberguardians.org/content/view/78/">
		<dc:format>text/html</dc:format>
		<dc:date>2007-05-17T12:03:00+01:00</dc:date>
		<dc:source>http://www.cyberguardians.org</dc:source>
		<title>The Value of Certifications</title>
		<link>http://www.cyberguardians.org/content/view/78/</link>
		<description>After reading a very spirited, informative discussion on this topic over at SecurityFocus (http://www.securityfocus.com/), I decided to throw my own hat into the ring. I want to expand on several relevant topics.

1 - Certifications are a joke - A certification alone, without experience, is typically not worth that much in the real world. It proves that the candidate can pass a test, often having had the questions in advance (see Testking/ActualTests). All it really guarantees is that the candidate has some basic knowledge of the subject. Even the certs with experience requirements are pitiful, due to the fact that they do not audit every candidate. And if they did, there's always a chance they lied, like most people do on their resume.

2 - Certifications are necessary - Until the HR machine is overhauled, you cannot afford to not have certifications. Unless you have a good contact in the company, most non-certified individuals will be screened out by the non-technical HR employee, who basically knows keywords. I also think that if you're very specialized, like on a certain product or field, having one of the more advanced certs could be very rewarding financially. Also, on the opposite end of the spectrum, having certs in several different areas, like various OSes, networking, security, etc., can show that you're pretty versatile.

3 - Experience is still king - Despite the fact that you have a lot of "enhanced" resumes out there, experience is still the most important factor in deciding whether or not a candidate will be successful. A good track record of completing projects, troubleshooting, implementing, etc., along with personal references from those jobs, is still the best indicator that I've seen. Granted, you need to do a fair amount of vetting via the technical interview, but I still think it's what employers should put more emphasis on versus certifications.

In conclusion, I would like to state that I don't think it's possible for anyone to argue that the current certification system we have is not broken on multiple levels. We have hiring managers without a clue. We have money-grubbing, so-called experts selling us mediocre certifications. In short, we all have to take responsibility for fixing it. Whether it's done by educating people about the dangers of paper-only certified employees or by designing a new system, something needs to be done.</description>
	</item>
</rdf:RDF>
