EH-Net
  Show Posts
106  Ethical Hacking Discussions and Related Certifications / Programming / Small Basic on: November 11, 2008, 07:36:33 PM

I ran across a blog entry a few days ago discussing a programming language for beginner programmers called Small Basic.  Small Basic  is, much like it sounds, a stripped down version of Visual Basic.  What is beneficial about it, is that it contains many of the core elements of common programming languages such as functions, objects, conditionals, loops, and even contains graphical elements.  For those of you who are already programmers and may remember Logo, the turtle is back! 

While there are many languages that contain these same elements, one of the things that make a language a good starter language is the introduction.  Small Basic has a great getting started guide that will walk you through your first "Hello World" and then help you understand what is going on.  From there variables, conditional statements, and loops follow.  Once some of the basics are down, graphics come in and you will gain an understanding of windows, managing colors, and drawing shapes.

The next chapter in the tutorial is on Logo.  If you haven't heard of Logo, it was a language that was invented in the 70's and later had a turtle added and turned into many peoples first programming language.  The turtle has a few basic commands including movement commands for going forwards, backwards, and to the sides.  The Logo turtle is used in this chapter to understand objects and is used to bring many of the skills from the first few chapters together.  This chapter is also an opportunity to try to do some fun things with what we've learned thus far.   

The final chapters focus on subroutines, events, and tying everything together to build our first whole application, a basic paint program.  The tutorial is cut short here with a "(Pending completion)" note, but the appendices have some additional goodies.  Appendix A has a bunch of small sample programs to try out and modify.  Some of these include creation of a game and a fractal program.  Appendix B has a listing of colors that you might like to use along the way.  This is a handy reference regardless if you are a seasoned programmer or not. 

By the end of this tutorial, you won't be an expert programmer, but you should have an understanding of the constructs enough to have an idea of what programming languages can do.  Once you've gotten a little bit under your belt, you're ready to pick up "Hello World" in something like Python, Perl, Javascript, or Visual Basic and getting started with something with more features. 

If you want to check out Small Basic, go to http://msdn.microsoft.com/en-us/devlabs/cc950524.aspx.

 
107  Ethical Hacking Discussions and Related Certifications / Network Pen Testing / Re: cookie problem on: November 08, 2008, 01:23:29 PM
I agree with Craig, but on top of the things that Craig mentioned, the answer partially depends on what you are trying to protect.  If you were a banking institution then the answer would be different than an online forum. 

Unfortunately, due to proxy use in some of the larger ISPs, the IP address is a bad thing to use for security.  There will be some users who will get denied just because of their ISP.

The security is to have your sessions themselves timeout after a short period of time if you can.  That is why if you go and get a cup of coffee while you are on a bank site you will find yourself logged out.  Unfortunately allowing short session times doesn't work with everything.  For instance, it isn't much fun when your session times out while you are trying to make a post on a forum.  So you have to balance the two.  For a bank, maybe 10 minute session timeouts.  For forums, maybe 2 hour timeouts.

You can also tie some client information to the session if it is important that the information remain safe.  This won't stop people who are very creative, but it does raise the bar some, and for automated attacks may cause fewer problems.  For instance, keep the user agent in the server-side session store; if the user agent changes, log the person out.  Browsers are also pretty noisy on many occasions as to what they will tell you when they make a request.  Adding in something random like the Accept-Charset field, which is accessible from most applications, may make it secure enough to deter someone who isn't overly intent on messing with you.

Overall, the best way to prevent session theft is to make sure that your website is properly coded and you have input validation issues handled.  Making sure you have good input validation will go a long way to preventing XSS, SQL Injection and a few other types of attacks.  Check out the OWASP top 10 for common ways to prevent application problems. 

Hope this helps!
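As an added example (not code from the post or from EH-Net), here is a minimal server-side session store in Python that implements the two controls the reply above describes: a sliding idle timeout, and binding the session to the User-Agent and Accept-Charset headers so that a cookie replayed from a different client is rejected and the session is destroyed. The class and function names, the timeout values and the request headers are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

# Idle timeouts from the reply above, in seconds (assumed values for illustration).
IDLE_TIMEOUT = {"bank": 10 * 60, "forum": 2 * 60 * 60}

# Request headers bound to the session. Only a hash of them is stored.
BOUND_HEADERS = ("User-Agent", "Accept-Charset")


def client_fingerprint(headers):
    """SHA-256 over the bound headers; a missing header hashes as an empty string."""
    material = "\x1f".join(headers.get(h, "") for h in BOUND_HEADERS)
    return hashlib.sha256(material.encode("utf-8")).hexdigest()


class SessionStore:
    """Server-side session store: random IDs, sliding idle timeout, header binding."""

    def __init__(self, idle_timeout, clock=time.time):
        self.idle_timeout = idle_timeout
        self.clock = clock          # injectable so the demo can move time forward
        self._sessions = {}

    def create(self, user, headers):
        sid = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG
        self._sessions[sid] = {
            "user": user,
            "fingerprint": client_fingerprint(headers),
            "last_seen": self.clock(),
        }
        return sid

    def lookup(self, sid, headers):
        """Return the session's user, or None (destroying the session) if it has
        idled out or the bound headers no longer match."""
        sess = self._sessions.get(sid)
        if sess is None:
            return None
        now = self.clock()
        if now - sess["last_seen"] > self.idle_timeout:
            self.destroy(sid)
            return None
        if not hmac.compare_digest(sess["fingerprint"], client_fingerprint(headers)):
            self.destroy(sid)       # user agent changed: log the person out
            return None
        sess["last_seen"] = now     # activity extends the idle window
        return sess["user"]

    def destroy(self, sid):
        self._sessions.pop(sid, None)


def demo():
    """Walk the cases with a fake clock; the headers are constructed, not real traffic."""
    fake = {"now": 1_000_000.0}
    store = SessionStore(IDLE_TIMEOUT["bank"], clock=lambda: fake["now"])
    browser = {"User-Agent": "Mozilla/5.0 (X11; Linux i686) Gecko/2008 Firefox/3.0",
               "Accept-Charset": "ISO-8859-1,utf-8;q=0.7,*;q=0.7"}
    sid = store.create("alice", browser)

    ok = store.lookup(sid, browser)              # "alice"
    fake["now"] += 5 * 60
    still_ok = store.lookup(sid, browser)        # "alice": 5 min idle is under 10
    # The cookie is replayed from a different client with a different User-Agent.
    stolen = store.lookup(sid, {**browser, "User-Agent": "curl/7.19.0"})   # None
    after = store.lookup(sid, browser)           # None: the mismatch destroyed the session

    sid2 = store.create("bob", browser)
    fake["now"] += 11 * 60                       # coffee break
    expired = store.lookup(sid2, browser)        # None: idled out
    return ok, still_ok, stolen, after, expired


if __name__ == "__main__":
    print(demo())
```

Two caveats match the reply's own wording: header binding only raises the bar, since an attacker who captured the cookie from the same browser usually captured the headers with it, and it logs the legitimate user out as well when the mismatch is detected. The idle timeout is the control that actually bounds how long a stolen cookie is worth anything.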
108  Features / Oct 2008 - Scooby Doo and the Crypto Caper / Re: [Article]-Scooby Doo and the Crypto Caper on: October 10, 2008, 08:56:42 AM
This is a really neat challenge.  I haven't worked on my answers yet, but there is some really cool stuff in here.  Unless you are REALLY into cryptography, there should be some cool stuff to play with in this challenge.

109  Ethical Hacking Discussions and Related Certifications / Other / Re: Holiday Ideas on: October 07, 2008, 09:17:19 AM
I'm primarily looking for cool things to give adult males.  I have a number of co-workers who I need to get gifts for, and aside from a bigger lab with more toys in it, I need to find some reasonable things that I might like.  I'm completely out of touch with what cool new gadgets and toys are out there.

phn1x: I completely agree with you there.  I love the books.
110  Ethical Hacking Discussions and Related Certifications / Malware / Fyodor Explains TCP DOS attack on: October 06, 2008, 07:20:08 PM
I thought that this was a great explanation.  We don't know for sure what Robert E Lee is going to say about the vulnerability, but this is good reading nonetheless.

http://insecure.org/stf/tcp-dos-attack-explained.html

111  Ethical Hacking Discussions and Related Certifications / Other / Holiday Ideas on: October 05, 2008, 04:33:28 PM
I'm working on making a list for what might be good gifts for the holiday season.  I have no idea.  What thoughts do y'all have ?
112  Resources / Career Central / Re: Computer Science degree vs. anything else? on: October 05, 2008, 01:45:26 PM
I would say that there are probably a few routes that wouldn't be bad.  Computer Science is kind of interesting, personally I learned a lot about programming theory, while not as much about good programming practices, secure programming, and common pitfalls.  I was able to pick up a fair amount of networking theory, so I guess part of choosing a major depends on what you want out of it.

Of the people I know who are doing pen testing and information security things, many of them came through other IT functions, such as networking and sys-admin.  One of the great things about college is that the atmosphere of learning frequently doesn't stop at the classroom.  If you can find a part time job working with an IT group or something like that and find a mentor who will help you learn more about enterprise environments, what your degree is in may not matter as much.  When it comes to IT security, I think that in many cases, people are going to be looking for people with experience first, then a degree second. 

Another great option is to find a co-op opportunity through your school with a local company who has an infosec team who is taking either summer students or co-ops.  I've worked with summer students before and that's another opportunity that will end up being whatever you make out of it.  You probably will have to do some stuff that isn't as fun but is something that needs to be taken care of, but walk in and do the things that you're tasked with and show that you know your stuff and then suggest things that you'd like to be involved in. If you show that you are capable, those folks are probably going to be good references for you both technical and employment wise in the future.

The biggest thing is though, college isn't just about the classes.  You have a whole lot of resources at your disposal as far as professors, staff, and other bright students.  Make the most of all of it, and don't forget to have some fun along the way.

113  Ethical Hacking Discussions and Related Certifications / Network Pen Testing / Re: What info can be obtained just from IP on: October 05, 2008, 12:52:09 PM
EH Columnist Chris Gates presented on something similar at ToorCon.  What he presented on was given a domain name, what can you find out.  Depending on what the IP resolves to, this could definitely be useful. Check out the link to the PDF at : http://carnal0wnage.blogspot.com/

One thing that I haven't seen mentioned a lot is Google.  I know it's probably common sense, but I've been able to track down IPs directly to people based on mail archives, IRC logs, etc.

114  Resources / Tools / Re: ServifyThis on: October 02, 2008, 09:11:30 AM
Personally, I think that if a script kiddie is going to own a box, for the owner of the box it is probably better if they used servifythis in order to create their back door.  It can uninstall itself, which is awesome.  I'd much rather have that than some of the other stuff out there.  Aside from the fact it can be handy for a pen tester, it has some great uses for other people too.  Microsoft already has a tool called SRVANY.EXE which will let you do something similar, but it's more complex to use. It definitely lowers the bar for people who want to run netcat as a service, but at least you know it is going to go in and out of your machine cleanly instead of worrying about registry keys and such with the current tools out there. 
115  Ethical Hacking Discussions and Related Certifications / Other / Re: Exploit Questions on: September 29, 2008, 05:03:33 AM
All of these features are basically raising the bar on security.  With each thing, the amount of skill and effort it takes to get a working exploit rises.  That's the basic point of all the security stuff we throw out there.  Whether it's firewalls or service hardening or whatever, if there is a person motivated enough and skilled enough with a lot of free time on his/her hands, eventually they will either figure out how to get in or give up to find something more fun.

There was discussion at DEFCON of how to defeat some of these things.  If you read this article http://arstechnica.com/news.ars/post/20080811-the-sky-isnt-falling-a-look-at-a-new-vista-security-bypass.html there is the discussion that talks about what tntcoda said.  The thing that I read that seemed most important is that a portion of all of this depends on software developers doing the right thing.  This is also implied with the grsecurity software here: http://www.grsecurity.net/confighelp.php.

In my opinion, we as security people can keep putting up barriers, but when we look at software development, even the folks that the developers frequently look up to, such as Microsoft, are opting out of their own security measures (see the first article referenced).  If we are running OSs with only the base services enabled and fully patched, I think that the bar is pretty high up there, but as soon as you start installing software on there, the attack vector just gets bigger.  With Vista as an example, I am pretty confident that many people that got bothered by UAC just turned that puppy off, and there goes another layer of protection.  Knowing that IE has opted out of additional security features along with this, your attack space has gotten larger.

In my opinion, if we want to make sure that the systems are secure, it needs to be a multi-pronged approach: 1) it needs to be convenient for the user, 2) it needs to be built into the OS, 3) it needs to be enforced by the applications.  Developers are going to need to start writing code that doesn't opt out of DEP (Data Execution Prevention) and ASLR (Address Space Layout Randomization), but sometimes that's hard, and we're willing to compromise.  We all compromise some; I am sure that I'm not the only one that's hit the "remind me later" button on Acrobat when I'm trying to read a PDF off of a site that I trust.  The compromise is what really gets us in trouble, I think.
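Whether an application has opted in to DEP and ASLR is recorded in its PE headers: the linker sets IMAGE_DLLCHARACTERISTICS_NX_COMPAT (/NXCOMPAT) and IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE (/DYNAMICBASE) in the optional header's DllCharacteristics field. The following is an added example, not code from the post or from any tool it mentions, that parses those fields so you can check the binaries you install rather than trust that the developer did the right thing. It also covers the case the flag alone hides: an image with DYNAMIC_BASE set but relocations stripped cannot be moved by the loader, so it gets no ASLR in practice. The headers-only images the demo builds are constructed for the check and are not real executables; the function names are assumptions.

```python
import struct
import sys

# IMAGE_FILE_HEADER.Characteristics and IMAGE_OPTIONAL_HEADER.DllCharacteristics bits
IMAGE_FILE_RELOCS_STRIPPED = 0x0001
IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040   # linker /DYNAMICBASE, ASLR opt-in
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100      # linker /NXCOMPAT, DEP opt-in
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B


def pe_mitigations(data):
    """Read the COFF and optional headers of a PE image and report DEP/ASLR opt-in."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE image: no MZ header")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image: no PE signature")
    coff = e_lfanew + 4                      # IMAGE_FILE_HEADER, 20 bytes
    (file_chars,) = struct.unpack_from("<H", data, coff + 18)
    opt = coff + 20                          # IMAGE_OPTIONAL_HEADER
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError("unexpected optional header magic 0x%x" % magic)
    # DllCharacteristics sits at offset 70 in both PE32 and PE32+ optional headers.
    (dll_chars,) = struct.unpack_from("<H", data, opt + 70)
    dynamic_base = bool(dll_chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE)
    relocs_stripped = bool(file_chars & IMAGE_FILE_RELOCS_STRIPPED)
    return {
        "pe32plus": magic == PE32PLUS_MAGIC,
        "dep": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
        # The flag alone is not enough: with relocations stripped the loader
        # cannot move the image, so it lands at its preferred base anyway.
        "aslr": dynamic_base and not relocs_stripped,
        "aslr_flag_without_relocs": dynamic_base and relocs_stripped,
    }


def build_pe_header(dll_characteristics, file_characteristics=IMAGE_FILE_EXECUTABLE_IMAGE,
                    pe32plus=False):
    """Construct a headers-only PE image (no sections) for the demo. Not a real binary."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    machine = 0x8664 if pe32plus else 0x14C
    opt_size = 240 if pe32plus else 224
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, opt_size, file_characteristics)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC if pe32plus else PE32_MAGIC)
    struct.pack_into("<H", opt, 70, dll_characteristics)
    return dos + b"PE\0\0" + coff + bytes(opt)


def demo():
    """Three constructed images: hardened, opted out, and ASLR flag with relocs stripped."""
    hardened = build_pe_header(IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
                               | IMAGE_DLLCHARACTERISTICS_NX_COMPAT, pe32plus=True)
    opted_out = build_pe_header(0)
    no_relocs = build_pe_header(IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE,
                                IMAGE_FILE_EXECUTABLE_IMAGE | IMAGE_FILE_RELOCS_STRIPPED)
    return [pe_mitigations(img) for img in (hardened, opted_out, no_relocs)]


if __name__ == "__main__":
    if len(sys.argv) > 1:            # usage: python pe_mitigations.py some.exe
        with open(sys.argv[1], "rb") as f:
            print(pe_mitigations(f.read()))
    else:
        for report in demo():
            print(report)
```

Run it over a directory of installed executables and DLLs and the ones reporting `dep: False` or `aslr: False` are exactly the "opted out" software the post is worried about; a process that loads one non-ASLR DLL gives an exploit writer a fixed address to work with regardless of how the rest of the system is configured.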
116  Ethical Hacking Discussions and Related Certifications / Web Applications / Re: SQL Injection Automated Tools on: September 24, 2008, 09:25:22 PM
I think that it may actually be better to approach your questions in reverse order.  I would recommend starting with some basics such as here: http://www.securiteam.com/securityreviews/5DP0N1P76E.html.  Once you understand what's going on, if you have access to the source of the applications that your IPS listed as vulnerable, look at the URLs that the IPS reported on.  Look for places where input is accepted from a user and then a query is run against your SQL server without the variable being checked for validity and special characters being escaped.  For instance, if your site houses articles, and you request articles by a URL like "http://myreallyawesomesite.com/articles.php?articleid=31337", then you would want to validate in your application that articleid really is a number.

Before you start running any automated tests, I will start out with a warning.  If you don't understand what is happening with the web app you are scanning, proceed with caution.  Some applications are not coded well, and if you are running a scanner against a poorly coded application, bad things could happen.  Just be prepared, and if you are not the maintainer of the application, talk to your admins before you start scanning.  There is the chance of data destruction or an unintentional denial-of-service attack when you run the tools.  For example, take the URL from the example above and assume that it is vulnerable.  Most tools will try something like adding "or 1=1--" to the end of a query string.  If the application is taking the results from the query and finding other examples that might interest you, and it does it for every article, you could end up causing the database server to chug for quite a while, which might cause website or database degradation.

If you have decided to run a tool, you may want to consider http://www.parosproxy.org.  It is quick and simple: essentially you should be able to point your web browser at Paros Proxy, browse to the applications that your IPS reported, and then choose the scan option after clicking on the script, and it should generate a report with the problems it has found.  http://grendel-scan.com/ was also released at DEFCON this year, and after playing with it, it does have potential, but getting it to only scan select pages is not trivial.  There is also http://www.sensepost.com/research/wikto/, which is also not trivial to configure, but has been around for a good period of time, does detect common misconfigurations, and can scan for XSS and SQL injection.  There are also commercial tools which are more thorough and more expensive, such as http://www.whitehatsec.com and HP WebInspect, and CORE Impact is now getting into the web-app scanning/exploit market.

Finally, you probably want some resources on how to fix the problem.  Check out http://www.owasp.org/index.php/Data_Validation; it has some good rules of thumb, but you want to look at the abilities contained in whatever language your applications are in to fix the problem, and without knowing the language there are too many possibilities to list out here.

Good luck with your assessment.

-Ryan

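The articleid example above, worked through in code as an added example (not the original poster's application or any of the tools named): a lookup that pastes the URL parameter into the SQL text, next to the fixed version that validates the parameter as a number and binds it as a query parameter. The in-memory SQLite table and its rows are constructed for the demo; the site in the post could be running any database and language, and the function names are assumptions.

```python
import re
import sqlite3


def make_db():
    """Constructed in-memory articles table standing in for the site's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT, published INTEGER)")
    conn.executemany("INSERT INTO articles VALUES (?, ?, ?)", [
        (31337, "Welcome to my really awesome site", 1),
        (31338, "Draft: not yet published", 0),
        (31339, "Another published article", 1),
    ])
    return conn


def get_article_vulnerable(conn, articleid):
    """The bug: the articleid URL parameter is pasted straight into the SQL text."""
    sql = "SELECT id, title FROM articles WHERE published = 1 AND id = " + articleid
    return conn.execute(sql).fetchall()


def get_article_safe(conn, articleid):
    """The fix: check that articleid really is a number, then bind it as a parameter
    so the driver sends the value separately from the SQL text."""
    if not re.fullmatch(r"[0-9]+", articleid):
        raise ValueError("articleid must be a positive integer")
    sql = "SELECT id, title FROM articles WHERE published = 1 AND id = ?"
    return conn.execute(sql, (int(articleid),)).fetchall()


def demo():
    conn = make_db()
    normal = get_article_vulnerable(conn, "31337")
    # The scanner payload from the post. The WHERE clause becomes
    # "published = 1 AND id = 31337 or 1=1--", which is true for every row,
    # so the unpublished draft comes back along with everything else.
    injected = get_article_vulnerable(conn, "31337 or 1=1--")
    safe = get_article_safe(conn, "31337")
    try:
        get_article_safe(conn, "31337 or 1=1--")
        rejected = False
    except ValueError:
        rejected = True
    return normal, injected, safe, rejected


if __name__ == "__main__":
    print(demo())
```

The vulnerable query also illustrates the denial-of-service warning: with "or 1=1" the WHERE clause no longer filters anything, so on a real articles table the server does a full scan and returns every row for every request the scanner makes.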
117  Ethical Hacking Discussions and Related Certifications / Malware / Re: write my own exploits ? on: September 23, 2008, 08:56:51 AM

That said, I'd like to cite a recent blog post from SecurityBuddah.com (http://securitybuddha.com/2008/09/10/are-you-a-builder-or-a-breaker/).  The point of the post is to ask why so many people in security focus on breaking things rather than building better software.  I think learning to actually program in a language will be a much more valuable endeavor if you really want to learn to write exploits.
...
  Why not learn how to spot weaknesses and offer fixes instead of just how to break things?

If you want to be a professional "breaker" then you are going to need to learn why the things happen that you can break.  So many of the technologies today are easy to break and harder to fix, especially on the web.  Unless you have the knowledge to be able to explain what went wrong, people will see you much more as a script kiddie than a knowledgeable professional.  Finding XSS exploits is pretty easy on many occasions; talking to the folks who have the vulnerable application and explaining strategic solutions to fix their problem, as well as what led to the problem, is where the money is at.

On a separate note, in my opinion, learning a scripting language will probably help you with just about any type of exploit unless everything you do is through a GUI.  For the stuff that I have written for exploiting C applications, most of the code I've written has been in Perl, and when I'm doing web-based assessments that are beyond the basics, I frequently pop back to Perl or Python to generate the code that I'm going to use for the exploit.  Plus, putting your exploit in a script means that it's useful to others, and unless you don't plan on showing anyone else what you did or ever doing it again yourself, it's nice to have it, especially if you either added a comment here or there or used logical variable names.

Final thought on the breaker vs maker, since I've been on both sides: in many cases, and I encounter this all the time, people don't really understand the magnitude or impact of what they are doing until you show them how it's bad.  I think it's kind of analogous to when you're a kid and a parent says "don't touch that, it's hot" and sure enough, you figure it out on your own.  In some ways, unless we can show what can happen in a controlled environment, you may not get the response that you want.  I think that this is especially true with problems that don't yield a shell on a box.  So many applications have XSS bugs in them these days.  When you explain it to someone and they simplify it as "so someone can click on a link and have some other stuff show up on the page?" then it really doesn't sound that scary.  When you show them that when they clicked on the link for what they thought was the latest Peggle download from their web-based email client, you stole their session cookie and now have full access to their email, then that has a little bit more impact.  I won't say that is necessary all of the time, but it is something that I run up against.

118  Ethical Hacking Discussions and Related Certifications / Other / Re: Password reset beware on: September 17, 2008, 06:31:27 PM
I think that multi-factor authentication is going to eventually be the key to this.  It will end up being a pain, but until we come up with something better than passwords, it will probably be better than what we have.  I know that PayPal and some of the others already have one-time-password generator fobs which you can use along with your username and PIN in order to log in.  That still doesn't solve the "forgot my PIN" problem, but even if they can reset your PIN, they still have to social engineer you into providing your OTP.  I figure eventually you'll lick the screen and it will test your DNA to let you in or something, but I think I'd still rather use the OTP generator than log in at the library when that happens.

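The fobs mentioned above are typically counter-based HOTP tokens (RFC 4226). Here, as an added example that is not PayPal's or any vendor's implementation, is the generation algorithm and the server-side check that goes with it, using the RFC's published test secret; the class name, the look-ahead window size and the walk-through are assumptions. It shows the property the post relies on: a code that was social-engineered out of the user is good for exactly one login, and once it has been used (or a later code has been used) it is rejected. The username and PIN check happens separately and is not shown.

```python
import hashlib
import hmac
import struct


def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return "%0*d" % (digits, code % 10 ** digits)


class OtpVerifier:
    """Server side of a counter-based fob: look-ahead window, a code is never accepted twice."""

    def __init__(self, secret, window=5):
        self.secret = secret
        self.counter = 0        # next counter value the server expects
        self.window = window    # how far ahead the fob may have drifted (button presses)

    def verify(self, code):
        for c in range(self.counter, self.counter + self.window + 1):
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.counter = c + 1    # resync; this and all earlier codes are burned
                return True
        return False


def demo():
    """Constructed walk-through using the RFC 4226 test secret."""
    verifier = OtpVerifier(b"12345678901234567890", window=5)
    first = verifier.verify("755224")     # counter 0: accepted
    replay = verifier.verify("755224")    # same code, e.g. phished and replayed: rejected
    skipped = verifier.verify("969429")   # counter 3, fob pressed a few times unused: accepted
    stale = verifier.verify("287082")     # counter 1, now behind the server: rejected
    return first, replay, skipped, stale


if __name__ == "__main__":
    print(demo())
```

The window is the usual trade-off: large enough that a user who pressed the button a few times without logging in is not locked out, small enough that an attacker guessing six-digit codes does not get many chances per counter value; a lockout after a few failures is still needed on top of it.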

119  Ethical Hacking Discussions and Related Certifications / Network Pen Testing / Re: Penetrating Xp Sp3 on: September 17, 2008, 06:20:08 PM
That's a great question.  I usually look for exploits in 3 places if I'm looking to find something fairly quickly.

The first place I look is metasploit.  If they have it, I check to make sure that my platform and revision numbers are good for the application and then I would try that.

The second place is http://www.milw0rm.com/.  milw0rm is searchable and is updated pretty frequently when people release public exploits.

The third place is SecurityFocus (http://www.securityfocus.com).  From there, you can search for vendor, product, and revision and then look for what type of vulnerability you need to exploit.  This is slightly more tedious.  If you are looking for remote exploits, just go through and look for the word "remote" in the title; that is normally a good way to do it, and then look on the exploit tab and see what's there.  Sometimes the exploits are crippled, so you may have to do some tweaking to get it to work.

Also, if you have some cash to drop, Immunity Canvas has a lot of good exploits and is a lot more point and click. 

As for finding an OS, this probably doesn't need to be said, but XP SP3 has all of the SP1 and SP2 patches rolled into it, so it's not going to have as many goodies.  Your best bet is to install XP and not any SPs.  That should pretty much be Metasploit gold.

Have fun, and remember that these exploits are sometimes noticeable, so if you start learning to do this stuff on machines that aren't yours, you will probably get caught.

- Ryan
120  Ethical Hacking Discussions and Related Certifications / Malware / Re: write my own exploits ? on: September 15, 2008, 08:03:36 PM
I've been playing a lot of CTF lately, and two books have really helped.  Hacking, the art of exploitation (http://www.amazon.com/Hacking-Art-Exploitation-Jon-Erickson/dp/1593271441) is the first, and The Shellcoder's Handbook(http://www.amazon.com/Shellcoders-Handbook-Discovering-Exploiting-Security/dp/047008023X/ref=pd_bbs_sr_1?ie=UTF8&s=books&qid=1221526745&sr=1-1) is the second. 

You are going to want to know some assembly along the way, they will help you some, but find a good assembly book.  You will also want to know some programming language, I would probably learn C and perl or python.  I personally prefer perl, but I think it's one of those pancake vs waffles things, they are both delicious.

