EH-Net
May 20, 2013, 12:55:58 AM *
  Show Posts
946  Resources / Mass Media / Re: Googlebot will do SQL Injection for you! on: March 03, 2009, 09:47:42 PM
My question is, in legal terms, is this an attack? Or is it simply research you are conducting on google? Who is hacking, is it you, or is it googlebot?
947  Features / Book Reviews / Re: [Article]-Hacking: The Art of Exploitation 2nd Edition on: March 03, 2009, 09:10:01 PM
I enjoyed the book very much. I don't think that you can copy and paste the code in the book to create your own buffer overflows with today's stack guards, but I thought the concepts were quite solid. It's one of the best tech books I've ever read.
948  Ethical Hacking Discussions and Related Certifications / Hardware / Re: USB & DMA? on: March 03, 2009, 09:07:27 PM
The way I understand it is that USB does indeed use DMA, bypassing the CPU and thus enabling decent transfer speeds. When I did research on this, people are saying that Firewire is a BUS, while USB is a PORT. While both use DMA, Firewire is more unrestricted. When Microsoft implemented Firewire, they assumed that it was going to be running very fast things like hard drives. Interestingly enough, people are saying that the DMA works on eSATA as well.

I am not sure if any of this is true, but that's what I found while researching this topic.
949  Resources / Mass Media / Re: Googlebot will do SQL Injection for you! on: March 03, 2009, 10:17:15 AM
Wow, I had to read this a few times to grok it.  That's Heavy Duty!  It's an absolutely brilliant attack.  I am guessing this makes cops' work much more difficult to track the intruder. 
950  Features / /root / Re: The Death of Penetration Testing by Brian Chess in InfoSecurity Magazine on: March 03, 2009, 10:12:51 AM
I can definitely see that. I don't work for a purely infosec company. We do more forensics than anything. When we do pen testing, it's almost always as part of a larger sec audit (ISO17799, etc). If we are doing an audit, it's usually because we were hired to do forensics in response to an incident. Their problems are usually more procedural than technical. (Not that they don't have technical.) If the IT department goes rogue, the preventative methods are usually more procedural.
951  Resources / Career Central / Re: Looking for some advice for a newbie. on: March 03, 2009, 07:22:58 AM
Drexel offers an ITSec BS degree entirely online.   Drexel is a good school, with a good reputation in the tech sector.   

http://www.drexel.com/online-degrees/bachelors-degrees/bs-gs-tech/index.aspx

I believe UMass had a similar program. I can't seem to find it though.

952  Resources / Mass Media / Re: Advanced SQL injection - Dojosec Video on: March 02, 2009, 09:43:08 AM
One of the best I've seen.   Thanks for the link and thanks for digging out the slide presentation.   That made a huge difference.   
953  Ethical Hacking Discussions and Related Certifications / Web Applications / Re: changing mac address? on: March 01, 2009, 04:53:22 PM
There are a couple of good tools that automate the registry entry changes, smac and amac are two I know of.  Neither of these worked on Vista when I briefly had it on my laptop and I "downgraded" back to XP.   Changing  your MAC in Linux is very easy.
954  Ethical Hacking Discussions and Related Certifications / EnCE - EnCase® Certified Examiner / Re: EnCase Training? on: February 28, 2009, 11:10:07 PM
I haven't taken the course. EnCE is a pretty good cert though. There are about 100 questions, I believe, that are multiple choice. The main portion of the exam is an actual case. They send you a hard drive and you go to town on a somewhat realistic case. You have to produce a good report.

From what I have heard, it's probably not a good idea to take the exam right after the course if you haven't had EnCase experience. From personal experience, EnCase is a tool that's very counter-intuitive if you don't use it every day.
955  EH-Net / News Items and General Discussion About EH-Net / Re: EH-Net Compromise?!?! on: February 28, 2009, 05:45:57 PM
Thanks. Any idea if it was 0day or a missing SMF or Joomla patch? I am just curious as to how sophisticated the attack was.

I definitely expect a site like this one to be constantly targeted.   I am not pissed or surprised, I am more curious. 
956  Ethical Hacking Discussions and Related Certifications / Other / Re: Requesting info for a paper on: February 28, 2009, 05:41:59 PM
I can chime in on a couple of these:

* Computer Forensics Investigator:

Experience counts for more than anything. Ex-Fed and Ex-Cops are in high demand. My company has ex FBI, Customs / ICE, Local Cops. Their prior employment is almost an instant marketing tactic. We also have some non-fed employees, myself included.

CFCE is the most sought-after certification, but is only available to law enforcement. CCE and EnCE are also valuable and are accessible to everyone. Some states will require a CCE and a PI license for investigative work. Texas and one of the Carolinas currently require this.

Wages vary greatly. A junior investigator can make anywhere from $35,000 to $50,000 depending on location and skill. A senior investigator can make anywhere from $70,000 to $150,000 due to various factors. These are private sector numbers. If you are an agent, you are subject to various government payscales.

Forensics skills are pretty universal, especially among North America and Europe. Job Security is quite good, even in this economy. Clearance is not required unless you are doing government work.

* Pen Tester:

In my experience CISSP is a good cert to have.   It's famous and opens doors.   The SANS certs are also fairly well known and can get you in the door.   Obviously, experience counts here as well.

There are many folks that simply run a Qualys or Retina scan and call it a pen test. This market is fairly competitive and consulting hourly rates are much lower than in forensics. I am guessing that the job security here is not as good as in forensics. Very often, you don't have a choice but to hire a forensic investigator. Courts require a 3rd party neutral investigator in most cases. Forensics is responsive and often mandatory. Pen Testing is preventative and in many execs' view quite optional.

Salaries vary again. I am not sure what the average numbers are, since I haven't participated in hiring a pen tester. My company primarily focuses on forensics and we do pen testing and audit much more rarely.

Clearance is again subject to who you are working for.  Since computer systems are quite uniform and similar tools are used throughout, I can't imagine that it wouldn't be fairly easy to relocate to another country.

* Auditing / Analyst Lead:

CISA certification is pretty valuable here, as well as some accounting experience.  You are often working for internal audit departments.   Financial institutions have these guys on staff.   Financial institutions are struggling now and I can't imagine that the Audit Industry is not hit as well.

I am not sure of the salaries here as well.   I know too many people that have gotten laid off and have taken much lesser salaries here. 

I believe this is one area where transitioning to another country would be more difficult since the regulatory requirements vary from country to country.   The EU has standardized some of it, but you would have to still play catch up if you relocate.   

~~~~~

I can't comment on CISO, since I am not at that stage of my career :D

Cyber Warfare job sounds quite sexy and should make you popular with the ladies. Ok maybe not.
957  EH-Net / News Items and General Discussion About EH-Net / Re: EH-Net Compromise?!?! on: February 28, 2009, 03:00:09 PM
I want to know how we got pwned.   I saw that they mentioned a back door to the forum, but I don't think that was the entry point.
958  Columns / Gates / Re: Gates Get Shoutout from Dark Reading on: February 28, 2009, 09:51:32 AM
<Oracle_Rant>

I used to be an Oracle DBA, worse actually, Oracle Applications DBA. For those of you not familiar with Oracle Apps, it's basically their ERP suite, CRM, Inventory and others, powered by Oracle RDBMS. It includes Apache, Tomcat, tons of JSP pages, tons of shell scripts, tons of compiled Java code, etc. The installation literally used to come on 50 CDs. Most people run it on at least two servers. I hate to admit it, but I have skipped patching the behemoth on more than one occasion. Here is why....

Most Oracle patches have prerequisites. Those prerequisites have their own prerequisites. By the time you figure which patch you have to start with, you have forgotten what you are patching. Once you have applied the patches, you have to figure what those patches broke, and they will break something. It's not always evident in the hundreds of GB of code what's broken. By the time you find the issue, you have more patches that you have to apply. If you are lucky, you don't have to go back to your backup and restore the entire monster.

And then you get into custom code that is somewhat unsupported by Oracle. If you patch something, it will break it. Why do we have custom code in Oracle? Because Oracle Apps is great if you are making widgets. If you don't, you need to customize. Oracle will give you a great deal on the software, even 80% off the sticker price. The customization will cost a few million $$ depending on your size.

Oh, and you can't update Java on your machine to the latest version, because the latest version is never certified by Oracle.   All the Java security issues that are so well documented, guess what, you can't patch those.  Oracle has yet to "certify" that they won't break anything.  I find their "certification" quite hilarious actually.

Test systems don't always behave the same way as the production systems. Just because you've successfully patched a test system, it doesn't mean you get to sleep shortly after patching the production system.

I can go on, but in short it's a mess. I don't see how Oracle can consider itself security-conscious, at least with Oracle Apps. Oracle RDBMS by itself is a different story. Complexity and security are never friends, and calling this beast Complex is quite an understatement. There is an unwritten rule among very experienced Oracle Apps DBAs. You don't patch if it ain't broken.

</Oracle_Rant>

I am interested in what others think about this as well. As you can see, I have some deep emotional scarring inflicted by Oracle :). What about you guys? Have you had experience with Oracle Apps? I can't imagine that any installation will pass an Audit or a Pen Test. I've never worked with SAP. Does anyone know if that's any different?

959  Resources / Tools / Re: Helix 3 Released on: February 27, 2009, 08:27:17 AM
I just looked it up, Helix 1.9 was Debian based, 4.0.2.
960  Ethical Hacking Discussions and Related Certifications / Forensics / Re: Helix question on: February 27, 2009, 07:32:41 AM
There could be a number of reasons why hash numbers don't match when you attempt to restore the image to another hard drive. One major reason is bad sectors on the drive. Watch the dmesg output or read the /var/log/messages file to see if the following errors occur:

kernel: hdX: read_intr: error=0x40 { UncorrectableError }, LBAsect=98823, sector=98759

You should also verify your image when you acquire it.   Make sure the hashes match when you acquire the image.

I am not sure if VMware could be part of the issue, especially if you are imaging a VMware disk. Even if you are booting from a Helix CD in VMware, I am not sure if something else isn't writing to the vmdk files.

The point is that there are many things that can go wrong. Maybe we can help you pinpoint the issue. What is the exact configuration you are using? What drive types and makes, external USB to IDE/SATA connectors, and other devices are you using? What is your procedure? What do adepto logs say?

BTW, all of the above should be going into your case log as you are doing an investigation.  Some of the information should go onto an Acquisition Document. 
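
The two checks described in the Helix post above (scan the kernel log for uncorrectable read errors, and compare the restored copy against the acquisition hash), as an added example that is not part of the original post or of Helix/adepto. The function names, the sample log lines and the sample image bytes are constructed for illustration; the example also covers one further cause of mismatch the post does not mention, a destination drive larger than the image, by hashing only the first image-size bytes of the restored device.

```python
import hashlib
import io
import re

# Legacy IDE driver read-error format, as quoted in the post above.
READ_ERR = re.compile(
    r"kernel: (?P<dev>hd\w+): read_intr: error=0x[0-9a-fA-F]+ "
    r"\{(?P<flags>[^}]*)\}, LBAsect=(?P<lba>\d+), sector=(?P<sector>\d+)")

# Constructed sample data (not from a real case).
SAMPLE_LOG = [
    "Feb 27 07:01:12 helix kernel: hdc: read_intr: status=0x59 { DriveReady Error }",
    "Feb 27 07:01:12 helix kernel: hdc: read_intr: error=0x40 { UncorrectableError }, LBAsect=98823, sector=98759",
    "Feb 27 07:01:15 helix kernel: usb 1-1: new high speed USB device",
]
IMAGE = b"\x00" * 4096 + b"evidence" * 512  # stands in for the acquired image

def find_read_errors(log_lines, device=None):
    """Return (device, LBA, sector) for every uncorrectable read error logged."""
    hits = []
    for line in log_lines:
        m = READ_ERR.search(line)
        if m and "UncorrectableError" in m.group("flags"):
            if device is None or m.group("dev") == device:
                hits.append((m.group("dev"), int(m.group("lba")), int(m.group("sector"))))
    return hits

def hash_stream(fileobj, length=None, algo="sha256", chunk_size=1 << 20):
    """Hash fileobj in chunks; with length set, hash only the first `length` bytes."""
    h = hashlib.new(algo)
    remaining = length
    while remaining is None or remaining > 0:
        chunk = fileobj.read(chunk_size if remaining is None else min(chunk_size, remaining))
        if not chunk:
            break
        h.update(chunk)
        if remaining is not None:
            remaining -= len(chunk)
    return h.hexdigest()

def check_restore(acquired_hash, image_size, restored, log_lines, device=None):
    """Compare a restored copy with the acquisition hash and list logged read errors."""
    actual = hash_stream(restored, length=image_size)
    return {"match": actual == acquired_hash.lower(), "restored_hash": actual,
            "read_errors": find_read_errors(log_lines, device)}

if __name__ == "__main__":
    acquired = hashlib.sha256(IMAGE).hexdigest()
    bigger_drive = io.BytesIO(IMAGE + b"\xff" * 1024)  # restore target larger than image
    print(check_restore(acquired, len(IMAGE), bigger_drive, SAMPLE_LOG, "hdc"))
```

The returned dictionary holds the kind of detail the post says belongs in the case log: the hash actually computed, whether it matched, and any sectors the kernel reported as unreadable.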
© 2013 The Ethical Hacker Network