EH-Net
Show Posts
|
31
|
Ethical Hacking Discussions and Related Certifications / Network Pen Testing / Re: Privilege excalation
|
on: August 22, 2010, 04:20:25 PM
|
|
So this won't work every time, but you need to rescan the box for vulnerable services from the unprivileged shell. Especially for legacy services, you may note that a favorite vendor "fix" is to tell you to firewall the service so it can't be hit from outside. If you got on the machine, you are now on the trusted network... whack away!
On *nix don't forget to look at cron jobs, shell scripts, and setuid binaries that shouldn't be. If you have limited sudo, try things like ed, vi, cat, cp. All those can be used to replace configs and give you root.
Last, remember that you don't have to be root to get valuable information. If on a db server, I really want the db, mail server == mail...
|
32
|
Resources / News from the Outside World / Probation? Are you kidding?
|
on: August 17, 2010, 05:42:46 PM
|
I have to say that this really gets my goat. This guy figures out how to clone gift cards and does so on a regular basis. People get screwed out of money they put on gift cards (this is NOT a victimless crime). People who commit this type of crime need to be taught a real lesson. While the damages were in the range of $6,000, this cost MUCH more than that to track down. Additionally, it isn't like he'd have stopped. I don't think I know someone his age who didn't get at least six months probation for petty shoplifting. Then this clown gets 18 months probation for this AND a DUI? What the heck???
Police Detective Michael Hanada said the Beaverton man's technique was one he'd rarely seen before, and hasn't been seen since Zepeda used it in early 2009.
Well, after reading this, I'm pretty sure we'll see more of it. Especially since the precedent for non-deterrence has been set.
http://www.tomsguide.com/us/Sealtiel-Chacon-Zepeda-Gift-Card-Cyber-Crime-Fraud-crime,news-7780.html
|
33
|
Resources / News from the Outside World / Re: Google Briefly Punishes Oracle by Removal from Google Search
|
on: August 17, 2010, 05:37:10 PM
|
|
Sorry guys, I take another approach on this one. I think that Oracle has taken an indefensible stance on the lawsuit over Android's use of Java. The fact that it was only done briefly (and silently) makes it seem juvenile. On the other hand, if they just came out with the big middle finger, I'd be all for it. I was a big Sun supporter, including doing some work on OpenSolaris related software and I'm more than a little pissed that Oracle took the anti-open source stance this month. The Android gripe is just another side of the same coin.
|
34
|
Ethical Hacking Discussions and Related Certifications / OSCP - Offensive Security Certified Professional / Re: Anyone did OSCE (CTP) ?
|
on: August 17, 2010, 05:32:28 PM
|
|
I start on the 29th, so I'll be sure to try to fill in the blanks as I go. I haven't done OSCP, so taking on the OSCE was a little intimidating. I finally decided that I had enough interest in the topic to invest the time and enough background to not be wasting my money, so I bit the bullet and went for it. I'll post back by mid September and let you know if I think it was a mistake.
If anyone can share some insight (besides what's in the syllabus), please do so. I've already paid, so I'm stuck, but I would like to know about others' experiences.
I made the decision after hearing the same thing as MaXe said echoed by everyone who had taken the course (I won't regret it).
|
37
|
Ethical Hacking Discussions and Related Certifications / Other / Re: DefCon: What I liked and didn't like
|
on: August 09, 2010, 06:39:24 PM
|
|
I'll add to the sentiment that there were too many people for the Riv. DEFCON either needs a new location next year or it needs to pre-sell tickets and limit numbers (like ShmooCon). Personally, I'm all for a new location.
So H1t M0nkey, I agreed with some of your picks and I didn't get to see the last two. I wasn't very impressed with the Malware Freak Show. Compared to many of the folks there, these guys were stellar presenters but the content was a little weak. Of course, I may be biased since I work in malware all the time, but I thought it was lacking.
The Nmap scripting engine talk was good. Hardware hacking for the software guys convinced me to put an Arduino board on my Christmas list. The GSM talk was great. I wanted to see the "Powershell: OMFG" talk, but couldn't get in the room. I don't see those slides on the CD. Does anyone know where they are posted?
The Android rootkit talk was a little weak in that they basically described how they built a Linux rootkit. The droid specific stuff took less than 10 minutes.
The most memorable talks by far were "How I met your girlfriend" where the speaker talked about merging web hacking with the real world and "My life as a spyware developer." While the latter was a little light on tech, the guy presented well and it was well put together.
|
38
|
Ethical Hacking Discussions and Related Certifications / Other / Re: Cornell 'Spider'
|
on: August 09, 2010, 05:37:59 PM
|
|
Sil brings up a great point. I LOVE open source software for home use. I'm not a fan for work use. It's been my experience I spend more time dealing with build problems, updates, broken features, etc. than is worth it to save the cost (not to mention they usually have a smaller feature set).
If you are planning to use anything with version 0.2.2 for your DLP, just tell management to plan on dedicating something close to an FTE to fully support it. That makes the pill of the licensing cost of commercial software easier to swallow. If on the other hand management wants to get involved with the project (name recognition in the community, whatever), more power to them and you for supporting it.
Just remember, using open source software isn't really free....
|
40
|
Ethical Hacking Discussions and Related Certifications / General Certification / Anyone taken GREM (the cert)?
|
on: July 17, 2010, 09:55:53 AM
|
I've talked to a lot of people who have taken the SANS-610 course and I have looked through the material. I was curious if anyone has taken the exam (the more recently the better, I figure they have added content for the fifth day). I have been doing malware RE for a few years now and I think I'm pretty knowledgeable. I've got more than a passing familiarity with IDA Pro and Olly which seem to be used in the course. I did some web programming a couple of years ago so I know some of the nasty things that can be done there. I guess my question to anyone who's taken the exam is how difficult was it and what was your experience going in? I'd be challenging the cert, out of pocket, so I don't want to blow it. OTOH, I've spent way too much time studying for some other exams... I read through the very small objective list here, but honestly it seems pretty non-descriptive when compared to some of the other SANS certs.
http://www.giac.org/certbulletin/grem.php
Thanks in advance for any insight you can provide.
|
41
|
Ethical Hacking Discussions and Related Certifications / Compliance, Regulations & Standards / Re: Recommended Security/Encryption suite
|
on: July 06, 2010, 06:38:39 PM
|
|
I'm with Sil on using Voltage. They simplify key management and data recovery, which will be your biggest concerns in any company of more than say five employees... A truly stable PKI implementation for a company of your size will cost a LOT to deploy in terms of man hours. I have to assume that you have a full time job before trying to develop and deploy a PKI so something that is more or less plug and play is probably your best option (as it doesn't sound like you have enough people to justify a consultant to deploy the infrastructure for you).
Whatever you do, don't cut corners. A bad PKI design likely makes your information MORE vulnerable. People start to consider all critical information being encrypted as a mitigating factor for other vulnerabilities (which it really isn't). Then people leave holes open that they wouldn't otherwise. Bad situation all around.
Good luck.
|
42
|
Ethical Hacking Discussions and Related Certifications / Other / Re: CREA - GPEN or GREM
|
on: June 26, 2010, 07:10:59 PM
|
|
I haven't taken GREM so I can't speak to that (yet). Although I am getting ready to challenge it so I can mentor a course in my area. I did pass the CREA after taking the accompanying InfoSec Institute course. InfoSec and IACRB have the same type of relationship as SANS/GIAC (just so you know).
Several people I work with have taken the GREM course and some of us have taken the InfoSec course. I've had a chance to look at the material for both. The GREM seems to focus a LOT on dynamic analysis and not much on actual reversing. The CREA does require you to reverse engineer a binary. That being said, the InfoSec course sucked. The material was not QC'd like I see at SANS courses. The only thing that kept the course going was the knowledge of the contract instructor (who was clearly disappointed with the state of the material).
The people I work with that went to the SANS course can't come back and do reverse engineering. The people who attend the InfoSec course can at least hit the ground running (although they complain about the material). Many of the InfoSec labs are centered on cracking, but I guess you are doing RE when cracking an application. The rest of the course is largely based on the "Reversing" book you can buy on Amazon.
If you have the money, I'd do the SANS course. Neither course will really teach you reversing but the SANS course is better structured.
|
43
|
Resources / News from the Outside World / Re: Google Dropping Windows For Internal Use
|
on: May 31, 2010, 11:42:45 PM
|
|
I'm with you guys. I think this is sensationalist journalism at its best (or at least as good as it gets when it comes to technical topics). I strongly suspect the original article uses selective quoting quite liberally (where they only publish quotes from sources that support the article without acknowledging competing viewpoints). Bad journalism.