EH-Net
Show Posts
31  Ethical Hacking Discussions and Related Certifications / Other / Re: Air Force Halts Cyber Command Program on: August 14, 2008, 08:26:05 AM
I think the main issue was that the Air Force was making a power grab to own all CyberSecurity, whereas the Navy and Army with their own Cyber groups had a slight problem with that.
32  Ethical Hacking Discussions and Related Certifications / Web Applications / Re: Web Application Vulnerability Scanner on: August 12, 2008, 05:35:50 PM
I was really impressed with HP WebInspect, it did everything I was looking for. But I'm still evaluating right now, so far all I've compared it to was Acunetix, which I thought was a real value for how cheap it is. The trial version only includes 2 of the many modules it has, but I'm sure you know that.
33  Ethical Hacking Discussions and Related Certifications / Other / Re: Blackhat 2008 on: August 12, 2008, 03:41:32 PM
Haha, yeah I was at something that lasted till 11:30 that night and I didn't know if y'all would still be there. I should have gone over just in case, oh well next year I will have to make it for sure. And for the record, I'm a big fan of all beer, especially free German beer.
34  Ethical Hacking Discussions and Related Certifications / Other / Blackhat 2008 on: August 12, 2008, 02:18:05 PM
So my first Blackhat is in the books. I thoroughly enjoyed it and got to learn quite a bit and get some networking done as well. My only two complaints would be first, that it was completely overcrowded on the 4th floor and that made getting to a session very difficult. The second being that classic conference paradox. A lot of the great topics with new material were presented by people with poor public presentation skills, whereas a lot of the great speakers presented either old stuff or no real useful content. That aside it was a hoot.

I started the week attending a Malware Analysis class by Mandiant which was excellent. They basically crammed a 4 day course into 2 days, so it moved very quickly and had lots of content and labs. The teachers were extremely knowledgeable and were able to convey the material well. My only complaint would be that they should have spent more time on OllyDbg, but with the labs I can do that on my own time. They did spend extensive time using IDA Pro, which helped me understand assembly code structures much better. I would highly recommend this course.

The first keynote speech by Ian Angell was very funny, but essentially preached an anti-technology message which I think is mostly pointless considering the techno-geek audience. He did have some really fascinating quotes though. My first presentation was Bad Sushi: Beating Phishers at Their Own Game. While presenting nothing new, they did provide much comedy and insight into how spammers routinely try to rip each other off. They also showed an insane toolkit that traffics in the spam underground that basically contains knock-off sites for every large bank in the world. Of course the next session was the highly anticipated DNS Goodness by Dan Kaminsky. This has already been covered to death, so I will only add that it was worth the wait and Dan is the man. Next I attended The Four Horsemen of the Virtualization Security Apocalypse by Chris Hoff. This was probably the most useful and timely presentation I attended. Chris is a good speaker and I enjoyed how he detailed the current shortcomings of virtualization, while also pointing out VM myths as well. In a nutshell, the HA functionality is not there to do anything more than server/desktop virtualization. Beyond that, you are rolling the dice with your availability and network capacity. After that I hit up Bruce Potter's presentation on Malware Detection Through Network Flow Analysis. This guy is a bad ass and a very good speaker, but he provided nothing relevant in his talk, unless you didn't know NetFlow existed. My last session of the day was Reverse DNS Tunneling Shellcode by Ty Miller. Ty debuted his DNS tunneling tool and also a very cool project to create a consolidated framework for shellcode. Once it gets up and running, check it out at http://projectshellcode.com/. I liked his talk a lot, especially how he demonstrated various attacks through a corporate DMZ. The day ended with beer and pizza, yay!!

Leading off the second day was a keynote by Rod Beckstrom of the newly created NCSC. His talk was very interesting and had a historical twist to it. I agree with him 10 million percent that the best chance to make a significant security impact is to upgrade our protocols, which are mostly outdated. My first session of the day was No More 0-days by Ohad Ben-Cohen. He showed off a cool new tool called Korset, which will basically create a control flow graph for any Linux compiled binary which prevents anything out of the ordinary from occurring. I like this technology and would like to see it integrated into a Windows-based AV suite. My only issue with the tool is that it only works based off system calls and doesn't check parameters. So it would be easy to circumvent by creating your own CFG and passing malicious parameters. Very good work though. My second talk of the day was Visual Forensic Analysis and Reverse Engineering of Binary Data by Greg Conti and Erik Dean. They debuted 2 new cool tools aimed at shortening the time it takes to inspect a huge file at the hex level. Basically it helps you quickly find areas of interest in a file, as well as lending itself to repeating patterns that can be used in the future once identified. Next I attended Secure the Planet! New Strategic Initiatives from Microsoft to hear the latest from Redmond. I only heard the first half, but they are expanding their vulnerability research efforts to include 3rd party products and adding an exploitability index to their Black Tuesday reports. I LOL'd when they referred to Black Tuesday as something stupid like feature upgrade day. I had to cut this meeting short to head over to Deobfuscator: an Automated Approach to the Identification and Removal of Code Obfuscation by Eric Laspe and Jason Raber. It's a much-needed IDA Pro plugin that can save us tons of time.

I wrapped up the conference by listening to Bruce Dang's talk on Methods for Understanding Targeted Attacks with Office Documents. Bruce is smart as hell, but talked way too fast. He walked through a few of the Office document headers and structure and demo'd an attack. Also, he did mention that many of the current attacks could be avoided by either installing MOICE, Office 2K3 SP3, or Office 2K7.

On Friday, I was able to make it to most of Defcon. Those badges are freaking sweet. The talks there were mostly the same, but had a much more relaxed, less corporate feel. For only 125 bucks, Defcon is a steal when compared to 1500 for Blackhat. That's all for now and back to your regularly scheduled programming.
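The Korset remark in the trip report above (a model built from system calls only, with no view of their parameters) is easy to see in code. The following is an added illustration, not Korset's code or anything from the talk: a toy syscall-sequence model learned from a constructed "known-good" trace, and a separate argument-aware check of the kind that closes the gap. All traces, hosts and paths below are constructed for the example; a real implementation would feed it with strace or audit output and could enforce the argument policy with seccomp-bpf argument filters.

```python
"""Toy syscall-sequence model vs. an argument-aware policy.

Added example for the Korset discussion; not the tool's own code.
Every trace below is constructed by hand, not captured from a system.
"""
from typing import Iterable, List, Optional, Set, Tuple

Syscall = Tuple[str, str]  # (syscall name, human-readable argument summary)

# Constructed trace of a well-behaved program: read a config, talk to one server, exit.
GOOD_TRACE: List[Syscall] = [
    ("openat", "/etc/app.conf"),
    ("read", "fd=3"),
    ("close", "fd=3"),
    ("socket", "AF_INET"),
    ("connect", "10.0.0.5:443"),
    ("write", "fd=4"),
    ("close", "fd=4"),
    ("exit_group", "0"),
]


def build_transition_model(trace: Iterable[Syscall]) -> Set[Tuple[str, str]]:
    """Learn the allowed (previous, next) syscall-name pairs from a trusted trace.

    Only the names are used, which mirrors a model that has no view of arguments.
    """
    names = ["<start>"] + [name for name, _ in trace]
    return {(prev, nxt) for prev, nxt in zip(names, names[1:])}


def first_sequence_violation(model: Set[Tuple[str, str]],
                             trace: Iterable[Syscall]) -> Optional[int]:
    """Index of the first syscall whose transition is not in the model, else None."""
    prev = "<start>"
    for i, (name, _args) in enumerate(trace):
        if (prev, name) not in model:
            return i
        prev = name
    return None


def first_argument_violation(trace: Iterable[Syscall],
                             allowed_connect_hosts: Set[str]) -> Optional[int]:
    """Argument-aware check: index of the first connect() to a host outside the
    allowed set, else None. This is the dimension a name-only model cannot see."""
    for i, (name, args) in enumerate(trace):
        if name == "connect":
            host = args.rsplit(":", 1)[0]
            if host not in allowed_connect_hosts:
                return i
    return None


# Constructed deviation 1: an extra syscall that is not part of the learned graph.
UNEXPECTED_CALL_TRACE: List[Syscall] = GOOD_TRACE[:3] + [("execve", "/bin/sh")] + GOOD_TRACE[3:]

# Constructed deviation 2: identical syscall sequence, only the connect() target differs.
SAME_SEQUENCE_OTHER_HOST: List[Syscall] = [
    (name, "203.0.113.9:443" if name == "connect" else args) for name, args in GOOD_TRACE
]

if __name__ == "__main__":
    model = build_transition_model(GOOD_TRACE)
    print("unexpected execve, sequence model flags index:",
          first_sequence_violation(model, UNEXPECTED_CALL_TRACE))
    print("other host, sequence model flags index:",
          first_sequence_violation(model, SAME_SEQUENCE_OTHER_HOST))
    print("other host, argument policy flags index:",
          first_argument_violation(SAME_SEQUENCE_OTHER_HOST, {"10.0.0.5"}))
```

The sequence model catches the trace that introduces a syscall the program never made, but passes the trace whose only difference is the connect() destination; the argument policy is what catches the second case. That is exactly the gap the post describes, and why a sequence model is best paired with argument-level controls rather than used alone.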
35  Ethical Hacking Discussions and Related Certifications / Hardware / Re: Did anyone hear Hoff's preso at BH? on: August 11, 2008, 03:15:54 PM
Yeah I caught that one as well. The Four Horsemen of the Virtual Apocalypse. That line got some good laughs. He pointed out some VM myths about inter-VM traffic as well as painted a very scary picture of vendors' roadmap for pushing virtual networking. I would have to agree with him in that it is a bad idea, due to HA and capacity issues.
36  Ethical Hacking Discussions and Related Certifications / Malware / Re: Kaminsky's DNS @ Black Hat on: August 11, 2008, 12:17:09 PM
I was able to get a seat by leaving the previous talk early and heading there. Dan was over-caffeinated and giddy as hell. The room was extremely packed and energized. The main gist of the talk was that DNS is integrated into everything you do on the internet. He highlighted SSL issues specifically and explained really well how the flaw works in a variety of fashions.
37  Ethical Hacking Discussions and Related Certifications / Other / Vista Rant on: August 01, 2008, 07:50:11 PM
So, I've been a lifelong user of Windows and Linux as a secondary OS. I've never been much of an early adopter, however once SP1 was available and I received a free copy of Vista Ultimate at an MS event, I said what the heck. Time for an upgrade. I could not have been more disappointed. Aside from running slower than XP, I suffered from occasional app crashes and for some reason my MS wireless keyboard likes to stop working. And of course, before you say it's a hardware issue, I'm running a Wolfdale 8500 with 4G of DDR2 and a 9600GT, which never has any issues when I boot to Ubuntu. So as much as I tried to polish it, after 6 months of usage I'm declaring Vista a turd.

Anyone else have similar experiences? I know some people love it, some people hate it. I'm starting to think the Vista sunshine pumpers are only trying to justify the cash they paid for it. I for one am downgrading to XP, the only loss IMO is losing DX10 support and the improved photo gallery.
38  Ethical Hacking Discussions and Related Certifications / Network Pen Testing / Re: So you want to learn hacking? on: August 01, 2008, 01:59:19 PM
Great post. That's a cool site, thanks for the link.

I would have to describe the difference in philosophy of HD and the General as one who thinks about design security vs. implementation security. It's kind of a lame analogy, but follow me on this. HD or any other pen tester out there, is primarily involved down in the weeds doing actual red team work. They are the ones exposed to the actual implementation, and constantly see that it's not some elite exploit that gets them in, but careless mistakes or just plain dumb implementations. Now consider the same instance from the General's view point. He is a high level guy. His guys tell him everything is patched, so the only way someone is breaching his network is via an unknown exploit, as far as he is concerned. So you see the difference between the real world on the front lines, and the high level check-box mentality.
39  Ethical Hacking Discussions and Related Certifications / Malware / Re: Injecting Virus in pics... on: August 01, 2008, 10:34:44 AM
Most of the stuff I've seen revolves around buffer overflows that occur when images (GIF, ANI, etc.) are processed and shellcode is tacked on. I believe with the onload function in JavaScript and probably ActiveX as well, you can have whatever you want executed when the image is loaded on the page.
40  Features / Book Reviews / Book Review: Real Digital Forensics on: August 01, 2008, 10:15:05 AM
In continuing my tradition of reviewing books that are 2 or 3 years old, I have recently finished reading Real Digital Forensics by Keith Jones, Richard Bejtlich, and Curtis Rose. Yeah, I hate paying full price for a new book, but mostly it's because I buy so many books that by the time I get around to actually reading them, it's been a few years :-). Now on to the review.

With this group of experienced authors, it's hard to imagine the book not being a success. While not spectacular, this book is very solid and fairly easy to read. I would have to say for someone looking to attend the SANS hacking and forensic courses, this book could easily fill the gap and save you thousands of dollars. One thing I really liked was that they did not waste time on any fluff chapters about the history of whatever, they just jumped right into the material. They also made it a point to show the differences between incident response on *nix vs. Windows. All the chapters that focused on analysis and response were dead on. They included great case data on the book DVD, which helps you work through the sample cases as well. That is a huge feature that needs to become standard in security books, where feasible. Probably the standout feature of the book for me though, was their chapters on analyzing unknown binaries. By following along step by step through the cases, it helps turn something that is considered more of an art, into a science. They also include good coverage of doing a forensic analysis of a Palm device, and included the requisite chapters on email investigation, registry analysis, and browser forensics. One thing that I took note of during the book, was the chapter on building a response toolkit. They pointed out that you need to use Filemon to ensure none of your trusted tools access the victim's system for resources and instead are using libraries from your toolset. The authors also did a good job of showing both open source and commercial tools throughout the book.

Some of the things I didn't enjoy about the book were the coverage of duplication. But I guess you can't really do much with a topic that boring. Also, the chapter on domain ownership seemed more like a chapter on their DNS project, so it wasn't very useful. Other than that, I would have liked to have seen some coverage on cell phone forensics, which is becoming more mainstream.

Overall though this was a great book that I would recommend to anyone in the security field and also system administrators. The authors' knowledge of this subject is top notch and it's good to be able to glean information from them. Not to mention, you can gain a lot of practical experience by working through the example cases on the DVD. You can read my notes on the book here: http://www.cyberguardians.org/content/view/84/45/

Also, Don has a sample chapter posted: http://www.ethicalhacker.net/content/view/19/2/
41  EH-Net / Calendar Of Events / Re: EH-Net BH/Defcon Tweener Party on: July 30, 2008, 09:35:35 AM
Count me in. I haven't been able to be as active in the forums as I used to be due to a new job, but one of the benefits is BH & Defcon this year.

42  Resources / Tools / Re: Sysinternals Live on: June 13, 2008, 09:48:57 AM
This site should only be used as a download site. Using it to run the commands live on a regular basis is ludicrous.
43  Ethical Hacking Discussions and Related Certifications / Forensics / Re: "New" tool on: April 30, 2008, 06:52:30 PM
What exactly do they mean by "map hard drives"?
44  Ethical Hacking Discussions and Related Certifications / Malware / Re: Analysis of Kraken on: April 29, 2008, 09:36:36 AM
thanks for the link, it was a good read
45  Ethical Hacking Discussions and Related Certifications / Malware / Re: Patch Window on: April 28, 2008, 01:45:11 PM
It's kind of a Catch-22. Users want MS to have this scheduled Patch Tuesday so they can have time to prepare, but at the same time vulnerability researchers and exploit writers are gearing up to reverse the patches and write exploits on that day as well. There is no way around it that I can see.

On a side note, I've only seen time to patch get reduced in the last few years, however one hidden skeleton always rears its ugly head. Legacy code/apps that can't be patched without breaking. UGH!!!! And it's not just an MS thing either, other apps/vendors as well. Nobody ever seems to want to address this issue, as it's extremely costly to make the changes. They just keep accepting the risk and kicking the skeleton back into the closet. My advice in this situation, is to track legacy systems just like you do PCI/SOX systems. They require extra monitoring and safeguards as well.