Ethical Hacker Community Forums

December 01, 2008, 03:43:16 PM

Show Posts
31

Ethical Hacking Discussions and Related Certifications / Malware / Re: Kaminsky's DNS @ Black Hat

on: August 11, 2008, 12:17:09 PM

I was able to get a seat by leaving the previous talk early and heading there. Dan was over-caffeinated and giddy as hell. The room was extremely packed and energized. The main gist of the talk was that DNS is integrated into everything you do on the internet. He highlighted SSL issues specifically and explained really well how the flaw works in a variety of fashions.
32

Ethical Hacking Discussions and Related Certifications / Other / Vista Rant

on: August 01, 2008, 07:50:11 PM

So, I've been a lifelong user of Windows, with Linux as a secondary OS. I've never been much of an early adopter; however, once SP1 was available and I received a free copy of Vista Ultimate at an MS event, I said what the heck. Time for an upgrade. I could not have been more disappointed. Aside from running slower than XP, I suffered from occasional app crashes, and for some reason my MS wireless keyboard likes to stop working. And of course, before you say it's a hardware issue, I'm running a Wolfdale 8500 with 4G of DDR2 and a 9600GT, which never has any issues when I boot to Ubuntu. So as much as I tried to polish it, after 6 months of usage I'm declaring Vista a turd.
Anyone else have similar experiences? I know some people love it, some people hate it. I'm starting to think the Vista sunshine pumpers are only trying to justify the cash they paid for it. I for one am downgrading to XP; the only loss IMO is losing DX10 support and the improved photo gallery.
33

Ethical Hacking Discussions and Related Certifications / Network Pen Testing / Re: So you want to learn hacking?

on: August 01, 2008, 01:59:19 PM

Great post. That's a cool site, thanks for the link.
I would have to describe the difference in philosophy between HD and the General as one who thinks about design security vs. implementation security. It's kind of a lame analogy, but follow me on this. HD, or any other pen tester out there, is primarily involved down in the weeds doing actual red team work. They are the ones exposed to the actual implementation, and constantly see that it's not some elite exploit that gets them in, but careless mistakes or just plain dumb implementations. Now consider the same instance from the General's viewpoint. He is a high-level guy. His guys tell him everything is patched, so the only way someone is breaching his network is via an unknown exploit, as far as he is concerned. So you see the difference between the real world on the front lines, and the high-level check-box mentality.
35

Features / Book Reviews / Book Review: Real Digital Forensics

on: August 01, 2008, 10:15:05 AM

In continuing my tradition of reviewing books that are 2 or 3 years old, I have recently finished reading Real Digital Forensics by Keith Jones, Richard Bejtlich, and Curtis Rose. Yeah, I hate paying full price for a new book, but mostly it's because I buy so many books that by the time I get around to actually reading them, it's been a few years :-). Now on to the review. With this group of experienced authors, it's hard to imagine the book not being a success. While not spectacular, this book is very solid and fairly easy to read. I would have to say for someone looking to attend the SANS hacking and forensic courses, this book could easily fill the gap and save you thousands of dollars. One thing I really liked was that they did not waste time on any fluff chapters about the history of whatever; they just jumped right into the material. They also made it a point to show the differences between incident response on *nix vs. Windows. All the chapters that focused on analysis and response were dead on. They included great case data on the book DVD, which helps you work through the sample cases as well. That is a huge feature that needs to become standard in security books, where feasible. Probably the standout feature of the book for me, though, was their chapters on analyzing unknown binaries. By following along step by step through the cases, it helps turn something that is considered more of an art into a science. They also include good coverage of doing a forensic analysis of a Palm device, and included the requisite chapters on email investigation, registry analysis, and browser forensics. One thing that I took note of during the book was the chapter on building a response toolkit. They pointed out that you need to use Filemon to ensure none of your trusted tools access the victim's system for resources and instead are using libraries from your toolset. The authors also did a good job of showing both open source and commercial tools throughout the book.
One thing I didn't enjoy about the book was the coverage on duplication. But I guess you can't really do much with a topic that boring. Also, the chapter on domain ownership seemed more like a chapter on their DNS project, so it wasn't very useful. Other than that, I would have liked to have seen some coverage on cell phone forensics, which is becoming more mainstream. Overall, though, this was a great book that I would recommend to anyone in the security field and also system administrators. The authors' knowledge of this subject is top notch and it's good to be able to glean information from them. Not to mention, you can gain a lot of practical experience by working through the example cases on the DVD. You can read my notes on the book here: http://www.cyberguardians.org/content/view/84/45/
Also, Don has a sample chapter posted: http://www.ethicalhacker.net/content/view/19/2/
37

Resources / Tools / Re: Sysinternals Live

on: June 13, 2008, 09:48:57 AM

This site should only be used as a download site. Using it to run the commands live on a regular basis is ludicrous.
40

Ethical Hacking Discussions and Related Certifications / Malware / Re: Patch Window

on: April 28, 2008, 01:45:11 PM

It's kind of a catch-22. Users want MS to have this scheduled Patch Tuesday so they can have time to prepare, but at the same time vulnerability researchers and exploit writers are gearing up to reverse the patches and write exploits on that day as well. There is no way around it that I can see. On a side note, I've only seen time to patching get reduced in the last few years; however, one hidden skeleton always rears its ugly head: legacy code/apps that can't be patched without breaking. UGH!!!! And it's not just an MS thing either, other apps/vendors as well. Nobody ever seems to want to address this issue, as it's extremely costly to make the changes. They just keep accepting the risk and kicking the skeleton back into the closet. My advice in this situation is to track legacy systems just like you do PCI/SOX systems. They require extra monitoring and safeguards as well.
41

Features / Book Reviews / Book Review: Virus Research & Defense

on: April 16, 2008, 11:53:07 AM

I recently finished reading The Art of Computer Virus Research and Defense, and believe me, that was no small task. It's easily one of the more technical books you will read. That's a tribute to the author, Peter Szor, who in my opinion is one of the founding fathers of malware analysis. His knowledge on this subject is immense. To get the most out of the book, though, you would be advised to have at least a basic understanding of C++ code, IA32 assembly, and Windows APIs. It would be even better if you had some debugging and malware profiling experience. The book's aim is to provide a thorough understanding of viruses by type, infection strategy and payload strategy, while explaining antivirus techniques and mitigation options.
Before I delve into the content too much, I would like to touch on some of the shortfalls of the book. First off, it's not written in a traditional manner that could be easily used as a reference. It very much reads like a wiki or personal notes, which it is in effect; however, that doesn't make for easy reading. I also felt the first 3 chapters took up way too much space, which could have been used for more productive topics. I particularly hated Chapter 3, where every virus type and dependency is simply listed out in no cohesive manner. My only other complaint would have to have been to limit the discussion of older, non-relevant viruses to a concept only and focus more on a deeper understanding of more current threats. I would like to have seen several in-depth case studies in the appendix (CodeRed, Sasser, Blaster, Bagel, Slammer, etc.). I also wish it came in hard cover, because my paperback binding is already in shambles from frequent page turning and rereading :-)
On to the good stuff. Chapter 4's discussion of Win32 viruses and coverage of the PE format was great. It helped me understand things quite a bit better, and had lots of code and memory visuals to look at. It's probably the best section in the first half of the book. His coverage of in-memory strategies was also excellent and shows how malware can be read from memory after being injected in a process thread. I always wondered how heavily encrypted viruses were broken and now I know. They simply step through the code with a debugger until it's decrypted in memory and then they dump it. That led to another great section on malware defense techniques. Sophisticated malware will actually put timers into the code so that it will know if someone is running it through a debugger line by line. The book also touches on poly- and metamorphic shellcode and the type of heuristics that can be used to detect them. There is also a dedicated chapter on worms that is okay, and a really great chapter on exploits, vulnerabilities, and buffer overflows that is filled with all kinds of knowledge. The book also made me aware of a type of buffer overflow I hadn't known before: the "return-to-LIBC attack", where an overflow of the stack is done, but merely to pass malicious options to legitimate API calls, which is really hard to detect because there is no stack or heap execution. The second half of the book, Chapters 11-15, was just awesome. There were many strategies listed for dealing with worms via network controls. I particularly enjoyed Chapter 15, where he covered malicious code analysis using a defined methodology and mostly freely available tools. I also liked his advice on creating a sandbox with a honeyd and DNS server to virtualize network interaction. There is also much more coverage of heuristic functions, which can aid in profiling malware, as well as a great section on memory scanning and disinfection.
It exposed me to a lot of the built-in API commands that you can use to identify and remove viruses from memory.
There are almost too many great things to mention in the second half of the book, as mine is heavily highlighted, so you will definitely need to read it for yourself. I think this book, even being 3 years old now, still fills a niche in the market that no other book does. If you deal with malware on a weekly basis, I would recommend adding it to your library.
43

Ethical Hacking Discussions and Related Certifications / Certification / Re: Certification Courses/boot camps

on: March 03, 2008, 09:23:12 AM

I think the skill level in any given course is completely random and dependent on who decides to attend.
I will tell you one thing: if you are in a course with a bunch of "bad asses", take full advantage of it. That is the best possible situation to be in. You learn the most from being around people that know more than you. Ask tons of questions. You paid for the course, so take full advantage of it and never think twice about slowing down the class to make sure you understand something.
From my experience there tend to be two main ends of the spectrum for types of attendees. People that are loudmouths that tend to state their opinion or conjecture as facts and try to dominate the class. They often have pony tails (Sorry, couldn't help it! :-) ). Then there are the quiet guys, who contain a vast wealth of knowledge, but you have to pry it from them.
44

Ethical Hacking Discussions and Related Certifications / Other / Re: Resume Building

on: February 25, 2008, 11:18:59 AM

I almost think you need two resumes, not based on job goals, but by who is looking at it. One resume is for initial contact and the HR screen. This one would be heavily cert-based, briefer, and contain lots of BS buzzwords/keywords. This really happened to me when a recruiter redesigned my resume and it was like all certs and very little substance. It was hilarious but also sad, knowing how bogus certs are to begin with. The second resume would be more focused on your accomplishments, work history, and targeted skill sets. This would be the one you actually use in the interview with mgmt/peers after you've made it past the HR/recruiting goons.
Thanks for the tip on adding a few key certs to your name. This seems way less tacky (necessary, but still tacky) than listing out every cert you have in the opening paragraph/heading of a resume.