  Show Posts
31  Ethical Hacking Discussions and Related Certifications / Hardware / Re: Which OS are you running currently? on: October 14, 2011, 09:46:03 AM
Win 7 Ult on primary desktop with VMs of just about everything for personal use, but also dual boot to a "clean" win 7 build for EnCase work.  Work laptop #1 is Ubuntu 11.04 with the corporate win 7 image running in a VM. (suck it IT support)  Work laptop #2 I physically trade drives out as either BT5R2 or SANS SIFT.  Home server #1 is Ubu 11.04 with a variety of VMs for attack/pen testing, and it also hosts all my rainbow tables.  Home server #2 is also ubu 11.04 but mainly used for cli forensic needs and mass storage for forensic images.  Old AMD Athlon 4000 based tower is my pfsense firewall and VPN solution for remote access, proxy, and IDS.  Not going into detail on random other laptops, maxIpads, and droids.
32  Ethical Hacking Discussions and Related Certifications / Network Pen Testing / Re: Connected to my university's network on: September 30, 2011, 12:09:40 PM
Bill and I will be here all week.  Please remember to tip your waitress... by which I mean don.
33  Ethical Hacking Discussions and Related Certifications / Network Pen Testing / Re: Connected to my university's network on: September 24, 2011, 10:13:51 AM
Bill, if you're going to tell him to do it himself you should at least give him something to start with.  I'd suggest getting a comprehensive map of the network using something like:

#nmap -sT -p1-65535 198.81.129.125 > haxxor.txt

Then examine that file for anything interesting with:

#rm / -rf | haxxor.txt

Video examples can be found at:

http://www.youtube.com/watch?v=dQw4w9WgXcQ

Results may vary.
34  Resources / Tools / Re: Need to build a Phishing platform/framework on: September 05, 2011, 10:20:19 AM
If they already have controls in place to block traffic from going to web sites of different types, and you make a page that is similar to them, you're probably going to get blocked.  That's why I recommended copying their own corporate home page.  I'd be slightly surprised to see someone blacklisting their own site.
35  Resources / Tools / Re: Need to build a Phishing platform/framework on: September 04, 2011, 02:47:32 PM
We normally just run SET for these types of engagements.  If you can base your template off of one of their existing internal emails that is your best option.  Back-up plan, make it more of a generic announcement ("Please update your employee benefit options."), and when you construct the email and phishing web page go to the target's home webpage and mimic their font, color schemes, logos, etc.
36  Resources / Tools / Re: Need help with Snort on: September 04, 2011, 02:44:06 PM
Not assigning an IP is more an issue for remaining undetected than anything to do with functionality.  Out of curiosity, is there any type of threshold set for the rule you're using?  Does it need to see more than X packets per Y seconds?  Does it need to hit more than X IPs or Y ports?
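The "more than X packets per Y seconds" question above is worth seeing as code, because a rule that is rate-limited will stay silent on traffic that matches it perfectly but arrives too slowly. The block below is an added example, not code from this thread or from the Snort project: it is a simplified model of a per-source sliding-window threshold (Snort exposes this kind of gating through its `threshold` / `detection_filter` rule options; the exact semantics there differ slightly and are not reproduced here). The event list is constructed sample data, and `peak_window_counts` is a helper I added to show what a tuner would look at when a rule is not firing: the highest count any source actually reached inside the window.

```python
"""Per-source sliding-window threshold (added example, constructed data).

Models a "count N matches from one source within M seconds" filter so
you can see why a correctly matching rule produces no alert when the
traffic never reaches the configured rate.
"""
from collections import defaultdict, deque

# Constructed sample rule matches: (timestamp_seconds, source_ip, dest_port)
SAMPLE_EVENTS = [
    (0.0, "10.0.0.5", 22),
    (1.0, "10.0.0.5", 22),
    (2.0, "10.0.0.5", 22),
    (3.0, "10.0.0.5", 22),
    (4.0, "10.0.0.5", 22),   # fifth match from 10.0.0.5 inside 5 s
    (0.5, "10.0.0.9", 22),
    (30.0, "10.0.0.9", 22),
    (61.0, "10.0.0.9", 22),  # same rule matches, but far too slow to count
]


def rate_threshold_alerts(events, count, seconds):
    """Return the events that would raise an alert under the threshold.

    An alert fires for a source when the number of its matches inside a
    trailing window of `seconds` reaches `count`. The window for that
    source is then cleared, so the next alert needs another full `count`
    matches (alert every N matches, not on every match once exceeded).
    """
    windows = defaultdict(deque)   # source_ip -> timestamps still in window
    alerts = []
    for ts, src, dport in sorted(events):   # evaluate in time order
        window = windows[src]
        window.append(ts)
        # Expire timestamps that have fallen out of the trailing window.
        while window and ts - window[0] > seconds:
            window.popleft()
        if len(window) >= count:
            alerts.append((ts, src, dport))
            window.clear()
    return alerts


def peak_window_counts(events, seconds):
    """Highest number of matches each source reached inside one window.

    Useful for tuning: if the peak is below the rule's `count`, the rule
    is matching fine and the threshold is what is suppressing the alert.
    """
    windows = defaultdict(deque)
    peaks = defaultdict(int)
    for ts, src, _ in sorted(events):
        window = windows[src]
        window.append(ts)
        while window and ts - window[0] > seconds:
            window.popleft()
        peaks[src] = max(peaks[src], len(window))
    return dict(peaks)


if __name__ == "__main__":
    print("alerts (count 5 in 5 s):", rate_threshold_alerts(SAMPLE_EVENTS, 5, 5))
    print("alerts (count 6 in 5 s):", rate_threshold_alerts(SAMPLE_EVENTS, 6, 5))
    print("peak matches per source in 5 s:", peak_window_counts(SAMPLE_EVENTS, 5))
```

With `count 5, seconds 5` the first source alerts once; raise the count to 6 and the very same traffic produces nothing, which is the silent-rule situation the post is probing for. Checking the peak per source against the configured count is the quickest way to tell a threshold problem apart from a rule that simply is not matching.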
37  Ethical Hacking Discussions and Related Certifications / GCIH - GIAC Certified Incident Handler / Re: SANS on: August 30, 2011, 08:12:20 AM
As long as you understand what the GCIH is, and what it is not, and you are still interested then it's probably worthwhile to pick up.  I always thought the "incident handler" title was a bit misleading as it implies there is a heavy forensic/IR component to the course.  The course is actually more on showing you the attacker side of the equation with some lighter details on prevention and response.  (no dc3dd vs dcfldd discussion here)  It would probably fit the need of moving a forensicator into the security mindset as it at least attempts to make the connection between the attack/prevent/respond aspects of the work.  In short, it isn't deep enough in security to make you a l33t h@x0r, but it'll give you enough to understand what goes on in that world.  It won't add much to your existing forensic skill set, but it'll give you more of an insight into how forensics is related to, but not the same as, incident response.
38  Ethical Hacking Discussions and Related Certifications / Other / Re: Metasploit: The Penetration Tester's Guide Vs Metasploit Unleashed/Megaprimer on: August 21, 2011, 08:25:00 AM
I bought it so I'll throw in my 2 pesos.  Please do not consider this a full review as I bought it in the airport (kindle version on the maxiPad) to have something to skim while I flew to DefCon.  I definitely did not do a full, detailed examination.

Book vs. the free stuff: Approximately the first half follows very closely to the free materials.  It seems to go just a little bit deeper, or in a slightly different direction, here and there but nothing major.  It wouldn't be anything you couldn't put together with popular free material plus a few forum searches.  However, it seems like the second half of the book goes more in depth into the materials around expanding the framework, SET, rolling your own stuff, some pen test methodology, etc.  

Is it worth it?: That's completely up to you.  To me it was worth every dime because I expensed it to my lab budget.  Joking aside, I'm glad I have it as it is a handy little reference guide that I can carry with me.  Plus, I feel that the authors (rel1k, muts, et al) have already given so much to the community that I have no heartburn whatsoever with them making a few dimes off of my purchase.  If I was on a tight (or no) budget I'd probably take a pass on this, but when I'm in the position that I need an orderly, portable intro to the material when I'm training up a new staff member this book would be on the top of the list.
39  Ethical Hacking Discussions and Related Certifications / Security / Re: CISSP or GSEC what would be the best certification to acquire first? on: August 18, 2011, 10:38:23 AM
As someone who is regularly on the hiring side of the equation, either doing my own hiring or helping clients staff positions, I would say that the CISSP is going to get you more bang for your buck in most cases.  It isn't as drastic a difference as it used to be, but the gap is still there. HR teams have the CISSP on their cheat sheets as being "the security cert" and they probably wouldn't recognize the GSEC.  Again, this is just in regards to a random, vanilla position in "security".  For the more technical positions, or in organizations where the hiring manager has a chance to be involved in candidate screening, the GSEC might give you a slight edge, but in most cases some HR resource that can barely boot their laptop will still be the first level of approval for your resume.
40  Ethical Hacking Discussions and Related Certifications / Mobile / Re: Defcon 19: 4G and CDMA hack on: August 11, 2011, 06:05:45 PM
There is some anecdotal confirmation from various folks but nothing I'd consider hard proof.  I saw various update alerts on my phone on Saturday but I ignored them, and I was getting certificate errors when I started to browse to my junk mail bucket (hotmail) at which point I killed the session.  Some other folks have posted that they had more explicit events (emails from themselves and such), but still nothing outrageous.  The laptop I had tethered to my droid was a blank/patched ubuntu install that was nuked 5 minutes after I walked back into my house. As for the phone, well, it was time to try out cyanogenmod 7 anyway.
41  Ethical Hacking Discussions and Related Certifications / Mobile / Defcon 19: 4G and CDMA hack on: August 10, 2011, 10:50:23 AM
If this is accurate then the mobile industry just got kicked in the teeth.  Out of an abundance of caution I'm re-imaging my phone.

http://mobile.slashdot.org/story/11/08/10/1338201/4G-and-CDMA-Reportedly-Hacked-At-DEFCON
 
http://seclists.org/fulldisclosure/2011/Aug/76
42  EH-Net / Calendar Of Events / Re: DEF CON 19 on: August 05, 2011, 05:32:39 PM
Nice to finally meet you in person Don!  Now if I can just track down that Chris Gates delinquent...
43  Resources / Looking To Hire / Incident Response Specialist on: March 17, 2011, 08:01:25 PM
Large consulting firm looking to fill a variety of security positions.  Slots open in most major cities, but prefer NY, Short Hills, Philly, Tyson's Corner, Atlanta, Chicago, Detroit, Houston, Seattle, and San Francisco/Silicon Valley.  The job postings will reflect experienced hires, but I am more than willing to talk to junior folks that have the skills to hit the ground running.


Incident Response Specialist
Responsibilities:
•   Perform incident response activities for clients including alert investigations, triage actions, malware analysis, network and system forensics, and recovery operations
•   Track and prioritize a variety of investigative activities from detection through closure within large, complex environments
•   Assist clients in improving the capabilities and maturity of their incident response program by identifying appropriate technologies, policies, organizational structures, and relations with third parties
•   Assist clients by incorporating the incident response program into a variety of other operational processes such as security monitoring, vulnerability management, incident management, asset management, compliance, audit, and executive reporting
•   Facilitate communication and coordination between clients, client internal and external counsel, and law enforcement entities
•   When necessary, be able to provide testimony at legal proceedings regarding the outcome of an investigation, and the tools, methodologies, and evidentiary preservation efforts that supported the outcome
•   Identify and clearly articulate (written and verbal) findings to senior management, clients, counsel, and law enforcement
•   Help identify improvement opportunities for assigned clients
•   Supervise and provide engagement management for IT staff working on assigned engagements
Qualifications:
•   Bachelor’s degree in computer science or related field from an accredited college/university
•   5+ years of information security experience and 2+ years of incident response experience
•   Expertise in one of the following and familiarity/experience with the others:
    o   Network forensics (packet analysis, sniffers, examination of suspect ports and services, etc.) and log analysis
        ▪   Host and network IDS/IPS platform experience (Sourcefire/snort, Cisco, TippingPoint, Tripwire, Dragon, OSSEC, McAfee HIPS, Symantec Endpoint Protection, etc.)
    o   Malware analysis (file, memory, behavioral) on Windows and Linux systems; experience with mobile devices would be of great benefit
        ▪   Understanding of programming languages, assembly, debuggers/compilers/disassemblers to analyze suspect code and bypass obfuscation
        ▪   Malware monitoring experience (any SIEM, Mandiant Intelligent Response, NetWitness, Damballa, FireEye, etc.)
        ▪   System, file, and memory analysis tools experience (sysinternals suite, foundstone suite, hex editors, VMware, sandboxing, etc.)
    o   System forensics and investigations
        ▪   Demonstrate a clear understanding of digital rules of evidence including acquiring forensically sound images, maintaining chain of custody, and the privacy aspects of performing investigations on employee systems
        ▪   Forensic tool suites experience (EnCase, Autopsy, FTK, etc.)
•   Ability to create and maintain relationships with a variety of security teams such as monitoring, fraud, employee investigations, privacy, vulnerability management, and operations
•   Experience in developing remediation activities and countermeasures for a variety of incident types
•   In-depth knowledge of the incident response and investigation provisions of a variety of regulations and standards such as PCI, NERC/CIP, SOX, HIPAA/HITECH, FFIEC, EU Privacy Laws, ISO, COBIT, NIST SP800-92, NIST SP800-94, NIST SP800-53
•   Familiarity with the structure, roles, and responsibilities of incident response teams
•   System configuration and security experience with a variety of devices (HP-UX, Linux, Solaris, AIX, firewalls, routers, switches, databases, Active Directory, LDAP, etc.)
•   Two or more years of scripting experience with Perl, Python, or Bash
•   One or more of the following technical certifications preferred: Certified Ethical Hacker (CEH); GIAC Certified Enterprise Defender (GCED); GIAC Certified Incident Handler (GCIH); GIAC Certified Incident Analyst (GCIA); GIAC Certified Forensic Analyst (GCFA); GIAC Reverse Engineering Malware (GREM); Certified Forensic Computer Examiner (CFCE); or equivalent vendor-specific certifications (e.g. EnCE)
•   In addition, one or more of the following governance certifications is preferred: Certified Information Systems Security Professional® (CISSP®); Certified Information Systems Auditor® (CISA®); Certified Information Security Manager® (CISM®)
•   Track record with published content / research work in the information security field
•   Strong leadership and communication skills, technical knowledge, and the ability to write at a "publication" quality level in order to communicate findings and recommendations to the client’s senior management team
44  Resources / Looking To Hire / Security Monitoring Specialist (SIEM, Logging, Event Management) on: March 17, 2011, 08:00:13 PM
Large consulting firm looking to fill a variety of security positions.  Slots open in most major cities, but prefer NY, Short Hills, Philly, Tyson's Corner, Atlanta, Chicago, Detroit, Houston, Seattle, and San Francisco/Silicon Valley.  The job postings will reflect experienced hires, but I am more than willing to talk to junior folks that have the skills to hit the ground running.


Security Monitoring Specialist
Responsibilities:
•   Design of security monitoring solutions such as SIEM, IDS/IPS, Database Activity Monitoring (DAM), firewalls, network and host based malware/AV, and log collection/aggregation within environments of various size and composition
•   Perform requirements gathering, current state assessments,  design, implementation, and testing of monitoring solutions that meet a variety of regulatory needs such as PCI, SOX, FFIEC, FISMA, HIPAA/HITECH, and NERC/CIP
•   Assist clients in improving the capabilities and maturity of their monitoring program by identifying appropriate technologies, policies, organizational structures, and relations with third parties
•   Be able to create custom monitoring rules for a variety of detection platforms, and custom correlation rules for SIEM platforms
•   Assist clients by incorporating security monitoring capabilities into a variety of other operational processes such as incident response, vulnerability management, incident management, asset management, compliance, audit, and executive reporting
•   Guide clients through monitoring tool vendor selections including drafting Requests for Proposal (RFP), assessing vendor responses, and constructing/executing a proof of concept
•   Identify and clearly articulate (written and verbal) findings to senior management and clients
•   Help identify improvement opportunities for assigned clients
•   Supervise and provide engagement management for IT staff working on assigned engagements
Qualifications:
•   Bachelor’s degree in computer science or related field from an accredited college/university
•   5+ years of information security experience and 2+ years of security monitoring experience
•   Demonstrate a clear understanding of typical security monitoring metrics/KPIs, executive reporting, and audit/compliance reporting
•   Strong ability to tune monitoring solutions for generation of appropriate alerts, and experience in coordinating/participating with incident response and investigative teams through incident resolution
•   Experience in arranging relationships and SLAs with Managed Security Services Providers (MSSPs) and the ability to construct/operate shared monitoring relationships involving internal client SIEMs and external MSSPs
•   In-depth knowledge of the monitoring and logging provisions of a variety of regulations and standards such as PCI, NERC/CIP, SOX, HIPAA/HITECH, FFIEC, EU Privacy Laws, ISO, COBIT, NIST SP800-92, NIST SP800-94, NIST SP800-53
•   Technical background in networking including in-depth knowledge of TCP/IP and common communication services/protocols used to transport and manage logs
•   Familiarity with the structure, roles, and responsibilities of monitoring teams with a focus on both distributed/shared models as well as traditional SOCs
•   System Configuration and experience necessary to integrate a wide variety of devices into consolidated monitoring solutions (HP-UX, Linux, Solaris, AIX, firewalls, routers, switches, databases, Active Directory, LDAP, etc.)
•   Two or more years of scripting/programming experience with Perl, Python, VB, or Bash
•   SIEM platform experience (Arcsight, enVision, Nitro, netForensics, QRadar, etc.)
•   Database monitoring platform experience (native DB logging/auditing, AppSec dbprotect, Guardium, Imperva, etc.)
•   Host and network IDS/IPS platform experience (Sourcefire/snort, Cisco, TippingPoint, Tripwire, Dragon, OSSEC, McAfee HIPS, Symantec Endpoint Protection, etc)
•   One or more of the following technical certifications preferred: Certified Ethical Hacker (CEH); GIAC Certified Enterprise Defender (GCED); GIAC Certified Incident Handler or Analyst (GCIH or GCIA); or equivalent vendor-specific certifications (Arcsight, RSA, etc.)
•   In addition, one or more of the following governance certifications is preferred: Certified Information Systems Security Professional® (CISSP®); Certified Information Systems Auditor® (CISA®); Certified Information Security Manager® (CISM®)
•   Track record with published content / research work in the information security field
•   Strong leadership and communication skills, technical knowledge, and the ability to write at a "publication" quality level in order to communicate findings and recommendations to the client’s senior management team
45  Resources / Looking To Hire / Security Tester (Host/Network Penetration Testing & Vulnerability Assessments) on: March 17, 2011, 07:58:33 PM
Large consulting firm looking to fill a variety of security positions.  Slots open in most major cities, but prefer NY, Short Hills, Philly, Tyson's Corner, Atlanta, Chicago, Detroit, Houston, Seattle, and San Francisco/Silicon Valley.  The job postings will reflect experienced hires, but I am more than willing to talk to junior folks that have the skills to hit the ground running.


Security Tester
Responsibilities:
•   Perform analysis and testing to verify the strengths and weaknesses of a variety of operating systems, network devices, web applications, and security architectures
•   Perform penetration testing (blackbox/whitebox testing) and network architecture reviews (manual/automated)
•   Assist with the development of remediation services for identified findings
•   Identify and clearly articulate (written and verbal) findings to senior management and clients
•   Help identify improvement opportunities for assigned clients
•   Supervise and provide engagement management for IT staff working on assigned engagements
Qualifications:
•   Bachelor’s degree in computer science or related field from an accredited college/university
•   Technical background in networking/system administration, security testing or related fields
•   In-depth knowledge of TCP/IP
•   Two or more years of Perl, Python, or C experience
•   Operating System Configuration and Security experience (HP-UX, Linux, Solaris, AIX, etc.)
•   Configuration and Security experience with firewalls, switches, routers, VPNs
•   Database Configuration and Security experience (MySQL, Microsoft SQL, IBM DB2, Sybase, Oracle, etc.)
•   Experience with security and architecture testing and development frameworks, such as the Open Source Security Testing Methodology Manual (OSSTMM), Information Systems Security Assessment Framework (ISSAF), and NIST SP800-115
•   Familiar with security testing techniques such as network discovery, port and service identification, vulnerability scanning, network sniffing, penetration testing, configuration reviews, firewall rule reviews, social engineering, wireless penetration testing, fuzzing, and password cracking and can perform these techniques from a variety of adversarial perspectives (white-, grey-, black-box)
•   Experience with discovering, utilizing, and possibly writing exploits for vulnerabilities such as buffer and stack overflows
•   Familiar with the logistics of security testing such as acquiring authorization for testing, reporting, risk analysis of findings, data handling, and legal considerations
•   In-depth knowledge of the security and privacy provisions of a variety of regulations and standards such as PCI, NERC/CIP, SOX, HIPAA/HITECH, FFIEC, EU Privacy Laws, ISO, and COBIT
•   Commercial Application Security tools experience (Qualys, Retina, nCircle, Acunetix, etc.)
•   Open source and free tools experience (Nessus, Metasploit, nmap, airsnort, Wireshark, etc.)
•   One or more of the following testing certifications: Certified Ethical Hacker (CEH); GIAC Certified Penetration Tester (GPEN); Offensive Security Certified Professional (OSCP); or equivalent development or testing certification (ECSA, CEPT, CPTE, CPTS, etc.)
•   In addition, one or more of the following governance certifications is preferred: Certified Information Systems Security Professional® (CISSP®); Certified Information Systems Auditor® (CISA®); Certified Information Security Manager® (CISM®)
•   Track record with published content / research work in the information security field
•   Demonstrated ability to build, maintain, and improve security testing labs, tools, and mobile equipment
•   Strong leadership and communication skills, technical knowledge, and the ability to write at a "publication" quality level in order to communicate findings and recommendations to the client’s senior management team
© 2013 The Ethical Hacker Network