From tehshape at info-pull.com Mon Sep 3 10:37:22 2007
From: tehshape at info-pull.com (Michael Myers)
Date: Mon, 3 Sep 2007 16:37:22 +0200
Subject: [Dailydave] Information security certifications diversity and getting lost
Message-ID: <3fd1bcc10709030737q520168aoea080bde0dfc88fe@mail.gmail.com>

The CISSP is the undisputed king of information security certifications. Currently, every now and then a security company starts pushing their employees towards certification programs. These are usually known for featuring insanely long exams, absurdly pedantic requirements and other kinds of doubtfully respectable necessities.

We all know that there are several other certifications, but CISSP brings, without doubt, the very best. Be it a security operations manager, a field operative or some other kind of consulting freak, a CISSP will always deliver.

The problem is that we end up with such a diverse, heterogeneous (no sexual connotations here) span of certifications that newcomers really don't know where to start. Thus, most people approaching a prospective career in the information security industry feel prompted to attempt the long way: getting every certification possible. This is causing disruption by several means, for example with overly intrusive e-mail signatures (not counting the pointless confidentiality disclaimer that plagues us all), wasting quite some expensive network traffic, as well as pine stack-based buffer overruns.

My question for people out there is: is this madness _that_ necessary? Do we have a good reason for spending loads of budget on certification programs and wasting our companies' money in such investments? Employees feel constrained since they might lose the certification after quitting their jobs, surfing towards another employer as intrusive and wasteful as the previous one, etc.

Last but not least, we have the eternal problem of evaluation authorities: How are we supposed to trust a closed organization to evaluate our hard-working employees? Are they skilled enough to determine if our employee is worth his job? Are the operational needs equal to the knowledge that these certifications require? Does a potential attacker need to know what ISO standard describes security guidelines for processing credit card operations?

Joseph shouts in the background: "Hey, they just need to know how banks use DES for generating CVV numbers!". I shouldn't hear these details or I will end up distrusting my edgy colleagues. But I'm pretty sure the CISSP exam doesn't have such a question. Imagine:

"Where does the CVV of credit cards come from?"
a) The bank.
b) ISO-6667, XYZ-2000, PCI compliant security organization.
c) A DES generation system on a card-series basis, using a key for each bank branch, which once compromised leaves the poor taxpayers open to global fraud and spoliation of their monetary assets, covered by insurance companies who boost these crimes for more profit.

Paraphrasing the Christian community, instead of Jesus: What would a CISSP do?

If certifications exist for ethical hackers, are we going to see certifications for unethical hackers anytime soon? What if the mob and shady underground organizations needed to certify that they are employing the very best of the federal prison's Module 5? Will a Certified Unethical Software Security Expert (CUSSE) certification ever exist? "My name is Lincoln Six Echo, Certified Information Insecurity Systems Professional".

Apparently a company already tried to start such a venture, although it appears to be off-line, probably hacked by Islamic Jihad crackers:
http://64.233.183.104/search?q=cache:fItEgjbgRZQJ:cusse.org/+cusse.org
http://www.cusse.org

Regards,
--
Michael Myers - CISSP, CISA, HIV, GCIA, GSEC
Chief Security Officer (CSO) - Info-pull.com Inc.
"Serious business since the night I came home."
+1 (305) 374-8431 - Haddonfield, Illinois (USA).
From andreg at gmail.com Mon Sep 3 22:40:26 2007
From: andreg at gmail.com (Andre Gironda)
Date: Mon, 3 Sep 2007 21:40:26 -0500
Subject: [Dailydave] Information security certifications diversity and getting lost
In-Reply-To: <3fd1bcc10709030737q520168aoea080bde0dfc88fe@mail.gmail.com>
References: <3fd1bcc10709030737q520168aoea080bde0dfc88fe@mail.gmail.com>
Message-ID: <2fd9390e0709031940x5353e26ao718412331d0a95b2@mail.gmail.com>

On 9/3/07, Michael Myers wrote:
> The CISSP is the undisputed king of information security certifications.

Two reasons why:
1) The CBK (compare Business Analyst to Security Analyst)
2) The ethical sign-off

> Currently, every now and then a security company starts pushing their employees towards certification programs. These are usually known for featuring insanely long exams, absurdly pedantic requirements and other kinds of doubtfully respectable necessities.

Instructional capital around a particular technology or sub-set in order to denote specialization within a field. Microsoft, Oracle, and Cisco have their equivalents. These are meant to show domination in those areas of technology by making "learning easy" by providing a path to supposed excellence.

> We all know that there are several other certifications, but CISSP brings, without doubt, the very best. Be it a security operations manager, a field operative or some other kind of consulting freak, a CISSP will always deliver.

http://en.wikipedia.org/wiki/Business_Analyst

> The problem is that we end with such a diverse, heterogeneous (no sexual connotations here), span of certifications that newcomers really don't know where to start.

There are too many security products/solutions. Thus, analyst level knowledge is most important. Start with CISSP. Specialization areas include: pen-testing (OSSTMM), SDLC/code review (OWASP), auditing/compliance (CISA), and incident response (FIRST).

Important areas such as vulnerability management, network security, and process improvement are currently wrapped up under compliance because they are all well-known. Eventually everything will be under the compliance umbrella. Everything else is too narrow, and quickly becomes "spoon-fed" information. Nobody needs a firewall (quick thoughts of Cisco PIX/ASA, CP on Nokia, Netscreen) - what they need is network level access-control. Can a router or software firewall provide that? Nobody needs NAC - what they need is endpoint security. Can Vista and SSL provide that?

> My question for people out there, is this madness _that_ necessary? Do we have a good reason for spending loads of budget on certification programs and wasting our companies' money in such investments?

Investments in individual capital (talent) that can build instructional capital (training) provide a better investment, especially over time. Instructional capital is cheapest when done in-house (Lunch 'n Learn). It is next most cheaply done at local, free events (OWASP, CitySec, 2600) or cheap local events (ISSA). Vendors sometimes offer local events on the cheap or free (Secure Software Forum from SPI). The next comes with the yearly local (or regional) conferences, specifically the cheap forty to eighty dollar ones (ToorCon).

I think some certifications are great. One person at my local CitySec recently mentioned a reluctance to get CISSP because it was a lot to spend in one lump. Cheap certs are always possible - CCNA, MCSA, and ITSM being my top favorites (all under 150 dollars), and then possibly CWNA, Oracle, various Linux/Sun, and other Microsoft and Cisco specializations. Some certs are priced somewhere in between the basic level and CISSP such as SANS, Security+, CEH, and the ones that promise "hacker" level skills. I encourage you to not waste your time on these. BTW - training classes for certs are a complete waste of money... at least last I checked.

If your company seeks higher levels of expertise and has the money... go with the NSA IAM / IEM classes/certs. Again, these certs provide analyst skills like CISSP, CISA, CISM, etc.

Lastly, there are forms of learning left completely unmentioned such as "books". Every serious company will pay for their employees to have SafariBooksOnline Library access, full ACM (including Books24x7 access), Audible.com and an iPod, and a group spending account on Amazon or Bookpool. Want to measure something effective out of this spending? Lunch 'n Learns based on book reports.

> If certifications exist for ethical hackers, are we going to see certifications for unethical hackers anytime soon?

ImmunitySec has classes for such. I suppose a good certification measure for unethical hackers would be something akin to: "wrote Metasploit module x. Here is a sample" or "I was responsible for Code Red".

It appears that the online organized crime recruitment methods follow the old Andersen Consulting logic of "hire top 5% of ivy league right out of school". Why? Because they make good analysts! They have the money to pull these sorts of stunts off. Then they leverage these individuals to create instructional capital in the very same ways that I described above.

Cheers,
Andre

From lists at bughunter.ca Mon Sep 3 23:26:03 2007
From: lists at bughunter.ca (J.M. Seitz)
Date: Mon, 3 Sep 2007 20:26:03 -0700
Subject: [Dailydave] Information security certifications diversity and getting lost
In-Reply-To: <3fd1bcc10709030737q520168aoea080bde0dfc88fe@mail.gmail.com>
Message-ID: <001801c7eea3$52efb6b0$6207a8c0@jseitz>

Hey Mike,

> The CISSP is the undisputed king of information security certifications. Currently, every now and then a security company starts pushing their employees towards certification programs. These are usually known for featuring insanely long exams, absurdly pedantic requirements and other kinds of doubtfully respectable necessities.
I wouldn't say it's the king, I would say it has some very broad objectives, but is more so a Security+ on steroids. When the CISSP got traction, you have to look at the timing of the certification, and the fact that the only other certification that would get you a high paying job was a CCIE, and the CCIE is a nasty cert to get, to say the least. SANS has put out some incredibly strong programs that can range from technical (GCIH/GCFA/GREM) to CISSP-like certifications.

> We all know that there are several other certifications, but CISSP brings, without doubt, the very best. Be it a security operations manager, a field operative or some other kind of consulting freak, a CISSP will always deliver.

I still disagree, and to be honest, I have interviewed more CISSPs that couldn't answer questions like "What does PKI stand for?", "Give me an analogy of a buffer overflow.", "What is transparent proxying and why is it important in some circumstances?". Come on, certs are as good as the people who take them, I again disagree.

> My question for people out there, is this madness _that_ necessary? Do we have a good reason for spending loads of budget on certification programs and wasting our companies' money in such investments?

Yep, again it's a baseline, one for HR. The people to watch out for are the ones who go the extra mile; someone who has a GCIH most definitely doesn't make me giggle with glee, but someone who has a GCIH Gold I look forward to meeting with, and definitely love to engage on their research topic. It's worth a company's time and money to do it: (a) employees are more loyal to companies that give, (b) you'd be amazed at how often you will apply things straight from a certification.

> Employees feel constrained since they might lose the certification after quitting their jobs, surfing towards another employer as intrusive and wasteful as the previous one, etc.

Not sure how you would lose a certification if you left your job? Once you write the exam, it's yours, not your company's.

> If certifications exist for ethical hackers, are we going to see certifications for unethical hackers anytime soon? What if the mob and shady underground organizations needed to certify that they are employing the very best of the federal prison's Module 5? Will a Certified Unethical Software Security Expert (CUSSE) certification ever exist? "My name is Lincoln Six Echo, Certified Information Insecurity Systems Professional".

http://blog.wired.com/27bstroke6/2007/08/a-look-inside-a.html

There ya go :) I bet one or two unscrupulous people are "black-belts" :)

In the end, certifications are good, but the reality is that they are only good if you are looking for work, and you get what you put into them. You want to get noticed in the security world? Build a tool, join and help people on forums, help Sourcefire write signatures (they need it), contact George Theall at Tenable and ask if you can help write NASL plugins, help the OSVDB with mangling. These are all things that will help round out a newcomer, and add to the list of things that can benefit you when it's time to go job hunting. Now, if you _really_ want to get noticed, tackle the tough problems, write books, and try to talk at Black Hat, etc.

Coming from an unknown security guy, low profile, I am still in the phase of doing all of these things. As such I have a Sec+ and a GCIH (which I am wrapping up my research paper on), and I can honestly say I do use some of it in my day-to-day. You don't see these acronyms on my email signature but that's because I am not looking for work :)

JS

From dave at immunityinc.com Tue Sep 4 16:24:49 2007
From: dave at immunityinc.com (Dave Aitel)
Date: Tue, 04 Sep 2007 16:24:49 -0400
Subject: [Dailydave] The IPO of the 0day
Message-ID: <46DDBF11.5080401@immunityinc.com>

Justine (Immunity's CEO) is talking twice this week - so if you missed it in Singapore then this would be a great chance to catch her and ask her questions about it.

-dave

1. OWASP in NYC Thursday - NYNJMetro (17:30 / 21:00)
 - "Financial Real-Time Threats: Impacting Trading Floor Operations"
 - "JBroFuzz: Effective Fuzzing for Network and Web Applications", Dr. Yiannis Pavlosoglou, Information Risk Management
 - "Stock fluctuation from an unrecognized influence", Justine Bone-Aitel, Immunity Security
 - "Hackers...BotNets oh My! Obtain a briefing on the current BotNet investigations etc.", NYC FBI Cyber Crime Unit
 - "Why today's vulnerability assessments are failing and a case for industry standardization"
 - "Blackhat/Defcon", Tom Brennan (President OWASP NY/NJ Metro)
 - Panel: "Global Security Week - What is the current state of Privacy on Web Application Security? What should we be focusing on?"

2. Friday in Orlando ISSA at CISO Executive Forum at 1pm.

From kiwicon at kiwicon.org Wed Sep 5 11:23:02 2007
From: kiwicon at kiwicon.org (Kiwicon)
Date: Thu, 06 Sep 2007 03:23:02 +1200
Subject: [Dailydave] Attention Kiwis & [Sheep, Hobbit, Beer] Fanciers: KiwiCON 2k7
Message-ID: <46DEC9D6.6010206@kiwicon.org>

Hi InfoSec Industry Whores! :)

Preparations for New Zealand's first community-run security con - KiwiCON 2k7 - are well under way. KiwiCON is scheduled for 17-18th November in Wellington, New Zealand, NZ$50 at the door, or NZ$30 for students, the unemployed, or the derelict. As the CFP says, the cost in dignity for the weekend may be higher.

The CFP has been out for a month, and we've already announced the first round of great speakers. There's some well known Kiwis like Brett Moore (his first outing under his new InsomniaSec banner!) and Paul Craig, but because we have no budget for fancy-schmancy international-con-circuit types, you'll get to see some new faces too. The CFP close-off date is 1st October, so there's still time if you need an excuse to make your employer fly you to the Antipodes for beer.

Full CFP, presentation, event and venue details are available on kiwicon.org, along with an XSS-free online registration form.

As an added bonus, our archivists have scoured their ancient Amiga filesystems to bring you the kiwicon.org Way Way Hack Machine - an archive of SuPeR eLiTe NZ tFiLeZ from the last two decades of the NZ h/p/a scene.

The infosec industry is littered with expat Kiwis - we know who you are! We went round to your mum's place, and she says she wishes you'd come home to see her more often. You can get some home-made tucker AND drink beer with Kiwi hackers! What more incentive could you need to make the trip home? Pavlova? Vegemite? Views like the top of kiwicon.org[1]?

To our sheep-shagging Australian cousins: you've got no Ruxcon this year! We've spent the last 4 years coming to your damn island for Rux, now it's your turn to come here.

KiwiCON: More Kiwi Than Other Cons.

See you there!

--
The KiwiCON Team

[1] Yes, the banner at the top of Kiwicon.org is the sunset from one of the organiser's houses, out over the hills in Wellington.
From h1kari at toorcon.org Wed Sep 5 14:56:33 2007
From: h1kari at toorcon.org (David Hulton)
Date: Wed, 5 Sep 2007 11:56:33 -0700
Subject: [Dailydave] ToorCon 9 CFP Closing & Pre-Registration Increasing
Message-ID: <1ccfd6300709051156p5930d8f0g22749093b9d7f76c@mail.gmail.com>

Hey guys,

Just wanted to let you know that ToorCon's CFP is going to be closing and pre-registration will be increasing on September 9th.

We've got our CFP located here:
http://toorcon.org/2007/cfp.php

And our registration located here:
http://toorcon.org/2007/registration.php

Thanks,
-David

From secadmin at netsecdesign.com Wed Sep 5 23:43:14 2007
From: secadmin at netsecdesign.com (Security Admin (NetSec))
Date: Wed, 5 Sep 2007 20:43:14 -0700
Subject: [Dailydave] Information security certifications diversity and getting lost
In-Reply-To: <001801c7eea3$52efb6b0$6207a8c0@jseitz>
References: <3fd1bcc10709030737q520168aoea080bde0dfc88fe@mail.gmail.com> <001801c7eea3$52efb6b0$6207a8c0@jseitz>
Message-ID: <8D870AB38C30EC4C848A11A3F83D20D80645477EA0@exchange2007.mmicmanhomenet.local>

From someone who has a CISSP, GCIA Gold, GCIH Gold, MCSE+Security and is about to pass (hopefully) the CCIE Security lab exam, some perspective:

CISSP: multiple choice parade which gives minimal indication of security professional proficiency. It is the gold standard these days, like it or not.

CCIE Security: Bitch to get, but all it teaches is how to program Cisco devices, which given a choice we would all prefer something else. Memorizing how to do DMVPNs or security contexts in ASA Firewalls only means you can memorize Cisco commands when asked. I for one usually grab a reference book like "The Complete Cisco VPN Configuration Guide" or the Cisco docs when trying to configure Cisco security devices, or I assign some underling to do it. The written part is actually better at gauging security knowledge than the lab exam.

GCIA Gold, GCIH Gold: By far the best certs to learn from IMHO. Requires writing skills as well as a knowledge of security. If you cannot communicate your ideas effectively, then you are useless.

MCSE+Security: more multiple choice exercises.

My $0.02 (~0.01 euros)

Edward Ray

From no-reply at ekoparty.com.ar Fri Sep 7 09:55:34 2007
From: no-reply at ekoparty.com.ar (ekoparty)
Date: Fri, 7 Sep 2007 10:55:34 -0300
Subject: [Dailydave] ekoparty 3rd edition CFP
Message-ID: <004901c7f156$c32f7fe0$9b00010a@BYFXA011461>

CALL FOR PAPERS
ekoparty 3rd edition - www.ekoparty.com.ar
Information Security/Insecurity Conference.
November 30th (Friday)/December 1st (Saturday), 2007
Argentina - Buenos Aires - Capital Federal - Bauen Hotel

Ekoparty 3rd edition is recruiting everyone who is interested in showing their research and/or developments in the field of Information Security/Insecurity in order to be shown at the third edition of this event. Ekoparty will take place during Friday (November 30th) and Saturday (December 1st) 2007 in the amphitheatre of Bauen Hotel - 360 Callao Av. - Capital Federal - Buenos Aires - Argentina.

The author of every selected speech will be able to attend as event speaker. In case the speech should be delivered by several speakers, only 3 speakers will be allowed.

Where to send speeches*
Speeches shall be sent as attached file to the following email: charlas at ekoparty.com.ar. Speeches will be received until November 10th inclusive.

How to send speeches*
The following data shall be included in the proposal:
* Title
* Author(s): First and Last name, short personal description, domicile, association, organization, or company they belong to if applicable.
* Estimated delivery time: Speeches usually last 45 minutes. In case of needing more or less time it is going to be evaluated in the pre-selection stage.
* Short description of the speech: One or two paragraphs explaining -not so briefly- delivery content.
* Target speech level: To classify as: newbie (rookie)/intermediate/advanced/expert.
* Required skills: Specify required skills of attendants.
* Topic: General topic to which the speech belongs (Network Security, Forensic, Secure Programming, 0day attacks, Wireless Security, etc).
* Author(s)' phone number.
* Author(s)' home address.

Deliverers' expenses*
The expenses of deliverers (passage tickets, transfers, lodgings) of those who are out of Capital Federal will be charged to ekoparty.

From halvar at gmx.de Fri Sep 7 12:32:37 2007
From: halvar at gmx.de (Halvar Flake)
Date: Fri, 7 Sep 2007 18:32:37 +0200
Subject: [Dailydave] Craziest Spam
Message-ID: <003c01c7f16c$b45d3dc0$2db2a8c0@D1NQ6Z1J>

Hey all,

I just received what I perceive is the craziest spam ever. I might be unjust (and these things might have merit), but the idea of having ISO certifications for reverse engineering and exploit development cracks me up.

What ARE the relevant standards, procedures and methods of RCE?

The way I view it, RCE/VulnDev are not really standards, procedures, methods based -- in the same manner that math isn't. But I might be wrong. Either way, I find this mail hilarious.

Names have been changed to protect the guilty.
=====================================================================
Visit our new IT security certification programme at http://www.IRRE.org.

The fundamental objective of the IRRE certification programme is to raise qualification as part of business excellence. IRRE certification aims to facilitate iterative-incremental qualification and the dissemination of good practice.

The IRRE certified credential is a key differentiator in the selection process for analyst positions, new assignments of the professional expertise and knowledge within the software security profession! If you plan to build up a career in IT, one of today's most visible professions, and you have at least 2 years of experience in the IT sector, then an IRRE certification should be your next career goal.

(*** SNIP ***)

IRRE Certified Reverse Code Engineering Professional
Based on a famous decoration, the IRRE Certified Reverse Code Engineer provides with a high sophisticated certification trail an ultimate way to show your proven excellence in the field of IT-Security and IT-Anti-Security according to ISO/IEC 17024 to address the many challenges of software protection, malware, or exploitation analysis. Participants get trained with relevant standards, procedures, and methods of Reverse Code Engineering and get trained with high practical background. With certification participants are able to fulfil extensive binary security analysis and binary auditing processes on software systems and software security environments.

(*** SNIP ***)

IRRE Certified Binary Vulnerability Auditor Linux
Normally a single exploit can only take advantage of a specific software vulnerability. Often, when an exploit is published, the vulnerability is fixed through a patch and the exploit becomes obsolete for newer versions of the software. This is the reason why some black hat hackers do not publish their exploits but keep them private to themselves or other malicious crackers. Such exploits are referred to as 'zero day exploits' and to obtain access to such exploits is the primary desire of unskilled malicious attackers, often nicknamed script kiddies. Participants get trained with relevant standards, procedures, and methods of developing exploits and shell codes and get trained with high practical background. With certification participants are able to fulfil extensive binary security analysis and binary auditing processes on software systems and software security environments.
=====================================================================

From info at hack.lu Fri Sep 7 15:30:09 2007
From: info at hack.lu (info at hack.lu)
Date: Fri, 7 Sep 2007 21:30:09 +0200 (CEST)
Subject: [Dailydave] hack.lu 2007 18-20 October, Luxembourg
Message-ID: <20070907193009.A2CEDBF8D98@a.6f2.net>

Dear Information Security Freaks,

This is to announce that the line-up of the speakers and their subjects is finally up in a draft version on hack.lu 2007 (http://www.hack.lu/). Have a look and register as space is limited and prices go up progressively.

We managed again to have speakers from all over the world coming to Luxembourg, the small country in Europe. There is a large diversity of interesting topics covered during the three days of this intimate security conference.

This year we will also have a Capture The Flag contest organized by the Kenshoto group running from the beginning of the conference. If you want to test your skills, it's now or never.

There is also a Hack/Barcamp on the first day where we can have a participatory workshop-event in an open atmosphere with no limits or boundaries on the information security aspects.

We really hope to see you there.

Your hack.lu team

From tqbf at matasano.com Sat Sep 8 13:47:03 2007
From: tqbf at matasano.com (Thomas Ptacek)
Date: Sat, 8 Sep 2007 12:47:03 -0500
Subject: [Dailydave] Craziest Spam
In-Reply-To: <003c01c7f16c$b45d3dc0$2db2a8c0@D1NQ6Z1J>
References: <003c01c7f16c$b45d3dc0$2db2a8c0@D1NQ6Z1J>
Message-ID: <1df0a410709081047h3c99be79mda3119177b372cc4@mail.gmail.com>

It's funny that they segmented out "Reverse Code Engineer" and "Binary Vulnerability Auditor". I also feel like "RCE" is kind of the inside-baseball term for reverse engineering; did someone we all know help them?

On 9/7/07, Halvar Flake wrote:
> Hey all,
>
> I just received what I perceive is the craziest spam ever.
> I might be unjust (and these things might have merit), but the idea of having ISO certifications for reverse engineering and exploit development cracks me up.
>
> What ARE the relevant standards, procedures and methods of RCE ?
>
> The way I view it RCE/VulnDev are not really standards, procedures, methods based -- in the same manner that math isn't. But I might be wrong. Either way, I find this mail hilarious.
>
> Names have been changed to protect the guilty.
> =====================================================================
> Visit our new IT security certification programme at http://www.IRRE.org.
>
> The fundamental objective of the IRRE certification programme is to raise qualification as part of business excellence. IRRE certification aims to facilitate iterative-incremental qualification and the dissemination of good practice.
>
> The IRRE certified credential is a key differentiator in the selection process for analyst positions, new assignments of the professional expertise and knowledge within the software security profession! If you plan to build up a career in IT one of today's most visible professions and you have at least 2 years of experience in the IT sector then an IRRE certification should be your next career goal.
>
> (*** SNIP ***)
>
> IRRE Certified Reverse Code Engineering Professional
> Based on a famous decoration, the IRRE Certified Reverse Code Engineer provides with a high sophisticated certification trail an ultimate way to show your proven excellence in the field of IT-Security and IT-Anti-Security according to ISO/IEC 17024 to address the many challenges of software protection, malware, or exploitation analysis. Participants get trained with relevant standards, procedures, and methods of Reverse Code Engineering and get trained with high practical background. With certification participants are able to fulfil extensive binary security analysis and binary auditing processes on software systems and software security environments.
>
> (*** SNIP ***)
>
> IRRE Certified Binary Vulnerability Auditor Linux
> Normally a single exploit can only take advantage of specific software vulnerability. Often, when an exploit is published, the vulnerability is fixed through a patch and the exploit becomes obsolete for newer versions of the software. This is the reason why some black hat hackers do not publish their exploits but keep them private to themselves or other malicious crackers. Such exploits are referred to as 'zero day exploits' and to obtain access to such exploits is the primary desire of unskilled malicious attackers, often nicknamed script kiddies. Participants get trained with relevant standards, procedures, and methods of developing exploits and shell codes and get trained with high practical background. With certification participants are able to fulfil extensive binary security analysis and binary auditing processes on software systems and software security environments.
>
> =====================================================================
>
> _______________________________________________
> Dailydave mailing list
> Dailydave at lists.immunitysec.com
> http://lists.immunitysec.com/mailman/listinfo/dailydave
>

--
---
Thomas H. Ptacek // matasano security
read us on the web: http://www.matasano.com/log

From jf at danglingpointers.net Sun Sep 9 00:01:51 2007
From: jf at danglingpointers.net (jf)
Date: Sun, 9 Sep 2007 04:01:51 +0000 (UTC)
Subject: [Dailydave] Craziest Spam
In-Reply-To: <1df0a410709081047h3c99be79mda3119177b372cc4@mail.gmail.com>
References: <003c01c7f16c$b45d3dc0$2db2a8c0@D1NQ6Z1J> <1df0a410709081047h3c99be79mda3119177b372cc4@mail.gmail.com>
Message-ID:

you know that rce is not exactly a 'hacker term' or anything of the sort, and is (in my experience) used in more formalized circles to differentiate between people reversing hardware/processors/etc and people reversing software right? i find the idea a little absurd that anyone would need help to use the term, maybe i misunderstood you though.

On Sat, 8 Sep 2007, Thomas Ptacek wrote:

> Date: Sat, 8 Sep 2007 12:47:03 -0500
> From: Thomas Ptacek
> To: Halvar Flake
> Cc: dailydave
> Subject: Re: [Dailydave] Craziest Spam
>
> It's funny that they segmented out "Reverse Code Engineer" and "Binary Vulnerability Auditor". I also feel like "RCE" is kind of the inside-baseball term for reverse engineering; did someone we all know help them?
>
> On 9/7/07, Halvar Flake wrote:
> > Hey all,
> >
> > I just received what I perceive is the craziest spam ever. I might be unjust (and these things might have merit), but the idea of having ISO certifications for reverse engineering and exploit development cracks me up.
> >
> > What ARE the relevant standards, procedures and methods of RCE ?
> >
> > The way I view it RCE/VulnDev are not really standards, procedures, methods based -- in the same manner that math isn't. But I might be wrong. Either way, I find this mail hilarious.
> >
> > Names have been changed to protect the guilty.
> > =====================================================================
> > Visit our new IT security certification programme at http://www.IRRE.org.
> > > > The fundamental objective of the IRRE certification programme is to raise > > qualification as > > part of business excellence. IRRE certification aims to facilitate > > iterative-incremental > > qualification and the dissemination of good practice. > > > > The IRRE certified credential is a key differentiator in the selection > > process for analyst positions, > > new assignments of the professional expertise and knowledge within the > > software security profession! > > If you plan to build up a career in IT one of today's most visible > > professions and you have at > > least 2 years of experience in the IT sector then an IRRE certification > > should be your next career goal. > > > > (*** SNIP ***) > > > > IRRE Certified Reverse Code Engineering Professional > > Based on a famous decoration, the IRRE Certified Reverse Code Engineer > > provides with a high > > sophisticated certification trail an ultimate way to show your proven > > excellence in the field of IT-Security > > and IT-Anti-Security according to ISO/IEC 17024 to address the many > > challenges of software protection, > > malware, or exploitation analysis. Participants get trained with relevant > > standards, procedures, and methods > > of Reverse Code Engineering and get trained with high practical background. > > With certification participants are > > able to fulfil extensive binary security analysis and binary auditing > > processes on software systems and software > > security environments. > > > > (*** SNIP ***) > > > > IRRE Certified Binary Vulnerability Auditor Linux > > Normally a single exploit can only take advantage of specific software > > vulnerability. Often, when an exploit is > > published, the vulnerability is fixed through a patch and the exploit > > becomes obsolete for newer versions of the > > software. This is the reason why some black hat hackers do not publish their > > exploits but keep them private > > to themselves or other malicious crackers. 
> > Such exploits are referred to as
> > 'zero day exploits' and to obtain
> > access to such exploits is the primary desire of unskilled malicious
> > attackers, often nicknamed script kiddies.
> > Participants get trained with relevant standards, procedures, and methods of
> > developing exploits and shell
> > codes and get trained with high practical background. With certification
> > participants are able to fulfil extensive
> > binary security analysis and binary auditing processes on software systems
> > and software security environments.
> >
> > =====================================================================
> >
> > _______________________________________________
> > Dailydave mailing list
> > Dailydave at lists.immunitysec.com
> > http://lists.immunitysec.com/mailman/listinfo/dailydave
> >
>

From dave at immunityinc.com Mon Sep 10 09:46:40 2007
From: dave at immunityinc.com (Dave Aitel)
Date: Mon, 10 Sep 2007 09:46:40 -0400
Subject: [Dailydave] Information security certifications diversity and getting lost
In-Reply-To: <001801c7eea3$52efb6b0$6207a8c0@jseitz>
References: <001801c7eea3$52efb6b0$6207a8c0@jseitz>
Message-ID: <46E54AC0.10603@immunityinc.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

One thing we've been working on here at Immunity is Network Offense Professional certifications. Essentially it would be practical tests that established someone was capable of doing certain actions we should all be able to do.

For example, the first certification was a simple stack overflow against Windows 2000. Testees would exploit it using Immunity Debugger/WinDBG and VisualSploit, which would keep it as technology agnostic as possible. You can either write a simple Win32 overflow or you can't.

We were going to launch it during DefCon, but had a few other things going on. :>

- -dave

J.M. Seitz wrote:
> Hey Mike,
>
>> The CISSP is the undisputed king of information security
>> certifications.
>> Currently, every now and then a security company
>> starts pushing their employees towards certification programs.
>> These are usually known for featuring insanely long exams,
>> absurdly pedantic requirements and other kinds of doubtfully
>> respectable necessities.
>
> I wouldn't say it's the king, I would say it has some very broad
> objectives, but is more so a Security+ on steroids. When the CISSP
> got traction, you have to look at the timing of the certification,
> and the fact that the only other certification that would get you a
> high paying job was a CCIE, and the CCIE is a nasty cert to get to
> say the least. SANS has put out some incredibly strong programs
> that can range from technical (GCIH/GCFA/GREM) to CISSP-like
> certifications.
>
>
>> We all know that there are several other certifications, but
>> CISSP brings, without doubt, the very best. Be it a security
>> operations manager, a field operative or some other kind of
>> consulting freak, a CISSP will always deliver.
>
> I still disagree, and to be honest, I have interviewed more CISSPs
> that couldn't answer questions like "What does PKI stand for?",
> "Give me an analogy of a buffer overflow.", "What is transparent
> proxying and why is it important in some circumstances?". Come on,
> certs are as good as the people who take them, I again disagree.
>
>
>> My question for people out there, is this madness _that_
>> necessary? Do we have a good reason for spending loads of budget
>> on certification programs and wasting our companies' money in
>> such investments?
>
> Yep, again it's a baseline, one for HR. The people to watch out for
> are the ones who go the extra mile, someone who has a GCIH most
> definitely doesn't make me giggle with glee, but someone who has a
> GCIH Gold I look forward to meeting with, and definitely love to
> engage on their research topic.
> It's worth a company's time and
> money to do it (a) employees are more loyal to companies that give
> (b) you'd be amazed at how often you will apply things straight
> from a certification.
>
>> Employees feel constrained since they might lose the
>> certification after quitting their jobs, surfing towards another
>> employer as intrusive and wasteful as the previous one, etc.
>
> Not sure how you would lose a certification if you left your job?
> Once you write the exam, it's yours not your company's.
>
>> If certifications exist for ethical hackers, are we going to see
>> certifications for unethical hackers anytime soon? What if the
>> mob and shady underground organizations needed to certify that
>> they are employing the very best of the federal prison's Module
>> 5? Will a Certified Unethical Software Security Expert (CUSSE)
>> certification ever exist? "My name is Lincoln Six Echo, Certified
>> Information Insecurity Systems Professional".
>
> http://blog.wired.com/27bstroke6/2007/08/a-look-inside-a.html
>
> There ya go :) I bet one or two unscrupulous people are
> "black-belts" :)
>
> In the end, certifications are good, but the reality is that they
> are only good if you are looking for work, and you get what you put
> into them. You want to get noticed in the security world? Build a
> tool, join and help people on forums, help Sourcefire write
> signatures (they need it), contact George Theall at Tenable and ask
> if you can help write NASL plugins, help the OSVDB with mangling.
> These are all things that will help round out a newcomer, and add
> it to the list of things that can benefit you when it's time to go
> job hunting. Now, if you _really_ want to get noticed, tackle the
> tough problems, write books, and try to talk at Black Hat, etc.
>
> Coming from an unknown security guy, low profile, I am still in the
> phase of doing all of these things.
> As such I have a Sec+ and a
> GCIH (which I am wrapping up my research paper on), and I can
> honestly say I do use some of it in my day-to-day. You don't see
> these acronyms on my email signature but that's because I am not
> looking for work :)
>
> JS
>

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFG5Uq/B8JNm+PA+iURAl+CAKDAkJkhJvSNf+lIAtF55A6IotizfgCgtZiP
od5Gzue0h/Q6P4MTq5E7/pM=
=VXSu
-----END PGP SIGNATURE-----

From tqbf at matasano.com Mon Sep 10 13:25:36 2007
From: tqbf at matasano.com (Thomas Ptacek)
Date: Mon, 10 Sep 2007 12:25:36 -0500
Subject: [Dailydave] Information security certifications diversity and getting lost
In-Reply-To: <46E54AC0.10603@immunityinc.com>
References: <001801c7eea3$52efb6b0$6207a8c0@jseitz> <46E54AC0.10603@immunityinc.com>
Message-ID: <1df0a410709101025v77284da1v606944e06fa9b43@mail.gmail.com>

How do you plan on solving the problems the CISSP has?

1. People will "teach to the test".

2. Certs get stale fast.

3. Cert businesses are high-overhead, but the IP for a cert is hard to protect (if your cert is going to be fair and meaningful).

--
---
Thomas H. Ptacek // matasano security
read us on the web: http://www.matasano.com/log

From James.R.Lindley at irs.gov Mon Sep 10 13:27:51 2007
From: James.R.Lindley at irs.gov (Lindley James R)
Date: Mon, 10 Sep 2007 13:27:51 -0400
Subject: [Dailydave] Information security certifications diversity
In-Reply-To: <46E54AC0.10603@immunityinc.com>
References: <001801c7eea3$52efb6b0$6207a8c0@jseitz> <46E54AC0.10603@immunityinc.com>
Message-ID: <64CB1CAFF7F54943AC711BFA52C54B770242E1C8@NCT0010CP3MB01.ds.irsnet.gov>
From dweston at fgm.com Mon Sep 10 14:54:43 2007
From: dweston at fgm.com (Weston, David)
Date: Mon, 10 Sep 2007 14:54:43 -0400
Subject: [Dailydave] Information security certifications diversity and getting lost
References: <001801c7eea3$52efb6b0$6207a8c0@jseitz> <46E54AC0.10603@immunityinc.com>

Dave,

That sounds like a really interesting idea but wouldn't win xp sp2 be more realistic? I would want someone at the basic level to at least understand trampolines as jmping straight to the stack would work on your test but is unrealistic in the real world.

Thanks,

David Weston
FGM, Inc

From dave at immunityinc.com Mon Sep 10 15:33:06 2007
From: dave at immunityinc.com (Dave Aitel)
Date: Mon, 10 Sep 2007 15:33:06 -0400
Subject: [Dailydave] Information security certifications diversity and getting lost
In-Reply-To: <1df0a410709101025v77284da1v606944e06fa9b43@mail.gmail.com>
References: <001801c7eea3$52efb6b0$6207a8c0@jseitz> <46E54AC0.10603@immunityinc.com> <1df0a410709101025v77284da1v606944e06fa9b43@mail.gmail.com>
Message-ID: <46E59BF2.4040604@immunityinc.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Thomas Ptacek wrote:
> How do you plan on solving the problems the CISSP has?
>
> 1. People will "teach to the test".
>
> 2. Certs get stale fast.
>
> 3. Cert businesses are high-overhead, but the IP for a cert is hard
> to protect (if your cert is going to be fair and meaningful).
>

I would say the problem with the CISSP is "irrelevance" but that's just me. We passed out "Not a CISSP" buttons at DefCon and they were a big hit. To get one you had to not have CISSP on your business card though. :>

For practicals like "write me this buffer overflow", it's much harder to "teach to the test" while avoiding imparting useful knowledge.
We keep people from rote memorization of the VisualSploit picture by having the executable be randomized for each test taker.

"""
Dave,

That sounds like a really interesting idea but wouldn't win xp sp2 be more realistic? I would want someone at the basic level to at least understand trampolines as jmping straight to the stack would work on your test but is unrealistic in the real world.

Thanks,

David Weston
FGM, Inc
"""

Jumping straight to the stack would not work on our test as the stack would be at a semi-random address each time, depending on thread initialization.

- -dave

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFG5ZvxtehAhL0gheoRAsD1AJ9vIZDQ837MBJIHl0V6cEvFE6EBHgCfZ6LT
3Msnqp7c5jPkIuAna0P1SO0=
=4C2T
-----END PGP SIGNATURE-----

From kristian.hermansen at gmail.com Mon Sep 10 16:12:01 2007
From: kristian.hermansen at gmail.com (Kristian Erik Hermansen)
Date: Mon, 10 Sep 2007 16:12:01 -0400
Subject: [Dailydave] Information security certifications diversity and getting lost

On 9/10/07, "Thomas Ptacek" wrote:
> How do you plan on solving the problems the CISSP has?
>
> 1. People will "teach to the test".

That is always the case with any test/certification. Sometimes people don't really care about the topics, just about the financial reward it is presumed to bring them by having the cert. All certs are meant to establish a baseline. If someone has a CISSP, you at least know that they took the time to read about the topics and pass the test successfully. Of course, this doesn't mean that they have any actual experience with security at all. However, it does show that they have the capacity to become somewhat familiar with the material. Think back to that Differential Equations course you took in university ... do you still *really* remember how to apply Laplace transformations correctly and in what context :-)

> 2. Certs get stale fast.

No argument here. Technology is a fast-paced industry...
What I think would be interesting is a certification that is meant to only be passed by 1% or so of security professionals. You make the questions so incredibly dependent on a wide array of knowledge, that only people who have done that sort of stuff before can pass. You could market it as something like the CCIE -- even have an 8-hour hands on lab exam. You set up a physical network with various devices to simulate an actual network, and then judge the testing candidate based on their technique and how far they are able to penetrate the network layers. Do they burn one of their 0days to get in, and how elegant was their hack? Of course, I have no idea how many govs/corps/individuals would actually be willing to pay for something like this, but that is not the point. Leave that to the savvy marketing and business people. Maybe such a certification is not viable...

The Certified Expert Penetration Test certification is a good start and actually forces the candidate to think. In that cert, they threw in something that fooled a lot of people. One of the three stages was a non-standard printf() vulnerability on Linux. In order to exploit it, you needed to have some basic idea of what was going on. People who were just trying standard techniques and then dropping in shellcode would not succeed. Even writing your own, you had to know what you were doing. Another stage was a publicly disclosed stack-based vulnerability in an FTP server for Windows. And the last stage was a very very simple reverse engineering problem. Oh, and the prerequisite to all this was a written examination, which weeds out the people who don't have any clue at all. I took this while in the presence of Jack Koziol, who was proctoring the exam in person while in Washington, DC for the Infosec Institute.

Now, I may know a little bit about security, but I am an amateur in comparison to visionaries like Mr.
Aitel (hi dave!), Solar Designer, Halvar, and some of the real Black Hats who don't give talks at public security conferences :-) Even still, a really difficult hands-on security cert is non-existent...
--
Kristian Erik Hermansen

From phatbuckett at gmail.com Mon Sep 10 17:57:11 2007
From: phatbuckett at gmail.com (Darren Spruell)
Date: Mon, 10 Sep 2007 14:57:11 -0700
Subject: [Dailydave] Information security certifications diversity and getting lost
Message-ID: <839aec700709101457u8b74cdcm31e8fdb5cb093efb@mail.gmail.com>

On 9/10/07, Kristian Erik Hermansen wrote:
> On 9/10/07, "Thomas Ptacek" wrote:
> > How do you plan on solving the problems the CISSP has?
> >
> > 1. People will "teach to the test".
>
> That is always the case with any test/certification. Sometimes people
> don't really care about the topics, just about the financial
> reward it is presumed to bring them by having the cert.

Not always the case; SANS decoupled their educational institute from the GIAC certification group, so the SANS training courses are not simply boot camps to help someone prepare for the GIAC cert. Not that SANS training tracks don't help with preparedness, but they're not a "training for the cert" shop.

DS

From tqbf at matasano.com Mon Sep 10 18:00:59 2007
From: tqbf at matasano.com (Thomas Ptacek)
Date: Mon, 10 Sep 2007 17:00:59 -0500
Subject: [Dailydave] Information security certifications diversity and getting lost
Message-ID: <1df0a410709101500r339a111di6e7af69ae930df9e@mail.gmail.com>

> > How do you plan on solving the problems the CISSP has?
> > 1. People will "teach to the test".
> That is always the case with any test/certification. Sometimes people
...
> > 2. Certs get stale fast.
> No argument here. Technology is a fast-paced industry...
...

You need to ask yourself what the purpose of the cert is, and then ask yourself whether the process for acquiring the cert achieves that purpose.
Most certs are hiring tools. A "top 1% of the industry" cert is not a particularly valuable hiring tool.

If the only goal was to make something genuinely hard, so that passing it was an accomplishment for almost anyone in the industry, this would be an easy problem. We would just poll for everyone's hardest interview questions.

But that's not the goal. The goal is something that will scale and will have business value. So far, everything that has tried to achieve both those goals has either withered on the vine or been corrupted.

--
---
Thomas H. Ptacek // matasano security
read us on the web: http://www.matasano.com/log

From eballen1 at qwest.net Mon Sep 10 18:02:12 2007
From: eballen1 at qwest.net (Bruce Ediger)
Date: Mon, 10 Sep 2007 16:02:12 -0600 (MDT)
Subject: [Dailydave] Information security certifications diversity and getting lost

On Mon, 10 Sep 2007, Kristian Erik Hermansen wrote:

> What I think would be interesting is a certification that is meant to
> only be passed by 1% or so of security professionals. You make the
> questions so incredibly dependent on a wide array of knowledge, that
> only people who have done that sort of stuff before can pass. You

Beware the "Fallacy of the Hard Test":

http://unexpectedtruths.blogspot.com/2007/06/fallacy-of-hard-tests.html

From andreg at gmail.com Mon Sep 10 18:07:07 2007
From: andreg at gmail.com (Andre Gironda)
Date: Mon, 10 Sep 2007 17:07:07 -0500
Subject: [Dailydave] Information security certifications diversity and getting lost
In-Reply-To: <46E59BF2.4040604@immunityinc.com>
References: <001801c7eea3$52efb6b0$6207a8c0@jseitz> <46E54AC0.10603@immunityinc.com> <1df0a410709101025v77284da1v606944e06fa9b43@mail.gmail.com> <46E59BF2.4040604@immunityinc.com>
Message-ID: <2fd9390e0709101507u227ae7dam8120358e5de49171@mail.gmail.com>

On 9/10/07, Dave Aitel wrote:
> We passed out "Not a CISSP" buttons at DefCon and they were a
> big hit.
> To get one you had to not have CISSP on your business card
> though.

Did you have to have a business card to get a button?

What's wrong with CISSP? I read through all 900 possible questions a few times over the years and it doesn't seem that bad. It doesn't make you a security expert in anything, but it allows you to "talk-the-talk" using meaningful definitions.

My biggest gripe with the CISSP is not with the CISSP itself but instead with anyone who would make it a requirement. I have the same gripe with high school or any diploma/degree requirements. Heck, I have the same problem with "years of experience". Interview the people (or accept their RFP response) and ask them the right questions. Hire or no hire.

> I would say the problem with the CISSP is "irrelevance" but that's
> just me.

How is this a response to Tom's very valid questions? How and why is CISSP irrelevant? Please explain.

> Thomas Ptacek wrote:
> > How do you plan on solving the problems the CISSP has?
> >
> > 1. People will "teach to the test".
> > 2. Certs get stale fast.
> > 3. Cert businesses are high-overhead, but the IP for a cert is hard
> > to protect (if your cert is going to be fair and meaningful).

This quickly becomes a catch-22. An organization focused on certification material is attempting to do two things:

1) Teach people how to learn their solutions in a standardized way so that they can be tested in a standardized way
2) Get knowledge of their product out there and available in trade magazines, whitepapers, articles, and even blogs

So, if they hide the information needed to pass a test - they lose the marketing potential of instructional capital. Just look at the marketing potential of the original MCSE and CCNA certs. If they make the information too available, they risk constant restructure of the program to hold any value - this was the failure of the MCSE and CCIE certs.
Cisco internal had too many programs that made it easy for employees to get CCIE, and thus in the first 5 years it became very polluted with these people.

Of the companies that have intellectual property in instructional capital - only a few are currently able to keep their training material and test questions out of reach. They are: Agilent, Altiris, Aruba, Avaya, Brocade, Business Objects, Radware, Riverbed, RSA, SAP, and Siemens. I would add SANS to the list, but I have not done extensive research on GIAC et al. Are there any super secret "SANS Answers" forums or "trading circles" that anybody knows about?

Now consider the above 11 companies. Avaya, in particular, suffers in the instructional capital marketspace. When was the last time you saw a book on "Installing IP Office" at a bookstore? A magazine article on "tips and tricks"? Seen some lines of config explained well in an article or blog post? Went to a free event or conference covering that material? Most of the others fall into this same category. The exceptions are Brocade, Business Objects, and SAP (also Gartner favorites BTW). I'm sure the training material to these does get around, but less so than any other major organization that has IP in training and certification material. Name somebody else and I'll tell you how bad it is.

Some certifications I'm just happy exist, are cheap, and actually do have loads of material available to easily learn the material and pass the test. For example: CWNA and ITSM (ITIL). Others I wish I had access to any information about - OPST, QDSP, or CSTE as great examples of this.
Cheers,
dre

From version5 at gmail.com Mon Sep 10 19:12:38 2007
From: version5 at gmail.com (nnp)
Date: Tue, 11 Sep 2007 00:12:38 +0100
Subject: [Dailydave] Information security certifications diversity andgetting lost
In-Reply-To: <46E54AC0.10603@immunityinc.com>
References: <001801c7eea3$52efb6b0$6207a8c0@jseitz> <46E54AC0.10603@immunityinc.com>
Message-ID: <28749c0e0709101612h28bb9d8aj92b410edf58cb379@mail.gmail.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Sounds like yet another way for a vendor to make money off stupid people to be honest. I mean come on, a certificate saying you can write a stupid Windows 2000 overflow? Who cares? I mean really, who actually cares that you can do something that any donkey with an hour or so of free time, a basic understanding of software architecture and a quick guide from one of several sites can do?

If so-called 'hackers' are so insecure in themselves that they feel they need a certificate to say they can do something that, to be honest, is about the bottom rung of the food chain for anyone serious about it, then they're not the kind of people I'd want to hire anyway. It's like those certificates for things like 'I swam 10 metres'. Great, congratulations, it's good for you and all but you're not exactly on your way to the Olympics.

A cert like this will be popular with 2 kinds of people. The first are those that collect certs because they believe it gives them bragging rights or something. They may have basic competency but put them up against something requiring a bit of creativity and they're stumped (a common trait with the cert-holding elite). The second will be those that don't have the motivation or the ability to learn this stuff on their own and are doing it for either career advancement or because of reasons similar to the first case.

If you're hiring someone for a position that will primarily be an offensive role and you're going to go looking for people with certs as a primary recruiting technique then you might as well give up before you've even started. I would imagine that most of the really good people wouldn't insult themselves by feeling they need a silly piece of paper to say they can do something they could do in their sleep, and if they see that your organisation is recruiting based on this kind of 'achievement' it already reeks of corporate red tape and the very stuff most hackers will want nothing to do with.

Yup... that's my .02 euro.

nnp
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (MingW32)
Comment: http://firegpg.tuxfamily.org

iD8DBQFG5c8WwWIBIgfLjmQRAlodAJ0VGJfrqjmchMZx7lo2NgWwRbZHuQCaAh1r
CvrvO9+kpMykS3KNjE6M6t4=
=Wrdt
-----END PGP SIGNATURE-----

On 9/10/07, Dave Aitel wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> One thing we've been working on here at Immunity are Network Offense Professional certifications. Essentially it would be practical tests that established someone was capable of doing certain actions we should all be able to do.
>
> For example, the first certification was a simple stack overflow against Windows 2000. Testees would exploit it using Immunity Debugger/WinDBG and VisualSploit, which would keep it as technology agnostic as possible. You can either write a simple Win32 overflow or you can't.
>
> We were going to launch it during DefCon, but had a few other things going on. :>
>
> - -dave
>
>
> J.M. Seitz wrote:
> > Hey Mike,
> >
> >> The CISSP is the undisputed king of information security certifications. Currently, every now and then a security company starts pushing their employees towards certification programs. These are usually known for featuring insanely long exams, absurdly pedantic requirements and other kinds of doubtfully respectable necessities.
> >
> > I wouldn't say it's the king, I would say it has some very broad objectives, but is more so a Security+ on steroids. When the CISSP got traction, you have to look at the timing of the certification, and the fact that the only other certification that would get you a high paying job was a CCIE, and the CCIE is a nasty cert to get to say the least. SANS has put out some incredibly strong programs that can range from technical (GCIH/GCFA/GREM) to CISSP-like certifications.
> >
> >> We all know that there are several other certifications, but CISSP brings, without doubt, the very best. Be it a security operations manager, a field operative or some other kind of consulting freak, a CISSP will always deliver.
> >
> > I still disagree, and to be honest, I have interviewed more CISSPs that couldn't answer questions like "What does PKI stand for?", "Give me an analogy of a buffer overflow.", "What is transparent proxying and why is it important in some circumstances?". Come on, certs are as good as the people who take them, I again disagree.
> >
> >> My question for people out there, is this madness _that_ necessary? Do we have a good reason for spending loads of budget on certification programs and wasting our companies' money in such investments?
> >
> > Yep, again it's a baseline, one for HR. The people to watch out for are the ones who go the extra mile. Someone who has a GCIH most definitely doesn't make me giggle with glee, but someone who has a GCIH Gold I look forward to meeting with, and definitely love to engage on their research topic. It's worth a company's time and money to do it: (a) employees are more loyal to companies that give, (b) you'd be amazed at how often you will apply things straight from a certification.
> >
> >> Employees feel constrained since they might lose the certification after quitting their jobs, surfing towards another employer as intrusive and wasteful as the previous one, etc.
> >
> > Not sure how you would lose a certification if you left your job? Once you write the exam, it's yours not your company's.
> >
> >> If certifications exist for ethical hackers, are we going to see certifications for unethical hackers anytime soon? What if the mob and shady underground organizations needed to certify that they are employing the very best of the federal prison's Module 5? Will a Certified Unethical Software Security Expert (CUSSE) certification ever exist? "My name is Lincoln Six Echo, Certified Information Insecurity Systems Professional".
> >
> > http://blog.wired.com/27bstroke6/2007/08/a-look-inside-a.html
> >
> > There ya go :) I bet one or two unscrupulous people are "black-belts" :)
> >
> > In the end, certifications are good, but the reality is that they are only good if you are looking for work, and you get what you put into them. You want to get noticed in the security world? Build a tool, join and help people on forums, help Sourcefire write signatures (they need it), contact George Theall at Tenable and ask if you can help write NASL plugins, help the OSVDB with mangling. These are all things that will help round out a newcomer, and add it to the list of things that can benefit you when it's time to go job hunting. Now, if you _really_ want to get noticed, tackle the tough problems, write books, and try to talk at Black Hat, etc.
> >
> > Coming from an unknown security guy, low profile, I am still in the phase of doing all of these things. As such I have a Sec+ and a GCIH (which I am wrapping up my research paper on), and I can honestly say I do use some of it in my day-to-day.
> > You don't see these acronyms on my email signature but that's because I am not looking for work :)
> >
> > JS
> >
> > _______________________________________________
> > Dailydave mailing list
> > Dailydave at lists.immunitysec.com
> > http://lists.immunitysec.com/mailman/listinfo/dailydave
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.6 (GNU/Linux)
>
> iD8DBQFG5Uq/B8JNm+PA+iURAl+CAKDAkJkhJvSNf+lIAtF55A6IotizfgCgtZiP
> od5Gzue0h/Q6P4MTq5E7/pM=
> =VXSu
> -----END PGP SIGNATURE-----

--
http://www.smashthestack.org
http://www.unprotectedhex.com

From paul at xelerance.com Mon Sep 10 22:02:29 2007
From: paul at xelerance.com (Paul Wouters)
Date: Mon, 10 Sep 2007 22:02:29 -0400 (EDT)
Subject: [Dailydave] Information security certifications diversity andgetting lost
In-Reply-To: <28749c0e0709101612h28bb9d8aj92b410edf58cb379@mail.gmail.com>
References: <001801c7eea3$52efb6b0$6207a8c0@jseitz> <46E54AC0.10603@immunityinc.com> <28749c0e0709101612h28bb9d8aj92b410edf58cb379@mail.gmail.com>
Message-ID:

On Tue, 11 Sep 2007, nnp wrote:

> Sounds like yet another way for a vendor to make money off stupid
> people to be honest. I mean come on, a certificate saying you can
> write a stupid Windows 2000 overflow? Who cares? I mean really, who
> actually cares that you can do something that any donkey with an hour
> or so free time, a basic understanding of software architecture and a
> quick guide from one of several sites can do?

I agree, and I have that problem with the security community in general.

Exploits == Media == Attention == Money

Blackhat for instance, has drifted more and more to "give us a cool exploit" instead of focussing on the larger picture. So do most other "different from the other conferences" security conferences. And on the other end, we are seeing overly complex super-management 3D representations of technical/policy/legal requirements, and virtual pentesting software that misses the point completely about security.

For all its criticism, PCI-DSS is decent. It is a standard to try and develop your security policies. It does not go overboard with management-heavy stuff, and it does more than just asking someone to run nmap/nessus/metasploit/autopwn. If security managers complied with the PCI-DSS for all their servers, things would look much better.

CISSP is an okay general background, though it contains too much dated cruft, is not up to date with the latest technologies, and is too US-centric. And the exam is more an exercise in double negatives and mapping the OSI model on TCP/IP and remembering obscure names for modern ciphers, than a test of someone's security skills.

But as long as companies pay PWC and co $40k for a nessus scan, even the rudimentary security of CISSP is not going to be applied on a larger scale.

Paul

From jalexander at plus.net Tue Sep 11 12:32:00 2007
From: jalexander at plus.net (Jason Alexander)
Date: Tue, 11 Sep 2007 09:32:00 -0700
Subject: [Dailydave] Information security certifications diversity and getting lost
In-Reply-To:
Message-ID: <0JO7000703R45I00@calendar.plus.net>

I think a lot of the answers on this thread seem to concentrate on pen testing knowledge and techniques. The CISSP is much more than that (there are ten domains). For example, I am an information security manager and I would never pen test our networks. I always call in the "experts" to do this, but having a CISSP helped me gain the knowledge to know if those guys are really earning their cash!!

Just my 2 cents.
-----Original Message-----
From: dailydave-bounces at lists.immunitysec.com [mailto:dailydave-bounces at lists.immunitysec.com] On Behalf Of Kristian Erik Hermansen
Sent: 10 September 2007 13:12
To: dailydave at lists.immunitysec.com
Subject: Re: [Dailydave] Information security certifications diversity and getting lost

On 9/10/07, "Thomas Ptacek" wrote:
> How do you plan on solving the problems the CISSP has?
>
> 1. People will "teach to the test".

That is always the case with any test/certification. Sometimes people don't really care about the topics, just about the financial reward it is presumed to bring them by having the cert. All certs are meant to establish a baseline. If someone has a CISSP, you at least know that they took the time to read about the topics and pass the test successfully. Of course, this doesn't mean that they have any actual experience with security at all. However, it does show that they have the capacity to become somewhat familiar with the material. Think back to that Differential Equations course you took in university ... do you still *really* remember how to apply Laplace transformations correctly and in what context :-)

> 2. Certs get stale fast.

No argument here. Technology is a fast-paced industry...

What I think would be interesting is a certification that is meant to only be passed by 1% or so of security professionals. You make the questions so incredibly dependent on a wide array of knowledge, that only people who have done that sort of stuff before can pass. You could market it as something like the CCIE -- even have an 8-hour hands-on lab exam. You set up a physical network with various devices to simulate an actual network, and then judge the testing candidate based on their technique and how far they are able to penetrate the network layers. Do they burn one of their 0days to get in, and how elegant was their hack?

Of course, I have no idea how many govs/corps/individuals would actually be willing to pay for something like this, but that is not the point. Leave that to the savvy marketing and business people. Maybe such a certification is not viable...

The Certified Expert Penetration Test certification is a good start and actually forces the candidate to think. In that cert, they threw in something that fooled a lot of people. One of the three stages was a non-standard printf() vulnerability on Linux. In order to exploit it, you needed to have some basic idea of what was going on. People who were just trying standard techniques and then dropping in shellcode would not succeed. Even writing your own, you had to know what you were doing. Another stage was a publicly disclosed stack-based vulnerability in an FTP server for Windows. And the last stage was a very very simple reverse engineering problem. Oh, and the prerequisite to all this was a written examination, which weeds out the people who don't have any clue at all. I took this while in the presence of Jack Koziol, who was proctoring the exam in person while in Washington, DC for the Infosec Institute.

Now, I may know a little bit about security, but I am an amateur in comparison to visionaries like Mr. Aitel (hi dave!), Solar Designer, Halvar, and some of the real Black Hats who don't give talks at public security conferences :-) Even still, a really difficult hands-on security cert is non-existent...
--
Kristian Erik Hermansen

From ben at projectskyline.com Tue Sep 11 09:06:00 2007
From: ben at projectskyline.com (Ben Sgro (ProjectSkyLine))
Date: Tue, 11 Sep 2007 09:06:00 -0400
Subject: [Dailydave] Fw: Information security certifications diversityand getting lost
Message-ID: <007701c7f474$8080b210$6401a8c0@gamebox>

Look,

If you have the portfolio and work experience you don't need a cert. If your job makes you get one, fine, get one. If you're just starting out and can't get clients, having a cert might help. If you don't like it, don't get one.

Of course it's bullshit, just corp. trying to make money doing what they love, which is making money by exploiting trends. But hey, don't we all want to do what we love, and make money?

sk

From mwollenweber at gmail.com Tue Sep 11 10:07:28 2007
From: mwollenweber at gmail.com (matthew wollenweber)
Date: Tue, 11 Sep 2007 10:07:28 -0400
Subject: [Dailydave] Information security certifications diversity andgetting lost
In-Reply-To: <46E54AC0.10603@immunityinc.com>
References: <001801c7eea3$52efb6b0$6207a8c0@jseitz> <46E54AC0.10603@immunityinc.com>
Message-ID: <42210a440709110707k4c52db2dveb89557d7aa8ce49@mail.gmail.com>

This is the type of certification that I like to see. A couple other places have similar certs or at least philosophies. Jack Koziol and HBGary's classes come to mind. I think the exams are fun and generally worth it. But I'm still not sure of the "cert" part. Essentially the cert boils down to writing an exploit. Couldn't you just say that and/or point to existing work? I think the fact that the cert would say Immunity and/or Dave Aitel would go a long way in the right crowds -- though those crowds are typically small enough that if you're serious about the job people at least already know your name.
regarding disclosure, but I find the difficulties tremendous. Who owns the exploit my c

On 9/10/07, Dave Aitel wrote:
> One thing we've been working on here at Immunity are Network Offense Professional certifications. Essentially it would be practical tests that established someone was capable of doing certain actions we should all be able to do.
>
> For example, the first certification was a simple stack overflow against Windows 2000. Testees would exploit it using Immunity Debugger/WinDBG and VisualSploit, which would keep it as technology agnostic as possible. You can either write a simple Win32 overflow or you can't.
>
> We were going to launch it during DefCon, but had a few other things going on. :>
>
> - -dave

--
Matthew Wollenweber
mwollenweber at gmail.com | mjw at cyberwart.com
www.cyberwart.com
From andreg at gmail.com Tue Sep 11 12:06:06 2007
From: andreg at gmail.com (Andre Gironda)
Date: Tue, 11 Sep 2007 11:06:06 -0500
Subject: [Dailydave] Information security certifications diversity and getting lost
In-Reply-To: <0JO7000703R45I00@calendar.plus.net>
References: <0JO7000703R45I00@calendar.plus.net>
Message-ID: <2fd9390e0709110906n5ba0d9a5m64e68f95136dad1@mail.gmail.com>

On 9/11/07, Jason Alexander wrote:
> I think a lot of the answers on this thread seem to concentrate on pen testing knowledge and techniques

Not exactly, but you're on the right track.

Dave and others have a fixation on buffer overflows and "breaking code(s)". Some people simply feel that they are the best in the world at "security" because their hex knowledge goes the deepest. It's a penis-size matching contest that is actually worse than having the letters CISSP on your business card (although I admit that I'm a poser/wannabe in both these categories of snobbery/elitism).

Besides, with specific regard to pen-testing: a full vulnerability assessment is best done by looking at other softer aspects - such as code reviews, strategy consulting around how software is purchased/built/integrated, incident response, threat-modeling, and http://en.wikipedia.org/wiki/Certified_Social_Engineering_Prevention_Specialist (just to throw that in there to see what reactions I get).

When and if I get a CISSP, I'm going to make the letters "CISSP" my entire business card. You'll be able to punch out the letters (like you can remove the lockpicks from Mitnick's card), they'll be made out of fuzzy material with magnets on the back, and the cardback will be scratch and sniff.
dre

From tehshape at info-pull.com Tue Sep 11 16:27:09 2007
From: tehshape at info-pull.com (Michael Myers)
Date: Tue, 11 Sep 2007 22:27:09 +0200
Subject: [Dailydave] Pwnpress: the blog guerrilla is cumming
Message-ID: <3fd1bcc10709111327s67596187x103663cda838847a@mail.gmail.com>

As the Chief Security Officer of Info-pull.com Inc., I'm very proud and excited to announce the availability of "Pwnpress", a Wordpress exploitation toolkit for the masses. We finally decided to drop this public, since most of the exploits available fail horribly at doing their job.

Pwnpress is available at: http://www.info-pull.com/code/pwnpress.rb

Thanks to Lance M. Havok for developing such a wonderful and complete exploit. Hopefully this will settle down the discussion about what a "weaponized" exploit actually is. We are not talking about Deaf BlindEye Views nor Python Italian Massive Pasta (PIMP), but the real deal.

-- The mandatory industry plug

Info-pull.com Inc. provides synergistic services to demanding customers that require special skill-sets for developing the requested solutions. These range from information security management compliance to on-site training and synergy transactions. Customers are free to complain as of their complaints and concerns, refusing to approve a particular engagement in business with Info-pull.com Inc, the agreement set between the customer and the consulting sales management team, who will draw altogether a plan for providing solutions as the customer demands. Etc.

All in all, we promise to deliver best-in-class-and-beyond security services, including but not limited to real exploit development and human penetration testing (not involving automated tools such as Nessus or the powerful almighty Nmap). If you made it to this point, call us at 555-SLOWPOKE for a free quote!

--

Enjoy.

--
Michael Myers - CISSP, GNA, HIV
Chief Security Officer (CSO) - Info-pull.com
"Serious business since the night I came home."
October 31, 1963 - Haddonfield, Illinois (USA).

From krahmer at suse.de Wed Sep 12 10:12:09 2007
From: krahmer at suse.de (Sebastian Krahmer)
Date: Wed, 12 Sep 2007 16:12:09 +0200 (CEST)
Subject: [Dailydave] libpcap C# binding
Message-ID:

Hola,

For those who always sought dumb-easy packet capturing in .NET/C#:

http://c-skills.blogspot.com/2007/09/pcapsharp.html

It's a first draft version, but it worked for me with mono. Maybe it even works on a Win environment.

Sebastian

--
~
~ perl self.pl
~ $_='print"\$_=\47$_\47;eval"';eval
~
~ krahmer at suse.de - SuSE Security Team
~ SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nuernberg)

From lmh at info-pull.com Wed Sep 12 15:51:57 2007
From: lmh at info-pull.com (Lance M. Havok)
Date: Wed, 12 Sep 2007 21:51:57 +0200
Subject: [Dailydave] Pwnpress: the blog guerrilla is cumming
In-Reply-To: <3fd1bcc10709111327s67596187x103663cda838847a@mail.gmail.com>
References: <3fd1bcc10709111327s67596187x103663cda838847a@mail.gmail.com>
Message-ID:

Amusing.

From the securosis.com post (argh, a blog!) by our very own Rich "Too Concerned" Mogull neighbor... this comment is just plain hilarious:

cutaway Sep 12

Moving the xmlrpc.php file should work for a temp fix until it can be upgraded. I believe that this will disable adding posts and possibly other features. But at least your content can stay up until time is available for updating. If I am wrong, please let me know.

Thank you,
Cutaway

Alright ladies, my fellow Jesus H. Christ could explain it himself but I believe it's beneficial to say that the affirmation by the security professional "Cutaway" is just simply wrong. Without any animosity... (I remember, this was one of the passengers of the widely renowned Icer's Bang Bus, on its way to "LMH Outtaland, where anonymous security posers get outed for the buck", although I could be wrong since it's fairly difficult to remember the names and marketing motto(s) of all these random professional bloggers).
The problem is not in xmlrpc.php, you are just trying to solve the (public) exploit, not the flaw itself. While this is a daily musing for IDS vendors and fans of the signature based detection crowd (ALERT ALERT "\x41\x41\x41\x41..."), it's kinda whack coming from a recognized security pro. I mean, come on, this dude is freaking securing Fortune 500 and what not. Serious business there. CISSP, GIAC. Like Myers, just better.

From xmlrpc.php (2.2.2) pingback function:

    $post_ID = url_to_postid($url);
    if (!$post_ID) {
        (...)
    }

url_to_postid() comes from rewrite.php (wp-includes):

    // examine a url (supposedly from this blog) and try to
    // determine the post ID it represents.
    function url_to_postid($url) {
        global $wp_rewrite;

        $url = apply_filters('url_to_postid', $url);

        // First, check to see if there is a 'p=N' or 'page_id=N' to match against
        preg_match('#[?&](p|page_id)=(\d+)#', $url, $values);
        $id = intval($values[2]);
        if ( $id )
            return $id;

Problem there is that it fails to properly sanitize input (how surprising! OMG it's PHP!), and this can be abused when rewrite-style (ex. http://www.cutawaysecurity.com/blog/archives/167/trackback) permalinks are enabled. Buried in the function is a call to WP_Query(), which leads to magic, and magic leads to anger, and anger leads to user credentials outing.

        if ( preg_match("!^$match!", $request_match, $matches) ) {
            // Got a match.
            // Trim the query of everything up to the '?'.
            $query = preg_replace("!^.+\?!", '', $query);

            // Substitute the substring matches into the query.
            eval("\$query = \"$query\";");
            $query = new WP_Query($query);
            if ( $query->is_single || $query->is_page )
                return $query->post->ID;
            else
                return 0;
        }

One (female) lap dance to the first CISSP who finds the cookie in the code above. Trim trim, dun dun... xmlrpc.php is just a code path to trigger this issue (check the pingback function).

My recommendation is to execute the following commands in a shell with write privileges for the Wordpress installation directory:

    $ rm -rf wordpress

If that doesn't work, in order to troubleshoot all your security woes and also prevent others from wasting their time reading your rants or click revenue powered Google Ads:

    # rm -rf /

Revenge is definitely a dish to be served cold. Now the question, when did the US Marine Corps stop requiring its recruits to have less than 13% bodyfat? The answer, only the Bush administration knows. Sigh, another day serving. God loves America, and me too. Have a good one!

PS: Myers, are you coming home tonight?

From lmh at info-pull.com Thu Sep 13 18:39:30 2007
From: lmh at info-pull.com (Lance M. Havok)
Date: Fri, 14 Sep 2007 00:39:30 +0200
Subject: [Dailydave] Pwnpress 0.2 out (with the infamous GUI suggested by few people)
Message-ID:

Well, that's pretty much the whole thing. A post-auth (least privileges required) exploit for 2.1.2 will be added soon, as well as fixing any remaining issues (and implementing the 2.0.5 exploit too). Right now the interesting thing is the GUI. With music (Jesus H. Christ suggested The Final Countdown, by Europe, since there's a common belief about the end of blogging, circa 2008. I'm eager to see it happening!).

I heard someone modified the code to work for MU versions of Wordpress, just for kicks. Hope the development folks at wordpress.org release a (backdoor-free) update this time.

From now on I might try to waste my time playing something else, since I'm falling into boredom once again. Nothing new around, Myers is still able to troll a whole crowd of certification hungry professionals and I didn't manage to start blogging pictures of the random underage women who had the fate of visiting my twilight zone. Someone likes guns and he shows photos of his desk loaded with plastic pellet guns and what not [1].
The security industry doesn't change, the same disclosuretards keep flaming the unethicaltards and the ARC (Association of Retarded Citizens) [2] keeps the politically incorrect advertisements (I sort glass too, please don't throw me away). I think I'm going to take a trip to Germany, visit the place where the Führerbunker is supposed to be, and start digging with my bare hands. Then seize some random Aryan woman into the bunker, and commit suicide while singing Am Adolf Hitler platz, dancing to the rhythm of the Mickey Mouse squadron, err, symphony.

That said, you can find the latest Pwnpress code and GUI at:

http://www.info-pull.com/code.dynp
http://www.info-pull.com/code/pwnpress.rb
http://www.info-pull.com/code/pwnpress-gui.rb
http://www.info-pull.com/code/pwnpress-gui.rb.html
http://www.info-pull.com/code/pwnpress.rb.html

GUI screen-shot: http://www.info-pull.com/code/pwnpress-gui.png

For amazing video collections from my friend Mr. Green, just run heiseNikto against that. I have yet to pick my favorite one, with such gems I feel tempted to pick 'em all. They are in fact safe for work, since most security vendors don't bother buying speakers for the workstations, and we all know what everyone does when lurking lonely inside a small cubicle. Don't be a hypocrite, we know you like strip clubs and stuff! Obviously Scatman John songs are not lapdance friendly, unless you are into disgusting fetishes.

1: http://www.info-pull.com/code/maynor-home-office.jpg
2: http://www.youtube.com/watch?v=LtIStHj7o3k

PS: Don't start sending infinite Wordpress advisories please, give me a break. And trust me when I say that if Myers confirms the trollability of someone or something else, it's really trollable. And there's no other way around it. He's got the final, last word on all that is demagogic in this world. And you should fear him, by all means. It takes him a one-liner to break a sane mind into a wasted bunch of shards!
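Editor's note, added to the archive and not part of any message above nor of WordPress itself: the url_to_postid() excerpt LMH quotes from rewrite.php (2.2.2) substitutes the $matches[N] references of a rewrite target into a query string by handing the whole target to eval(), so whatever that string contains is executed as PHP, and the only thing keeping it honest is that rewrite targets are supposed to be trusted configuration. The substitution itself needs no eval: a regex callback treats both the target and the captured groups as data, which is the shape later WordPress releases moved to (WP_MatchesMapRegex). The rewrite rule, the request path and the apply_matches() helper in this PHP example are made up for the demonstration.

```php
<?php
// Added example (editor's, not WordPress code): substitute "$matches[N]"
// references in a rewrite target without eval(). The rule, the request path
// and this helper are constructed for the demonstration.

function apply_matches(string $query, array $matches): string
{
    // Each $matches[N] token becomes the N-th capture group, as data only:
    // no string is ever interpreted as PHP, whatever the target or the
    // request contains.
    return preg_replace_callback(
        '/\$matches\[(\d+)\]/',
        static function (array $m) use ($matches): string {
            return $matches[(int) $m[1]] ?? '';
        },
        $query
    );
}

// One rewrite rule of the shape WordPress stores: regex => target.
$rewrite = [
    '([^/]+)/trackback/?$' => 'index.php?pagename=$matches[1]&tb=1',
];

// Constructed sample request path, e.g. the path part of a pingback URL.
$request = 'about/trackback';

foreach ($rewrite as $match => $query) {
    if (preg_match("!^$match!", $request, $matches)) {
        // Trim the query of everything up to the '?', as the original does.
        $query = preg_replace('!^.+\?!', '', $query);

        // Original:  eval("\$query = \"$query\";");
        // That runs the target string as PHP inside double quotes, so a
        // target carrying {${...}} or an unbalanced quote executes code.
        // The data-only substitution below replaces it.
        $query = apply_matches($query, $matches);

        echo $query, "\n";
    }
}
```

Run with `php` on the command line; for the constructed rule and request it prints pagename=about&tb=1, which is what the original would then hand to WP_Query(). Note that this only removes the eval(): the query string still reaches WP_Query() unchanged, so the input validation LMH complains about in url_to_postid() is a separate question from the substitution mechanism.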
From irby at sliphead.com Fri Sep 14 12:06:36 2007
From: irby at sliphead.com (Irby Thompson)
Date: Fri, 14 Sep 2007 11:06:36 -0500
Subject: [Dailydave] Microsoft on Hypervisor-based Rootkits
Message-ID: <46EAB18C.6080202@sliphead.com>

From the horse's mouth:

http://www.microsoft.com/whdc/system/platform/virtual/CPUVirtExt.mspx

Choice quote #1: "a rogue hypervisor can be detected using standard rootkit detection mechanisms because the [hypervisor-based] rootkit cannot protect itself from the operating system running on top of it"

The golden nugget: "Rootkit developers have traditionally shown a strong desire to write code that runs in user mode rather than in kernel mode."

That's news to me.

-irby

From bbinger123 at yahoo.com Sat Sep 15 01:17:18 2007
From: bbinger123 at yahoo.com (Bee Binger)
Date: Fri, 14 Sep 2007 22:17:18 -0700 (PDT)
Subject: [Dailydave] a beautiful event
Message-ID: <991874.479.qm@web56005.mail.re3.yahoo.com>

http://torrentfreak.com/mediadefender-emails-leaked-070915/

"Unfortunately for Media Defender - a company dedicated to mitigating the effects of internet leaks - they can do nothing about being the subject of the biggest BitTorrent leak of all time. Over 700mb of their own internal emails, dating back over 6 months have been leaked to the internet in what will be a devastating blow to the company. Many are very recent, having September 2007 dates and the majority involve the most senior people in the company."

We can only hope that there will be many lost jobs and ruined families of all the people that work for the scum known as media defender.

From bbinger123 at yahoo.com Sun Sep 16 14:52:40 2007
From: bbinger123 at yahoo.com (Bee Binger)
Date: Sun, 16 Sep 2007 11:52:40 -0700 (PDT)
Subject: [Dailydave] more MD fun
Message-ID: <759325.27423.qm@web56013.mail.re3.yahoo.com>

http://thepiratebay.org/tor/3809004/MediaDefender.Phonecall-MDD
http://thepiratebay.org/tor/3808220/Gnutella.Tracking.Database.Leak.INDEPENDENT

It's rumored MDD has stolen Media Defender's tracking source code and will be releasing it soon.

It will be an awesome day when SCO and MD employees are next to each other in the unemployment line.

From dave at immunityinc.com Tue Sep 18 15:10:30 2007
From: dave at immunityinc.com (Dave Aitel)
Date: Tue, 18 Sep 2007 15:10:30 -0400
Subject: [Dailydave] You say "Potatoe" I say "Kartoffel" ?
Message-ID: <46F022A6.8020504@immunityinc.com>

http://kartoffel.reversemode.com/downloads/kartoffel-video.zip

This is a tool I came across recently with a funny name. It's a decent video - worth a watch in between laughing at the MediaDefender people, who clearly brought a knife to a battlemech fight.

Weirdly, back when Immunity first started my very first customer was a DRM VC who wanted to fund something just like MediaDefender. DRM makes you feel all squishy inside, so it didn't end up happening.

Who else here is going to http://powerofcommunity.net/home.html ? I'm going to try very hard to learn some Korean before I go.

-dave

From dailydave at digitaloffense.net Tue Sep 18 15:55:28 2007
From: dailydave at digitaloffense.net (Uninformed Staff)
Date: Tue, 18 Sep 2007 14:55:28 -0500
Subject: [Dailydave] Uninformed Journal Release Announcement: Volume 8
Message-ID: <200709181455.28377.dailydave@digitaloffense.net>

Uninformed is pleased to announce the release of its eighth volume. This volume includes 6 articles on a variety of topics:

- Covert Communications: Real-time Steganography with RTP
  Author: I)ruid
- Engineering in Reverse: PatchGuard Reloaded: A Brief Analysis of PatchGuard Version 3
  Author: Skywing
- Exploitation Technology: Getting out of Jail: Escaping Internet Explorer Protected Mode
  Author: Skywing
- Exploitation Technology: OS X Kernel-mode Exploitation in a Weekend
  Author: David Maynor
- Rootkits: A Catalog of Local Windows Kernel-mode Backdoor Techniques
  Authors: skape & Skywing
- Static Analysis: Generalizing Data Flow Information
  Author: skape

This volume of the journal can be found at:

http://www.uninformed.org/?v=8

About Uninformed:

Uninformed is a non-commercial technical outlet for research in areas pertaining to security technologies, reverse engineering, and low level programming. The goal, as the name implies, is to act as a medium for providing informative information to the uninformed. The research presented in each edition is simply an example of the evolutionary thought that affects all academic and professional disciplines.
- The Uninformed Staff staff [at] uninformed.org From tehshape at info-pull.com Tue Sep 18 17:10:49 2007 From: tehshape at info-pull.com (Michael Myers) Date: Tue, 18 Sep 2007 23:10:49 +0200 Subject: [Dailydave] Uninformed Journal Release Announcement: Volume 8 In-Reply-To: <200709181455.28377.dailydave@digitaloffense.net> References: <200709181455.28377.dailydave@digitaloffense.net> Message-ID: <3fd1bcc10709181410t15fec1e5h34c5dbd132ac539e@mail.gmail.com> > - Exploitation Technology: OS X Kernel-mode Exploitation in a Weekend > Author: David Maynor The Question: Is this the real David Maynor? And the 'in a weekend' bit proves he is really a genius among humans. "It takes David Maynor a weekend to ....", like those MTV catch phrases: "SUP DAWG, WE HEARD YOU LIKE DRAMA, SO WE PUT A DAVID MAYNOR COMPUTER IN YOUR CAR (SO YOU CAN BLOG WHILE YOU DRIVE)." Or my favorite: "SUP DAWG. WE HEARD YOU LIKE OBNOXIOUSLY RUDE JEWS WITHOUT HUMOR, SO WE PUT 600 GADI EVRONS IN THE ASHTRAY." In other news: http://www.youtube.com/watch?v=sE76LQwT6qA A student invades John Kerry, for a priceless session of IRL trolling and speech devastation, only to get taser-shot by a few Mensa members (otherwise known as COPS). This guy is an hero (note the cops laughing their ass off while the guy is crying due to taser loving). This is why we all love America. Have a juicy one. From jv274 at cl.cam.ac.uk Tue Sep 18 18:28:28 2007 From: jv274 at cl.cam.ac.uk (JFV) Date: Wed, 19 Sep 2007 00:28:28 +0200 Subject: [Dailydave] Uninformed Journal Release Announcement: Volume 8 In-Reply-To: <200709181455.28377.dailydave@digitaloffense.net> References: <200709181455.28377.dailydave@digitaloffense.net> Message-ID: <46F0510C.2030800@cl.cam.ac.uk> Uninformed Staff a ?crit : > Uninformed is pleased to announce the release of its eighth volume. This > volume includes 6 articles on a variety of topics: > [...] 
>
> - Static Analysis: Generalizing Data Flow Information
>   Author: skape
>

It's wonderful how the output of Phoenix and a couple of generic data structures altogether with a DFS algorithm leads to the creation of a 20-page paper.

The ERESI project uses this technique by introducing a "container" data structure carrying abstract input and output information for achieving what is described in this paper.

Really, no need to brag so much about such a thing, but at least now you are eligible for a new pwnie.

Take it easy

Julien Vanegue

From dave.aitel at gmail.com Tue Sep 18 22:13:57 2007
From: dave.aitel at gmail.com (Dave Aitel)
Date: Tue, 18 Sep 2007 22:13:57 -0400
Subject: [Dailydave] Completely unhackable Airbus's and stuff...
Message-ID:

http://www.telegraph.co.uk/money/main.jhtml?xml=/money/2007/09/12/cndsei212.xml

Ah yes, the unhackable EADS technology! I assume it's built on scapy?

Speaking of DRM though, I notice PDP has been plugging away at Media Player, and I can't help but remember that last time I looked the DRM stuff built into Media Player was pretty useful....

-dave

From paul at xelerance.com Tue Sep 18 22:48:53 2007
From: paul at xelerance.com (Paul Wouters)
Date: Tue, 18 Sep 2007 22:48:53 -0400 (EDT)
Subject: [Dailydave] Completely unhackable Airbus's and stuff...
In-Reply-To:
References:
Message-ID:

On Tue, 18 Sep 2007, Dave Aitel wrote:

> http://www.telegraph.co.uk/money/main.jhtml?xml=/money/2007/09/12/cndsei212.xml
>
> Ah yes, the unhackable EADS technology! I assume it's built on scapy?

Hah. I was once approached by someone bidding on the IPsec testing gig for that plane, but he didn't get it. I wonder if this means they don't trust AES.

Maybe I should switch to Twofish :)

Paul

From rhyskidd at gmail.com Wed Sep 19 04:48:41 2007
From: rhyskidd at gmail.com (Rhys Kidd)
Date: Wed, 19 Sep 2007 16:48:41 +0800
Subject: [Dailydave] Completely unhackable Airbus's and stuff...
In-Reply-To:
References:
Message-ID: <68dd869f0709190148j175c0a78vabb68b4a55c699e@mail.gmail.com>

Sounds very much like a system that uses in-band rekeying. Bit like WPA really.

I had a poke around the EADS site to get more information on the cryptographic algorithm it employs, but seeing as their sales manager doesn't promote any "mathematical" advantages of it, I'd say it's most likely already known to the public/or adapted from GCHQ.

It pains me to see the term "hacker-proof" once again means merely "the architecture is assuredly well designed", rather than additionally including "the particular implementation and code is assuredly well designed". Yes, EADS may have done PKI right, but did they do strcpy()/memcpy() right?

-Rhys

From johan2sson at gmail.com Wed Sep 19 06:53:09 2007
From: johan2sson at gmail.com (Johan Johansson)
Date: Wed, 19 Sep 2007 12:53:09 +0200
Subject: [Dailydave] Uninformed Journal Release Announcement: Volume 8
In-Reply-To: <46F0510C.2030800@cl.cam.ac.uk>
References: <200709181455.28377.dailydave@digitaloffense.net> <46F0510C.2030800@cl.cam.ac.uk>
Message-ID:

I'm sure the Uninformed Staff would have considered your article for publication, had you bothered to send one to them.

Really, no need to whine so much when someone actually does something.

Bye.

Johan

On 9/19/07, JFV wrote:
> Uninformed Staff wrote:
> > Uninformed is pleased to announce the release of its eighth volume. This
> > volume includes 6 articles on a variety of topics:
> > [...]
> >
> > - Static Analysis: Generalizing Data Flow Information
> >   Author: skape
> >
>
> It's wonderful how the output of Phoenix and a couple
> of generic data structures altogether with a
> DFS algorithm leads to the creation of a 20-page
> paper.
>
> The ERESI project uses this technique by introducing
> a "container" data structure carrying abstract input
> and output information for achieving what is described
> in this paper.
>
> Really, no need to brag so much about such a thing, but
> at least now you are eligible for a new pwnie
>
> Take it easy
>
> Julien Vanegue

From jv274 at cl.cam.ac.uk Wed Sep 19 09:12:46 2007
From: jv274 at cl.cam.ac.uk (JFV)
Date: Wed, 19 Sep 2007 15:12:46 +0200
Subject: [Dailydave] Uninformed Journal Release Announcement: Volume 8
In-Reply-To:
References: <200709181455.28377.dailydave@digitaloffense.net> <46F0510C.2030800@cl.cam.ac.uk>
Message-ID: <46F1204E.4000406@cl.cam.ac.uk>

Johan Johansson wrote:
> I'm sure the Uninformed Staff would have considered your article for
> publication, had you bothered to send one to them.
>
This is not the point.

> Really, no need to whine so much when someone actually does something.
>
So the articles are not made for being read and criticized? They are written for what then? I have freedom to express myself and I usually enjoy sending good feedback to *great* articles, wherever they are published.

"Ohhhh skape, that's incredible, you've done it again, congrats!"
-jfv From tehshape at info-pull.com Wed Sep 19 10:13:08 2007 From: tehshape at info-pull.com (Michael Myers) Date: Wed, 19 Sep 2007 16:13:08 +0200 Subject: [Dailydave] Uninformed Journal Release Announcement: Volume 8 In-Reply-To: References: <200709181455.28377.dailydave@digitaloffense.net> <46F0510C.2030800@cl.cam.ac.uk> Message-ID: <3fd1bcc10709190713v3515d099vae23fe6e29bc7872@mail.gmail.com> One of our kids here happens to known lambdawar since some time ago (years). It seems that after all this time, there's this weird, annoying assumption (or misconception depending on how tired you feel about it) that everything that isn't public, doesn't exist. The crowd of home wifes that represents maybe the highest percent of female population in the whole world, knows this since taper ware became mainstream. How comes that the VERY BEST of the IT security industry still don't get it? Let's put a simple example, 'real world case': One day you get up, jump out of your bed and quickly go to read your GMail account inbox, where a French man lost in da UK has delivered an e-mail, '"whining" about something that he probably knows better than quite some people out there (...the early elfsh days to ERESI now). Maybe his English is not perfect. Maybe he is in fact whining. But something in your brain ticks, and you click at the Settings link. Promptly you change to the POP and forwarding settings, only to find that magically POP access has been enabled for your account. But you never, ever, did it yourself, or at least can't remember enabling it since you like to use TOR and your web browser, for everything else (from personal e-mail, to business, to LinkedIn spamming). This dilemma drives you insane, and suddenly you realize that someone has had 'his jenkem', otherwise popularly known as 'inbox juarez'. Then you ask yourself: Since nobody actually forwarded a tarball with my Inbox to lulz-disclosure, you obviously didn't get hacked by negroidians from Pluto! 
Is that assumption wrong? I think so. But this is just an example! (Well, I'm not sure, but I damn promise I just popped it out of my mind at this very moment; any relation or connection with reality is purely coincidental and involuntary.)

Please be careful about assuming that everything that isn't public hasn't been done by someone else before. The security industry is so full of shit that apparently there's nothing interesting but competing against each other to see who gets the jenkem first. One security researcher's poo is another's treasure.

Security research? Just another non-sense. If you wanna do research, go mess with cancer patients. Writing some half-assed crap or bragging about Asterisk 0day is not research.

The short answer to your e-mail, which I carefully considered: just shut the fuck up, get your ass moving and actually do something _yourself_. This chubby security popstar groupies phenomenon is really getting annoying. We've got Schneier groupies, Matasano groupies, Maynor groupies, Metasploit groupies (Lance, I see you there!), Honeynet groupies, etc. Oh, and I missed the Immunity groupies. But we never see them wasting their time on bullshit.

Aueheuehieheuhaihaia.

On 9/19/07, Johan Johansson wrote:
> I'm sure the Uninformed Staff would have considered your article for
> publication, had you bothered to send one to them.
>
> Really, no need to whine so much when someone actually does something.
>
> Bye.

--
Michael Myers - CISSP, GNA, HIV
Chief Security Officer (CSO) - Info-pull.com
"Serious business since the night I came home."
October 31, 1963 - Haddonfield, Illinois (USA).

From johan2sson at gmail.com Thu Sep 20 05:51:55 2007
From: johan2sson at gmail.com (Johan Johansson)
Date: Thu, 20 Sep 2007 11:51:55 +0200
Subject: [Dailydave] Uninformed Journal Release Announcement: Volume 8
In-Reply-To: <46F1204E.4000406@cl.cam.ac.uk>
References: <200709181455.28377.dailydave@digitaloffense.net> <46F0510C.2030800@cl.cam.ac.uk> <46F1204E.4000406@cl.cam.ac.uk>
Message-ID:

On 9/19/07, JFV wrote:
> Johan Johansson wrote:
> > I'm sure the Uninformed Staff would have considered your article for
> > publication, had you bothered to send one to them.
> >
> This is not the point
[cut and paste]
> "Ohhhh skape, that's incredible, you've done it again, congrats!"

Actually it is exactly the point. The point is not that what he's done is new, fantastic or even useful (or not). Hell, I haven't even read the article yet. What counts is that he bothered to write the article and have it published. That's a lot more useful than you curing cancer and not telling anyone.

> So the articles are not made for being read and criticized?
> They are written for what then? I have freedom to express
> myself and I usually enjoy sending good feedback to *great*
> articles, wherever they are published.

Yes, of course they are. But criticizing its publication rather than its content seems counterproductive. I'm looking forward to your article in the next issue whether it's brilliant or pointless.

j

From dave at immunityinc.com Thu Sep 20 09:45:45 2007
From: dave at immunityinc.com (Dave Aitel)
Date: Thu, 20 Sep 2007 09:45:45 -0400
Subject: [Dailydave] Congrats to Ryan Smith and Neel Mehta!
Message-ID: <46F27989.8050903@immunityinc.com>

For their VMWare DHCP bug:

This release fixes several vulnerabilities in the DHCP server that could enable specially crafted packets to gain system-level privileges. (CVE-2007-0061, CVE-2007-0062, CVE-2007-0063)

I wonder if there's any way to trigger that when you're not behind the VMWare NAT or in Host-Only mode.

Also this bug from Rafal Wojtczuk looks really cool (and quite vague - does it work without VMWare tools installed? Going to have to say he plays with the paravirtualization stack maybe?).

This release fixes a security vulnerability that could allow a guest operating system user with administrative privileges to cause memory corruption in a host process, and thus potentially execute arbitrary code on the host. (CVE-2007-4496)

-dave

From dave at immunityinc.com Thu Sep 20 13:12:46 2007
From: dave at immunityinc.com (Dave Aitel)
Date: Thu, 20 Sep 2007 13:12:46 -0400
Subject: [Dailydave] Wireless spaces
Message-ID: <46F2AA0E.6060709@immunityinc.com>

Are any of the major vendors doing this?

1. Take any three wireless access points and have them each track client wireless signal strength. (This will map to physical space almost)
2. At the same time, have them track traffic type this client is doing and use this to generate a number of some sort.
3. Map these four things into a space and all your clients will be divided into "rooms" that you can draw bounding boxes around (much like Reliance HIDS did).
4. Do simple anomaly detection and you'll see a SILICA user in the parking lot stand out like a Suicide Girl in Utah.

I think if you can tie the traffic clients generate with "where" the clients are, you'll get an interesting picture of things in general. You don't care in real world terms where they are, just where they are in the mathematical space.
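The four-feature "room" mapping sketched in steps 1-4 above, as an added example that is not part of the original post or of any vendor product: three per-AP RSSI readings plus a traffic-type score are clustered into rooms with a small k-means, each room gets a padded bounding box, and a client that lands outside every box is reported as an anomaly together with the features that put it there. The baseline readings, the traffic score (distinct destination ports per 100 packets) and the margins are constructed assumptions.

```python
"""Cluster wifi clients into "rooms" from three per-AP RSSI readings plus a
traffic-type score, then flag clients that fall outside every room's box."""
from dataclasses import dataclass
from typing import List, Tuple

Vec = Tuple[float, ...]  # (rssi_ap1, rssi_ap2, rssi_ap3, traffic)
FEATURES = ("rssi_ap1", "rssi_ap2", "rssi_ap3", "traffic")

# Constructed baseline of known-good clients. RSSI is in dBm as seen by the
# three APs (step 1); "traffic" is a made-up traffic-type score, distinct
# destination ports per 100 packets, the "number of some sort" of step 2.
BASELINE: List[Vec] = [
    # east office: strong at AP1, weak at AP3, ordinary web/mail traffic
    (-42.0, -58.0, -77.0, 3.0),
    (-45.0, -55.0, -80.0, 2.0),
    (-40.0, -60.0, -75.0, 4.0),
    (-44.0, -57.0, -78.0, 3.0),
    # west lab: strong at AP3, weak at AP1
    (-79.0, -61.0, -41.0, 5.0),
    (-82.0, -63.0, -44.0, 6.0),
    (-77.0, -59.0, -40.0, 4.0),
    (-80.0, -62.0, -43.0, 5.0),
]
# Padding around each room's observed range: 6 dB of RSSI slack and 2 points
# of traffic score (assumed values; tune against real data).
MARGIN: Vec = (6.0, 6.0, 6.0, 2.0)

def _dist(a: Vec, b: Vec) -> float:
    return sum((x - y) ** 2 for x, y in zip(a, b)) ** 0.5

def _mean(points: List[Vec]) -> Vec:
    return tuple(sum(p[d] for p in points) / len(points) for d in range(len(points[0])))

def kmeans(points: List[Vec], k: int, rounds: int = 50) -> List[List[Vec]]:
    """Plain k-means with deterministic farthest-point seeding (step 3)."""
    centroids = [points[0]]
    while len(centroids) < k:
        centroids.append(max(points, key=lambda p: min(_dist(p, c) for c in centroids)))
    groups: List[List[Vec]] = []
    for _ in range(rounds):
        groups = [[] for _ in centroids]
        for p in points:
            groups[min(range(k), key=lambda i: _dist(p, centroids[i]))].append(p)
        new = [_mean(g) if g else centroids[i] for i, g in enumerate(groups)]
        if new == centroids:  # assignments are stable, done
            break
        centroids = new
    return groups

@dataclass
class Room:
    name: str
    centroid: Vec
    lo: Vec  # bounding box corners, already padded by MARGIN
    hi: Vec

    def violations(self, v: Vec) -> Tuple[str, ...]:
        """Names of the features of v that fall outside this room's box."""
        return tuple(f for f, lo_, x, hi_ in zip(FEATURES, self.lo, v, self.hi)
                     if not lo_ <= x <= hi_)

def build_rooms(points: List[Vec], k: int, margin: Vec = MARGIN) -> List[Room]:
    rooms = []
    for i, group in enumerate(g for g in kmeans(points, k) if g):
        lo = tuple(min(p[d] for p in group) - margin[d] for d in range(len(margin)))
        hi = tuple(max(p[d] for p in group) + margin[d] for d in range(len(margin)))
        rooms.append(Room(f"room-{i}", _mean(group), lo, hi))
    return rooms

def classify(rooms: List[Room], v: Vec) -> Tuple[str, str, Tuple[str, ...]]:
    """Step 4: returns (status, room, offending features). A client inside some
    box is "inside" that room; otherwise it is an "anomaly", explained by the
    features that push it out of the nearest room's box."""
    for r in rooms:
        if not r.violations(v):
            return "inside", r.name, ()
    nearest = min(rooms, key=lambda r: _dist(r.centroid, v))
    return "anomaly", nearest.name, nearest.violations(v)

# Constructed observations to score against the baseline rooms.
OBSERVED = {
    "laptop-7": (-43.0, -57.0, -76.0, 3.0),       # ordinary east-office client
    "laptop-9": (-80.0, -60.0, -42.0, 5.0),       # ordinary west-lab client
    "parking-lot": (-88.0, -90.0, -86.0, 4.0),    # weak at all three APs
    "port-scanner": (-44.0, -58.0, -78.0, 38.0),  # right room, wrong traffic
}

if __name__ == "__main__":
    rooms = build_rooms(BASELINE, k=2)
    for name, vec in OBSERVED.items():
        print(name, classify(rooms, vec))
```

The parking-lot client is flagged on two RSSI axes, the scanner on the traffic axis alone, which is the "where plus what" signal the post is after.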
-dave

From zpayton at gmail.com Thu Sep 20 14:05:26 2007
From: zpayton at gmail.com (Zack Payton)
Date: Thu, 20 Sep 2007 14:05:26 -0400
Subject: [Dailydave] Wireless spaces
In-Reply-To: <46F2AA0E.6060709@immunityinc.com>
References: <46F2AA0E.6060709@immunityinc.com>
Message-ID:

I've heard of some wireless authentication systems that use the client's triangulated position to decide whether or not to allow you on the network. I think the US Senate uses a system much like this. Imagine being able to insert an architectural layout drawn up in Visio into your AP and saying anything outside the perimeter of the building won't be able to use the AP.

Z

On 9/20/07, Dave Aitel wrote:
>
> Are any of the major vendors doing this?
>
> 1. Take any three wireless access points and have them each track
> client wireless signal strength. (This will map to physical space almost)
> 2. At the same time, have them track traffic type this client is doing
> and use this to generate a number of some sort.
> 3. Map these four things into a space and all your clients will be
> divided into "rooms" that you can draw bounding boxes around (much
> like Reliance HIDS did).
> 4. Do simple anomaly detection and you'll see a SILICA user in the
> parking lot stand out like a Suicide Girl in Utah.
>
> I think if you can tie the traffic clients generate with "where" the
> clients are, you'll get an interesting picture of things in general.
> You don't care in real world terms where they are, just where they are
> in the mathematical space.
>
> -dave

From pmelson at gmail.com Thu Sep 20 14:39:01 2007
From: pmelson at gmail.com (Paul Melson)
Date: Thu, 20 Sep 2007 14:39:01 -0400
Subject: [Dailydave] Wireless spaces
In-Reply-To: <46F2AA0E.6060709@immunityinc.com>
References: <46F2AA0E.6060709@immunityinc.com>
Message-ID: <005d01c7fbb5$84bc3e10$4d00300a@ad.priorityhealth.com>

> Are any of the major vendors doing this?
>
> 1. Take any three wireless access points and have them each track client wireless signal strength. (This will
> map to physical space almost)

You can do this with Cisco/Airespace switches. They will triangulate clients and rogue access points. Plus you can upload purdy maps to WCS and overlay triangulation with floor plans, campus maps, pictures of your dog, etc.

> 2. At the same time, have them track traffic type this client is doing and use this to generate a number of
> some sort.
> 3. Map these four things into a space and all your clients will be divided into "rooms" that you can draw
> bounding boxes around (much like Reliance HIDS did).
> 4. Do simple anomaly detection and you'll see a SILICA user in the parking lot stand out like a Suicide Girl
> in Utah.
>
> I think if you can tie the traffic clients generate with "where" the clients are, you'll get an interesting
> picture of things in general.
> You don't care in real world terms where they are, just where they are in the mathematical space.

I don't know a single vendor today that has sniffer, IDS, SIM, and triangulation built into their product. I can't imagine that'd be a profitable niche.

PaulM

From lists at bughunter.ca Thu Sep 20 16:01:07 2007
From: lists at bughunter.ca (J.M. Seitz)
Date: Thu, 20 Sep 2007 13:01:07 -0700
Subject: [Dailydave] Wireless spaces
In-Reply-To:
Message-ID: <002601c7fbc0$fe8c5210$6207a8c0@jseitz>

> Imagine being able to insert an
> architectural layout drawn up in Visio into your AP and
> saying anything outside the perimeter of the building won't
> be able to use AP.

You may not be able to do that in Visio, but you can build the Internet in Visio:

http://www.shunra.com/network_simulation_products

Now THAT's badass!

JS

From h1kari at toorcon.org Thu Sep 20 19:04:59 2007
From: h1kari at toorcon.org (David Hulton)
Date: Thu, 20 Sep 2007 16:04:59 -0700
Subject: [Dailydave] ToorCon Final Lineup Announcement
Message-ID: <1ccfd6300709201604h22961679tb6579268ab146a27@mail.gmail.com>

Hey guys,

Just thought I'd shoot out a quick shameless plug for ToorCon and mention that we've published our full speaker lineup and have finalized our Seminars and Workshops schedule. We will be increasing the registration prices on Sunday, September 23rd so if you're interested in coming out, make sure you register before then or you'll be stuck paying extra later. More information about ToorCon this year can be found at http://www.toorcon.org.

WORKSHOPS - Thu, Oct 18th - $900

*NEW* - Penetrating the Epoxy Curtain: Hands-On Silicon Hacking
Instructors: Bunnie & Christopher Tarnovsky
Availability: 9 seats left

I'm really excited about this workshop. It'll involve dissecting a stored value smart card die and reverse engineering the transistors to determine what the different parts of the chip do and by the end of the course be able to circumvent some of the card's hardware access controls. We're gearing this workshop towards software reverse engineers that want to learn more about how the hardware ticks and get a better understanding for how things are implemented at the even lower levels. People attending this course will receive decapped parts, large format prints of the die, flash drives with high-resolution pictures of the die, and hands-on access to chip reverse engineering equipment.

Building/Hacking Open Source Embedded Wireless Routers
Instructors: Ken Caruso & Matt Westervelt
Availability: 9 seats left

This workshop is set up to teach people how to deploy real-world large scale wireless networks using open source hardware and software. People attending this class will receive a free Soekris access point setup and will get all of the software pre-packaged to readily boot it up and run any of the standard mesh-networking protocols. This workshop is run by the guys that run the Seattle Wireless community network and have extensive experience with setting up wireless networks all around the world.

Crash Course in Penetration Testing
Instructor: Joseph McCray
Availability: 5 seats left

This workshop has received a lot of attention recently and is filling up quickly. The premise behind this workshop is that the first half of the class teaches the basics of penetration testing and the second half involves running wild on a rootwars network set up in the classroom and learning techniques with hands-on exercises. People attending this workshop will leave with a 250GB 2.5" hard drive filled with VMware images of challenge VMs and an attack VM pre-loaded with all of the basic hacking tools needed to start playing. The goal is that after people leave the class they'll be able to continue developing their skills by completing further challenge levels in the rootwars VMs.

All of these workshops are taking place at the Hotel Solamar in Downtown San Diego on Thursday, October 18th. Workshop admission is currently $900 which includes entrance to the general ToorCon conference and we're offering a discount for people who wish to also attend our Seminars on Friday, October 19th for only $1100, a $300 savings!

SEMINARS - Fri, Oct 19th - $500

- Gabriel Lawrence, Linux Kernel Rootkit Detection and Analysis during Incident Response
- Andre Gironda, Continuo