Don Parker Blog

Don Parker is lead analyst and technical trainer at Bridon Security & Training Services, located in Ottawa, Ontario, Canada. He has worked for SANS as a Local Mentor for the Intrusion Detection In-Depth track and has enjoyed speaking at various security conferences as a guest speaker. A widely published author, he continues to write for various online and print media such as SecurityFocus and SC Magazine in an effort to share knowledge. Don also does technical book editing for various publishers and enjoys teaching custom courses for clients. Rounding out his activities, he volunteers his time to various local efforts.

Geek humour

It really was one of those classic moments of true inspiration for me. A couple of colleagues of mine who are programmers were chewing the fat with me when one of them said that his bike ride to work was too short. It was only fifteen minutes or so for him to pedal in to work. Hmmmmmm, that was when inspiration struck me….. "Seeing as you are a programmer, why don't you just go into a loop?" I said as I began to crack up laughing. He really did me in when he took the joke and ran with it by saying "Oh my God! I am stuck in the loop, I forgot the conditional!". Mwuahahahahahahahha. You really had to be there I suppose, but it really was quite funny.

Acunetix Press Release

PRESS RELEASE

For immediate release

Acunetix Web Site Security Centre Exposes Web Site Hacking

New information center offers advice on how to prevent SQL injection, cross-site scripting, Google hacking and other web application attacks

London, UK – April 19, 2006 – Acunetix has launched the Acunetix Web Site Security Center, a comprehensive web site security information center that educates visitors on the latest and most threatening web application hacking techniques. The new information center is hosted at http://www.acunetix.com/websitesecurity/ and is frequently updated with current information concerning new hacking techniques.

WindowSecurity.com site survey

Hi guys,

There is a site survey up on WindowSecurity.com now that is hoping to get some valuable input from you. Please take the minute or so to fill it out. As the saying goes, "help us help you". Getting some constructive criticism back from you would be great and would help us better the site. Also, don't forget to take the opportunity to say what you would like to see more of on the site. We are looking forward to your input!

http://www.windowsecurity.com/pages/survey.asp

To consult or not

Most everyone dreams of being their own boss one day. In the security world you very much have that option available to you. The problem is, though, that to be a full-time consultant you realistically need a regular client base. If not, then you are back to the old consultant adage "feast or famine". While that may be alright for a single person, if you have kids and a house you may not be willing to take the plunge. Can't say I blame you really, as it can be a very daunting step to take.

Have any of you taken the plunge and gone from a good job to the volatile world of the consultant? The money can be very good as a consultant, but then again you have a lot more expenses to pay for as well. I have had some people blink twice when I give them my per diem. Heh, after I explain to them the expenses I have to pay for, my per diem does not seem so big suddenly. Any of you guys got some stories to share?

Offline storage and backing up your files

It is always the nightmare scenario, i.e. disk failure! It really sucks when your hard drive cannot be accessed anymore, along with all of those files that you only wished you had backed up. Well, that very thought crossed my mind a while back, and it almost happened to me. I rebooted my computer a couple of years ago and nothing happened. Long story short, I was able to get my computer fixed and my data was intact.

With that close call in mind I decided that I really had to start backing up the client work I was doing, and other miscellaneous documentation regarding my contract work. I did this back then with some USB sticks, but last year I bought a 160 GB NAS and have been quite happy with it. Though I still keep a backup of my backup on my USB sticks, it is nice to have peace of mind. I know my clients couldn't care less about my computer problems; they just want their work done. With backups close by that is no longer an issue. Any of you guys go that route?

Internal Pen-Test

Well, having pen-tests performed against your network is now an accepted common practice. These can range from the fairly simple to the rather complex. It all depends on the outward-facing services, and any backend databases that may be there as well, not to mention the vagaries of the website itself. Unlike a malicious hacker, I can without reservation use something like Nessus or Nikto, as I have been legally retained to do the pen-test. Using one of these tools is akin to marching into church with a brass band, i.e. very, very noisy.

On the other hand, I have also done what is less well known: the internal pen-test. This is where, as you would likely guess, you perform a pen-test of the internal network. I would actually be on the inside of the network, in the building itself, to see what weaknesses can be exploited. Having such a test done is crucial, as disenfranchised employees can wreak havoc if your internal network is not hardened. Hmmmmmm, not a bad idea to write about actually. Do any of you have some thoughts on internal vs. external pen-tests???

Justin Troutman’s blog

It is rather nice to have a cryptographer on board actually. Better yet, one with a blog to boot! As I am sure Justin can attest, for many people cryptography is a subject not understood in the slightest. On that note I shall beetle on over to Justin's blog and make a post asking him how to, say, relate cryptography to the everyday person.

You may or may not know that Justin has actually spoken at several high-end security conferences on matters of cryptography. That to me speaks volumes, not only about his knowledge of the subject matter, but also about his ability to convey a highly technical topic in terms that the layman can understand. Not bad for a Southerner :p

Reverse engineering methodology

Reverse engineering is really a pretty cool area of computer security. You need not be frightened by it, though, if you have limited programming knowledge. That said, the more programming knowledge you have the better, especially as it pertains to Assembly. There are certain things that you will be looking for in an executable that you are attempting to do RCE (reverse code engineering) on. The usual error-prone functions, such as the str* series, are always a good start. Any mathematical functions, which could indicate encryption, are always a good bet to look for as well. There is some very interesting research being done, as I believe I already mentioned, by the Metasploit crew on a new tool that will help one do RCE. Anyhow, should any of you have some reverse engineering related war stories you would like to share, feel free to share them.
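To put that first-pass checklist into something you can run, here is a small Python triage script I have added (my code, not anything from the post or from Metasploit). It pulls printable strings out of a binary the way the strings utility does and buckets them into the error-prone str*/sprintf family, the bounded variants that still deserve a second look, and names that hint at cryptographic or big-number routines. It scans raw bytes rather than parsing a real import table, so it works on any file you point it at; the sample blob is constructed, and the crypto hint list (OpenSSL EVP_/BN_ prefixes plus common algorithm names) is my assumption about what such a binary might import.

```python
import re
from typing import Dict, List

# Functions the post points at first: unbounded copies in the str*/sprintf family.
UNBOUNDED_COPY = {"strcpy", "strcat", "sprintf", "vsprintf", "gets"}
# Bounded variants that still deserve a look (size-argument mistakes are common).
BOUNDED_REVIEW = {"strncpy", "strncat", "snprintf"}
# Substrings that hint at cryptographic or big-number code: OpenSSL prefixes
# (EVP_, BN_) and common algorithm names. An assumption about what a binary
# under review might import, not a list taken from the post.
CRYPTO_HINTS = ("EVP_", "BN_", "AES", "DES", "RC4", "MD5", "SHA", "RSA")


def extract_strings(blob: bytes, min_len: int = 4) -> List[str]:
    """Return runs of at least min_len printable ASCII bytes, like strings(1)."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(blob)]


def triage(blob: bytes) -> Dict[str, List[str]]:
    """Bucket the printable strings in blob into the things to look at first.

    Function names are matched exactly, because in a symbol string table each
    name is NUL-terminated and so comes out as its own string. Crypto hints
    are matched as substrings, because they appear inside longer symbol names
    such as EVP_EncryptInit_ex.
    """
    unbounded, bounded, crypto = set(), set(), set()
    for s in extract_strings(blob):
        if s in UNBOUNDED_COPY:
            unbounded.add(s)
        elif s in BOUNDED_REVIEW:
            bounded.add(s)
        if any(hint in s for hint in CRYPTO_HINTS):
            crypto.add(s)
    return {
        "unbounded_copy": sorted(unbounded),
        "bounded_review": sorted(bounded),
        "crypto_hints": sorted(crypto),
    }


# Constructed sample: a fragment resembling an ELF header followed by a
# NUL-separated symbol string table. Not a real binary.
SAMPLE_BLOB = (
    b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 8
    + b"\x00libc.so.6\x00strcpy\x00printf\x00memcpy\x00strncpy\x00gets\x00"
    + b"libcrypto.so.1.1\x00BN_mod_exp\x00EVP_EncryptInit_ex\x00SHA256_Init\x00"
    + b"\x01\x02\x03\x04_start\x00"
)

if __name__ == "__main__":
    # Run against a real file with: triage(open(path, "rb").read())
    for bucket, names in triage(SAMPLE_BLOB).items():
        print(f"{bucket:15s} {', '.join(names) or '-'}")
```

On a real executable you would confirm the hits against the actual import table (readelf or objdump on ELF, dumpbin on PE) before spending time in the debugger, since a string match only tells you a name is present, not that the code path is reachable.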

Are you compliant?

Well, we have all heard about the various pieces of legislation that have been passed in the States. Quite a few of them, I am sure, affect you in the corporate world. That, plus the now mandated disclosure of database breaches in certain US states, makes for some interesting times. Not every corporation has the in-house expertise to get these audits done. Not only that, but do you really want your in-house staff doing it to begin with? It is sometimes a good idea to have this type of compliance work done by an outside contractor. No, this is not an advert from me to you; rather, it is always a good idea to get an objective third-eye view of your network as it is affected by the legislation passed. How many of you guys actually do have contractors audit your networks? Anyone care to share some stories? I for one think it is a good idea that such legislation as HIPAA and others have been passed. Anyhow, your thoughts, if you have any, would be good.

Reverse engineering

Reverse engineering is one of those topics that, when discussed, few people have anything to add to. Why? Well, simply because it is such a high-end and niche skill that not too many people practice it. There are a lot of programmers out there, but that said, not too many of them debug their code with IDA Pro, SoftICE, or OllyDbg. In other words, I don't think there are a ton of programmers out there who have a good familiarity with Assembly. I for one don't consider myself a programmer, for I am not. When time permits I continue to attempt furthering my skills in it, which are lame at best in my opinion. But back to reverse engineering for a minute. Bruce Potter I think hit it on the head in an interview he did for Security-Forums when he said he knows people who can rev-eng but not necessarily program the exploit for the bug that may be found. A very astute observation, I would say. Any of you have any thoughts on this? Oh yes! I almost forgot. The guys over at Metasploit (skape) are working on an automated reverse engineering tool that would automate certain things that you would normally have to do by hand. I'm looking forward to seeing the tool once skape has time to finish working on it. For all those of you who do use the Metasploit Framework, you may wish to send the crew down there a buck or two to help them out. The money goes towards the project, and perhaps some pizza and beer. Every dollar helps!
