I am the man in the middle.

The New School of Information Security

As promised here is my full review of The New School of Information Security by Adam Shostack and Andrew Stewart:

The New School of Information Security is one of the most timely and radical books on computer and information security that I've ever read. Adam Shostack and Andrew Stewart help to stimulate a significant paradigm shift that has been brewing in the infosec sphere for some time. With solid evidence and well grounded arguments Shostack and Stewart advocate for a new, and much needed, approach to information security: the New School.

InfoSec Institute Advanced Ethical Hacking (AEH) Training Review

I'm taking the Advanced Ethical Hacking training this week from Infosec Institute. The course is a five day 'boot camp' style training designed to teach reverse engineering, hand writing exploits (buffer and heap overflows), web application security, and other penetration testing techniques. The class is pretty unique in its material.

The class was held at the Comfort Suites in Manassas, VA. It turns out the location was my first disappointment. Although the course is advertised as taking place in Washington, DC, it is in fact offered in Manassas, Virginia. This is about 45 minutes outside of the city and isn't metro accessible so you pretty much have to drive to get there. The Comfort Suites conference room where the training was held was reasonably comfortable. The internet connection is slow and the rooms leave a lot to be desired. It's very loud in the hotel so I never got much sleep.

Identity Protection

If you've ever done a Google search for your name you'll be shocked at how much information comes up. There are customer profiles on commerce websites, your profile on social networking sites, heck, perhaps even the deed transfer information from when you bought your house. Of course, we all want our friends to be able to find us online, but often times too much information about who we are gets leaked onto the internet. I'm fine with people finding my e-mail address, but finding out where I work, where I live, my phone number and my Amazon wish list is a little too much for me. There are even new sites like http://pipl.com that do deep searching and pull all these details out for any casual searcher.

Question: When would you use 'sign' over 'encrypt'?

Public key encryption (or asymmetric encryption) is pretty tricky stuff. Encrypting a message provides confidentiality; signing provides assurance of who sent it and that it has not changed. If I sign a message, the message is hashed and the hash is encrypted with my private key. This 'signature' can be verified by anyone with my public key - a process that proves the holder of my private key signed the message and that the message (and signature) have not been altered since I sent it. So I sign all my messages so you can verify that the message came from me and not some impostor. Because e-mail doesn't provide any native verification, there's really no way to tell if an e-mail from my address is really from me without digital signatures.
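The two operations described above, as an added example that is not part of the original post: signing hashes the message and uses the sender's private key, verification uses the sender's public key, while encryption uses the recipient's public key and only the recipient's private key can decrypt. The code uses Go's standard library RSA (PKCS#1 v1.5 signatures over a SHA-256 digest, OAEP for encryption); the key sizes, message text and the "impostor" key are constructed for the demonstration.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Sign hashes the message and signs the digest with the sender's private key.
// Only the holder of the private key can produce this value.
func Sign(priv *rsa.PrivateKey, msg []byte) ([]byte, error) {
	digest := sha256.Sum256(msg)
	return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
}

// Verify recomputes the digest and checks the signature with the sender's
// public key. Any change to the message or signature makes this return false.
func Verify(pub *rsa.PublicKey, msg, sig []byte) bool {
	digest := sha256.Sum256(msg)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) == nil
}

// Encrypt uses the recipient's public key, so anyone can produce ciphertext
// but only the recipient can read it (confidentiality, not authenticity).
func Encrypt(pub *rsa.PublicKey, msg []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, msg, nil)
}

// Decrypt needs the recipient's private key.
func Decrypt(priv *rsa.PrivateKey, ct []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ct, nil)
}

// Result collects the outcomes of the demonstration so they can be checked.
type Result struct {
	Authentic bool   // genuine message + genuine signature verifies
	Tampered  bool   // altered message with the original signature verifies
	Forged    bool   // impostor's signature verifies under the sender's key
	Decrypted string // what the recipient recovers from the ciphertext
}

// Demo walks through sign/verify and encrypt/decrypt with constructed keys.
func Demo() (Result, error) {
	var r Result
	sender, err := rsa.GenerateKey(rand.Reader, 2048) // constructed sender key
	if err != nil {
		return r, err
	}
	impostor, err := rsa.GenerateKey(rand.Reader, 2048) // constructed impostor key
	if err != nil {
		return r, err
	}
	recipient, err := rsa.GenerateKey(rand.Reader, 2048) // constructed recipient key
	if err != nil {
		return r, err
	}

	msg := []byte("meet at noon") // constructed sample message

	// Signing: proves origin and integrity, but the message itself stays readable.
	sig, err := Sign(sender, msg)
	if err != nil {
		return r, err
	}
	r.Authentic = Verify(&sender.PublicKey, msg, sig)
	r.Tampered = Verify(&sender.PublicKey, []byte("meet at nine"), sig)
	forgedSig, err := Sign(impostor, msg)
	if err != nil {
		return r, err
	}
	r.Forged = Verify(&sender.PublicKey, msg, forgedSig)

	// Encryption: hides the content from everyone but the recipient.
	ct, err := Encrypt(&recipient.PublicKey, msg)
	if err != nil {
		return r, err
	}
	pt, err := Decrypt(recipient, ct)
	if err != nil {
		return r, err
	}
	r.Decrypted = string(pt)
	return r, nil
}

func main() {
	r, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("authentic=%v tampered=%v forged=%v decrypted=%q\n",
		r.Authentic, r.Tampered, r.Forged, r.Decrypted)
}
```

Running it shows the genuine signature verifying while the tampered message and the impostor's signature both fail, and the ciphertext decrypting only with the recipient's private key. For an e-mail that should be both private and provably from you, you sign with your own private key and encrypt with the recipient's public key; neither operation substitutes for the other.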

Get with the New School

A recent post on the Tao Security Blog got me thinking about what I feel is probably the most important book on computer security on the market today. Whether overtly or by influence, this book is making waves in the computer security industry and hopefully changing things for the better. In the case of the Tao Security Blog it seems that Richard Bejtlich borrows directly from the book. In fact his entire post appears to be a synopsis of Chapter 3. Bejtlich swears he hasn't read the book - which for me is just further evidence of how accurately the book reflects emerging trends and new philosophies evolving in computer security.

MediaDefender DDOS of Revision3

There's a very interesting write up of the recent denial of service attack against Revision3 on the company's blog. For those who aren't aware, this high profile attack hit the news with ferocity when it was discovered that the company MediaDefender, which works to stop illegal file sharing and has done work for organizations like the RIAA, was the culprit in the attack. Revision3 was using BitTorrent for perfectly legitimate reasons and MediaDefender crippled Revision3's internet connection over the Memorial Day weekend.

Of course, a lot of questions arose immediately following the attack. People wondered if it was a mistake, or perhaps a misconfiguration. Denial of service attacks are illegal, and for one US company to carry one out against another is pretty serious business. It turns out that Revision3 has contacted the FBI, who are investigating.

Flash 0-day

Security Focus is reporting that a new, as yet unpatched, exploit targeting Adobe Flash is circulating. Apparently a Chinese malware package (the MPack exploit kit) now includes attacks against Flash. The troubling thing about the report is that there are few details, and no patch is yet available for the software in question (a so-called zero day, or 0day).

Let's Go Phishing

While reading the F-Secure blog today I came across an interesting service that I hadn't known about before. PhishTank (http://www.phishtank.com/) is a service that allows you to submit suspected phishing sites and tracks their status. With an open API, PhishTank even lets you write tools to query their data.

This is a really neat development. It's about time that phishing sites faced the same sort of scrutiny that e-mail has in the past with sites like Spamhaus (http://www.spamhaus.org/sbl/). Unfortunately that sort of scrutiny led spammers to utilize infected end users' systems rather than open e-mail relays or compromised servers. With botnets providing much of the SMTP service these days it isn't feasible any more to block specific sender IP addresses (with hundreds of thousands of bots, the herders just promote one after another to be an SMTP server until it's blocked, drawing on a nearly inexhaustible pool).
