It is a professional hazard in security to get stuck in a reactive stance, always running to put out the latest fire. Many security personnel find themselves in this mode and cannot seem to escape it. It is important from time to time, and especially if it has never happened, to stop and take stock of the organization as a whole. No matter how pressing the issues of the moment seem, it is critical to examine your organization from the top down in order to develop, and maintain, an effective information security program. While this sort of planning can seem like a waste of time when very real threats are battering down the proverbial door of your defenses, a measured approach is what makes a security response effective, especially with limited resources. The first step is to gather accurate intelligence about your own environment: reliable monitoring systems and complete incident reports tell you where the fires actually are, rather than where they appear to be.
Mozilla has released a security update for its popular Firefox web browser. Both the version 2 and version 3 branches are affected. Among the issues the update addresses are several that allow remote code execution, which is a particularly nasty class of vulnerability: if an exploit can be derived (and it most certainly can be now that the patch, and therefore the changed code, is public), a malicious website owner could embed code that compromises any machine visiting the site with an unpatched Firefox. Luckily, Firefox is pretty good about updating itself, so anyone connected to the internet and surfing the web should be prompted to install the update. To check for updates manually, in Firefox select Help -> Check for Updates. To check your Firefox 3 update policy, select Tools -> Options, click the 'Advanced' icon at the top, and then select the 'Update' tab.
Recently I've noticed an argument against pen testing gaining traction in the computer security industry. Articles such as Problems with Penetration Testing and Tenable Network Security's CSO Marcus Ranum's talk on Risky Business #85 are widening the dialogue on the issue. Having just returned from InfoSec Institute's Ethical Hacking training, I feel pretty close to the subject. Much of the InfoSec Institute training is designed to prepare people to enter the pen testing field, so I basically spent a week observing the industry from within.
I've just finished InfoSec Institute's Ethical Hacking class (http://www.infosecinstitute.com/courses/ethical_hacking_training.html). The last two days were so hectic that I didn't even get a chance to blog about them as I would have liked. Day four went from 8:30 until 6:30, after which we took the CPT (Certified Penetration Tester) exam, so we weren't done until about 8. The EC-Council Certified Ethical Hacker (CEH) exam was scheduled for day five at 10 AM, so we all left the class exhausted, but I went back to my room to study some more. The content of day four was intense, covering topics from web application attacks (SQL injection, cross-site scripting, etc.) to sniffers, deep target penetration, and wireless security.
Day three of ethical hacking didn't end until about 7 PM, and with the CPT exam scheduled for the end of day four I didn't get a chance to blog. Instead I went back to my room, studied for a bit, and fell asleep. The course is nothing if not exhausting. Day three was another whirlwind. We covered everything from buffer overflows to privilege escalation. The day's slides went from how to break into a server using tools like Metasploit or Canvas, to privilege escalation, to installing backdoors, trojans, and rootkits. The material was far-ranging and in-depth. The labs covered deploying a rootkit, using Metasploit, information leakage via SUID root bugs, and password cracking. While the previous days had covered reconnaissance and information gathering, day three was definitely focused on active attack.
I've never been prouder to be an American, with our new president, Barack Obama!!!
I'm so happy that 9/11 won't be the most historically significant day of my life, but that 11/04/08 will overshadow that horrible day, and will be the one I tell my children about.
I contributed to the Obama campaign through LGBT Philadelphia and saw Barack Obama speak in Philly; standing in a crowd of gay people cheering for the first African-American president made me prouder than ever to be an American. The healing sentiment that is spreading amongst my countrymen and women, feeling kindred spirit across all forms of diversity, truly inspires me, and has restored my confidence in American democracy.
P.S.: For all my friends - I'd like to point out that I called this one ;)
I've just finished the second day of InfoSec Institute's Ethical Hacking class (http://www.infosecinstitute.com/courses/ethical_hacking_training.html) and the breakneck pace has not let up. Day two went from 8:30 AM until well after 6 PM. The firehose of information did not slacken one bit, covering new topics, labs, and exercises. While the pace is intense, the information is all good, and I barely noticed the time flying by.
I've just finished the first day of InfoSec Institute's Ethical Hacking class (http://www.infosecinstitute.com/courses/ethical_hacking_training.html). I'm going to try to write a blog entry each day to keep up with what is going on and provide an overview, if I'm able. This may turn out to be a Sisyphean task, however. Tomorrow is election day and I'm going to stay up and watch the results even if it kills me, because I think this election will be as much a defining moment in my life as 9/11 was, but I digress. I'm also taking CIT 591 at the University of Pennsylvania, which has weekly assignments from which I've been given no respite despite my training, so I'm literally doing all computers all the time. Add to that my carpal tunnel acting up and, well, you get the idea.