It is a professional hazard in security to become stuck in a reactive stance, always running to put out the latest fire. Many security personnel find themselves in this mode and cannot seem to escape it. It is important, from time to time, and especially if it has never been done, to stop and take stock of an organization as a whole. No matter how pressing the issues of the moment seem, it is critical to examine your organization from the top down in order to develop, and maintain, an effective information security program. While this sort of planning can seem like a waste of time when very real threats are battering down the proverbial door of your defenses, a measured approach to your security response is essential to being effective, especially with limited resources. The first step toward this goal is to gather effective intelligence, specifically by having accurate monitoring systems and incident reports.
Recently I've spotted an increasingly tractable argument against pen testing emerging in the computer security industry. Articles such as Problems with Penetration Testing and Tenable Network Security’s CSO Marcus Ranum's talk in Risky Business #85 are widening the dialogue about the issue. Having just returned from InfoSec Institute's Ethical Hacking training I feel pretty close to the issue. Much of the InfoSec Institute training is designed to prepare people to enter the pen testing field and so I basically spent a week observing the industry from within.
I've just finished InfoSec Institute's Ethical Hacking class (http://www.infosecinstitute.com/courses/ethical_hacking_training.html). The last two days were so hectic that I didn't even get a chance to blog about them as I would have liked. Day four went from 8:30 until 6:30, after which we took the CPT (Certified Penetration Tester) exam, so we weren't done until about 8. The EC-Council Certified Ethical Hacker (CEH) exam was scheduled for day 5 at 10 AM, so we all left the class exhausted, but I went back to my room to study some more. The content of day four was intense, covering topics from web application attacks (SQL injection, cross-site scripting, etc.) to sniffers, deep target penetration, and wireless security.
Day three of ethical hacking didn't end until about 7 PM, and with the CPT exam scheduled for the end of day four I didn't get a chance to blog. Instead I went back to my room, studied for a bit, and fell asleep. The course is nothing if not exhausting. Day three was another whirlwind. We covered everything from buffer overflows to privilege escalation. The day's slides went from how to break into a server using tools like Metasploit or Canvas, to privilege escalation, to installing backdoors, trojans, and rootkits. The material was far-ranging and in-depth. The labs covered deploying a rootkit, using Metasploit, information leaking via SUID root bugs, and password cracking. While previous days had covered reconnaissance and information gathering, day three was definitely focused on active attack.
I've just finished the second day of InfoSec Institute's Ethical Hacking class (http://www.infosecinstitute.com/courses/ethical_hacking_training.html) and the breakneck pace has not let up. Day two went from 8:30 AM until well after 6 PM. The firehose of information did not slack one bit, covering new topics, labs, and exercises. While the pace is intense, the information is all good, and I barely noticed the time flying by.
I've just finished the first day of InfoSec Institute's Ethical Hacking class (http://www.infosecinstitute.com/courses/ethical_hacking_training.html). I'm going to try and write a blog entry each day to keep up with what is going on and provide an overview - if I'm able. This may turn out to be a Sisyphean task, however. Tomorrow is election day and I'm going to stay up and watch the results even if it kills me, because I think this election will be as much a defining moment as 9/11 was in my life - but I digress. I'm also challenged with taking CIT 591 at the University of Pennsylvania, which includes weekly assignments, from which I've been given no respite despite my training, so I'm literally doing all computers all the time. Added to which my carpal tunnel is acting up and, well, you get the idea.
TrueCrypt is a great encryption utility that is available for several operating systems and uses. TrueCrypt will let you create encrypted volumes, encrypted devices, or even do whole-disk encryption. I use TrueCrypt on Windows and Linux, and it's handy to be able to move encrypted volume files from one operating system to another and be able to mount them. Unfortunately, due to some disputes over licensing, Mandriva has re-branded TrueCrypt as RealCrypt and distributes it with Mandriva. I've had some problems getting the RealCrypt RPMs to work, and for this reason I decided to go ahead and install TrueCrypt 6.0 on my Mandriva 2008.1 system.
I recently had another occasion to make a full disclosure and was chided by some of my colleagues for doing so. Many thought I shouldn't make a vulnerability announcement to a public list. I assume they felt that working with the vendor to fix the issue was a more responsible course of action.
In this particular case the personal information of organizational members was being leaked through a conference registration application. While I understand the desire to work with vendors to fix problems before "responsible disclosure" I continue to disagree with the practice in most situations.