Some experimental notes

Learn more about security

2013-07-16T16:54:03Z

Do you want to know more?

Want to learn more about memory analysis?

Install Volatility or grab SIFT VM
Get memory image samples from:
- Volatility wiki: https://code.google.com/p/volatility/wiki/PublicMemoryImages
- HoneyNet: http://honeynet.org/challenges/2010_3_banking_troubles
- Book:
Practice, practice, practice
- Image your own hosts and analyze them
Write about what you find out!

Want to learn more about (web) application security?

Install proxy tools and browser plugins or get Samurai WTF
Get sample vulnerable web apps :
- Samurai includes WebGoat, Mutilidae, and others
- Google Gruyere: http://google-gruyere.appspot.com/
- BodgeIt Store : http://code.google.com/p/bodgeit/
- Book: The Tangled Web : http://lcamtuf.coredump.cx/tangled/
- Read, participate: OWASP: https://www.owasp.org/index.php/Main_Page
Practice, practice, practice
- Test your own apps in the lab
Write about what you find out!

What to learn more about host forensics?

Get SIFT and FTK Imager (etc)
Get sample images and challenges:
- HoneyNet Challenges: http://honeynet.org/challenges
- EH Net Challenges: https://www.ethicalhacker.net/category/features/skillz
- Advanced Digital Corpora: http://digitalcorpora.org/corpora/scenarios
- Book: File System Forensics Analysis: http://www.digital-evidence.org/
Practice, practice, practice
- Image your own hosts and analyze them
Write about what you find out!

Want to learn more about network monitoring, network forensics?

Get Security Onion and SIFT
Get some sample captures and logs:
- /opt/samples in SecurityOnion
- Wireshark's samples wiki :http://wiki.wireshark.org/SampleCaptures
- (Network) Forensics Contest . com : http://forensicscontest.com/
- Advanced: Johannes packet challenges: http://johannes.homepc.org/packet.txt
- Book: Practice of NSM and samples : http://nostarch.com/nsm
Practice, practice, practice
- Record, monitor, analyze your own networks
Write about what you find out!

Want to learn more about artifact analysis and reverse engineering malware?

Get REMnux and demos of IDA, Hopper. Download OllyDbg
Get some sample files:
- Contagio : http://contagiodump.blogspot.com/
- VirusShare : https://virusshare.com/
- your inbox
- Book: Practical Malware Analysis and exercises: http://practicalmalwareanalysis.com/
Practice, practice, practice
- Dissect and analyze the files around you
Write about what you find out!

^.*$

Compete in the DC3 Challenge! http://www.dc3.mil/challenge/

Comments appreciated. Live wiki doc is at http://f.adric.net/index.cgi/wiki?name=LearnMoreSecurity

comments

Static analysis:Sometime an icon is just an icon?

2013-04-30T14:53:46Z

I try to take advantage of the malware samples in my inbox every day to practice analysis and learn cool news tools. A previous post covers some of the basics.

This week I got an "eFAX" message with a zip file attachment that was quite suspicious so I dug right into it. It's defintiely a Win32 PE file (exe) inside the zip despite the Adobe-esque PDF icon it's using and although ClamAV didn't find anything VirusTotal confirms that most of the planet thinks it is bad news indeed. Here's the VT and Annubis reports for the binary.

From there I tried to apply some of the techniques I am reading about in Practical Malware Analysis¹ an awesome book that walks through the proceedures and tools needed to disect and analyze files. I'm just starting the book and have been reading about the Windows Portable executable format, so PE header analysis, I chose you!

( PE Header analysis, I chose you to battle the mysterious eFAX DIGIT 30! )

comments

Recent online discussions about security awareness training and education effectiveness

2013-03-20T14:33:36Z

Bruce Schneier's 19 March 2013 blog on DarkReading "On Security Awareness Training: The focus on training obscures the failures of security design" is making headlines with his bold assertion that "training users in security is generally a waste of time and that the money can be spent better elsewhere". The piece argues by examples from other fields of health and safety education that complex decision making can't be easily taught to a large population in an effective way and that if security awareness training as enacted in the past 20 years was effective we would see commensurate change in the behaviour of the population. Schneier’s standing as a cryptographer and esteemed author gives tremendous weight to this controversial argument.

Although Schneier's editorial is more persuasively written and less overtly provocative he is essentially arguing a similar point as Immunity's Dave Aitel did in his 18 July 2012 editorial on CISO Magazine "Why you shouldn't train employees for security awareness: Dave Aitel argues that money spent on awareness training is money wasted". Aitel’s recommendation is to eliminate awareness training and instead fund secure development and software testing to harden systems so that user behaviour isn’t so dangerous to the organization: “It's a much better corporate IT philosophy that employees should be able to click on any link, open any attachment, without risk of harming the organization”.

Aitel's piece provoked much discussion and many online rebuttals¹ and Schneier's post has already generated some well-reasoned responses. Benjamin Mauch commented to link to his spirited rebuttal "Security Awareness Education". He is quite passionate about security awareness and has given talks on security education including one recently at Derby Con. Mauch argues that the mechanisms of training in common use, such as computer based training and quizzes, perform poorly but that engagement and education of users to develop a User Defense "layer" is effective and vital to defense.

Mauch's colleague Dave Kennedy, Founder and Principal Security Consultant at TrustedSec, posted his own response to Schneier's post titled "The Debate on Security Education and Awareness". Kennedy outlines his concerns with the general ideas in Schneier's post and then examines a handful of the arguments quote by quote from the DarkReading post. He on expands a few of the metaphors (eg driver education) and shows how a broader interpretation of them supports a different view.

¹ Rebuttals to Aitel include:

http://www.infosecisland.com/blogview/21981-Throwing-the-Baby-Out-with-the-Bath-Water.html

http://www.iamit.org/blog/2012/07/security-awareness-and-security-context-aitel-and-krypt3ia-are-both-wrong/

http://www.infosecisland.com/blogview/21990-You-Shouldnt-Train-Employees-for-Security-Awareness-Rebuttal.html

comments

DC3 Forensics Challenge 2012: Well, that went quite a bit better than expected!

2012-12-07T00:56:01Z

This was us:

See all the results for the 2012 competition at http://www.dc3.mil/challenge/2012/stats/leaderboard.php

Registration for the 2013 challenge opens on the 17th, so get ready!

comments