Written by Chris Gates
Wednesday, 09 April 2008
CrackMe 0x03 is ready for your reversing skills.
CrackMe 0x03 is located here
md5: 97fb2c7e859ebcedf2ac057d3da77f61 Crackme03.exe
sha1: 345e58a9a06016bf8d5387676757821650d755e0 Crackme03.exe
The questions:
For this crackme there are no specific questions to answer. All that is required is that you detail how you solved the challenge. Simple?
Any questions can be posted in the forums. No spoilers please.
Good luck,
Dean
Submissions need to be sent to chris //at// learnsecurityonline //dot// com by 31 April 2008.
The top submission will receive a security book of their choice from Amazon, up to $50.
Last Updated ( Wednesday, 09 April 2008 )
Written by j0e
Sunday, 06 April 2008
LSO April 08 Newsletter
Hey everybody - sorry it's been so long since we've put out a newsletter. A lot has gone on since we sent out the last one back in Dec 2007 (sorry - it's really been pretty hectic around here). We're interviewing Jeremiah Grossman in this month's newsletter so be sure to read on for that.
So let's bring you up to speed - I went to ShmooCon with Chris, Evil1, and my friends from IronGuard Security (sp00k, and l4w), was in the hospital for a little while, improved my wifi kung fu thanks to IronGuard Sec, picked up some pass the hash tricks from Chris, dug into SQL Injection several times in the forums over the past few months, and my love for hacking is only matched by my love for YouTube, so of course almost all of my forum postings have YouTube videos in them.
#########################
# Where has Chris Been? #
#########################
Chris must love doing that secret squirrel hacking stuff at his new job. It must be awesome because he can't even tell me about it. He's of a much higher moral character than I am so he can't hire someone like me - but I heard a rumor that his (let's call it "organization") is looking for people. So if you have a clearance and/or have mad hacking skills, live and/or wanna work in the DC/Metro area, and don't mind not being able to tell people what you do, send Chris an email letting him know you are interested.
Chris has a lot of irons in the fire right now with work and home life, but he does manage to update his blog fairly frequently so I think you should check it out at:
http://wwww.carnal0wnage.blogspot.com
Honestly - right now I can't be happier for Chris. He started 5 or 6 years ago as a RootWars.org member/student and now he is the big man on campus running some secret squirrel hacking squad. He's been a good friend for years and honestly the ONLY reason that LSO even exists. Chris has definitely "paid the cost to be da boss".
====================
[ Security Tool #1 ]
====================
Those of you that hang out in the forums know that I've really been tearing into some SQL Injection lately. I really wanted to put this stuff in this newsletter, but I keep having trouble with the formatting of the attacks, or something just cuts off the entire newsletter, so from now on just accept the fact that some of the security tool tips are going to be links to the LSO website so I can make sure that everything displays correctly without affecting the newsletter.
I call this one: "lil jon and sql injection....WUUUHAATTTT!!!!"
https://www.learnsecurityonline.com/index.php?option=com_mamboboard&Itemid=69&func=view&id=2795&catid=22
######################################
#  What's up with me in the hospital?  #
######################################
Yes, recently I was in the hospital for about a week with some intestinal issues. The medical staff there didn't let me eat or drink for nearly the entire week, so my IV bag machine was my closest friend for a while. The one benefit that I got out of it was I lost 10 pounds. So I'm finally out and back to work (keep your fingers crossed, and pray for me not to go back please).
=================================
Introductory Private Lesson Offer
=================================
Would you like to try a private lesson in the hacklab with me?
For just 35.00 I'll spend an hour with you in the lab working with you on the topic of your choice (Footprinting, Scanning, Enumeration, Exploitation, Post-Exploitation, Web Application Security, etc - it's completely up to you). I can evaluate your skill-set/security goals and give training recommendations as well. The lab includes Linux, Solaris, FreeBSD, and of course all modern versions of Windows (2000, XP, 2003) with MS SQL Server all running as target operating systems. We will schedule the training to meet your time constraints, meet online (instant messenger, IRC, phone, Skype, etc), and yes, I'll make sure we cover the stuff that you won't learn in the Hacking Exposed books. Click on the link below to purchase the training:
https://www.paypal.com/cgi-bin/webscr?cmd=_xclick&business=joe%40learnsecurityonline%2ecom&item_name=Introductory%20Private%20Lesson&item_number=IPL&amount=35%2e00&no_shipping=2&no_note=1&currency_code=USD&bn=PP%2dBuyNowBF&charset=UTF%2d8
-- End of link
###############################
# Stories from the field idea #
###############################
I was talking to Chris yesterday, and I had an idea for a "Stories From the Field" section of the website. Basically it would be a section of the website where security professionals can semi-formally talk about their day-to-day work. The gist of the idea is to get short articles, tips, tricks, stories [the good, the bad, the ugly] about things that people are seeing at work each day, what they are seeing more of, less of, what types of projects are a pain in their a**. The underlying goal of the section is to get people that do this for a job day in and day out to just talk about what's going on out there....hopefully it will be something that is helpful to newbies and other current working professionals.
I'm gonna try to post there at least once a month with something that I'm doing at work, and hopefully I can line up some other friends of mine to do the same. Let me know what you guys think of the idea, and if you'd like to contribute please email me and let me know.
====================
[ Security Tool #2 ]
====================
I don't know how I came across a 2007 Vanilla Ice concert on YouTube recently (yes, he looks WAY different these days). I wish I could tell you why I have such a sick and twisted sense of humor when I'm penetration testing. I've found that I like to do anything and everything that I possibly can to get a reverse command shell pushed back to me so I can work from my hotel room at night. I'm finding that during the day I'm constantly going to meetings, answering customer questions, or putting out fires, and it really cuts into my hacking... err...umm... penetration testing time. For some reason I find that I do so much better while I'm sitting on the bed in my hotel room watching the Lakers play or having YouTube going. I don't know - but it works for me.
Vanilla ICE and SQL Injection
https://www.learnsecurityonline.com/index.php?option=com_mamboboard&Itemid=69&func=view&id=2676&catid=22
########################
# April Course Special #
########################
Sorry guys - we aren't running any specials this month. Chris and I are really having a tough time keeping up with writing the new courses, and our jobs lately. So that's why the next subject is slave labor....
##################################################
# Slave Labor/Resume stuffer work/Apprenticeship #
##################################################
Once again we are going to go down this slave labor road. I really didn't like how it worked out the last time we tried it, but the simple truth is we need 3 or 4 more people to help out.
Basically here is how it is going to work. The candidates will go through distinct phases:
LSO Slave:
Sorry, you will get the grunt work that no one else feels like doing, which is usually things like putting stuff in html so it can be posted on the website, documenting how security tools work, and miscellaneous internet research (usually background information for courses).
Resume Stuffer:
Helping out with the lab networks, organizing vulnerability research, organizing regulatory compliance information, documenting penetration test procedures, testing security tools in our lab. This job will come after an undetermined amount of grunt work.
Apprenticeship:
This is essentially for people that are really willing to dedicate the time for at least a year or 2 to really learning this craft, and assist with the day-to-day operations of the LSO website. This is NOT something you can ask for - Chris and I will choose this person based on how much he/she contributes to the site during the first 2 phases. Honestly someone may not be chosen...and we are ok with that. It's taken a lot to put this site together, labs, courses, games, simulators, content, thousands of dollars blah blah blah blah - so this isn't something we take lightly.
###############
# Chicago Con #
###############
ChicagoCon 2008s: White Hats Come Together in Defense of the Digital Frontier
May 12 – 18, 2008
www.chicagocon.com
The Spring Edition of ChicagoCon features all new keynoters, additional security boot camps, exams on-site followed by a two-day ethical hacking conference. And without an exhibit hall full of sales pitches, you're free to learn from the pros, network with peers and advance your InfoSec career. Not just another boot camp or hacker con, ChicagoCon adds value to your training dollars with top instructors and well known certifications. 13 courses including CISSP, CEH, CHFI, Advanced Hacking, BackTrack to the Max (First Time EVER), Cisco, Microsoft, SANS, SOX, Security+ and more. The 2 days of “Con” Activities May 16 – 17 are only $100 (free for training students) and offer presentations, breakout sessions & hacking contests. From the novice, to the ultimate techie, to the CISO chair... everyone interested in a career in security will find something at ChicagoCon, your one-stop shop for security training and certification. Keynotes: Geahan (FBI), Echemendia (Hacking Instructor), McOmie (TruTV's Tiger Team), Murray (Neohapsis) & Carpenter (SANS, Intelguardians). Presented by www.ethicalhacker.net.
====================
[ Security Tool #3 ]
====================
Ok - I haven't officially made the switch to web app pentester, but for some reason I have fallen in love with SQL Injection. You can do so much, and there are so many little tricks. I really want to say thanks to all of the people that have been helping me get better, putting up with my questions. Thanks to evil1, Francious Larouche, Tyler Shields, Juan Carlos Calderon, Rafael Silva, and so many others. Next time I see you guys the drinks are on me my friends. You have no idea what kind of monster you guys have created, and if you think this is bad, wait until you see my XSS/XSRF Kung Fu.
Blood pumping sql injection
https://www.learnsecurityonline.com/index.php?option=com_mamboboard&Itemid=69&func=view&id=2946&catid=22
#######################
# Pentester Workshops #
#######################
Out of sheer frustration with security conferences and training - I've decided to start putting together a series of penetration tester's workshops. These workshops will be for penetration testers, and taught by penetration testers. Basically I'll host 1 or 2 of them per year and they will be 2 full days each. Group sizes of no more than 6 people, and I will host them here in Maryland at a local computer training center. I plan for them to run from Friday to Saturday - as most of us have jobs and have a tough time getting away for an entire week.
We will get penetration testers that are recognized for their skill in attacking specific vulnerability classes, and/or have developed tools for exploiting specific vulnerabilities.
Some subjects I'm thinking of bringing people in to cover are:
- Auditing WebServices
- Advanced XSS/XSRF
- SQL Injection
- Bypassing Captive Portals/Attacking WPA
- Software Exploitation
-=-=-=-=-Where-=-=-=-=-
My plan is to host the training at a local training center that I teach at here in Maryland. It's got 3 hotels across the street from it (Hilton, Marriott, and something similar - can't remember right now).
-=-=-=-=-TimeFrame-=-=-=-=-
Within the next 6 months I plan to host the first one. Like I said, I'd like to do it on a Friday so people can fly out Thursday evening, and then fly home either Saturday evening, or Sunday. I think this would be the easiest for people like myself that have a tough time getting away from work.
-=-=-=-=-Required Skill Level/Course Goals-=-=-=-=-
NONE of these will be beginner classes. Students will be expected to be penetration testers with an understanding of the subject being covered. The goal of this type of training is to give IT Auditors and security professionals two full days of access to a person that actively works with the subject being covered, and to provide security professionals attending the training with insights into the subject based on the instructor's professional experience, realistic labs that the student can replicate at home, and tips/tricks/resources that the instructor uses when dealing with the subject.
THIS IS NOT FOR BEGINNERS!!!!!!!!!
Contact me if you are interested in this.
##########
# DefCon #
##########
Def Con is on the horizon guys. I'm thinking that we'll do something again - maybe another LSO beer call. I'm not sure exactly what or where, but of course I want to hang out with my peoples ;P
================================
Interview with Jeremiah Grossman
================================
Everybody - this guy has some serious web app sec game. Jeremiah Grossman is one of the most notable web application security professionals in our field and I'm very happy that he agreed to this interview. I'm not going to waste any time - let's get right to it.
# LSO # How about some background about yourself, who you are? What you do? Who you work for? Location?
# JG # I started out as a graphic designer; turned to a Web developer then UNIX admin, then Web security guy. Today, I’m founder and CTO of WhiteHat Security, a leading provider of website vulnerability management services headquartered in Santa Clara, Ca.
I was raised in Maui, Hawaii and grew up in Silicon Valley. I’ve been commonly referred to as one of the top Web security experts, recognized as one of InfoWorld 2007 Top 25 CTOs, and all that sort of fluffy stuff. Personally, I prefer engineer and entrepreneur. My daily job consists of delivering presentations, R&D for future products and services, speaking with a lot of companies and learning about their Web security challenges, and helping out with the Web Application Security Consortium (WASC). I write a lot too. Blog, books, articles, interviews. :-)
# LSO # How did you get into the security business (your specific field)?
# JG # While working at Yahoo pen-testing websites, I found I had far too much work and not enough time to do it. If every one of the 600 websites took 40 hours to assess for vulnerabilities, it would take me roughly 11.5 years to finish. Unless we hired a team of 10, no solution available was going to meet our needs. This was not a problem unique to Yahoo: Many companies across the industry were experiencing the same dilemma. They know they have vulnerabilities needing to be fixed and no idea where they’re located. I saw a market opportunity, set out to build a better solution, and jumped in with both feet. WhiteHat’s executive staff envisioned a highly scalable vulnerability assessment Software-as-a-Service solution incorporating proprietary, automated scanning with expert analysis. Six years later here we are.
Now, how I got my job at Yahoo is a whole other story. ;)
http://jeremiahgrossman.blogspot.com/2007/04/how-i-got-my-start.html
# LSO # You are considered to be one of the forerunners of Web Security. I remember seeing your talks at Blackhat in 2002 when you released the WhiteHat Arsenal and being totally blown away at what you could do with a web browser, and the browser has only become more and more powerful over the years. In your opinion, are we past the worst of web vulnerabilities, there now, or is the worst yet to come?
# JG # Wow, has it been that long? On the positive side, unless someone finds a truly new attack technique, the number of vulnerabilities in the average website will likely slowly decline in the years to come. The downside is the attackers will have a lot of green field to exploit and they haven’t even really begun to hack. Unfortunately the worst is yet to come and we’ve already seen some fairly bad stuff happen to date.
# LSO # Web 2.0 and Ajax. Is it the end of the world as we know it? Or just another technology in the mix?
# JG # Y2K didn’t end the world, so why should Web 2.0 and Ajax? Web 2.0 is the way we’re using the Web, and Ajax is a set of technologies developers used to build it. Others don’t share my view, but I don’t think either Web 2.0 or Ajax makes a website more susceptible to attack. They all have the same problems in the same ways, just a lot faster and easier to make mistakes. What has changed though is our capacity to find vulnerabilities in Ajax-laced websites. You see, the bad guys really don’t need or use scanners to hack websites because they only need to find one issue; and, it’s faster to do it by hand. The good guys on the other hand have to find all issues and protect against them all - all the time. That means the good guys need scanners to keep up. The problem with scanners though is they’ve shown to be severely lacking in Ajax support despite the marketing claims. Not to mention the volume of false positives they generate.
# LSO # How do you think technical aspects of web hacking have changed over time and how does one keep up with the current advances?
# JG # The basics have been the same for quite a while, but the advanced stuff is getting fairly large, sophisticated, and constantly evolving. The nuances of Web security take a while to learn if you start from zero. The only way I’m personally able to keep up is by reading a tremendous amount and communicating as often as I can with others. So, I read white papers, mailing lists, blogs, news stories, etc. I also attend conferences, contribute to community projects, and utilize email quite heavily.
# LSO # Say I want to get into web security, it's HUGE, where do I start?
# JG # At the beginning! No seriously. If I had to start again, the first thing I’d do is pick up a programming language like Java or C# and develop my own super simple Web applications to get the basic concepts. Then, I’d seek to understand how the Web is architecturally put together from the ground up. That means learning everything I could about TCP/IP, HTTP, DNS, SSL, and general encryption. I’d make my own Web servers and Web browsers, create little tools to create packets in the various protocol layers, and basically play around with all the technology till I felt really comfortable. Then, I’d work my way back up the stack learning HTML, JavaScript, and the DOM, all the while making little applications to keep my interest. But, what you’re probably asking at this point is “where is the security,” right?
From my point of view, security is a state of mind more than anything else. I’ve always felt that if I understood all aspects of the technology to an intimate degree, then the “security” portions became super easy. If I knew how everything worked, was meant to work, then I could proceed to test if I could make it work in ways other than intended.
Some early books on my bookshelf:
The Protocols (TCP/IP Illustrated, Volume 1) http://www.amazon.com/Protocols-TCP-IP-Illustrated/dp/0201633469/ref=pd_bbs_sr_1/104-1693213-7738351?ie=UTF8&s=books&qid=1193682211&sr=8-1
TCP/IP Network Administration (3rd Edition; O'Reilly Networking) http://www.amazon.com/TCP-Network-Administration-OReilly-Networking/dp/0596002971/ref=pd_bbs_sr_1/104-1693213-7738351?ie=UTF8&s=books&qid=1193682225&sr=8-1
UNIX System Administration Handbook (3rd Edition) http://www.amazon.com/UNIX-System-Administration-Handbook-3rd/dp/0130206016/ref=pd_bbs_sr_1/104-1693213-7738351?ie=UTF8&s=books&qid=1193682255&sr=8-1
Applied Cryptography: Protocols, Algorithms, and Source Code in C, Second Edition http://www.amazon.com/Applied-Cryptography-Protocols-Algorithms-Source/dp/0471117099/ref=pd_bbs_sr_1/104-1693213-7738351?ie=UTF8&s=books&qid=1193682281&sr=8-1
DNS and BIND http://www.amazon.com/DNS-BIND-5th-Cricket-Liu/dp/0596100574/ref=pd_bbs_2/104-1693213-7738351?ie=UTF8&s=books&qid=1193682300&sr=8-2
Mastering Regular Expressions http://www.amazon.com/Mastering-Regular-Expressions-Jeffrey-Friedl/dp/0596528124/ref=pd_bbs_sr_1/104-1693213-7738351?ie=UTF8&s=books&qid=1193682314&sr=8-1
JavaScript: The Definitive Guide http://www.amazon.com/JavaScript-Definitive-Guide-David-Flanagan/dp/0596101996/ref=pd_bbs_sr_1/104-1693213-7738351?ie=UTF8&s=books&qid=1193682325&sr=8-1
# LSO # You mention in your interview with Colleen Frye the disclosure dilemma. What are your thoughts on disclosure? I think it's a double edged sword because, let's face it, 0-days and worms keep system admins, network managers, pen-testers, and consultants in business, but it seems a lot of vendors are pushing the no-disclosure (or only to us) route.
# JG # For the most part, I’m in the non-disclosure camp. Meaning: I only privately disclose vulnerabilities when I have a good working relationship with the other party. And, if I release something publicly, it’s only because I feel the attack technique is new and has further implications that would benefit by public research. Be mindful though that I would not recommend people blindly follow my philosophy. Instead, they should find a system that works within their personal code of ethics, morals, professionalism, and level of risk acceptance. Because let’s face it, the industry is not what it used to be 10 to 15 years ago and already has pushed much of the research underground.
# LSO # Do you think that's good for the industry? Is it good to push all that research underground?
# JG # I take a pragmatic approach to security and I feel that business owners and software vendors have a responsibility for the data they protect and the products they sell. We all must take into consideration the environment around us, and understand that it’s hostile. We should have no expectation that anyone is going to share any vulnerability information ahead of time. We can hope they will before going public. But, do not depend on it and frankly it’s hopeless to demand it.
# LSO # On a similar note, what are your thoughts on the German anti-hacking laws and what do you think would happen to the security industry if the US went that route?
# JG # I don’t think we have to wait for that to happen; it’s probably already here and we just haven’t realized. When considering our current political climate and recent legal changes in the U.S., it seems to me that any one of us could easily be accused of committing an illegal act and be held to account. All that really has to happen is for a few more high profile prosecutions to impact security researchers to have a nasty and lasting side effect. What I do think is coming is export controls placed on vulnerability information (0-days), just like they do on encryption - because of their potential impact on national security. It’s a brave new world.
# LSO # Do you think JavaScript is the new shellcode? If so why?
# JG # Yes, definitely, because Cross-Site Scripting is the new buffer overflow. ;)
# LSO # Tell us what you think of the future of network enumeration via JavaScript. What are the attacks that we should look for in the coming years from JavaScript?
# JG # It’s difficult predicting the future in security, but if I had to guess, I could see phishers using XSS a lot more. The malware guys will continue defacing highly trafficked and trusted websites to exploit their visitors’ Web browsers. And the high-end espionage attack types will go for the Intranet hacking stuff using JavaScript malware. It’s the latter that’ll be hard to track, measure, and defend.
# LSO # Can you compare/rate the criticality of XSS, XSRF, SQLI?
# JG # Unfortunately no. It’s hard to generalize their severity, criticality, threat, etc. For the most part, website vulnerabilities have to be rated individually, while taking into consideration the value of the website, the data it contains, and the sophistication of the attack required.
# LSO # Have you or anyone you are aware of made any progress on your non-JavaScript port scanning idea that you posted here: http://jeremiahgrossman.blogspot.com/2006/11/browser-port-scanning-without.html
# JG # Ilia Alshanetsky certainly took the next step by improving the speed of my original designs, but I think I’ve personally taken that concept about as far as I need to. The Intranet zone has been breached and the rest just seems to be adding insult to injury. No need to make exploitation easy for the bad guys. It’s the browser vendors’ turn to remediate the problem architecturally.
# LSO # How real of an attack vector is DNS-Rebinding? How prevalent do you think it is in the wild?
# JG # DNS-Rebinding (Anti-DNS Pinning) spent several years in the realm of theoretical obscurity, but that changed recently when more researchers demonstrated creative Proof of Concepts. It’s a very powerful attack vector with a lot of potential damage. Worse still is that I think the browser vendors are at a loss for how to deal with the problem. It’s also difficult to tell if the bad guys are using this in the wild maliciously. Unfortunately, we’ll know when the side effects get really bad and we’ll find the attack being used in a piece of malware.
# LSO # Are people really vulnerability scanning internal networks with Nessus/Metasploit through a socks proxy?
# JG # Not that I’m aware of.
# LSO # Can you tell us a little bit about WhiteHat Sentinel? Have appliances taken the human out of the network security and web security loop (minus the people writing the checks for the appliances)?
# JG # Nah, human expertise will be a vital part of any comprehensive Web application vulnerability assessment process, forever. Unless of course someone solves the halting problem or websites magically become “secure enough”, but I doubt it.
WhiteHat Sentinel is a website vulnerability assessment and management service that is customer controlled and expert managed. Without the marketing-fu, that means our customers’ websites receive a complete vulnerability assessment whenever they’d like or as often as their website changes, with the security of knowing they have the expertise of WhiteHat engineers as support. Presently, we’re performing hundreds of vulnerability assessments each week, many orders of magnitude above anyone else, with the significant added benefit of the false positives weeded out. To deliver this type of service is no small task and it’s really our SaaS technology that enables WhiteHat to have this incredibly efficient process. Our remotely hosted vulnerability scanning infrastructure does all the heavy lifting and also allows us to configure custom tests for each website to identify those pesky business logic flaws.
# LSO # What can I do to keep mom and dad safe on the net? Or anyone who gives you the "huh" when you go into phishing, hacking, XSS, CSRF, malware, etc?
# JG # The most effective way to keep them safe is to switch them to a Mac. Sorry Windows people, but your operating system is target #1. And, for the same reason swap out Internet Explorer for Firefox, Mozilla, or Opera. These two acts alone will significantly reduce the likelihood of their machine getting hacked. Then, disable ActiveX, Java, and unless they really complain about it, Flash too. And, for good measure, install SafeHistory and Adblock Plus. To keep them from getting phished, teach them to be skeptical of any email from someone they don’t know, especially the ones with links and/or attachments. Instead of clicking on links in their email, set up a list of bookmarks to select for their bank and other important business oriented websites.
# LSO # How important do you feel that programming is for this field, specifically how do you feel about Web Language programming? If yes, what language(s) do people need to know well?
# JG # The best Web security experts in my experience have a Web development background. Most any Web language works just fine, since we’re all niche practitioners anyway. HTML/JavaScript are a must no matter what. But if you had to start now, .Net and Java and their development frameworks are what you need to know to an intimate degree.
# LSO # What tools need to be in every web application pen-tester's toolkit?
# JG # Three different Web browsers (at least), a proxy or two, and some text encoders and decoders.
# LSO # What are the basics that you think every security person should know?
# JG # For me, the key things that I’ve come to appreciate are that technology skills can be learned over time, but for many it’s difficult to grasp certain fundamental information security concepts. That security is a state of mind, that it is a process and not a product, and that it is our responsibility to mitigate risk. Anyone can spend a bit of time to learn how to properly configure a firewall, but do they know why they are doing it? What are the attacks they hope to thwart or don’t address? What business challenges crop up as a result of firewall implementation?
The point is we have to question our assumptions, our conventional wisdom, and constantly check to ensure they still hold true. Often they do not.
# LSO # Any suggestions on breaking into the security field? Or for someone considering security for a career?
# JG # Get involved in any way and at any level you can. This could be an entry-level job, contributing to a community effort, or participating in a mailing list discussion. Read everything (white papers, articles, blogs, etc). Email the authors and ask tough questions. Attend conferences and local chapter meetings.
The whole idea is to meet people, build relationships, and learn everything you can by helping out. This also demonstrates your passion and value to those you interact with. Nothing says more to an employer (or a recruiter) than personal initiative and self-motivation.
# LSO # Jeremiah, thanks tons for all your work in the industry and for agreeing to the interview.
Jeremiah Grossman
Blog: http://jeremiahgrossman.blogspot.com/
Book: XSS Attacks: Cross Site Scripting Attacks and Defense
===
EOF
===
I really want to give a shout out to some good friends. Thanks for all of the support and well wishes when I was in the hospital.
Chris (my brotha from another mutha), Sp00k, l4w, MC, Donald Donzal (ethicalhacker.net), Zero Chaos, grimmlin, lepht, phn1x, and everybody else. I really appreciate it pplz.
Well guys, let's put this newsletter to bed. As always I never feel like I tell all of you just how much I appreciate your membership.
I really do feel like LSO members are truly my family. Some of you have been with us for a few years now. The website is changing because Chris and I are changing, but the sense of family stays the same.
--
Joe McCray
Learn Security Online, Inc.
* Security Games * Simulators * Challenge Servers * Courses * Hacking Competitions * Hacklab Access
"The only thing worse than training good employees and losing them is NOT training your employees and keeping them."
- Zig Ziglar
Last Updated ( Sunday, 06 April 2008 )
Written by Chris Gates
Sunday, 02 March 2008
LSO - Jeremiah Grossman Interview
# LSO # How about some background about yourself: who you are, what you do, who you work for, location?
# JG # I started out as a graphic designer, turned to a Web developer, then UNIX admin, then Web security guy. Today, I’m founder and CTO of WhiteHat Security, a leading provider of website vulnerability management services headquartered in Santa Clara, CA.
I was raised in Maui, Hawaii and grew up in Silicon Valley. I’ve been commonly referred
to as one of the top Web security experts, recognized as one of
InfoWorld 2007 Top 25 CTOs, and all that sort of fluffy stuff.
Personally, I prefer engineer and entrepreneur. My daily job consists
of delivering presentations, R&D for future products and
services,
speaking with a lot of companies and learning about their Web security
challenges, and helping out with the Web Application Security
Consortium (WASC). I write a lot too. Blog, books, articles,
interviews. :-)
# LSO # How did you get into the security business (your specific field)?
# JG # While working at Yahoo pen-testing websites, I found I had far too much work
and not enough time to do it. If every one of the 600 websites took 40
hours to assess for vulnerabilities, it would take me roughly 11.5
years to finish. Unless we hired a team of 10, no solution available
was going to meet our needs. This was not a problem unique to Yahoo:
Many companies across the industry were experiencing the same dilemma.
They know they have vulnerabilities needing to be fixed and have no idea
where they’re located. I saw a market opportunity, set out to build a
better solution, and jumped in with both feet. WhiteHat’s executive
staff envisioned a highly scalable vulnerability assessment
Software-as-a-Service solution incorporating proprietary, automated
scanning with expert analysis. Six years later here we are.
Now, how I got my job at Yahoo is a whole other story. ;)
http://jeremiahgrossman.blogspot.com/2007/04/how-i-got-my-start.html
# LSO # You are considered to be one of the forerunners of Web security. I remember seeing your talks at Black Hat in 2002 when you released the WhiteHat Arsenal and being totally blown away at what you could do with a web browser, and the browser has only become more and more powerful over the years. In your opinion, are we past the worst of web vulnerabilities, there now, or is the worst yet to come?
# JG # Wow, has it been that long? On the positive side, unless someone finds a truly
new attack technique, the number of vulnerabilities in the average
website will likely slowly decline in the years to come. The downside
is the attackers will have a lot of green field to exploit and they
haven’t even really begun to hack. Unfortunately the worst is yet to
come and we’ve already seen some fairly bad stuff happen to date.
# LSO # Web 2.0 and Ajax. Is it the end of the world as we know it? Or just another technology in the mix?
# JG # Y2K didn’t end the world, so why should Web 2.0 and Ajax? Web 2.0 is the
way we’re using the Web, and Ajax is a set of technologies developers
used to build it. Others don’t share my view, but I don’t think either
Web 2.0 or Ajax makes a website more susceptible to attack. They all
have the same problems in the same ways, just a lot faster and easier
to make mistakes. What has changed though is our capacity to find
vulnerabilities in Ajax-laced websites. You see, the bad guys really
don’t need or use scanners to hack websites because they only need to
find one issue; and, it’s faster to do it by hand. The good guys on the
other hand have to find all issues and protect against them all - all
the time. That means the good guys need scanners to keep up. The
problem with scanners though is they’ve shown to be severely lacking in
Ajax support despite the marketing claims. Not to mention the
volume of false positives they generate.
# LSO # How do you think technical aspects of web hacking have changed over time and how does one keep up with the current advances?
# JG # The basics have been the same for quite a while, but the advanced stuff is getting fairly large, sophisticated, and constantly evolving. The nuances of Web security take a while to learn if you start from zero.
The only way I’m personally able to keep up is by reading a tremendous
amount and communicating as often as I can with others. So, I read
white papers, mailing lists, blogs, news stories, etc. I also attend
conferences, contribute to community projects, and utilize email quite
heavily.
# LSO # Say I want to get into web security. It's HUGE, where do I start?
# JG # At the beginning! No seriously. If I had to start again, the first thing
I’d do is pick up a programming language like Java or C# and develop my
own super simple Web applications to get the basic concepts. Then, I’d
seek to understand how the Web is architecturally put together from the
ground up. That means learning everything I could about TCP/IP, HTTP,
DNS, SSL, and general encryption. I’d make my own Web servers and Web
browsers, create little tools to create packets in the various protocol
layers, and basically play around with all the technology till I felt
really comfortable. Then, I’d work my way back up the stack learning
HTML, JavaScript, and the DOM, all the while making little applications
to keep my interest. But, what you’re probably asking at this point is
“where is the security,” right?
From my point of view, security is a state of mind more than anything else. I’ve always felt that if I understood all aspects of the technology to an intimate degree, then the “security” portions became super easy. If I knew how everything worked, and was meant to work, then I could proceed to test if I could make it work in ways other than intended.
Some early books on my bookshelf:
* The Protocols (TCP/IP Illustrated, Volume 1) http://www.amazon.com/Protocols-TCP-IP-Illustrated/dp/0201633469/ref=pd_bbs_sr_1/104-1693213-7738351?ie=UTF8&s=books&qid=1193682211&sr=8-1
* TCP/IP Network Administration (3rd Edition; O'Reilly Networking) http://www.amazon.com/TCP-Network-Administration-OReilly-Networking/dp/0596002971/ref=pd_bbs_sr_1/104-1693213-7738351?ie=UTF8&s=books&qid=1193682225&sr=8-1
* UNIX System Administration Handbook (3rd Edition) http://www.amazon.com/UNIX-System-Administration-Handbook-3rd/dp/0130206016/ref=pd_bbs_sr_1/104-1693213-7738351?ie=UTF8&s=books&qid=1193682255&sr=8-1
* Applied Cryptography: Protocols, Algorithms, and Source Code in C, Second Edition http://www.amazon.com/Applied-Cryptography-Protocols-Algorithms-Source/dp/0471117099/ref=pd_bbs_sr_1/104-1693213-7738351?ie=UTF8&s=books&qid=1193682281&sr=8-1
* DNS and BIND http://www.amazon.com/DNS-BIND-5th-Cricket-Liu/dp/0596100574/ref=pd_bbs_2/104-1693213-7738351?ie=UTF8&s=books&qid=1193682300&sr=8-2
* Mastering Regular Expressions http://www.amazon.com/Mastering-Regular-Expressions-Jeffrey-Friedl/dp/0596528124/ref=pd_bbs_sr_1/104-1693213-7738351?ie=UTF8&s=books&qid=1193682314&sr=8-1
* JavaScript: The Definitive Guide http://www.amazon.com/JavaScript-Definitive-Guide-David-Flanagan/dp/0596101996/ref=pd_bbs_sr_1/104-1693213-7738351?ie=UTF8&s=books&qid=1193682325&sr=8-1
# LSO # You mention in your interview with Colleen Frye the disclosure dilemma. What are your thoughts on disclosure? I think it's a double-edged sword because, let's face it, 0-days and worms keep system admins, network managers, pen-testers, and consultants in business, but it seems a lot of vendors are pushing the no-disclosure (or only to us) route.
# JG # For the most part, I’m in the non-disclosure camp. Meaning: I only privately disclose
vulnerabilities when I have a good working relationship with the other
party. And, if I release something publicly, it’s only because I feel
the attack technique is new and has further implications that would
benefit by public research. Be mindful though that I would not
recommend people blindly follow my philosophy. Instead, they should
find a system that works within their personal code of ethics, morals,
professionalism, and level of risk acceptance. Because let’s face it,
the industry is not what it used to be 10 to 15 years ago and already
has pushed much of the research underground.
# LSO # Do you think that's good for the industry? Is it good to push all that research underground?
# JG # I take a pragmatic approach to security and I feel that business owners
and software vendors have a responsibility for the data they protect
and the products they sell. We all must take into consideration the
environment around us, and understand that it’s hostile. We should have
no expectation that anyone is going to share any vulnerability
information ahead of time. We can hope they will before going
public. But, do not depend on it and frankly it’s hopeless to demand
it.
# LSO # On a similar note, what are your thoughts on the German anti-hacking laws and what do you think would happen to the security industry if the US went that route?
# JG # I don’t think we have to wait for that to happen; it’s probably already here and we just haven’t realized it. When considering our current political
climate and recent legal changes in the U.S., it seems to me that any
one of us could easily be accused of committing an illegal act and be
held to account. All that really has to happen is for a few more high
profile prosecutions to impact security researchers to have a nasty and
lasting side effect. What I do think is coming is export controls
placed on vulnerability information (0-days), just like they do on
encryption - because of their potential impact on national security.
It’s a brave new world.
# LSO # Do you think JavaScript is the new shellcode? If so, why?
# JG # Yes, definitely, because Cross-Site Scripting is the new buffer overflow. ;)
# LSO # Tell us what you think of the future of network enumeration via JavaScript. What are the attacks that we should look for in the coming years from JavaScript?
# JG # It’s difficult predicting the future in security, but if I had to guess, I could see phishers using XSS a
lot more. The malware guys will continue defacing highly trafficked and
trusted websites to exploit their visitors’ Web browsers. And the
high-end espionage attack types will go for the Intranet hacking stuff
using JavaScript malware. It’s the latter that’ll be hard to track,
measure, and defend.
# LSO # Can you compare/rate the criticality of XSS, XSRF, SQLI?
# JG # Unfortunately no. It’s hard to generalize their severity, criticality, threat, etc.
For the most part, website vulnerabilities have to be rated
individually, while taking into consideration the value of the website,
the data it contains, and the sophistication of the attack required.
# LSO # Have you or anyone you are aware of made any progress on your non-JavaScript port scanning idea that you posted here: http://jeremiahgrossman.blogspot.com/2006/11/browser-port-scanning-without.html
# JG # Ilia Alshanetsky certainly took the next step by improving the speed of my
original designs, but I think I’ve personally taken that concept about
as far as I need to. The Intranet zone has been breached and the rest
just seems to be adding insult to injury. No need to make exploitation
easy for the bad guys. It’s the browser vendors turn to remediate the
problem architecturally.
# LSO # How real of an attack vector is DNS rebinding? How prevalent do you think it is in the wild?
# JG # DNS rebinding (anti-DNS pinning) spent several years in the realm of theoretical obscurity, but that changed recently when more researchers demonstrated
creative Proof of Concepts. It’s a very powerful attack vector with a
lot of potential damage. Worse still is that I think the browser
vendors are at a loss for how to deal with the problem. It’s also
difficult to tell if the bad guys are using this in the wild
maliciously. Unfortunately, we’ll know when the side effects get really
bad and we’ll find the attack being used in a piece of malware.
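The standard server-side defence against the DNS rebinding attack discussed in the answer above is for every internal service to check the Host header and refuse requests for names it does not serve: the browser has been tricked into connecting to an internal address, but the Host header it sends still carries the attacker's hostname. The following Node.js handler is an added example written for this page, not code from the interview or from WhiteHat; the hostnames in ALLOWED_HOSTS and the request values it is tested against are assumptions.

```javascript
// Added example (not from the interview): a Host header allow-list check,
// the usual server-side defence against DNS rebinding. After a rebinding
// attack the victim's browser sends its request to the internal service,
// but the Host header still names the attacker's domain (e.g. evil.example),
// so a service that only answers for the names it was configured with
// ignores the rebound request. Hostnames below are assumptions.

const ALLOWED_HOSTS = new Set(['intranet.corp.example', 'localhost', '127.0.0.1']);

// Parse a Host header value into { host, port }. Returns null for anything
// malformed, which the caller treats as "not allowed". Handles bracketed
// IPv6 literals and an optional port; host is lower-cased for comparison.
function parseHostHeader(value) {
  if (typeof value !== 'string' || value.length === 0) return null;
  const v = value.trim().toLowerCase();
  let host;
  let port = null;
  const m6 = v.match(/^\[([0-9a-f:.]+)\](?::(\d{1,5}))?$/);
  if (m6) {
    host = m6[1];
    port = m6[2] ? Number(m6[2]) : null;
  } else {
    const m = v.match(/^([a-z0-9.-]+)(?::(\d{1,5}))?$/);
    if (!m) return null;
    host = m[1];
    port = m[2] ? Number(m[2]) : null;
  }
  if (port !== null && (port < 1 || port > 65535)) return null;
  return { host, port };
}

// True only when the Host header names one of the hosts this service serves.
function hostAllowed(value, allowed = ALLOWED_HOSTS) {
  const parsed = parseHostHeader(value);
  if (parsed === null) return false;
  // Accept the fully-qualified form with a single trailing dot ("localhost.").
  const host = parsed.host.endsWith('.') ? parsed.host.slice(0, -1) : parsed.host;
  return allowed.has(host);
}

// Request handler usable as http.createServer(handleRequest). A rebound
// request is answered with 400 before any application code runs.
function handleRequest(req, res) {
  if (!hostAllowed(req.headers.host)) {
    res.writeHead(400, { 'Content-Type': 'text/plain' });
    res.end('unexpected Host header\n');
    return;
  }
  res.writeHead(200, { 'Content-Type': 'text/plain' });
  res.end('hello from the intranet\n');
}

// To run it for real: require('http').createServer(handleRequest).listen(8080);
```

The check has to live on the internal service itself (or a reverse proxy in front of it), because the browser's same-origin policy is exactly what rebinding subverts; the answer above notes that browser vendors had no architectural fix at the time, and this is what remained in the server's hands.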
# LSO # Are people really vulnerability scanning internal networks with Nessus/Metasploit through a socks proxy?
# JG # Not that I’m aware of.
# LSO # Can you tell us a little bit about WhiteHat Sentinel? Have appliances taken the human out of the network security and web security loop (minus the people writing the checks for the appliances)?
# JG # Nah, human expertise will be a vital part of any comprehensive Web application vulnerability assessment process, forever. Unless of course someone solves the halting problem or websites magically become “secure enough”, but I doubt it.
WhiteHat Sentinel is a website vulnerability assessment and management service that is customer controlled and expert managed. Without the marketing-fu, that means our customers’ websites receive a complete vulnerability assessment whenever
they’d like or as often as their website changes, with the security of
knowing they have the expertise of WhiteHat engineers as support.
Presently, we’re performing hundreds of vulnerability assessments each
week, many orders of magnitude above anyone else, with the significant
added benefit of the false positives weeded out. To deliver this type
of service is no small task and it’s really our SaaS technology that
enables WhiteHat to have this incredibly efficient process. Our
remotely hosted vulnerability scanning infrastructure does all the
heavy lifting and also allows us to configure custom tests for each
website to identify those pesky business logic flaws.
# LSO # What can I do to keep mom and dad safe on the net? Or anyone who gives you the "huh" when you go into phishing, hacking, XSS, CSRF, malware, etc?
# JG # The most effective way to keep them safe is to switch them to a Mac. Sorry Windows people, but your operating
system is target #1. And, for the same reason swap out Internet
Explorer for Firefox, Mozilla, or Opera. These two acts alone will
significantly reduce the likelihood of their machine getting hacked.
Then, disable ActiveX, Java, and, unless they really complain about it, Flash too. And, for good measure, install SafeHistory and Adblock Plus.
To keep them from getting phished, teach them to be skeptical of any
email from someone they don’t know, especially the ones with links
and/or attachments. Instead of clicking on links in their email, set up
a list of bookmarks to select for their bank and other important
business oriented websites.
# LSO # How important do you feel that programming is for this field, specifically how do you feel about Web language programming? If yes, what language(s) do people need to know well?
# JG # The best Web security experts in my experience have a Web development background. Most any Web language works just fine, since we’re all niche practitioners anyway. HTML/JavaScript are a must no matter what. But if you had to start now, .NET and Java and their development frameworks are what you need to know to an intimate degree.
# LSO # What tools need to be in every web application pen-tester's toolkit?
# JG # Three different Web browsers (at least), a proxy or two, and some text encoders and decoders.
# LSO # What are the basics that you think every security person should know?
# JG # For me, the key things that I’ve come to appreciate are that technology
certain fundamental information security concepts. That security is a
state of mind, that it is a process and not a product, and that it is
our responsibility to mitigate risk. Anyone can spend a bit of time to
learn how to properly configure a firewall, but do they know why they
are doing it? What are the attacks they hope to thwart or don’t
address? What business challenges crop up as a result of firewall
implementation?
The point is we have to question our assumptions, our conventional wisdom, and constantly check to ensure they still hold true. Often they do not.
# LSO # Any suggestions on breaking into the security field? Or for someone considering security for a career?
# JG # Get involved in any way and at any level you can. This could be an
entry-level job, contributing to a community effort, or participating
in a mailing list discussion. Read everything (white papers, articles,
blogs, etc). Email the authors and ask tough questions. Attend
conferences and local chapter meetings.
The whole idea is to meet people, build relationships, and learn everything you can by
helping out. This also demonstrates your passion and value to those you
interact with. Nothing says more to an employer (or a recruiter) than
personal initiative and self-motivation.
# LSO # Jeremiah, thanks tons for all your work in the industry and for agreeing to the interview.
Jeremiah Grossman. Blog: http://jeremiahgrossman.blogspot.com/ Book: XSS Attacks: Cross Site Scripting Attacks and Defense
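The "text encoders and decoders" Jeremiah lists as toolkit essentials, and his remark that Cross-Site Scripting is the new buffer overflow, both come down to the same practical skill: knowing exactly how input is transformed between the wire and the place it is interpreted. The block below is an added example written for this page, not code from the interview or from WhiteHat Sentinel. It gives percent, HTML entity and Base64 encoders and decoders in Node.js, plus a routine that peels off layers of encoding until the string stops changing, which is what shows why a filter that looks only at the raw request misses a double-encoded payload. The payload string is constructed for the example.

```javascript
// Added example (not from the interview): the encoder/decoder part of a web
// application tester's toolkit as plain functions, with a "peel until stable"
// decoder to reproduce the double-encoding bypass. SAMPLE_PAYLOAD is a
// constructed test string.

const SAMPLE_PAYLOAD = '<script>alert("xss")</script>';

// Percent-encode every byte, including the ones encodeURIComponent leaves
// alone, so the result contains no literal '<', '"' or '/' for a filter to see.
function urlEncodeAll(s) {
  return Array.from(Buffer.from(s, 'utf8'),
    b => '%' + b.toString(16).toUpperCase().padStart(2, '0')).join('');
}

// Form-style decode: '+' becomes space, valid %XX runs are decoded, and
// malformed sequences are left as-is instead of throwing.
function urlDecode(s) {
  return s.replace(/\+/g, ' ').replace(/(%[0-9A-Fa-f]{2})+/g, m => {
    try { return decodeURIComponent(m); } catch (_) { return m; }
  });
}

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
function htmlEncode(s) {
  return s.replace(/[&<>"']/g, c => HTML_ESCAPES[c]);
}

// Decodes the common named entities plus decimal and hex numeric references;
// unknown names and out-of-range code points are left untouched.
const HTML_NAMED = { amp: '&', lt: '<', gt: '>', quot: '"', apos: "'" };
function htmlDecode(s) {
  return s.replace(/&(#x[0-9a-f]+|#\d+|[a-z]+);/gi, (m, body) => {
    const lower = body.toLowerCase();
    if (lower.startsWith('#')) {
      const cp = lower.startsWith('#x') ? parseInt(lower.slice(2), 16) : parseInt(lower.slice(1), 10);
      return (Number.isNaN(cp) || cp > 0x10ffff) ? m : String.fromCodePoint(cp);
    }
    return Object.prototype.hasOwnProperty.call(HTML_NAMED, lower) ? HTML_NAMED[lower] : m;
  });
}

function base64Encode(s) { return Buffer.from(s, 'utf8').toString('base64'); }
function base64Decode(s) { return Buffer.from(s, 'base64').toString('utf8'); }

// Peel off URL and HTML encoding until the string stops changing. Applications
// routinely decode more than once (web server, then framework, then template),
// so whatever is interpreted at the end may differ from what a filter on the
// raw request examined. Returns the stable value and how many rounds it took.
function decodeFully(s, maxRounds = 5) {
  let current = s;
  for (let i = 0; i < maxRounds; i++) {
    const next = htmlDecode(urlDecode(current));
    if (next === current) return { value: current, rounds: i };
    current = next;
  }
  return { value: current, rounds: maxRounds };
}

// A naive block-list filter of the kind that inspects only the raw request.
function naiveFilterBlocks(raw) {
  return /<script/i.test(raw);
}

// Demo: percent-encode the payload, then encode the '%' signs themselves.
// The raw filter sees nothing; two decoding rounds later it is the payload.
const DOUBLE_ENCODED = urlEncodeAll(SAMPLE_PAYLOAD).replace(/%/g, '%25');
console.log('raw filter blocks it:', naiveFilterBlocks(DOUBLE_ENCODED));        // false
console.log('after peeling:', JSON.stringify(decodeFully(DOUBLE_ENCODED)));    // payload, rounds: 2
```

When testing, run candidate input through decodeFully and compare it with what the application ultimately echoes back; a mismatch between the two tells you how many decoding stages sit between the filter and the sink, and which encoding each stage removes.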
Last Updated ( Monday, 03 March 2008 )