security.crudtastic.com


Security Nerd Stuff

NEW: SANS Canberra 2009 – SEC504

Posted by: ash on Jul 2nd, 2009 | Filed under: Uncategorized

Well, it’s day 4 of SANS Canberra .. I’m doing SEC504 – Hacker Techniques, Exploits, and Incident Handling. All I can say is WOW!

John Strand (check out www.pauldotcom.com) is taking the class .. he’s an awesome guy with some great stories (and he’s pretty smart too)!

I must say that the course is making me look at a lot of things differently .. and I’m pretty sure (from what I’ve seen) that most corporate networks would be compromised in one way or another (even mine), in fact, I’d be surprised if my computers at home aren’t shady in one way or another!

Anyway .. enough rambling. Once I get back home after the course, I’ll do a write up on here. My one regret was missing the bootcamp tonight where they made a malicious USB stick with U3 that launched metasploit as soon as it was inserted.

ISACA CISA Exam tomorrow

Posted by: ash on Jun 12th, 2009 | Filed under: Exam, ISACA, Study Tips, security

So, tomorrow I will sit the ISACA CISA exam.

I’m feeling fairly well prepared .. I had a fair bit of time to study leading up to the exam. Here’s a few things I noted while getting ready for the exam.

1. Don’t bother with testkings or braindump or any of those sites. I spent a few hundred dollars on sims/practice exams .. all pretty well worthless in my eyes.
2. Only use the ISACA CISA review manual .. they’re the ones writing the questions from THEIR manual .. all the answers are in there
3. Make sure you actually have some working experience for this exam. Although your job may not cover all of the subject areas, you are likely to have touched on a few, and that makes life a lot easier
4. The exam was written with the company in mind. A lot of things boil back to “what’s best for the company”
5. Try and get along to some review courses before the exam date. This year there were none in my area .. but luckily SANS put on a free 3hr review session (it was good too)

So today has been a day of very light review, it was time to relax. What I don’t know now .. well .. I probably won’t remember anyway! I’ll have a nice dinner tonight, watch a bit of TV, and then head off to bed nice and early.

Hopefully in 6-8 weeks you’ll be seeing a post here saying that I’ve passed

Good luck to anyone else sitting their exam tomorrow

** UPDATE **

I just thought I’d add a little more information in here (just to keep in the back of your mind). The exam weightings .. you should have probably taken note of those before now (if you haven’t .. I’m sure you’ll be fine) are as follows

  • Ch1 – IS Audit Process – 10%
  • Ch2 – IT Governance – 15%
  • Ch3 – Systems and Inf Life Cycle Management – 16%
  • Ch4 – IT Service Delivery – 14%
  • Ch5 – Protection of Info Assets – 31%
  • Ch6 – BCP & DR – 14%

So, Chapter 5 is the big one – Protection of Information Assets. If you have a working technical knowledge, most of this stuff you will know. If you’re a financial auditor wanting to get your CISA, this could be a bit more of a challenge. The other dark horse here is Chapter 3, it’s a big section of the book that not a lot of places do (or at least do it well) .. keep that one in your mind

Now everyone relax, take some time out .. and make sure you’re ready for tomorrow. Make sure you know where you’re going and how to get there (don’t get caught in traffic – give yourselves plenty of time to travel). Have a nice breakfast, nothing too big that will put you to sleep, take a light jacket to keep yourself warm (in case the air con is a bit cold), take some water and some snacks (and not the annoying loud ones in wrappers – damn you guy from my CISM exam!!).

Windows Update service to all recent editions of Windows in February 2009, installs the Microsoft .NET Framework Assistant firefox extension without asking your permission!

Posted by: ash on May 30th, 2009 | Filed under: security, tutorial

I, like a lot of people out there, use Firefox to try and make my life easier by not using a browser that has always been fraught with danger. The newer versions of IE8 are a good step in the right direction .. but let’s face it, track records have proven it to be a poor choice.

Microsoft do try to keep all their software as safe and secure as possible, but unfortunately the Microsoft juggernaut is a massive target due to the amount of their software being used world-wide. Every now and then though, Microsoft take it upon themselves to do something that they think is in every user’s best interest without consulting them .. this post from annoyances.org is about such an event!

Please note: The following article has been copied straight from annoyances.org, full credit goes to them – always great work guys!

Remove the Microsoft .NET Framework Assistant (ClickOnce) Firefox Extension

Intended For
Windows 2000
Windows 7
Windows XP
Windows Vista

The Microsoft .NET Framework 3.5 Service Pack 1 update, pushed through the Windows Update service to all recent editions of Windows in February 2009, installs the Microsoft .NET Framework Assistant firefox extension without asking your permission.

This update adds to Firefox one of the most dangerous vulnerabilities present in all versions of Internet Explorer: the ability for websites to easily and quietly install software on your PC. Since this design flaw is one of the reasons you may’ve originally chosen to abandon IE in favor of a safer browser like Firefox, you may wish to remove this extension with all due haste.

Unfortunately, Microsoft in their infinite wisdom has taken steps to make the removal of this extension particularly difficult – open the Add-ons window in Firefox, and you’ll notice the Uninstall button next to their extension is grayed out! Their reasoning, according to Microsoft blogger Brad Abrams, is that the extension needed “support at the machine level in order to enable the feature for all users on the machine,” which, of course, is precisely the reason this add-on is bad news for all Firefox users.

Here’s the bafflingly-convoluted procedure required to remove this garbage from Firefox:

  1. Open Registry Editor (type regedit in the Start menu Search box in Vista/Windows 7, or in XP’s Run window).
  2. Expand the branches to the following key:
    • On 32-bit systems: HKEY_LOCAL_MACHINE \ SOFTWARE \ Mozilla \ Firefox \ Extensions
    • On x64 systems: HKEY_LOCAL_MACHINE \ SOFTWARE \ Wow6432Node \ Mozilla \ Firefox \ Extensions
  3. Delete the value named {20a82645-c095-46ed-80e3-08825760534b} from the right pane.
  4. Close the Registry Editor when you’re done.
  5. Open a new Firefox window, and in the address bar, type about:config and press Enter.
  6. Type microsoftdotnet in the Filter field to quickly find the general.useragent.extra.microsoftdotnet setting.
  7. Right-click general.useragent.extra.microsoftdotnet and select Reset.
  8. Restart Firefox.
  9. Open Windows Explorer, and navigate to %SYSTEMDRIVE%\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation.
  10. Delete the DotNetAssistantExtension folder entirely.
  11. Open the Add-ons window in Firefox to confirm that the Microsoft .NET Framework Assistant extension has been removed.

It will be a great day when PC users no longer have to waste this much time to protect themselves from those who write the software they use. (And if you’re thinking, “Why not just use a Mac,” may I remind you of the MobileMe junk recently installed on so many Windows machines without their owners’ permission!)


Written by: Annoyances.org
Last updated: Friday, February 27, 2009

So there you have it!! It would be prudent for all Windows users to remove this add-on (if you haven’t already done so)!!
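The removal steps above, collected into a PowerShell audit script as an added example (not part of the annoyances.org article or of this post). By default it only reports; run elevated with the hypothetical `-Remove` switch, with Firefox closed, to delete the registry value and folder. The Firefox profile location is an assumption, and PowerShell 3.0 or later is required.

```powershell
# Added example: audit (and optionally remove) the artefacts named in the steps above.
# -Remove is this script's own switch, not something from the article.
param([switch]$Remove)

$ExtId   = '{20a82645-c095-46ed-80e3-08825760534b}'
$RegKeys = @(
    'HKLM:\SOFTWARE\Mozilla\Firefox\Extensions',             # 32-bit systems
    'HKLM:\SOFTWARE\Wow6432Node\Mozilla\Firefox\Extensions'  # x64 systems
)
$Folder  = Join-Path $env:SystemDrive `
    'Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension'

$findings = @()

# Steps 2-3: the machine-wide registration that greys out the Uninstall button.
foreach ($key in $RegKeys) {
    if (-not (Test-Path -LiteralPath $key)) { continue }
    $props = Get-ItemProperty -LiteralPath $key
    if ($props -and $props.PSObject.Properties[$ExtId]) {
        $findings += "Registry value $ExtId under $key -> $($props.$ExtId)"
        if ($Remove) { Remove-ItemProperty -LiteralPath $key -Name $ExtId }
    }
}

# Steps 9-10: the extension files themselves.
if (Test-Path -LiteralPath $Folder) {
    $findings += "Extension folder present: $Folder"
    if ($Remove) { Remove-Item -LiteralPath $Folder -Recurse -Force }
}

# Steps 6-7: report only; reset the pref in about:config as described above.
# Assumption: profiles live in the default per-user location for the current user.
$prefsGlob = Join-Path $env:APPDATA 'Mozilla\Firefox\Profiles\*\prefs.js'
foreach ($file in Get-ChildItem -Path $prefsGlob -ErrorAction SilentlyContinue) {
    $hit = Select-String -LiteralPath $file.FullName -SimpleMatch `
        'general.useragent.extra.microsoftdotnet' -Quiet
    if ($hit) { $findings += "User-agent pref still set in $($file.FullName)" }
}

if ($findings.Count -gt 0) {
    $findings | ForEach-Object { Write-Output $_ }
} else {
    Write-Output 'No .NET Framework Assistant artefacts found.'
}
```

Running it again after a later Windows Update cycle shows whether the registration has been put back.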

SANS Sydney 2009

Posted by: ash on May 23rd, 2009 | Filed under: Courses, sans, security

SANS will be returning to Sydney from November 16th – 21st 2009. They will be running the following four tracks this year

  • SEC 401 SANS Security Essentials – Bootcamp Style (Mark Hofman)
  • SEC 501 Advanced Security Essentials – Enterprise Defender (Eric Cole, PhD)
  • SEC 542 Web App Penetration Testing and Ethical Hacking (Johannes Ullrich PhD)
  • SEC 560 Network Penetration Testing and Ethical Hacking (Stephen Sims)

The event will be held at Shangri-La Sydney (at the Rocks – very nice!), and promises to be another event that should not be missed!

More information can be found at http://www.sans.org/sydney09

I will post more info as it comes to hand

CISA Study notes .. Learn with me now!

Posted by: ash on Apr 30th, 2009 | Filed under: Exam, ISACA, Study Tips, sans, security

Hey security chums!!

The ISACA CISA certification exam is coming up (June 13th if memory serves me correctly). So for those of you who haven’t started studying yet, it’s time to get crackin!

I’m publishing some of my study notes as I go along through all my material .. this information is more so for myself to keep my brain bombarded with all this knowledge in preparation, but it could be of some use to someone (who knows). You can find it HERE. As usual I have used the trusty ZOHO.COM for this :D

If you’re registered for the CISA exam in Brisbane Australia, there is a review course about to start every Wednesday night that goes until the exam date. If you need any more details drop me a line or leave me a comment.

SANS CANBERRA 2009

Posted by: ash on Mar 31st, 2009 | Filed under: Courses, sans, security

NEWS JUST IN

SANS Canberra 2009 is coming up soon on 29 June – 4 July. The deadline
to receive a $350 tuition fee discount is 20 May 2009. So don’t delay
- to get the best savings, start making your training and travel plans
now! (http://www.sans.org/info/41308)

First things first – make your course selection from the following top
SANS courses:

– SEC401: SANS Security Essentials Bootcamp Style – Mark Hofman
– SEC504: Hacker Techniques, Exploits & Incident Handling – John Strand
– SEC560: Network Penetration Testing and Ethical Hacking – Bryce Galbraith
– SEC508: Systems Forensics, Investigation & Response – Rob Lee

Complete course descriptions can be found by clicking on the links at
http://www.sans.org/info/41313.

Classes will be held at the National Convention Centre. This
contemporary facility places you close to accommodations as well as
stylish restaurants, trendy cafes, boutique shopping, and entertainment.
See our Web site for links to assist in finding accommodations.
(http://www.sans.org/info/41318)

Don’t miss the following evening events, the additional content that
makes SANS such a great value for your security training:

– SANS Welcome – Mark Hofman
– GIAC Program Overview – John Strand
– Incorporating Advanced MitM Attacks in Your Penetration Testing Regimen – Bryce Galbraith
– Production Honeypots – John Strand
– State of the Hack: The Chinese Threat – Rob Lee
– SOA and XML security – Mark Hofman

“Lots of valuable info was provided that will be very helpful &
applicable to my work environment.” – Ian Phan, Centrelink

“It is excellent seeing technical implementations of attacks that I
have studied theoretically!” – Julian Gutmanis, CSC

SANS is the most trusted source for information security training, so
why go anywhere else? Register today for SANS Canberra 2009 at
http://www.sans.org/info/41318. We’ll see you there!

Checking for Conficker with NMAP

Posted by: ash on Mar 31st, 2009 | Filed under: Uncategorized

So we all know Conficker is meant to explode our brains, empty our bank accounts and then run off with our dog on the 1st of April right? There’s a bunch of people that have applied the MS08-067 patch that basically stops all this nastiness, they’re probably also the same people that have strong passwords and an up to date antivirus solution.

So I guess the next thing is trying to track down machines that are already infected. The guys at SkullSecurity have a great blog article on how to use nmap to scan your network and detect these infected hosts.

If you get any errors it’s really worth reading through all the comments, Ron has done a great job in trying to respond to everyone. There are apparently some other tools coming out soon from other vendors .. but who doesn’t love an excuse to bust out nmap in anger!

Need up to date security news?

Posted by: ash on Mar 26th, 2009 | Filed under: sans, security

Why not try the SANS Internet Storm Center?? They have handlers on keeping an eye on everything you should be keeping an eye on! The internet is a big bad world, make sure you are aware of everything as it happens or even before it happens!

Also, don’t forget to see if there’s some training in your local town .. You won’t regret it!

Video Tutorial – How to crack WPA

Posted by: ash on Mar 14th, 2009 | Filed under: Uncategorized

Breaking the internet ..

Posted by: ash on Mar 7th, 2009 | Filed under: security, tutorial