• SQLi through meta refreshes using cookies or useragents. Making SQLi a client-side attack. How much do you want to bet that the person that visits the site the most is the administrator :)

• Javascript adding hidden files upload form fields that are auto populated with C:\Windows\System32\config\SAM or C:\Windows\Repair .. yadada. You get the idea.

Today I was in a brief / talk / meeting and I just wanted to share with you some of the things that I saw in this event that might better help you know what NOT to do while getting up in front of any size crowd.

• Death by bullets (Yes this is bulleted to be ironic). But seriously, this was a reoccuring theme throughout the meeting. Try and keep it to 3 or 5. *Simple = Better
• The slides should not be more important than the speaker. If your slides can be printed out and disbursed. Don’t waste the time of everyone attending by reading them or having us read them.
• If the audience takes more than 5 seconds to read a slide = FAIL
• If the speaker takes more than 2 seconds to read a slide = FAIL (this is only tolerable at the 2 second limit during long and information intense talks)
• If your text during slide creation is AUTOSIZING DOWN, you are in the process of FAIL
• Visio is a hand out development tool. Using it as a slide development tool = FAIL
• Holding items in your hands without the items being on topic = FAIL (do not figit with a book, or a pen or an award until it is time to use said object)
• Interrupting you co-speaker to enhance points = FAIL (this is NEVER a good thing) You are demeaning your co-speakers presence.
• Making it obvious that you were not paying attention to your co-speaker by stating that you don’t know something that was actually just presented by your co-speaker = MAJOR FAIL

I just wanted to get these off my chest as the speakers were not interested in input. I hope these help you become a better speaker.

I believe there is a fear in the security community about speaking. Most don’t believe they either have something important enough to say, or have some awesome ‘thing’ and are just too afraid of the stage. Here are some resources and videos that have helped me gain the confidence to speak.

Gary Vaynerchuck @ Web 2.0 Expo:

**http://www.youtube.com/watch?v=EhqZ0RU95d4

— Specifically look at how he speaks. How he starts, how he finishes. Does he have slides?

Merlin Mann @ Google:

**http://www.youtube.com/watch?v=uOgHE5nEq04

— Look at his slides, how does he flow through them? Moving from point to point continuously without stopping for the slide change. How does he get the people present to interact with the presentation.

Those are two dynamic (hate that word), and powerful speakers who know how to make IT (not eye-tee) interesting no matter what IT is.

Ok what about slides, well, basically SlideShare is the YouTube for presenters. You can post your slides, get them reviewed by some of the best in the biz, browse and see how the pros do it, etc..

Slide Share – http://www.slideshare.com

Here are some select slides that have made a difference in my presentation style:

Also, Garr Reynolds, one of the masters of presenting can be found at http://www.presentationzen.com/.  You can find him on SlideShare at http://www.slideshare.net/garr/ .

One I couldn’t recover was here: Dead Link – http://www.slideshare.net/fabiancrabus/presentationzen

Security Catalyst

Comments from some of the Security Catalyst members (Used with permission):

Are you a member? Want to be? Here is the link to the thread: http://www.securitycatalyst.org/forums/index.php?topic=1013.0

Andrew Hay – http://www.andrewhay.ca/

writes:

Great post Rob. I know quite a few people who list “public speaking” as their biggest fear. The only way to overcome that fear is to keep doing it and recording “webinars” (I hate that word) is a great way to get over those jitters.

Dave Hull from – http://trustedsignal.com/

writes:

Rob thanks for starting the thread. I’ve been working to increase my face time with groups over the last year plus. I don’t consider myself an extrovert, but do enjoy presenting.

I’ve been studying presentation and teaching styles for the last few years — http://www.presentationzen.com/ is a great site. All the presentations I’ve seen at http://www.ted.com are quite good.

I recently attended a pretty bad presentation. The slides were typical PPT — title, too many bullets with too many words after each bullet. The presenter never moved, was factually wrong on several counts and when he tried to get the audience to participate he flat out insulted one person who mispronounced Ethereal. It was awful, but I learned more about what not to do.

I’d like to start submitting talks to conferences. My problem is a form of writer’s block — what to talk about. But I know from having attended numerous talks where I didn’t learn anything new, that having a brilliant new idea is not a prerequisite to giving a talk. There’s always going to be folks in the audience who know more and less than you do.

I was fortunate to be invited to speak at my local ISSA and HTCIA chapter meetings this month. It was a last minute invitation due to cancellations of previously scheduled speakers. Both groups needed to hear back right away and when I asked my employer about it, I was told I would have to get the approval of the Ethics Committee. Since that process was going to take some time, I had to decline the invitations. However, I did finally get standing approval for future engagements. Lesson learned, make sure you check with your employer and get your ducks in a row.

I recently checked out the Stand And Deliver audiobook from my local library. It’s not revolutionary, but it’s worth a listen/read for anyone who is interested in public speaking.

Thanks again for the links and the thread.

Security4all – http://security4all.blogspot.com/

writes:

A favorite topic of mine.

Don’t forget the excellent blog Slide:ology from Nancy Duarte who worked on the book with Gar and now has her own book. http://slideology.com/

I have yet to buy and read her book myself (due to lack of time).

You might also want to have a look at my own blog for some pointers here and there. I still have a lot to learn and practice but you might find some useful info in there:

http://blog.security4all.be/search/label/presentations

Also, have a look at my Slideshare favorites. Sometimes because of the slides, sometimes because of the topic

http://www.slideshare.net/security4all/favorites

Wim Remes – http://domdingelom.blogspot.com/

writes:

Ain’t that the truth.

I am an introvert, no doubt about that.

If there is one thing that helps to get over ‘the fear’, it’s dry-runs, and lots of them. There’s no substitute for training your public speaking skills in front of an audience of people that you know and trust. People that you know will be honest with you and push you forward. 

I think most of the sites have already been mentioned PZ, Slideology, TED, Google Video (Authors@google are good sometimes too),

Youtube, at this moment I can’t think of any other.

Didier Stevens – https://didierstevens.com/

writes:

Most don’t believe they either have something important enough to say
I believe this idea is also enforced because of the extra media attention one type of IT security speakers get: “The Sky Is Falling” speakers.
It’s not because you’ve not broken something, or you have no prediction of impending doom, that you’ve nothing valuable to say. To the contrary.
Another hint to help you overcome your fear of speaking in public, is to start with a subject you’re passionate about (or at least interested).
Your passion/subject-expertise will help you gain confidence.
Analyze your fear of speaking in public. Try to identify which particular aspects of speaking in public cause you to fear it.
Are you afraid to
– draw a blank?
– get audience questions?
– look unprepared?
– speak to ranking officers?
– speak to a large public?
– …
If you can identify precisely what worries you, you can start to work on that specific point to gain confidence.
Example: afraid to draw a blank? Rehearse! Use notes, bullet points, mindmaps, …

Kevin Riggins – http://infosecramblings.wordpress.com/

writes:

The suggestions and resources offered so far on this thread are excellent. I would like to add Toastmasters.  I believe it is one of the best venues available for developing your speaking skills.

As alluded to previously, several studies have shown that the most common fear people have is speaking in public. Toastmasters helps overcome this fear or at least be able to perform in spite of it in the following ways:

• Speaking often – you have the opportunity to speak frequently. As the saying goes, practice makes perfect.

• Trusted audience – the people you are speaking to are supportive and understand exactly what you are dealing with.

• Constructive feedback – your audience is expected and in essence required to provide you with feedback. However, it is not rah rah session. I have gotten many helpful tips. Plus there is a designated evaluator for each of your speeches with very focused feedback.

• Great materials – the training materials are great for helping you learn how to develop good speeches and how to deliver them effectively.

Toastmasters is an international organization, so you can find clubs all over the world.

Ron Woerner

writes:

How ironic.  (ISC)2 has an article in their winter magazine on speaking: – (https://www.isc2.org/uploadedFiles/%28ISC%292_Member_Content/Member_Resources/infosecmag-winter2008.pdf).  

It’s cool to see the message is getting across.

Although, it’s like golf; the only way to get better is to (a) practice and (b) get qualified feedback.  You can read all you want about it, but that won’t make you a good presenter.

Get out there and do it.  Then ask a trusted friend what you can do better.

(Of course, Toastmasters provides this)

Anyways, I hope this helps. From pro to n00b, the day we stop improving is the day we start dying, As for not having anything good to say, stop fooling yourself.

Rob

http://www.slideshare.net/mubix/ — No posted slides yet, mine will be in que for http://informer.ihackstuff.com/ — Johnny Long’s brilliant idea for raising money for charity by having people release to people early based on subscriptions, all proceeds go to children in need.

This is an untested theory, but I don’t see why it wouldn’t work. Anyone who wants to prove it either way is very welcome to comment on the matter below.

Ok. Say you have the following exerpt from an /etc/shadow file:

1
2

root:awac7eQv2CT0g:12685:0:10000::::
billybob:$7$b1XHzqR5$RJxOyHRAix2rVmtXyHkLikmnod.z94P6vSL1h8ZeUdY/urvOvkvJjg2hn/J0r90YAdAA8HedGIPR2D7.zIzJS0:14438:0:99999:7:::

Both passwords in clear text are “uncrackable”. Here is where the trick comes into it. We use the weakness in LM hashes to crack the password (as long as it’s under 15 characters of course). We do this by slamming the password into our system, installing SAMBA, and telling it to use our UNIX users/pass combos for authenitcation. Then we use the LM cracking method of choice, and you get the clear text password.

Using one cracking method to crack other encryptions. Again, just a theory as I haven’t tested it, but I don’t see why this wont work. I would say it’s about time for you to start using 15+ character passwords if you haven’t already.

Merry Christmas!

Alright you all have heard of some of the annoying items that make ThinkGeek a one stop shop for cube warfare, such as the Annoy-a-tron and the Phantom Keystroker. Well nothing can hold a candle to the BSODomizer. Along the lines of the Annoy-a-tron and the Phantom Keystroker, this device is hardware and messes with your target on a timer based method. But what gets added to the mix is the fact that it has an IR reciever as well, so while you are giggling in your cube trying not to bust up laughing, you can actually use any Universal Remote set to the Sony TV code, a TV-B-Gone (Mitch Altman’s awesome invention), or even a computer that it set to send that signal from it’s IR port. There are a bunch of settings on the BSODomizer, including the NSFW option that spawned it’s name. It has both Windows and Mac blue screens and a multitude of timings. It also works with VGA to DVI converter and rumors have been heard of a two port and / or a DVI based one. I liked this thing so much I ventured into making my first video (which I begged Darren Kitchen to help edit, and he graciously did). 

Joe Grand of Kingpin Empire and Zoz released the BSODomzier on the world this year at DefCon 16.  Here is what they they say about it on their site:

BSODomizer is a small, battery-powered, mischievous electronic gadget that interfaces between a laptop or desktop and VGA monitor and flashes a fake BSOD (Blue Screen of Death) onto the monitor at random time intervals or when triggered by an infrared remote control. This will cause the user to become confused and turn off or reset his or her machine. You can also choose to pop up a much more sinister BGOD (Blue Goatse of Death) after the BSOD has been visible for a few seconds. The BSODomizer will automatically detect when the computer has been turned off or restarted and will revert to the harmless video pass-through mode, leaving the user unaware of any wrongdoing. Legitimate uses of the BSODomizer include monitor/projector/video calibration or as a simple timer to remind the user to take a break from sitting in front of the computer. Various configuration settings are selected via on-board DIP switches.

BSODomizer Review from mubix on Vimeo.

Check out the Manual for all of the possible options and the site for details on how to make one for your self or buy a pre-built.

Yesterday on Twitter I posed 3 questions:

Question 1: Now that Clickjacking has faded away from “Newest Greatest BAD STUFF”, how many implemented NoScript personally? What about Enterprise wide?

Question 2: Now, everyone who responded that you are still at IE in the enterprise. Why? Did you show the powers that be clickjacking and it’s effects?

Question 3: Ok here is the final question of the trio, Why, since we rely on IE, aren’t we screeming at M$ to implement NoScript-like features?

And Andrew Hay (twitter), one of the crazy smart guys from the party house above the US posted a great blog article (kinda redundant to say posted a blog post eh?) (and no that wasn’t a Canadian joke). And the following is my rebuttal to some of the things he said.

First he goes into training. And I agree with him for the most part. The support teams are going to need to be trained to support Firefox, but exactly how many calls do you really expect that to be? The address bar is in the same place, tabs work the same, as do bookmarks. Importing bookmarks is a rather simple process as well, FF does it by default on first use. I guess the only person who can answer this is someone who has actually made the move from one browser to another.

Second he touches on money. I take a bit of a different approach to this. I think that they (Cx0s) should spend the money on the Mozilla Foundation to build an enterprise deployment package, including an addon (extension) deployment engine and GPO tie in. But as far as as the testing, Q&A, and support, if your company offers to work with Mozilla on an enterprise deployment, I am sure they will fall over themselves to help make it happen. Sure, there will be training to go along with the new deployment and management pieces, but most likely the people working with Mozilla to get it working will have such an indepth knowledge of the product by the time it gets rolled out enterprise wide that they will not need training. And finally, are you really telling me that any company on the planet pays to train all of their staff? In my limited experience it’s always been, send one, and he/she will train the rest.

Third, Deus Ex Machina, when I first read this I instantly thought of the game Deus Ex, but basically as Andrew put it, it’s explaining in business terms, what the threat / risk is, what the FOI / ROI is, and how the deployment can happen to the mangement (Cx0? Writers of the check, WOTC is much less sexy than CSO eh?). My answer to this is that I agree compeltely. Enterprieses, be it corporate or government, are like giants. They can see much farther (industry insight is usually the main job of a CxO), they are very slow making steps (changes of any size).

But here is the tweak, I think when they do make changes, like giants, they are huge steps forward. And, Andrew is right again, it usually takes a dedicated individual in the organization to push it to the point where finally people start listening. That person is going to the be the least popular person in the buisness but at the end of the ordeal, he/she will most likely either become very high ranking in the organization, or another company will take notice of the game changer, and pull them into their company hoping for the same fighting spirit to help their company flourish. But then again, it could end much worse. Some companies are so set in their ways that they refuse change and will repremand those who push it too hard. Check out out Marcus Carey of Sun Tzu Data’s post that sums up Deus Ex Machinca in one image.

Last, Andrew point out the Blind Eye technique. Ostriches play this game and it never really ends well for them. This is a base (I have started to hate the word “fundemental” sine the elections) difference between security pros in the biz, some if they don’t see a risk, or it wide spread in the wild, they don’t see a rush. Marcin from TS-SCI Security made some twitter posts (#1, #2, #3) making some valid points. Are they wrong? No, not all, it’s just a different approach to security. I am more optimistic than I think I should be, I see the potential for bad stuff to happen and I want to fix it immediately, because there are definitely bad guys out there that are much smarter than I am.

In conclusion to this already too long post, I think it’s a struggle, and we, as security people, will fight it forever. Cops have been hated since the dawn of time, and we are basically computer security guards right?

Tell me what you think, I am always open to being proven wrong, it’s then that we learn right?

 It’s official Burp Suite 1.2 is officially released to the masses. It includes a whole host of new features. Mainly (the ones spoke of in the blog post about the release):

• Site map showing information accumulated about target applications in tree and table form

• Suite-level target scope configuration, driving numerous individual tool actions

• Display filters on site map and Proxy request history

• Suite-wide search function

• Support for invisible proxying

• Fully fledged web vulerability scanning (pro version only)

• Ability to save and restore state (pro version only)

You can download the new version at http://www.portswigger.net/suite/download.html

It’s not quite the snooze button I asked for, but it will do. Google implemented Gmail Tasks inside of Gmail Labs. Here is the blog post about  it: http://gmailblog.blogspot.com/2008/12/new-in-labs-tasks.html

 If you haven’t seen it yet, I posted about a Nerv-Labs Live DVD that included all kinds security distros in one bootable DVD. Which was also featured in Episode 0x415 of Hak5. Well, there were some things that it was kinda lacking, mainly Helix and Samurai.

Well, my buddy Marcus Carey from SunTzu Data did it up right. Let me introduce SumoLinux. SumoLinux has the following linux distributions on it:

• Backtrack 3

• Helix 2.0

• Samurai Linux

• DBAN

• DVL

DOWNLOAD IT HERE: http://thepiratebay.org/torrent/4527605/SUMO_Linux

You probably know what Backtrack 3 is, it’s the distro that is produced by the guys at Offensive Security. Helix 2.0 is the forensics distro, and Samurai is the awesome web application attack/assessment distro put out by InGuardians. But the last two you may not have heard of. DBAN (Darik’s Boot and Nuke) is a disk wiping boot cd that has templates for DoD, Gutmann, and PCMP wiping standards. And last but not least is DVL (Damn Vulnerable Linux) which is a distro where you can learn security, starting from basic netcat listening to exploit development.

Thanks go to Marcus for making our dreams come true, now if I could just get another USB stick to put this on. Unetbootin here I come!

Guest Article By: Ryan Pfleghaar (post_break) of iamthekiller.net

DEFENDING AGAINST JASAGER

Jasager has been making people question wireless security since episode one of season four on Hak5. The number one question besides “How do I get this to work” is ”How do I protect myself?”. This exploit in wireless security has been somewhat of a challenge to protect against and with this article I am going to detail how Mubix and I came up with a quick and easy fix.

A few recommendations to safe guard yourself were using a VPN or turning off wireless and using a 3G card while in the public. These two options do work however they can be expensive and not user friendly. After brainstorming a bit I came up with the idea of an application you could run while out in public airspace to check for multiple access points originating from a single point. This could be done by querying the access points and checking the signal strength against the BSSID. By knowing that a single MAC address is broadcasting multiple access points you can consider it a Jasager like device.

My theory is broken when you factor in a device such as a FON that legitimately broadcasts multiple access points during normal operation. My university does this with Cisco access points broadcasting a PEAP encrypted connection and an unencrypted network to which you must accept a TOS in order to connect from a single device.

Taking a step back we looked at how this exploit actually operates. When you turn on your laptop it will send out probes to see which networks are available and connect to the access point highest on the priority list. This default action is the key to the puzzle. By creating an access point in your preferred networks list titled “Jasager Detected” and pushing it to the highest priority you will now know when a Jasager device is being used. If you ever scan to see what networks are available and see the access point “Jasager Detected” then itʼs a good idea to check your email at home instead of the coffee shop or airport.

There are a few pitfalls to this method however. If you scan the area with anything other than what you use to connect your laptop to the network “Jasager Detected” will not show up in the access point list. Chances are you will see a hidden network with no security, that being the airbase-ng or jasager access point. You need to scan the area using either windowʼs built in wireless connection utility or that provided for your wireless card. This same theory goes for Macs as well. 

Another pitfall to this quick fix is that you could in theory join the “Jasager Detected” access point without realizing it and quickly become a victim. You need to be alert when you go to public places with your laptop and make sure your dummy access point is not within range.

What I like about this fix is how theoretically low tech it is. This is not a software or hardware specific guide and you can tell just about anyone how to do it regardless of skill level. I was even able to reproduce the fix on an iPhone so you should be able to protect yourself on mobile devices.

Now Iʼd like to say something about this fix. This is not a complete patch in wireless security. I could modify my airbase script to not publish the access point “Jasager Detected” and if you were following this guide then you could easily become a victim [Thanks to Robin Wood who develops Jasager for out this caveat]. 

Another thing is that some operating systems have trouble with these preferred networks. If you really want to make sure you are in somewhat safe airwaves make up a completely random name for an access point and try to join it. If you connect then you know for a fact a Jasager device is in range.

I would like to reiterate Ryan’s last point. Think up so random name that you think you would never see, and put it in your prefered list at the top. If it pops up, you know that their is something fishy going on.

Another mesaure you can take, and thanks goes rAWjAW of rawjaw-security.blogspot.com for this idea. You can edit the preferences of each of your prefered networks and tell them not to connect automatically. This way, you will simply be alerted to their presence and have that half second of judgement kick in, instead of automatically connecting. Again, none of these are 100% solutions, but get close, and are all something you could help your grandmother implement. 

Merry Surfing.