crazylazy.info

How to think security

by Ivan Ristic, just a part of it

People in application development generally have different perspectives. Developers often focus on getting stuff up and running in an efficient feature-rich way, testers focus on confidentiality, integrity or stability/availability issues... Marketing focuses on getting Outlook to display yesterday's i-Mails with smilies. :) Well, lets forget these people here.

All these protocols are belong to Metasploit

If you want to create a network-fuzzer you have to transport your inputs through a specific protocol. Performance in most cases isn't an issue. While I'd prefer to use ICC or at least efficient C for file-fuzzing or other CPU intensive programs, network fuzzing doesn't have this requirement. The Metasploit framework implemented a nice suite of libraries adaptable for network-fuzzing which helps to create a new fuzzer within minutes. Furthermore within ruby 1.9 there're performance enhancements that soon will be supported officially ;). So let's fuzz faster.

There're certain interesting fragments:

A collection of tutorials, videos and fun

I think it's an amazing site. There're many video tutorial sites these days. However the quality differs a lot. In the following I listed stuff I like so far. Feel invited to watch everything:

Programming

Python programming course from MIT - the advanced stuff may be of some interest, however it starts of with fairly trivial and introductorily mentioned stuff.

Calm down - nowadays you just get a killbit, sweetie.

Exploitation is...

... a very fascinating and challenging topic in IT. Like programming or algorithm design it has no real limits if you explored the depths. People nowadays are easily impressed: exploits can harm their expectations. Nevertheless most often their expectations are created through advertisement, sales persons or clueless IT people who just repeat the prospects. Expect exploits.

Believe in it: awareness

It seems a minority of IT security professionals writes exploits. Obvious reasons are, that it requires some luck and instinct to get through the attack surface into the depth. And it's getting more complicated through operating system's innovations like ASLR, Library Randomization, DEP, NX bits, RBAC... a whole lot of things. However I truly miss innovations in security from Oracle. That is to be said.

Teaching?

What took the most of us to learn,
is what we teach best.

I found a good collection of IT security specific learning materials. Even if you're an old hand in the fields, you might catch something new, nevertheless I guess it's a university course intended for starters.

Introduction and Source Code Analysis, Dan Guido
Reverse Code Engineering, Stephen A. Ridley
Memory Corruption, Dino Dai Zovi
Fuzzing, Mike Zusman
Client-side attacks and Post-Exploitation, Dean De Beer
Web Hacking, Erik Cabetas

About good people in IT being too good and bad guys playing better

Bugs flew in the Eniac and caused errors. Since ages bugs cause trouble in IT. Now it's time to exterminate them?

Setting up the server

If you do this, you want three things:

• a clean and secure setup, that ensures your availability - even if you're working on a remote-server
• easy steps
• drinking a coke or a coffee during this setup. No beer. Because kernel-upgrades and beer don't work together

Okay, what's grsecurity and why do I need it

Easily said: it's doing everything to prevent successful exploitation, like we recently saw happening on Linux through SCTP, ptrace or UDEV.