Thursday, May 6, 2010

Flash drive with fake Facebook login...

I find myself thinking "does anyone fall for this stuff?"  Well, obviously the answer to that is "YES!!"  Uh, yeah, don't just use something because someone tells you.  People, wake up, this stuff isn't real!!! :-)

Sunbelt Blog: Facebook Remote Login + Flash drive = stolen credentials

Chris Shameless plug: LABrat.com

Monday, February 22, 2010

Writing Snort Rules is harder than it looks

Rather than reposting the entire article here, I'd prefer to just link to it:

http://blog.joelesler.net/2010/02/writing-snort-rules-is-harder-than-it-looks.html

This post took me a couple of hours to write, and in it I try to illustrate how to take a Snort rule and really take your time when writing it in order to get it right. Understanding the Snort syntax is a huge undertaking, but well worth your time once you get it right.

Saturday, December 13, 2008

Identifying Garbage Men

Tis the season for tipping garbage men. Here in Brussels, at the end of the year, garbage men would ring your doorbell during their round, presenting you their best wishes for the new year.

This tradition came to an end several years ago. Nowadays, they present you their best wishes when they're off-duty. And in came a new ID problem...

Identifying garbage men at work is quite easy and rather fool-proof. The work clothing they wear and their activity (filling the garbage truck with your garbage) are a good give-away. Would-be impostors face a rather high cost (obtaining a garbage truck, even stealing one, comes with a cost) to impersonate garbage men at work.

Reliably identifying off-duty garbage men is a bigger problem. As you've only their (work-) clothes and verbal claims as evidence to help you in distinguishing real garbage men from impostors, your rate of false positives increases. As the cost of obtaining work-clothes to fool you will probably be outweighed by the amount of collected tips, impostors stand a chance to make a profit, and hence the probability of fake garbage men ringing your doorbell increases.

But is this really your problem? From an economics point of view: no!
Let's assume you tipped an impostor, and a few days later, a real garbage man rings your doorbell. Will you tip him too? I know here in Brussels, a substantial group of people won't. Because you're still facing the same identification problem (is this a real garbage man?), but this time, you're more suspicious. So your rate of false negatives increases.
And your risk of receiving bad service for not tipping the genuine garbage men is rather low. The real garbage men might be disgruntled, but then again, most realize that it's not that you don't want to tip garbage men in general, it's just that they were impersonated.

To summarize: genuine garbage men face an economic loss from the activity of impostors; you don't. Hence the ID problem is really the garbage men's problem, not yours.

The solution the garbage men in Brussels adopted is to deposit some form of photo ID for garbage men in your mailbox, weeks before the tipping occurs. This document will assist you in distinguishing the real from the fake.

I invite you to post comments with ways to improve or break their system.

Somewhere I'm tempted to alter this "photo ID" (i.e. replacing the pictures), and challenge the first garbage man ringing my doorbell. I picture myself saying: "Ja mo kadeike, a foto stoet e ni op!" (as Google translate doesn't support Brussels dialect yet, let me translate loosely: "Hey kid, your picture doesn't match!"). But then again, it's the season to be merry, and I'm a satisfied customer, so I won't be a jerk.

Friday, October 3, 2008

Securing Cisco Routers the Easy Way

After hearing about Fyodor's scanning the Internet project, I started thinking about what he found...My reaction was much the same as Paul's...Telnet??? Really? Then I started thinking about the work I did back in the day when I was dangerously unqualified to do my job and had no idea what I was doing, and how many Cisco routers I left telnet open on the WAN interface simply for convenience. Over the years, I've found most consulting companies do this without telling the customer, and if you're using an outside vendor to manage your Cisco gear, I would check! Having had to do quite a bit of router securing lately, I thought this would be a good time to cover some really simple ways to secure your routers for the non-Cisco guys out there, other than the obvious firmware updates and such. All of these methods should work on the more recent versions of the IOS. This post will cover some very basic router security methods. There is a real science to securing Cisco IOS devices, and it's certainly possible to make your router security scheme very complex, but hopefully this gives you a good starting point if you're not already doing these things.

Adding Local Users
One of the simplest ways to lock down your Cisco gear is by adding a local authentication database to your router. This is something that Cisco simply doesn't stress enough. Even if you go through their CCNA training, they teach you there's a password to log in (telnet, console, etc.) and the enable password, both of which are subject to brute forcing...But think about how much more secure your gear is if an attacker has to guess both a username and a password. It would certainly render brute forcing impossible. Here's a simple example:

Larry(config)#aaa new-model
Larry(config)#username Larry privilege 15 password beer
Larry(config)#aaa authentication login default local

Looking at what we did, we first enabled authentication, authorization, and accounting services on our router. We then created a user named Larry with a password of beer that has a privilege level of 15. We then set the default login method for all management on the router to use the local database (i.e. usernames and passwords we create on the router itself). Now when telnetting in, connecting via a console cable, SSH, whatever, the user must present two sets of credentials. Of course if you make the username admin, cisco, etc. then this isn't a whole lot better, but using an uncommon username and password helps. You can do a lot more with creating limited privilege user accounts, custom views, authenticating and authorizing command execution via TACACS+ and RADIUS, and password policies but that's beyond the scope of this post.

Enabling SSH
Solving the problem of telnet's plain text transmission is actually quite simple. Before starting make sure you are on IOS version 12.1(19)E because that's the first revision that supports SSHv2. Enabling SSH on a router requires two lines:

Larry(config)#ip domain-name pauldotcom.com
Larry(config)#crypto key generate rsa modulus 1024 general-keys
The name for the keys will be: Larry.pauldotcom.com
% The key modulus size is 1024 bits
% Generating 1024 bit RSA keys, keys will be non-exportable...[OK]
Larry(config)#*Mar 1 00:19:52.391: %SSH-5-ENABLED: SSH 1.99 has been enabled


First we have to specify a domain name using the ip domain-name command so our router has an FQDN, then generate our keys. You can specify whatever key size you want (I used 1024 in the above example). After that SSH is automatically turned on for you. To get rid of telnet management completely, we have to do one more thing:

Larry(config)#line vty 0 4
Larry(config-line)#transport input ssh

Router Auto Secure
Cisco routers have lots of services running on them, most of them totally useless. Cisco has now provided an easy way to disable these services and enhance the security of your router in a number of ways with one command. Also, if you use Cisco Secure Device Manager (SDM) for router management, it features a security audit tool and a one-click lockdown tool for disabling these services. I'm still a console guy though, so I like this method. Look at how much useless stuff is turned off just after the first step, and how much you get by running one simple command:

Larry#auto secure
Is this router connected to internet? [no]:
Securing Management plane services...
Disabling service finger

Disabling service pad
Disabling udp & tcp small servers
Enabling service password encryption
Enabling service tcp-keepalives-in
Enabling service tcp-keepalives-out
Disabling the cdp protocol
Disabling the bootp server

Disabling the http server
Disabling the finger service
Disabling source routing
Disabling gratuitous arp

Finger? Come on. The wizard does a lot more, allowing you to set your login banner (and providing a pretty scary default one), configure an enable secret, set up blocking periods when login attacks are detected, and enable the CBAC firewall.
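As an added example, not from the original post, here is a Python audit that reads saved `show running-config` output and reports where the three steps above (local users, SSH-only vty lines, auto secure's service clean-up) have not been applied. The sample config is constructed and modelled on the post's Larry router; the `username ... secret` recommendation goes beyond the post (`secret` stores a hash, `password` a reversible encoding), and since IOS omits default settings from `show running-config`, an absent line is not proof a service is off.

```python
import re

# Constructed `show running-config` excerpt modelled on the post's "Larry"
# router, with a few gaps left in for the audit to catch.
SAMPLE_CONFIG = """\
no service password-encryption
hostname Larry
!
aaa new-model
aaa authentication login default local
!
username Larry privilege 15 password 0 beer
ip domain-name pauldotcom.com
ip http server
!
line vty 0 4
 transport input telnet ssh
line vty 5 15
 transport input ssh
!
end
"""

def vty_blocks(config):
    """Return [(name, [sub-commands])] for every 'line vty' block; IOS indents
    a line's sub-commands by one space."""
    blocks, current = [], None
    for raw in config.splitlines():
        if raw.startswith("line vty"):
            current = (raw[len("line "):], [])
            blocks.append(current)
        elif raw.startswith(" ") and current is not None:
            current[1].append(raw.strip())
        else:
            current = None          # any other top-level command ends the block
    return blocks

def audit(config):
    """Return findings for the hardening steps the post walks through."""
    lines = [l.rstrip() for l in config.splitlines()]
    findings = []
    if "aaa new-model" not in lines:
        findings.append("aaa new-model is not enabled")
    if "aaa authentication login default local" not in lines:
        findings.append("default login method does not use the local user database")
    users = [l for l in lines if l.startswith("username ")]
    if not any(" privilege 15 " in u for u in users):
        findings.append("no privilege-15 local user defined")
    for u in users:
        if re.search(r"\spassword\s", u):   # 'password' is reversible; 'secret' is hashed
            findings.append(f"user {u.split()[1]} uses 'password'; prefer 'username ... secret'")
    if not any(l.startswith("ip domain-name ") for l in lines):
        findings.append("ip domain-name missing; RSA key generation for SSH needs it")
    for name, subs in vty_blocks(config):
        transport = next((s for s in subs if s.startswith("transport input")), "default transport")
        if transport != "transport input ssh":
            findings.append(f"{name}: '{transport}' is not 'transport input ssh'")
    # Services auto secure turns off, flagged only when the config shows them on.
    for cmd, why in (("ip http server", "HTTP server enabled"),
                     ("service finger", "finger service enabled"),
                     ("cdp run", "CDP enabled"),
                     ("no service password-encryption", "passwords stored unencrypted")):
        if cmd in lines:
            findings.append(why)
    return findings
```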

So there you have it. I hope this was interesting, and be sure to find me lurking around #pauldotcom if you have any questions or comments.

Tuesday, September 30, 2008

Installing The mod_security Module for Apache on Ubuntu

What is mod_security?

Mod_security is a filter for requests and responses sent to and from an Apache web server. It is the "snort" of web applications.

As an example, let's say "super haxor" starts up their kiddie "Auto Haxs 4000" script and begins to pummel your web server with every known vulnerability for every known web application - perhaps even vulnerabilities that are not known to the public. As mod_security parses each request to your web server, it matches super haxor's requests against patterns that indicate attempts to exploit SQL injections, command injections, XSS attacks, etc., and returns a generic error message. The attack attempts from super haxor never touch your web application.

In another scenario, Paul and Larry are doing a penetration test on your web server. They request a page that produces a 404 error, hoping the error page reveals the operating system and web server in order to gather information about the box. As the response is returned to Paul and Larry, mod_security matches the server information in the response and changes it to a generic, administrator-defined message.

Obviously mod_security adds another layer of protection to your web server and the applications it hosts in keeping with pauldotcom.com's "defense in depth" mantra.

How do I install mod_security?

This guide covers installing mod_security on Ubuntu 7.10 for Apache 2. Since there is no package for mod_security in Ubuntu due to licensing issues, we have to install it from source.

Use the Source, Luke

Download the latest mod_security tarball from the mod_security site: http://www.modsecurity.org/download/direct.html. You will only need the current modsecurity-apache archive.

Now get the necessary packages for compiling mod_security on Ubuntu with this command:

sudo apt-get install automake g++ apache2-threaded-dev \
dpkg-dev libxml2 libxml2-dev

Now compile and install mod_security with the following commands:

cd <modsecurity download directory>/apache2
./configure
make
sudo make install

Apache Conf Files

Now that the mod_security binary is installed in your Apache 2 modules folder, we have to make a few configuration files so that Apache knows to use the module.

Create a file called /etc/apache2/mods-available/security2.load with the following contents:

LoadFile /usr/lib/libxml2.so
LoadModule security2_module /usr/lib/apache2/modules/mod_security2.so

<IfModule !mod_security2.c>
error_mod_security2_is_not_loaded
</IfModule>

<IfModule mod_security2.c>
Include /etc/apache2/modsecurity_crs/*.conf
</IfModule>

Next create a /etc/apache2/modsecurity_crs directory and move all of the Core Rules into it.

sudo mkdir /etc/apache2/modsecurity_crs
sudo cp -R <mod_security download directory>/rules/*.conf \
/etc/apache2/modsecurity_crs/

You should now take a look at the rule files to make sure the settings are as you like them. For the most part I only modified lines in the modsecurity_crs_10_config.conf file. This file will allow you to enable different portions of the engine. I enabled the directives to scan all XML content. In particular, you will want to look at the paths where mod_security stores its log files. I changed all of the log directories to the following:

SecUploadDir /var/log/modsecurity/SecUploadDir
SecAuditLog /var/log/modsecurity/SecAuditLog/modsec_audit.log
SecAuditLogStorageDir /var/log/modsecurity/SecAuditLogStorageDir
SecDebugLog /var/log/modsecurity/SecDebugLog/modsec_debug.log
SecDataDir /var/log/modsecurity/SecDataDir
SecTmpDir /var/log/modsecurity/SecTmpDir

After the settings were made I created the directories and set proper permissions with the following commands:

sudo mkdir /var/log/modsecurity
sudo mkdir /var/log/modsecurity/SecDataDir
sudo mkdir /var/log/modsecurity/SecTmpDir
sudo mkdir /var/log/modsecurity/SecUploadDir
sudo mkdir /var/log/modsecurity/SecAuditLog
sudo mkdir /var/log/modsecurity/SecAuditLogStorageDir
sudo mkdir /var/log/modsecurity/SecDebugLog
sudo chown -R www-data:www-data /var/log/modsecurity
sudo chmod -R a-rwx /var/log/modsecurity/
sudo chmod -R u+rwx /var/log/modsecurity/

I also had some trouble using mod_security with my Drupal installation. Mod_security was rejecting requests with an application/xml Content-Type, so I added "application/xml" to the regular expression in modsecurity_crs_30_http_policy.conf on line 72. It now looks like this:

SecRule REQUEST_HEADERS:Content-Type "!(?:^(?:application\/x-www-form-urlencoded(?:;(?:\s?charset\s?=\s?[\w\d\-]{1,18})?)??$|multipart/form-data;)|text/xml|application/xml)"

There are also some other rule sets in the modsecurity-apache_2.1.5/rules/optional_rules/ directory. You may want to take a look at them and place them into your /etc/apache2/modsecurity_crs/ if desired.

Enable and Test

You should now have everything in place to run Apache 2 with mod_security. It is time to enable the module and restart Apache.

sudo a2enmod security2
sudo /etc/init.d/apache2 reload

Hopefully Apache 2 restarts fine with no errors. Once Apache 2 has restarted, go ahead and test your web application with mod_security enabled. If you find that your web application is now working improperly, you can debug the mod_security rule that is blocking it by taking a look at the audit log and using the fabulous web application debugging tool Firebug.
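Reading the audit log by hand gets old quickly, so here is an added example (not part of the original post) of a small Python parser for the ModSecurity 2.x serial audit log written to the SecAuditLog path above: it splits the log into transactions, keeps those that ModSecurity intercepted, and pulls out the client, request line, Content-Type header and the rule ids and messages that fired. The sample log is constructed and reproduces the Drupal symptom from the post alongside a 404 that was logged but not blocked.

```python
import re
from collections import defaultdict

# Constructed sample of a ModSecurity 2.x serial audit log (the file set by
# SecAuditLog above): the Drupal symptom from the post, an application/xml
# request rejected by the CRS http-policy rule, plus a 404 that was logged
# but not blocked.
SAMPLE_AUDIT_LOG = """\
--7f3a1c20-A--
[30/Sep/2008:14:02:11 +0200] SiG5XsCoAAEAAB3yBDYAAAAB 192.168.1.50 51234 192.168.1.10 80
--7f3a1c20-B--
POST /node/add HTTP/1.1
Host: www.example.com
Content-Type: application/xml

--7f3a1c20-F--
HTTP/1.1 403 Forbidden

--7f3a1c20-H--
Message: Access denied with code 403 (phase 2). Pattern match "..." at REQUEST_HEADERS:Content-Type. [file "/etc/apache2/modsecurity_crs/modsecurity_crs_30_http_policy.conf"] [line "72"] [id "960010"] [msg "Request content type is not allowed by policy"]
Action: Intercepted (phase 2)

--7f3a1c20-Z--

--7f3a1c21-A--
[30/Sep/2008:14:02:40 +0200] SiG5YMCoAAEAAB3yBDcAAAAC 192.168.1.51 51240 192.168.1.10 80
--7f3a1c21-B--
GET /missing.php HTTP/1.1

--7f3a1c21-H--
Producer: ModSecurity for Apache/2.1.5 (http://www.modsecurity.org/).

--7f3a1c21-Z--

"""

PART = re.compile(r"^--([0-9a-f]+)-([A-Z])--$", re.M)          # section boundary
RULE = re.compile(r'\[id "([^"]+)"\].*?\[msg "([^"]*)"\]')       # [id] precedes [msg]
CONTENT_TYPE = re.compile(r"^Content-Type:\s*(.+)$", re.M | re.I)

def split_transactions(log_text):
    """Map each transaction id to its {part letter: text} sections."""
    marks = list(PART.finditer(log_text))
    txs = defaultdict(dict)
    for i, m in enumerate(marks):
        end = marks[i + 1].start() if i + 1 < len(marks) else len(log_text)
        txs[m.group(1)][m.group(2)] = log_text[m.end():end].strip("\n")
    return txs

def blocked_requests(log_text):
    """One summary per transaction whose part H records an intercept."""
    out = []
    for tx_id, parts in split_transactions(log_text).items():
        h, b = parts.get("H", ""), parts.get("B", "")
        if "Action: Intercepted" not in h:
            continue
        ct = CONTENT_TYPE.search(b)
        out.append({"tx": tx_id,
                    "client": parts.get("A", "").split()[3],  # A: [time] uid src sport dst dport
                    "request": b.splitlines()[0] if b else "",
                    "content_type": ct.group(1).strip() if ct else None,
                    "rules": RULE.findall(h)})
    return out
```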

Conclusion

If you are deploying an Apache 2 server that is going to be running any sort of web application, I highly recommend that you take a look at mod_security. The hour you spend installing it could save you from a lawsuit or embarrassing explanations to your customers.

Wednesday, July 2, 2008

(Blog wakeup call) Tip of the Moment: Zip Traversal

Well, I didn't think this was worth a post before, but it's been ages since the last post, so it's about time something got stuck up here. So I bring you my handy tip of the moment: Zip traversal.

Sometimes you come across a system that allows upload in zip format to save bandwidth. The zip file is then decompressed by the system after upload. Anywhere there's file upload should get your arbitrary file upload senses tingling, but unfortunately it (hopefully) does the same to developers. The upload destination folder may not allow execution, may have no mappings to run web scripts, or may be outside the webroot if a website is being targeted.

But depending how the unzip routine used by the application works, there may yet be a way to upload files to arbitrary locations. By editing a zip file to give certain files in the archive names that start with a series of "../" you can traverse back up to the root of the file system and then specify whatever path you feel like. This can be done, for example, by zipping a file with a long file name and editing the zip file in a hex editor, changing the extra letters of the file name to ../ as needed.

This of course depends on the local file permissions and the user the unzipping process runs under. It also depends on whether the unzip routine detects the dangerous behaviour or allows it, as some background unzipping processes do.
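As an added example, not from the original post, here is the check an unzip routine should make: every member name is resolved against the destination directory before anything is written, and names that would land outside it (leading slashes, '..' components, drive prefixes) are rejected and reported rather than extracted. The archive is constructed in memory with `writestr`, and `safe_member_path`, `safe_extract` and `demo` are my own names.

```python
import io
import os
import tempfile
import zipfile

def safe_member_path(dest, name):
    """Absolute path where `name` may be extracted, or None if it would land
    outside `dest` (absolute names, '..' components, Windows drive prefixes)."""
    name = name.replace("\\", "/")            # some archivers write backslashes
    first = name.split("/")[0]
    if name.startswith("/") or ":" in first or ".." in name.split("/"):
        return None
    dest_real = os.path.realpath(dest)
    target = os.path.realpath(os.path.join(dest_real, *name.split("/")))
    # realpath also resolves symlinks already present under dest, so a link
    # pointing outside cannot be used as a stepping stone either.
    if target == dest_real or os.path.commonpath([dest_real, target]) != dest_real:
        return None
    return target

def safe_extract(zip_bytes, dest):
    """Extract only members that stay inside dest; return (extracted, rejected)."""
    extracted, rejected = [], []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            target = safe_member_path(dest, info.filename)
            if target is None:
                rejected.append(info.filename)   # worth logging: a tampered archive
                continue
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            extracted.append(info.filename)
    return extracted, rejected

def build_sample_zip():
    """Constructed archive: one legitimate member and one whose stored name
    starts with '../' components, the pattern the post describes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("images/logo.txt", "fine")
        zf.writestr("../../outside.txt", "must never be written")
    return buf.getvalue()

def demo():
    """Run the extractor in a throwaway directory; return what happened."""
    with tempfile.TemporaryDirectory() as tmp:
        dest = os.path.join(tmp, "uploads")
        os.makedirs(dest)
        extracted, rejected = safe_extract(build_sample_zip(), dest)
        kept = os.path.isfile(os.path.join(dest, "images", "logo.txt"))
        return extracted, rejected, kept
```

Current Python versions already strip such components inside `ZipFile.extractall`; the explicit check matters when the unzip routine is your own, another library's, or an external tool called by the upload handler.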

So there it is, my tip of the moment. Nothing impressive, but kind of nifty. And maybe we will wake up some other bloggers :)

Saturday, April 19, 2008

Taking the GSSP-C Exam

On a sunny day in March, I strolled through the Begijnhof in Leuven, Belgium (pictures here). My destination was a nice medieval house where I would take the GSSP-C exam (GIAC Secure Software Programmer - C).

This exam is not your usual SANS exam: it's a proctored paper exam containing 100 multiple-choice questions with a six-hour time limit. Unlike other GIAC certifications, this exam is not offered online and is not open book. The GSSP certification exam is only offered at specific locations on a number of dates through the year. This time, SANS teamed up with secappdev to organize this exam in Belgium (I believe it was the first time this exam was organized in Europe). The proctor was Pieter Danhieux (GSE).

You have to be fluent in C to attempt this exam (I believe I wrote my first C program in 1984), because a lot of the questions will be code listings where you have to identify errors. The SANS C-handbook has sample questions that give a good idea what to expect. And if you just learned to program in C, you might be able to answer many questions, but I highly doubt you'll manage to provide enough correct answers in the allotted time limit.

Brush up your knowledge of the basic C I/O functions: what is their signature, how do they behave? Trust me, you'll need this during the exam (remember, this exam is not open book).

Read a couple of the recommended books, like Exploiting Software: How to Break Code and Writing Secure Code, Second Edition.

Be prepared for some really hard puzzles. I remember one question where I would have overlooked the error in the C program; it's only because I knew the program was faulty that I persevered and found the f*ing bug!

Another hurdle is the exam format. Tackling 100 questions in 6 hours and transcribing 100 answers correctly with a number 2 pencil on a form is not so trivial. I followed the same strategy I successfully applied during my CISSP exam. Here is my recipe:

I read the first question. If I don’t understand the question, or if I don’t like the question, or if I even don’t feel like answering the question right now, I just move on to the next question. However, even if I skip a question but I’m certain that one or more of the answers are not correct, I cross them out (every time I say I write something down or make a mark, I do it in the question booklet, unless stated otherwise).

If I try to answer the question but I’m not sure of the right answer, I will cross out the incorrect answers and move on to the next question.
If I answer a question I’m sure about, I put a circle around the number of the question and another one around the letter of the correct answer.

After tackling the last question, I just start the process again from the beginning, skipping the questions I already answered (remember, there’s a circle around the number of an answered question). I repeat this process several times, each cycle gives me more answers. After a couple of hours, I’ve answered about 80% of the questions and I decide to transcribe my answers to the form (I have to be careful to skip the unanswered questions on the form). I review each answered question and transcribe the correct answer to the form. At the same time, I compile a list of all unanswered questions.
I decided to transcribe the answers after completing about 80% because:
1) I want to take the time to correctly transcribe the answers, I don’t want to make mistakes by rushing the job at the end of the 6 hour period allowed for the exam
2) I don’t want to start second-guessing my answers

After 30 minutes, I’ve transcribed all answered questions.

Now I focus on the list of remaining questions. I try to answer each question by eliminating all incorrect answers: what remains must be the correct answer. If more than one answer remains, I select one at random. I start guessing because I don’t want to stay until the end of the exam trying to find the correct answers; I feel confident because of all the other questions I answered. Since a wrong answer does not negatively impact your score, you’re better off answering all questions than leaving some unanswered. The main reason why I tackle the remaining questions like this is that I don't want to start second-guessing my answers to the questions I felt confident about. Trust me, if you spend too much time toiling over a question where you're clueless, you'll start to doubt everything.

Finally, I transcribe the remaining answers to the form. The list of remaining questions I compiled helps me to identify which answers remain to be transcribed.

It's the first certification exam I really enjoyed; I had fun reviewing all that C code. It's a bit like discovering vulnerabilities.

Six weeks later, I got my detailed score report from SANS. Did I pass? I'll leave you in suspense too, for a couple of seconds...

http://www.giac.org/certified_professionals/listing/gssp-c.php