N.Y. Times with more Stuxnet details – what’s the conclusion?
It feels like everything of even remote interest to the average security professional has been said about Stuxnet from a technical perspective, but yesterday the N.Y. Times published an article titled “Israel Tests on Worm Called Crucial in Iran Nuclear Delay“, shining some light on the political and intelligence side of the story. Before you run off to read the piece (and you absolutely should) I have to add that it doesn’t reveal any groundbreaking new details, but it pieces the various bits of publicly available information together nicely.
As I was reading the article, the effort put into the creation and testing of the core payload amazed me; while the security community mainly focused on the sophistication of the exploits and, to a lesser extent, on the interaction with the PLCs, the impressive amount of logistics and pulled strings needed to acquire and reproduce the targeted environment went somewhat unnoticed. The presentation “Adventures in analyzing Stuxnet” by Microsoft’s Bruce Dang, given at the 27th Chaos Communication Congress (27C3) in Berlin, as interesting and entertaining as it was, reinforced the perception that Stuxnet was notable mainly because of the number of previously unknown or forgotten vulnerabilities leveraged to compromise the operating system supporting the real target. But (in my view at least) the lesson is far from Microsoft Windows being insecure, not fit for purpose, stuffed with security holes or similar comments observed during Bruce’s presentation; these remarks completely miss the point and the momentousness of this operation. William J. Broad, John Markoff and David E. Sanger’s article should make it abundantly clear that compromising the target is a minor obstacle at best, and it wouldn’t have made any difference whether the underlying operating system were Microsoft Windows, Linux, BSD, Solaris or anything else. There is no point in me repeating what has been said about APT before, but your standard controls and countermeasures will not discourage, deter or prevent an attacker as determined as the one in this scenario. I will refer to Mandiant’s excellent blog for further reading, however. A great place to start would be “M-Trends: The Advance of the Persistent Threat“.
Security bSides – now with british accent
“It was the year everything changed.” – Babylon 5
Well, maybe not that dramatic, but there can be little doubt that the idea and, most of all, the people taking action to bring that idea to life have changed the way the community engages with information security events globally. Originally BSides was created to provide a forum for speakers that didn’t make the (CFP) cut for the usual suspects (BlackHat, DefCon, ..) but were far too valuable not to share with the community. That probably still holds true, but BSides became far more than that, and a good example of this is BSides London. Even though it runs in parallel with InfoSecurity Europe 2011, it is hardly an overflow venue for rejected talks, considering that InfoSec Europe is neither a con nor does it seem to accept speakers without commercial involvement in the event anyway. BSides rather gave the interested folks in London a reason and a framework to start organizing one of the (unfortunately few) security events of this kind in town. Could an event like this be organized without running under the BSides flag? Absolutely. Would it draw the same amount of interest from both volunteers and participants? Hardly. Looking back to InfoSec Europe 2010, where there was not even enough interest to start an informal SecurityBloggers meetup, the excitement and enthusiasm the BSides movement brings to the table become obvious.
While there are still several months to go until we get to hear (not only) the United Kingdom’s most talented, interesting and without a doubt most attractive speakers, BSides London has already cleared its first hurdle by showing that there is great interest in this event. Assuming that the word continues to spread and that at least some of those thousands of security enthusiasts and InfoSec professionals will get bored in the labyrinth of security booths at InfoSecurity Europe, the first ever BSides UK event could be off to a great start.
If you want to know more, don’t dawdle and check out the BSides London wiki page. Seats are going quickly (no, really) and there is still the option to submit a proposal for a talk (CFP) for a chance to tell your grandchildren that you were one of those (in)glorious basterds speaking at the first BSides London.
If Twitter is your thing make sure to follow @BSidesLondon or the hashtag #bsideslondon as well.
The event information at a glance:
Information Security events London
Just a quick update that I’ve added a bunch of events for the first quarter of 2011 to the InfoSec calendar. As usual they are all more or less in London/UK. I’ll keep adding events as they are confirmed (e.g. ISSA UK, ISC2 London, DC4420, 2600 London, etc.), so stop by from time to time. If you know of an event that might be interesting, please let me know.
VMWare Hacking Uncovered
As I’ve mentioned earlier this year, I was looking at specialized virtualization security training options, aiming to attend one or more throughout the year. Fortunately I was not only able to find a course close to me, I also managed to convince my boss to fund the training (thanks boss). Originally my favourite was SANS 577, but at the time it was not offered in EMEA. Of course, as soon as I committed to VMWare Hacking Uncovered, SANS announced they would run their “Virtualization Security Fundamentals” during SANS London.
Originally called “VMWare Hacking Uncovered”, the course owner VMTraining has meanwhile decided to re-brand it to “Advanced VMWare Security”, which didn’t affect the actual course content. In the UK the training is formally provided by Firebrand, but the course material and trainer are from VMTraining. With the scene set, let’s look at the details.
Training facilities & organisation
As said, VMTraining is leveraging Firebrand to host their training. What this means is that the booking, organisation, facilities, etc. are provided by Firebrand. Firebrand has quite a good reputation and, from my experience, rightfully so; their training advisor did his best in a pre-booking conversation to ensure the training is suitable for me (or rather that I’m able to keep up with the course material) and kept in contact once the training was booked to inform me of changes. The training location, a conference/training centre somewhat north of London, was a perfect environment to study long hours. Three very edible meals a day were included in the training fee (as well as a constant supply of fresh fruit) and, much to my delight, hot filter/drip coffee, not that despicable instant stuff out of a push-button machine, was provided throughout the day (as were tea, water and various soda drinks). The classrooms were pretty modern, sporting newish 20″+ TFT screens and air conditioning.
Curriculum & course material
There were no real surprises with the actual course content, as it was quite close to what’s listed in the course description. I was a bit disappointed that the course is not quite up to date, which means that, at least in courses running in late 2010, the VMWare ESX 4.1 vShield technologies (App, Endpoint, Edge) are not actually part of the material; VMsafe/vShield Zones is, however. The trainer, a knowledgeable and nice chap called Aman, made sure that he understood the background and experience of each student to tailor the focus for the week accordingly. As expected, the obligatory virtualization and VMWare administration basics took most of Sunday evening (yes, you’re starting Sunday 6pm; don’t expect much leisure time while you’re on this course) and Monday/Tuesday. Depending on your experience and background (VI, storage, network) this can be a bit of a drag, but in my case the trainer managed to keep it interesting for everyone.
The mid-week deals mainly with penetration testing topics, progressing through footprinting, scanning, enumeration and penetration. There are several labs on these topics, which are scheduled to take most of the afternoons. The problem with this is that if you are already familiar with the tools discussed you’re likely to spend most of the day bored and wondering what they have to do specifically with virtualization security. If you were always wondering what Nmap, Cain & Abel, Nessus, Saint, etc. are and what they do, you’re gonna enjoy this part of the course. The best part in my view was playing with Metasploit’s VASTO modules and discussing their background, implementation and implications.
Towards the end of the week the focus shifts to the hands-on/operational topics, namely ‘Hardening’. This is exactly what you’d expect, and if you are looking for information on what to watch out for and how to increase the security posture of your VI environment, these sections and labs are just the thing for you. That said, if you are already very familiar with Linux and/or ESX console security (e.g. SSH, sudo, …) you might want to get an extra cup of coffee. The last chapter consists of a selection of 3rd party security solutions for VMWare (the usual suspects: Catbird, HyTrust, Altor, Trend Micro, ..) and what they do/don’t do for you. I found this section to be somewhat shallow and half-hearted, which resulted in a bit of a ‘meh’ feeling, but if you never looked at these vendors it certainly is a good starting point to go off and read (a lot) more about their respective solutions.
The exam
So you want to be a Certified Virtualization Security Expert (CVSE)? We were warned (more of a heads-up, really) by the trainer that the exam, which you are going to take on Friday afternoon, is a difficult one. What I realized during the quiz (sample questions for the exam) that wrapped up each day is that the exam is not difficult as in “you need to be smart and experienced” but more as in “you have to be lucky enough to think like the guy who authored the question”. The students and the trainer got into more than one intense discussion about the answers and the way questions were formulated, sometimes resulting in the conclusion on both sides that the question is rubbish. Lots of feedback was provided on how to improve the exam questions and, not entirely surprisingly, none of the students passed the exam. Passing is very much possible, but it is a bit of a frustrating experience; that said, I will probably give it another try in a few weeks, when our feedback has hopefully been included in the exam pool. (I missed by 1% in case you wondered.)
So would I recommend this course to someone who is interested in virtualization security in general and VMWare security specifically? Absolutely. I would recommend waiting another few months, however, to see if the new security features of ESX 4.1 are then integrated in the course material and, if that is of importance to you, whether the exam has matured somewhat more. And now let’s see how I get onto that SANS 577.
CSA CCSK, what to expect?
I had been planning on doing the CloudSecurityAlliance “Certificate of Cloud Security Knowledge” for a few weeks (from the day they announced it, to be more precise) and was looking around for some more information as to what I can expect during the certification process. Unfortunately the usual search engine investigation didn’t turn up too much information, so I decided to go ahead and give it a try to see what it is all about. Key points to know about the certification process:
- Read the FAQ, it contains lots of useful information
- The certification fee is 195 USD until the end of 2010. After that it will go up to 295 USD.
- You’ll get a second chance if you fail your first try (only 2010)
- The test consists of 50 questions, of which you need to answer 80% correctly within 60 minutes
As described in the FAQ, the questions are based on the common body of knowledge (CBK), which at this time includes the CSA “Security Guidance for Critical Areas of Focus in Cloud Computing V2.1” and ENISA’s “Cloud Computing Risk Assessment“. The weighting given in the CCSK prep guide (70% CSA guide, 20% ENISA report, 10% applied knowledge) seems fairly accurate.
So how does it work? This is something where I had hoped for a bit more guidance from the CSA, as there is no information on the actual registration and testing process available. In their defense, there isn’t much to it. If you want to take the test you have to register here. Once you are registered you can buy the token to attempt the test. The purchasing process is handled via PayPal (either your usual PayPal account or a PayPal-mediated credit card payment) or prepaid invoice. Assuming the purchase process completed successfully you are good to go; just click on that big button to start the test. There is no need to attempt the test right after purchase; you can log back in later from anywhere you like to start the process.
The test itself is very straightforward; as soon as you start the test the timer ticks down from 60 minutes and you go through the questions. No (too) confusing wording [...] just 50 multiple choice questions, with the option to mark a question for later and a direct link to all of the questions for review. When you’re done answering, just hit the button “Submit for marking” (forgot the correct wording here, sorry) and you’ll get the result right away, with a small breakdown of how well or badly you did by domain, very much comparable to Microsoft tests and similar.
Looking back, I thought the test would be a bit more difficult. Not necessarily in the knowledge that is required, but in the time you have to complete the questions. Many of the questions are very quick to read, so most people will be able to go through them at a comfortable pace and still have plenty of time left for review. I think the certification would benefit from additional questions (maybe 60-75 overall) to verify that the test taker really has the key parts of the CBK memorized, and from more detailed guidance in the domain breakdown rating as to which areas might need more attention.
If you pass the test you’ll have the option to download the certificate in PDF or HTML format. Alternatively you can use the email address with which you registered for the test together with your CCSK code, which you receive once you have passed, to validate that you’re really certified. On the CCSK page look for the validation check box.
If the email address and validation code are recognized you should see a result similar to this.