Wednesday, September 02, 2009

More Links

I found another review of WFA 2/e this morning, this one on the ISC^2 web site, from Jesse Lands...thanks! I greatly appreciate when folks take the time to let me know what they thought (what they liked or disliked) about the book. To whomever...Thanks! This is in addition to the 14 reviews on the Amazon page for WFA 2/e...

Seems the folks at SpiderLabs will be putting on a Malware Freakshow presentation at a conference in Toronto coming up soon. Also, it sounds as if the presentation is going to be pretty interesting...take a look at this excerpt from the DarkReading article:

In a memory-dumping attack, the attacker reads the unencrypted transaction or other information that sits in memory before it goes to the actual application. The hotel attack included several pieces of malware, including code that dumps the contents of the memory onto the attacker's machine, and another that performs data parsing. "One piece installs itself as a service so the malware can come back when it needs to boot up," Ilyas says.

I'd run into the same malware myself during an exam, and one of our team members had seen an earlier version a year so prior to that. This shows how pervasive this stuff can get! In the instances I'm aware of, the intruder gained access to the internal network and then gained domain admin access...most often due to weak passwords...and then targeted very specific systems, and installed the software mentioned in the article.

Also, if you're going to the conference, be sure to check out Chris Pogue's Sniper Forensics presentation.

On the topic of visualization, check out the VizSec2009 conference. This looks really interesting, as visualizing malware program flow, for example, can be extremely helpful. One of the things I've been struggling with is to understand how to graphically represent timeline data so that an analyst can use that to determine what happened and when; however, there's just potentially so much data that I've been having a very difficult time trying to come up with some way to represent what happened. Right now, its a manual process to sift through the data looking for the smoking gun(s), and representing the findings can be done with a table or an Excel spreadsheet.

It looks like I'll be attending HackerHalted in Miami later this month, and Syngress is not only a sponsor but will have books available. I'll try to be available to sign books...if I'm not at the booth, just grab me (beer's always welcome!!).

And finally, for the VMI alumni in the readership, I picked up follower number 89 today!


Jesse said...

My name is on the review, but it doesn't matter. It's a great book. I've already convinced three people on my team to read it. Good work.

H. Carvey said...

Sorry, Jesse...missed that. Corrected the post. Thanks again.