[Update: Added Screenshots]

A long time ago I decided that I would never review software that I was asked to look at, and that I probably wouldn't post deals sent my way unless they were truly valuable to my readers. So when I was contacted by Neobyte Solutions with a "special offer" for my readers, I almost hit the spam button. However, I've recently been considering personal backup software (storage is dropping in price and I have a number of systems with critical files these days), so I looked online and saw some features of Titan Backup that I really liked. The initial offer was a copy of Titan Backup 1.5 [download] for free with this serial: 000020-ACM8KK-1YXTMT-JZT4C6-JF18HG-VTR9BJ-VKM9KR-K2923Y.  They also offered a 50% off discount code [NEOB-SGKO] which could be used here to upgrade to Titan Backup 2.5.

I countered with a request for a few 2.5 keys that I could give away to my readers and they were happy to provide a couple. As such, I'm going to give away a few serials for Tital Backup 2.5 on Friday by selecting random people from the comments. Please be sure to include your email address so I can get back to you.

Read more...

I'll start of by saying the second day of SecTor was amazing compared to the first day. We started off with Stepto giving the opening keynote. While it wasn't anything groundbreaking, it was exactly as advertised and well presented. I fully enjoyed hearing him walk through how he got into security, his time with MSRC and how things he'd learned working in security applied to other aspects of his life... it was great.

Following the keynote, I was torn between Pwning the Proxy and Lock picking. In the end personal interest won out and I attended the lock picking session. There was quite a bit of interest information shared and I managed to take a couple pages of notes. One of the coolest things was the how-to on making a combination lock shim using a piece of aluminum from a pop/beer can.

Following the lock picking session was lunch. The meal was much better than the day before. One thing that I didn't get was why so many tables were reserved and there was staff keeping people from sitting at them. The same thing existed on day 1 and the tables were never used, so why were they there are day 2?

Lunch was also great because Johnny Long was the lunch keynote. If you've never seen Johnny speak... make every attempt you can to see him somewhere. He spoke with regards to his No Tech Hacking book (proceeds of which go to Charity) and the presentation was quite amusing and a lot of fun to watch. He gave examples of information gathered by shoulder surfing, dumpster diving, etc. It essentially centered around the non-technical side of reconnaissance or pen-testing. The entire crowd spent the time laughing and fully enjoying themselves (or at least that's how it seemed).

After lunch I checked in on Hoff's virtualization talk. It actually had some interesting information and I was really glad that I'd attended it. I was unaware that there was a Cisco vSwitch for ESX but I really like the concept. It'll enable some very interesting things to happen.

I had planned on attending the talk on identifying crypto in code for the last session of the day, but a old coworker showed up and we spent the session catching up in the keynote room. Following that there was some brief conversation and the wrap-up (which including the awarding of prizes). I did note that a couple of the prizes weren't given away (Checkpoint wireless router/firewall for instance), so hopefully that wasn't just a scam to get business cards.

Then a small group of us (9 people I believe, both speakers and attendees) went out for all you can eat sushi, and a few drinks. I really enjoyed myself day 2 and really enjoyed the con as a whole, there were just some really bad experience on the first day.

I'm definitely looking forward to SecTor 2009!

I debated what to write here, and if I would present the positive or negative points but I figured the only fair way was to describe both, so without further ado, I present SecTor Day 1 - The Good, The Bad and the Ugly.

I figured I'd describe my day from start to fishing, instead of breaking it up by what I did or didn't enjoy.  The day started off with breakfast at Cora's, a group of us met there only because this years SecTor schedule made no mention of a breakfast similar to the one provided last year. Of course, when we showed up, it turned out there was a provided breakfast... at least we know for tomorrow.

The initial keynote was done by the RCMP and I don't even know what to say. Last year's RCMP presentation was depressing (many people that I spoke to today said it was the worst part of last year, and there was a debate over which RCMP keynote was actually worse. This years was made worse by the fact that it was first thing in the morning. It was presented with little enthusiasm and I'll say it... it sucked.

When the RCMP speaks, you'd expect to learn something interesting, in fact a number of attendees mentioned that to me today. Yet nothing interesting was learned. I was eager for this talk (as I was eager for the keynote last year), I figured they had learned from last year and that this year the RCMP would do better. I took about a page of notes, but got nothing of interest. The names of a few councils (ITAC Cyber Security Forum and CBOC's Council on Security & Tech) and learned that there was a Cyber Security Conference in Gatineau on Nov. 5 & 6. That could have been a single slide, or better yet a hand-out. The rest was useless, this was evident by the people falling asleep and the notes left on Twitter.m

I was also rather offended by a closing remark that David Black made regarding them looking for trained University graduates. I attempted to open my notebook and write down his email address to contact him but unfortunately the slide was removed from the screen. If anyone wants to pass this along to him, it would be appreciated. [Begin Side Rant] I'm getting really tired of this biased hiring practice in many places that requires a University degree, it's a useless, archaic requirement (much like the requirement for various certifications [which we see more and more people dropping from job postings]).  Many of the really bright IT/IS people that I know have no formal education or a college education... it's a shame to see so many places discriminate... especially places like the government. I'd think that workplace equality would include method of education, and place the importance on actual skills and knowledge[End Side Rant].

Needless to say... KeyNote #1 was a fail.

Up next was the first session. None of the session interested me, so I decided to check out the lock picking village. I was in the hall by the vendor displays, so I visited each display on my way over, and failed to make it to the lock picking village before the first session was over. I did have some great conversations with the vendors that were present though. A big thank you to all of them for the sponsorship that they provide.

While there was nothing that caught my interest, I know people that attended both 'Double Trouble: SQL Rootkits and Encryption' and 'Network Security Stripped: From layered technologies to the bare essentials". I can say that I didn't hear negative reviews about either presentation. In fact most people liked what they saw, and those that didn't like it were fairly neutral in their comments.

Lunch and a Panel Discussion were up next. The lunch was Monday's left overs... my chicken fell off the plate and bounced; there was Twitter discussion around having a chicken bouncing competition. Yet that was almost the highlight of the lunch. The real saving grace on the panel was Hoff. I understand why everyone was up there; a number of them were sponsors and probably wanted to say their piece, but still... We basically had 8-minute, extremely dry lightning talks. A panel usually involves some sort of discussion or interaction, they was basically everyone bragging about themselves and drew quite a bit of twitter traffic

Following lunch, we had what I would call worst organizational decision made by the organizers. They did fairly well this year... there is some good content (you just have to dig to find it -- My favourite part of today was hearing (a couple of times), 'the talk that you submitted would have been much better than this'), the swag was cool, a lot of people had positive comments about the notebooks and the bags and there's an increased social aspect. The mistake however, was a really bad one... it was the mistake of placing the bulk of the good speakers in competing time slots. This happened today by having HD Moore, Jay Beale and Raven in the same time slot. Those are three talks I would have gladly gone to see, and I had to pick one. From what I hear this happens tomorrow as well. I'm really looking forward to Hoff's talk, however I've been told that James Arlen is quite the impressive presenter as well.

In the end I decided to go with Jay Beale's discussion of the concepts behind his new tool, 'The Middler'. It was everything that a tool presentation should be. The tool wasn't shown or mentioned... the concepts and techniques were discussed. Not only did the presentation have some interesting information (I filled three pages in my notebook) but Jay did an amazing job with his presentation. This presentation alone made up for the lackluster performances up to that point (although I was quite disappointed about the stacking of the time slot).

To briefly go back to the time slot, I believe the concept that was tried was to put the big speakers up against each other and then everyone else was grouped together, this was to ensure a somewhat even distribution of attendees and to avoid empty rooms. My feeling on this... if the persons presentation runs the risk of an empty room, regardless of what they are up against... don't accept the presentation. I'll stop ranting on this now... it's done and unfortunately it can't be fixed.

For the next time slot, I decided on attending Googless. I was excited... it seemed really relevant to some of the work that I do. I don't even want to talk about this presentation... the slide show background was disturbing, and Christian had no life to him, as well he asked for donations on like the third slide (also the first time I've seen a license on a presentation) and informed us that would have to wait until December to see obtain the slide deck. I guess Christian thought that this was the most popular presentation at SecTor... judging by how many of us walked out during the presentation, I really doubt that. It wasn't good.

I spent the last portion of that presentation speaking with colleagues before the rooms emptied out and the last series of sessions were to begin. I had originally intended to see the RFID presentation, however I managed to catch up with Jay Beale to further discuss the Middler as I was rather intrigued. So we were able to sit and discuss it for a short period of time. A few more people joined us and we moved to the keynote room for discussion and to await alcohol. This once again was an amazing opportunity to network with people, and proved to be more useful than attending the talks (or so I read (and heard)). I once again have to say kudos to the organizers for this... Anything that lets you get together with other people to basically 'talk shop' is a great thing and many opportunities were presented.

During the Microsoft sponsored reception our table grew and we had a lot of fun. Then speakers departed and the bar closed, and unfortunately I wasn't able to make it to the party, however the day still had a number of high points. I realize this may seem like a griped a lot, but given that this was year two, I had higher expectations than last year and I'm not sure those expectations were fully met... but as I said, I did enjoy quite a bit of it. Tomorrow is another day, and there are a number of time slots where I'm interested in more than one presenter, so we'll see how it goes.

So I was lucky enough to be able to take part in SecTor training this week (as I previously mentioned). I spent all day Monday in HD Moore's Metasploit training.

Having been been an avid metasploit user for quite some time, I was hoping that the training would include some features that were unknown to me.  I definitely wasn't disappointed.

The initial portion of the training was fairly straight forward and included writing a basic auxiliary module and a plugin. The basics of Metasploit use were also covered.

This occupied roughly half the day, at which point we had lunch... the food wasn't great but it also wasn't awful. Then we were right back into the training.

Over the course of the afternoon we covered meterpreter, NTLM (smb_relay, and some others), Wireless and IPv6. A number of new and interesting things were covered and I really enjoyed the afternoon.

Following the training, myself and a colleague who also attended to the training met up with HD and a few other speakers and attendees to grab dinner. This was the sort of thing that I really enjoy about the cons, sitting around the table with a few beer talking shop. While I enjoy the talks, a lot of the time there's nothing overly new and it's when you're chilling and chatting that you really get a chance to discuss the interesting things.

At the end of the day, the training was definitely worth it. The only real shame (although a bonus for those of us attending) was that the training room was so empty... We had ~11 people. My worry is that SecTor won't be able to get decent trainers next year unless they can increase the attendance numbers.

Stayed tuned for another post on SecTor - Day 1... (which will eventually be followed by SecTor - Day 2).

So I spent today in training @ SecTor. I attending HD Moore's metasploit training and rather enjoyed myself... I picked up a couple of things that I'd been previously unaware of.  Since I was already onsite, I took advantage of the open registration booth and picked up my SecTor goodies.

Instead of the cooler bag (last years very cool SecTor registration goodie), there's a rather nice tote with the SecTor logo on it. Inside the bag was the usual advertising literature, a nice Leed's notebook with a metal (I think) cover, with the SecTor logo, and a pen and BlackBerry screen cleaner.

The badges are quite nice... given that the program includes a picture of the DefCon badge, I imagine they were trying to go with something along those lines. Rather than the hard plastic, "corners will cut you when you attempt to touch it" badge of last year, the badge this year is rather cool. There's a usb cable enclosed on the back of the badge and when you connect it, you find that it's a 1GB storage device. Definitely a step up.

I took pictures to attach, but I'm getting an error, so I won't be uploading them tonight... I'll try again tomorrow.

Now given that it's 2AM and I'm meeting people for breakfast in 5.5 hours, I should probably grab some sleep... but on that note... The program this year doesn't mention a breakfast, so some of us are meeting at Cora's on Spadina (not far from the MTCC) at 7:30 if anyone happens to read this between now and then and wants to join us.

Hey All,

I wanted to do a brief repost over here to direct everyone to the 5-part non-technical blog series that I did on cons (for the most part) and con experiences. This was my contribution to blogging following Blackhat / DEFCON.

1. Being a Research Engineer at a Blackhat Booth
2. Competitors Can Be Civil
3. Why DEFCON Sucks
4. Why the Social Aspect of Cons is Important
5. What Can Be Done to Improve the Cons.

Enjoy!

Hey Everyone,

So Blackhat/Defcon is behind us... Instead of blogging about the talks, I've taken a different approach and I've been doing some non-technical blogging. In the end it will be a 5-part series, but the first three are already up.

They are:

1. Being a Research Engineer at a Blackhat Booth
2. Competitors Can Be Civil
3. Why DEFCON Sucks

The last two will most likely appear early next week.

Also, now that Blackhat/ DEFCON are over... What's next? As far as I know the next Con I'll be attending is SecTor. Last year was the first SecTor and I had the opportunity to attend. SecTor will actually make it's way into my upcoming blog series (from above) on the VERT Blog. That being said, I wanted to remind people that it's coming up, after all... it's held in Toronto and I live in Toronto, so the more people that attend, the more people I get to meet.

For anyone who didn't get a chance to visit SecTor last year and is curious about the quality / style of the talks, I tried to write-up everything that I saw.

• Overview
• Growing the Security "Profession"
• TCP/IP Perversion
• Zen and the Art of Cybersecurity
• Web Application Works - The Future of Browser Insecurity
• Exploit-Me Series
• Defending Layer 8
• Black Ops 2007: DNS Rebinding Attacks
• Hacking Hollywood
• Modern Trends in Network Fingerprinting.

Of course, these are biased because they're all my opinion, but I do recommend the Con for anyone that can make it up this way. Let me know if you'll be coming up and we'll make arrangements to get together for a beer.

The other day I posted raw data comparing nmap, PortBunny and Unicornscan... I thought today I'd provide some of my thoughts on what the data shows us.

In the end I scanned 5 hosts running a variety of operating systems and I think I gave a fairly decent small scale spread and one initial comment I'd like to make is on the scanning of the HP LaserJet 4MV... While not all scanners found all the ports, they were all able to scan it... which I found fairly impressive... especially considering I've crashed it numerous times in the past playing with advanced options in port scanners and packet creation programs.

Now for the anlysis... Was there a winner? At first I didn't think so... but once I created the graph it became fairly evident that there was. Before I declare the winner... let's take a look at what we saw.

Unicornscan

I was fairly impressed with unicornscan the first time it ran... at least from a speed standpoint. That is until I ran nmap and PortBunny. While unicornscan (on a standard scan, default ports) was able to provide consistent speeds... it was clear that on systems with fewer open ports... there was a huge disadvantage in the design of unicornscan... The consistent speeds were still occurring. If we look at my shell box for example (Ubuntu 6.06 PPC on an old 350Mhz iMac), we see that unicornscan took what appears to be a respectable 9.2 seconds. However, nmap took only 1.5 seconds and PortBunny was less than a second at 0.7 seconds.

The full port scan also didn't bode well for unicornscan. On two hosts, the printer and the gateway, it failed to find any open ports... These are both slower systems (the older printer, and a soekris 486 for the gateway) so perhaps they couldn't keep up with the speed of the scan... or perhaps unicornscan was scanning too fast even for itself.

In the end, after seeing the results of nmap and PortBunny I was rather unimpressed with unicornscan.

nmap

I was quite impressed with nmap. During the default scan it tied PortBunny with lowest number of missed ports (of course this is due primarily to the various scanners default port list) and on a full port scan, it was the only scanner to find all open ports. In addition to having the lowest miss port rate... it boasted the fastest times... coming in 17.5 minutes faster than PortBunny on a full port scan, and 16 seconds faster on a default scan.

Additionally when I provided nmap with the '-T5 --max-retries 0' options, it blew PortBunny out of the water... it missed two additional ports over PortBunny on one of the 5 hosts, however the time difference was 5.3 seconds to 74 seconds... nmap was 68.7 seconds faster.

PortBunny

Given all the hype surrounding PortBunny and the fast that is is a "Linux Kernel-Based Port Scanner" (which is supposed to work to it's benefit), I was expecting great things... instead I was seriously disappointed. There wasn't a single scan where PortBunny fully out performed nmap... You have to set nmap to get ridiculous scan speed (scanning "almost too fast") in order for PortBunny to even manage to find more ports than nmap and then it takes ~15 times longer to find those 2 extra ports... Without those "almost too fast" options, nmap still performs faster than PortBunny and with more accuracy.

There was one host where PortBunny was able to outperform nmap, however that was with nmap doing a default scan... when timing options were adjusted, once again PortBunny failed to beat nmap.

Decision

When I started this challenge, I wasn't sure what the outcome would be... the only prediction I had was that unicornscan would be defeated by both PortBunny and nmap. This proved to be true... Between nmap and PortBunny, due to the hype around PortBunny and the claims that I had seen... I really wasn't sure. I expected it to be a close battle between the two... at most a TKO... but in the end it was a straight-up KO and in reality PortBunny was never really a contender.

Winner: nmap

There's been quite a bit of mention lately of PortBunny, the new port scanner from Recurity Labs. The scanner is Linux kernel-based and provides a TCP SYN Scan. I figured that I'd put the scanner to the test against nmap and Unicornscan.

Here's the rundown of the setup used:

Software + Version:

• Unicornscan 0.4.7-2
• nmap 4.53
• PortBunny 1.0

Scanning Host:
OS: Ubuntu 7.10
Kernel: 2.6.22-14-generic
Processor: Intel Pentium M 2.13Ghz
RAM: 1GB

Install Process:

1. Obtain archive
2. Extract archive
3. ./configure *No custom config options used for any of the software*
4. make
5. make install

Tested via Python:
Test Script (Note: I can't get my lines to tab properly, so tab over the four lines following def test):

import time, os

def test ( prog ) :
startTime = time.time()
os.system( prog )
endTime = time.time()
print ( 'Execution Time: %f' % ( endTime - startTime ) )

Targets:

• vista - Vista Home Premium
• shell - Ubuntu 6.06.1 LTS (2.6.15-28-powerpc)
• minibox - OS X 10.4.11
• printer - HP LaserJet 4MV
• gateway - m0n0wall 1.231

Scan Notes:

• PortBunny requires an IP Address, it won't run against hostnames.
• PortBunny doesn't sort the results list.
• Unicornscan missed all ports on printer and gateway when scanning ports 1 - 65535.
• PortBunny missed a port on printer when scanning ports 1 - 65535.
• nmap missed 2 ports on printer when scanning with -T5 --max-retries 0.

Results:

Raw Data, including ports found, after the jump.

Read more...

SecTor Day #2
Speakers: Ryan Poppa and Jay Graver
Presentation (pdf)
Download Audio (with Slide Deck) (wmv)

This was the final talk that I attended prior to the wrap up. I already knew what to expect for the most part, since Ryan and Jay are colleagues at nCircle.

The hour long presentation started with 30 minutes of background presented by Jay. The discussion itself focused around network fingerprinting (detecting versions of operating systems and listening services over a network) and, more specifically, HTTP server fingerprinting. The background included a comparison of currently available tools and included nmap, amap and httprint. Jay looked at the results of these tools against modern servers... first while displaying their standard banners and then using obfuscated banners. When faced with obfuscated banners the tools didn't fare so well.

The second half of the presentation, presented by Ryan, included what was really the "meat" of the presentation... the discussion of a new tool, httpfp [link coming as soon as the tool is released], which uses a new approach to fingerprinting. Ryan pointed out numerous aspects of a HTTP Server response that can be used to determine the type of software that the server is running, even if banner obfuscation is being used. Some of the included identification points were:

• Case of the Content-Length header (Content-Length/Content-length/content-length)
• The existence of Public or Allow headers
• The order of the options presented in the Public/Allow header

The concept is definitely cool and I'm really looking forward to see what advancements and improvements will be made in the future. It was also a great way to round-up the conference.

[Updated Links]