Nabble - Security - Linux

Re: Hardening CentOS

2009-11-24T08:25:54Z

Here is a link to a YouTube demo of the 3.1 product that was shot at the RedHat Summit earlier this year. The new product coming out in Dec 2009 will also support Novell SUSE and OpenSUSE and Fedora 11.

http://tcs-security-blanket.blogspot.com/ is the technical blog for the product and has tons of great content.

Demo

David,
Thanks for the mention of Security Blanket. I've written a quick synopsis of the product and provided a link for a free trial here.
Security Blanket by Trusted Computer Systems Linux Solaris Hardening Lockdown
<script src="http://n2.nabble.com/embed/f3121579"></script>

David A. Kennel wrote:

A good place to start would be the Center For Internet Security Red Hat
Enterprise Benchmark and the NSA Secure Configuration Guide. You could
also check out the Security Blanket tool by Trusted Computing Solutions
or Bastille.

Link farm:
http://www.nsa.gov/snac/downloads_redhat.cfm?MenuID=scg10.3.1.1
http://www.cisecurity.org/
http://www.trustedcs.com/SecurityBlanket.html
http://bastille-linux.sourceforge.net/

Florin Iliescu wrote:
> Helo,
>
> Can anybody help me with some procedures to secure a CentOS server? I am going to use it for receiving files over Internet with SFTP.
>
> Thank you,
>
> Florin
>
>
>
>

--
--
David Kennel

Re: Linux Hardening

2009-11-24T08:19:09Z

Security Blanket by TCS is an automated lockdown tool for Linux and Solaris. TCS helped create the linux 2.6 kernel and is listed on the NSA webpage for having created the MLS extensions to SELinux.

The product blog is http://tcs-security-blanket.blogspot.com/ with tons of content, example reports, links to industry recognized lockdown criteria

Security Blanket supports:
RHEL 4 and above
Oracle Ent Linux 4 and above
Fedora 10 and above
SUSE 11 and above
OpenSUSE 11 and above
Solaris 10 x86 and SPARC

It runs on System z, SPARC, 32 bit and 64 bit x86 architectures and PowerPC

Here is a demo of the 3.1 GA version and a newer version from RedHat Summit 2009 and a new product will release Dec 2009

jvicente wrote:

Hi,

I was looking for a Linux hardening tool. I found Bastille. The latest = version that I was able to find is 3.09. I cannot seem to get this = version to work on later versions of Linux (RHEL 5, FC 6,7) = distributions.

Is this tool still being supported? Is there a similar tool out there?

Thanks in advance,

JP

Replicating the Gonzalez Cyber Attacks through Penetration Testing

2009-11-20T16:07:10Z

--------------------------------------------------------------------------------
YOU'RE INVITED: IT SECURITY ON DEMAND WEBCAST

"Replicating the Gonzalez Cyber Attacks through Penetration Testing"
Register: http://www.coresecurity.com/Form/generic/campaign/SecurityFocusGonzalez
---------------------------------------------------------------------------------

Recently, we saw the indictment of cybercrime kingpin Albert Gonzalez, one of the accused masterminds behind high-profile data breaches at Heartland Payment Systems, Hannaford Bros. Supermarkets, 7-Eleven, and TJX. Next week, Core Security Technologies will present a hands-on look at the attacks Gonzalez and his co-conspirators are believed to have used in breaching these organizations.

Leveraging the actual indictment document as a guide, Core Security senior product manager Alex Horan will use CORE IMPACT Pro penetration testing software to demonstrate the techniques by which Gonzales allegedly stole millions of credit card numbers* - showing you how to identify IT exposures in your own environment before cybercriminals do.

> Register here: http://www.coresecurity.com/Form/generic/campaign/SecurityFocusGonzalez

During the webcast, you'll see a step-by-step depiction of an attack similar to that described in the Gonzalez indictment, including the following critical stages:

* the initial web application compromise via SQL Injection
* the use of a well-known backend database command to make the attacks even
* more invasive
* the planting of malware on the backend database server
* the collection and transmission of credit card transactions to the
* attackers

Through the demonstration, you'll also learn how commercial-grade penetration testing software enables you to see your IT systems as an attacker would -- not only by determining if the kinds of issues that Gonzalez reportedly leveraged are present in your environment, but also by ...

* assessing how deployed defenses react to specific threats
* revealing what systems and data would be exposed by a breach
* depicting how chains of vulnerabilities open paths to mission-critical
* systems and information
* providing actionable data for immediately mitigating critical exposures
* repeating tests to ensure the effectiveness of remediation efforts

This webcast is ideal for anyone interested in proactively assessing their security posture against real-world cyber threats.

> Register here: http://www.coresecurity.com/Form/generic/campaign/SecurityFocusGonzalez

Smart-Card Open Test Toolkit

2009-10-28T00:24:30Z

Hi all,

I would like to announce the availability of SCOTT, an open, modular and
extensible smart-card shell, which can be used for interacting with
smart-card devices, i.e., browsing its contents or also using the
on-board capabilities, as well as for automating such smart-card
operations by means of scripts. The envisioned usage scenario is around
automated smart-card configuration like needed during the development of
smart-card based applications, where one may have to repeatedly perform
a set of operations onto a smart-card, usually for testing purposes. For
example, "formatting" a card and loading some certificates and keys, or
loading some (updated version of a) JavaCard Applet. This is the
motivation for the project name: Smart-Card Open Test Toolkit.

The idea is to have a basic core constituted by a command-line
interactive shell, where external plugins define sets of commands which
can be:
-) commands related to some particular smart-card API, like the "system"
scott-pcsc plug-in, which provides shell commands for listing available
readers, checking status, connecting to the inserted device and sending
generic APDUs;
-) commands corresponding to a set of command APDUs defined by some
specific standard, like the scott-iso7816 plug-in, currently supporting
ISO 7816-4 file management commands
-) commands corresponding to the specific set of APDUs supported by a
particular smart-card device, like the scott-cryptoflex8 plug-in,
currently supporting specific capabilities of the Schlumberger
Cryptoflex 8K device.

Other plugins which may come in the future could be for supporting
loading of JavaCard applets, for supporting specific commands of
particular devices, or for supporting other standard APIs.

The shell has a built-in type-system, by which a plug-in can define its
own set of types. This allows for example to exchange high-level
information with the user in a structured form (the classical example is
when one provides the set of information needed to create a new file, or
when one selects an on-board file and retrieves its "descriptor").

Also, it has a built-in variables environment, by which one can assign
return types from commands, then supply them to other commands as input,
etc....

The project has been developed by Andrea Angella for his masters thesis
in Computer Engineering here at the Real-Time Systems Laboratory of
Scuola Superiore Sant'Anna, under my supervision, and it has been
released under GPL open-source license. Code is available on gna.org:

https://gna.org/projects/scott

Any comment/suggestion is of course encouraged and very welcome. You can
also use the mailing-list we set-up for the project:

https://mail.gna.org/listinfo/scott-devel/

Thanks for your attention.

Regards,

Tommaso Cucinotta

--
Tommaso Cucinotta, Computer Engineering PhD, Researcher
ReTiS Lab, Scuola Superiore Sant'Anna, Pisa, Italy
Tel +39 050 882 024, Fax +39 050 882 003
http://retis.sssup.it/people/tommaso

SecurityTubeCon CFP, Venue: Cyberspace!

2009-09-09T21:45:34Z

Dear All,

SecurityTube.net is pleased to announce the CFP for SecurityTubeCon, the
first hacker conference, to be held completely online!

SecurityTubeCon is aimed at democratizing hacker conferences by allowing
any researcher, regardless of his physical location, to share his work
with the community. Unlike other Cons we will not *accept / reject*
speakers. If you have something interesting to share, you WILL be heard.
The idea behind SecurityTubeCon is not to pass judgments on your work,
instead, it aims at providing a platform for knowledge exchange.

Once speakers send in their talk abstracts, we will put it online for
the community members to decide which talks they want to attend. On the
day of the conference, speakers will broadcast their talks using
screencasting software and the interested participants will tune in. The
participants will use IRC / chat rooms to ask questions to the speakers
during the talks.

What else is unique about SecurityTubeCon?

a. This conference will be held completely online!
b. Location No Barrier - speak / attend SecurityTubeCon from your bedroom :)
c. Language No Barrier - though we would recommend English as the
preferred language so you can address a global audience, feel free to
speak in the language you are most comfortable with
d. $0 is the conference registration fees - absolutely free

For the CFP and other details please visit the conference site at
http://www.securitytubecon.org

Here is a quick summary of the CFP in an FAQ format:

-----------------------------------------------------------

1. When and Where will SecurityTubeCon be held?

Venue: Cyberspace
Dates: 6th, 7th and 8th November, 2009

2. How will it all work?

a. Interested speakers will send us their talk details
a. We will post the list of speakers and abstracts online
b. Participants will register for talks and will receive webinar invitations
c. Speakers will broadcast their talks using screencasting / web
conferencing software and invited participants will join in
d. The participants will use IRC / Chat rooms to ask questions to the
speakers during the talks

3. Are there any requirements to become a speaker?

Just two:

1. You should know what you are talking about :)
2. You will need to submit a video recording of your entire talk before
the deadline. This will ensure that participants have something to watch
in case there is a last minute technical issue or some other problem.
These videos will be made available absolutely free to everyone a week
after the conference.

4. Awesome! I want to register as a speaker! How do I apply?

To Become a Speaker at SecurityTubeCon, please follow the following steps:

a. Send an email to submissions@... containing the
following information:

I. Talk Title
II. Abstract: Minimum 250 words
III. Language in which talk will be delivered in
IV. Desired Duration: 15 mins / 30 mins / 60 mins?
V. Speaker Names with Email addresses
VI. Speaker Bios: As detailed as possible

b. Once we receive your email, we will post your talk online and send
you a confirmation
c. You will need to submit the presentation, tools, other relevant
material and a video of the entire talk by October 20th, 2009. We will
send you the details on where to upload via email.
d. If the material mentioned in (c) is not received by the deadline,
your talk will be removed from the website
e. For any additional questions, please contact us at
submissions@...

5. How long can a talk be?

15 mins, 30 mins and 60 mins talk slots are available

6. What are the Deadlines?

1. Deadline to Submit Abstracts: October 10th, 2009
2. Deadline to submit the full presentation and video: October 20th, 2009
3. Conference Dates: 6th, 7th and 8th November

7. What kind of talks will be accepted at SecurityTubeCon?

Very broadly, there will be 4 tracks in SecurityTubeCon:

a. Research Track: Show your bleeding edge research and zero days here
b. Tutorials Track: In-depth Tutorials on security technologies can be
given here by domain experts
c. Tool Demos: Demonstration of new and cutting edge tools by their
original authors
d. Security Product Demos: Demos of state of the art security products
by companies and organizations

Topics can belong to a broad spectrum, here are a couple (neither
exhaustive nor limited to):

a. Protocol / Application based vulnerability in networks and computers
b. Firewall Evasion techniques
c. Intrusion detection/prevention
d. Data Recovery and Incident Response
e. Mobile Security (cellular technologies)
f. Virus and Worms
g. WLAN and Bluetooth Security
h. Analysis of malicious code
i. Cryptography and Cryptanalysis
j. Computer forensics
k. Cyber Crime & law
.....

8. How can I help?

a. Please forward this CFP link / email to your friends in the security
/ hacking community
b. Send this CFP to any mailing lists related to security
c. Post a link to the conference website on forums, discussion groups
you frequent
d. Particpate either as a Speaker or as an Attendee :)

9. I have a question? Need more info?

Write to us at info@...

-----------------------------------------

Hoping that all of you will attend and participate!

Cheers!

Vivek Ramachandran

http://www.securitytube.net

CHASE - 2009 Lahore Pakistan | Call for Papers

2009-06-24T00:16:31Z

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ----------------------------------------------------------

C H A S E - 2 0 0 9
Lahore
November 06-10 2009

http://www.chase.org.pk/

- ----------------------------------------------------------

Registration fee for the first day is only Rs. 700/- which
includes lunch, teas and conference material.

A training tool kit of open source software comprising of
a 500 pages book and 9 CDs would be provided FREE OF COST
to the participants of the event.

Limited travel funds are available for speakers coming
outside of Pakistan.

Completely FREE boarding and lodging for all the
international participants of the event.

- ----------------------------------------------------------

CHASE is a unique information and network security event
of its kind being organized in Pakistan since 2006.

In addition to presentations and talks, CHASE-2009 will
include gaming competition and four tracks of trainings.

Limited travel funds are vailable for speakers coming
outside of Pakistan. For details, please visit the website
at:

http://www.chase.org.pk/

[** CALL FOR PAPERS **]

If you are a hacker or a computer and internet security
professional and have something to talk about, then you have
an opportunity to do so at CHASE 2009. Please download and
fill out submission form and send your presentation as early
as possible to:

cfp AT chase DOT org DOT pk

Last date for filing submissions is Friday September 04, 2009.

Limited travel funds are available for international speakers.

All those individuals who would like to present are urged to
at least send their abstracts as early as possible to the
mail above. To see guidelines for submission, please visit
the following page:

http://www.chase.org.pk/en/index.html

[** TRAININGS **]

This event would offer trainings in four tracks. To see
details of the training and to get registered, please visit
the link below:

http://www.chase.org.pk/en/training.html

There is special discount for early registration.

[** Call For Participation **]

Those who just want to participate may please register as
early as possible. Just visit the website or send an email
to:

register AT chase DOT org DOT pk.

Completely FREE boarding and lodging is available for
participants coming outside of Pakistan.

A FREE training kit for Open Source Software comprising of
a 500 pages book and 9 CDs will be provided FREE OF COST to
the participants of the event.

The event comprises of five days. First day is for talks and
remaining four days are trainings. You need to register
separately for talks and trainings. To see details and to
see how you can register, please visit:

http://chase.org.pk/en/register.html

Hoping to see you all at CHASE-2009 Lahore.

- - --
CHASE Team
chase@...

Tel: +92 300 452 4903

Friday June 05, 2009.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkopKbwACgkQaVLjC8ViUeIIeACfdlbzYotS/ebEJyUifnxEccVp
pgYAn2DpWCFcnViU9MAqFpapnYQJf2WN
=fOh8
-----END PGP SIGNATURE-----

--
Muhammad Farooq-i-Azam

lists@...
http://www.chase.org.pk/

Re: Hardening CentOS

2009-06-22T09:45:43Z

David,
Thanks for the mention of Security Blanket. I've written a quick synopsis of the product and provided a link for a free trial here.
Security Blanket by Trusted Computer Systems Linux Solaris Hardening Lockdown
<script src="http://n2.nabble.com/embed/f3121579"></script>

David A. Kennel wrote:

A good place to start would be the Center For Internet Security Red Hat
Enterprise Benchmark and the NSA Secure Configuration Guide. You could
also check out the Security Blanket tool by Trusted Computing Solutions
or Bastille.

Link farm:
http://www.nsa.gov/snac/downloads_redhat.cfm?MenuID=scg10.3.1.1
http://www.cisecurity.org/
http://www.trustedcs.com/SecurityBlanket.html
http://bastille-linux.sourceforge.net/

Florin Iliescu wrote:
> Helo,
>
> Can anybody help me with some procedures to secure a CentOS server? I am going to use it for receiving files over Internet with SFTP.
>
> Thank you,
>
> Florin
>
>
>
>

--
--
David Kennel

RE: curuncula dbr rootkit detection tool

2009-05-25T09:44:32Z

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

you appear to be running a release candidate kernel instead of a stable
kernel. as you can see, this source relies on the kernel headers. try
compiling it with a stable kernel. if you are using an unstable version
of gcc, this could attribute to this as well. it's really hard to debug
things if you aren't running stable software.

cheers.

- -----Original Message-----
From: listbounce@... [mailto:listbounce@...]
On Behalf Of Forums
Sent: Friday, May 22, 2009 3:54 AM
To: focus-linux@...
Subject: Re: curuncula dbr rootkit detection tool

Can't seem to compile this on my system.

(skimmer:~/Xploits/curuncula)% make
make -C /lib/modules/`uname -r`/build M=`pwd` modules
make[1]: Entering directory `/boot/src/linux-2.6.28-tuxonice-r8'
CC [M] /home/circut/Xploits/curuncula/curuncula_26.o
/home/circut/Xploits/curuncula/curuncula_26.c:42:1: warning: "rdmsr"
redefined In file included from
/boot/src/linux-2.6.28-tuxonice-r8/arch/x86/include/asm/processor.h:20,
from include/linux/prefetch.h:14,
from include/linux/list.h:6,
from include/linux/module.h:9,
from /home/circut/Xploits/curuncula/curuncula_26.c:33:
/boot/src/linux-2.6.28-tuxonice-r8/arch/x86/include/asm/msr.h:134:1:
warning: this is the location of the previous definition
/home/circut/Xploits/curuncula/curuncula_26.c: Assembler messages:
/home/circut/Xploits/curuncula/curuncula_26.c:232: Error: suffix or
operands invalid for `mov'
/home/circut/Xploits/curuncula/curuncula_26.c:235: Error: suffix or
operands invalid for `mov'
/home/circut/Xploits/curuncula/curuncula_26.c:238: Error: suffix or
operands invalid for `mov'
/home/circut/Xploits/curuncula/curuncula_26.c:241: Error: suffix or
operands invalid for `mov'
/home/circut/Xploits/curuncula/curuncula_26.c:244: Error: suffix or
operands invalid for `mov'
make[2]: *** [/home/circut/Xploits/curuncula/curuncula_26.o] Error 1
make[1]: *** [_module_/home/circut/Xploits/curuncula] Error 2
make[1]: Leaving directory `/boot/src/linux-2.6.28-tuxonice-r8'
make: *** [curuncula_26] Error 2
(skimmer:~/Xploits/curuncula)% uname -a
Linux skimmer 2.6.28-tuxonice-r8 #2 SMP Mon May 4 15:54:00 CDT 2009
x86_64 Intel(R) Core(TM)2 Duo CPU T7100 @ 1.80GHz GenuineIntel GNU/Linux

- -Erik

On Fri, 24 Apr 2009 00:13:59 +0200
Giuseppe Cocomazzi <sbudella@...> wrote:

> Hi,
> I've released a little program named Curuncula.
> Curuncula is a tool shipped as a loadable kernel module that aims to
> detect rootkits based on the Intel debugging support facilities.
> Rootkits that set the GD access flag are also detected. It makes use
> of the "last branch recording" mechanism provided by the Intel
> architecture. Support both the 2.4 and 2.6 Linux kernels.
> Complete source code can be found here:
> http://packetstormsecurity.org/UNIX/audit/curuncula.tgz
>
> I hope you find it useful.
> Regards,
> Giuseppe Cocomazzi
>
> --
> every day above ground is a good one.

- --
Forums <forums@...>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)

iEYEARECAAYFAkoayvAACgkQIBHDN8vm6zuyxACfbQ3xaZ8AwxBtpYGOt8ksdtW3
GzYAoIUBS8gmjrsRdoyKXtnNtX6XHXR/
=hktL
-----END PGP SIGNATURE-----

Re: curuncula dbr rootkit detection tool

2009-05-22T03:53:42Z

Can't seem to compile this on my system.

(skimmer:~/Xploits/curuncula)% make
make -C /lib/modules/`uname -r`/build M=`pwd` modules
make[1]: Entering directory `/boot/src/linux-2.6.28-tuxonice-r8'
CC [M] /home/circut/Xploits/curuncula/curuncula_26.o
/home/circut/Xploits/curuncula/curuncula_26.c:42:1: warning: "rdmsr" redefined
In file included from /boot/src/linux-2.6.28-tuxonice-r8/arch/x86/include/asm/processor.h:20,
from include/linux/prefetch.h:14,
from include/linux/list.h:6,
from include/linux/module.h:9,
from /home/circut/Xploits/curuncula/curuncula_26.c:33:
/boot/src/linux-2.6.28-tuxonice-r8/arch/x86/include/asm/msr.h:134:1: warning: this is the location of the previous definition
/home/circut/Xploits/curuncula/curuncula_26.c: Assembler messages:
/home/circut/Xploits/curuncula/curuncula_26.c:232: Error: suffix or operands invalid for `mov'
/home/circut/Xploits/curuncula/curuncula_26.c:235: Error: suffix or operands invalid for `mov'
/home/circut/Xploits/curuncula/curuncula_26.c:238: Error: suffix or operands invalid for `mov'
/home/circut/Xploits/curuncula/curuncula_26.c:241: Error: suffix or operands invalid for `mov'
/home/circut/Xploits/curuncula/curuncula_26.c:244: Error: suffix or operands invalid for `mov'
make[2]: *** [/home/circut/Xploits/curuncula/curuncula_26.o] Error 1
make[1]: *** [_module_/home/circut/Xploits/curuncula] Error 2
make[1]: Leaving directory `/boot/src/linux-2.6.28-tuxonice-r8'
make: *** [curuncula_26] Error 2
(skimmer:~/Xploits/curuncula)% uname -a
Linux skimmer 2.6.28-tuxonice-r8 #2 SMP Mon May 4 15:54:00 CDT 2009 x86_64 Intel(R) Core(TM)2 Duo CPU T7100 @ 1.80GHz GenuineIntel GNU/Linux

-Erik

On Fri, 24 Apr 2009 00:13:59 +0200
Giuseppe Cocomazzi <sbudella@...> wrote:

> Hi,
> I've released a little program named Curuncula.
> Curuncula is a tool shipped as a loadable kernel module that aims to
> detect rootkits based on the Intel debugging support facilities.
> Rootkits that set the GD access flag are also detected. It makes use of
> the "last branch recording" mechanism provided by the Intel
> architecture. Support both the 2.4 and 2.6 Linux kernels.
> Complete source code can be found here:
> http://packetstormsecurity.org/UNIX/audit/curuncula.tgz
>
> I hope you find it useful.
> Regards,
> Giuseppe Cocomazzi
>
> --
> every day above ground is a good one.

--
Forums <forums@...>

EUSecWest 2009 (May27/28) London Agenda and PacSec 2009 (Nov 4/5) Tokyo CFP deadline: June 1 2009

2009-05-06T15:28:45Z

EUSecWest 2009 Speakers

Efficient UAK Recovery attacks against DECT
- Ralf-Philipp Weinmann, University of Luxembourg
A year in the life of an Adobe Flash security researcher
- Peleus Uhley, Adobe
Pwning your grandmother's iPhone
- Charley Miller, Independent Security Evaluators
Post exploitation techniques on OSX and Iphone and other TBA matters.
- Vincent Iozzo,Zynamics
STOP!! Objective-C Run-TIME.
- nemo
Exploiting Delphi/Pascal
- Ilja Van Sprundel, IOActive
PCI bus based operating system attack and protections
- Christophe Devine & Guillaume Vissian, Thales
Thoughts about Trusted Computing
- Joanna Rutkowska, Invisible Things Lab
Nice NIC you got there... does it come with an SSH daemon?
- Arrigo Trulzi
Evolving Microsoft Exploit Mitigations
- Tim Burrell & Peter Beck, Microsoft
Malware Case Study: the ZeuS evolution
- Vicente Diaz, S21Sec
Writing better XSS payloads
- Alex Kouzemtchenko, SIFT
Exploiting Firefox Extensions
-Roberto Suggi Liverani & Nick Freeman, Security-Assessment.com
Stored Value Gift Cards, Magstripes Revisited
- Adrian Pastor, Gnucitizen, Corsaire
Advanced SQL Injection to operating system control
- Bernardo Damele Assumpcao Guimaraes, Portcullis
Cloning Mifare Classic
- Nicolas Courtois, University of London
Rootkits on Windows Mobile/Embedded
- Petr Matousek, Coseinc

PacSec 2009 CALL FOR PAPERS

World Security Pros To Converge on Japan

TOKYO, Japan -- To address the increasing importance of information
security in Japan, the best known figures in the international
security industry will get together with leading Japanese researchers
to share best practices and technology. The most significant new
discoveries about computer network hack attacks will be presented at
the seventh annual PacSec conference to be discussed.

The PacSec meeting provides an opportunity for foreign specialists to
be exposed to Japanese innovation and markets and collaborate on
practical solutions to computer security issues. In an informal
setting with a mixture of material bilingually translated in both
English and Japanese the eminent technologists can socialize and
attend training sessions.

Announcing the opportunity to submit papers for the PacSec 2009
network security training conference. The conference will be held
November 4/5th in Tokyo. The conference focuses on emerging
information security tutorials - it is a bridge between the
international and Japanese information security technology communities..

Please make your paper proposal submissions before June 1st, 2009.
Slides for the papers must be submitted for translation by October 1,
2009 (Which, oh so rarely, happens we are going to start asking for
them earlier :-P --dr).

A some invited papers have been confirmed, but a limited number of
speaking slots are still available. The conference is responsible for
travel and accomodations for the speakers. If you have a proposal for
a tutorial session then please email a synopsis of the material and
your biography, papers and, speaking background to . Tutorials are
one hour in length, but with simultaneous translation should be
approximately 45 minutes in English, or Japanese. Only slides will be
needed for the October paper deadline, full text does not have to be
submitted.

The PacSec conference consists of tutorials on technical details about
current issues, innovative techniques and best practices in the
information security realm. The audiences are a multi-national mix of
professionals involved on a daily basis with security work: security
product vendors, programmers, security officers, and network
administrators. We give preference to technical details and education
for a technical audience.

The conference itself is a single track series of presentations in a
lecture theater environment. The presentations offer speakers the
opportunity to showcase on-going research and collaborate with peers
while educating and highlighting advancements in security products and
techniques. The focus is on innovation, tutorials, and education
instead of product pitches. Some commercial content is tolerated, but
it needs to be backed up by a technical presenter - either giving a
valuable tutorial and best practices instruction or detailing
significant new technology in the products.

Paper proposals should consist of the following information:

1) Presenter, and geographical location (country of origin/passport)
and contact info (e-mail, postal address, phone, fax).
2) Employer and/or affiliations.
3) Brief biography, list of publications and papers.
4) Any significant presentation and educational experience/background.
5) Topic synopsis, Proposed paper title, and a one paragraph
description.
6) Reason why this material is innovative or significant or an
important tutorial.
7. Optionally, any samples of prepared material or outlines ready.
8. Will you have full text available or only slides?
9. Language of preference for submission.
10. Please list any other publications or conferences where this
material has been or will be published/submitted.

Please include the plain text version of this information in your
email as well as any file, pdf, sxw, ppt, or html attachments.

Please forward the above information to to be considered for
placement on the speaker roster.

cheers,
--dr

--
World Security Pros. Cutting Edge Training, Tools, and Techniques
London, U.K. May 27/28 2009 http://eusecwest.com
Tokyo, Japan November 4/5 2009 http://pacsec.jp
Vancouver, Canada March 22-26 2010 http://cansecwest.com
pgpkey http://dragos.com/ kyxpgp

curuncula dbr rootkit detection tool

2009-04-23T15:13:59Z

Hi,
I've released a little program named Curuncula.
Curuncula is a tool shipped as a loadable kernel module that aims to
detect rootkits based on the Intel debugging support facilities.
Rootkits that set the GD access flag are also detected. It makes use of
the "last branch recording" mechanism provided by the Intel
architecture. Support both the 2.4 and 2.6 Linux kernels.
Complete source code can be found here:
http://packetstormsecurity.org/UNIX/audit/curuncula.tgz

I hope you find it useful.
Regards,
Giuseppe Cocomazzi

--
every day above ground is a good one.

RE: [tool] Unix auditing, Lynis 1.2.5

2009-04-01T17:18:36Z

Michael,

Lynis looks like it has a good future and potential.

I've noticed that several bugs have been reported against the your recently
published edition.
I'm curious if you've a production 'schedule' of any sort?
Are you doing all the work on this, or do you have some assistance?
Will you be releasing a new version with bug-corrections anytime soon?
Would you have something like Bugzilla where bugs can be submitted and tracked
(or considered it)?

I look forward to trying it out and would be willing to give feedback on what I
find. Other than
the public mailing list where other bugs have been reported recently, do you have
another method
you prefer for bug reports?

Good luck with your Linux security audit tool!

R,
-Joe Wulf, CISSP, VCP, USN(RET)
Senior IA Engineer
ProSync Technology Group, LLC
www.prosync.com

-----Original Message-----
From: listbounce@... [mailto:listbounce@...] On
Behalf Of M. Boelen
Sent: Friday, March 27, 2009 13:55
To: focus-linux@...
Subject: [tool] Unix auditing, Lynis 1.2.5

A new version of Lynis is available, which includes currently over 200 tests to
assist auditors and security administrators to audit their Unix machines. The
tool can be executed without a required installation and displays the outcome of
the tests on the screen. Extended information can be found in the log file,
including all the results of tests.

After many releases I want to ask to try this new version and give me input about
what you like to see when checking Unix systems for their security strenghts and
weaknesses.

More information and a download link can be found on the project page:
http://www.rootkit.nl/projects/lynis.html

Regards,

Michael Boelen
--
Original author of Rootkit Hunter and Lynis - http://www.rootkit.nl

EUSecWest 2009 CFP (May 27/28, Deadline April 7 2009)

2009-04-01T14:31:57Z

Call For Papers

The EUSecWest 2009 CFP is now open.

Deadline is April 7th, 2009.

EUSecWest CALL FOR PAPERS

LONDON, U.K. -- The third annual EUSecWest applied
technical security conference - where the eminent figures
in the international security industry will get together
share best practices and technology - will be held in
downtown London at the Sound Club in Leicester Square
on May 27/28, 2009. The most significant new discoveries
about computer network hack attacks and defenses,
commercial security solutions, and pragmatic real world
security experience will be presented in a series of
informative tutorials.

The EUSecWest meeting provides international researchers
a relaxed, comfortable environment to learn from
informative tutorials on key developments in security
technology, and collaborate and socialize with their peers
in one of the world's most most important technology
hubs and scenic cities. The timing of the conference
allows international travelers to travel to Berlin for
FX's Ph-Neutral on the weekend, and Rennes the
following week for SSTIC.

We would like to announce the opportunity to submit
papers, and/or lightning talk proposals for selection by
the EUSecWest technical review committee. This year we
will be doing one hour talks, and some shorter talk
sessions.

Please make your paper proposal submissions before
April 7th, 2009.

Some invited papers have been confirmed, but a limited
number of speaking slots are still available. The
conference is responsible for travel and accommodations for
the speaker (one speaker airfare and one room). If you
have a proposal for a tutorial session then please email
a synopsis of the material and your biography, papers
and, speaking background to secwest09 [at] eusecwest.com .
Only slides will be needed for the paper deadline, full text
does not have to be submitted - but will be accepted if
available.

The EUSecWest 2009 conference consists of tutorials on
technical details about current issues, innovative
techniques and best practices in the information security
realm. The audiences are a multi-national mix of
professionals involved on a daily basis with security
work: security product vendors, programmers, security
officers, and network administrators. We give preference
to technical details and new education for a technical
audience.

The conference itself is a single track series of
presentations in a lecture theater environment. The
presentations offer speakers the opportunity to showcase
on-going research and collaborate with peers while
educating and highlighting advancements in security
products and techniques. The focus is on innovation,
tutorials, and education instead of product pitches. Some
commercial content is tolerated, but it needs to be backed
up by a technical presenter - either giving a valuable
tutorial and best practices instruction or detailing
significant new technology in the products.

Paper proposals should consist of the following
information:
1. Presenter, and geographical location (country of
origin/passport) and contact info (e-mail, postal
address, phone, fax).
2. Employer and/or affiliations.
3. Brief biography, list of publications and papers.
4. Any significant presentation and educational
experience/background.
5. Topic synopsis, Proposed paper title, and a one
paragraph description.
6. Reason why this material is innovative or significant
or an important tutorial.
7. Optionally, any samples of prepared material or
outlines ready.
8. Will you have full text available or only slides?
9. Language of preference for submission.
10. Please list any other publications or conferences
where this material has been or will be
published/submitted.

Please include the plain text version of this information
in your email as well as any file, pdf, sxw, ppt, or html
attachments.

Please forward the above information to secwest09 [at]
eusecwest.com to be considered for placement on the
speaker roster, or have your lightning talk scheduled. If
you contact anyone else at our organization please ensure
you also cc the submission address with your proposal or
it may be omitted from the review process.

cheers,
--dr

--
World Security Pros. Cutting Edge Training, Tools, and Techniques
London, U.K. May 27/28 2009 http://eusecwest.com
pgpkey http://dragos.com/ kyxpgp

Re: [tool] Unix auditing, Lynis 1.2.5

2009-03-30T05:13:30Z

hi,

very fine!!

here are some errors on debian (5.0) lenny:

- Locate database... [ NOT FOUND ]
Aufruf: locate [-d path | --database=path] [-e | -E | --[non-]existing]
[-i | --ignore-case] [-w | --wholename] [-b | --basename]
[--limit=N | -l N] [-S | --statistics] [-0 | --null] [-c | --count]
[-P | -H | --nofollow] [-L | --follow] [-m | --mmap ] [ -s | --stdio ]
[-A | --all] [-p | --print] [-r | --regex ] [--regextype=TYPE]
[--max-database-age D] [--version] [--help]
Muster...

locate-database was present!

########################################

- Checking Exim status... [ NOT FOUND ]

but running exim4
debian source-package self-compiled but std. installation path not changed:
/usr/sbin/exim4
/etc/exim4

########################################

[+] Scheduled tasks
------------------------------------
find: "/var/spool/crontabls": Datei oder Verzeichnis nicht gefunden

########################################

thats it!!

cheers,
chris

---------- Ursprüngliche Nachricht ----------

Von: "M. Boelen" <"M. Boelen" <michael@...>>
An: "focus-linux@..." <focus-linux@...>
Betreff: [tool] Unix auditing, Lynis 1.2.5

Am Freitag, 27. März 2009 schrieb M. Boelen:

> A new version of Lynis is available, which includes currently over 200
> tests to assist auditors and security administrators to audit their Unix
> machines. The tool can be executed without a required installation and
> displays the outcome of the tests on the screen. Extended information
> can be found in the log file, including all the results of tests.
>
> After many releases I want to ask to try this new version and give me
> input about what you like to see when checking Unix systems for their
> security strenghts and weaknesses.
>
> More information and a download link can be found on the project page:
> http://www.rootkit.nl/projects/lynis.html
>
> Regards,
>
> Michael Boelen
> --
> Original author of Rootkit Hunter and Lynis - http://www.rootkit.nl

-------------------------------------------------------

Re: [tool] Unix auditing, Lynis 1.2.5

2009-03-30T01:33:56Z

from fune2fs man page:
-o [^]mount-option[,...]
Set or clear the indicated default mount options in the filesystem. Default mount options can be overridden by mount options specified either in /etc/fstab(5) or on the command line arguments to mount(8). Older kernels may not support this feature; in particular, kernels which predate 2.4.20 will almost certainly ignore the default mount options field in the superblock.
More than one mount option can be cleared or set by separating
features with commas. Mount options prefixed with a caret character ('^') will be cleared in the filesystem's superblock; mount options without a prefix character or prefixed with a plus character ('+') will be added to the filesystem.
The following mount options can be set or cleared using
tune2fs:

see also http://magazine.redhat.com/2007/06/07/tips-from-an-rhce-new-default-mount-options-in-red-hat-enterprise-linux-5/
Tips from an RHCE: New default mount options in Red Hat Enterprise Linux 5

Best Regards, Quentin
BBA, CISSP #322276, MHKIM, PMHKLA, RHCE, BCCPP, BCWAA, LPIC-1
candidate of PMP, C|EH, C|HFI, ECSA, CIA
----- Original Message -----
From: "Zhang Huangbin" <zhbmaillistonly@...>
To: "Quentin Chung@Programmer" <quentin.chung@...>
Cc: "M. Boelen" <michael@...>; <focus-linux@...>
Sent: Monday, March 30, 2009 4:13 PM
Subject: Re: [tool] Unix auditing, Lynis 1.2.5

> Quentin Chung@Programmer wrote:
>> are you sure there has no "acl" option ?
>
> Absolutely.
>
> On my laptop (RHEL 5.3, x86_64):
> ----
> # cat /etc/fstab |grep '/ '
> LABEL=/ / ext3 defaults 1 1
>
> # e2label /dev/sda3
> /
>
> # tune2fs -l /dev/sda3 |grep acl
> Default mount options: user_xattr acl
> ----
>
> --
> Best regards.
>
> Zhang Huangbin
>
> - Open Source Mail Server Solution for RHEL/CentOS 5.x:
> http://code.google.com/p/iredmail/

Re: [tool] Unix auditing, Lynis 1.2.5

2009-03-30T01:13:01Z

Quentin Chung@Programmer wrote:
> are you sure there has no "acl" option ?

Absolutely.

On my laptop (RHEL 5.3, x86_64):
----
# cat /etc/fstab |grep '/ '
LABEL=/ / ext3 defaults 1 1

# e2label /dev/sda3
/

# tune2fs -l /dev/sda3 |grep acl
Default mount options: user_xattr acl
----

--
Best regards.

Zhang Huangbin

- Open Source Mail Server Solution for RHEL/CentOS 5.x:
http://code.google.com/p/iredmail/

Re: [tool] Unix auditing, Lynis 1.2.5

2009-03-29T19:49:36Z

quoted from man mount

Mount options for ext2
The 'ext2' file system is the standard Linux file system. Since Linux 2.5.46, for most mount options the
default is determined by the filesystem superblock. Set them with tune2fs(8).

acl / noacl
Support POSIX Access Control Lists (or not).

are you sure there has no "acl" option ?

Best Regards, Quentin
BBA, CISSP #322276, MHKIM, PMHKLA, RHCE, BCCPP, BCWAA, LPIC-1
candidate of PMP, C|EH, C|HFI, ECSA, CIA
----- Original Message -----
From: "Zhang Huangbin" <zhbmaillistonly@...>
To: "M. Boelen" <michael@...>
Cc: <focus-linux@...>
Sent: Saturday, March 28, 2009 5:49 PM
Subject: Re: [tool] Unix auditing, Lynis 1.2.5

> M. Boelen wrote:
>> A new version of Lynis is available
>
> filesystem ACL support detect is incorrect on CentOS/RHEL 5.x.
>
> It doesn't include 'acl' option in /etc/fstab, but you can check it like
> below:
>
> ----
> # mount | grep '/ '
> /dev/hda1 on / type ext3 (rw)
>
> # tune2fs -l /dev/hda1 | grep -i acl
> Default mount options: user_xattr acl
> ----
>
> --
> Best regards.
>
> Zhang Huangbin
>
> - Open Source Mail Server Solution for RHEL/CentOS 5.x:
> http://code.google.com/p/iredmail/

Re: [tool] Unix auditing, Lynis 1.2.5

2009-03-28T03:30:41Z

M. Boelen wrote:
> A new version of Lynis is available, which includes currently over 200

Another error on RHEL/CentOS 5.x platform:

----
- Checking PAM modules [ FOUND ]
passwd: bad argument --all: unknown option
----

In passwd(1), doesn't metion '--all'.

--
Best regards.

Zhang Huangbin

- Open Source Mail Server Solution for RHEL/CentOS 5.x:
http://code.google.com/p/iredmail/

Re: [tool] Unix auditing, Lynis 1.2.5

2009-03-28T02:49:19Z

M. Boelen wrote:
> A new version of Lynis is available

filesystem ACL support detect is incorrect on CentOS/RHEL 5.x.

It doesn't include 'acl' option in /etc/fstab, but you can check it like
below:

----
# mount | grep '/ '
/dev/hda1 on / type ext3 (rw)

# tune2fs -l /dev/hda1 | grep -i acl
Default mount options: user_xattr acl
----

--
Best regards.

Zhang Huangbin

- Open Source Mail Server Solution for RHEL/CentOS 5.x:
http://code.google.com/p/iredmail/

Re: [tool] Unix auditing, Lynis 1.2.5

2009-03-28T02:42:57Z

M. Boelen wrote:
> A new version of Lynis is available, which includes currently over 200
>

Great work. :)

But i found it doesn't include the openldap configuration directory
(/etc/openldap) for RHEL/CentOS.
Patch attached:

--- include/tests_ldap.orig 2009-03-28 17:40:45.000000000 +0800
+++ include/tests_ldap 2009-03-28 17:41:00.000000000 +0800
@@ -22,7 +22,7 @@
#
#################################################################################
#
- SLAPD_CONF_LOCS="/usr/local/etc/openldap /etc/ldap"
+ SLAPD_CONF_LOCS="/usr/local/etc/openldap /etc/ldap /etc/openldap"
SLAPD_CONF_LOCATION=""
SLAPD_RUNNING=0
#

--
Best regards.

Zhang Huangbin

- Open Source Mail Server Solution for RHEL/CentOS 5.x:
http://code.google.com/p/iredmail/

[tool] Unix auditing, Lynis 1.2.5

2009-03-27T10:55:11Z

A new version of Lynis is available, which includes currently over 200
tests to assist auditors and security administrators to audit their Unix
machines. The tool can be executed without a required installation and
displays the outcome of the tests on the screen. Extended information
can be found in the log file, including all the results of tests.

After many releases I want to ask to try this new version and give me
input about what you like to see when checking Unix systems for their
security strenghts and weaknesses.

More information and a download link can be found on the project page:
http://www.rootkit.nl/projects/lynis.html

Regards,

Michael Boelen
--
Original author of Rootkit Hunter and Lynis - http://www.rootkit.nl

CanSecWest 2009 Speakers and Dojo courses (Mar 14-20)

2009-02-15T18:50:55Z

Final Speaker Lineup for CanSecWest 2009 (March 18-20):
===============================================

The Smart-Phones Nightmare - Sergio 'shadown' Alvarez

Getting into the SMRAM: SMM Reloaded - Loíc Duflot

Network design for effective HTTP traffic filtering - Jeff "rfp"
Forristal, Zscaler

Ninja Scanning - Fyodor, Insecure.org

On Approaches and Tools for Automated Vulnerability Analysis - Tanmay
Ganacharya & Nikola Livic & Abhishek Singh & Swapnil Bhalode & Scott
Lambert, Microsoft

Kicking It Old School: No DNS Packets Were Harmed In The Making Of
This Presentation - Dan Kaminski, IOActive

Binary Clone Wars: Software Whitelisting for Malware Prevention and
Coordinated Incident Response. - Shane Macaulay, Sean Comeau, and
Derek Callaway, Security Objectives

.NET Rootkits - Erez Metula

The Evolution of Microsoft's Exploit Mitigations - Matt Miller and Tim
Burrell, Microsoft

An overview of the state of videogame console security. - Victor Muñoz

A Look at a Modern Mobile Security Model: Google's Android - Jon
Oberheide

Bug classes we have found in *BSD, OS X and Solaris kernels - Christer
Oberg and Neil Kettle, Convergent Network Solutions

Multiplatform Iphone/Android Shellcode, and other smart phone
insecurities - Alfredo Ortega and Nico Economou, Core

Platform-independent static binary code analysis using a meta-assembly
language - Sebastian Porst & Thomas "halvar" Dullien, zynamics

Persistent BIOS Infection - Anibal Sacco & Alfredo Ortega, Core

Decompiling Dalvik and other JavaFX - Marc Schoenefeld

Automated Real-time and Post Mortem Security Crash Analysis and
Categorization - Jason Shirk & Dave Weinstein, Microsoft

SSL, The Sequel: MD5 collisions and EV certificates - Alexander
Sotirov & Mike Zusman

Exploiting Unicode-enabled software - Chris Weber

Chinese Infosec & Malware Overview - Wei "icbm" Zhao, 365menshen

Hacking Macs for Fun and Profit - Dino Dai Zovi & Charlie Miller

...and a variety of lightning talks...

Security Masters Dojo courses (March 14-17):
====================================

Metasploit: Asymmetric Warfare - H D Moore, BreakingPoint Systems

Advanced Honeypots - Thorsten Holz

IPv6 Network Security - Nico Fishbach & Guillaume Valadon, COLT & CNRS

Ultimate Web Hacking (One Day Edition) - Mike Andrews, Foundstone

TCP/IP Network Security In Depth - Andrea Barisani, inverse path

Effective Fuzzing using the Peach Fuzzing Platform - Michael
Eddington, Leviathan Security

Secure Java Programming and Auditing - Marc Schoenefeld

Practical 802.11 WiFi (In)Security - Cédric Blancher, EADS

Q/SSE Qualified/ Software Security Expert Certification Bootcamp -
Security University

Q/SA Qualified Security Analyst Penetration Tester - Security University

Advanced Linux Hardening - Andrea Barisani & Jay Beale, inverse path &
Intelguardians

Physical Security and Lock Technology - Deviant Ollam

The Exploit Laboratory - Advanced Edition - Saumil Shah, Net-Square

Mastering the Network with Scapy - Phillipe Biondi, EADS

Pwn2Own Contests:
================

There will be TWO Pwn2Own contests this year.
Generous cash prize(s) for exploits will be sponsored by Tipping Point,
and a Sony VAIO P fresh from Japan and a new loaded Apple Macbook
will be amongst the prizes.

The targets this year will be mobile smart-phones, and browsers.

Mobile targets:
iPhone
Android
Symbian
RIM/BlackBerry
Windows Mobile

Browser Targets:
IE8
FF3
Safari
Opera

The contest will like in previous years feature a progressively
expanding attack surface over the three day duration of the
conference. Final prizes and rules will be announced shortly.

Post-Conference Whistler Expedition:
=============================

We have secured some rooms at good rates at the Westin in Whistler
and reserved a cluster of four, 3-5 bedroom, cabins for the weekend
after the conference. Contact dr@... if you wish to be included
in the planning, final accommodation rates will be announced shortly.

Conference Hotel Block:
===================

The room rates at the Sheraton Wall Center hotel where the conference
is being held have been reduced from $183 to $169, and still includes
a waived $15/day free internet access in the rate.

Tenth Anniversary Gala Event:
========================

Since this is our tenth anniversary for the conference, we will
be having a party on Thursday night. Venue TBD. We're pretty
sure there will be a cake. No word yet on whether there will
be dancers inside it. ;-)

Day-Care Facilities will be available:
=============================

As a nod to the shifting demographic of early gen. security
researchers we will be trying a new experiment this year
and we will be providing day-care facilities for those
traveling with kids. We will try to arrange some group
discounts with our provider once we know how many
kids and what ages and times will have to be
accommodated. If you are interested in this service
please send a note to yuriko@... and let
her know ages and times.

We will try to get them started on exploit writing
courses for pre-schoolers :-). Does this mean
we are all grown up now?

It promises to be another fun conference again this
year. See you all there.

cheers,
--dr

--
World Security Pros. Cutting Edge Training, Tools, and Techniques
Vancouver, Canada March 16-20 2009 http://cansecwest.com
pgpkey http://dragos.com/ kyxpgp

DEFCON 17 CFP now open

2009-02-15T14:45:20Z

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

xxxxxxxxxxxxxxxxxx xxx xx x xx DEF CON 17, Las Vegas 2009
xxxxxxxXXXXxxxxxxxxxxxxx xx x x July 31st - August 2nd
xxxxxxXXXXXXxxxxx x x x The Rivera Hotel and Casino
xxxxxXXXXXXXXxxxxx xx x x Las Vegas, Nevada, USA
xxxxXXXXXXXXXXxxx x xxxxxxxx x https://www.defcon.org/
xxxXXXXXXXXXXXXxxxxxxxxxx x
xxXXXXXXXXXXXXXXxxxxxx xx x Call for Papers Call for Papers
xxxXXXXXXXXXXXXxxxxxxxx Call for Papers Call for Papers
xxxxXXXXXXXXXXxxxxxxxx x x xx Call for Papers Call for Papers
xxxxxXXXXXXXXxxxxxxx xxx xx x Call for Papers Call for Papers
xxxxxxXXXXXXxxxxxxx x x x Call for Papers Call for Papers
xxxxxxxXXXXxxxxxxxxxxx xx x x Call for Papers Call for Papers
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx x Call for Papers Call for Papers

Dark monks of techno-fu, it is that time of the year again! The DEFCON CFP
is now open!

What: DEFCON 17 Call For Papers
When: The Call for Papers will close on May 15, 2009
How: Complete the Call for Papers Form and send to talks at defcon dot org

Papers and presentations are now being accepted for DEFCON 17, the
conference your mother and ISC(2) warned you about. DEFCON will take place
at the Riviera in Las Vegas, NV, USA, July 31 - August 2, 2009.

https://www.defcon.org/html/defcon-17/dc-17-cfp.html

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.9.1 (Build 287)
Charset: us-ascii

wsBVAwUBSZibKA6+AoIwjTCUAQK86Qf/RnSG6c8k0iy/NPrO1JDmLUr7qJzjsVwd
yPwHUAjIR+Kp7gwi5me/DFhPu7TRPitHlV6VmZpQGrWTwRLPXimpM7fFpJQKX+Ea
YSk1CLsktenSKo57nXPIs0MjVIFivmkVPuQzRCMwA/sORBCp1xuNITqsD9w7azAA
CcsZXNRDZ8UnNNr2Vyr+LFXE/06ETMWyskKxEs9z3WOigqgb+zNG0ylqmS1SBhQN
klZVdPFTmgfsDjmhvYvfjJTrOpxOwlLLjV8hqwR4CpbOgm0RWsbH42CAmJ0mJ9qt
+JlPTVWEQEgwQIDjbkRuBPkn+CKxz+45c7aa1PPN/JxAHa/k6V5Cxw==
=IBnB
-----END PGP SIGNATURE-----

Training & jobs

2009-01-27T23:34:24Z

“Join us to make future”
FOR OPT/F-1 STUDENTS
FREE TRAINING
FOOD ACCOMODATION
H1B PROCESSING
FOR L1/ L2/ H1/ H4/ EAD/ GC
EXCELLENT OPPRTUNITIES
TRAINING
PLACEMENT
Highly Competitive offers for New H1b Transfers

About Us:
V2 technology inc is serving NJ since 2005, for us our employees are
of utmost importance. Our highly skilled and dedicated instructors
train you explicitly in market-related technologies for today and
tomorrow. We will work with you in developing marketing strategies
and finding the assignments of your choice.
We not only help you get a job but we build your long lasting
careers!!!
What are we Looking for:
Excellent communication skills.
Valid F1/ OPT/ CPT/ H1/ H4/ L1 or valid work status
(EAD, GC).
Bachelors’ degree in CS/ IT or previous IT experience.
Preferably (not mandatory) Master's Degree in Computers/
Electronics or previous IT experience.
Willing to relocate anywhere in USA.

What’s The Deal:
H1-B sponsorship to F1/ OPT/ H4/ L1/ L2/ E3/ EAD
Transfer of H1 & L1 visas.
Green Card sponsorship through PERM
Job focused professional training in
Java/ J2EE
.NET
Documentum
Share point
Oracle
Data Modeling
Relocation assistance- airfare, hotel accommodation, car rental
etc
Guarantee lowest bench period.
Employee referral program.
Effective Resume writing help, Marketing and Placement.
Technical mock interviews. Preparation of In Person Interviews

100% Guaranteed placement
Get in Touch:
write mail at jobs@v2techinc.com

CfP DIMVA 2009

2009-01-21T01:30:06Z

(We apologize if you receive multiple copies of this message.)
----------------------------------------------------------------------

FIRST
CALL FOR PAPERS

DIMVA 2009

Sixth International Conference on
Detection of Intrusions and Malware & Vulnerability Assessment

Organized by GI SIG SIDAR
In Cooperation with
IEEE Computer Society Task Force on Information Assurance

Milan, Italy
June / July, 2009

http://www.dimva.org/dimva2009
mailto:info@...

----------------------------------------------------------------------

The annual DIMVA conference serves as a premier forum for advancing
the state of the art in intrusion detection, malware detection, and
vulnerability assessment. Each year DIMVA brings together
international experts from academia, industry and government to
present and discuss novel research in these areas. DIMVA is organized
by the special interest group Security - Intrusion Detection and
Response (SIDAR) of the German Informatics Society (GI). The
conference proceedings are planned to appear in Springer's Lecture
Notes in Computer Science (LNCS) series.

DIMVA solicits submission of high-quality, original scientific work.
This year we invite two types of paper submissions:

* Full papers, presenting novel and mature research results. Full
papers are limited to 20 pages, prepared according to the
instructions provided below. They will be reviewed by the program
committee, and papers accepted for presentation at the conference
will be included in the proceedings.

* Short papers (extended abstracts), presenting original, still
ongoing work that has not yet reached the maturity required for a
full paper. Short papers are limited to 10 pages, prepared according
to the instructions provided below. They will also be reviewed by
the program committee, and papers accepted for presentation at the
conference will be included in the proceedings (containing Extended
Abstract in the title).

DIMVA's scope includes, but is not restricted to the following areas:

* Intrusion Detection
+ Approaches
+ Insider detection
+ Applications to business level fraud
+ Implementations
+ Prevention and response
+ Result correlation and cooperation
+ Evaluation
+ Potentials and limitations
+ Operational experiences
+ Legal and social aspects

* Malware Detection
+ Techniques
+ Acquisition of specimen
+ Detection and analysis
+ Automated behavior model generation
+ Early warning
+ Prevention and containment
+ Trends and upcoming risks
+ Forensics and recovery
+ Economic aspects

* Vulnerability Assessment

+ Vulnerabilities
+ Vulnerability detection and analysis
+ Vulnerability prevention
+ Classification and evaluation
+ Situational awareness

DIMVA 2009 particularly encourages papers that discuss applications of
intrusion detection methods for fraud detection in business level
processes and composite Web Services.

Organizing Committee

General Chair: Danilo M. Bruschi,
Università degli Studi di Milano, Italy (info@...)
Program Chair: Ulrich Flegel,
SAP Research CEC Karlsruhe, Germany (pc-chair@...)
Rump Session Chair: Sven Dietrich,
Stevens Institute of Technology, U.S.A. (rump-chair@...)
Sponsorship Chair: Thorsten Holz,
University of Mannheim, Germany (sponsor-chair@...)
Publicity Chair: Sebastian Schmerl
University of Technology Cottbus, Germany (publicity-chair@...)

Program Committee

Thomas Biege (Novell, Germany)
Gunter Bitz (SAP AG, Germany)
Herbert Bos (Vrije Universiteit Amsterdam, Netherlands)
Roland Büschkes (RWE AG, Germany)
Marc Dacier (Symantec Research, France)
Hervé Debar (France Télécom, France)
Sven Dietrich (Stevens Institute of Technology, U.S.A.)
Thomas Dullien (Zynamics, Germany)
Thorsten Holz (University of Mannheim, Germany)
Engin Kirda (Eurecom, France)
Christian Kreibich (ICSI, U.S.A.)
Christopher Kruegel (UC Santa Barbara, U.S.A)
Klaus Julisch (IBM Zurich Research Laboratory, Switzerland)
Pavel Laskov (Fraunhofer FIRST and University of Tuebingen, Germany)
Wenke Lee (Georgia Institute of Technology, U.S.A.)
Javier Lopez (University of Malaga, Spain)
John McHugh (University of North Carolina and Dalhousie University, Canada)
Michael Meier (Technical University of Dortmund, Germany)
George Mohay (Queensland University of Technology, Australia)
Martin Rehák (Czech Technical University, Czech)
Konrad Rieck (Technical University of Berlin, Germany)
Robin Sommer (ICSI/LBNL, U.S.A.)
Salvatore Stolfo (Columbia University, U.S.A)
Peter Szor (Symantec, U.S.A.)

Important Dates

Deadline for paper submission: February 6, 2009
Notification of acceptance or rejection: March 30, 2009
Final paper camera ready copy: April 10, 2009
Conference dates: June/July, 2009

Paper Submission

All papers must be submitted electronically in PDF format via the
conference Web site. Submissions must be formatted according to the
instructions provided by Springer Verlag.

Submitted papers must be in English and must not substantially
overlap work that has been published before, or that is
simultaneously in submission to a journal or a conference with
proceedings. Simultaneous submission, submission of previously
published work, and plagiarism constitute dishonesty or fraud. DIMVA
prohibits these practices and may take appropriate action against
authors who have committed them.

For accepted papers, it is required that at least one of the authors
attends the conference to present the paper. Presentations must also
be held in English.

Details about the electronic submission procedure will be provided on
the conference Web site by end of January 2009. Authors of accepted
papers must follow the Springer LNCS guidelines for the preparation
of camera-ready copies. Details of the process will be provided to
the authors in time.

Rump session

As in previous years, DIMVA 2009 will hold a Rump Session: a series
of short and entertaining talks where attendees can present recent
research results, work in progress, or other topics of interest to
the community. Please contact the Rump Session Chair for submission
questions.

Sponsorship Opportunities

We solicit interested organizations to serve as sponsors for DIMVA
2009; please contact the sponsorship chair for information regarding
corporate sponsorship.

Steering Committee

Chairs:
* Ulrich Flegel, SAP Research CEC Karlsruhe
* Michael Meier, Technical University of Dortmund

Members:
* Roland Büschkes, RWE
* Hervé Debar, France Telecom R&D
* Bernhard Hämmerli, Acris GmbH, HSLU
* Marc Heuse, Baseline Security Consulting
* Klaus Julisch, IBM Zurich Research Lab
* Christopher Kruegel, UC Santa Barbara
* Pavel Laskov, Fraunhofer FIRST and University of Tuebingen
* Robin Sommer, ICSI/LBNL
* Diego Zamboni, IBM Zurich Research Lab

--
_____________________________________________________________________
Sebastian Schmerl Tel: +49 (0) 355 69 20 29
sbs@... Fax: +49 (0) 355 69 21 27
BTU Cottbus

Computer Networks and Communication System
P.O.Box 10 13 44, 03013 Cottbus, Germany
http://www-rnks.informatik.tu-cottbus.de
_____________________________________________________________________

smime.p7s (9K) Download Attachment

CfP DIMVA 2009

2009-01-05T01:21:39Z

(We apologize if you receive multiple copies of this message.)
----------------------------------------------------------------------

PRELIMINARY
CALL FOR PAPERS

DIMVA 2009

Sixth International Conference on
Detection of Intrusions and Malware & Vulnerability Assessment

Organized by GI SIG SIDAR
In Cooperation with
IEEE Computer Society Task Force on Information Assurance

Milan, Italy
June / July, 2009

http://www.dimva.org/dimva2009
mailto:info{at}dimva.org

----------------------------------------------------------------------

The annual DIMVA conference serves as a premier forum for advancing
the state of the art in intrusion detection, malware detection, and
vulnerability assessment. Each year DIMVA brings together
international experts from academia, industry and government to
present and discuss novel research in these areas. DIMVA is organized
by the special interest group Security - Intrusion Detection and
Response (SIDAR) of the German Informatics Society (GI). The
conference proceedings are planned to appear in Springer's Lecture
Notes in Computer Science (LNCS) series.

DIMVA solicits submission of high-quality, original scientific work.
This year we invite two types of paper submissions:

* Full papers, presenting novel and mature research results. Full
papers are limited to 20 pages, prepared according to the
instructions provided below. They will be reviewed by the program
committee, and papers accepted for presentation at the conference
will be included in the proceedings.

* Short papers (extended abstracts), presenting original, still
ongoing work that has not yet reached the maturity required for a
full paper. Short papers are limited to 10 pages, prepared according
to the instructions provided below. They will also be reviewed by
the program committee, and papers accepted for presentation at the
conference will be included in the proceedings (containing Extended
Abstract in the title).

DIMVA's scope includes, but is not restricted to the following areas:

* Intrusion Detection
+ Approaches
+ Insider detection
+ Applications to business level fraud
+ Implementations
+ Prevention and response
+ Result correlation and cooperation
+ Evaluation
+ Potentials and limitations
+ Operational experiences
+ Legal and social aspects

* Malware Detection
+ Techniques
+ Acquisition of specimen
+ Detection and analysis
+ Automated behavior model generation
+ Early warning
+ Prevention and containment
+ Trends and upcoming risks
+ Forensics and recovery
+ Economic aspects

* Vulnerability Assessment

+ Vulnerabilities
+ Vulnerability detection and analysis
+ Vulnerability prevention
+ Classification and evaluation
+ Situational awareness

DIMVA 2009 particularly encourages papers that discuss applications of
intrusion detection methods for fraud detection in business level
processes and composite Web Services.

Organizing Committee

General Chair: Danilo M. Bruschi, Università degli Studi di
Milano, Italy (info{at}dimva.org)
Program Chair: Ulrich Flegel, SAP Research CEC Karlsruhe,
Germany (pc-chair{at}dimva.org)
Rump Session Chair: Sven Dietrich, Stevens Institute of Technology,
U.S.A. (rump-chair{at}dimva.org)
Sponsorship Chair: Thorsten Holz, University of Mannheim, Germany
(sponsor-chair{at}dimva.org)
Publicity Chair: Sebastian Schmerl, Brandenburg University of
Technology Cottbus (publicity-chair{at}dimva.org)

Program Committee

To be determined for final Call for Papers.

Important Dates

Deadline for paper submission: February 6, 2009
Notification of acceptance or rejection: March 30, 2009
Final paper camera ready copy: April 10, 2009
Conference dates: June/July, 2009

Paper Submission

All papers must be submitted electronically in PDF format via the
conference Web site. Submissions must be formatted according to the
instructions provided by Springer Verlag.

Submitted papers must be in English and must not substantially
overlap work that has been published before, or that is
simultaneously in submission to a journal or a conference with
proceedings. Simultaneous submission, submission of previously
published work, and plagiarism constitute dishonesty or fraud. DIMVA
prohibits these practices and may take appropriate action against
authors who have committed them.

For accepted papers, it is required that at least one of the authors
attends the conference to present the paper. Presentations must also
be held in English.

Details about the electronic submission procedure will be provided on
the conference Web site by mid of January 2009. Authors of accepted
papers must follow the Springer guidelines for the preparation of
camera-ready copies. Details of the process will be provided to the
authors in time.

Rump session

As in previous years, DIMVA 2009 will hold a Rump Session: a series
of short and entertaining talks where attendees can present recent
research results, work in progress, or other topics of interest to
the community. Please contact the Rump Session Chair for submission
questions.

Sponsorship Opportunities

We solicit interested organizations to serve as sponsors for DIMVA
2009; please contact the sponsorship chair for information regarding
corporate sponsorship.

Steering Committee

Chairs:
* Ulrich Flegel, SAP Research CEC Karlsruhe
* Michael Meier, Technical University of Dortmund

Members:
* Roland Büschkes, RWE
* Hervé Debar, France Telecom R&D
* Bernhard Hämmerli, Acris GmbH, HSLU
* Marc Heuse, Baseline Security Consulting
* Klaus Julisch, IBM Zurich Research Lab
* Christopher Kruegel, UC Santa Barbara
* Pavel Laskov, Fraunhofer FIRST and University of Tuebingen
* Robin Sommer, ICSI/LBNL
* Diego Zamboni, IBM Zurich Research Lab

--
_____________________________________________________________________
Sebastian Schmerl Tel: +49 (0) 355 69 20 29
sbs@... Fax: +49 (0) 355 69 21 27
BTU Cottbus

Computer Networks and Communication System
P.O.Box 10 13 44, 03013 Cottbus, Germany
http://www-rnks.informatik.tu-cottbus.de
_____________________________________________________________________

smime.p7s (9K) Download Attachment

CanSecWest 2009 CFP (March 18-20 2009, Deadline December 8 2008)

2008-11-24T21:16:57Z

Call For Papers

The CanSecWest 2009 CFP is now open.

Deadline is December 8th, 2008.

CanSecWest CALL FOR PAPERS

VANCOUVER, Canada -- The tenth annual CanSecWest applied
technical security conference - where the eminent figures
in the international security industry will get together
share best practices and technology - will be held in
downtown Vancouver at the the Sheraton Wall Centre on
March 18-20, 2009. The most significant new discoveries
about computer network hack attacks and defenses,
commercial security solutions, and pragmatic real world
security experience will be presented in a series of
informative tutorials.

The CanSecWest meeting provides international researchers
a relaxed, comfortable environment to learn from
informative tutorials on key developments in security
technology, and collaborate and socialize with their peers
in one of the world's most scenic cities - a short drive
away from one of North America's top skiing areas.

The CanSecWest conference will also feature the
availability of the Security Masters Dojo expert network
security sensei instructors, and their advanced, and
intermediate, hands-on training courses - featuring small
class sizes and practical application excercises to
maximize information transfer.

We would like to announce the opportunity to submit
papers, and/or lightning talk proposals for selection by
the CanSecWest technical review committee. This year we
will be doing one hour talks, and some shorter talk
sessions.

Please make your paper proposal submissions before
December 8th, 2008.

Some invited papers have been confirmed, but a limited
number of speaking slots are still available. The
conference is responsible for travel and accomodations for
the speakers. If you have a proposal for a tutorial
session then please email a synopsis of the material and
your biography, papers and, speaking background to
secwest09 [at] cansecwest.com . Only slides will be needed
for the March paper deadline, full text does not have to
be submitted - but will be accepted if available. This
year we will be opening up the presentation guidelines to
include talks not in English (particularly Chinese) which
we will offer to translate for the speaker if they are not
a native English speaker.

The CanSecWest 2009 conference consists of tutorials on
technical details about current issues, innovative
techniques and best practices in the information security
realm. The audiences are a multi-national mix of
professionals involved on a daily basis with security
work: security product vendors, programmers, security
officers, and network administrators. We give preference
to technical details and new education for a technical
audience.

The conference itself is a single track series of
presentations in a lecture theater environment. The
presentations offer speakers the opportunity to showcase
on-going research and collaborate with peers while
educating and highlighting advancements in security
products and techniques. The focus is on innovation,
tutorials, and education instead of product pitches. Some
commercial content is tolerated, but it needs to be backed
up by a technical presenter - either giving a valuable
tutorial and best practices instruction or detailing
significant new technology in the products.

Paper proposals should consist of the following
information:
1. Presenter, and geographical location (country of
origin/passport) and contact info (e-mail, postal
address, phone, fax).
2. Employer and/or affiliations.
3. Brief biography, list of publications and papers.
4. Any significant presentation and educational
experience/background.
5. Topic synopsis, Proposed paper title, and a one
paragraph description.
6. Reason why this material is innovative or significant
or an important tutorial.
7. Optionally, any samples of prepared material or
outlines ready.
8. Will you have full text available or only slides?
9. Language of preference for submission.
10. Please list any other publications or conferences
where this material has been or will be
published/submitted.

Please include the plain text version of this information
in your email as well as any file, pdf, sxw, ppt, or html
attachments.

Please forward the above information to secwest09 [at]
cansecwest.com to be considered for placement on the
speaker roster, or have your lightning talk scheduled. If
you contact anyone else at our organization please ensure
you also cc the submission address with your proposal or
it may be ommitted from the review process.

cheers,
--dr

--
World Security Pros. Cutting Edge Training, Tools, and Techniques
Vancouver, Canada March 16-20 2009 http://cansecwest.com
pgpkey http://dragos.com/ kyxpgp

ANNOUNCE: New iptables(8) firewall script release, many new features

2008-10-19T07:33:42Z

Note to Mods: If this is considered SPAM, please drop it in the
bit-bucket. This appeared to me to be acceptable according to the FAQ
for the list.

Hello all!

A week or so ago I added several new features to my firewall script
that I had been considering. This brings me to release 1.8.2.
The script is for Linux-systems only, using the netfilter/iptables
tools to create a secure firewall for almost any situation. This
newest release
brings many new levels of flexibility and customization. The initial
purpose of this firewall script was to be able to create a secure
ruleset from the very beginning; and then allowing easy addition of
rules to manage services in an obvious way. I believe that by
naming a file something like /etc/firewall/tcp.ssh, and adding one
subnet/host per line, I make it fairly straight-forward to build a
secure
ruleset, even with minimal experience.

A quick rundown on features are as follows:
- All services configurable via flat text files, such as tcp.ssh, one
subnet/host per line
- Ability to add "deny" entries from service files by prefixing
subnet/host with a !
- Ability to let non-root users to manage rules, setup information is
in the README
- Stateful firewall, allows outbound-connection-related packets (ICMP
host-unreach, time-exceeded, TCP RST, etc) back in automatically
- A secure, "deny all except what's explicitly allowed" default configuration
- Ability to allow/deny any packets from a subnet/host (use of this is
discouraged)
- Simple masquerading configuration by adding subnet/hosts to "masquerade" file
- Ability to set up TCP and UDP port-forwarding, details in the README
- Configuration variables such as $FWCONF, where the service files are
located, can be set in /etc/sysconfig/network
- A "status" and "running" parameter that shows the firewall status
and running ruleset, respectively
- Rate-limits control the amount of outbound replies to minimize
damage in a DoS or reflective DoS
- Rate-limits control the number of entries that get logged per second
to mitigate overloading the syslog system
- All files/scripts are distro-agnostic
- Use of $FWCONF/rc.local.{nat,rules} to allow advanced users the
ability to write their own rules,
or manipulate the automatically generated rules.

For complete details, see the README file available at:
http://tje.ssllink.net/firewall/README

Release 1.8.2 can be found here:
http://tje.ssllink.net/firewall-1.8.2.tar.gz
66d04d274cfb06a6b7968a1c10d3d3ff

As always, I welcome all comments, questions, complaints, flames, cash
donations, etc. Please CC me on
all replies as I have not been on the focus-linux list for some time
now. Thanks!

-tje-

Regards,
TJ Easter
--
"Being a humanist means trying to behave decently without expectation
of rewards or punishment after you are dead." -- Kurt Vonnegut, 1922
- 2007
http://keyserver1.pgp.com/vkd/DownloadKey.event?keyid=0x5EB6E92FE2340DEF

Re: Pandora FMS 1.2 released

2008-09-08T17:26:35Z

Pandora FMS (Flexible Monitoring System) is a monitoring application to watch systems, applications or process, that allows to know the status of any element of your systems, watch for your hardware, your software, your multilayer system and of course your Operating System.

Development of stable version 2.0 of Pandora FMS is over. After a long period of testing, Pandora FMS team has finished development for this version that introduces great features from previous version.

Some changes from last version are.

* WMI Remote Monitoring Server (Windows) and Plugin Server (UNIX).
* Prediction Server.
* Export Server.
* Network Map.
* New Visual Console in AJAX for interactive map creation.
* Agent remote configuration from the Console.
* Coumpound alerts.

You can download Pandora FMS v2.0 or migrate tool from http://www.pandorafms.com/index.php?sec=pandora&sec2=download&lang=en

pandorainfo wrote:

Pandora FMS (Free Monitoring
System) is a monitoring application to watch systems and applications, that allows to know the status of any element of your systems, watch for your hardware, your software, your multilayer system and of course your Operating System.

Development of stable version 1.2 of Pandora FMS is over. After a
long period of testing, Pandora FMS team has finished development for
this version that introduces great features from previous version.

Pandora FMS is a Free Software project. Pandora FMS monitor systems,
network elements and applications in any operating systems. It's
published under GPL license.

Some changes from last version are.

-Network monitoring without need to install agents.
-SNMP console to receive traps
-Better alerts.
-Better user visualization
-Internal messages between teams and operators.
-Better usability.
-Pandora FMS also includes a new Windows Agent, with graphical
installer, that allows to monitor easily Windows hosts.
-Individual module interval for each module.
-On-demand agent polling (for network modules).
-Other minor features.

You can download Pandora FMS v1.2 from http://pandora.sourceforge.net

PacSec 2008 CFP (Deadline Sept. 1, Conference Nov. 12/13) and BA-Con 2008 Speakers (Sept. 30/ Oct. 1)

2008-08-26T13:09:28Z

Spanish url: http://ba-con.com.ar/speakers.html?language=es

Speaker list and Dojos for BA-Con, September 30, October 1st.
(all presentations in both Spanish and English)

Presentations:

WPA/WPA2: how long is it gonna make it - Cédric Blancher & Simon Maréchal,
EADS & SGDN
Security Concerns of Firmware Updates (SPI System BIOS and Embedded
Controller) - Sun Bing
A Practical Approach to Mitigate and Remove Malware - Ching Tim Meng
Advances in Attacking Interpreted Languages: Javascript - Justin
Ferguson
Understanding eVoting in post Everest, TTBR world - Harri Hursti
SecViz 007 - Raffael Marty, Splunk
Pass-the-hash Toolkit for Windows - Hernan Ochoa, Core
Linux 2.6 kernel rootkits - Daniel Palacio, Immunity
Reverse Engineering Dynamic Languages, a Focus on Python - Aaron
Portnoy & Ali Rizvi-Santiago, TippingPoint
All the Crap Aircrafts Receive and Send - Hendrik Scholz
Teflon: anti-stick for the browsers attack surface - Saumil Shah,
Net-Square
Hacking PXE without reboot (using the BIOS network stack for other
purposes) - Julien Vanegue, CESAR
LeakedOut: the Social Networks You Get Caught In - Jose Orlicki, Core

Dojos (September 28/29):
Reverse Code Engineering - Edgar Barbosa, COSEINC
Practical 802.11 Wi-Fi (In)Security - Cédric Blancher, EADS
Effective Fuzzing using the Peach Fuzzing Platform (2 days) - Michael
Eddington, Leviathan
Assembler for Exploits - Gerardo Richarte, Core
The Exploit Lab - Saumil Shah, Net-Square

We would like to especially thank the gracious sponsorship of Core,
Microsoft, and Symantec/SecurityFocus, without whom this event
would not be possible and/or would be a lot more expensive for attendees.
We also suggest that conference attendees stay a couple of days
longer and go to ekoparty right after this event.

cheers,
--dr

--8<--kyx--8<--

English url: http://pacsec.jp/speakers.html?language=en
Japanese url: http://pacsec.jp/speakers.html?language=ja
(the following should be up soon...)
Spanish url: http://pacsec.jp/speakers.html?language=es
Chinese url: http://pacsec.jp/speakers.html?language=cn

PacSec 2008 CALL FOR PAPERS

World Security Pros To Converge on Japan

TOKYO, Japan -- To address the increasing importance of information
security in Japan, the best known figures in the international
security industry will get together with leading Japanese
researchers to share best practices and technology. The most
significant new discoveries about computer network hack attacks
and defenses will be presented at the sixth annual PacSec conference.

The PacSec meeting provides an opportunity for foreign specialists
to be exposed to Japanese innovation and markets and collaborate
on practical solutions to computer security issues. In an informal
setting with a mixture of material bilingually translated in both
English and Japanese the eminent technologists can socialize and
attend training sessions.

Announcing the opportunity to submit papers for the PacSec 2008
network security training conference. The conference will be held
November 12/13th in Tokyo at the Aoyama Diamond Hall above
Omotesando station. The conference focuses on emerging
information security tutorials - it is a bridge between the
international and Japanese information security technology
communities..

Please make your paper proposal submissions before September 1st,
2008. Slides for the papers must be submitted for translation by
October 1, 2008.

A some invited papers have been confirmed, but a limited number of
speaking slots are still available. The conference is responsible
for travel and accomodations for the speakers. If you have a
proposal for a tutorial session then please email a synopsis of
the material and your biography, papers and, speaking background
to secwest08 [at] pacsec.jp . Tutorials are one hour in length, but
with simultaneous translation should be approximately 45 minutes
in English, or Japanese. Only slides will be needed for the October
paper deadline, full text does not have to be submitted.

The PacSec conference consists of tutorials on technical details
about current issues, innovative techniques and best practices in the
information security realm. The audiences are a multi-national mix
of professionals involved on a daily basis with security work: security
product vendors, programmers, security officers, and network
administrators. We give preference to technical details and
education for a technical audience.

The conference itself is a single track series of presentations in a
lecture theater environment. The presentations offer speakers the
opportunity to showcase on-going research and collaborate with peers
while educating and highlighting advancements in security products
and techniques. The focus is on innovation, tutorials, and education
instead of product pitches. Some commercial content is tolerated,
but it needs to be backed up by a technical presenter - either giving
a valuable tutorial and best practices instruction or detailing
significant new technology in the products.

Paper proposals should consist of the following information:
1. Presenter, and geographical location (country of
origin/passport) and contact info (e-mail, postal address,
phone, fax).
2. Employer and/or affiliations.
3. Brief biography, list of publications and papers.
4. Any significant presentation and educational
experience/background.
5. Topic synopsis, Proposed paper title, and a one paragraph
description.
6. Reason why this material is innovative or significant or an
important tutorial.
7. Optionally, any samples of prepared material or outlines
ready.
8. Will you have full text available or only slides?
9. Please list any other publications or conferences where
this material has been or will be published/submitted.
10. Do you have any special demo or network requirements
for your presentation?

Please include the plain text version of this information in
your email as well as any file, pdf, sxw, ppt, or html
attachments.

Please forward the above information to secwest08 [at]
pacsec.jp to be considered for placement on the speaker
roster, or have your lightning talk scheduled. The deadline
is soon for this one: September 1st 2008.

cheers,
--dr

P.S. We have also set the dates for CanSecWest 2010 for Mar. 22-26.
With the Olympics in the neighborhood a month before we have to
plan way ahead.
--
World Security Pros. Cutting Edge Training, Tools, and Techniques
Buenos Aires, Argentina Sept. 30 / Oct. 1 - 2008 http://ba-con.com.ar
Tokyo, Japan November 12/13 2008 http://pacsec.jp
Vancouver, Canada March 16-20 2009 http://cansecwest.com
pgpkey http://dragos.com/ kyxpgp

Re: problems cloning a hard drive with dcfldd

2008-08-13T01:25:32Z

Hi Don,

I think it's bit too late for this reply. But you can find whether DD
is failing or DD is failing due to NC failure if you look at the
PIPESTATUS envar from bash.

Kosala

On Wed, Aug 6, 2008 at 11:14 PM, <DON.RAIKES@...> wrote:

> Hello,
>
> I am a newbie to this whole digital forensics world, and am having a problem cloning a hard drive.
>
> Setup:
> laptop with 40gb harddrive with 2 partitions. The laptop had/has windows xp on it, but it won't boot any longer.
> desktop system running fedora 9 as my forensics lab machine.
> fedora livecd containing dcfldd and some other tools.
>
> Situation:
> I boot the laptop using the livecd and login no problem.
> I can see the hard drive as /dev/sda.
>
> Both systems are connected to my local network.
>
> I want to make a clone of the laptop harddrive so that I can use it to learn some of the forensic tools available like sleuthkit mac-robber etc.
>
> Steps:
> on desktop: start netcat in listening mode port 1234
> on laptop run:
> dcfldd if=/dev/sda1 conv=noerror,sync hash=md5 hashlog=md5.log | nc desktopsystem 1234 -w 3
>
> All seems to be going just fine the netcat connection is made and dcfldd is displaying its progress.
> However, at block 98513, I get an error from dcfldd saying:
>
> error:/dev/sda1 input output error
>
> and the whole process stops.
>
> I tried:
> $ dcfldd if=/dev/sda1 of=/dev/null conv=noerror,sync
>
> and it processed the entire 34gb without an error.
>
> Any suggestions would be appreciated for how to get this drive cloned.
>

--
Kosala
--------------------------------------------
Disclaimer: Views expressed in this mail are my personal views and
they would not reflect views of the employer.
--------------------------------------------
blog.kosala.net
www.linux.lk/~kosala/
www.kosala.net

RE: problems cloning a hard drive with dcfldd

2008-08-11T14:47:12Z

Don,

I think you've found the issue - you were acquiring the first partition,
and _not_ the physical device. Remove the partition from your command
and you should be golden, no need to pull the drive.

Cheers!

farmerdude

http://www.forensicbootcd.com

http://www.onlineforensictraining.com

On Mon, 2008-08-11 at 12:11 -0700, DON.RAIKES@... wrote:

> Farmerdude,
>
> Here are the results of the commands you suggested:
>
> blkid:
> /dev/sda1: UUID="D08405CF8405B94C" TYPE="ntfs"
> /dev/sda2: UUID="423B-2BDF" TYPE="vfat"
>
> fdisk:
>
>
> Disk /dev/sda: 40.0 GB, 40007761920 bytes
> 255 heads, 63 sectors/track, 4864 cylinders
> Units = cylinders of 16065 * 512 = 8225280 bytes
> Disk identifier: 0x4b36bdea
>
> Device Boot Start End Blocks Id System
> /dev/sda1 * 463 4863 35351032+ 7 HPFS/NTFS
> /dev/sda2 1 462 3710983+ b W95 FAT32
>
> Partition table entries are not in disk order
>
> While I don't have a usb or firewire drive I can use to clone to directly, I do have an external harddrive enclosure for a laptop drive, so I will be pulling the drive from the laptop and connecting it to my forensics workstation using the enclosure.
>
> I will try cloning the entire drive instead of just the ntfs partition also.
>
> Thanks for the tips.
>
> -----Original Message-----
> From: farmerdude [mailto:subscribe@...]
> Sent: Friday, August 08, 2008 6:40 PM
> To: DON.RAIKES@...
> Cc: focus-linux
> Subject: Re: problems cloning a hard drive with dcfldd
>
>
> Don,
>
> Can you provide the output of these commands issued from the laptop
> system;
>
> fdisk -l
>
>
> blkid /dev/sda*
>
>
>
> Instead of blowing across the network, are you able to attach a firewire
> or USB hard drive to the laptop and blow your acquisition file via one
> of those ports locally?
>
>
> Also, based on your dcfldd command, you know that you are acquiring only
> the first partition on the physical device, /dev/sda, yes?
>
> If you want the physical device, remove the number from your command.
> If you want only the partition continue on with your command then!
>
> Cheers!
>
> farmerdude
>
> http://www.forensicbootcd.com
>
> http://www.onlineforensictraining.com
>
>
>

RE: problems cloning a hard drive with dcfldd

2008-08-11T12:11:11Z

Farmerdude,

Here are the results of the commands you suggested:

blkid:
/dev/sda1: UUID="D08405CF8405B94C" TYPE="ntfs"
/dev/sda2: UUID="423B-2BDF" TYPE="vfat"

fdisk:

Disk /dev/sda: 40.0 GB, 40007761920 bytes
255 heads, 63 sectors/track, 4864 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes
Disk identifier: 0x4b36bdea

Device Boot Start End Blocks Id System
/dev/sda1 * 463 4863 35351032+ 7 HPFS/NTFS
/dev/sda2 1 462 3710983+ b W95 FAT32

Partition table entries are not in disk order

While I don't have a usb or firewire drive I can use to clone to directly, I do have an external harddrive enclosure for a laptop drive, so I will be pulling the drive from the laptop and connecting it to my forensics workstation using the enclosure.

I will try cloning the entire drive instead of just the ntfs partition also.

Thanks for the tips.

-----Original Message-----
From: farmerdude [mailto:subscribe@...]
Sent: Friday, August 08, 2008 6:40 PM
To: DON.RAIKES@...
Cc: focus-linux
Subject: Re: problems cloning a hard drive with dcfldd

Don,

Can you provide the output of these commands issued from the laptop
system;

fdisk -l

blkid /dev/sda*

Instead of blowing across the network, are you able to attach a firewire
or USB hard drive to the laptop and blow your acquisition file via one
of those ports locally?

Also, based on your dcfldd command, you know that you are acquiring only
the first partition on the physical device, /dev/sda, yes?

If you want the physical device, remove the number from your command.
If you want only the partition continue on with your command then!

Cheers!

farmerdude

http://www.forensicbootcd.com

http://www.onlineforensictraining.com

Re: problems cloning a hard drive with dcfldd

2008-08-08T18:40:28Z

Don,

Can you provide the output of these commands issued from the laptop
system;

fdisk -l

blkid /dev/sda*

Instead of blowing across the network, are you able to attach a firewire
or USB hard drive to the laptop and blow your acquisition file via one
of those ports locally?

Also, based on your dcfldd command, you know that you are acquiring only
the first partition on the physical device, /dev/sda, yes?

If you want the physical device, remove the number from your command.
If you want only the partition continue on with your command then!

Cheers!

farmerdude

http://www.forensicbootcd.com

http://www.onlineforensictraining.com

Re: problems cloning a hard drive with dcfldd

2008-08-07T23:21:57Z

Dave Hull schrieb:

> On Wed, Aug 6, 2008 at 3:14 PM, <DON.RAIKES@...> wrote:
>
>> I am a newbie to this whole digital forensics world, and am having a problem cloning a hard drive.
>>
>> Setup:
>> laptop with 40gb harddrive with 2 partitions. The laptop had/has windows xp on it, but it won't boot any longer.
>> desktop system running fedora 9 as my forensics lab machine.
>> fedora livecd containing dcfldd and some other tools.
>>
>> Situation:
>> I boot the laptop using the livecd and login no problem.
>> I can see the hard drive as /dev/sda.
>>
>
> You might try pulling the drive out of the laptop and connecting it to
> your PC directly using a USB external drive adapter. Mount the drive
> on your forensics lab machine read-only and try acquiring the image
> with dcfldd. You could also acquire the entire drive, rather than
> individual partitions and then carve out the partitions from that
> image, again using dcfldd. The Sleuthkit command mmls will display the
> partition table information it finds in the image and you can feed
> that information into dcfldd to carve out the partitions.
>
>
>> dcfldd if=/dev/sda1 conv=noerror,sync hash=md5 hashlog=md5.log | nc desktopsystem 1234 -w 3
>>
>
> Looks good to me. Have you tried specifying a blocksize via bs=?
>
>
>> All seems to be going just fine the netcat connection is made and dcfldd is displaying its progress.
>> However, at block 98513, I get an error from dcfldd saying:
>>
>> error:/dev/sda1 input output error
>>
>> and the whole process stops.
>>

If there is an error an the disk dd will fail, if you really dont need
the forensic features
of dcfldd you can also use ddrescue.
ddrescue is different than dd, a dd fails when there is a read error on
the disk, ddrescue will
continue (have a look at the man).
God luck
> I have seen similar problems when trying to acquire using Helix and
> USB mounted drives on laptops. I generally have better luck attaching
> and mounting the drives in my forensic workstation.
>
> Good luck.
>
>