Tuesday, July 12, 2011

I know that I do not blog here nearly enough, oh well....

Just read today that ISC2 is updating the CISSP CBK beginning January 1st: https://www.isc2.org/credentials/default.aspx. If you are in my mentor class starting in September, I will make sure that I have the most up-to-date information that SANS has available.

Friday, March 11, 2011

Came across something cool today. I am a fan of CCleaner. If you are like me, a lot of your buddies see you as some kind of computer geek, and so when they have a problem they call. Well, most of the time it is simply because their computer is running slow and they are running about four anti-virus programs, only one of which is legit. Then I usually like to use CCleaner to clean out the rest of the garbage that users normally accumulate. So today I was thinking about my own machine: wouldn't it be cool if I could just make CCleaner run daily to keep all the junk off it? Well, you can do exactly that. CCleaner has command line arguments, as can be seen at:

http://www.piriform.com/docs/ccleaner/advanced-usage/command-line-parameters

With the command line arguments you can set up a scheduled task to run CCleaner at any time or as often as you like. Check out this blog post on How-To Geek for setting it up.

Update 3/14/2011:
Looking into the Task Scheduler history, I discovered errors showing that my task had failed to launch. The error value was 2147943645. As the task runs normally when launched manually, I think that the cause may have been that I had the check box for "Run only when user is logged on" selected. Changed it to "Run whether user is logged on or not."

Thursday, January 06, 2011

Well, I have not written anything in a while. I have been concentrating on passing the CISSP exam. Well, this morning I received the email that I passed!! What a relief. Some folks have told me that the CISSP exam was easy; some told me that when they were done they felt good about what they did. Some said that they were able to complete the exam in three hours, and some have told me that they did it using a two-pass method. I did not experience any of these, as for me it was a hard exam and I used all but maybe five minutes of the time that was allowed. In the event that someone else who is interested in obtaining a CISSP stumbles across this post, this is what I did and my experiences.

  1. Attended the SANS MGT414 course taught by Eric Conrad. Eric is very knowledgeable and the same high-quality type of instructor as you would expect from SANS.
  2. I went through the SANS MGT414 OnDemand class. This is self-paced and an excellent value for the money, especially when bundled with a class. IMO, attending a live class is the best experience, but by doing the OnDemand class I was able to learn at my own pace and thus comprehend much more. The class is done by the author of the MGT414 material, Dr. Eric Cole, who is of course an awesome instructor. I really like the assessment questions at the end of each section. You can take it with a passing grade three times, and as the questions are randomized, each assessment is different. On sections that I was not confident in, I purposely failed it many times just to be able to take the assessment over and over.
  3. I also did a lot of questions from cccure.org. I did all 1000 that I was allowed to for free, 25 at a time. I took each quiz at the "Pro" difficulty level. I never felt that I scored as well as I should have, but it did give me a better understanding of the material and helped hammer home key points.
  4. When you sign up for the GIAC GISP exam, you also get access to a complete recording of a previous class in the form of MP3s. Again, this is a class done by the author of the MGT414 material, Dr. Eric Cole, who is of course an awesome instructor. I put the MP3s on my phone, and then whenever I was out walking, or even at night when I was not able to sleep, I would fire up an MP3. I do not think that there was a single time when I listened to the MP3s and did not learn something that I had previously missed. The class just covers too much information.
  5. I purchased Eric Conrad's book CISSP Study Guide. I wish I could tell you that I read the whole thing, but I cannot. I mainly used it for reference when I came across something in the SANS MGT414 course material or off the cccure.org site that did not make sense to me.
  6. On the Wednesday before the ISC2 exam, I took and passed the GIAC GISP exam. This exam was open book, 250 questions with a five-hour limit. Even though I took nearly the whole five hours to take the exam, I did well, and at the time thought, how many ways can they ask about any of the particular subjects in each of the domains? Well, in hindsight I did not realize how wrong I was, as the way that GIAC asks questions and the way that ISC2 asks questions are not even close. GIAC will ask you what something is in a nice one-liner; ISC2 will ask what something might be in a paragraph. On the ISC2 question, you will spend a fair amount of time eliminating the distractors and then trying to relate what's left with one of the answers. In the MP3 recordings, Dr. Cole suggested that you take the ISC2 exam first and then the GISP exam. I asked some other students that had gone through the process and they said that they thought it helped to take the GISP first. Now that it's over, I could be convinced either way. It is nice to have the extra questions leading up to the ISC2 exam, but the type of questions that you get from the GIAC exam did not help me prepare for the ISC2 questions. But after taking the ISC2 exam, I do not know if I would have had the energy to take the GIAC exam, and I am fairly sure that I would not have done as well. Also worth noting is that with the GIAC exam you also get two free practice exams, so 500 additional questions to practice with in addition to the 250 on the GIAC exam itself.
  7. So after the GIAC GISP exam, I spent the remainder of my time doing quizzes off the cccure.org site. On the Friday night before the exam, I stayed at the hotel that was hosting the ISC2 exam. This was well worth the expense, as I was able to get there and chill out before having to go through six hours of torture. I also recommend taking a couple of five-hour energy shots. They will help you stay alert and not make you have to visit the restroom. I am not the type of person that needs any breaks for a six-hour stretch, so I did not worry about snacks or anything like that; the soft drink that I did bring, I did not even open.
  8. Taking the exam was not a bad experience; you get the exam booklet and Scantron all in sealed plastic. The proctor reads his instructions and you just do what he says. When I first started, I felt overwhelmed with the types of questions that I had. I was expecting some analytical questions, but not 250 of them. Once I got to question 50 or so, I was able to just accept it for what it was and settle down. As I read each question I would underline anything that I thought was important to the question and try to focus on just those things when choosing an answer. Generally I was able to eliminate two of the four answers right off the bat and then somehow reason what I thought was the best answer of the two that remained. Usually the question did not seem to be asking something that I did not know about; I just was not confident that I knew what they were asking or how the answers related to what they were asking. I got to question 250 when the proctor announced that there was one hour left. At that point, as my goal was to do a second pass to verify my answers, I started all over again. At the five-hour and fifty-five-minute mark, I was about a third of the way through the second pass. I had changed some answers, but was exhausted and unsure if I was doing myself any good or making things worse. I decided that basically I was not going to save myself in that last five minutes and handed it in.
  9. After the exam I felt done. Luckily I had the foresight to put a few cool beverages in the car on ice. I felt like I was way under-prepared for the exam, felt like none of the practice questions that I had done had helped. I felt like all of the preparation of the MGT414 class was for nothing; I just felt like everything I did had missed the mark and I had failed. Both Eric Conrad and Eric Cole said that that was normal, and they were both right. They were also right about giving me the knowledge that I needed to pass the exam :)

Sunday, September 19, 2010

I am currently sitting here in Las Vegas waiting to start a long day doing what I can to help set up SANS Security 2010. It is a lot of work, but when I think about it, I owe the SANS people and my employer, Texas A&M University, a lot for providing me this opportunity. Through the SANS work study program, SANS has made the costs economical enough for my employer to be able to send me. I have been able to obtain six GIAC certifications and plan on renewing and obtaining at least one more before the year is out.

Through working with many of the instructors in the work study program, I have gotten to know them behind the scenes. In the last ten years, I have attended a large number of conferences and training sessions and I can tell you that all of the SANS instructors are hands down the best in their fields.

Back at home in Texas, folks have two great opportunities coming up.

SANS San Antonio - http://www.sans.org/san-antonio-2010/
SECURITY 504 in Houston - http://www.sans.org/houston-2010-cs/description.php?tid=4347

Both of these events promise to be the high quality that you normally expect from any SANS conference.

Tuesday, September 14, 2010

Too cool. Today I started thinking about a wiki that I have running on a virtual machine under VMware ESX. Wouldn't it be cool if I could just download a virtual machine from ESX and start it up under VMware Workstation on my desktop? Well, that is absolutely what you can do. It works like a dream.

The following was performed with vSphere Client version 4.1.0 and VMware Workstation 6.5.4.

Bring up the vSphere Client and select the VM to view its settings. On the Summary tab, right-click the datastore volume under the Resources pane and select "Datastore Browser". In the pop-up window, browse to the directory that contains the virtual machine of interest. Once the directory is selected, click the "Download a file from this datastore to your local machine" button at the top and choose a location on the local machine. You need the whole directory, not just the ".vmx": the ".vmdk" descriptor and the "-flat.vmdk" disk image are what hold the machine's data. Once the download is complete, simply open VMware Workstation, open the ".vmx" file that was downloaded, and VMware Workstation will happily read it in.

The next thing that I recommend is that you edit its settings and disable its network interface so that you do not create any unforeseen issues on the network. Start the virtual machine and configure it to use DHCP rather than the static IP address that was previously configured. Shut it down, change the network to NAT and enable the interface. Start the virtual machine back up and it is good to go. You are now able to connect to the local wiki just as I am able to connect to the one on ESX in production.

I am confident that I could have just started the virtual machine and reconfigured the network and restarted and all would have worked as well. But I wanted to make sure that everything is nice and clean and set the way that it is supposed to be. That way, after I have slept and forgotten everything, it still works the next time that I start it.
So what does this mean? The good thing is that the wiki that has all of our documents on how we have machines set up and configured can now be downloaded and brought up anywhere in the case of disaster recovery. The bad thing is that it means that anyone who has access to your datastore can easily download a copy of your virtual machine, disks and all, and bring it up anywhere, and you may never know. In vSphere that access is gated by the Datastore privileges (Browse datastore, plus Low level file operations for reading files through the browser), so check which roles carry them. I guess that if someone has access to your VMware datastore, you have far bigger issues than worrying about whether they have downloaded a virtual machine, as they can simply delete it, so make sure you know who has access to it and how.
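The "disable the network interface first" step above is really an edit to the downloaded ".vmx" file, and it matters for the reason the last paragraph gives: the copy carries the production machine's identity. The following is an added example, not code from the original post, that makes that edit for every virtual NIC in a ".vmx". The sample ".vmx" is constructed and far shorter than a real one; the keys it touches (ethernetN.present, ethernetN.networkName, ethernetN.connectionType, ethernetN.startConnected, uuid.action) are standard VMware configuration keys.

```python
"""Added example, not from the original post: prepare a .vmx file that was
downloaded from an ESX datastore so the copy comes up isolated in VMware
Workstation. The sample .vmx below is constructed and much shorter than a
real one."""
import re

SAMPLE_VMX = """\
.encoding = "UTF-8"
config.version = "8"
virtualHW.version = "7"
displayName = "wiki"
scsi0:0.fileName = "wiki.vmdk"
ethernet0.present = "TRUE"
ethernet0.networkName = "VM Network"
ethernet0.addressType = "generated"
ethernet0.startConnected = "TRUE"
ethernet1.present = "FALSE"
"""

VMX_LINE = re.compile(r'^\s*([^\s=]+)\s*=\s*"(.*)"\s*$')


def parse_vmx(text):
    """A .vmx is a list of key = "value" lines; return them as an ordered dict.
    Lines that do not match (comments, blanks) are dropped."""
    cfg = {}
    for line in text.splitlines():
        m = VMX_LINE.match(line)
        if m:
            cfg[m.group(1)] = m.group(2)
    return cfg


def quarantine_network(cfg):
    """Return a copy of `cfg` with every present virtual NIC disconnected and
    moved to NAT, and the VM marked as a copy.

    The download carries the production VM's static IP, its MAC address and
    the ESX port-group name. Started bridged, it would be a second host with
    the production machine's identity on the LAN; disconnected and on NAT it
    can be switched to DHCP first, as the post describes."""
    out = dict(cfg)
    for key, value in cfg.items():
        m = re.match(r"(ethernet\d+)\.present$", key)
        if not m or value.upper() != "TRUE":
            continue
        nic = m.group(1)
        out.pop(f"{nic}.networkName", None)      # ESX port group; meaningless on Workstation
        out[f"{nic}.connectionType"] = "nat"
        out[f"{nic}.startConnected"] = "FALSE"   # reconnect by hand once the guest uses DHCP
    # Answer Workstation's "moved or copied?" question as "copied": a new UUID
    # is created, and with addressType "generated" the MAC is derived from it,
    # so the clone no longer shares the production VM's MAC address.
    out["uuid.action"] = "create"
    return out


def render_vmx(cfg):
    """Serialise back to .vmx syntax."""
    return "".join(f'{key} = "{value}"\n' for key, value in cfg.items())


if __name__ == "__main__":
    print(render_vmx(quarantine_network(parse_vmx(SAMPLE_VMX))), end="")
```

Run it against the real ".vmx" (read the file, pass its text to parse_vmx, write render_vmx back) before the first Workstation boot; the keys Workstation's settings dialog would set are the same ones.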

Tuesday, August 10, 2010

So occasionally I need to transmit files securely without the worry of them somehow falling into the hands of an unintended recipient. I remember during one security incident, the security personnel correctly requested that all evidence be encrypted. This seems a simple enough task. But wait, without any kind of infrastructure set up, how? I do not want to email them a password to decrypt the file; just as I do not want them knowing my password, I do not want to know theirs. In a perfect world, all of our email would be encrypted to start with, but again, without the infrastructure in place, getting a certificate and configuring your email client to encrypt your email can be a real pain in the rear when all you want to do is securely send someone a file. And once the intended recipient receives it, are they going to just leave an unencrypted copy lying around? I hope not.

Well, one really simple way is to use PGP or the open source GPG (GnuPG). Now there are lots of how-tos, quick starts and cheat sheets on how to use these tools, so it is well worth your time to do a few Google searches and get a wealth of information.

GPG can be downloaded for your particular platform from http://www.gnupg.org/. You will need it and your intended file recipient will need it as well. Once downloaded, it is always a good idea to make sure that you downloaded what you think you downloaded: compare the checksum of the file against the one published on the download page, and once you have a working, trusted gpg, verify the release signature that is published alongside it.

Rather than duplicating yet another how-to, quick start or cheat sheet, a good place that I have found to start is http://www.madboa.com/geek/gpg-quickstart/. They have outlined a good process of creating a key pair, encrypting a file and then decrypting it. No need for me to waste your time here. One thing worth adding: before you encrypt anything to the recipient's public key, confirm its fingerprint with them over a second channel (phone, in person), since a key that simply arrived by email could have been swapped in transit.

One more tip: if you have problems importing your recipient's public key, don't forget about the good ol' unix2dos and dos2unix tools to remove any carriage returns. Shouldn't be necessary, but it may be worth keeping in the back of your head.
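The whole exchange described in this post, driven from Python so it can be repeated without touching anyone's real keyring, as an added example that is not from the original post or from the madboa quick start: both parties generate a key pair, the recipient's public key is exported and imported (with the carriage-return cleanup from the tip above applied on the way), the fingerprint is compared, and a file is signed, encrypted to the recipient and decrypted again. The names, addresses and sample plaintext are constructed; the empty passphrases are for the demo only; it requires gpg 2.1 or later on the PATH.

```python
"""Added example, not from the original post: a two-party GnuPG exchange
driven from Python with throwaway keyrings so nothing touches ~/.gnupg.
Requires gpg 2.1 or later on PATH. Names, addresses and the sample
plaintext are constructed for the demo."""
import os
import shutil
import subprocess
import tempfile


def gpg(home, *args, stdin=None):
    """Run gpg against the keyring directory `home` in batch mode (no prompts)
    and return its stdout. Raises CalledProcessError on a non-zero exit."""
    cmd = ["gpg", "--batch", "--quiet", "--no-tty",
           "--pinentry-mode", "loopback", "--passphrase", "", *args]
    env = {**os.environ, "GNUPGHOME": home}
    return subprocess.run(cmd, input=stdin, capture_output=True,
                          check=True, env=env).stdout


def fingerprint(home, uid):
    """Primary-key fingerprint for `uid`, parsed from --with-colons output
    (the first 'fpr' record belongs to the primary key)."""
    out = gpg(home, "--with-colons", "--fingerprint", uid).decode()
    for line in out.splitlines():
        fields = line.split(":")
        if fields[0] == "fpr":
            return fields[9]
    raise LookupError(uid)


def strip_cr(data):
    """The dos2unix step: drop carriage returns a mail client may have added."""
    return data.replace(b"\r\n", b"\n")


def gpg_roundtrip(plaintext=b"evidence: constructed sample data\n"):
    """Generate keys for both parties, exchange public keys, sign+encrypt a
    file to the recipient and decrypt it. Returns 'ok', a failure label, or
    'gpg-not-found' when no gpg binary is available."""
    if shutil.which("gpg") is None:
        return "gpg-not-found"
    work = tempfile.mkdtemp()
    sender = os.path.join(work, "sender")
    recip = os.path.join(work, "recipient")
    try:
        for home in (sender, recip):
            os.mkdir(home, 0o700)            # gpg warns on looser permissions
        # 1. each party generates a key pair (empty passphrase: demo only)
        gpg(sender, "--quick-gen-key", "Sender (demo) <sender@example.com>",
            "default", "default", "never")
        gpg(recip, "--quick-gen-key", "Recipient (demo) <recipient@example.com>",
            "default", "default", "never")
        # 2. recipient exports an ASCII-armored public key; simulate a mail
        #    client that rewrote it with CRLF line endings on the way
        armored = gpg(recip, "--armor", "--export", "recipient@example.com")
        mangled = armored.replace(b"\n", b"\r\n")
        # 3. sender normalises line endings and imports the key
        gpg(sender, "--import", stdin=strip_cr(mangled))
        # 4. out-of-band check: the fingerprint the sender now holds must match
        #    what the recipient reads out over the phone (here: their keyring)
        if fingerprint(sender, "recipient@example.com") != \
                fingerprint(recip, "recipient@example.com"):
            return "fingerprint-mismatch"
        # 5. sign and encrypt. --trust-model always only because step 4 was
        #    done by hand; in batch mode gpg otherwise refuses an uncertified key
        ciphertext = gpg(sender, "--trust-model", "always",
                         "--recipient", "recipient@example.com",
                         "--sign", "--encrypt", stdin=plaintext)
        # 6. recipient imports the sender's public key so the signature can
        #    be checked, then decrypts
        gpg(recip, "--import",
            stdin=gpg(sender, "--armor", "--export", "sender@example.com"))
        decrypted = gpg(recip, "--decrypt", stdin=ciphertext)
        return "ok" if decrypted == plaintext else "plaintext-mismatch"
    finally:
        for home in (sender, recip):         # stop the agents started per keyring
            try:
                subprocess.run(["gpgconf", "--kill", "gpg-agent"],
                               env={**os.environ, "GNUPGHOME": home}, check=False)
            except OSError:
                pass
        shutil.rmtree(work, ignore_errors=True)


if __name__ == "__main__":
    print(gpg_roundtrip())
```

In real use the recipient's key arrives over email and step 4 is a phone call, not a second keyring; --trust-model always is the batch-mode substitute for signing the key locally after that call, and without that check it silently defeats the point of the exercise.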

Tuesday, July 27, 2010

So, the next time that you happen to be in a mentor training session and someone named John Three, who knows way more than you, asks you about TCP fragmentation, don't be like me and say that it does not exist. It does. Not in the IP header, where you have the MF/DF flags along with the fragment offset, but in overlapping TCP data segments which may get sent in the wrong order.

Mark Baggett discusses the issue in his blog.

The two things that I would add to his research are: first, when using fragroute, you have to do an initial ping to the host to get the path into the ARP table. Second, as Mark indicates, his was done using BackTrack 3. To get the same results in BackTrack 4, you first have to disable reverse-path filtering by doing a:

echo 0 > /proc/sys/net/ipv4/conf/all/rp_filter

This was discovered by searching and finding a post on the Ubuntu Forums.

Two caveats on that setting. The kernel applies the higher of conf/all/rp_filter and conf/<interface>/rp_filter to an interface, so if the per-interface value is still 1 you must clear that one as well (echo 0 > /proc/sys/net/ipv4/conf/eth0/rp_filter, substituting your interface). And reverse-path filtering is what makes the box drop packets whose source address is not routable back out the interface they arrived on, so while it is off you have lost that spoofing protection; it is a test-box setting, and it does not survive a reboot unless you put it in /etc/sysctl.conf.

In a follow-up with Mark, he brought to my attention another potential issue with reverse-path filtering.
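What "overlapping TCP data segments sent in the wrong order" does to a receiver is easiest to see with a toy reassembler. The following is an added example, not from Mark Baggett's post or from the original, that rebuilds a stream from segments in arrival order under two simplified policies: keep the first byte seen for an offset, or let later data overwrite it. Which policy a given OS or IDS actually uses is not stated on the page and varies between implementations, so the policies are illustrations, not a claim about any particular system; the arrival sequences are constructed.

```python
"""Added example, not from the original post or Mark Baggett's: a toy model
of TCP segment reassembly showing why overlapping, out-of-order segments
(the kind fragroute's tcp_seg module emits) matter. Two simplified policies
are modelled; real stacks and IDS engines use several more."""


def reassemble(segments, policy):
    """Rebuild the byte stream from (seq, payload) pairs given in ARRIVAL
    order, with seq relative to the start of the stream.

    policy 'first': the byte that arrived first for an offset is kept
    (later overlapping data is ignored).
    policy 'last':  later data overwrites what was already buffered.
    Only the contiguous prefix starting at offset 0 is delivered, as a
    receiver would do; data beyond a hole stays buffered."""
    if policy not in ("first", "last"):
        raise ValueError(policy)
    buffered = {}
    for seq, payload in segments:
        for i, byte in enumerate(payload):
            offset = seq + i
            if policy == "last" or offset not in buffered:
                buffered[offset] = byte
    delivered = bytearray()
    while len(delivered) in buffered:
        delivered.append(buffered[len(delivered)])
    return bytes(delivered)


# Constructed arrival sequences:
# - decoy bytes for offsets 2-3 arrive first, then a full segment covering
#   offsets 0-5 overlaps them with the real data
OVERLAP = [(2, b"XX"), (0, b"ATTACK")]
# - plain out-of-order delivery with no overlap
OUT_OF_ORDER = [(3, b"ACK"), (0, b"ATT")]
# - a segment was lost: nothing after the hole is delivered
HOLE = [(0, b"AT"), (4, b"CK")]


def compare_policies(segments):
    """The same wire traffic as seen by a 'first' and a 'last' reassembler.
    When the two differ, a monitor using one policy and a target using the
    other disagree about what was sent, which is the evasion."""
    return {policy: reassemble(segments, policy) for policy in ("first", "last")}


if __name__ == "__main__":
    for name, segs in (("overlap", OVERLAP), ("out-of-order", OUT_OF_ORDER),
                       ("hole", HOLE)):
        print(name, compare_policies(segs))
```

For the OVERLAP case the 'first' reassembler delivers ATXXCK and the 'last' one delivers ATTACK, from identical packets; an IDS that picks the wrong policy for the host behind it inspects a string the host never sees, while plain reordering without overlap (OUT_OF_ORDER) gives the same answer under both policies.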
