You can read each article at its corresponding link:

• Part 1 – ARP Cache Poisoning

• Part 2 – DNS Spoofing

• Part 3 – Session Hijacking

• Part 4 – SSL Hijacking

The best resource for more information on CloudShark seems to be their FAQ:

What is CloudShark?

CloudShark is a web site that displays network capture files right in your browser instead of running desktop tools such as Wireshark. You upload, link, or email your capture files and we’ll display them.

Why CloudShark?

We work with network capture files on a daily basis. After trying to view capture files on mobile devices without Wireshark support, we realized it was time to move packets to the cloud. The CloudShark idea was born. CloudShark was created to make viewing capture files easy from any device ranging from desktops to smart phones. After creating our own solution, we decided to make it available to everyone as CloudShark.org.

How does it work?

* Generate your capture file or use an existing capture file
* Email it, upload it, or link it
* CloudShark does the rest by providing a decode session
* If you email CloudShark with an attached capture file, we’ll email you back with a link to your decode session
* Send your capture files as an attachment to cap@cloudshark.org
* If you are in the browser already, we’ll drop you into your decode session

Are my capture files publicly accessible?

While the URLs to your decode session are not publicly shared, we make no claims that you data is not viewable by other CloudShark users. For now, if you want to protect sensitive data in your capture files, don’t use CloudShark.

Is there any limit to the size of the capture file I can upload?

Capture files are currently limited to 512 Kbytes. Larger files will be rejected.

Can I delete my decode session after I am done with it?

Not directly. Eventually it will be deleted when the disk space is recycled.

How long is my decode session available?

CloudShark is not a file storage site. We’ll try to keep your files around, but obviously there is a limit to the amount of files we can keep around. If the link to your decode session is no longer working, you may need to upload the capture file again. In the future we may provide persistent storage, but for now you should store your capture files somewhere else.

What capture formats are supported?

CloudShark uses tshark to do the actual decoding. tshark supports several capture files from other tools besides Wireshark. See http://wiki.wireshark.org/FileFormatReference.

I have a capture file hosted on my web site. Is there an easy way I can link a CloudShark decode session to this capture file?

Yes. You can create a CloudShark link that includes a URL to your capture file. Here is an example:

http://www.cloudshark.org/view?url=http://packetlife.net/captures/TCP_SACK.cap

Who are you?

CloudShark was created by QA Cafe. We are the creators of CDRouter, the leading CPE testing solution. We spend a lot of time working with capture files. You can visit us at qacafe.com.

Is this project connected to Wireshark.org?

No, not directly. We do use Wireshark, tshark actually, on our back end.

How can I contribute?

If you have any ideas, you can contact us at info@cloudshark.org.

Kudos to the folks at QA Cafe for putting this together! You can visit CloudShark at http://www.cloudshark.com and you can follow Cloudshark developments on Twitter at @Cloudshark.

The topic is “Then What Happened…Stories and Lessons in Incident Response”

Dive into recent attack packet analysis with Chris Sanders to reveal the dirty truth about recently investigated incidents.

Learn key factors in how exploits were detected, the analysis method used to determine sources…
You will also see methods used to determine the severity level of exploits and the power they may really have in your environment…

I’ll be covering some exciting things including some of the fundamental skills for intrusion analysts, tips for building your incident handling team, “packet math”, and analysis of recent attacks including a newly release 0-day.

Look forward to seeing you there! For more information including directions, check here http://www.issa-kentuckiana.org/.

• ShmooCon, Washington DC – Feb 5-7
• SANS 2010, Orlando FL – Mar 6-15

I’m also planning on attending HOPE [Tentative] (NYC), Phreaknic (Nashville), Defcon (Vegas), and Black Hat (Vegas) this year.

Please join Mentor Chris Sanders starting on March 18 for Security 504: Hacker Techniques, Exploits and Incident Handling.

Experience this local class and SANS award winning security training first hand in the popular Mentor format!

Chris Sanders will be leading this 36 CPE credit class in Bowling Green, KY.

For complete course details and registration information, please click on http://www.sans.org/info/52263.

About the course:

By helping you understand attackers’ tactics and strategies in detail, giving you hands-on experience in finding vulnerabilities and discovering intrusions, and equipping you with a comprehensive incident handling plan, the in-depth information in this course helps you turn the tables on computer attackers. This course addresses the latest cutting-edge insidious attack vectors and the “oldie-but-goodie” attacks that are still so prevalent, and everything in between. Instead of merely teaching a few hack attack tricks, this course includes a time-tested, step-by-step process for responding to computer incidents; a detailed description of how attackers undermine systems so you can prepare, detect, and respond to them; and a hands-on workshop for discovering holes before the bad guys do. Additionally, the course explores the legal issues associated with responding to computer attacks, including employee monitoring, working with law enforcement, and handling evidence.

Students study SANS Hacker Techniques, Exploits & Incident Handling course books at their own pace. Each week, students meet with SANS Local Mentor, who will lead class discussions, provide hands-on demonstrations, point out the most salient features, and answer questions. The Mentor’s goal is to help students grasp the more difficult material, master the exercises, and prepare them for GCIH certification.

This challenging course is particularly well suited to individuals who lead or are a part of an incident handling team. Furthermore, general security practitioners, system administrators, and security architects will benefit by understanding how to design, build, and operate their systems to prevent, detect, and respond to attacks.

These courses are great for folks who want SANS level training but don’t have the travel budget to go to a conference for a week. I’m very excited to bring something like this to my area…security training around here is slim pickins! Bowling Green is very centrally located and is only an hour from Nashville, TN, two hours from Louisville, KY, two hours from Lexington, KY, and two hours from Paducah, KY.

Also, I will be donating 20% of my teaching fee to the Rural Technology Fund, a 501(c)(3) non-profit organization which provides scholarships to high school students pursuing technical majors.

Free free to e-mail me with any questions, or visit the course website here: http://www.sans.org/info/52263.

I participated in the CTF event that was put together by Adrian “Irongeek” Crenshaw (http://www.irongeek.com and @irongeek_adc). This is only the second CTF I’ve participated in (the first being the SANS Sec 504 CTF in San Diego) and I was really pleased with it.

You can view a write up and a brief video on the technical details of the CTF here: http://www.irongeek.com/i.php?page=videos/louisville-infosec-ctf-2009.

My team ended up coming in fourth. The winning team was led by Dave Kennedy (http://securestate.blogspot.com/) who won by a pretty good margin, and the second, third, and fourth place teams all finished within about ten minutes or so of each other.

This was the second event I’ve attended that involved the Kentuckiana ISSA and Adrian and I’ve really enjoyed being involved. I think I’ll be joining ISSA in the very near future.

I wasn’t able to attend many of the talks due to being involved with the CTF but my colleagues who did spoke very highly of all of the speakers.

A big thanks to Adrian and the Kentuckiana ISSA for organizing this! I can’t wait until next year!

I wanted to take a moment and link a pair of recent articles I’ve written for WindowsSecurity.com.

September 2nd – Securing Application Execution with Microsoft AppLocker

September 23rd – Maintaining, Mandating, and Mitigating Privacy in Internet Explorer 8

Enjoy!

I’ve used various GFI products for several years and remember using LANguard many years ago while working for the Department of Education. As I have taken on a more security-focused role in my new position with EWA GSI I have found myself using LANguard again and am enjoying the newest version of the product just as much as I did the older versions.

The big three features LANguard boasts are vulnerability management, patch management, and network auditing. I’ll address each of those individually.

Vulnerability Management

My primary use of LANguard has always been in this category. Some of my earliest learning experiences with network security were centered on LANguard security scans and in my current security role I’m making use of it right where I left off.

The scanning engine boasts over 15,000 scanning signatures and does seem to be quite thorough. I compared GFI LG scans side by side with Nessus scans on the same hosts and found the reporting from the LG scans were picking up quite a few more items of interest when it came to Windows hosts. The scanning options are quite robust and the reporting and remediation interface couldn’t be much better. 

Patch Management

I’ve previously always used WSUS for patch management. However, if you’ve used WSUS you know that it can sometimes be unreliable and the reporting and troubleshooting features associated with it are still greatly lacking. I’m no longer directly managing a network so I evaluated the patch management features of LG on my home network and was pleasantly surprised.

I ran several scans against the devices on my networks and some of the virtual machines in my test networks that I had purposely halted automatic updates on. LG reported the missing updates on these machines and I was able to efficiently deploy those updates to the machines. I’ve always thought OS updates should be something that “just works” and LG fit the bill on this.

Network Auditing

There is a LOT of competition in this area but I was really impressed with what LG could offer here. I think a network auditing solutions biggest weak point is usually the reporting interface, and just as with the other areas of LG, the reporting is pristine. Not only can you perform on the spot audits, but you can also check for things such as illegal software installations by running comparisons against baseline audits.

Pricing

GFI has released a full-featured FREE version of LANguard to be used for up to 5 IPs. After that, pricing is done on a per-IP basis with prices starting from around $32USD per IP for a 10-24 IP block.

Conclusion

I’ve always thought GFI was a great company with some really great products and LANguard 9.0 only helps to reinforce this opinion. I will continue to use the product alongside Nessus for my security scanning needs and would fully recommend it for network management and auditing.

You can check out LANguard and other GFI products at http://www.gfi.com.

Article Introduction:

The tricky thing about a wireless network is that you can’t always see what you’re dealing with. In a wireless network, establishing connectivity isn’t as simple as plugging in a cable, physical security isn’t nearly as easy as just keeping unauthorized individuals out of a facility, and troubleshooting even trivial issues can sometimes result in a few expletives being thrown in the general direction of an access point. That being said, it shouldn’t come as a surprise that analyzing packets from a wireless network isn’t as uninvolved as just firing up a packet sniffer and hitting the capture button.

 
In this article I’m going to talk about the differences between capturing traffic on a wireless network as opposed  to a wired network. I’ll show you how to capture some additional wireless packet data that you might not have known was there, and once you know how to capture the right data, I’m going to jump into the particulars of the  802.11 MAC layer, 802.11 frame headers, and the different 802.11 frame types.

The goal of this article is to provide you with some important building blocks necessary for properly analyzing wireless communications.

 

 

You can view the full article in the (In)Secure Magainze June issue, which can be obtained here: http://www.net-security.org/insecuremag.php.

You can view the article here:

http://www.windowsecurity.com/articles/Locking-Down-Windows-Server-2008-Terminal-Services.html

There are two main ways this is done -

Scholarships – This year the RTF is giving away two $500 scholarships. Hopefully we can give away much much more next academic year.

The Genesis program – Working with county youth service centers and local businesses, this program aims to utilize area volunteers to refurbish donated business PC’s for donation to students who do not have computers at home. The Genesis program gives birth to opportunities for these students and their families.

How can you help?

Packet Analysis Training - A portion of the income from EVERY training program I do goes directly to the RTF. This includes live training downloadable videos (coming soon).

Monetary Donations – The RTF is accepting donations, and all of those donations are tax deductible.

Computer and Equipment Donations – The Genesis Program is accepting donated computers to be refurbished and donated to students in needs. These computers should be in fairly decent condition and at least have a functioning motherboard and processor. We are also accepting monitor, keyboard, mouse, and software donations.

For more information on the Rural Technology Fund, check out www.ruraltechfund.org.

You can see a schedule of Laura’s training at http://www.chappellseminars.com/schedule-name.html.