Threat Level: green Handler on Duty: Didier Stevens

SANS ISC: Summer/Winter Vacation Book Suggestions and Hacking Challenges SANS ISC InfoSec Forums

Watch ISC TV. Great for NOCs, SOCs and Living Rooms:

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Summer/Winter Vacation Book Suggestions and Hacking Challenges
Today?s blog-fest is done?

If you want to read yesterday?s fascinating diary from handler extraordinaire Scott Fendley, click

Update on CA Antivirus Vet Library Vulnerability

Yesterday?s diary mentioned that it could be tough for consumers to determine if they have a vulnerable version of the Vet Library. CA has published detailed directions on how to do this in their advisories, and they?re pretty straightforward. For details, please check out the EZ Antivirus/Armor product support site at

Also, you can look at these detailed instructions for checking product versions:

These links were also included in the original advisory CA sent to
BugTraq, NTBugTraq, SecurityFocus, FrSIRT, Secunia, CERT, US-CERT,
OSVDB, ISS X-Force, SecurityTracker, PacketStorm, Mitre CVE,
SecuriTeam, and Full-Disclosure (among others).

CA pointed out to us: ?Our advisory and web site advisory page both list affected versions, how to determine which version you have, and what you need to do to protect yourself. Vet engine 11.9.1 or later indicates that you are protected if you are using any of our corporate products, or the latest major releases of our consumer products (EZ Antivirus 7.x and EZ Armor 3.x). Users of EZ Armor 2.4.4 should upgrade to v3.1. This is of course a free upgrade for all licensed users.?

A Little Websense Trouble with Google and Other Redirect Issues

Reader Hal Logan wrote in to tell us that his websense proxy started blocking users this morning when they clicked on Google search results done through the Google search bar, or when Google had set a cookie in the browser. It appears that when a user searched for ?Internet Storm Center?, the Google search bar (or regular Google with the cookie) gave results that pointed to Google, but with a redirect to Given this unexpected redirect result, websense filtered this as being ?Phishing or other Fraud.? To handle this, Hal and his team had to put in a whitelist for their Websense systems. Thanks for the heads up!

UPDATE: Christian Wyglendowski (type that 3 times fast) sent us a phish message that included a URL with a redirect off of a server in the domain going to the phisher?s bogus website. The phish dudes must be thinking that URL/URI blocklists will let the request to zdnet through. As of now, it looks like the zdnet folks have disabled the redirector. Watch for more of this redirection nastiness in the near future!

Books for Summer/Winter Vacation/Holiday

I was dreaming when I wrote this.

Forgive me if it goes astray.

But when I woke up this morning,

I was shocked to see the end of May!

Yes, folks, the end of May is upon us. Before long, those of us in the Northern Hemisphere will be lazily frolicking at the beach and enjoying Summer barbeques. Readers in the Southern Hemisphere will soon enjoy hot chocolate at the ski lodge, NOP sledding with the kiddies, and snowball fights in places like the Australian Outback, the Brazilian Rainforests, and Sub-Saharan Africa. With a little time off for vacation/holiday, I like to curl up with an engrossing information security book, as I?m sure all of you do as well.

But, new infosec books are released all the time, and it can be hard to keep up with the latest and greatest. Not all of us have a
ability to devour, analyze, and comment intelligently on each and every book our industry churns out.

Today, we asked for help in creating a summer reading list of infosec books. We asked for tomes that have majorly changed your life, or significantly influenced your thinking. PLEASE DON?T SEND ANY MORE SUGGESTIONS? WE?RE FULL NOW. ; )

Also, please note that we asked folks not to mention my own books, because my adding those to this list would be
. ; )

1) Christopher Croad has a stellar recommendation: _The_Shellcoders_Handbook_: Discovering and Exploiting Security Holes. Chris writes:

?After getting my first peek of the workings of buffer overflows in SANS SEC504, I became somewhat...well... obsessed with the topic. This book has helped to open even more doors on the topic for me, mainly because I have had to read and study other material just to comprehend the tome. A newer book (Category B), it is (at least for me) somewhat advanced, and has taken a bit of effort to get through, but it has been worth the time spent.? ?- Chris Croad

2) Richard R. Carlin has a recommendation for a book I have not read, but which sounds pretty interesting: _The_Process_of_Network_Security_ by Thomas A. Wadlow. Richard writes:

?Well, this book certainly falls into the ?A? category because after reading it I became a believer in the ?process? of security over the paranoid fortress mentality I'd had previously. It is a corporate security professional must-read.? -? Richard R. Carlin

3) Chris Compton, a brilliant guy whom I respect very much, recommends _Spec_Ops:_Case_Studies_in_Special_Operations_Warfare:_Theory_and_Practice_ by William H. McRaven. Although I haven?t personally read it, I?m definitely going to add it to my own summer reading list! Chris writes:

?While not directly about information security, this book develops a theoretical model for small-unit asymmetrical operations that has direct implications for the successful planning and implementation of InfoSec objectives. The books is engagingly and concisely written, using examples of both successful and failed missions to identify key elements of success in a tactical environment. I've found that these principles directly and neatly map to the InfoSec mission, where we have small, highly-skilled teams engaging a much larger opposing force of u1+r4 1337 script kiddies and black-hats.? ?- Chris Compton

4) Brian sent in a recommendation for a non-technical infosec book that I totally loved. It?s a classic in our field, and if you haven?t read it yet, I both feel sorry for and envy you. I feel sorry for you because you?ve missed it so far, but I envy you for getting to experience that exciting wonder at first reading it! The book is _The_Cuckoo?s_Egg_, by Clifford Stoll. Brian writes:

?This book, while technologically ancient, is still an entertaining read about tracking bad guys through the maze. It covers (sometimes) less than helpful telecom/ISPs, open networks (universities) and attacks through private govt networks. All still relevant in today's infosec world.? -- Brian

5) Terence E. Shelton has a recommendation that I recommend all the time as well: _The_Art_of_War_ by Sun Tzu. If you haven?t read this with an infosec frame of mind, you must do so! This summer is your chance? Make a commitment to doing it! You?ll be pleased you did so. Terence writes:

?I view [this book] as the original security book. It is not an easy read, but I enjoy pondering its applicability to today?s challenges while laying around on lazy summer vacation days. (Of course, even my own kids think I?m weird.? -- Terence E. Shelton? Welcome to the club, Terence. : )

6) Brian Coyle, GCIA, recommends _The_Soul_of_a_New_Machine_ by Tracy Kidder. I haven?t read this one myself yet, but it sounds intriguing. Brian writes:

?This Pulitzer winner delves into the design and construction of a new computer; hardwiring circuits, writing emulation code, debugging setbacks ? a perfect diversion for the InfoSec professional! I dig this out whenever I feel overworked or need a break.? -? Brian Coyle.

7) Gary Hinson recommends a book I haven?t heard of, but which sounds pretty cool. It?s called _Testing_Computer_Software_ by Cem Kaner, Jack Falk, and Hung Quoc Nguyen. According to Gary:

?This book proves beyond doubt that it *is* possible to write an informative yet enjoyable textbook. I stil lfind it an extremely useful gued to systems testing as part of numerous information security management and IT audit assignments. Their description of the internal politics that surrounds the testing process definitely rings true.? ? Gary Hinson

8) Chris Byrd recommends _Inside_the_Security_Mind:_Making_the_Tough_Decisions_ by Kevin Day. Chris says:

?This book is a must-read for new and seasoned InfoSec professionals alike. It presents a simple list of rules and ideas that encompass why even well funded and well staffed security efforts can fail. Kevin Day presents this information in a likeable, easy-to-read manner.? -- Chris Byrd

9) Danny Quist has a great great great recommendation: _Hacking:_The_Art_of_Exploitation_ by Jon Erickson. Any book that numbers its chapters in Hex is alright by me!! : ) According to Danny:

?This book contains hands-on technical information on all sorts of exploitation methods and techniques. This isn?t a defense book so much as offense. Understanding the deep, dark technical side of the vulnerabilities is an important part for defensive computing.? ? Danny Quist

10) Andre? M. Di Mino cites another one of my favorites: _Know_Your_Enemy_ by the Honeynet Project. That?s a fine tome, my friend. Andre? (who really does have an apostrophe in the first name) says:
?When I read this book several years ago, it truly motivated me to learn as much as I could about the offensive maneuvers in the infosec war, rather than just the defensive tactics. Reading this book provided me with a great springboard into studying more about data analysis, forensics, honeypots, IDS, and firewalls?.? ? Andre? M. Di Mino

11) Jerry Hailey cited one of my all time favorite non-tech books: _The_Code_Book_ by Simon Singh. Jerry himself didn?t describe the book, but I?m telling you? this one is awesome. It?s a history of cryptography and cryptanalysis and a description of how the two influence history, from ancient times to today. It?s great, and Simon Singh is a marvelous author. I loved his other book, _Fermat?s_Enigma_, and have added his new book on cosmology, _Big_Bang_ to my own Summer reading list!

12) Andreas cites a must-have reference book for the shelf: _TCP/IP_Illustrated,_Volume_1:_The_Protocols_. Andreas writes: ?There?s no better guide to TCP/IP than this book? I still use it in my everyday work.? -- Andreas.

13) Lucky thirteen goes to Charles Hamby, who points out the great book _Intrusion_Signatures_and_Analysis_ by Cooper, Northcutt, Fearnow (not yesterday, not tomorrow, but fear right NOW), and Frederick. Charles writes: ?I picked up this book when it first came out. It was very technical and I had to read it several times? You could say that this really was what turned me on to InfoSec.?

14) Ray Ellington mentioned a book that sounds fascinating, but could be pretty scary: _Aggressive_Network_Self_Defense_ by Neil R. Wyler. The book has caused quite a stir, based on its analysis of potential strike back options. I?ll be reading it this summer myself. Ray says:
?This book? changed my thinking in a big way. I don?t think I?ll go so far as to implementing the strike-back methods mentioned in the book, but it gave me insight into what ?could? be done? The hacking techniques which take place in the fictitious stories are very advanced and realistic, which make for a fun read.? ? Ray Ellington

15) Robert Arrison points us to _Network_Security:_A_Beginner?s_Guide_ by Eric Maiwald, explaining that, ?No matter how far you are into security, you would be surprised as to how much you forgot? This book runs the gamut on all things security??

16) Matthew C. Huntley mentioned, _Who_Moved_My_Cheese?_ by Johnson and Blanchard. This touching allegory contains various business lessons, and according to Matthew, it is, ?essential for keeping your sanity.?

Hacking Challenges: Know Any Good Ones?

Another topic very near and dear to my heart is the hacking challenges and Capture the Flag events various organizations set up on the Internet. These games involve one or more Internet accessible servers run by the challenge organizers that you are called upon to hack. Fun, mayhem, and sometimes prizes ensue. I frequently get asked about which ones are best. My favorites games like this include something for everyone: simple challenges for newbies ranging all the way up to very complex hacking designed for freakazoid geniuses (there ya go? Soon you?ll be able to Google up: freakazoid ?Internet Storm Center?!).

We asked to hear from you about challenges that you?ve actually played and enjoyed? not ones that you?ve heard about or Googled up. Any of us can simply Google on ?Hacking Challenges?. PLEASE DON?T SEND ANY MORE SUGGESTIONS? WE?RE FULL NOW HERE AS WELL. ; )

I) Four great challenges at the
. These wonderful challenges range from easy to quite tricky. Lots of fun!

sponsored by WindowsITPro.

III) Alex Everett writes in about this challenge, which looks fantastic:

?By far my favorite hacking challenge site is There are so many available hacking areas from web application attacks, SQL Injection, encryption/decryption, disassembly, etc. They also sponsor a real hack challenge entitled ?root this box? where secured servers such as a brickserver reside. Once you sign up you can compete in the challenges and earn points. They also have extensive forums and chat rooms. I suggest you mention this site. I think that it can be very useful to security analysts and pen testers.? ?- Alex Everett

IV) Mark Pettifor brings up something cool from the cobwebs of history, which is apparently still alive today:

?Your request for ?capture the flag? programs reminded me of the original ?Core Wars? article in Scientific American that I read over 20 years ago. Apparently a modern version of Core Wars is still going on. Here's a short article describing the older Core Wars: . If you go to the root of the web site, you'll find out more about the modern Core Wars being played.? ?- Mark Pettifor

V) Brian Coyle, of ?The Soul of the New Machine? recommendation fame, cites the Honeynet Project as a great source of challenges with their Scan of the Month, at Indeedy! It?s got some great stuff, including Brian?s own work on Scan #29 at

VI) James Walden has created a Capture the Flag environment you can download, and has included target server filesystems (RH 9.0 images for User Mode Linux) and the source code of his Scorebot! All of this and more is available for free at

Thanks for reading--

--Ed Skoudis

Handler On Duty


ed (the ?at? symbol? that SHIFT+2 thingy)


57 Posts
May 26th 2005

Sign Up for Free or Log In to start participating in the conversation!