"Hacking Exposed" Chat (with our own Tony Bradley) -- June 12, 8pm to 10pm

[Simo]

i was there..heres a transcrip from the session =]
the guys with HE in their names wrote the hacking exposed books (duhh!)
anyways this is for you all who missed it, plus since i was in the chat so long netsecurityadm is sending me a free copy of hacking exposed 4th!



HE-Kurtz has entered the room (hostname: XXX.XXX.XXX.XXX)
<netsecurityadm> Welcome
<HE-Kurtz> test msg
<netsecurityadm> We have a few who got here early. I thought we'd wait a few minutes and see if others join and then I'll formally introduce
you
<netsecurityadm> does that sound alright?
<HE-Kurtz> Yes. My applet is having a problem, but I think I can work through it.
<netsecurityadm> OK
Guest503 has entered the room (hostname: XXX.XXX.XXX.XXX)
HE-Gkurtz has entered the room (hostname: XXX.XXX.XXX.XXX)
<netsecurityadm> is that working any better for you?
<HE-Kurtz> Same. I have two sessions, just in case one goes down.
<netsecurityadm> alright. well, I expect we'll get stragglers and people will come and go throughout the session
<netsecurityadm> but I know your time is valuable so I will kick things off
<netsecurityadm> I would like to welcome George Kurtz to our chat session this evening
<HE-Kurtz> Pleasure to be here.
<netsecurityadm> George Kurtz is the co-founder and CEO Foundstone- an information security software, services and education provider
<netsecurityadm> Prior to starting Foundstone Mr. Kurtz was with Ernst & Young as a leader of the Security Profiling Services Group.
<Simo> hello
<netsecurityadm> With his co-authors Stuart McClure (who will be joining us at 9pm) and Joel Scambray he has written four editions of the
popular Hacking Exposed book which is the core of the Hacking Exposed series of books.
<netsecurityadm> With that, I will let the questions begin. If you have questions on information security, the Hacking Exposed books, how Mr.
Kurtz got involved in information security or whatever feel free to ask.
<netsecurityadm> Please keep things civil and take turns asking questions so we can all follow the dialogue easier.
<Simo> ahhh hes here
<Simo> great
<netsecurityadm> Does anyone have anything they would like to ask, or do you want me to get the ball rolling?
<Simo> you go
<Guest503> Mr. McClure, what are the most common vulnerabilities your company finds?
<Guest503> that is mr. Kurtz
<netsecurityadm> Mr McClure is not here yet- he will join us at 9pm
<netsecurityadm> :-)
<HE-Kurtz> This is Mr. Kurtz, but I will answer
<HE-Kurtz> The most common vul - are related to web applications
<HE-Kurtz> That is, home grown applications that use a web server, and backend database
<Charlie> Mr. Kurtz with that in mind, which is more vulnerable, CGI, PHP, Perl scripts?
<HE-Kurtz> Many are riddled with sql injectioni problems, and just down right poorly written
<Charlie> in your experience
<HE-Kurtz> I can't point to one or another, they all can be made sure. It is really a function of how the programmer constructed the script
<Charlie> thankyou
<Guest503> what do you think of the web security products from sanctum and spi dynamics
<HE-Kurtz> There are many products on the market. Tools from sanctum and spi dynamics are good, but you need to know what you are
doing when you use them.
<HE-Kurtz> If you just fire away and think you will get usefull information, you are mistaken.
<netsecurityadm> That is a common issue. People debate whether this OS or that OS is more secure- would you agree that the user's
knowledge is more important than the choice of platform?
<HE-Kurtz> I would definitely agree. If you misconfigure your system or don't take the time to secure it, it will be hacked
<HE-Kurtz> I happen to like openBSD for security...but that is just me
<netsecurityadm> What operating system do you use on your primary personal computer?
<HE-Kurtz> At work I run 2000, but at home I run many O/S. Linux, OpenBSD, windows... my new love is OS X
<netsecurityadm> OS X is alleged to be quite secure and you constantly here that Linux is more secure than Microsoft
<HE-Kurtz> OS X is decent, but I am sure you will start seeing more and more issues
<HE-Kurtz> Anyway, it is a very nice O/S, with a very good UNIX core
<netsecurityadm> It seems to me that Linux has its share of flaws and vulnerabilities, but the media choose to highlight the MS issues more
<HE-Kurtz> People seem to like to pick on MS. They both can be made very secure. Esp when you bolt on other packages
<Charlie> I believe that goes back to Mr Kurtz earlier statement about configuration
<HE-Kurtz> Sure does.
<Charlie> Most Linux users are more educated on configuration MS are not known for telling all
<netsecurityadm> Agreed. I happen to know my way around Microsoft platforms quite well and I only dabble in Linux
<netsecurityadm> I guarantee my MS systems are more secure
<HE-Kurtz> Most home users plug and don't have a clue about security
<HE-Kurtz> Wifi is all over my neighborhood, and nobody bothers to use WEP
<HE-Kurtz> People just don't get it, because they just want to use computers without thinking about security
<HE-Kurtz> Most of them anyway...except for the people that read our books. : )
<netsecurityadm> With broadband and 24/7 connections it seems that these home users are becoming a VERY large weakest link in the
Internet security chain
<Charlie> Again education education education. New users dont use virus scanners until they are hit by one
<HE-Kurtz> they become victims on the information superhighway
<HE-Kurtz> Drive by shootings as I like to say
<netsecurityadm> home users in general want to use a computer like they do their microwave or their TV- turn it on and use it
<Simo> haha
<HE-Kurtz> wrong IP address at the wrong time...
<HE-Kurtz> Yes, that is why OS X is so nice. ; ) Just turn it on and go.
<Guest503> there seems to be a lot of buzz around intrusion prevention. are these products a cure for some of the IDS issues?
<HE-Kurtz> I really like IPS. I have been a big fan of Entercept - now NAI for years. It just plain stops the attacks even if your system is not
patched.
^`0323 has entered the room (hostname: XXX.XXX.XXX.XXX)
<netsecurityadm> Along those same lines- Gartner Group released a report declaring the death of IDS and claiming that more advanced
firewalls will replace it- do you agree with that assessment?
<HE-Kurtz> Maybe... the big issue is fale postives.
<HE-Kurtz> If you react to false postives and block something, you creat denial of service issues
<HE-Kurtz> The technology will have to get better in the comming years to try to address this major issue
<HE-Kurtz> that is false positives... sorry fast on the keyboard today.
<netsecurityadm> the technologies seem to merge and overlap some between the IDS, IPS, firewall- maybe one super combo application
will come out to handle it all?
<HE-Kurtz> A super device is the dream of many vendors. I just don't see anyone there yet.
<Simo> Kurtz, how long do you think when IPv8 will replace IPv6?
<HE-Kurtz> No clue... I don't know much about V8, I think we need to work on V6 first. That will take a long time as well
<Simo> all the subnetting is taking up all the v6 addressing though
<Simo> some colleges are using ipv8 i hear
<netsecurityadm> are you sure you're not confusing V4 and V6?
<Simo> hmmm
<Simo> well im a newbie
<Simo> so i wouldnt know
<netsecurityadm> V4 is the current "standard" and V6 is the new standard being rolled out
<HE-Kurtz> I never heard of V8, but that doesn't mean it isn't a draft
<Simo> ;-)
<Simo> ohhhh
^`0323 Quit (Web Browser closed)
<Simo> thanks i messed up
<netsecurityadm> V6 will help to expand the address pool
<Simo> mixed up my numbers heh
<netsecurityadm> no problem
<Simo> v6 is hex? correct?
<netsecurityadm> I am not that much of a V6 expert- I just know the high level concept behind the new version
<HE-Kurtz> V6 allows for many more addresses and has much better security
<Charlie> how does it provide better security, v6 is just a climb in the number of ips available?
<HE-Kurtz> Authentication and encryption
<netsecurityadm> and you are correct that V6 is being used in some places currently. it is available, but it will take a long time until all V4
devices are replaced
Guest829 has entered the room (hostname: XXX.XXX.XXX.XXX)
Guest829 Quit (Web Browser closed)
<Charlie> I'm sorry can you explain the connectivity between v6 ip addressing and authentication and encryption
<HE-Kurtz> I am not an expert on v6...
<HE-Kurtz> google ip v6 ; )
<HE-Kurtz> 12www.ipv6.org
<Charlie> ok cheers
<netsecurityadm> Aside from your own books, what one book would you say is a ^`201cmust read^`201d for those in information security?
<Simo>
<HE-Kurtz> special ops - from Erik Birkholz
<netsecurityadm> any particular reason? is it just well-written or does it offer some unique perspective or information that isn't found in other
books?
<HE-Kurtz> Great authors and covers a lot of topics
<Charlie> Have you come across the software UPLINK and what are your views on this type of software
<HE-Kurtz> I don't have any experience with it
<netsecurityadm> Charlie- what is Uplink? What is its function?
<Charlie> Allegedly it is a game, but one that teaches users how to bypass logging/proxies and the like
<Charlie> you are given tasks like changing social security numbers, hacking into banks
<Charlie> it teaches you about hacking tools for covering your tracks
<Charlie> etc etc
<netsecurityadm> hhmmm. there are a number of "wargames" sites out there that let you test out your hacking skills on a real server
<netsecurityadm> I have not heard of that one though
<netsecurityadm> Mr. Kurtz- do you get many people complaining that books like Hacking Exposed teach people how to be hackers more
than they help us defend against them?
<HE-Kurtz> No. In fact, people are very happy that we put info out to help them protect their own systems
<netsecurityadm> I agree completely. Have you followed any of the recent debate about the new malware class at the University of Calgary?
<Charlie> I agree. It is better to understand the attack when trying to stop it rather than just instigating a patch.
<HE-Kurtz> I only saw some brief info on it. What do you think?
<netsecurityadm> I agree with the University. I think that, similar to the concept of your books, we need to teach exactly how the malicious
code writers do what they do so we can better understand how to defend against it
<Guest503> i read about dostracker in your book, but it is no longer on the web anywhere. was that tool removed by MCI? if so, are there any
good tools for tracking spoofed attacks?
<HE-Kurtz> Outside of that one, I don't know of any others
<netsecurityadm> The AV community is always in a reactive posture- they can't develop the vaccine until the virus is out so the malicious
code writers get the first move
<netsecurityadm> What do you feel is the area in most need of improvement for corporate information security?
<HE-Kurtz> Education
<HE-Kurtz> If you can just educate people, it would help 10 fold in keeping down break-ins
<netsecurityadm> with budgets as tight as they are- training was one of the first things to go. do you think companies need to re-think how
those dollars are being spent?
<HE-Kurtz> Yes. Even though money is tight, it is worth every penny. 1$ now, will save $10 later.
<netsecurityadm> Have you read Kevin Mitnick's book? It seems that the best of security measures can be broken by one user writing a
password on a sticky-note
<netsecurityadm> One problem with IT in general - and Information Security specifically- is that ROI is hard to prove.
<HE-Kurtz> I have a copy, but haven't read it yet
<netsecurityadm> Do you think it helps to have an understanding of program languages?
<HE-Kurtz> Yes. If you know how the language works, it will help you secure your apps
<netsecurityadm> what programming language are you most proficient in?
<HE-Kurtz> Basic. ; )
<netsecurityadm> What was your first computer?
<HE-Kurtz> TI-994a... and loved it!
<HE-Kurtz> Then went to an Atari
<HE-Kurtz> Then IBM, Sun, and so on
<netsecurityadm> As if you have so much free time (ha ha) ^`2013 what is your favorite hobby outside of your information security life?
<HE-Kurtz> I like to spend time with my family... which is always tough given my schedule
<netsecurityadm> I can relate- 6 kids, 2 cats and a "day job" aside from being the About.com Guide for Internet / Network Security
<netsecurityadm> I'm sure I have more free time than you though
<netsecurityadm> Mr. McClure should be joining us soon- did you have any final thoughts you wanted to share? Does anyone have any last
questions for Mr. Kurtz?
<Charlie> Yes please, do you do this type of thing often and if so where??
<HE-Kurtz> A chat session?
<Charlie> yes
<HE-Kurtz> No, this is new to me, but it was great
<Simo> how much did you make from that book?
<HE-Kurtz> Not enough!
<netsecurityadm> Do you speak or teach often, or are you primarily busy with your CEO duties?
<Simo> im guessing 25k
<Charlie> A lot more by the time IPV8 comes out
<HE-Kurtz> I speak alot, and our classes our popular. Ultimate Hacking 12www.foundstone.com
HE_McClure has entered the room (hostname: XXX.XXX.XXX.XXX)
HE_McClure Quit (Web Browser left the chat web page)
HE_McClure has entered the room (hostname: XXX.XXX.XXX.XXX)
<netsecurityadm> Well, I for one would like to thank you for your time. It has been a pleasure
HE_McClure Quit (Web Browser left the chat web page)
HE_McClure has entered the room (hostname: XXX.XXX.XXX.XXX)
HE_Real_McClure has entered the room (hostname: XXX.XXX.XXX.XXX)
<netsecurityadm> I look forward to speaking / chatting with you again in the future
<HE-Kurtz> Thank you so much!
<HE_Real_McClure> Hello all. Stu signing in...
<Charlie> yeah vmt Mr Kurtz
<Simo> hello mclure
<netsecurityadm> Welcome Mr. McClure- Stuart McClure is president and chief technology officer of Foundstone
<netsecurityadm> Prior to starting Foundstone Mr. McClure was with Ernst & Young as a leader of the Security Profiling Services Group.
<HE_Real_McClure> How goes the chatting?
<Simo> slow
<netsecurityadm> Did the two of you work together at E&Y?
<Buck_K_W> Thank you Mr Kurtz.
<HE_Real_McClure> Yup. We worked nationally and around the world.
<netsecurityadm> What made you decide to leave and form Foundstone?
<HE_Real_McClure> Going into organizations and showing people how insecure their networks were,
<HE_Real_McClure> training their staff, and hunting down hackers...
<Charlie> How did you do the hunting??
<HE_Real_McClure> We wanted to take our esoteric knowledge
Christina has entered the room (hostname: XXX.XXX.XXX.XXX)
<HE_Real_McClure> and automate it into products and services that no one was offering...
<netsecurityadm> Did others from E&Y join you?
<HE_Real_McClure> The hunting occurred when companies got hacked and we would get called in to identify and clean their systems.
<HE_Real_McClure> Companies would also want an assessment of the perpetrator, so we would gather evidence and help determine the
source.
<netsecurityadm> would your forensic investigations lead to arrests or prosecution?
<HE_Real_McClure> We have a number of folks from ex-big 5, government and the military including EY, Deloitte, KPMG, Air Force, Army
<Simo> What is the age group of hackers you have met? mostly i find a majority to be teenagers
HE_McClure Quit (Web Browser left the chat web page)
<HE_Real_McClure> The age of hackers ranges wildly. But I find that the folks who brag about being a hacker is usually of a younger
generation... Yes.
<netsecurityadm> What made you decide to write the Hacking Exposed books?
<Simo> all the younger 1337 h4x0rs? ;-)
<HE_Real_McClure> Two reasons: 1) we wanted a central place of reference for how hackers get in and how to prevent them from getting in.
And 2) at the time, there were no good books that de-mystified the art of security.
<netsecurityadm> The book is one of the best-selling computer books of all time and its been translated into 19 languages- will you continue
to put out new editions as new attacks and technology come out?
Guest1258 has entered the room (hostname: XXX.XXX.XXX.XXX)
Guest1258 Quit (Guest1258)
Internet connection having trouble. Attempting to clear it up. Please wait
Signing on with nickname Simo
Internet connection trouble has been cleared up
This room is recording transcripts
Welcome to the Internet/Network Security Chat Session with the authors of Hacking Exposed. George Kurtz will be joining us from 8pm to
9pm and Stuart McClure will join us from 9pm to 10pm.
If you have any questions to ask these gentleman just have them ready. I am going to allow open dialogue, but I ask that you please take
turns and not flood our guests with 100 questions at once.
<netsecurityadm> I only read the first edition cover to cover. The other editions I mainly read the updates and tend to use it more as a
reference than a novel
Internet connection having trouble. Attempting to clear it up. Please wait
Signing on with nickname Simo
Internet connection trouble has been cleared up
This room is recording transcripts
Welcome to the Internet/Network Security Chat Session with the authors of Hacking Exposed. George Kurtz will be joining us from 8pm to
9pm and Stuart McClure will join us from 9pm to 10pm.
If you have any questions to ask these gentleman just have them ready. I am going to allow open dialogue, but I ask that you please take
turns and not flood our guests with 100 questions at once.
<HE_Real_McClure> Either Web hacking book would do. The "Web Hacking" book from Addison is more like case studies of hacking. And
the HE-Web App book is more like an encylopedia like the prior HE books... Just depends.
<netsecurityadm> We talked earlier with Mr. Kurtz about knowledge and proper configuration being more important than the platform or
application...
<netsecurityadm> but would you recommend one operating system or web server over another? Windows over Linux? IIS over Apache?
<HE_Real_McClure> Education is definitely everyone's best weapon. I always say that no product is secure. There are only degrees of
security and it usually depends on the person setting it up. I can harden a Windows system and Linux system equally strong...
<netsecurityadm> How did you first get involved in information security?
<HE_Real_McClure> I first got involved in security back in college, around 1988. I was an administrator for a number of UNIX systems and
was often asked to understand what security weaknesses I could find.
<netsecurityadm> Do you have a programming background? Did you write or help to write the tools and software at Foundstone?
<HE_Real_McClure> I programmed in college and for a number of years after that. I have not been involved in programming for years though.
We have much smarter programmers than me now at Foundstone. I wrote a number of automated scripting tools that automated our pen
test exercises but that is the last time I did any programming...
<netsecurityadm> Do you feel that security certifications are important? Would you recommend one over another?
<HE_Real_McClure> Ceritifications like CISA and CISSP are good to separate you from the crowd, but it doesn't prove too much. I like
experience over certifications but that is just me. What training classes have you all taken recently?
<netsecurityadm> I haven't taken any classes recently- the company has zero budget for training and I can't personally afford the price tag of
most courses
<HE_Real_McClure> But if you do want to get certified I recommend CISSP over any of them...
<netsecurityadm> I mainly read and teach myself as much as I can. I have CISSP, MCSE2k, MCSA and A+. I agree though that they are just
letters and that being certified doesn't prove you know more
<netsecurityadm> I have become particularly interested in incident handling and forensics though and may pursue the SANS GIAC
certifications for those specialties
<HE_Real_McClure> For those that have limited budgets, the book is probably your best bet. Try and get some test systems to test your
skills... I think certifications definitely demonstrates a person's seriousness in performing this type of work and definitely sets them apart...
<netsecurityadm> how long did it take the 3 of you to write the book and get it published from the time you started?
<HE_Real_McClure> Incident Response and Forensics is definitely a growing field, esp. in the government...
<HE_Real_McClure> I pitched the first TOC to IDG Books (Dummies series) while working at Infoworld, then after they turned us down twice,
we turned to Osborne. They first turned us down then came back to us later. While we had officially been writing the book for more than a
year before we got a contract, once the contract was signed it took about 4-5 months to deliver the whole book.
<netsecurityadm> What antivirus software do you use for your personal computer?
<HE_Real_McClure> I don't use any antivirus software. I really never have unless it was forced upon me at a prior job. I just harden my
system, and follow simple rules of email usage to practically eliminate the risk of viruses...
<netsecurityadm> Interesting. I have stated many times that patching is more important than antivirus
<netsecurityadm> the recent BIG viruses- CodeRed, Nimda, SQL Slammer- all took advantage of flaws for which patches were available for
months
<netsecurityadm> If users would just have stayed current on patching those viruses would have fizzled instead of crippling the Internet
<HE_Real_McClure> Agreed 100%. If you have to expend energy, patching regularly will do more than anything...
Christina Quit (Web Browser left the chat web page)
<netsecurityadm> I saw that the Organization for Internet Safety released the draft of the Security Vulnerability Reporting and Response
Process
<netsecurityadm> Foundstone was a founding member of the OIS- did you have any input into this document?
<HE_Real_McClure> We are loosely involved in those efforts and definitely had some input on the document's content. Despite all the hype,
the groups efforts legitimately attempt to define a common set of rules that vendors and research can follow to accomplish the ultimate
goal: making systems secure...
<netsecurityadm> For those who want to check it out, you can go this site 12http://www.oisafety.org/about.html
<netsecurityadm> It is open for comment until July 7, 2003
<netsecurityadm> Do you think that the federal DMCA law and the state-level super-DMCA laws in some states are hindering legitimate
security research?
<HE_Real_McClure> As a general rule, I think that the risk of security research hindering is outweighed by the deterrant of DMCA. I don't think
we need to be able to decompile applications to find security weaknesses. We just need to educate vendors, their programmers and
architects, to build applications securely...
<netsecurityadm> We are coming to the end of our time- any last questions from the audience?
<Simo> im fine
<Simo> just been listening
<netsecurityadm> Well, I want to thank both George Kurtz and Stuart McClure once again for taking time out of their busy schedules to spend
with us
<Charlie> no thankyou, it has been interesting and I would like to see more forums like this
<netsecurityadm> I have enjoyed the chat.
<Charlie> will come better prepared next time
<Simo> i have HE 3rd edition
<HE_Real_McClure> Thanks everyone! Stay secure...
<Simo> ;-)
<netsecurityadm> Stuart and George- I look forward to speaking to you and / or working with you in the future. If you are ever in Michigan for
any reason let me know
Guest503 Quit (Web Browser left the chat web page)
<HE_Real_McClure> Definitely! Thanks again!

[tonybradley]

I want to thank Simo for attending and for posting the transcript so quickly for the group.

I have posted the transcript on my site and color coded the entries so it is easier to follow who is "talking" at any given time. You can view the chat session transcripts by visiting this link: Hacking Exposed Chat Session

Enjoy!

[b0$$y]

Thanks for posting the transcript!!!!!!!!!!!!!!!!!!

[tonybradley]

netsecurityadm is sending me a free copy of hacking exposed 4th!

I thought we decided on Hacking Web Applications Exposed? If you want Hacking Exposed - 4th Edition instead let me know ASAP.

Just FYI- I asked to have it sent directly to you instead of coming to me first so that it can get there before you leave. They said they would rush it and you should have it within the next few days.

[MrLinus]

Hey .. if he doesn't want the Web Applications.. I'm sure I can find a space on my book list..

[lumpyporridge]

No nitty gritty in the interview? I ws hopen for a question about the toolz folder ? (see recent foundstone scandal if ya don't know what i am talkin about)

[b0$$y]

Sorry to interrupt - I was just thanking the correct parties for posting the info about the transcript - getting alot of email - straight up.... wanted to read it....

[tonybradley]

To be honest I considered asking those questions- delving into the allegations against them regarding software piracy.

However, I know that they would not be able to answer and would be evasive whether they are "guilty" or not. Because the case is pending they really wouldn't be at liberty to discuss any aspect of it or confirm or deny the accusations.

I also did not want the session to become adversarial. I was hoping for some more detailed questions about information security and about the tools and techniques in the book, but the audience seemed more novice and did not come prepared with any particular questions to ask.

Had someone ELSE broached the subject of the software piracy allegations I would have been interested to see where the conversation may have gone- but like I said I would be willing to bet that their lawyers won't let them say much more than "I am not at liberty to comment on that at this time."

[Simo]

Originally posted here by tonybradley


I thought we decided on Hacking Web Applications Exposed? If you want Hacking Exposed - 4th Edition instead let me know ASAP.

Just FYI- I asked to have it sent directly to you instead of coming to me first so that it can get there before you leave. They said they would rush it and you should have it within the next few days.

DOH! i meant to send me the web applications exposed book please heh sorry

[tonybradley]

Simo- Did you get the Hacking Web Applications Exposed yet?

They sent the other book to me express via DHL and it arrived yesterday. So, if you didn't get yours you should get it soon.

When do you leave?