Research on The World Wide Web Consortium

In my CIS 136 class, I was asked to perform research on one of three sites. I chose to research the World Wide web Consortium (w3).

The W3C site contains alot of information for any new web programmers looking to learn more about coding.There is also alot there for the seasoned coder that is wanting to watch for new trends that will be coming to the web.

Under the Technical Reports link, you will find links to new recommendations, proposed recommendations and candidate recommendations. All of these are projects that various organizations are working on to help make the web an even better place to work and play. This includes new protocols, development standards from everything to graphics to new mobile technology.

There are also working groups out here that anyone can sign up and join. Of course, you should make sure that you have the proper skills needed to support this group. There are many cool projects out here including mobile web initiative, Privacy and of course security. l33t.

This site is a great place for all web developers, from the n00b to the old skol to go and learn new stuff about web technology. Please take a moment to check out the link in this post. 

Thanks,

xs 

Great resource for learning more about web development

I found a really cool site that will help anyone who wants to learn more about web site development. This site contains some really great examples and tutorials. I spent some time here just going over the site and looking at the code. 

This site layout is very cool and easy to use because of how everything is designed. All of the links on the right hand site of the site catagorize everything for you. I like that kind of site where all the data is presented and I just go where I want to within the page.

There is alot out here, so I am going to stop writting and start reading. I hope this will help all of you with building your developer skills. Enjoy.

link:

http://www.putertutor.net/

XS 

OWASP - Open Web Application Security Project

The OWASP project is a community of security people that have come together to discuss and help improve web application security. This site has been one of my favorites since I discovered it about 3 years ago. There is a ton of useful knowledge here for anyone who is involved with either developing web applications or responsible for auditing and testing the secuirty.

As I have been working in application security I am seeing more and more people who know about the OWASP project or who are working with the group.

One thing I really like about the OWASP is that local chapters ahve been established and they meet monthly to discuss and present on security. If you are looking for a cheap way to learn more about web application security, this is a cheap solution.

Check this site out.

http://www.owasp.org/index.php/Main_Page

Enjoy,

XS

New Year means new updates to this page...

Nothing like a little XSS to start my headline with. hehe... just kidding.

OK... so it has been sometime since I have been out hear updating this site. That does not mean I have forgotten about it. So what has been going on int he past year plus of my life?

Well, for starters I have been involved pretty heavily in the Day-con hacker convention. This convention, which is run my Meshco has allowed me to really mingle and meet some excellent security researchers and hackers. This con in particular has helped me stay motivated to work and learn as much as I can about computers. Not just about security per say, but about programming, architecture, communication protocls, networking and yes... hacking.

I attended Shmoocon last year and had a great time. Many of the local hackers went, along with talent from all over the US. I got to meet and hang out with Chris Hoff, who is an excellent guy and someone who has my deepest respect. Enno Ray and his entire crew from Germany were also at the con.All of which are A-plus guys and engineers. I also got to hang with the DC 949 crew. These guys run the oCTF competition at Def-con. They are just a great group of people and very cool. They also write some pretty sick code. :)

Def-con, was I was expecting a very excellent convention. I went with my lovely wife Renee and we had an excellent time when I was not at the con. This is my favorite con because there is so much hands on stuff to do. Hardware hacking, lock picking village, the oCTF competition, talks, vender room. Plus, it is a great way to meet up with your friends and hang out. Be ready to stay up late, get up early and learn a metric ton.

I am also back in school and working on my degree. Yep... I have finally got back at it and I am very happy to be here. I love learning about computers and in general just learning. I wish I could have been this motivated when I was younger. Oh well. My goal is to finish my 2 year and then work on my BA at Wright State in computer engineering. Yep.. I wanna learn about FPGA programming. :P

So you now have an update on me. I will be posting out here weekly so stay tuned for updates cause they should be pretty cool. I will be posting new code, and several research ideas I am working on.

Later,

XS

d-khan is coming to Dayton

d-khan is coming to Dayton! What is d-khan? D-khan will be the first Infosec\Hacking convention in the Dayton Ohio area and it will be coming in 2007. Yes... I have decided that I need more to do in my life. So, why not start a hacker... err I mean Infosec convention in Dayton.

Every year over the past 3 years I have been attending Blackhat and Defcon in Las Vegas and I have to say that they are very informative and just down right cool. Tons of great people and lotz of hackers talking about there uder cool haxor skillz. OK... it is really a bunch of nerds that wanna be cool. But, I like that kind of stuff and I think we need this in Dayton.

My vision is to see a convention where the local hackers and Infosec practitioners who do not get to go to Vegas can show up for two days and have fun. There will be talk tracks, a CTF contest, a dealer room with t-shirts and old crappy computer parts... and oh yeah lots of girls whole like nerds. :)

It is my hope that d-khan will be something that I can give back to the Infosec community of Dayton. Something that will bring all of the haxors, Infosec managers and firewall jockies together for 2 days and let them all share and learn together.

Only by understanding our enemy can we learn to best him. In this case, the "enemy" is the hacker on the Internet looking to pwn your site. Learn the techniques that are used to take down a network, and then you can apply these to your site and fix the issues that can lead to compromise.

So...d-khan is coming to town. Are you ready for it?

XS

Old scene is getting new blood

So, I have been attending the local 2600 meetings in an effort to meet new people and get a feel for the local community. There are actually some really good security people out here. They are doing great research and are just cool people.

I have also organized a meet and drink after the 2600 meeting at the Foundry nightclub. Last week we had 6 people show up and just hang out. We all broke out the laptops and spent alot of time just snooping for local wireless connections and sharing stories.

The talk also turned to starting a packet wars club in the Dayton area. Everyone is really interested in setting up a packet wars competition and putting our skills to the test. Angus, our fearless leader has stated that he would be very interested in starting the packet wars, but he wants to look into getting sponsors for our events. I say, let's get started and then get the money after the fact.

I have also found my hacker name. It seams that all cool hackers have some sort of name like pixel or sokket or something cool. I wanted my hacker name to kinda sum up who I was as a person. So, from this point forward, I will be know as "xs" in the hacker community. Simple and sweet. Why xs? Because it seems like everything I do is done to excess. Thus the name "xs".

Later

Store Wars

This is just to funny. If you are a fan of Star Wars, then you will get a kick out of this:

http://www.storewars.org/flash/index.html

Enjoy.

madnos

A long time ago... I posted on this site

OK... I got a little lazy. :)

I had a little bit of work pile up around the office and I had to focus on my duty, but I am back.

I want to let the world know that I have several upcoming articles that I will be posting. One is on developing a risk assessment solution that not only evaluates technical risk, but it also reviews operational risk.

Next, I will be updating everyone on what it takes to sniff traffic from a Cisco switch. This will include, at a high level, what you need to look for as a security professional to prevent this from happening. Very leet paper!

Then, I am going to give a brief overview on UNIX shell scripting and how they can help you during an audit of your systems. I will be including several examples of scripts that I have wrote and use on systems I review.

I have also been reading like a geek in heat and I have several books that I will be recommending to new ubergeeks out there that want to learn more about hacking, but were afraid to ask.

So, stay tuned because these articles will be online over the next few days.

madnos

Least we forget layer 2

Hello everyone,

Over the past few months, I have been working on auditing a large Cisco network. It has been very slow process due to the size of this infrastructure and the amount of appliances I need to review. I also wanted to make sure that the network review included a complete review of the layer 2 devices.

Now, I love my job but it is impossible to have a deep understanding of everything that is networking. My layer 2 auditing experience definitely needed some improvement. So, I used this time as a chance for me to improve a skill area that was lacking.

I have been looking all over the internet for sources of information on Cisco switch security settings and have had good luck in finding loads of information on the subject. The problem is that it is generally scattered all over the place. Cisco's website had quit a bit of the information but you really needed to be direct with your searches.

While I was searching the web, I keep thinking about the FBI's Cisco router security guide. I mean they wrote a book on locking down routers, but they forgot the switches.

So, I decided to compile the documentation I discovered in one location. Yes, you guessed it, it will sit here on my site.

Now, I am not taking credit for this work. All I am doing is compiling a list of links and documents together that deal with layer 2/3 switch security on my site.

Also, I will be posting my switch auditing process so that all you admins out here can use my framework to audit your infrastructures. I am such a nice guy. hehe

Cisco routers are always the hot topic when we talk about network security. It seems like most system admins and network security engineers forget about the layer 2 devices. Why? The switches can be a great way to recon a network or used as an avenue of attack. I mean, they touch all of data on the network at one time or another.

The goal of my paper is to help all of the admins out there understand the attacks that can effect you layer2/3 switches and how you can lock them down. I will include the IOS and CatOS commands for you.

This paper will be a living document and will change from time to time, so be sure to check back for updates. I will also include a list of tools hackers can use to attack your switches and (hopefully) screen shots of the tools in action. I will also try to post the source of Perl scripts that help me in my auditing of layer2/3 devices.

Please use this info responsibly. I am posting to help admins out here audit there networks. Use this info at your own risk.

madnos

Dark side of the force very weak in Dayton

OK. First let me say that the art of Hacking (and I believe it is truly an art form) interests me. I read as many online and print publications on the subject that I can get my hands on. The Ed Skoudis book "Counter Hack" is an excellent resource for someone who wants to learn how to attack a network.

With that being said I also believe that there is a time and a place for this to be done. I recently went to the Dayton 2600 meeting. 2600 is a printed publication that deals with hacking, phone phreaking, lock picking and just about any other topic under the sun. It can be purchased at Barnes and Nobles for around $5 dollars. There are local chapters of 2600 groups in almost every major city in the US. They meet once a month and "discuss" hacker issues (mostly they just drink beer, and geek out).

The meeting place in Dayton is the Marion's pizza by the Dayton Mall. When I arrived, I found very few people where there. When the group did arrive, I found that I was surrounded by teenage kids and a few middle age misfits (including myself). There was no formal topics discussed and talks ranged from new game systems, to digital cable boxes. The one thing I found is that the group was very disorganized and lacked leadership.

This is actually a good thing for the Dayton community. I mean, hear we have the core of the Dayton hacking underground and most of them have no real direction in life. If they had someone to step in and take control and provide direction and order, this group could do great things. By that I mean that they could help each other by sharing there knowledge, teaching each other vital skills that will be needed in the work force and also providing a social outlet for these people.

You can also turn the tables and say that if someone stepped in and turned them out against companies in the area, infosec people could be in trouble. Fortunately for local companies, these people lacked real direction and motivation to even try to hack into companies. It also appears that, in the event that they did attack someone, they would go after the "low hanging fruit" (i.e. unsecured wireless networks).

I brought up my training ground idea and did get positive feedback from the group. But, again the lack of leadership and motivation stiffled this group. Also, there was talk of setting up Daycon and having 2 or 3 days of hacking competitions like capture the flag, wireless hacking and infosec presentations. The idea needs someone to run with it and turn it into a reality. Stay tuned for more info on Daycon.

So, to rate this group I would rate them a 5 out of 10. This was a first impression and I will go to a few more meetings to gather more data on this group. I will post all my findings here, so stay tuned.

Dagobah training grounds

I have been building a lab in my basement that I want to use to test my hacking skills. I recently setup a Windows NT 4.0 server. This baby is a PDC and will be running DHCP, DNS and any other services that I feel most people turn on by default. I also have a Redhat Linux web server, a Redhat laptop, a Knoppix 3.3 station that will be attacker #1, a Windows 98 client. I plan on deploying a Windows 2000 server and a Citrix metaframe box, a Solaris SPARC 5 workstation that will run Solaris 9 and a wireless AP (vendor unknown but something cheap).

Hacking is not a sin people. However, hacking into a company that does not authorize you to do so is a crime! If you do not have permission to hack, then DON'T DO IT! This is where most hackers go wrong and end up in jail. Even gathering data through an open wireless connection is an illegal wiretap and can get you thrown in jail.

If you want to learn how to hack, buy some cheap @ss hardware and setup a lab. Most of the gear I am using is old P2 systems with 64 megs of ram. These machines are going very cheap on EBay. If you are local, TJC computers usually carries cheap systems that are low cost. They also have SPARC gear if you are interested in Unix.

So, please go out there and hack your lab. Blow it up till Windows spews forth many blue screens of death. Ignite the flames of your imagination and write many papers on your findings and share them with the infosec community. But be warned, blackhat hacking is like the Dark side of the force. Once you go down this road, there is no going back, and the Jedi council WILL find you.

May the force be with you.

Wri-Ti woann

Try this site out to build your Jedi name.

http://www.wilcoxusa.net/saber/swname.htm