Posts tagged interview

Tips on Malware Analysis from Jake Williams


I had the pleasure of speaking with Jake Williams, my colleague at SANS Institute, about his perspective on various malware analysis and reverse-engineering topics. You can read the interview in three parts:

  • Part 1: Getting into digital forensics, crafting strong malware analysis reports and making use of the analyst’s findings
  • Part 2: Acting upon the malware analyst’s findings and the role of indicators of compromise (IOCs) in the incident response effort
  • Part 3: Various approaches to malware analysis, including behavioral, dynamic, static and memory forensics

Jake is highly experienced in this space and shared helpful insights in the interview above. Jake will be teaching FOR610: Reverse-Engineering Malware on several occasions at SANS this year.

Lenny Zeltser

Tips for Getting the Right IT Job - New Cheat Sheet


I published a new cheat sheet, this one offering practical tips for finding and getting the right job in Information Technology, with a slant towards information security. You can view the contents on the web or print them as a 1-page PDF file.

This cheat sheet covers the following topics:

  • What to do before you start looking for a job
  • How to use social networking as an ongoing part of your career
  • Steps towards finding the IT position worth pursuing
  • Advice on crafting and polishing your resume
  • Tips for negotiating a favorable compensation package

If you have comments or tips related to getting the right IT job, please leave a comment or drop me a note.

Lenny Zeltser

Getting to Know Larry Seltzer (Not Lenny Zeltser)

Larry Seltzer is a well-known author whose writing in recent years has focused on IT and information security. He has been a regular contributor to PC Magazine, eWEEK and other publications, and is now writing the PCMag Security Watch column. People sometimes confuse Larry and me because our full names are surprisingly similar. So I thought it would be fun to get to know Larry a little better by asking him a few questions on my blog.

Lenny: How did you start writing about security? Why was it interesting to you?

Larry:

I was actually involved in testing anti-virus products back in the late ’80s at NSTL, where I was in charge of contract testing. I dealt with some security issues at PC Week (which later became eWEEK) and PCMag, where I was Technical Director in the Labs, but it wasn’t a full-time thing. I had been freelance writing and testing dev tools and system software for a while when, in 2003, I was invited to write about security twice a week for eWEEK.

The idea of having to put a column together twice a week on the same topic was scary for a while, but I quickly realized that security is an endless fount of news and issues. (Here’s an archive of my columns from eWEEK.) In the beginning, just reading Bugtraq and Full-Disclosure was enough to keep me busy. Now I have security vendors pestering me all day with story pitches.

The endless potential for research and writing was one reason it was interesting, but another was how, even as security becomes a more important and more central issue, it’s also such an aggravating waste of money and time. Security is like marketing; it’s necessary and, when done well, makes a company more successful, but it doesn’t in itself produce anything useful. This is why so many companies didn’t take it seriously enough for so long.

Lenny: What is the favorite security story or topic you had the opportunity to cover?

Larry:

What comes to mind is what later came to be called “domain front-running” (this is arguably not a security story, but I think of it as one). A reader found that she had used a domain lookup form on CNet that offered registration and hosting numbers from a group of sponsors. Two days later she went to buy the domain and it was taken. I did some testing and found out she was right. I looked up a bunch of available domains, including “lickmynose.com.” A couple of days later lickmynose.com was owned by “Chesterton Holdings”.

To make a long story a little shorter, I never found out exactly how they were doing it. There were a number of possibilities, including an inside job (someone at one of the hosting services was forwarding requests to these guys).

It got really interesting when I found that what I was calling “whois hijacking” and what ICANN later called “front-running” (inspired by a stock scam) was only done in pursuit of another scheme called domain tasting. Certain registrars and outside companies abused a hole in the registration system called the AGP or Add Grace Period to register large numbers of domains, throw monetized PPC ads on them, and delete the registration after a few days. All registrar and ICANN fees were refunded if you deleted the registration within 5 days, but in the meantime you got ad money off them. Of course, the better the domain name, the better the ads will do, so Chesterton Holdings was cherry-picking from the lookups they were pilfering.

Through changes in domain registration practices that removed the economic incentive, ICANN eventually did away with both practices. I’m positive I was the first to write about front-running, but ICANN never cited me in their reports on it.

Lenny: What approaches do you use to keep up with the security industry?

Larry:

By now I’m well-known enough that I could be busy all day just using incoming pitches, but it wouldn’t be a good way to go about it. I still read F-D, funsec and a couple of other mailing lists, but the real action today is on blogs. I have 170 subscriptions in my RSS reader and I bet about half of them are security-related. For a while I was also on Twitter all the time, and things happen even faster there, but it became impossible. Twitter is largely write-only for me now.

Lenny: What are your current topics of interest related to security?

Larry:

I’ve been writing a lot lately on SSL/TLS and related issues for VeriSign (the part that’s now owned by Symantec), so I’ve gotten a lot of mileage out of Firesheep. Once again it’s not exactly security, but I’ve been following the impending (and by that I mean real soon) end of availability in the IPv4 address space. I also found Stuxnet fascinating and I’ve written about it a lot (including for VeriSign because of the code signing angle). I think there’s been a lot of cheap analysis of Stuxnet. Fundamentally it does nothing we didn’t know could be done before; it’s just a really high-quality attack, the type very few could succeed in perpetrating. It’s not a game changer at all.

Larry, thank you for agreeing to be interviewed here. I’m glad for the opportunity to get to know you a little better!

Lenny Zeltser