Just a quick listing of some secure USB drives that use hardware encryption and are recommended:
mtrust mdrive 500
kingston data traveler elite – privacy edition
verbatim store’n go corporate – secure
This link has a number of good pages and pieces of information on cracking WEP and other wireless fun.
Every now and then the SANS Handler Diary offers up some nice information. They just threw out this list of switch features that many people never know to use, and I thought it was a nice rundown to use at a later date, especially if my two switches include all of this stuff.
If one must absolutely use passwords with Windows (not sure why anymore) and not pass phrases, and the password needs to be highly secure, you don’t get much better than using non-printable characters. Both of these posts go into detail on using non-printable characters to thwart most password cracking tools.
Microsoft, of course, even weighs in on their password suggestions.
Quite an ingenious, simple little method to hide files on an NTFS disk: alternate data streams. This article on Security Focus makes it look a little more difficult than it is, due to the author going through the effort of describing breaking into a machine to set an ADS on a few hidden files. LNS and LADS are two tools to scan a disk for ADS…although they are certainly not swift in their scans.
Update: An ADS tutorial from STC
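A scan for alternate data streams can also be done with PowerShell's built-in `-Stream` parameter. This is an added example, not taken from the linked article or from LNS/LADS; the function name `Find-AlternateDataStream`, the demo file names and the choice to ignore `Zone.Identifier` are assumptions made for illustration.

```powershell
# Added example: list NTFS alternate data streams (ADS) under a directory.
# Assumes Windows PowerShell 3.0 or later and an NTFS volume.
function Find-AlternateDataStream {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Zone.Identifier is the stream Windows attaches to downloaded files;
        # it is ignored by default so the report shows only unexpected streams.
        [string[]] $IgnoreStream = @('Zone.Identifier')
    )
    # -Force includes hidden and system files; -File limits the scan to files.
    Get-ChildItem -LiteralPath $Path -File -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            # -Stream * returns one object per stream, including the default ':$DATA'.
            Get-Item -LiteralPath $_.FullName -Stream * -ErrorAction SilentlyContinue
        } |
        Where-Object { $_.Stream -ne ':$DATA' -and $IgnoreStream -notcontains $_.Stream } |
        Select-Object @{ n = 'File'; e = { $_.FileName } }, Stream, Length
}

# Constructed sample: a temp directory holding one file with a named stream.
$demo = Join-Path $env:TEMP ("ads-demo-" + [guid]::NewGuid())
New-Item -ItemType Directory -Path $demo | Out-Null
$file = Join-Path $demo 'report.txt'
Set-Content -LiteralPath $file -Value 'visible contents'
Set-Content -LiteralPath $file -Stream 'notes' -Value 'data held in a named stream'

# A normal listing reports only the size of the default stream ...
Get-ChildItem -LiteralPath $demo | Select-Object Name, Length

# ... while the scan reports the extra stream and its own length.
Find-AlternateDataStream -Path $demo | Format-Table -AutoSize

# Clean up the constructed sample.
Remove-Item -LiteralPath $demo -Recurse -Force
```

The gap between the two listings is the reason ADS content goes unnoticed in Explorer and `dir`: the file size shown covers only the default stream.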
A post over at SecurityFocus went over Microsoft Office forensics and some things to do to enhance security, most notably privacy. Because Office is so universally used, I’ve found that many people, techie and non-techie both, want to put their heads in the sand about issues with Office. They just don’t want to hear about the issues, even as malicious persons have begun poking at the apps and more and more data is disclosed on the web and search engines.
I’ve long wanted a concise and listed set of items to check on and change when dealing with metadata in MS Office Word documents. Now I have it!
Update: Here is another link dealing with pesky lingering Office data that shouldn’t be there.
The folks at F-Secure put up this series of exercises in reverse engineering and called it a khallenge. Sounds like a fun way to get into reverse engineering a bit, someday. If I get stumped, might be able to find some hints around this blog.
So, when I get around to testing my Linux firewall, I can use ftester along with this “how to” guide.
Not sure on the quality of this content, but this site has some modules up about their training in infosec assurance and assessments. I’ll take this down if this proves to be useless fluff.
I need to check this out sometime. The packet challenge at SANS is not a regular thing, I think, but could still make for an interesting exercise for me. Bejtlich posted a couple links to answers here and here.
You can search for malware using Google, right down to infected sites inadvertently sharing out malware code (executables). Damn cool stuff, and damn cool site. Search for “Bagle” for a good example.
Tutorial on how to crack WEP using Ubuntu.
It is interesting to see the trend of what is hot in security and networking and sysadminness. The turn of the millennium brought in virtualization, and a few years ago Metasploit broke onto the scene in a big way. Wireless and mobility have been amazingly hot in the last 6 years as well. And now that web apps are being developed by everyone, web app testing and security is catching up. In all of this, I thought it would be nice to keep track, for my own purposes, of the hot topics at periodic times of the year just to see where things are moving and shaking.
1. web application / layer 7 security / fuzzing – driven by a huge focus in the past 8 months on MS Office vulnerabilities and browser exploits.
2. mobility – driven by laptops being used and lost in the field, prompting a huge number of disclosures of lost information that questionably should not have been outside the corporate/gov’t environments anyway.
3. disclosure and identity theft – Just about everyone has been joining the disclosure bandwagon whether they like it or not, from the VA, Deloitte and Touche, and many universities (poor edu’s will always have a tough open vs secure battle). This will only get worse and hopefully soon the media stops waving each one that happens.
5. botnets and ddos – Blue Security wanted to beat spammers by spamming them. Instead, Blue Security got DDoSed so hard, they are now out of business and have thrown in the towel. Botnets have been widely reported in the past couple years, but they still seem to grow and remain huge and potent.
4. wireless – wireless is just waiting to blow up, with hotspots getting more common and big companies with secret plans on widespread wireless for the masses. Since wireless is still hugely exploitable and fun to mess with, this is just waiting for a huge backlash and a huge outbreak in personal systems being exploited over wireless. Home users haven’t been this vulnerable to being rooted since NAT was hardly used on broadband connections. This is an area that is also just waiting to explode with use and companies and widespread access.
Mentions and tools: Metasploit is still hot and HD Moore is one of the biggest names in security right now; virtualization is still hot; Office and IE are getting hammered with exploits which is keeping Microsoft very busy; LiveCDs are all over the place now, joining the awesome Knoppix (BackTrack owns).
This presentation on wireless injections was given in June 2005 at RECON. PowerPoints without presentations tend to be pretty barren in terms of being able to get the gist of what the speaker is trying to say, but might be ok to check out someday.
Sometimes you just need to inject some “security awareness” points into your training program. “Protect Your Workplace” posters from the federal government are an inexpensive and easy way to start.
And search this page for the security calendar.