Friday, December 23, 2005
Enough of my rambling...it is the Friday before Christmas and campus is dead. Time to go home and work from the comfort of my couch.
Tuesday, December 20, 2005
I was planning on getting this list out last week but never bothered to sit in front of my desktop to look at the iTunes podcast subscriptions since I post to my blog from my PowerBook. So, here it goes. They are in alphabetical order thanks to iTunes. I will post my opinions and descriptions with each one. Note: This list and the links took quite a while to put together. I hope you find it useful. Disregard misspellings and such because it is late!
- A Day in the Life of an Information Security Investigator
- This is a fun and informative listen. It is based on the Chief's blog. The Chief, aka Security Monkey, talks about his cases as a security investigator, answers questions from his monkey (blog readers) and allows his right-hand man, Scrap, to rant. Definitely one of my favorites.
- This is a podcast novel by Scott Sigler who releases a new chapter/episode every week. Another one of my top favorites. I really look forward to listening every Mon as the story unfolds. If you don't mind some blood, gore and explicit language, check it out!
- Blue Box: The VoIP Security Podcast
- I had to catch up as I came into listening around the 8th episode. It is a good podcast about VoIP issues, current trends, new products and topics from the VOIPSA mailing list.
- I enjoy just about every episode. I find myself laughing out loud while walking around campus or having lunch in the breakroom. Kevin and Alex talk about the top "dug" stories from the site Digg.com. They provide adolescent humor the entire time, making me wonder why I like it so much, but I think it just reinforces why I like it so darn much. The comic relief makes it one of my top favorites.
- EarthCore: A Podcast Novel
- This is the first podcast novel ever and Scott Sigler did a great job. I was always looking forward to the new episodes. It has ended and even become published because of the huge fan base. You can catch up on all the episodes as they are still online. This ranks in my top favorites. Plenty of blood, gore and explicit language.
- ITC: Security
- I keep this in my iTunes list in hopes that good stuff will come around again. There have been three really good ones that I have saved and sometimes relisten to. Most suck. The chick who runs the "security university," or whatever it is called, is a moron and conducts awful interviews. Check out the ones with Ron Gula and Dan Geer. I also have Bruce Schneier's in my list under ITC but can't remember if it was really that good.
- Martin McKeay
- Martin is a CISSP with a pretty good blog. He is focused quite a bit on the Payment Card Industry (PCI) regulations and has some good insight into it. I enjoy his blog and podcast but wish he would fix it so I could subscribe via iTunes. As he gets more into podcasting and decides more on a structure for the shows, I could see this as possibly becoming a favorite.
- Mighty Seek: WebAppSecurity
- There have only been a handful of episodes but they were pretty good regarding web application security. The host gets on his soapbox a bit but he has intelligent arguments. I hope to hear more good stuff from this one.
- I started listening to a couple of these after I had begun downloading them for my wife. At the time, she was pregnant and I was able to use some of the things I learned from the podcast to immediately help her through the pregnancy. It has been a couple of months since I listened to any of them but keep them around for her and the chance I might be interested again.
- Network Computing | Security Channel
- I subscribed to this because it is done by a friend of mine. I have only listened to about 4-5 of them and enjoyed a couple. The ones that include interviews are usually the best ones. If you are of limited time and get bored easily, you might want to pass over this one. I do expect it to get better, but it isn't there yet.
- NotParanoia Podcasts
- I'm not sure I have made it through a full episode yet. The hosts are in Australia and England making the sound quality pretty shoddy. I keep it in my list so that one day I will go back and give it another chance. Maybe the newer ones have gotten better. YMMV.
- NPR: 7AM ET News Summary
- I am not a world news, or even a local news, nut. If the news doesn't come in a security related e-mail, I don't usually know about it. This is my weak attempt at knowing what is going on in the world.
- PaulDotCom Security Weekly
- This is a pretty decent podcast. I do get a little tired of the guys rehashing current security issues but it is fun to listen to their ideas. They tend to be goofy when referring to putting on their White/Gray/Black hats when discussing issues but I have hope that they will continue to refine their podcast.
- This is by two guys that work for McAfee. It is pretty good. They don't evangelize their products as much as you might think. McAfee product coverage is minimal with only talking about new releases or bugs. The rest of the time is spent on a topic of the week or month and current "notable" vulnerabilities. Not a favorite but it has potential.
- Security Catalyst
- This is a great podcast. Michael is a Lead CISSP Instructor who speaks and trains professionally. He has good insight into security topics, does not focus on current issues (thankfully) and has grand plans for his podcast. He is currently looking for a co-host and has an "editorial board" to help plan the episodes. Michael certainly puts a lot of time and effort into his podcast. I enjoy this one quite a bit and expect it to become a top favorite.
- Security Now!
- Ugh...I'm not sure why I keep this around. Steve Gibson is a smart guy but sometimes sounds like he needs to switch to decaf 'cause he gets talking so fast that he says the wrong thing. Now, I am sure it is simply because he is overexcited and confuses himself. But then again, maybe it is the fact that Leo Laporte is a computer security ID10T. Seriously, Leo is security stupid. It hurts me to listen sometimes. I don't think I have ever listened to a full episode out of boredom or disgust. I think I just keep it around for pure masochistic joy.
- This is a video podcast of which I have only watched one episode, but I plan on going back and watching more. I have an iPod Photo, so watching it requires me to sit in front of my desktop, which I don't do much anymore thanks to my PowerBook. This one has some definite potential as long as Kevin Rose doesn't try to act too much like a "hacker."
Monday, December 19, 2005
Did you get the message? Neither did I. Helix is an awesome Linux bootable CD for incident response and forensics. On top of being a great bootable CD, it has an excellent Windows incident response side to it. Sort of a Dr Jekyll and Mr Hyde type of thing. It is bizarre to me that such a nice update didn't get any fanfare. The Helix site doesn't even state that 1.7 is available. The forum mentions it and the changelog is updated, but the page doesn't state the version or an updated file hash.
Some of the highlights of the update include both Linux and Windows features. On the Linux side: a 2.6.14 kernel, updated tools like Autopsy, Sleuthkit, Firefox and dcfldd, and new tools like the EnCase Linen Utility, tcpxtract and hfsplus for Mac drives. On the Windows side: a new GUI, log files saved as PDF, updated tools like WFT and FRED, and new tools such as IRCR, Forensic Server Project and FTK Imager.
Definitely check out Helix when you have time. It is worth your time if you do any sort of Incident Response or Forensics. One beef I have with Helix is the GUI under Windows. I posted a message in the forum to see if Drew would modify Helix's behavior to open a CMD prompt first and then let the user choose to run the GUI if they want. Why? The GUI loads into RAM and could potentially overwrite important evidence. I recommend going straight to a CMD prompt, providing some scripts for imaging memory and local drives, and then letting users go into a GUI for more in-depth analysis...but that is just my 2 cents. Take it for a spin and decide for yourself.
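An added example, not code from the original post or from Helix itself: a small POSIX shell helper for the "CMD prompt first, scripted imaging" workflow described above. It assumes dd and sha256sum are available on the response media, takes a source device (or, for testing, an ordinary file), writes a verified image to a separate collection volume and appends a record to an acquisition log; the function and path names are my own.

```shell
#!/bin/sh
# acquire_image SRC DST LOG
#   Images SRC to DST with dd, hashes both, and appends a timestamped record
#   to LOG. Returns 0 only when the source and image hashes match.
# Assumptions (mine, not the post's): dd and sha256sum exist; DST is on an
# already-mounted collection volume, never on the evidence disk itself.
# Order of volatility: capture memory before calling this for local drives,
# since anything resident in RAM is lost once the box is powered down.

acquire_image() {
    src="$1"; dst="$2"; log="$3"

    [ -r "$src" ] || { echo "cannot read source: $src" >&2; return 2; }
    # Never clobber an image that already exists: a second run overwriting
    # evidence silently is worse than a loud failure.
    [ -e "$dst" ] && { echo "refusing to overwrite existing image: $dst" >&2; return 2; }

    started=$(date -u +%Y-%m-%dT%H:%M:%SZ)

    # bs=512 matches the sector size so conv=sync never pads real data;
    # conv=noerror keeps reading past bad sectors instead of aborting,
    # and sync zero-fills them so every offset in the image stays correct.
    dd if="$src" of="$dst" bs=512 conv=noerror,sync 2>/dev/null || return 1

    src_hash=$(sha256sum "$src" | cut -d' ' -f1)
    dst_hash=$(sha256sum "$dst" | cut -d' ' -f1)
    finished=$(date -u +%Y-%m-%dT%H:%M:%SZ)

    # One record per acquisition: what was taken, when, and whether it verified.
    {
        echo "acquisition start=$started end=$finished"
        echo "  source=$src sha256=$src_hash"
        echo "  image=$dst sha256=$dst_hash"
        if [ "$src_hash" = "$dst_hash" ]; then
            echo "  verify=OK"
        else
            echo "  verify=MISMATCH"
        fi
    } >> "$log"

    [ "$src_hash" = "$dst_hash" ]
}

# Stand-alone usage (paths are placeholders):
#   sh acquire.sh /dev/sda /mnt/collect/sda.dd /mnt/collect/acquisition.log
if [ "$#" -eq 3 ]; then
    acquire_image "$1" "$2" "$3"
fi
```

A source that is not a whole number of 512-byte blocks (an ordinary file, for instance) will be zero-padded by conv=sync and the verify step will report MISMATCH, which is the intended warning rather than a silent pass.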
Friday, December 16, 2005
Do you know what is running on your boxes? Really...are you sure? I was handling an incident today where a machine was compromised through an unnamed database that was running as part of a terminal server application. The whole time I was investigating the compromise I was wondering if they knew the DB was running, and if so, did they think about whether or not it needed to be externally accessible, and did they think that maybe it would need to be updated. Heck, maybe they thought the vendor who was using the DB would be responsible and provide updates to it. Beats me. As an incident handler, I don't always get my hands on the boxen that get 0wN3d. I get to provide the network forensic data proving it was compromised so that the system administrator can deal with it appropriately.
On a related note, the first alpha release of Metasploit came out yesterday. It is now based on the Ruby programming language, which a friend of mine referred to as being as simple as writing pseudocode. I plan on checking it out as it may be applicable to the private hacking challenge I am working on. The whole point of this paragraph is that I was wondering if the release might have been why we saw the DB get exploited today. I haven't bothered checking all the new sploitz included in the alpha release, but I can tell you that last year's big release caused two immediate compromises of servers running the Veritas Backup Exec agent.
That's enough for now. I have to run home to get ready for a party that is an hour and a half away. I know I promised my lists of podcasts today but that will either have to wait until after the party or maybe later this weekend. TGIF!
Thursday, December 15, 2005
We have this little section in our policy that states a system must be rebuilt after it is compromised. In some situations, the rebuild will be at the discretion of the Information Security Manager. Unfortunately, system administrators like to argue about this or simply ignore it when it comes to malware. I have seen computer support technicians work on a spyware/adware infected box for THREE DAYS before finally giving up and rebuilding. Get a freaking clue people!!! The box could have been rebuilt using Ghost, Microsoft ADS or your favorite imaging app in 20 to 60 minutes, yet you wasted 3 days. Holy crap! I seriously wanted to smack some of these people. There are some malware infections that are very simple to alleviate, but others are a real pain and most help desk people are not trained to deal with these types of things. It truly amazes me. I have had things handed to me that were not able to be "cleaned" by the help desk that I solved in 5-10 minutes, yet I spent the next 30 minutes verifying that it wasn't something more sinister. Rootkits are becoming more prevalent and more malware is using a "rootkit" driver to hide its processes, so why not make it easy on yourselves. Spend some time developing a process where you can burn your systems down to a wiped disk, apply an image or slipstreamed OS/app install and be done with it.
Geez...enough ranting. I need to work on my list of updated tools to put on this site but that probably won't happen until next week. I will have my podcast listing up tomorrow.
Wednesday, December 14, 2005
Are there any forensic specialists out there that analyze a machine while it is running at the crime scene before pulling the power? Why am I asking? I was sitting in a presentation this morning by a law enforcement officer who is said to be a court certified computer forensic expert. He stated that a machine should have its power cord unplugged upon seizure. Someone asked about dumping memory and his response was that it was saved in swap space and will be intact. I don't want to get into why this is not true, but I am curious how many people do live analysis before taking down a system. There is lots of juicy info available in memory that will be lost as soon as power is gone. Of course, if you have an idiot in front of the keyboard, more harm than good can be done. For a trained forensic specialist, I think they could get important information from the live system, document EXACTLY what they did and have it hold up in court. Any thoughts??
Tuesday, December 13, 2005
I am seriously considering getting the CISSP. Why? Well, I almost feel like I am missing something by not having it. One of my good friends, whom I respect as a security professional, has had it for a couple of years. There are also two podcasts that I listen to regularly and both individuals are CISSPs. The content of the podcasts is excellent. Specifically, the Security Catalyst is excellent and put on by a CISSP trainer. His insight and topics are very good, much better than most of the podcasts and blogs that I read. Of course, that could be a singular instance and not an example of most CISSPs.
I was at a SANS conference last year where I was hanging out with two really sharp fellows when we weren't in the forensics class. We were having sushi and beer when the topic of CISSP came up. They were shocked that I didn't have it yet when I have more advanced certs already. They equated it to a kind of "foot-in-the-door" cert that recruiters look for when scanning applications. I shrugged it off thinking my more technical certs should outweigh the CISSP, but I am now reconsidering it.
This post is probably more than I want to devote to this topic for now until I talk to a few more friends in the sec biz to get their opinions. There will be a follow-up post about this later along with a post listing all the podcasts I listen to.
Monday, December 12, 2005
I have been wanting to blog more often because I feel like I have lots of interesting things to add to the security world but find going to Blogger to be a small hurdle that prevents me from doing it. That is a truly lame excuse but it has been enough to cause me to search for more efficient blogging methods. I am now testing Flock, a new Open Source web browser designed to "make it easier to blog, publish your photos and share and discover things." If this is successful, you will start seeing daily blogs from me...which may lead me to my eventual goal of developing a podcast.
Wednesday, November 02, 2005
Since I delved into the world of Apple ownership, I was frustrated by the lack of *real* support for Microsoft's Virtual PC for Mac. It could simply be that people don't use it very much...better yet, security professionals and hackers don't use it very much on Macs. That is probably true because finding solutions to problems with it is far from easy compared to VMware.
I still haven't found the solution to my problem with having full network access to the Virtual Machine while it is in "network sharing" mode (aka NAT). BUT, the update to 10.4.3 fixed the Virtual Switch!! What does this mean? Well, the Virtual Switch lets your Virtual Machine get an IP as if it were on the LAN right next to your host machine. Now, when I boot up my Virtual Machine running FreeBSD 5.4, it gets a private IP address on the UF network just like my PowerBook. This gives me the chance to connect to/exploit services on the Virtual Machine and thus bypass the "network sharing" issue. Thanks, Apple, for fixing this issue!!
Monday, October 31, 2005
Friday, October 28, 2005
Work is great! I am really enjoying my new position on the UF Security Team within the University of Florida. Our website is a little weak right now, but we have a Public Relations person that was hired just before me, and it is one of her projects. I hope to assist and provide information on secure OS builds, incident response tools and procedures, possibly even a security blog...but that might not fly.
I have settled in pretty well with my new Apple PowerBook. It has taken some getting used to. Compiling different forensics tools has not been a problem. I did a quick test of MetaSploit Framework 2.5 and it seemed to work fine. Working within Virtual PC is limiting compared to VMware, but I am getting by OK without snapshots. :-( I was surprised to find that I could install FreeBSD 5.4 in it.
My coworker Jordan and I are working on "Hacking: The Art of Exploitation" with some guidance from our friend Atlas, whom we met last year at a SANS conference. Atlas was first place individual (Ronin) and third place overall in Capture the Flag (CTF) at Defcon 13. It is very cool stuff. Some of the examples work on MacOSX, while for the rest I have had to SSH into a SUSE 8.0 Linux box. Oddly, the examples don't work on my SUSE 9.3 box, which I think has to do with some sort of kernel setting for exec-shield, but I don't know yet. I am looking forward to getting into working on real executables...like the ones from CTF.
What else? I am DJing again this weekend at a Haunted House in Orange Park. My daughter, Gabriella Skye, is almost 5 months old. I am drinking coffee daily again, more water, less soda.
I think that is about it. I promise to start posting more technical stuff. My goal will be at least once a day during the week depending on whether I am in the office or not. Have a great Halloween!!!
Thursday, September 29, 2005
Where am I going with this? Well, I love playing with malware and testing incident response techniques on virtual machines. My first love is VMware but there is no Mac version so I am forced to use MS Virtual PC. Unfortunately, it doesn't do snapshots like VMware...BUMMER! I'm not really a fan of undo disks but it may be what I am forced to do. One idea was to use a tool like Deep Freeze or ShadowUser to lock the system so that any changes are undone with a reboot, which is a bit like a costly version of undo disks. I am going to test each method and see which is the easiest and most efficient. Until I decide, I will be making duplicates of my VPC files, working on the dupe and deleting it after my test.
ADDENDUM: I have settled on Undo Disks. The additional software adds a level of unneeded complexity and that is something I definitely don't desire when doing malware analysis. One feature I found during testing is the ability to carry forward changes during reboots when using Undo Disks. Sometimes it is necessary to reboot during analysis to see how malware will react...nice feature! One thing I did not check was how this affects booting up with Helix and dd'ing the hard drive. That is one more test to check. :-)
Monday, September 12, 2005
So, where am I going with this? The Digital Forensic Research Workshop (DFRWS.org) held their conference in Aug where they put on a forensic challenge based on memory analysis. Two entries received top showing on their website and each contained custom programmed tools to parse memory. The real question is whether they will be releasing these tools. Kntlist looks like it might be a commercial tool written by George M. Garner, but the more interesting tool (or possibly easier) is memparser, which rips through a memory dump and pulls out process lists and detailed info about individual processes. Check out the DFRWS site and look for the memory challenge results.
Wednesday, August 31, 2005
I will be presenting again this year at the Florida Association of Educational Data Systems (FAEDS). My title isn't up yet, but I am planning on, "Windows Incident Response, Forensics and Malware Analysis." That might be a lofty goal since I only have a fifty minute spot. I expect to post more on the presentation topic as it develops. Last year, I tried to do too much and ran over, but people were skipping lunch to hang out and hear more. That was cool, plus the president said to one of our administrators when asking if I could return, "Last year one of the most popular and valuable sessions at our conference was by John Sawyer, an engineer from your organization." More to come...
Saturday, June 25, 2005
Currently, my desktop is an Athlon 64bit 3200+ with a gig of RAM and there is an Athlon 2600+ with a gig of RAM just sitting next to it unused. Maybe it should become a file and web server...I just don't know. So much power and so little bandwidth used by our sites. That is partly why I was thinking of virtualizing the web server. It provides a layer of security in addition to being able to consolidate server tasks to one powerful machine. Enough rambling about this. I still have not yet figured out the true usefulness of the debugging tools I wrote about previously. They are installed, I created a crash dump, opened it to see complaints about symbol issues and have not been able to get much further. Time to sleep since Gabi is finally sleeping. Good night.
Saturday, June 18, 2005
Adware & Spyware Tools
|-- Ad-Aware SE Personal - 1.06r1
|-- BHO Demon - 126.96.36.199
|-- CWShredder - 2.15
|-- HijackThis - 1.99.1
|-- Microsoft Windows AntiSpyWare - 2/16/2005 Beta
|-- Spybot Search and Destroy - 1.4
|-- McAfee CleanBoot - 1.0
|-- McAfee Stinger - 2.5.4
|-- McAfee VirusScan Enterprise - 8.0i
|-- Microsoft Malware Removal Tool - 1.4
Incident Response ToolKit
|-- DiamondCS CmdLine - 1.0
|-- DiamondCS OpenPorts - 1.0
|-- FoundStone BinText - 3.0
|-- FoundStone Forensic Toolkit - 2.0
|-- FoundStone Fport - 2.0
|-- FoundStone Galleta - 1.0
|-- FoundStone Pasco - 1.0
|-- FoundStone Rifuti - 1.0
|-- FoundStone ScanLine - 1.01
|-- FoundStone ShoWin - 2.0
|-- FoundStone SuperScan - 4.0
|-- Heysoft LADS - 4.0
|-- Inetcat.org NBTScan - 1.5.1
|-- myNetWatchman SecCheck
|-- NetCat - 1.1
|-- NirSoft CurrPorts - 1.05
|-- NirSoft CurrProcess - 1.10
|-- NirSoft StartupRun - 1.22
|-- NTSecurity.nu PMDump - 1.2
|-- SysInternals AccessEnum - 1.2
|-- SysInternals AutoRuns - 7.01
|-- SysInternals Contig - 1.52
|-- SysInternals DiskView - 2.0
|-- SysInternals FileMon 9x,NT,x64,IA64 - 7.0
|-- SysInternals Hex2dec
|-- SysInternals ListDLLs - 2.25
|-- SysInternals Page Defrag - 2.3
|-- SysInternals ProcessExplorer 9x,NT,x64 - 9.11
|-- SysInternals PS Tools - 2.15
|-- SysInternals RegMon 9x,NT,x64,IA64 - 7.0
|-- SysInternals Rootkit Revealer - 1.4
|-- SysInternals Sdelete - 1.4
|-- SysInternals ShareEnum - 1.6
|-- SysInternals Sync - 2.2
|-- SysInternals Sigcheck - 1.2
|-- SysInternals Strings - 2.1
|-- SysInternals TCPView - 2.4
|-- Red Cliff Web Historian - 1.1
|-- Sam Spade - 1.14
|-- Tigerteam.se SBD (encrypted netcat) - 1.36
|-- UnxUtils - 04-14-03
|-- Windows Forensic Toolchest (WFT) - 2.0
|-- Ethereal - 0.10.11
|-- Nmap - 3.81
|-- MS Baseline Security Analyzer - 1.2.1
|-- Putty - 0.58
|-- WinDump - 3.8.3 beta
|-- WinPcap - 3.1 beta 4
|-- WinSCP - 3.7.5 beta
Friday, June 17, 2005
Harlan Carvey has a couple of blog entries about "RAM, memory dumps and debuggers" that raise several issues I hadn't thought of before now. I have tried my hand at Ollydbg and a couple of pieces of malware to learn more about their protection scheme and the underlying goal of the writer but never really knew what I was doing. Now, I have new tools to learn to pick apart malware. The next step is to add them to my custom Helix CD and see what I can break. Also, Harlan (or is it Mr Carvey) linked several MS KB articles about generating full memory dumps, kernel memory dumps and small memory (64K) dumps on command.
I will write more when I get some testing time in. For now, I have to work on a review for NWC. That, and my list too. I will add the MS debugger to that list, now.
Sunday, June 12, 2005
Monday, May 30, 2005
Thanks to Sarah, I have fallen in love with reading, again. She has tried getting me to read several times over our years together, but it wasn't until our honeymoon trip to Maui in March that she suckered me into reading a John Grisham book we had lying around and BOOM! I read three novels before we returned to the mainland. Below are the books I have read so far this year, the ones I am currently reading and those I am looking forward to reading.
Books I read in 2005:
The Zero Game - Brad Meltzer
The Tenth Justice - Brad Meltzer
Dead Even - Brad Meltzer
The Last Juror - John Grisham
The King of Torts - John Grisham
The Summons - John Grisham
Frankenstein Book One: The Prodigal Son - Dean Koontz
The DaVinci Code - Dan Brown
Books I am Reading:
The Millionaires - Brad Meltzer
The Art of Intrusion - Kevin Mitnick
Looking forward to reading:
The Broker - John Grisham
Angels & Demons - Dan Brown
Deception Point - Dan Brown
Digital Fortress - Dan Brown
Split Second - David Baldacci