Friday, October 20, 2006

Online Malware Scanners and Sandboxes

I spend some time everyday looking at botnet traffic, collecting binaries and either analyzing the binaries myself or submitting them to an online scanner/sandbox. It surprises me how many people I talk to that don't realize these resources are freely available out there.

Why are they free? Ever heard of Nepenthes? It is a sweet malware collection tool that emulates vulnerable services, lets attackers/bots/worms/etc attack it and push their payload onto it. So, what's my point besides asking too many questions in one post? These sites use people like me like a distributed Nepenthes. Make sense? Good!

On to the good stuff...

VirusTotal is the most comprehensive scanning site I've seen. It uses around 25 different virus/malware scanners to scan submitted files. The downside is that the site has become quite popular and it sometimes takes 5-20 minutes to get a file scanned. One highlight of using this site is that submitted files are passed along to AV companies so signatures are produced quicker (hopefully!).

Jotti's Virus Scan site doesn't use nearly as many scanners as VirusTotal, but you usually don't have to wait as long to get a file scanned.

Kaspersky is, in my opinion, the best virus scanning engine out. When you look at the stats for VirusTotal, they consistently identify more malware than any other tool. We've seen this based on internal testing, also. I've mostly left this link up here as a reminder that Kaspersky used to show what file packers were used. This was an awesome feature of their web scanner but it no longer shows this information. :-(

Online sandbox tools are HOT! The two I use are Norman's Sandbox and the recently released CWSandbox. I recommend you test out both tools to see how they compare. Norman gives a more "user-friendly" output while CWSandbox e-mails an XML results file. Additionally, Norman is based on a commercial product and CWSandbox is the result of a graduate student's research.

That's it for today. If you know of any other sites that provide similar functionality to VirusTotal or the sandboxes, let me know.

Tuesday, October 17, 2006

Server Move!

I just changed servers and am waiting for DNS to propagate. For the last couple of years, I have been hosting our sites from a Cox Cable business account. Thanks to the 9 year anniversary at Dreamhost, I have switched and will be dumping my Business account soon. They were offering a full year of hosting with a discount of $99.99. Impossible to pass up with the ridiculous amounts of storage, bandwidth and features. Now, I need to take advantage of all the cool stuff. See you soon.

UPDATE: I am back up and running. Dreamhost rocks!

Monday, August 21, 2006

Ethical Hacker Skillz Challenge - My Answer

I'm not sure how I happened across the Ethical Hacker site, but there was a "skillz" challenge that had recently been posted by Ed Skoudis and Mike Poor of Intelguardians--both are SANS instructors. The challenge is called "Hack Bill!" and was a fun little story about how O-ren Ishii hacked Bill's server and took over a large botnet. There were going to be two winners based on their submission, one technically correct and one creative while still being technically correct. I chose to write mine in an effort to win the creative portion. Unfortunately, I didn't win, but if you have time, take a look at my submission compared to the winners above and let me know what you think.

Monday, August 14, 2006

DefCon Recap - 1@stplace Won!

Most everyone has heard by now that 1@stplace won DefCon's Capture the Flag contest hosted by Kenshoto. Between the lack of sleep (from two small children) preceding DefCon and then compounding that deficit while in Vegas, it has taken almost a week to get back in the groove.

So, how was the DefCon/CTF experience? Check out this article in the Alligator student paper, and the Chronicle of Higher Education's Wired Campus had a nice writeup that made its way to the UF "CIO". His e-mail to us said, "Outstanding work – I hope this article does not invite people to try 8-)" Nice. ;-)

If you want to learn more, I think the overview by our teammate DocBrown is an excellent place to start. I'm very fortunate to have had the opportunity to participate with 1@stplace (@tlas, apu, drb, fury, plato, psifertex, wrffr). They are an outstanding group of guys. We all share a love of hacking (in some form) and now, we all have DefCon leather jackets and Black Badges!

Where to go from here? Well, I have several projects that I need to get out the door ASAP, there are the PVR and file servers that I want to build at home, and I'd like to rebuild the CTF as much as possible at home on virtual machines so that I can continue working on some ideas I had during the match and get my hands dirty with the reverse engineering parts.

Friday, August 04, 2006

Defcon 14 - Day 1

Note: I will probably just add to the end of this entry as the day goes through.

So, I woke up every two hours throughout the night and was out of bed before 6am. Weird. If you know me, I don't like getting up early. Maybe it was the excitement of being here and participating in CTF.

Fast forward...I am now sitting here with 1@stplace waiting for things to begin. Due to some issue that the local fire marshal had, everything is beginning an hour late. The Kenshoto guys just told the team leaders that we have to have an external modem so all the teams are sending people out to find modems. That explains why each team has two RJ-45 and one RJ-11 running to their areas.

UPDATE 11:06am: The announcement was just made that everything is going to be pushed back another hour.

DefCon 14 - I made it!

After too many hours of scrunching my big shoulder in little airplane seats, I am finally about to crash in my hotel room at the Riviera. I'm not sure if I want to try and describe excitement and the energy around this place. It is by far one of the coolest experiences I've had.

I ran into @tlas and his CTF crew, 1@stPlace. After introductions, @tlas told me they were down a man and invited me to join the team! How can I say no? I will be meeting them at 8:30 in the morning. Ugh.

Next, I ran into my friend, the British Bulldog, a former NYPD Computer Crimes guy and former Guidance Software trainer. We had a nice long chat about forensics and some upcoming plans at UF while enjoying 99cent Amberbock and foot long hot dogs.

So, after going through the trouble of putting all the talks I wanted to see into iCal and syncing it to my Treo, I might not be able to make it to most of them other than a couple of "must see"s. Here is my potential schedule for Day 1 and Day 2. They are graphics because I'm too tired to figure out how to export it in iCal for everyone to see. If I'm not in one of these talks, I'm at the CTF. ;-)

Monday, July 17, 2006

Live Incident Response Tools

I replied to a post on the Security Focus "Forensics" mailing list today in response to someone asking about other "live incident response" tools like the one Matthew Shannon was pimping, Nigilant32. I'm gonna poke Matt a little because he is a fellow graduate from the University of Florida DIS program.

To quote the Nigilant32 site:
Nigilant32 is an incident response tool designed to capture as much information as possible from a running system with the smallest potential impact. Nigilant32 has been developed with Windows 2000, XP, and 2003 in mind, and should work fine with computers running one of those operating systems. Nigilant32 is beta software and may not work in all instances.
What is the point of this tool? What itch does it scratch that one of the tools below does not? Well, the only feature I tested--that is not included by a tool listed below--was the live preview allowing you to look at a filesystem on a live system. Would I ever use that functionality? No, I do not want to spend any more time on a live system than I have to when doing incident response. The likelihood of destroying evidence increases with every second that a system is running, and that likelihood increases substantially if you are moving the mouse around, running tools and "previewing disks."

Coincidentally, the fact he states "Nigilant32 is beta software and may not work in all instances" is very true. I found that when trying to preview a USB drive, the program completely crashed. In fact, the only drive I was able to preview was the C:\ drive. I'll have to go back and read the accompanying articles to see if this is a known problem. I'd also like to find out how the previewing is handled; for example, is it done on such a low level under the Windows API that the file access times are not modified?

I am going to try and make it to the InfraGard meeting in Jacksonville on Tuesday to listen to a forensics talk. I wonder if he will mention live response...if so, I will blog about it later.

For now, enjoy this list. If you know of any others or have experiences with these you'd like to share, let me know.

Forensic Server Project by Harlan Carvey
- http://windows-ir.com/fsp.html
- http://windowsir.blogspot.com/
- Written in Perl with compiled code for Windows. Can be cross platform. Very customizable. Client/Server architecture.

WFT (Windows Forensic Toolchest) by Monty McDougal
- http://www.foolmoon.net/security/wft/
- Executable with config file. Very customizable. Windows only. Can define rules for touching the drive, slow acquisitions or touch as little as possible. Checksums tools before running.

First Response by Mandiant (Kevin Mandia's crew)
- http://www.mandiant.com/firstresponse.htm
- Client/server architecture. Windows only. Best if deployed within organization prior to incident. Provides quick readability of info to determine if incident has occurred so you can respond properly.

FRISK by John "Four" Flynn
- http://sourceforge.net/projects/frisk
- Windows but could be cross platform. Written in Perl and uses Cygwin. May not be actively developed anymore. Provides client/server if using the included web server cgi.
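As an added example of the "checksums tools before running" idea from the WFT entry (this is not code from WFT or any of the tools listed above; the manifest format, the tool names and the hashes are constructed), here is a manifest check meant to run from the trusted response media before anything on it is executed on the suspect host:

```python
"""Verify a live-response toolkit against a known-good SHA-256 manifest before
running anything from it. Added example; not code from WFT or the other tools."""
import hashlib
import os
import tempfile


def sha256_file(path, chunk=1 << 20):
    """Hash a file in chunks so large binaries never need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def parse_manifest(text):
    """Parse sha256sum-style lines ('<hex digest>  <relative path>') into a dict."""
    manifest = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition("  ")
        manifest[name.strip()] = digest.lower()
    return manifest


def verify_toolkit(tool_dir, manifest):
    """Return {tool name: status} for every entry in the manifest.

    status is 'ok', 'missing' (file absent) or 'modified' (hash mismatch).
    A kit with any non-'ok' entry should not be run on the suspect system.
    """
    results = {}
    for name, expected in manifest.items():
        path = os.path.join(tool_dir, name)
        if not os.path.isfile(path):
            results[name] = "missing"
        elif sha256_file(path) != expected:
            results[name] = "modified"
        else:
            results[name] = "ok"
    return results


def toolkit_is_trusted(results):
    return all(status == "ok" for status in results.values())


def build_demo_toolkit():
    """Constructed sample standing in for a response CD: two fake 'tools' in a
    scratch directory, one of them tampered with after the manifest was written,
    plus a manifest entry for a tool that is not present. Returns (dir, manifest)."""
    d = tempfile.mkdtemp(prefix="irkit-")
    tools = {"pslist.exe": b"pslist-binary-v1", "netstat.exe": b"netstat-binary-v1"}
    for name, body in tools.items():
        with open(os.path.join(d, name), "wb") as fh:
            fh.write(body)
    manifest_text = "\n".join(f"{sha256_file(os.path.join(d, n))}  {n}" for n in tools)
    manifest_text += "\n" + "0" * 64 + "  fport.exe\n"  # listed, but not on the media
    # Simulate a tool replaced after the manifest was produced.
    with open(os.path.join(d, "netstat.exe"), "wb") as fh:
        fh.write(b"netstat-binary-trojaned")
    return d, parse_manifest(manifest_text)


if __name__ == "__main__":
    kit_dir, kit_manifest = build_demo_toolkit()
    report = verify_toolkit(kit_dir, kit_manifest)
    for tool, status in sorted(report.items()):
        print(f"{status:8s} {tool}")
    print("trusted:", toolkit_is_trusted(report))
```

The manifest itself has to come from somewhere the suspect host cannot have touched (read-only media, or a hash list kept off the box), otherwise the check only proves the kit matches whatever an intruder left behind.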

Friday, July 14, 2006

It's Official: I am a CISSP

I've finally done it! Well, the finally part is more to the fact that I took the exam on May 13, passed it and just finally sent in my resume almost TWO MONTHS later. I'm not sure why it took me so long to send it in. It could be that I didn't enjoy the whole CISSP process. In Feb, I attended SANS' CISSP prep class in Orlando. It was a good class, and I would probably think it helped me more if I had been able to take the test a week or two later, but I couldn't. The next availability in the area was almost two months after the prep class. When the exam was about two weeks away, I started taking practice exams every day until I was ready to barf CISSP material. Finally, when the test rolled around, I thought it was quite difficult...not because of the material, but because of the way the questions were asked. Now, I probably can't talk about it any further because of the "Fight Club" agreement I had to sign when taking the exam, but I can say I did not enjoy it at all, and the bad taste left in my mouth is probably why I didn't rush to send in my resume in order to complete the process.

I don't really want to complain about the whole process, but I am glad it is over, and I definitely have a feeling of accomplishment having done it. (Plus, it can't hurt to have on my resume;)

Monday, July 10, 2006

Zone Lab Blog on VA Laptop Forensics

I had been wanting to post about this topic for a while but seem to get a little fired up whenever I think about it at length. So, instead of ranting, I thought I would simply post a link to a good write-up from Zone Labs. Take a look and let me know what you think.

Also, Jordan has a BUZZCUT that will be posted on Network Computing soon about the same topic. I haven't read it, yet, but I am sure it will be a worthwhile read.

Tuesday, May 09, 2006

Honeypots are not entrapment...usually.

I was listening to one of my favorite podcasts, PaulDotCom Security Weekly (episode 26), where they were talking about an e-mail from a reader who described a slick little honeypot that was created to catch students who were trying to break into systems. There were two machines running from bootable CDs and a shell script that logged into an Administrator account from one to the other every hour and a half. The machine getting logged into checked at a particular interval to see who was logged in and gathered all relevant data if they were. Well, they busted a kid shortly after setting it up and he was expelled.

So, entrapment or not? Hell no! Why not?

Well, first, the sysadmin who implemented this solution is not law enforcement--this is an important detail in the definition of entrapment.

Second, the sysadmin did not trick the student into doing anything he wouldn't normally have done.

You say, "The student wouldn't normally have logged into that system." Bull crap! How did the student end up with the password? He sniffed it. Why was he sniffing the network? To break into a system. If it wasn't this system, it might have been a more important system that might have taken longer because that password sniffed on the wire would have been encrypted.

This is a beautiful example of how to use a honeypot. It provided low hanging fruit that prevented an attacker from getting into a critical system.

I say, "Bravo. Well done. And, you're wrong, Twitchy!" ;-)
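The watcher side of the setup described above can be expressed as a small check over the decoy host's logon records: the only legitimate use of the bait account is the scripted logon from the partner machine on its 90-minute cadence, so anything else is an alert. This is an added example, not the reader's script from the podcast; the record format, the host addresses and the idea of anchoring the schedule on the first scripted logon are assumptions.

```python
"""Flag logons to a decoy account that are not the scripted one.
Added example; record format and addresses are assumed, sample data constructed."""
from datetime import datetime, timedelta

DECOY_USER = "Administrator"        # account whose password is the bait
SCRIPT_HOST = "10.0.5.11"           # partner box running the scheduled logon (assumed)
INTERVAL = timedelta(minutes=90)    # the hour-and-a-half cadence from the description
SLACK = timedelta(minutes=2)        # tolerated drift around each scheduled logon

# Constructed sample of decoy-host logon records: "<iso-time> <user> <source-ip>".
SAMPLE_LOG = """\
2006-05-08T08:00:05 Administrator 10.0.5.11
2006-05-08T09:30:02 Administrator 10.0.5.11
2006-05-08T10:14:41 Administrator 10.0.5.73
2006-05-08T10:45:30 Administrator 10.0.5.11
2006-05-08T11:00:03 Administrator 10.0.5.11
2006-05-08T11:31:10 guest 10.0.5.73
"""


def parse_records(text):
    """Turn the whitespace-separated records into (datetime, user, source) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, src = line.split()
        records.append((datetime.fromisoformat(ts), user, src))
    return records


def is_scheduled(ts, first_logon):
    """True if ts lies within SLACK of one of the scripted logon times."""
    elapsed = ts - first_logon
    if elapsed < -SLACK:
        return False
    n = round(elapsed / INTERVAL)            # nearest slot number
    return abs(elapsed - n * INTERVAL) <= SLACK


def find_unexpected_logons(records):
    """Return decoy-account logons that are not the scripted one.

    The earliest logon from SCRIPT_HOST anchors the schedule; a logon from any
    other source, or from the script host off-schedule, is reported.
    """
    scripted = [ts for ts, u, s in records if u == DECOY_USER and s == SCRIPT_HOST]
    first = min(scripted) if scripted else None
    alerts = []
    for ts, user, src in records:
        if user != DECOY_USER:
            continue                          # only the bait account matters here
        if src == SCRIPT_HOST and first is not None and is_scheduled(ts, first):
            continue                          # the expected scripted logon
        alerts.append((ts, user, src))
    return alerts


if __name__ == "__main__":
    for ts, user, src in find_unexpected_logons(parse_records(SAMPLE_LOG)):
        print(f"ALERT {ts.isoformat()} {user} from {src}")
```

On the sample data this reports the logon from 10.0.5.73 and the off-schedule one from the script host; the guest logon is ignored because it never used the bait account. Since the bait password never changes, a second session on the script host outside the schedule is just as suspicious as one from a stranger, which is why the source address alone is not enough.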

Monday, May 01, 2006

To Forensicize or Not To Forensicize!

If you don't listen to the PaulDotCom Security Weekly Podcast, then you may not be familiar with the term "forensicize" as defined by Twitchy. I recommend you start listening and begin developing your kung-fu!

I have had the pleasure of participating in more cases requiring forensic analysis. This isn't common in most university environments. Why not? Well, I think it is primarily because most known compromises deal with student/staff/faculty desktops and laptops. Some underpaid university employee is tasked to figure out what is wrong so they run antivirus, antispyware, anti-whatever and finally realize the machine is too screwed up to do anything with so they reinstall Windows. OR, some wise administrator has decided that too much time has been wasted with figuring out why the systems are hosed up, so at the first sign of trouble, the OS is wiped and reinstalled via Ghost/RIS/etc.

So, what about the compromises that deal with servers or systems that could have sensitive information on them? Again, another unfortunate truth rears its ugly head--lack of knowledge of proper incident response and forensic procedures. I would guess that 90% of system administrators and support staff run McAfee or Symantec when they are told that a system may be compromised. Not only is that useless, but it could be damaging because the filesystem timeline is now destroyed. Now, ask each one of those administrators how to create a forensically sound copy of the hard drive or how to write-block a drive and all but 4-5% could answer it correctly (I am probably being generous with those numbers).

This really isn't where I was planning on going with this posting but my frustrations slowly crept to the surface as I was writing. You can expect more and more on the topic of forensics as I get closer to my talk for the GatorLUG this month and start writing detailed forensics procedures for our university.

No more worms in my Apple...

What a cheesy title!?! About a month ago, my laptop developed a horizontal line across the LCD display. I can't even begin to tell you how disappointed I was when I opened up my PowerBook to find the line. Thankfully, a quick call to Apple Support, and they had a shipping box delivered to my office the following day. Unfortunately, my PowerBook has become my primary desktop and mobile machine for everything--meeting notes, e-mail, documents, etc. Our OPS programmer recently left, so I was able to confiscate his old desktop, install Ubuntu and get a working machine for the interim while my laptop was away being repaired.

What about my sensitive data? During the phone call with Apple Support, the guy asked for my administrative password--I said, "No." He then asked if I would create a user with administrative rights with a certain user name and password--I said, "Sure." Before shipping it off, I backed up all my data to an external firewire drive, deleted my user account and home folder, then ran "dd if=/dev/urandom of=./random.dd bs=1024k count=7000000" in order to "wipe" my data on the remaining part of the hard drive.

Today, I received my laptop back with a beautiful new LCD. I logged in, recreated my account, copied the contents from the backup, "chown"ed it back to jsawyer:jsawyer and then deleted the temp account. Everything works fantastic, and I am happily productive once again.
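The dd step above is the free-space overwrite in its rawest form: count=7000000 with bs=1024k asks for roughly 7 TB, far more than the drive held, so dd simply ran until the volume was full. The following is an added example of the same procedure (not the author's command) with a size cap and clean-up so it can be tried safely; the scratch directory and cap are constructed for the demonstration.

```python
"""Overwrite the free space of a volume with random data before the machine
leaves your hands. Added example, not the author's dd command. It reaches only
unallocated blocks on the filesystem holding `directory`: file slack, the
journal and blocks still owned by remaining files are untouched."""
import errno
import os
import tempfile


def fill_free_space(directory, block_size=1 << 20, max_bytes=None):
    """Write random blocks into a temporary file under `directory` until the
    filesystem reports ENOSPC (or max_bytes is reached), then delete the file.
    Returns the number of bytes written."""
    fd, path = tempfile.mkstemp(prefix="wipe-", dir=directory)
    written = 0
    try:
        with os.fdopen(fd, "wb", buffering=0) as fh:
            while max_bytes is None or written < max_bytes:
                n = block_size if max_bytes is None else min(block_size, max_bytes - written)
                try:
                    done = fh.write(os.urandom(n))
                except OSError as exc:
                    if exc.errno == errno.ENOSPC:
                        break               # volume full: every free block overwritten
                    raise
                written += done or 0
                if not done:
                    break
            try:
                os.fsync(fh.fileno())       # push the data past the page cache
            except OSError:
                pass                        # can fail on a completely full volume
    finally:
        os.unlink(path)                     # free the space again; the random data stays
    return written


def demo_run(limit=20000):
    """Constructed demonstration on a scratch directory with a small cap so it
    finishes in well under a second; returns (bytes_written, files_left_behind)."""
    scratch = tempfile.mkdtemp(prefix="wipe-demo-")
    written = fill_free_space(scratch, block_size=4096, max_bytes=limit)
    leftovers = os.listdir(scratch)
    os.rmdir(scratch)
    return written, leftovers


if __name__ == "__main__":
    print(demo_run())
```

Run with max_bytes=None on the real volume to reproduce the dd behaviour. Deleting the account and home folder first, as the author did, matters because this only scrubs space the filesystem already considers free.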

Google Mac OS X Widgets

I am always looking for a better, more efficient way to enable me to blog more often. Last week, I came across Google Mac Dashboard Widgets. There are three: Blogger, GMail and Search History. Check them out!

Note: This post was done via the Widget. It is definitely a quick and easy way to blog via Blogger, but it doesn't allow any advanced editing. Hopefully, they will add advanced editing in upcoming versions.

Friday, April 28, 2006

Host Intrusion Detection Systems (HIDS)

When you say Intrusion Detection Systems or IDS, people immediately think of network-based IDS--very few think of Host Intrusion Detection Systems or HIDS. Jordan was preparing a presentation on IDS for a DIS graduate class. He was looking for the history of IDS and found several early papers on HIDS. Apparently, "back in the day," those individuals looking into IDS started thinking of it from the host perspective. So, what happened? Why did everyone move their focus to the network by developing NIDS? My guess is someone was looking for the best bang for the buck by developing a solution that would cover as many hosts as possible instead of just one. So, NIDS lived and HIDS fell by the wayside.

Enough of my rambling intro...the whole point of this entry was to discuss a couple of HIDS products and a tool for breaking them that was updated to coincide with CanSecWest. I did not go to CanSecWest, but Jordan did and so did one of the smart guys from nCircle who posted his notes from all the presentations on their blog--definitely check out their blog and excellent write-up of CanSecWest.

I was planning on running through a demo of slipfest running within CoreForce and WehnTrust with screenshots but time has gotten away from me--thanks to 3 hrs on the phone troubleshooting a problem on my mom's laptop--so it will have to wait until this weekend. To whet your appetite, check out the descriptions from the products' websites below.

WehnTrust is a Host-based Intrusion Prevention System (HIPS) that provides secure buffer overflow exploitation countermeasures. While other Windows based intrusion prevention systems are only capable of working with a pre-defined group of applications, WehnTrust's technology allows it to work with virtually all software products. Perhaps best of all, WehnTrust is currently free for home use.


CORE FORCE can be used to:
  • Protect your computer from compromises by worms, virus and email-borne malware
  • Prevent your computer from being used as a staging point to amplify attacks and compromise others
  • Prevent exploitation of known bugs in the operating system and applications running on your computer
  • Prevent exploitation of unknown bugs (0-day) in the operating system and applications running on your computer
  • Detect and prevent execution of adware, spyware, trojan horses and other malware on your computer
CORE FORCE provides inbound and outbound stateful packet filtering for TCP/IP protocols using a Windows port of OpenBSD's PF firewall, granular file system and registry access control and programs' integrity validation. These capabilities can be configured and enforced system-wide or on a per-application basis for specific programs such as email readers, Web browsers, media players, messaging software, etc.

Officially SLIPFEST is an acronym for "System level intrusion prevention system evaluation suite and toolkit". But the name is really a French joke meaning something like "Panty's party".

It's a tool which can help you to understand how your Windows HIPS (or personal firewall, or advanced anti-virus) works. With it you can list SDT (in kernel) or userland (in library) hooks, characterize address space layout randomization (ASLR) or non executability, inject shellcodes in a process' address space to try to fool the heuristic or test the MAC mechanism with common flaws.

Wednesday, April 26, 2006

The Latest Happenings...

Work has been busy lately. You might think that or you might just think I have been slacking since it's been a month since my last post. Definitely not the latter--having a pregnant wife and 10 month old daughter requires reprioritizing of my time. ;-) I also had food poisoning that put me out of commission for days, but I recuperated nicely on an 8 night Western Caribbean cruise the following week.

At work, I have finally had the chance to start flexing my forensic muscle. I really do enjoy forensics but never quite get the chance to do full analysis of a box including filesystem timelines, event logs, flow data, etc. The last three weeks have been exciting in this arena. I will be analyzing one, maybe two, hosts tomorrow.

I will be speaking on Open Source forensics at the May GatorLUG meeting. That should be fun. Right now, I am trying to decide if I want to use PowerPoint or Keynote. I thought about using OpenOffice Impress but I am thinking all the shiny effects of Keynote are what I really want. It will detract from the Open Source tools a bit but people will get over it.

And finally...why don't I update my blog or write those cool how to's or other things I have said I wanted to do on this site? Well, I am a bit of a perfectionist. When I think about putting content up here, I don't want to put it up unless I am perfectly happy with it and feel that it is "perfect." After speaking with a coworker about my tendency to act this way, she mentioned it was something she has read about in self-help books and it just leads people to never get things done. I want to overcome that so expect to see daily posts, perfect or not.

Friday, March 17, 2006

RSS Readers Dueling It Out on My PowerBook

I started researching free RSS readers several months ago after finding it to be too time consuming visiting such a large list of bookmarks in Firefox. Sure, Firefox has Live Bookmarks, but have you used them? I personally think they suck a bit. So, the RSS reader search began. I found quite a few commercial apps but I really didn't want to pay anything for something that is essentially an XML parser/aggregator.

After trying about a half dozen, I stuck with Pulp Fiction Lite for about 4-6 months--hard to say just how long without looking at timestamps on the files. It is a good, slightly crippled version of their commercial product. Unfortunately, even though it was the best of those I tested, I wasn't in love with it.

Recently, I came across Vienna which is a free, Open Source RSS reader for Mac OS X. With the exception of Microsoft Office, I prefer running Open Source software. Vienna has been quite functional and more user friendly than Pulp Fiction Lite. It does seem to be a little more picky about the RSS feed being fully compliant with RSS standards as a couple of my feeds have been reported as bad. Going back to the source of the feed, I was able to try one of the other versions (RSS .9, 1.0, 2.0, ATOM, etc) and got past the problem. To help solve the problems with the feeds, it has an option to Validate Feed, which sends the feed to the Feed Validator website.

Vienna has quite a few features that I haven't even delved into yet but I expect to get around to them. They include Groups, Smart Folders and Custom Styles. A very cool app, indeed. If you like freeware, Open Source apps and need a solid RSS reader, check out Vienna.

Thursday, March 16, 2006

Centralized Logging for Windows Using Syslog

I posted the following information on a couple of different blogs several months ago. Since it has a link that I reference regularly, I decided to add it here to keep handy next time I mention it.

Syslog Server: If you choose not to implement a syslog server on a *nix platform, I highly recommend Kiwi Syslog Daemon. There is a free version that should fit most shops' needs and a commercial version for more advanced setups.

Event Log to Syslog: The Snare Agent is hands-down the best event log to syslog tool out there. It is FREE and supports all Event Logs including Security, Application, System, DNS and AD.

Microsoft Solutions: Microsoft Operations Management (MOM) includes the ability to collect all the logs from servers it monitors but is quite expensive if that's all you want to do. The vaporware Microsoft Audit Collection System (MACS) is supposed to have an agent on each server that forwards all the logs back to a central MACS server and stores everything in SQL. Keep holding your breath for that one.

Microsoft Security Monitoring and Attack Detection Planning Guide is a superb guide for learning what and what not to monitor in a Windows environment. The most useful part of the guide is Appendix A - Exclude Unnecessary Events to help trim down to the events that deserve a monkey's precious attention.
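To show what the Snare-to-syslog path and the "exclude unnecessary events" advice look like once the records arrive, here is an added example (not code from Snare, Kiwi or Microsoft's guide) that parses forwarded Windows events out of syslog lines and drops the noisy event IDs before anything reaches an analyst. The tab-delimited field order approximates Snare's and is an assumption, the sample lines are constructed, and the exclusion set is illustrative rather than the guide's Appendix A list.

```python
"""Parse syslog lines carrying Windows event log records from a Snare-style
agent and filter out noise. Added example; field layout and samples assumed."""
import re

# RFC 3164 shape: <PRI>Mmm dd hh:mm:ss host message
PRI_RE = re.compile(r"^<(\d{1,3})>(\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (\S+) (.*)$", re.S)

# Assumed Snare-style field order after the "MSWinEventLog" tag.
FIELDS = ["criticality", "log", "counter", "event_time", "event_id", "source",
          "user", "sid_type", "event_type", "computer", "category", "data"]

# Illustrative exclusions (not Appendix A's list): user logoff (538) and
# handle closed (562) are high-volume and rarely actionable on their own.
EXCLUDED_EVENT_IDS = {538, 562}

# Constructed sample traffic as a collector would see it from host WS1.
SAMPLE_LINES = [
    "<13>Mar 16 10:03:22 WS1 MSWinEventLog\t1\tSecurity\t101\tThu Mar 16 10:03:21 2006\t529"
    "\tSecurity\tjsawyer\tUser\tFailure Audit\tWS1\tLogon/Logoff"
    "\tLogon Failure: Reason: Unknown user name or bad password\t100",
    "<13>Mar 16 10:03:25 WS1 MSWinEventLog\t0\tSecurity\t102\tThu Mar 16 10:03:24 2006\t538"
    "\tSecurity\tjsawyer\tUser\tSuccess Audit\tWS1\tLogon/Logoff\tUser Logoff\t101",
    "<13>Mar 16 10:04:01 WS1 MSWinEventLog\t0\tSecurity\t103\tThu Mar 16 10:04:00 2006\t562"
    "\tSecurity\tSYSTEM\tUser\tSuccess Audit\tWS1\tObject Access\tHandle Closed\t102",
    "<13>Mar 16 10:05:40 WS1 MSWinEventLog\t2\tSecurity\t104\tThu Mar 16 10:05:39 2006\t517"
    "\tSecurity\tjsawyer\tUser\tSuccess Audit\tWS1\tSystem Event\tThe audit log was cleared\t103",
    "<13>Mar 16 10:06:00 WS1 this is not a snare record",
]


def parse_syslog(line):
    """Split PRI, timestamp, host and message; facility/severity come from PRI."""
    m = PRI_RE.match(line)
    if not m:
        return None
    pri = int(m.group(1))
    return {"facility": pri // 8, "severity": pri % 8,
            "timestamp": m.group(2), "host": m.group(3), "msg": m.group(4)}


def parse_snare(msg):
    """Map the tab-delimited body onto FIELDS; None if it is not a Snare record."""
    tag, _, body = msg.partition("\t")
    if tag != "MSWinEventLog":
        return None
    parts = body.split("\t")
    if len(parts) < len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))        # trailing fields (counter, checksum) ignored
    try:
        rec["event_id"] = int(rec["event_id"])
    except ValueError:
        return None
    return rec


def keep_event(rec):
    return rec["event_id"] not in EXCLUDED_EVENT_IDS


def filter_events(lines):
    """Return the parsed Windows events worth keeping, tagged with the sender."""
    kept = []
    for line in lines:
        sys_rec = parse_syslog(line)
        if sys_rec is None:
            continue
        ev = parse_snare(sys_rec["msg"])
        if ev is None or not keep_event(ev):
            continue
        ev["reporting_host"] = sys_rec["host"]
        kept.append(ev)
    return kept


if __name__ == "__main__":
    for ev in filter_events(SAMPLE_LINES):
        print(ev["reporting_host"], ev["event_id"], ev["event_type"], ev["user"], ev["data"])
```

On the sample the failed logon (529) and the cleared audit log (517) survive while the logoff and handle-close records are dropped. The exclusion set is where Appendix A earns its keep: build it from the guide's list and the quirks of your own environment, and keep the raw feed on disk so a dropped event can still be pulled back during an investigation.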

Die Virtual PC, rise VMware on a Mac (via SSH)

Several weeks ago, I installed X11 on my PowerBook so I could run Ethereal. About a week after that, I tried tunneling the VMware Console over SSH into X. The console flashed a couple of times on the screen and promptly died. I tried several more times with no luck. A Google search did not turn up anything at the time. Frustration set in...

Today, while in a Windows Vista TAP meeting (don't ask), Jordan asked if I had tried tunneling the console over SSH. I replied yes, and shortly thereafter he sent me the following link to "How To Run vmware-console Remotely With Apple's X11" at the Tao of Mac site. I SSHed into my VMware server, added the xkeymap entry to my preferences file in the .vmware folder, ran vmware-console and BOOM!, there was VMware Console running in all its glory on my PowerBook. YES! I am a happy guy now.

DIE VIRTUAL PC! May you rot in peace. Long live VMware!

Wednesday, March 15, 2006

FrSIRT sells out!

Any security person (or even script kiddie) knows the name K-otic. K-otic has been the source of top notch Proof of Concept (PoC) code and exploits for quite some time. Last year, I think, is when they transitioned to a business mindset of becoming FrSIRT, the French Security Incident Response Team, and started selling vulnerability announcement services. They continued putting out exploit code that typically made its way into Metasploit very quickly.

It all ends today...unless you are a customer of their VNS--Vulnerability Notification Service--you don't get squat anymore. Their website doesn't even list the pricing for their product, however, I may end up getting curious enough to give them a call or shoot them an e-mail. Either way, I am really disappointed. It was a great and well-used resource by many security professionals.

Were they like Tenable and didn't feel they were getting enough back from what they put out? Who knows. They just have a crappy little page up where the Exploits page once existed that says:

Exploits and PoCs are available to FrSIRT VNS™ subscribers only.
Public exploits section have been definitively closed.

Oh well, thanks for the good times. If anyone has a mirror of all of their code, let me know ASAP!

UPDATE 9:08pm EST: My RSS reader just notified me there was a new article at FrSIRT, so I clicked on it to simply find that someone who knows the English language better has finally updated the text to read "Public exploits sections has been definitively closed." Damn. And here I thought they saw the error of their ways and changed their mind. I guess not. Someone on the FunSec mailing list posted that them closing the section wasn't a big deal as they just took the code from milw0rm. SMACK!!

Wednesday, March 08, 2006

SANS 2006 - CISSP - Final Thoughts

After being in class for approximately 72 hrs in 6 days, I am a little burned out. The class was excellent. It really gave me an appreciation for security management. The CISSP certification is certainly designed for managers although industry and HR personnel don't seem to realize this. The more interesting parts were dealing with policy and cryptography. I really didn't know too much about cryptography before taking the class, but after a full day of it, I can say I have a good grasp on the subject. As for policy, I used to seriously dislike anything related to policy, especially meetings that dealt with the semantics of policy. Looking at it from a managerial standpoint, it is crucial to the inner workings, efficiency and effectiveness of an IT organization. I look forward to actively participating in policy committees in the future.

I was able to attend several technical sessions during lunch and after class in the evenings. The majority of them were top-notch. I really enjoyed Joe Stewart's presentation on his tool TRUMAN for creating sandnets to accomplish behavioral malware analysis. Great presentation and I look forward to implementing this in the lab for our own testing. I also made contacts with numerous vendors regarding current work projects.

Overall, it was a fantastic, but exhausting experience. If Dr. Eric Cole had not been the instructor, I'm not sure I could have made it through. He is one of the best instructors I have had. Now, I need to continue studying and pass the CISSP exam in April.

Wednesday, March 01, 2006

SANS 2006 - CISSP 10 Domains class

What a week!?! I have been in class since Sat at 9am. Each day has covered 1-2 Domains from the CISSP. Class was 9am-7pm Sat, 8am-7pm Sun-Wed and 8am-5pm Thurs. Only one day left.

There has been a lot going on in addition to the normal class. There was a Vendor Expo where vendors from all corners of the IT security market came out of the woodwork. It was cool seeing some of the ones whose products I have reviewed for NWC or SE. There was even one who I will be reviewing in the next month.

Each night has had at least one Keynote which was sometimes good, sometimes just OK. Essentially, it boils down to me being in Learning Mode for about a full 13 hrs a day.

One surprising thing is how many people are here that I know. It is pretty interesting. There is the SANS faculty and staff that I know, but I am referring to a couple of attendees from other conferences I have met before, someone from FDLE and several people from the FL Dept of Health. Very cool. It has been nice catching up.

It has also been great having "expert" sources to ask questions. I still have a couple of stumpers for some of the big name people. I hope they have good answers as I haven't found info anywhere else. I will keep you posted.

More to follow...

Tuesday, February 21, 2006

Not running as an administrator

I was IMing back and forth with a friend who is still in school. He was looking for a topic for an infosec related class so I pointed him toward LUA--Least-privileged User Account. He liked it so today, we were chatting again about the topic and how to quantify it. Below is my side of the conversation where he first asked if we had graphs or similar regarding the compromises resulting from administrators not enforcing LUA in their dept.

- We can't quantify it that well because the attacks are user initiated and not network initiated like an IDS would normally pick up.

- There are vulnerabilities that exist in Web browsers, e-mail clients, RSS readers and IM clients that can be exploited simply by the user opening a link, reading an e-mail or accepting an IM. If the user does not have administrator privileges, the damage caused by those vulnerabilities being exploited is greatly contained to just their user account. It is much easier to recreate a user account than to rebuild a system.

- Services are a completely separate issue. A user logged in usually does not interact directly with services running on their computer. The services start up automatically as SYSTEM or some other user and work independently of the user. Today's attacks are targeting client applications more and more. If you go back through the Microsoft vulnerabilities, you will see patches for things that exploit the system because of something the user does like opening a bad WMF file. There have not been many remote service exploits on Windows lately.

- For example, "To continue browsing this website, you must install this software. By doing so, you agree to....blah, blah, blah." Hmm. I don't need to read that crap. I just need to click yes so I can keep browsing.

Here is a great blog post that correlates how adware/spyware affected a system where a user was an administrator and then as LUA. I did this same testing when I was at IFAS with the same results. It isn't rocket science people. Get a clue!!

Quick Update: SANS/CISSP, Articles and Personal Projects

So many things going on...where to start. Well, first of all, I will be at the SANS conference all next week in Orlando in the CISSP track. To some of you, it may seem odd to be taking a CISSP class from SANS, but it was convenient as it is in Orlando and I had $3000 in tuition credit so it's only costing $95. Makes sense, now, doesn't it? ;-) Several coworkers and security professional friends keep telling me I could simply take the test and pass it but I prefer to go to the review just to be safe. I like sure things! Especially, when the dang test costs $500.

I just finished a "Deploying EFS in the Enterprise" article for Security Enterprise magazine to be published in the March issue. It was a short two pages that ended up being a pretty good learning experience. I knew most of the limitations and features of EFS going into the article and picked up a bit of new knowledge in the process. The January issue had my review of Arbor Networks Peakflow X and the March issue will also have my review of Credant Mobile Guardian 5.1 Enterprise Edition. An upcoming issue of Network Computing magazine will also have my review of PacketMotion's PacketSentry.

I have been posting pretty regularly in the ForensicFocus Forums over the last couple of weeks. I will probably be copying some of the content of those posts over here. The posts were good and had some excellent information that would be useful here, and I would like to elaborate on them a bit.

Foremost and Scalpel don't have extensive patterns included in their config files so I am going to slowly begin collecting and testing patterns. Eventually, I want to have an extensive reference that will become a good online reference for forensic analysts using both tools.

I keep a list of "articles" that I want to work on and post on the blog in a PDF format. The list is quite ambitious and the magazine articles have pushed them to the backburner but I expect a lull in the magazine world for the next couple of weeks so I hope to make some headway with those personal articles.

nubuntu: this is a link as a reminder for a potential future project.

Saturday, January 14, 2006

Be Careful What You Say...It Might End Up Online!

At the DoD conference, I met a fellow named Paul F. Roberts who is a Senior Editor with eWeek. Jordan and I chatted with him for a while in the Expo Hall while killing time waiting for the Floppy Disk Throw. During the chat, we talked about the Mac OS X Forensics class I was in along with other presentations that either Jordan or I had attended. He showed interest in the Mac class and our experiences with them at work. Paul never mentioned he might include any of this in an article but I guess we should have expected it since he was "covering" the event.

I was taking a break from my article writing and thought I might check out the eWeek site to see what kind of stuff Paul writes. A quick search for his name revealed a slew of articles written by Paul. At the time, the latest one was titled, "Gov't Cyber-sleuths Focusing on Linux, iPod, Xbox" so I clicked it wanting to see what Paul thought about the conference. I never expected to see our names mentioned, but there we were.

Nothing really worth noting, although I would have liked to see more in-depth and insightful quotes than the ones included since they were a bit vague. For example, the Apple PowerBook I use was purchased by UF so that I could learn more about forensics and incident response on the Mac OS X platform. Very true, however, it isn't really for the entire staff to learn from since it is my primary workstation that travels everywhere with me. As for Jordan's quote, he can address that if he wants. I won't put words into his mouth.

Moral of the story...if you don't want it said in an article, don't say it in front of a reporter. Thankfully, we didn't say anything bad, but it would have been nice to know that we might be quoted. It is something I will certainly remember in the future. Paul, if you're reading this, it was great meeting you and thanks for the Corona.

DoD - Day 6 - The End...

Day 6 - 01/13/2006: It is Friday the 13th and the final day of the Department of Defense Cybercrime Conference 2006. I admit that I am sad to see it end. Unlike most people I know, I truly love coming to conferences like this one where I am immersed into a learning environment and subjected to highly technical topics that I am interested in. It is fantastic. There were some presentations that were disappointing, but overall, it was worth every minute of my time.

The day started out early since I had to load up my junk because room checkout was around 11am when I would be in a presentation. After loading up, I headed over to Inverness Hall for breakfast and the "conference wrap-up." Nice things were said about everyone who participated and presented. Jordan and I won First Place in the Cipher Hunt challenge. Now that I think about it, I wish I had a copy of our challenges. Oh well. We received First Place medals in the DoD Cybercrime Olympics 2006 along with USB Aquariums. I received two nice certificates; a generic one for attending the conference and a very nice one for completing the 2 day Mac OS X Forensics class. Those were bonuses I wasn't expecting.

The first presentation of the day was "Identity Theft" by Kevin Mandia. Kevin is an awesome speaker. I was really impressed by his "stage presence" and comfort with the material. He went through a case study of a woman who had $50,000 stolen from her accounts which was later determined to have been accomplished by exploiting Internet Explorer on her computer and installing a keylogger. Great intro to people who don't do incident response and know the associated tools.

The second and last presentation focused on BitTorrent and forensics. It was quite an interesting topic. One of the dilemmas mentioned deals with how investigators tracking down child porn deal with the issue of forced sharing when they are trying to download and verify potential child porn images. As soon as the investigator finishes downloading a file chunk, it is automatically shared out to others making the investigator a distributor of child porn. It raised several questions that I would like to research later on and possibly provide some help to the author and law enforcement (forensic) community.

I am now hanging out at my sister-in-law's house working on an article with a looming deadline but wanted to get in my last conference update. It was a great experience. I loved meeting all of the interesting people and look forward to keeping in touch with them. I am already anticipating next year's conference. Thanks to DoD, JTF-GNO & Technology Forums.

Thursday, January 12, 2006

DoD - Day 5 Update

Day 5 - 01/12/2006: Today may have been the least exciting day so far. I expected more from several of the presentations I attended. There were several cool people that I met and hung out with which makes up for the mediocre day. It started out with an early breakfast where I sat with some of the Air Force OSI guys, a Marine JAG fellow and a Naval Post Graduate School sysadmin. Very cool people.

The first presentation must have been specifically for law enforcement folks since it wasn't overly technical. Nothing wrong with that, but the title of "Hacking and Forensic Analysis of an iPod" made me expect more. The presentation briefly went over the partition structure of iPods, the directory structure, "hiding" files on it and using it to boot Linux from an iPod. I know many others in the class got lots from it so I won't knock it. It just wasn't technical enough for me.

My second choice was a presentation by a lawyer from the JTF-GNO about the rights of system administrators to provide info to law enforcement and what info can be given. It was definitely interesting and raised a few questions I have for the university environment. Not much more that I can say about this one. I do need to review the slides as he did not go over all of them. Great information and excellent speaker.

The third presentation was by Thane Erickson who taught part of the Mac OS X forensics class I was in earlier. He was focusing specifically on Tiger things that were different and/or not covered in the previous class that was mainly on Panther. I learned about the difference in how passwords were hashed between Panther and Tiger, how to crack them, details about Spotlight and associated commandline tools and Dashboard Widgets with their associated forensic value. Excellent stuff. Thane is a good presenter and knows his stuff well. If you ever see him, make sure you tell him that LSU SUCKS!!!

Next, I went to a talk titled, "Daubert Digital Forensics." Since I am not LE, this presentation was just something I thought I might learn more about. I did take a few notes but did not find it overly interesting. Right now, I bet you are thinking, "Duh, it is legal stuff. Of course, it isn't interesting." Well, you have a point, but one day, it might be something I have to adhere to...but not yet.

After lunch with the FDLE boys, I thought "Digital Crime Scene Reconstruction" would be good with Fred Cohen. Hmmm...other people enjoyed it more than I did. His talk did a good job of validating the Daubert talk but his constant joking and goofiness turned me off. During the presentation, I ended up designing a future hacking challenge network layout for UF where I will set it up and challenge all L33T hackers at UF to penetrate. It should be fun.

My next choice was another bust. How did I keep choosing crappy presentations? It was Johnny Long presenting "Death by a 1000 Cuts." How could it be lame? Have you read "Stealing the Network: How to Own an Identity?" If yes, then don't go to this presentation. It is a rehash of one of the chapters and not very exciting. I am really disappointed I chose it over Kevin Mandia's "Windows Malware Analysis" presentation. Johnny did get done 15 minutes early, so I was able to catch the last bit of Kevin's presentation which pissed me off even more that I chose the wrong presentation. I think by going to Kevin's "Identity Theft" presentation tomorrow, it will make up for it.

Finally, I caught the last hour of Bill Harback's "Examining the Windows Registry." It was FULL of windows registry information. Holy Crap! Bill went through so much in that hour, I would have had registry coming out of my ears if I had been there for both hours. Afterwards, he gave us updated copies of his presentation along with a free version of a registry tool that was recently purchased by a decently well known forensic tool company.

That's it for Thursday. The presentations I chose to attend certainly did not turn out as I hoped. Tomorrow will be better, especially since Jordan and I will be getting awards for kicking @$$ in the DoD Cybercrime Olympics. Now, I think I am going to drive over to Wing House or Hooters and work on an article for Secure Enterprise magazine that is due next week.

Wednesday, January 11, 2006

DoD - Day 4 Update

Day 4 - 01/11/2006: Today was a good day. Well, other than the fact that Jordan was stuck in our hotel room all day sick, today was definitely a good day for listening to excellent speakers. This morning started off with a Google hacking presentation from Johnny Long. It was a good presentation and pretty much a rehash of the related book, yet still entertaining.

Next, I sat through two 2 hr presentations by Richard Bejtlich from Tao Security. Most people know him from his extremely popular blog. Richard is a smart guy when it comes to network monitoring and incident response. To top things off, he is a fantastic speaker. His first presentation was on Network Incident Response and went through his standard incident response procedures. One issue he drove home with me was to not tip your hand when responding to an incident. Many times when I am incident handling, I will download the same tools that the attacker used which could easily alert them that I am tracking them if I download from a server they have compromised. There are two sides to the logic there but if there is a risk the attacker might do more damage because they know I am aware of them, they may retaliate. He also had some good ideas of how to implement a logging only server and incident response in general.

Richard's next presentation focused more specifically on forensics from a network perspective. He had some interesting thoughts on creating a ring-buffer type of full packet network logger that simply sits and records all network data in 1gb chunks and overwriting the oldest chunks. Applying the theory of computer forensics to network forensics, he reiterated several times that the key to successful investigations and prosecuting is developing a sound methodology and sticking to it every time. Most of the interesting examples and ideas can be found on his blog as he has posted them at some point in the past. I am glad I made it to both.
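The ring-buffer capture writer described above, as an added example that is not from the talk or the original post: records are appended to fixed-size chunk files, and once more than a retention count exist the oldest chunk is deleted. The 1 GB chunk size follows the talk; the retention count, file naming and record framing are assumptions.

```python
import struct
import tempfile
import time
from pathlib import Path


class RingBufferCaptureWriter:
    """Chunked, self-overwriting capture log. Each record is framed as an
    8-byte microsecond timestamp, a 4-byte length and the payload bytes;
    chunks are rotated at chunk_bytes and only the newest max_chunks are kept.
    The 1 GB default mirrors the talk; max_chunks is an assumed default."""

    def __init__(self, directory, chunk_bytes=1 << 30, max_chunks=100):
        self.directory = Path(directory)
        self.directory.mkdir(parents=True, exist_ok=True)
        self.chunk_bytes = chunk_bytes
        self.max_chunks = max_chunks
        self.seq = 0            # monotonically increasing chunk number
        self.current = None     # open file object for the newest chunk
        self.current_size = 0

    def _chunk_path(self, seq):
        return self.directory / f"capture-{seq:08d}.bin"

    def _rotate(self):
        """Close the full chunk, open the next one, and prune old chunks."""
        if self.current is not None:
            self.current.close()
        self.seq += 1
        self.current = open(self._chunk_path(self.seq), "wb")
        self.current_size = 0
        # Everything except the newest max_chunks files is discarded.
        for old in sorted(self.directory.glob("capture-*.bin"))[:-self.max_chunks]:
            old.unlink()

    def write_record(self, ts_us, payload):
        frame = struct.pack("<QI", ts_us, len(payload)) + payload
        if self.current is None or self.current_size + len(frame) > self.chunk_bytes:
            self._rotate()
        self.current.write(frame)
        self.current_size += len(frame)

    def close(self):
        if self.current is not None:
            self.current.close()
            self.current = None

    def chunks(self):
        """Names of the chunk files still on disk, oldest first."""
        return sorted(p.name for p in self.directory.glob("capture-*.bin"))


def read_records(path):
    """Parse one chunk file back into (timestamp_us, payload) tuples."""
    data = Path(path).read_bytes()
    out, off = [], 0
    while off + 12 <= len(data):
        ts, n = struct.unpack_from("<QI", data, off)
        off += 12
        out.append((ts, data[off:off + n]))
        off += n
    return out


def demo(chunk_bytes=50, max_chunks=2, n_records=5):
    """Write constructed 10-byte payloads into tiny chunks so the rotation
    and pruning behaviour is visible; returns (chunk names, their records)."""
    writer = RingBufferCaptureWriter(tempfile.mkdtemp(prefix="ringcap_"),
                                     chunk_bytes=chunk_bytes, max_chunks=max_chunks)
    for i in range(n_records):
        writer.write_record(i, b"%010d" % i)   # timestamp i stands in for time
    writer.close()
    names = writer.chunks()
    return names, [read_records(writer.directory / n) for n in names]


if __name__ == "__main__":
    names, records = demo()
    print(names)
    for name, recs in zip(names, records):
        print(name, recs)
    print("wall clock in us:", int(time.time() * 1_000_000))
```

With 50-byte chunks each 22-byte frame pair fills a chunk, so after five records only the two newest chunks survive and the first two records are gone.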

The fourth presentation was Xbox Forensic Analysis. No joke...it was a real presentation. Xboxes are beginning to show up more on forensic analysts' desks as they become used for more and more things. Someone playing a game online could be approaching an underage minor or they could have modded their Xbox so they can view illegal photos and videos. It was some interesting stuff. All in all, it makes me want to mod my Xbox even more. Since I have one that appears to have a bad BIOS, it needs to be replaced anyways...what better time to mod it. :-)

The last presentation was on something Jordan and I will be putting together soon at work. Creating a database and web frontend to hashsets. The idea is that known good and bad files can have hashes created and stored in a database. When investigating an incident, hashes from the filesystem can be compared to the database to rule out files that are known good, identify those known bads and single out any odd ones not in either group. The whole point is data reduction so that more time can be focused on analyzing suspicious files than what is normally spent on identifying them. We think it is a rocking idea.
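The hashset data-reduction idea described above, as an added example that is not the presentation's or the authors' code: every file under a root is hashed and bucketed as known good, known bad or unknown, so the analyst only has to look at the last bucket. The hash sets and the sample tree are constructed inline; a real deployment would load them from the database.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Constructed hash sets standing in for the database. Real sets would come
# from a known-good catalogue and from collected malware; these are simply
# the SHA-256 digests of the sample file contents created below.
KNOWN_GOOD = {hashlib.sha256(b"legitimate notepad content\n").hexdigest()}
KNOWN_BAD = {hashlib.sha256(b"MZ\x90\x00constructed malicious stub\n").hexdigest()}


def file_sha256(path, chunk_size=1 << 20):
    """Stream a file through SHA-256 so large files do not need to fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def triage_tree(root, known_good=KNOWN_GOOD, known_bad=KNOWN_BAD):
    """Walk root, hash every regular file and bucket it by hashset membership.
    A hash present in both sets is treated as bad: a misfiled known-good entry
    must not hide a known-bad file."""
    result = {"known_good": [], "known_bad": [], "unknown": []}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = Path(dirpath) / name
            if not path.is_file():          # skip symlinks to directories etc.
                continue
            digest = file_sha256(path)
            if digest in known_bad:
                result["known_bad"].append((str(path), digest))
            elif digest in known_good:
                result["known_good"].append((str(path), digest))
            else:
                result["unknown"].append((str(path), digest))
    return result


def summarize(result):
    """Counts per bucket: the data-reduction view an analyst reads first."""
    return {bucket: len(entries) for bucket, entries in result.items()}


def make_sample_tree():
    """Constructed directory with one file of each category (not real data)."""
    root = Path(tempfile.mkdtemp(prefix="hashset_demo_"))
    (root / "Windows").mkdir()
    (root / "Windows" / "notepad.exe").write_bytes(b"legitimate notepad content\n")
    (root / "Temp").mkdir()
    (root / "Temp" / "dropper_sample.exe").write_bytes(
        b"MZ\x90\x00constructed malicious stub\n")
    (root / "Temp" / "mystery.dll").write_bytes(b"something nobody has catalogued\n")
    return root


if __name__ == "__main__":
    triage = triage_tree(make_sample_tree())
    print(summarize(triage))
    for path, digest in triage["unknown"]:
        print("needs a look:", path, digest[:16])
```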

I was disappointed there were not many BoF (birds of a feather) sessions planned. Out of the whopping TWO, I chose the "Bring Your Foo: DoD Wireless Hacking Challenge." Come on, with a name like that, how could I resist. The only thing that I didn't consider was that I only had my 3 month old PowerBook with me and no L33T toolz. I was stuck running nmap across the network and trying to find the servers to be hacked. Dave, the Army CID dude running it, had intended on us being on hubs so we could do some passive recon to figure out what was going on within the network. Unfortunately, we were on switches and no person with an Auditor CD knew what to do with ettercap so we were a bit blind. After a hint from Dave, we knew that the servers were on an entirely different subnet. Again, I was still at a loss with only nmap and no Internet access to grab tools that I could compile on Mac OS X. So, just after I shut down my laptop, I noticed someone using Metasploit which reminded me I had downloaded it on my laptop. In a display of power rivaling that of the most L33T script kiddies, I owned two servers within minutes. Ipconfig on one of them showed it had two NICs with one on a completely different subnet from the first two. Geez. Dave put together an awesome challenge but we had limited time reserved in the room and did not get to complete the challenge. Oh well, it was fun and I have some great ideas for putting on a hacking challenge at UF's next ITSA Day.

That's it for me. I am tired, it has been another long day and I will be up early again tomorrow. Thanks for reading.

Tuesday, January 10, 2006

DoD 2006 - Days 2 & 3 Update

Day 2 - 01/09/2006: This was the second day in the Mac OS X forensics class. It was a smidgeon better than the first day. We went through an image of a system and learned about how applications store their configuration, how to read those files, tools to extract data from configs, caches and history files that are specific to certain apps. It was quite interesting to learn about it from a forensic perspective because it also helped me learn more about an OS that I use everyday. I can truly say that I understand X better and where to look if I ever have issues with it or need to cover my tracks. ;-)

The last portion of the class was spent cracking the passwords. It was surprisingly simple. {I just edited this as I started to talk about a tool we used in class but realized it might be a violation since it is an internal tool for "Official Use Only."}. The passwords were pretty easy to get to and crack. I was quite surprised, but remember, this was done on Panther. The instructor said that Tiger has made some changes making it trickier...but not impossible. He will be giving a presentation in the next day or two about Tiger and specific forensic challenges such as this.

Monday evening, the expo began with a large list of vendors and some tasty food. There was a gimmick to get attendees to visit booths by giving out a list of the vendors and requiring their signature from 25 of them so you could be entered into a raffle. I finished it after listening to quite a few pitches but did talk to some interesting people. The turnout of attendees and number of vendors was quite impressive, and I walked away with some pretty darn useful tools and swag. I even got added to a mailing list, portal and magazine subscription that I probably wouldn't have access to if I wasn't here.

Day 3 - 01/10/2006: Today was the official kickoff of the conference with the keynote and headliners. Jordan and I missed the keynote because we were working on the Cipher Hunt challenge which required us to find clues all over the large Innisbrook property and solve the cipher on each one to find the next clue. With a little social engineering and good deciphering skills, we kicked some butt and were most likely the first team to finish it (but there may have been _1_ before us). This was also the only day they are feeding us all day according to the schedule. There was a nice breakfast, lunch and dinner in a walk_around_and_choose_what_you_want_to_eat_from_the_many_food_tables format.

Det Randy Stone gave a brief presentation about the BTK case and an intro into the forensics that helped catch the killer. It was quite impressive. Johnny Long gave a very amusing presentation on how Hollywood has portrayed hacking. It was damn funny as he went through examples from Hackers, Net Force, Swordfish and more. We were asked to choose if the portrayal was L33T or LAME. Holy Crap! We were all laughing! David Marconi spoke next about Hollywood villains. It was written up as being a talk about the future of hacking in the movies but I didn't see any of that. He was talking about having multidimensional villains and showed too many movies of these types of villains. Oh well, not great.

The evening had food, tickets for free drinks and more vendor action. At 6:30pm, they raffled all kinds of cool vendor-donated prizes. Do you think I won anything? Heck No!! Jordan won the _last_ prize to be given out...a Symantec engraved 20gb iPod Photo. After that, we had the Floppy Disk Throw as the second part of the Cybercrime Conference Olympics as a followup to the Cipher Hunt. We did a great job but there was some crappy judging, crappy distance recording, contestants who should not be eligible and shady score changes at the end. We should have been 2nd but were "bumped" to 5th. Even with that pile of crap, we should still be in the Top 3 and win some kick-butt prizes thanks to our excellent Cipher Hunt work.

It was a LONG day so I will be crashing soon. Sleep will not be coming soon enough. There are so many cool presentations tomorrow. It starts with Johnny Long at 8:30 and keeps getting better after that. I will keep you updated.

Sunday, January 08, 2006

Department of Defense Cybercrime Conference 2006

Today was the first day of the DoD Cybercrime 2006 annual conference. If you check the site, it says the official start date is Jan 10, but they are holding two days of training before the official conference kickoff that were included in the cheap $225 conference fee. That is ridiculously cheap so guess which one I took advantage of...do you know? Well, since I made the decision to buy a PowerBook at work so I could learn more about Mac OS X incident response, I couldn't pass up two days of Mac OS X forensics training. BTW, if you know anything about the conference, you have to be DoD personnel, DoD contractors or some sort of law enforcement. Thankfully, the University Police Department sponsored me so I could attend. SWEET! It is a lot of fun being around all these "feds."

How is it so far? Well, if you haven't been to the Westin Innisbrook Golf Resort, it is a gorgeous place with lush golfing all around the resort. I have spoken here two years in a row for the FAEDS conferences and was happy to finally get to come as an attendee of conference where I can really enjoy the amenities. As for the conference, there are already quite a few feds lurking around the classes. The Mac OS X forensics class is quite good. I have enjoyed most of it and learned quite a bit already. Since the instructors are teaching from a thick book used in their two week class, they have to skim over some topics but I get to keep the book to review later on. Also, the book hasn't been updated for Tiger but the instructor has been doing a good job of pointing out any differences. One instructor is doing a Tiger-specific forensic presentation later this week so I might catch that one, too.

So, my initial thoughts...can I clone myself? There are so many presentations that I want to attend and so little time to fit them all in. About 8-12 presentations are going on simultaneously and I want to see at least 2-5 of them each hour. Luckily, I have been given the "Law Enforcement Only" CD that contains all the presentations, so whatever I don't make it to, I can look at the presentation later. Fantastic stuff. I will try to post every day what is going on and my thoughts about it all.

Monday, January 02, 2006

Performancing for Firefox

This is my first post with the Performancing extension for Firefox. It appears to be very powerful so far. After installation, I hit F8 and the bottom half of Firefox turned into a WYSIWYG blog editor. I really like it so far. First impressions are great. Right now, I am using it on my PC at home but will be testing it on my PowerBook later today. It supports Blogger.com (what I use), WordPress, TypePad, LiveJournal, MSN Spaces and Custom Blogs running on your own webserver with software like WordPress, Movable Type, Drupal, Textpattern, Blogger API and MetaWeblog API.

I was attempting to use the Developer Preview of Flock but it is still pretty buggy and does not compare to Performancing. If you are a blogger and use any of the supported blog software/sites, definitely check out Performancing. Thanks to Martin McKeay for mentioning it in his podcast.