Wednesday, January 11, 2006

DoD - Day 4 Update

Day 4 - 01/11/2006: Today was a good day. Well, other than the fact that Jordan was stuck in our hotel room all day sick, today was definitely a good day for listening to excellent speakers. This morning started off with a Google hacking presentation from Johnny Long. It was a good presentation and pretty much a rehash of the related book, yet still entertaining.

Next, I sat through two 2-hour presentations by Richard Bejtlich of TaoSecurity. Most people know him from his extremely popular blog. Richard is a smart guy when it comes to network monitoring and incident response. To top things off, he is a fantastic speaker. His first presentation was on Network Incident Response and went through his standard incident response procedures. One issue he drove home with me was not to tip your hand when responding to an incident. Many times when I am incident handling, I will download the same tools that the attacker used, which could easily alert them that I am tracking them if I download from a server they have compromised. There are two sides to that logic, but there is a risk the attacker will retaliate and do more damage once they know I am aware of them. He also had some good ideas on how to implement a logging-only server and on incident response in general.

Richard's next presentation focused more specifically on forensics from a network perspective. He had some interesting thoughts on creating a ring-buffer style full-packet network logger that simply sits and records all network data in 1 GB chunks, overwriting the oldest chunks as it goes. Applying the theory of computer forensics to network forensics, he reiterated several times that the key to successful investigations and prosecutions is developing a sound methodology and sticking to it every time. Most of the interesting examples and ideas can be found on his blog, as he has posted them at some point in the past. I am glad I made it to both.
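To make the ring-buffer idea concrete, here is an added Python sketch of the chunk rotation logic. It is not Richard's code or anything from the talk: records (stand-ins for captured packets) are length-prefixed and appended to fixed-size chunk files in a directory, and once the chunk count passes a limit the oldest file is deleted. The chunk size and record contents below are constructed and deliberately tiny so the rotation can be seen; a real deployment would use 1 GB chunks fed by a capture library.

```python
import struct
import tempfile
from pathlib import Path


class ChunkRingBuffer:
    """Append-only capture log split into fixed-size chunk files.

    Each record is framed as a 4-byte big-endian length followed by the
    payload. When a record would not fit in the current chunk, a new chunk
    file is started; when more than max_chunks files exist, the oldest is
    unlinked. This is the "overwrite the oldest chunk" behaviour in miniature.
    """

    def __init__(self, directory, chunk_size: int, max_chunks: int):
        self.directory = Path(directory)
        self.directory.mkdir(parents=True, exist_ok=True)
        self.chunk_size = chunk_size
        self.max_chunks = max_chunks
        self.seq = 0            # monotonically increasing chunk number
        self._current = None    # open file handle for the chunk being written
        self._current_size = 0

    def _chunk_path(self, seq: int) -> Path:
        # Zero-padded sequence numbers keep lexical and chronological order equal.
        return self.directory / f"capture-{seq:08d}.bin"

    def chunks(self) -> list:
        """Chunk files currently retained, oldest first."""
        return sorted(self.directory.glob("capture-*.bin"))

    def _rotate(self) -> None:
        if self._current is not None:
            self._current.close()
        self._current = self._chunk_path(self.seq).open("wb")
        self._current_size = 0
        self.seq += 1
        # Evict the oldest chunks until we are back under the retention limit.
        retained = self.chunks()
        while len(retained) > self.max_chunks:
            retained.pop(0).unlink()

    def write(self, record: bytes) -> None:
        framed = struct.pack(">I", len(record)) + record
        if len(framed) > self.chunk_size:
            raise ValueError("record larger than a whole chunk")
        if self._current is None or self._current_size + len(framed) > self.chunk_size:
            self._rotate()
        self._current.write(framed)
        self._current_size += len(framed)

    def close(self) -> None:
        if self._current is not None:
            self._current.close()
            self._current = None

    def records(self) -> list:
        """Parse every retained chunk back into the records it holds."""
        out = []
        for path in self.chunks():
            data = path.read_bytes()
            off = 0
            while off + 4 <= len(data):
                (n,) = struct.unpack(">I", data[off:off + 4])
                off += 4
                out.append(data[off:off + n])
                off += n
        return out


def demo() -> tuple:
    """Write ten constructed 16-byte 'packets' into 64-byte chunks, keeping 3 chunks.

    Each framed record is 20 bytes, so a chunk holds three; ten records span
    four chunks and the first chunk is evicted. Returns (chunk count, labels).
    """
    ring = ChunkRingBuffer(tempfile.mkdtemp(prefix="ringbuf_demo_"), chunk_size=64, max_chunks=3)
    for i in range(10):
        ring.write(f"pkt-{i:02d}".encode().ljust(16, b"."))
    ring.close()
    labels = [rec.decode().rstrip(".") for rec in ring.records()]
    return len(ring.chunks()), labels


if __name__ == "__main__":
    print(demo())
```

The retention here is by file count; with 1 GB chunks, max_chunks times the chunk size is the disk budget, and the oldest traffic silently falls off the back, which is why Richard's point about a fixed methodology matters: you have to pull evidence out of the buffer before it is overwritten.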

The fourth presentation was Xbox Forensic Analysis. No joke...it was a real presentation. Xboxes are beginning to show up more on forensic analysts' desks as they are used for more and more things. Someone playing a game online could be approaching a minor, or they could have modded their Xbox so they can view illegal photos and videos. It was some interesting stuff. All in all, it makes me want to mod my Xbox even more. Since I have one that appears to have a bad BIOS, it needs to be replaced anyway...what better time to mod it. :-)

The last presentation was on something Jordan and I will be putting together soon at work: a database and web frontend for hashsets. The idea is that hashes of known-good and known-bad files are created and stored in a database. When investigating an incident, hashes from the filesystem can be compared against the database to rule out files that are known good, identify the known-bad ones, and single out any odd ones not in either group. The whole point is data reduction, so that more time can be spent analyzing suspicious files than is normally spent identifying them. We think it is a rocking idea.
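The triage step described above, as an added Python example rather than the project Jordan and I are building: files under a directory are hashed with SHA-256 in chunks, looked up in a hashset, and bucketed into known good, known bad, or unknown. The hashset is a constructed in-memory dict standing in for the database, and the sample directory tree (a "known-good" library, a "known-bad" dropper, and a file in neither set) is constructed inside the script so it runs offline.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Constructed hashset "database": SHA-256 digest -> verdict. A real deployment
# would back this with a database loaded from known-good and known-bad sets,
# but a dict is enough to show the data-reduction logic.
KNOWN_GOOD_CONTENT = b"standard system library contents\n"
KNOWN_BAD_CONTENT = b"contents of a file previously tagged as malicious\n"


def sha256_of_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


HASHSET_DB = {
    sha256_of_bytes(KNOWN_GOOD_CONTENT): "known_good",
    sha256_of_bytes(KNOWN_BAD_CONTENT): "known_bad",
}


def sha256_of_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Hash a file in fixed-size chunks so large files never need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def triage_tree(root: Path, db: dict) -> dict:
    """Bucket every regular file under root into known_good / known_bad / unknown.

    Anything not present in the hashset lands in 'unknown', which is the pile
    the analyst actually spends time on.
    """
    result = {"known_good": [], "known_bad": [], "unknown": []}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in sorted(filenames):
            path = Path(dirpath) / name
            if path.is_symlink() or not path.is_file():
                continue  # skip symlinks and special files; hash only real content
            verdict = db.get(sha256_of_file(path), "unknown")
            result[verdict].append(path.relative_to(root).as_posix())
    return result


def build_sample_tree() -> Path:
    """Create a constructed filesystem snapshot: two known files and one unknown one."""
    root = Path(tempfile.mkdtemp(prefix="hashset_demo_"))
    (root / "lib").mkdir()
    (root / "lib" / "libc.so").write_bytes(KNOWN_GOOD_CONTENT)
    (root / "tmp").mkdir()
    (root / "tmp" / "dropper.exe").write_bytes(KNOWN_BAD_CONTENT)
    (root / "tmp" / "notes.txt").write_bytes(b"something the analyst has not seen before\n")
    return root


def demo() -> dict:
    return triage_tree(build_sample_tree(), HASHSET_DB)


if __name__ == "__main__":
    for verdict, paths in demo().items():
        print(f"{verdict}: {paths}")
```

Two details worth keeping when this grows into a real database: hash by content, never trust the filename (the bucket for `dropper.exe` comes from its digest, not its name), and keep the hash algorithm consistent across every set you import, or lookups silently miss.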

I was disappointed there were not many BoF (birds of a feather) sessions planned. Out of the whopping TWO, I chose the "Bring Your Foo: DoD Wireless Hacking Challenge." Come on, with a name like that, how could I resist? The only thing I didn't consider was that I only had my 3-month-old PowerBook with me and no L33T toolz. I was stuck running nmap across the network and trying to find the servers to be hacked. Dave, the Army CID dude running it, had intended for us to be on hubs so we could do some passive recon to figure out what was going on within the network. Unfortunately, we were on switches, and nobody with an Auditor CD knew what to do with ettercap, so we were a bit blind. After a hint from Dave, we knew that the servers were on an entirely different subnet. Again, I was still at a loss with only nmap and no Internet access to grab tools that I could compile on Mac OS X. Then, just after I shut down my laptop, I noticed someone using Metasploit, which reminded me I had downloaded it onto my laptop. In a display of power rivaling that of the most L33T script kiddies, I owned two servers within minutes. ipconfig on one of them showed it had two NICs, with one on a completely different subnet from the first two. Geez. Dave put together an awesome challenge, but we had limited time reserved in the room and did not get to complete it. Oh well, it was fun and I have some great ideas for putting on a hacking challenge at UF's next ITSA Day.

That's it for me. I am tired, it has been another long day, and I will be up early again tomorrow. Thanks for reading.