Andrew Hay

the man, the myth, the blog

Suggested Blog Reading – Tuesday May 22nd, 2007


Short week in the office this week due to a conference I’m presenting at next Monday. Hopefully I’ll have time to prepare the Suggested Blog Reading on Monday morning.

Here’s the list:

Nemesis – Packet Injection Suite – It’s always handy to have packet-crafting tools kicking around when testing IDS or firewall rules. Add this one to your kit.

Nemesis is a command-line network packet crafting and injection utility for UNIX-like and Windows systems. Nemesis is well suited for testing Network Intrusion Detection Systems, firewalls, IP stacks and a variety of other tasks. As a command-line driven utility, Nemesis is perfect for automation and scripting.

Reversing a “ZLib-Obfuscated?” Network Protocol – I don’t even have to say anything…these guys provide great articles :)

We just wrapped up a security assessment on a commercial enterprise server/agent security product. I can’t get too specific here, but we did run into an interesting problem that we thought would be worth a post.
The application we were evaluating had a home-grown network protocol doing some interesting things worth investigating.

Analyzing an obfuscated ANI exploit – I wish I could take credit for this but the Andrew in question is someone else.

Some time ago one of our readers, Andrew, submitted an interesting ANI exploit sample. Unless you’ve been under a rock for the last couple of months, you heard about the latest ANI vulnerability.

Most of the exploits we’ve seen so far (and we’ve seen thousands of them) didn’t try to obfuscate the exploit code. The exploit code itself almost always contained a downloader that downloaded the second stage binary from a remote site and executed it on the victim’s machine.

As the exploit wasn’t obfuscated, running a simple strings command was enough to see the URL of the second stage binary.

Securityhacks show off security hacks – Thanks to LonerVamp for introducing me to a new blog to read :)

I don’t typically single out new links I add to my menu, but the blog at SecurityHacks has been posting some neat stuff. I still think there is “market bandwidth” for sites that show off tools or “how-to” sorts of postings in our niche blogosphere (although a forum or wiki may be more appropriate long-term information storage). They have gone over creating an SSH tunnel for Windows SMB connections (I think if you’re going to this much trouble, may as well learn SSH transfers or implement a full VPN), SQL Injection scanners, and “recovering” Firefox stored passwords. There’s also mention of pwdumpx (not to be confused with pwdump or even fgdump…

Anti-Splog Evasion – “Splog”? Great…another phrase to confuse my parents.

I know I’m really going to kick myself for this one, as it will no doubt come back to haunt me, but I’ve been thinking about this one for a long time. One of the things that Blackhat SEO types do is they attempt to scrape other people’s sites that have original content (such as mine). Then they post that content on their site as their own, attempting to raise their own page-rank. Because the search engines aren’t smart enough to know who is the original author, the sploggers get higher in the page ranks.

A Practical Application of SIM/SEM/SIEM Automating Threat Identification – from the SANS Information Security Reading Room.

The Case of the Unknown Autostart – Good walkthrough of how to track down a problem.

A few weeks ago I installed an update to a popular Internet Explorer media-player ActiveX control on one of my systems. I knew from past experience that the plugin’s updates always configure an autostart (an executable configured to automatically launch during boot, login or with another process) that I don’t believe serves any useful purpose, so as I had in the past, I launched Sysinternals Autoruns, set both Verify Code Signatures and Hide Signed Microsoft Entries in the options menu, pressed Refresh, found the autostart and deleted it. However, as I was about to close the window another entry caught my eye and caused my heart to stop

Paper about In-Place File Carving – I’m always on the lookout for new and exciting papers to read :)

Golden G. Richard III, Vassil Roussev and Lodovico Marziale describe a file carver that is able to work on local and remote drives. They presented their paper In-Place File Carving at the 3rd annual IFIP WG 11.9 International Conference.

The article explains the whole concept of in-place file carving. The authors give the example of an 8 GB drive. The process of carving came to an abrupt end as the files produced exceeded the storage capacity of the 250 GB target drive. Besides the extra storage capacity, the recreation of carved files takes a significant amount of time.
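The storage blow-up in that excerpt (carved copies outgrowing a 250 GB target) is exactly what in-place carving avoids. The Python below is an added example, not code from the paper or its authors: it scans a constructed image with a JPEG-only signature table, keeps nothing but an offset/length catalog, and reads a file out of the drive only when asked. The MAX_LEN bound, the 24-byte catalog entry size, and the filler pattern are assumptions made for the demo.

```python
import io
import re

# Demo signature table (constructed): JPEG SOI+APPn header and EOI trailer.
JPEG_HEADER = re.compile(rb"\xff\xd8\xff[\xe0-\xef]")
JPEG_TRAILER = b"\xff\xd9"
MAX_LEN = 4096  # bound applied when a header has no trailer in range (assumption)


def build_catalog(image: bytes):
    """Return (offset, length, complete) entries for every JPEG region found.
    No file data is copied out: the catalog is all the carver keeps (in-place)."""
    catalog, pos = [], 0
    while (m := JPEG_HEADER.search(image, pos)) is not None:
        start = m.start()
        end = image.find(JPEG_TRAILER, start + 4, start + MAX_LEN)
        if end == -1:
            # Header without a trailer: record a bounded, flagged candidate.
            catalog.append((start, min(MAX_LEN, len(image) - start), False))
            pos = start + 4
        else:
            catalog.append((start, end + 2 - start, True))
            pos = end + 2
    return catalog


def open_drive(image: bytes):
    """Stand-in for opening a raw device or image file read-only."""
    return io.BytesIO(image)


def read_entry(drive, entry):
    """Materialise one carved file on demand by seeking into the drive."""
    offset, length, _ = entry
    drive.seek(offset)
    return drive.read(length)


def storage_cost(catalog):
    """(bytes a copy-out carver would write, bytes the catalog needs)."""
    copied = sum(length for _, length, _ in catalog)
    return copied, 24 * len(catalog)  # three 8-byte fields per entry (assumption)


def make_demo_image():
    """Constructed image: filler around two complete JPEGs and one header-only
    fragment; the filler never contains 0xFF 0xD8 or 0xFF 0xD9."""
    filler = bytes(range(256)) * 8
    jpeg_a = b"\xff\xd8\xff\xe0" + b"A" * 100 + b"\xff\xd9"
    jpeg_b = b"\xff\xd8\xff\xe1" + b"B" * 300 + b"\xff\xd9"
    fragment = b"\xff\xd8\xff\xe0" + b"C" * 50
    return filler + jpeg_a + filler + jpeg_b + filler + fragment
```

On a real image you would replace `open_drive` with the image file or device opened read-only; the catalog stays the same size whether the carved files total 466 bytes or 250 GB.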

Courts Cast Wary Eye on Evidence Gleaned From Cell Phones – Good news for criminals…bad news for forensic examiners.

Another problem is that the market is glutted with so many different types of cell phones, so there will always be some models for which no existing forensic tools work. In that case, “Sometimes the best tools are hacker tools, as long as they’ve been thoroughly examined and reverse-engineered,” said Jansen, who helped write NIST’s official recommendations (.pdf) for documenting the chain of evidence and creating tamper-proof files when searching a cell phone.

Even the best forensic practices will face a daunting challenge as more complex mobiles become vulnerable to tampering before they’re seized as evidence. It’s relatively easy for an adversary with a Bluetooth device to plant new addresses in a Bluetooth-enabled phone’s contact list, or even place bogus calls from the phone. Keith Thomas, a cell-phone forensics expert with First Advantage Litigation-Consulting, said this is where the real problem for investigators will begin — when courts start to realize that evidence from cell phones isn’t any more foolproof than what’s found on computers.
