Month: May 2007

Suggested Blog Reading – Wednesday May 23rd, 2007

ReadWell my wife is out this week so maybe I’ll try and do some golfing in between book reviews and home lab work 🙂

Here’s the list:

Cisco IPS – Support of ‘minreq-‘ Style Signature Updates has Ended – Thought I’d put this out there in case you’re still using the old style signatures 🙂

Beginning with S288, customers must be running IPS version 5.1-5-E1 or later to install signature updates. Signature updates on sensors running IPS versions older than 5.1-5-E1 (i.e. sensors using the nomenclature ‘IPS-sig-S2XX-minreq-5.1-4’) are no longer supported.

The E1 Engine update for IPS Version 5.1(5) is available for download on Cisco.com. This release includes the E1 engine update package and the 5.1(5)E1 Service Pack and System/Recovery images which replace the 5.1(5) Service Pack and System/Recovery images.

nCircle buys compliance vendor Cambia – Sounds like a logical aquisition for nCircle to bolster their VA offerings.

Software vendor nCircle Network Security Inc. has acquired Cambia Security Inc., a provider of risk and compliance management software.

Cambia, based in Alpharetta, Georgia, sells a product called Cambia CM, which can be used to audit the configuration of computers on a network and help determine if they are in compliance with company policy or government regulations.

Cisco MIBs updated – Wow, great resource!

We recently updated the Cisco MIB package ZIP file for Unbrowse SNMP. You can download it for free here. (28.9 MB). The new MIB package contains all the latest MIBs released by Cisco on their public website. This package contains 1024 MIB Modules, and over 68,000 unique objects.

Google Launches Online Security & Malware Blog – I’ll have to add this to my watch list 🙂

Online security is an important topic for Google, our users, and anyone who uses the Internet. The related issues are complex and dynamic and we’ve been looking for a way to foster discussion on the topic and keep users informed. Thus, we’ve started this blog where we hope to periodically provide updates on recent trends, interesting findings, and efforts related to online security. Among the issues we’ll tackle is malware, which is the subject of our inaugural post.

Fresh From CEIC2007: Updated Presentations! – I’ll have to check these out.

CEIC 2007 NTFS AttributeId

CEIC 2007 NTFS Object IDS

CEIC 2007 NTFS Initialized Size

CEIC 2007 BitLocker

CEIC 2007 Vista

“Defeating” Whole Disk Encryption – Part 1 – I can’t wait for part 2.

An issue that we are going to continue to encounter is computers with whole disk encryption (WDE). I’m going to post a couple of techniques that have worked for me, and hopefully they’ll be of use to someone else out there. In this post, we will look at PGP’s WDE, although the techniques outlined here should be easily applied to other encryption schemes.

All I Need to Know About Security Programs I Learned from the Pawn – Well written post with an interesting take on security.

The foundation of the game is the chess board. The board can be compared to the business itself, with alternating colored boxes, some black and some white representing elements and challenges of the business. Rows and columns can be divisions or groups as well as levels of management and project silos. The capabilities of the pieces contrast nicely with the personality types found in management. Rooks can move straight up a vertical, taking a bottom up or a top down approach. Bishops can move diagonally across silos, touching upon varying verticals and management levels. Knights are the often coveted consultants, jumping between silos and levels in an attempt to address everyone and everything. Finally, King and Queen are two great examples of security leadership. The King is all-powerful, but chooses to stay within his local area, while the Queen moves all around.

These positions address the bigger picture. However, when an information security group with limited resources spends too much time building top heavy organizations, insecure applications and weak architectures slip through the cracks. It has been my experience that the pawn’s gradual, forward movement is what makes security work in the trenches. Assessment frameworks and complicated review processes work great, but sometimes, it is the basic approach that needs to be developed first. I have developed a simple, four step process that I use every day to manage the tidal wave of security decisions that flood my inbox.

Using VMware for malware analysis – If your organization is constantly fighting malware outbreaks then why not build a virtual lab to get familiar with handling the incidents?

Even if malware analysis is not your primary occupation, once in a while you may find yourself wondering about the nature of an unfamiliar malicious executable that crosses your desk. Starting your investigation with behavioral analysis — an observation of how the specimen interacts with the file system, the registry and the network — can rapidly produce useful results. Virtualization software such as VMware is incredibly helpful in this process.

Suggested Blog Reading – Tuesday May 22nd, 2007

ReadShort week in the office this week due to a conference I’m presenting at next Monday. Hopefully I’ll have time to prepare the Suggested Blog Reading on Monday morning.

Here’s the list:

Nemisis – Packet Injection Suite – It’s always handy to have packet crafting tools kicking around when testing IDS’ or firewall rules. Add this one to your kit.

Nemesis is a command-line network packet crafting and injection utility for UNIX-like and Windows systems. Nemesis, is well suited for testing Network Intrusion Detection Systems, firewalls, IP stacks and a variety of other tasks. As a command-line driven utility, Nemesis is perfect for automation and scripting.

Reversing a “ZLib-Obfuscated?” Network Protocol – I don’t even have to say anything…these guys provide great articles 🙂

We just wrapped up a security assessment on a commercial enterprise server/agent security product. I can’t get too specific here, but we did run into an interesting problem that we thought would be worth a post.
The application we were evaluating had a home-grown network protocol doing some interesting things worth investigating.

Analyzing an obfuscated ANI exploit – I wish I could take credit for this but the Andrew in question is someone else.

Some time ago one of our readers, Andrew, submitted an interesting ANI exploit sample. Unless you’ve been under a rock for the last couple of months, you heard about the latest ANI vulnerability.

Most of the exploits we’ve seen so far (and we’ve seen thousands of them) didn’t try to obfuscate the exploit code. The exploit code itself almost always contained a downloader that downloaded the second stage binary from a remote site and executed it on the victim’s machine.

As the exploit wasn’t obfuscated, running a simple string commands was enough to see the URL of the second stage binary.

Securityhacks show off security hacks – Thanks to LonerVamp for introducing me to a new blog to read 🙂

I don’t typically single out new links I add to my menu, but the blog at SecurityHacks has been posting some neat stuff. I still think there is “market bandwidth” for sites that show off tools or “how-to” sorts of postings in our niche blogosphere (although a forum or wiki may be more appropriate long-term information storage). They have gone over creating an SSH tunnel for Windows SMB connections ( I think if you’re going to this much trouble, may as well learn SSH transfers or implement a full VPN), SQL Injection scanners, and “recovering” Firefox stored passwords. There’s also mention of pwdumpx (not to be confused with pwdump or even fgdump…

Anti-Splog Evasion – “Splog”? Great…another phrase to confuse my parents.

I know I’m really going to kick myself for this one, as it will no doubt come back to haunt me, but I’ve been thinking about this one for a long time. One of the things that Blackhat SEO types do is they attempt to scrape other people’s sites that have original content (such as mine). Then they post that content on their site as their own, attempting to raise their own page-rank. Because the search engines aren’t smart enough to know who is the original author, the sploggers get higher in the page ranks.

A Practical Application of SIM/SEM/SIEM Automating Threat Identification – from the SANS Information Security Reading Room.

The Case of the Unknown Autostart – Good walk through to determine a problem.

A few weeks ago I installed an update to a popular Internet Explorer media-player ActiveX control on one of my systems. I knew from past experience that the plugin’s updates always configure an autostart, (an executable configured to automatically launch during boot, login or with another process) that I don’t believe serves any useful purpose, so as I had in the past, I launched Sysinternals Autoruns, set both Verify Code Signatures and Hide Signed Microsoft Entries in the options menu, pressed Refresh, found the autostart and deleted it. However, as I was about to close the window another entry caught my eye and caused my heart to stop

Paper about In-Place File Carving – I’m always on the look out for new and exciting papers to read 🙂

Golden G. Richard III, Vassil Roussev and Lodovico Marziale describe a file carver that is able to work on local and remote drives. They presented their paper In-Place File Carving at the 3rd annual IFIP WG 11.9 International Conference.

The article explains the whole concept of in-place file carving. The authors give the example of a 8 GB drive. The process of carving came to an abrupt end as the files produced exceeded the storage capacity of the 250 GB target drive. Beside the extra storage capacity the recreation of carved files takes a significant amount of time.

Courts Cast Wary Eye on Evidence Gleaned From Cell Phones – Good news for criminals…bad news for forensic examiners.

Another problem is that the market is glutted with so many different types of cell phones, so there will always be some models for which no existing forensic tools work. In that case, “Sometimes the best tools are hacker tools, as long as they’ve been thoroughly examined and reverse-engineered,” said Jansen, who helped write NIST’s official recommendations (.pdf) for do*****enting the chain of evidence and creating tamper-proof files when searching a cell phone.

Even the best forensic practices will face a daunting challenge as more complex mobiles become vulnerable to tampering before they’re seized as evidence. It’s relatively easy for an adversary with a bluetooth device to plant new addresses in a bluetooth-enabled phone’s contact list, or even place bogus calls from the phone. Keith Thomas, a cell-phone forensics expert with First Advantage Litigation-Consulting, said this is where the real problem for investigators will begin — when courts start to realize that evidence from cell phones isn’t any more foolproof than what’s found on computers.

Suggested Blog Reading – Monday May 21st, 2007

ReadOh how I enjoy holiday Monday’s…

Here’s the list:
Argus 3.0: Cisco Netflow – Good intro to using Argus with NetFlow if you’ve never been exposed to either before.

Cisco has improved and add new features to its IOS, I have found few new features for Netflow that looks pretty interesting to me where you can capture more useful information. The most commonly used Netflow version is 5, I would like to try out version 9(shiny?If any of you use version 9, I would like to hear from you) however argus doesn’t identify Netflow version 9 yet thus I remain to use the solid Netflow version 5. So here I start to export Cisco Netflow data to argus collector(probe).

Hiding Inside a Rainbow, Part 2 – Part Two in the series.

In my previous post about steganography and rainbow tables, I explained a technique to hide data in a rainbow table. The disadvantage of this method is that there is a way, albeit costly, to detect the hidden data. This is because we replace the random bytes, that makeup the start of the chain, by the data we want to hide, thereby breaking the chain. A broken chain can be detected by recalculating the chain and comparing the recalculated hash with the stored hash. If they differ, the chain is broken.

Pre-connect NAC – The first building block of a controlled guarded enterprise LAN – Good overview of “pre-connect” NAC.

For those of you who are confused by the different terms, pre-connect NAC is the phase in which the identity of the device and the identity of its user are to be verified.

Litchfield on Oracle Live Response – I can’t believe I missed this one. Thanks Harlan/Richard!

Thanks to Richard Bejtlich, I learned this morning that David Litchfield, famed security researcher with NGSSoftware, has released a paper entitled Oracle Forensics Part 4: Live Response. In that paper, David starts off by discussing live response in general, which I found to be very interesting, as he addresses some of the questions that we all face when performing live response, particularly those regarding trust and assurance…trusting the operating system, trusting what the tools are telling use, etc.

More Terms from Logging Glossary Published – I can’t wait to see how this list grows.

As I mentioned here, I started publishing the LogLogic Logging Glossary. Here are the terms and definitions published so far:

Alert
Audit Logging
Context Information

Windows Home Server versus Linux or BSD – I don’t think I’ll be up late at night pondering which to choose 😛

Last year whenever people asked me what to use when building a home server, I’d tell them to use Linux or FreeBSD because there was absolutely nothing from Microsoft under a few hundred dollars. There was no way anyone would spend a few hundred dollars on Windows Small Business Server so Linux or FreeBSD was their only choice. With Windows Home Server on the horizon, Microsoft might just steal a piece of the home server appliance market from Linux.

This Old Vulnerability: Sendmail 8.6.9 – I think these articles are a fantastic idea. Simply telling people that sendmail is/was vulnerable just doesn’t cut it. Showing some historic examples will drive the point home. Someone give this guy a laptop 🙂

Today on This Old Vulnerability, we will take a quick tour through a classic metacharacter/delimiter injection attack. Our petri dish will be Sendmail 8.6.9 (and 8.6.10). The vulnerability was caused when sendmail would take input from a remote identd (the username) and blindly write it into a sendmail queue file.

Enumerate Windows Users In JS – Creepy-cool!

Sergey Vzloman is at it again… He sent over a really interesting piece of demo code (he tested it in IE6.0 and FF – I was only able to test it in Firefox) that enumerates users on Windows systems. Right now, as the code stands in his demo (with only minor tweaks from me) it only tries four accounts and is intentionally noisy to show what it’s doing, but it works pretty well.

Scroll to top