Month: September 2007

Suggested Blog Reading – Tuesday September 18th, 2007

Less than a week until my SANS “Ask the Expert” WebCast and a week and a few days until my lunch & learn in Vegas!

Here is the list:

The Web Application Hacker’s Handbook – Hmm…interesting.

Well it’s getting closer! My friend, PortSwigger (also known as Dafydd Stuttard – author of Burp Suite) is getting ever closer to completion of his new book The Web Application Hacker’s Handbook. He’s co-authoring it with Marcus Pinto. I’ve known about the book for a while now, and am really looking forward to reading it.

Experimental Storm Worm DNS Blocklist – I look forward to seeing if this effort is kept up. I’m also curious of the resulting statistics and if they will share the results.

Threatstop is currently experimenting with a DNS based blocklist scheme to dynamically block storm worm infected hosts. It’s a test list they offer for free to get some feedback on how well it works for people. The basic idea of their blocklist scheme is not like traditional DNS blocklists, which require a DNS lookup for each new IP address seen. Instead, you add a hostname to your blocklist, which will then resolve to multiple A records, each of which is an IP address to be blocked. It appears that most firewalls will refresh the list whenever the TTL for the record expires. Currently, the following hostnames can be used:

basic.threatstop.com
basic1.threatstop.com
basic2.threatstop.com
basic3.threatstop.com
basic4.threatstop.com

Each one resolves to a set of storm infected IPs. This is just a temporary service to test this distribution method with a larger set of users. For more details, see the threatstop.com website.
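To show how a firewall-side consumer of this kind of list works (hostname resolves to many A records, refresh when the TTL expires, apply only the delta), here is an added example of my own; it is not Threatstop’s code. The resolver is a constructed stand-in so it runs offline, the addresses are made up, and the hostnames are the ones quoted above.

```python
import ipaddress
from typing import Callable, Dict, List, Tuple

# A resolver answers (ttl_seconds, [A records]) for a hostname. A real consumer
# would query DNS; this constructed resolver lets the example run offline.
# The hostnames are the ones named above; the addresses are made up.
Resolver = Callable[[str], Tuple[int, List[str]]]

CONSTRUCTED_ANSWERS: Dict[str, Tuple[int, List[str]]] = {
    "basic.threatstop.com": (300, ["192.0.2.10", "192.0.2.11", "198.51.100.5"]),
    "basic1.threatstop.com": (300, ["198.51.100.5", "203.0.113.77"]),
}

def constructed_resolver(hostname: str) -> Tuple[int, List[str]]:
    return CONSTRUCTED_ANSWERS[hostname]

class DnsBlocklist:
    """Keeps the union of A records behind the blocklist hostnames and reports
    what changed on each refresh, so the firewall can be updated incrementally
    rather than flushed and reloaded every time a TTL expires."""

    def __init__(self, hostnames: List[str], resolver: Resolver) -> None:
        self.hostnames = hostnames
        self.resolver = resolver
        self.blocked = set()
        self.next_refresh_in = 0  # seconds until the shortest TTL expires

    def refresh(self) -> Tuple[set, set]:
        """Re-resolve every hostname; return (added, removed) address sets."""
        fresh, ttls = set(), []
        for host in self.hostnames:
            ttl, records = self.resolver(host)
            ttls.append(ttl)
            for rec in records:
                try:  # never turn a malformed answer into a firewall rule
                    ipaddress.IPv4Address(rec)
                except ValueError:
                    continue
                fresh.add(rec)
        added, removed = fresh - self.blocked, self.blocked - fresh
        self.blocked = fresh
        self.next_refresh_in = min(ttls) if ttls else 0
        return added, removed

def ipset_commands(added: set, removed: set, setname: str = "storm") -> List[str]:
    """Render the delta as ipset commands (returned as strings, not executed)."""
    return [f"ipset add {setname} {ip}" for ip in sorted(added)] + \
           [f"ipset del {setname} {ip}" for ip in sorted(removed)]
```

Swap in a real resolver (anything returning TTL and A records) and schedule `refresh()` every `next_refresh_in` seconds to get the TTL-driven behaviour the post describes.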

Analysis of Storm Worm DDoS Traffic – Good analysis of the aforementioned storm worm 🙂

The Peacomm (Storm Worm) botnet is known to launch DDoS attacks against networks which appear to be investigating the botnet — the cyber equivalent of explosive reactive armor. It is still unclear whether the decisions to launch an attack are made by the botnet, a human operator, or both. In exploring this, SecureWorks was able to compile and analyze information regarding timing and types of traffic that may help victims of these distributed denial-of-service attacks mitigate the impac

Covert communications: subverting Windows applications – from SANS Information Security Reading Room

And now for some eye bleeders:
Stolen UM Clinic Tapes Contain Patient Data

University of Michigan is alerting over 8,000 patients of the university’s Community Family Health Center after backup tapes containing patient data were discovered stolen. UM is sending two different letters to different patients depending upon the patient information contained on the tapes. The first letter, already sent to 4,513 people, let patients know that the tapes contained their name, address and medical information. The second letter, that the university plans to send to an additional 4,072 individuals, will let patients know that along with name, address and medical information, their Social Security number was also on the stolen backup tapes. UM police are investigating the theft but the university has no further information on the theft.

Another Mass E-mail Leaks Student Data

Queens University of Charlotte is apologizing to hundreds of university students after a mass e-mail accidentally containing personal information was sent out. The e-mail contained names, addresses, Social Security numbers, and student IDs. According to university officials, all affected students have been notified of the incident. In addition, the university urges all affected students to place a fraud alert on their credit reports to help prevent identity theft arising from the unauthorized disclosure.

SSNBreach.org Discovers Sensitive Information Online At Rutgers

Aaron Titus of SSNBreach.org contacted ESI to let the editors know about a Sept 14 news release announcing the discovery of four files on the Rutgers University web site containing sensitive information. All told these files contained the names, Social Security numbers, assignment scores, test scores, course grades and other information on 227 students. SSNBreach.org notified both Rutgers and the FBI over the discovery. Rutgers immediately removed these files from the web and requested the files be removed from the search caches of the major search engines.

Registry Analysis – Another good article by Harlan on analyzing the Windows registry.

One of the issues that confronts us today is knowing what we’re looking at or looking for. Having a tool present data to us is nice, but if we don’t know how that data is populated, then what good is the tool when some one-off condition is encountered? If the analyst does not understand how the artifact in question is created or modified, then what happens when the data that he or she expects to see is not present? Remember Jesse’s First Law of Computer Forensics and my own subsequent corollary?

Reversing ROL-1 Malware – Good analysis Didier…quality post!

Today I want to explain how I deal with a piece of malware that obfuscates its strings.

After dealing with the packing, we end up with an unpacked PE file. BinText reveals some strings, but not URLs. Searching for HTTP with XORSearch (version 1.1) doesn’t reveal any XOR encoding.
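An XORSearch-style scan for rotated strings, added here as an example of my own (not Didier’s code or his tool). It assumes “ROL-1” means each byte of the obfuscated string was rotated left by one bit; the sample buffer and the URL in it are constructed.

```python
# Rotate-by-N string search: try every bit rotation, un-rotate the buffer and
# look for a keyword, then pull out the NUL-terminated string at each hit.
# Assumption: ROL-1 obfuscation rotates every byte left by one bit.

def rol8(b: int, n: int) -> int:
    """Rotate an 8-bit value left by n bits."""
    n %= 8
    return ((b << n) | (b >> (8 - n))) & 0xFF

def ror8(b: int, n: int) -> int:
    """Rotate an 8-bit value right by n bits (undoes rol8 with the same n)."""
    return rol8(b, 8 - (n % 8))

def rol_bytes(data: bytes, n: int) -> bytes:
    return bytes(rol8(b, n) for b in data)

def ror_search(data: bytes, keyword: bytes) -> list:
    """Return (rotation, offset) pairs: rotation is the ROL amount that was
    applied (0 = plain text), offset is where keyword starts once undone."""
    hits = []
    for n in range(8):
        decoded = bytes(ror8(b, n) for b in data)
        pos = decoded.find(keyword)
        while pos != -1:
            hits.append((n, pos))
            pos = decoded.find(keyword, pos + 1)
    return hits

def extract_string(data: bytes, rotation: int, offset: int) -> str:
    """Decode the NUL-terminated string at offset that was ROL-rotated."""
    decoded = bytes(ror8(b, rotation) for b in data[offset:])
    end = decoded.find(b"\x00")
    return decoded[: end if end != -1 else None].decode("ascii", "replace")

# Constructed sample: a plain string followed by a URL obfuscated with ROL-1.
# example.invalid is a placeholder, not a real indicator.
SAMPLE = (b"plain\x00"
          + rol_bytes(b"http://example.invalid/update.php\x00", 1)
          + b"\x00tail")
```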

Foremost – Recover Files From Drive or Drive Image AKA Carving – Tool to check out.

Foremost is a console program to recover files based on their headers, footers, and internal data structures. This process is commonly referred to as data carving. Foremost can work on image files, such as those generated by dd, Safeback, Encase, etc., or directly on a drive.
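A minimal header/footer carver, added as an example of my own to show the technique the excerpt describes; it is not Foremost’s code. The JPEG and GIF signatures are the standard ones, the “disk image” is constructed in memory, and the truncated-file case (no footer before the size limit) is handled the way the Foremost approach implies.

```python
# Header/footer carving over an in-memory image. For a real dd image you
# would read the file in chunks; the logic is the same.

SIGNATURES = {
    # name: (header, footer, max_size)
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9", 20_000_000),
    "gif": (b"GIF8", b"\x00\x3b", 5_000_000),
}

def carve(image: bytes, signatures=SIGNATURES):
    """Find every known header; for each, carve up to the matching footer or,
    when no footer appears within max_size (a truncated file), up to max_size.
    Returns (type, offset, data) tuples sorted by offset."""
    found = []
    for name, (header, footer, max_size) in signatures.items():
        pos = image.find(header)
        while pos != -1:
            window = image[pos:pos + max_size]
            end = window.find(footer, len(header))
            data = window if end == -1 else window[:end + len(footer)]
            found.append((name, pos, data))
            # Resume after the carved file so headers inside it are not
            # reported a second time.
            pos = image.find(header, pos + len(data))
    return sorted(found, key=lambda f: f[1])

# Constructed "disk image": filler, a tiny JPEG, filler, a tiny GIF, filler,
# and a JPEG that was cut off before its footer.
JPEG = b"\xff\xd8\xff\xe0" + b"JFIF-payload" + b"\xff\xd9"
GIF = b"GIF89a" + b"gif-payload" + b"\x00\x3b"
TRUNC = b"\xff\xd8\xff\xe1" + b"cut-off"
IMAGE = b"\x00" * 16 + JPEG + b"\x11" * 8 + GIF + b"\x22" * 4 + TRUNC
```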

Slides of the IMF Workshop – Some slides to check out from Andreas’ presentation on Windows Memory Analysis.

Here are the slides from my demonstration of Windows Memory Analysis tools and techniques, that I recently gave at the 3rd International Conference on Incident Management and IT Forensics in Stuttgart.

Enduring attack trends: ISTR XII – A must read for anyone who deals in any aspect of security. The bad news…malicious activity is here to stay. The good news…we’ll all have jobs this year 😉

Volume XII of Symantec’s Internet Security Threat Report is out and shows that malicious activity over the Internet is here to stay. During the first six months of 2007, our analysis of the proportion of malicious activity in each country showed little variance from the last reporting period. There was some change in certain specific areas of malicious activity, but overall it seems that once a malicious Internet population is established in a country, it remains there.

A System of Persistent Baseline Automated Vulnerability Scanning and Response in a Distributed University Environment – from the SANS Information Security Reading Room

I Can Hear You Now: Eavesdropping on Bluetooth Headsets – This was a great video. Good work Josh 🙂

I’ve been spending more time evaluating Bluetooth technology lately, and have put together a YouTube video demonstrating an attack against a Bluetooth headset.
Recent advances in SDR technology including Dominic Spill’s paper “BlueSniff: Eve Meets Alice and Bluetooth” have made it possible to identify the Bluetooth device address for non-discoverable devices like headsets. Unlike early attempts to discover undiscoverable Bluetooth devices such as RedFang, BlueSniff reveals 3 or 4 bytes of the address within seconds by passively capturing an active Bluetooth connection. The remaining 3 or 2 bytes of the Bluetooth address can be determined by testing each of the common Bluetooth OUIs, using the results of the BNAP, BNAP project.
Once the Bluetooth device address is known, an attacker can connect to the headset as if he were a legitimate phone, authenticating with a fixed PIN of “0000”. Even when not configured in discoverable mode, my JawBone headset will respond to these unsolicited connection requests, allowing an attacker to pair with it and record any audio within range of the headset microphone. The attacker can also inject arbitrary audio through the headset device as well, which could get interesting when applied with finesse.

New Uninformed Journal – Vol 8 – Something to download and read through.

Get it here. Papers include:

Real-time Steganography with RTP
PatchGuard Reloaded: A Brief Analysis of PatchGuard Version 3
Getting out of Jail: Escaping Internet Explorer Protected Mode
OS X Kernel-mode Exploitation in a Weekend
A Catalog of Windows Local Kernel-mode Backdoors
Generalizing Data Flow Information

Fun Preso on Proxy Logs – Ever think you’d hear “fun” and “proxy logs” used in the same sentence?

I did a few insightful webcasts for LogLogic lately; here is one of them (webcast with voice, slides only), on analyzing and managing web proxy logs. It goes well with my logging tip #12, also on proxy logs.

Writing a Book: OSSEC Host-based Intrusion Detection

Well, I’ve alluded to it over the past couple of months and everything is now final. I will be co-authoring the Syngress book “OSSEC Host-based Intrusion Detection” with Daniel Cid and Rory Bray. Look for it in stores in February 2008 and buy as many copies as you can 🙂

About the book:

Since its launch in October of 2003, OSSEC has gained momentum to the tune of 10,000 downloads per month from every part of the globe. Commercial host-based intrusion detection solutions range from $60 to as high as thousands of dollars. As there is no free host-based intrusion detection solution that can match the functionality, scalability, and ease of use of OSSEC, it stands in a class by itself.

This book is the definitive guide on the OSSEC Host-based Intrusion Detection system. Documentation has been available since the start of the OSSEC project but, due to time constraints, no formal book has been created to outline the various features and functions of the OSSEC product. This has left very important and powerful features of the product undocumented…until now! This book will show you how to install and configure OSSEC on the operating system of your choosing and provide detailed examples to help you prevent and mitigate attacks on your systems.

Included with the book is a DVD containing the latest OSSEC software for Windows and Linux/Unix, a pre-configured VMWare image with OSSEC already installed, and a step-by-step video detailing how to get OSSEC up-and-running on your own system.

Am I Supposed To Hate My Competitors?

When I’m out speaking in public I’m representing the company I work for, so I have to, as my grandmother used to say, “mind my tongue”. It has always been an unwritten rule that you don’t discuss business with competitors, but what about chatting about the industry (e.g. trends, acquisitions, issues, etc.) with said competitors?

On more than one occasion I’ve had great conversations with Dr. Anton Chuvakin of LogLogic and Ron Gula of Tenable Network Security. We’re fully aware of the organizations which we work for, we’re all very proud of our respective products, but we’re still able to talk casually (and sometimes bluntly) about the industry, its challenges, and its pitfalls.

I believe we get along for a few reasons…we all have similar interests, we all have a great sense of humor, and (I think) we’re genuinely nice people 😛

Let me give you a few examples…

Earlier this week, Anton and I discussed what percentage of a certain product’s users were actually using the product when it was thrown in for free (a certain company has been known to do this as a value-add to a large customer purchase of its switches and routers to ‘manage’ their newly purchased infrastructure). The jury is still out on this number as we both feel it sits on the shelf most of the time 😉

A few weeks back I needed assistance finding someone to talk to in product management at a particular company. I hesitated asking Ron if he knew anyone there, but he quickly offered to make the introductions.

I recently asked Anton’s opinion on how many slides he would recommend for a 30 minute technical presentation. The answer, in case you’re wondering, was between 15 and 20 depending on content. Anton then told me, jokingly, that he was off to work on competitive slides detailing why my company’s solution sucked. I reminded him to include sections on how great his syslog server solution was (inside joke). We both had a good laugh on that one.

A few months back I was talking with Ron and he mentioned how he was looking for someone in California to join Tenable as a trainer. I happened to know an excellent resource in the area and had no second thoughts about sending the resume along with my endorsement. It didn’t work out but if he asked me again I’d be happy to recommend some additional resources that might fit an open requirement.

I guess, at the end of the day, we’re just a couple of like-minded guys trying to help each other out. Granted, the only thing I’ve given Anton is a hard time but you never know…someday, and that day may never come, my colleagues may call upon me to do a service for them. And you know what…I’d be happy to do it!
