Month: June 2007

Suggested Blog Reading – Monday June 18th, 2007

I just realized that my Friday post said Thursday as the day of the week. Oops… QA is fired!

Here’s the list:

Detecting BBB/IRS/FTC/Proforma Trojan-Infected Users on Your Network – Here is a good example of where system and device logs are important.

If you keep logs of firewall/proxy or DNS server traffic, you may be able to spot infected users by traffic analysis. This activity has been going on since at least February, so it is prudent to go back in the logfiles at least until the beginning of 2007 when searching.
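The traffic-analysis idea above, worked through as an added example (not code from the linked article): it normalises proxy and DNS log lines, ignores anything before the search window the article recommends (start of 2007), matches each contacted hostname, or any subdomain of it, against a watch list, and groups the hits by client address. Every log line, client address and domain here is constructed, and WATCHLIST is a placeholder; the article gives no indicators, so replace it with ones from a trusted source before using this on real logs.

```python
"""Triage proxy and DNS logs for hosts that contacted watch-listed domains.

Added example, not code from the linked article. The log lines, client
addresses and domain names are constructed for the demonstration, and
WATCHLIST is a placeholder: replace it with indicators from a trusted
source for the campaign you are investigating.
"""
import re
from collections import defaultdict
from datetime import datetime, timezone
from urllib.parse import urlsplit

# Placeholder indicators (constructed, not real IoCs from the article).
WATCHLIST = {"example-bad.invalid", "update-check.invalid"}

# The article notes the activity dates back to at least February 2007, so
# search logs from the start of 2007; older events are ignored.
SEARCH_FROM = datetime(2007, 1, 1, tzinfo=timezone.utc)

# Constructed squid-style access.log line:
# "<epoch>.<ms> <elapsed> <client> <code>/<status> <bytes> <method> <url> ..."
PROXY_RE = re.compile(
    r"^(?P<ts>\d+)\.\d+\s+\d+\s+(?P<client>\S+)\s+\S+\s+\d+\s+\S+\s+(?P<url>\S+)"
)
# Constructed BIND-style query-log line:
# "<dd-Mon-yyyy> <hh:mm:ss>.<ms> client <ip>#<port>: query: <name> IN <type>"
DNS_RE = re.compile(
    r"^(?P<stamp>\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2})(?:\.\d+)?"
    r".*?client (?P<client>[\d.]+)#\d+: query: (?P<name>\S+) IN"
)


def host_from_url(url):
    """Return the host part of a proxied URL (handles CONNECT-style host:port)."""
    if "://" in url:
        return urlsplit(url).hostname or ""
    return url.split(":", 1)[0]


def parse_event(line):
    """Normalise one proxy or DNS log line to (timestamp, client, hostname)."""
    m = PROXY_RE.match(line)
    if m:
        ts = datetime.fromtimestamp(int(m["ts"]), tz=timezone.utc)
        return ts, m["client"], host_from_url(m["url"]).lower().rstrip(".")
    m = DNS_RE.search(line)
    if m:
        ts = datetime.strptime(m["stamp"], "%d-%b-%Y %H:%M:%S")
        return ts.replace(tzinfo=timezone.utc), m["client"], m["name"].lower().rstrip(".")
    return None  # unrecognised format: skipped rather than guessed at


def matched_indicator(hostname, watchlist):
    """Return the watch-list entry that hostname equals or is a subdomain of."""
    labels = hostname.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in watchlist:
            return candidate
    return None


def triage(lines, watchlist=WATCHLIST, since=SEARCH_FROM):
    """Group watch-list hits by client: hit count, first/last seen, indicators."""
    hits = defaultdict(
        lambda: {"hits": 0, "first_seen": None, "last_seen": None, "indicators": set()}
    )
    for line in lines:
        event = parse_event(line)
        if event is None:
            continue
        ts, client, hostname = event
        if ts < since:
            continue  # outside the search window
        indicator = matched_indicator(hostname, watchlist)
        if indicator is None:
            continue
        rec = hits[client]
        rec["hits"] += 1
        rec["indicators"].add(indicator)
        rec["first_seen"] = ts if rec["first_seen"] is None else min(rec["first_seen"], ts)
        rec["last_seen"] = ts if rec["last_seen"] is None else max(rec["last_seen"], ts)
    return dict(hits)


# Constructed sample lines: two clients touch watch-listed names, one client
# visits a benign site, and one hit falls before SEARCH_FROM and is ignored.
SAMPLE_LOG = [
    "1181908800.123    150 10.0.0.5 TCP_MISS/200 512 GET http://www.example-bad.invalid/gate.php - DIRECT/203.0.113.7 text/html",
    "1181908860.456     20 10.0.0.6 TCP_HIT/200 2048 GET http://www.example.invalid/index.html - NONE/- text/html",
    "15-Jun-2007 12:02:01.001 client 10.0.0.7#3456: query: update-check.invalid IN A +",
    "1167609599.000    100 10.0.0.8 TCP_MISS/200 300 GET http://example-bad.invalid/ - DIRECT/203.0.113.7 text/html",
    "15-Jun-2007 12:03:15.777 client 10.0.0.5#4001: query: example-bad.invalid IN A +",
]


def report(lines=SAMPLE_LOG):
    """One summary line per suspect client, earliest first."""
    rows = []
    for client, rec in sorted(triage(lines).items(), key=lambda kv: kv[1]["first_seen"]):
        rows.append(
            f"{client}: {rec['hits']} hit(s) {rec['first_seen']:%Y-%m-%d %H:%M}.."
            f"{rec['last_seen']:%Y-%m-%d %H:%M} -> {', '.join(sorted(rec['indicators']))}"
        )
    return rows


if __name__ == "__main__":
    print("\n".join(report()))
```

Matching on the parent domains of each name matters because a compromised host rarely contacts the bare indicator; the first-seen timestamp per client is what tells you how far back the cleanup and the log review need to go.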

Trinity Rescue Kit – Free Recovery and Repair for Windows – Another good tool to keep in your back pocket.

Trinity Rescue Kit or TRK is a free live Linux distribution that aims specifically at recovery and repair operations on Windows machines, but is equally usable for Linux recovery issues.

A summary of the main features:

  • easily reset windows passwords
  • 4 different virusscan products integrated in a single uniform commandline with online update capability
  • full ntfs write support thanks to ntfs-3g (all other drivers included as well)
  • clone NTFS filesystems over the network
  • wide range of hardware support (kernel 2.6.19.2 and recent kudzu hwdata)
  • easy script to find all local filesystems
  • self update capability to include and update all virusscanners
  • full proxyserver support.
  • run a samba fileserver (windows like filesharing)
  • run a ssh server
  • recovery and undeletion of files with utilities and procedures
  • recovery of lost partitions
  • evacuation of dying disks
  • UTF-8 international character support

Heap Spraying vs. Heap Feng Shui – Good explanation of some proof of concept code.

The heap allocation code used in this exploit was quite advanced and completely different from the conventional Heap Spraying code used in the attacks that I’ve seen so many times. In this case, the exploit page (keyframe.html) used a special compact heap manipulation library named “heapLib.js” which after some investigations introduced me to the mystical world of the “Heap Feng Shui”.

How to create a computer-emergency response team – Although not a single source of information, this article does get you started with important information on how to form a CERT.

Perhaps the most important thing needed for a successful recovery from a data breach is a prebuilt team of employees, pulled from different departments, who can lead the company out of crisis.

New Skillz Challenge! – For those of you with some free cycles.

Hello, Challenge fans! The Intelguardians crew is back this month with another challenge to tickle your fancy and bake your noodle. This month, Matthew Carpenter takes the helm, penning a challenge based on the movie Serenity. Shockingly, a recent SFX magazine poll found that Serenity had overcome Star Wars as the most popular Sci-Fi movie among its readers. It’s amazing what someone can accomplish with a bot-net voting in these on-line polls… Isn’t it, Matt? I hope you enjoy the challenge, as you help the Serenity crew thwart a nasty bot-net to escape the Reavers and the Alliance.

Netstat Revealed! – Another video to add to your collection.

Another video in 2-3 days… I think this is becoming like a mania for me… Anyway, in this video I played around with netstat so that those who do not play with it could see the possibilities it offers us.

Visually Assessing Possible Courses of Action for a Computer Network Incursion – New paper posted to the SANS Information Security Reading Room.

Suggested Blog Reading – Friday June 15th, 2007

Oh Friday… how I love you!

Here’s the list:

General: China taking on U.S. in cyber arms race – Is this the rebirth of the Cold War?

China is seeking to unseat the United States as the dominant power in cyberspace, a U.S. Air Force general leading a new push in this area said Wednesday.

“They’re the only nation that has been quite that blatant about saying, ‘We’re looking to do that,’” 8th Air Force Commander Lt. Gen. Robert Elder told reporters.

Elder is to head a new three-star cyber command being set up at Barksdale Air Force Base in Louisiana, already home to about 25,000 military personnel involved in everything from electronic warfare to network defense.

How to enable EFS context menus – All you Windows users…pay attention 🙂

One solution to help reduce the risk for stolen data is to use Windows Encrypting File System (EFS). We’ve already covered before how to use EFS to encrypt a file or folder, and in this simple registry hack, we’ll show you how to make it easier for you to encrypt and decrypt files and folders by adding the Encrypt and Decrypt options on the context menus in Windows Explorer.

EventLog Analysis – Great introductory article by Harlan on Windows Event Log Analysis.

But what about actual Event Log analysis? What about really using the Event Log to get some insight into activity on the system? What can we look for and how can we use it?

Here are some tidbits that I’ve come across and use…please don’t consider this a complete list, as I hope that people will contribute. This is just to get folks started….

DropMyRights: Running programs safely as an admin – Interesting utility. I like the concept.

DropMyRights is a free command-line utility, developed by Microsoft, to help users who must run as an administrator run applications in a much safer context. In a nutshell, it takes the current user’s token, removes various privileges, and then uses that token to start another process, such as Internet Explorer or Outlook.

No wars are won through awareness… – I see both sides of the argument but I personally believe that awareness training should be introduced at the same time that the security measure is implemented.

In security, as in life, one is forced to make certain choices, certain trade-offs on how they focus their time and energy. If one is able to mass unlimited resources, one could come as close to fault tolerance and a secure position as is possible. But in the real world of IT one is faced with limited resources, whether they be knowledge, time, people, money or access to technology. I think it’s great that one can arm themselves with a Sun Tzu Art of War quote-a-day desk calendar and make declarations about how one would actually secure a complex, globally distributed network and how focusing efforts on user awareness training will fend off Mongol hordes riding against our golden palaces, but that is just not realistic.

Suggested Blog Reading – Thursday June 14th, 2007

Finally got a good night’s sleep, and does it ever make a difference.

Here’s the list:

FBI May Have Broken the Law 1,000 Times in Surveilling Americans – Only those who broke the law have to worry though right? 🙂

The FBI egregiously violated privacy laws and bureau rules to obtain telephone, e-mail and financial records on scores of Americans, according to an internal audit obtained by the Washington Post and reported today.

Is a merger or acquisition in Sourcefire’s future? – Interesting interview with Marty Roesch. I’m very interested in who might be in the market, and have the capital, to merge with a company like Sourcefire.

It’s been a busy year for Sourcefire Inc. founder and Chief Technology Officer Martin Roesch, creator of the widely popular Snort open source IDS tool. In November he announced that Sourcefire had filed with the U.S. Securities and Exchange Commission to raise up to $75 million in an initial public offering (IPO) of stock. Seven months earlier, Check Point had dropped plans to acquire the company amid concerns that foreign ownership of Snort would threaten U.S. national security. In the wake of the IPO, Roesch remains reluctant to go into greater detail on his company’s future direction. But at the Gartner IT Security Summit in Washington D.C., he told SearchSecurity.com how Sourcefire fit into Gartner’s Security 3.0 theme. In the process, he suggested that the war chest Sourcefire has developed as a newly public company could be used in a future merger or acquisition.

Determining the version of XP – Another good post from Harlan on how to discover the version of XP (Home or Pro).

I received an interesting comment to one of my recent blog posts…the poster was musing that he wished he could determine the version of XP (Home or Pro), presumably during a post-mortem examination. As this struck my interest, I began to research this…and most of what I found applies to a live running system. For example, MS has a KB article that tells you how to determine the version of XP you’ve got. Also, the WMI class Win32_OperatingSystem has a value called “SuiteMask” which will let you determine the version of the operating system; to see if you’re on the Home version of XP, perform a logical AND operation with the SuiteMask value and 0x0200 (the “Personal” bit) – if it succeeds, you’re on XP Home. You can also use the Win32::GetOSVersion() function in Perl, or implement the WMI Win32_OperatingSystem class in Perl.

TSK 2.09 Released – New version of The Sleuth Kit ready for your downloading pleasure.

Version 2.09 is now available. This release fixes some bugs for large files and hash databases on Windows, some stability bugs with corrupt file systems, some ‘ils’ flag bugs, and some updates to internal libraries. All users should apply this update.

Security Views Case Study #1 – Unauthorized P2P Software on Company Laptop – I’m sure a lot of system/network/security people can relate to this story.

This is the first in what unfortunately could be many posts I’ll call “Case Studies”. It’s unfortunate, because breaches are now publicized on such a regular basis, I could make a blog entirely about them, as SC Magazine now does. It’s called the Breach Blog. In my case, I was thinking it may be helpful to add some value to some of their entries by doing a bit of analysis and guidance on what you can do to avoid them.

Fuzzled – PERL Fuzzing Framework – Another fuzzing tool for you to try out.

Fuzzled is a powerful fuzzing framework. Fuzzled includes helper functions, namespaces, factories which allow a wide variety of fuzzing tools to be developed. Fuzzled comes with several example protocols and drivers for them.

Port number not shown in access-list log output – This one is more for my reference so I don’t forget it in the future 😉

The reason for this behavior is very simple: unless a line in the IP ACL matches on the layer-4 port numbers, the router does not inspect them; the log action thus has no port number to show in the syslog printout.

To fix the printout, you have to force the router to inspect the layer-4 port numbers.

Irongeek.com – Hacking Illustrated Videos – Something tells me that I’ve mentioned this site before but I can’t find the post. This is a great site with some great instructional security videos.

If you’re interested in learning how to test the security of your network by attacking it, Irongeek.com has a number of flash/AVI videos that walk you through the mechanics of specific attacks.

Notable entries:

  • Using Cain and the AirPcap USB adapter to crack WPA/WPA2
  • Cracking Windows Vista Passwords With Ophcrack And Cain
  • Passive OS Fingerprinting With P0f And Ettercap
  • SSH Dynamic Port Forwarding
  • Basic Nmap Usage
  • Boot from Phlak and run Chkrootkit to detect a compromise
  • Cain to ARP poison and sniff passwords
