New addition to the site “Security Projects”
Posted by Dickson in IDS / IPS, Lab, Mobile Security Platform, Tool on January 25th, 2010
I have been away for a while working on various projects, but I have returned with some new material.
I just created a new section called “Security Projects”: a tutorial section that a reader can follow to build the same project. The first security project available is “Snort IDS in VMware”, using the latest builds of Snort, MySQL, BASE and Barnyard2, all running on Ubuntu. Keep in mind that you can build your Snort box without VMware by following the same instructions. This project will continue to grow as I add Oinkmaster or PulledPork with the Emerging Threats rules in my next release.
In addition, I will be presenting my Snort IDS in VMware project, and how to set up Snort as a web application IDS, to the South Florida OWASP chapter tomorrow afternoon at Nova Southeastern University, Carl DeSantis Building, Main Davie Campus, Knights Lecture Hall, Room 1124, 3301 College Ave, Fort Lauderdale, FL 33314. It starts at 3:00 PM.
Windows 7 SMB Kernel Crash Video
Posted by Dickson in General, Malware, Mobile Attack Platform, Tool on January 20th, 2010
While browsing the web recently I found the great site Praetorian Prefect, which is an employee blog of a company called Praetorian Security. I don’t know anything about the company, but I do enjoy the video they provided of the Windows 7 SMB kernel crash. The best part is that Microsoft still does not believe it needs a patch. This is the same Microsoft that knew about the 0day flaw that was used by the “Chinese hackers” who attacked Google and other organizations. This is a very interesting approach to security; let’s hope that no one ever uses the Win 7 SMB kernel crash in an exploit kit, and while we are at it, let’s leave that giant gaping hole of an exploit in IE 6, 7 & 8.
Spy Drones Hacked… Wonderful
As I am sure many of you have already read or seen in the news, for example on Slashdot, the US’s very expensive spy drones (10 – 12 million dollars each) are susceptible to being eavesdropped on by simply buying some software that costs $30.00. The Wall Street Journal recorded this response from Gen. Deptula:
The potential drone vulnerability lies in an unencrypted downlink between the unmanned craft and ground control. – Gen. Deptula
Wonderful is all I had to say about that comment. Don’t get me wrong, I don’t know what proprietary work and large amounts of research are needed to make these drones, and I can’t be one to criticize without knowing more details about the intricacies of the drone.
But it comes to my mind, especially when dealing with military hardware: why are companies not using any form of encryption for this communication?
Currently the US is engaged in a conflict / war with determined but technologically weaker opponents. Think of a conflict / war with a full nation state such as Russia or China; they would definitely have the technological ability to tap into unencrypted links.
SkyGrabber is the software they mention that can be, or was, used to perform this eavesdropping. Unfortunately I do not currently have enough resources to pursue using SkyGrabber to capture satellite data, but perhaps in the future. LAN grabber, however, appears interesting; I will be trying it out in the near future and post about it.
Jetico BCWipe 4.0
Posted by Dickson in Encryption, Tool on December 1st, 2009
On Dark Reading there is an article about Jetico’s new release of BCWipe 4. The new feature of this product is Transparent Wiping: instead of the traditional approach of wiping data after use as a separate step, this product wipes the data without requiring any additional action.
Transparent Wiping intercepts all ‘delete’ commands sent by the user or by the system and securely wipes the data files
BCWipe offers a variety of wiping methods such as U.S. DoD 5220.22-M, DoE M 205.1-2 and German VSITR standards, and many more. I look forward to purchasing this product to perform some trial tests to see if I can recover any data with forensic tools.
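As an added illustration, and not Jetico’s code, the Python below shows the overwrite-before-delete idea behind transparent wiping: every byte of the file is rewritten once per pass (0x00, 0xFF, then random), the file is fsync’d after each pass, and only then is it unlinked. A residue check reads the file back before the unlink to confirm the marker is gone. The file name and marker are constructed for the demo. The caveat a forensic test should keep in mind: this only rewrites the blocks the file currently occupies, so journaling or copy-on-write filesystems, SSD wear levelling, snapshots and backups can still hold older copies that the overwrite never touches.

```python
"""Overwrite a file's contents before unlinking it, then check for residue.

Added example; not Jetico's code. It shows the overwrite-before-delete idea
behind "transparent wiping" with a three-pass scheme (0x00, 0xFF, random).
Caveat: this only rewrites the blocks the file currently occupies. Journaling
or copy-on-write filesystems, SSD wear levelling, snapshots and backups can all
keep older copies that an overwrite of the file never touches.
"""
import os
import secrets
import tempfile

# None means "fresh random bytes for this pass".
DEFAULT_PASSES = (b"\x00", b"\xff", None)


def _write_all(fd: int, buf: bytes) -> None:
    """os.write may write fewer bytes than asked; loop until all are out."""
    view = memoryview(buf)
    while len(view):
        written = os.write(fd, view)
        view = view[written:]


def overwrite_in_place(path: str, passes=DEFAULT_PASSES, chunk: int = 1 << 16) -> int:
    """Overwrite every byte of `path` once per pass and fsync after each.
    Opens without O_TRUNC: truncating would release the blocks unwritten.
    Returns the file size in bytes; the file still exists afterwards."""
    size = os.path.getsize(path)
    fd = os.open(path, os.O_RDWR)
    try:
        for pattern in passes:
            os.lseek(fd, 0, os.SEEK_SET)
            remaining = size
            while remaining:
                n = min(chunk, remaining)
                _write_all(fd, pattern * n if pattern is not None else secrets.token_bytes(n))
                remaining -= n
            os.fsync(fd)
    finally:
        os.close(fd)
    return size


def wipe_file(path: str, passes=DEFAULT_PASSES) -> int:
    """Overwrite then unlink, the way a transparent wiper would on 'delete'."""
    size = overwrite_in_place(path, passes)
    os.unlink(path)
    return size


def contains_residue(path: str, needle: bytes) -> bool:
    """Read the file back through the filesystem and look for `needle`.
    A False here proves nothing about old blocks, journals or other copies."""
    with open(path, "rb") as fh:
        return needle in fh.read()


def demo() -> bool:
    """Constructed input: write a marker, overwrite, confirm it is gone, delete.
    Returns True when the marker was present before and absent after the overwrite."""
    marker = b"TOP SECRET "
    with tempfile.NamedTemporaryFile(delete=False) as fh:
        fh.write(marker * 10_000)
        path = fh.name
    before = contains_residue(path, marker)
    overwrite_in_place(path)
    after = contains_residue(path, marker)
    wipe_file(path)
    return before and not after and not os.path.exists(path)


if __name__ == "__main__":
    print("overwrite verified:", demo())
```

When testing a wiper with forensic tools, the interesting place to look is not the file (which this check covers) but the free space, journal and any snapshots, which is where an overwrite-based method leaves copies behind on modern filesystems and SSDs.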
Rapid7 releases community edition scanner
Rapid7 is giving back to the community by providing a free edition of their enterprise scanner. It is limited to 32 IPs, but it allows Metasploit integration and unlimited updates. The product supports both Linux and Microsoft Windows, in 32- and 64-bit versions. This is a very interesting move by Rapid7, since many in the security community believed the acquisition of Metasploit was going to end up like the Symantec acquisition of L0phtCrack: a dead end.
Screenshots below of a scan of a Windows XP SP3 VM with the firewall disabled.
Astaro Security Gateway releases community edition
Astaro Security is offering the community edition of their Security Gateway for free. It runs on Linux and provides firewall, NAT, DHCP, DNS, remote access, and more. Astaro offers both a VMware image and a traditional ISO file for clean installs. This release can also be used by small businesses, so for companies looking for a free firewall that can also perform these network functions, this would be a good option to try out. Researchers and individuals looking for a complete perimeter security suite for free may want to try it as well.
Justifying buying Sony PlayStation 3s in mass quantities
As many of you may already know, the Sony PlayStation 3, aka the Crack Station, can be used with its Cell processor to crack passwords. Well, an article came up on PC World which confirms this idea is not just for researchers or malicious individuals but also for the Federal Government. It appears they have also caught on to using multiple Sony PlayStation 3s to crack passwords from seized machines.
"Bad guys are encrypting their stuff now, so we need a methodology of hacking on that to try to break passwords," Claude E. Davenport, an agent in the U.S. Immigration and Customs Enforcement Cyber Crimes Center,
Interesting. I truly wonder how effective they are, even in mass quantities using distributed cracking. If your password is over 20 characters, mixing uppercase, lowercase, digits, spaces and symbols, and does not contain dictionary words, I can only imagine how long it would really take…
16,788,555,621,033,700,000,000 days
SANS has a great diagram and downloadable spreadsheet that can inform you. Granted, that number above does not account for distributed cracking with PS3s, rather PCs with GPU cards, but really, how many PS3s would you need to crack that in a reasonable time?
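As an added example that is not part of the original post or the SANS spreadsheet it mentions, the Python below does the arithmetic behind numbers like the one above: given a character set, a length and an aggregate guess rate it returns the time to exhaust the keyspace, and, turning the question around, how many machines it would take to finish within a deadline. The per-machine guess rate in the demo is an assumption for illustration, not a measured PS3 or GPU figure.

```python
"""Brute-force time estimates for a password policy.

Added example (not from the original post or the SANS spreadsheet it cites).
The guess rate used in the demo is assumed for illustration, not a measured figure.
"""
from math import log2

# Sizes of the common ASCII character classes.
CHARSET_SIZES = {"lower": 26, "upper": 26, "digits": 10, "symbols": 32, "space": 1}

SECONDS_PER_DAY = 86_400


def keyspace(length: int, classes) -> int:
    """Number of candidate passwords of exactly `length` characters drawn
    from the union of the named character classes (exact integer)."""
    alphabet = sum(CHARSET_SIZES[c] for c in classes)
    return alphabet ** length


def days_to_exhaust(length: int, classes, guesses_per_second: int, machines: int = 1) -> float:
    """Worst-case days to try every candidate at the aggregate rate.
    The expected time to hit a uniformly random password is half of this."""
    total_rate = guesses_per_second * machines
    return keyspace(length, classes) / total_rate / SECONDS_PER_DAY


def machines_needed(length: int, classes, guesses_per_second: int, target_days: int) -> int:
    """Smallest number of machines, each doing `guesses_per_second`, that
    exhaust the keyspace within `target_days` (integer ceiling division)."""
    budget_per_machine = guesses_per_second * target_days * SECONDS_PER_DAY
    return -(-keyspace(length, classes) // budget_per_machine)


def entropy_bits(length: int, classes) -> float:
    """Entropy of a uniformly random password from this policy, in bits."""
    return length * log2(sum(CHARSET_SIZES[c] for c in classes))


if __name__ == "__main__":
    ALL = ("lower", "upper", "digits", "symbols", "space")
    RATE = 1_000_000_000  # assumed 1e9 guesses/s per machine, for illustration only
    for length, classes in [(8, ("lower",)), (8, ALL), (12, ALL), (20, ALL)]:
        print(f"len={length:2d} classes={len(classes)} bits={entropy_bits(length, classes):6.1f} "
              f"days@1 machine={days_to_exhaust(length, classes, RATE):.3e} "
              f"machines for 1 year={machines_needed(length, classes, RATE, 365):,}")
```

The point the demo makes is that each extra character multiplies the work by the alphabet size, so adding machines (PS3s or GPUs) only buys a linear speed-up against an exponential keyspace; the real risk to a long password is that it is not uniformly random, which is why the post’s condition “does not contain dictionary words” matters more than the raw length.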
Wonderful English Shell Code
Slashdot has an exciting article about several security researchers developing shellcode that appears to be English sentences but is in fact shellcode for an exploit. Metasploit already had the capability to make shellcode alphanumeric, but making shellcode look like sentences is an interesting approach to evading detection.
Specifically, we demonstrate a technique for automatically producing English Shellcode — that is, transforming arbitrary shellcode into a representation that is statistically similar to English prose
I am sure some shellcode already used this method, but with this paper’s release I wonder what percentage of new shellcode will incorporate it.
So Brazil was not hacked they say.. faulty equipment to blame…
It appears the whole drama about dangerous hackers attacking infrastructure, and the debates about countries’ preparedness for cyber warfare, was for nothing, even though the Cyber Security Czar, some other high-ranking officials and President Obama appeared to believe that it was a cyber attack that brought down power to those cities in Brazil.
“In other countries cyberattacks have plunged entire cities into darkness” – President Obama
Well, Brazil has been getting great amounts of attention: gangs shooting down police helicopters with small arms, rolling blackouts (recent ones blamed on storms), and winning the bid for the 2016 Olympics. Either way, whether it really was faulty equipment or a story to keep up appearances so they don’t change the location of the Olympics, the infrastructure needed the attention.
Twitter API helping the bad guys
The Register has an interesting article on a drive-by exploit that uses Twitter to send web surfers messages that make them its next victims. The system appears to be driven by hot topics and will attempt to register a malicious domain name built from some combination of the hot topic and its own random algorithm.
The Twitter API is a useful weapon in the miscreant’s arsenal because it helps prevent malicious scripts from being caught by scanners searching for malicious domain names in web scripts.
From what I have seen out on the web, they use TinyURL to mask their malicious sites behind short URLs which appear harmless and lure unsuspecting visitors to their malware-infested websites.
I wonder if Twitter is going to do anything about this API abuse.
COFEE Leaked…
It was only a matter of time; as confirmed on Dark Reading, COFEE has been leaked. In one of my earlier posts I talked about how Microsoft was providing law enforcement with a tool called COFEE, to be used for forensic evidence capture. Unfortunately it seems it has been leaked and has been spotted on various file sharing networks, as shown below.
I do not endorse any form of software piracy or performing anything illegal; the above screenshot simply demonstrates the already known existence of the application “COFEE” on file sharing networks.
Who knows if this is a real copy or some hacked-up malware waiting for unsuspecting users to run it thinking it is a forensic tool. The problem now is that someone may build scripts to detect this tool.
Cookies and DNS attacks
Posted by Dickson in DNS, Web Application on November 9th, 2009
An excellent paper and presentation titled “There’s one in every family” by Matt Bailey demonstrates how subdomains and cookies can be used to perform XSS (Cross Site Scripting) or CSRF (Cross Site Request Forgery). The examples given in the paper were superb, as Google, Chase, and Expedia were shown as proofs of concept (PoC).
Above image originated from Matt Bailey’s PDF titled “There’s one in every family”, page 6
Exploit techniques like these turn up all the time in applications, and the more research goes into them, the better prepared we are against the malicious hackers that use them.
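The page does not reproduce the paper’s examples, so as an added illustration (not Matt Bailey’s code, and not one of his PoCs) the Python below models the browser rule that makes subdomains and cookies a family problem: a cookie’s Domain attribute matches the exact host and every host below it, and any host in the family may set a cookie for the parent domain. The scenario is constructed with hypothetical host names: an XSS on one subdomain plants a session cookie scoped to the parent, and the main site then receives the attacker-chosen cookie alongside its own. Real browsers add one check this model omits, refusing a Domain that is a public suffix such as com or co.uk.

```python
"""Cookie domain scoping, the mechanism behind cross-subdomain cookie attacks.

Added example, not taken from Matt Bailey's paper. It models the RFC 6265
domain-matching rule (host equals the cookie's Domain, or ends with '.' +
Domain) and the rule that a host may only set a Domain it belongs to. Host
names are hypothetical. Real browsers add one more check this model omits:
they refuse a Domain that is a public suffix such as 'com' or 'co.uk'.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Cookie:
    name: str
    value: str
    domain: str       # effective domain, lower-case, no leading dot
    host_only: bool   # True when Set-Cookie carried no Domain attribute


def domain_matches(request_host: str, cookie_domain: str) -> bool:
    """RFC 6265 section 5.1.3 domain matching (IP addresses not handled)."""
    host, dom = request_host.lower(), cookie_domain.lower()
    return host == dom or host.endswith("." + dom)


def can_set_domain(setter_host: str, domain_attr: str) -> bool:
    """A response from setter_host may only scope a cookie to a domain that
    setter_host itself domain-matches (section 5.3, step 6)."""
    return domain_matches(setter_host, domain_attr.lstrip("."))


def set_cookie(setter_host: str, name: str, value: str,
               domain_attr: Optional[str] = None) -> Cookie:
    """Model the browser accepting a Set-Cookie header from setter_host."""
    if domain_attr is None:
        return Cookie(name, value, setter_host.lower(), host_only=True)
    if not can_set_domain(setter_host, domain_attr):
        raise ValueError(f"{setter_host} may not set a cookie for {domain_attr}")
    return Cookie(name, value, domain_attr.lstrip(".").lower(), host_only=False)


def cookies_sent_to(jar: List[Cookie], request_host: str) -> List[Cookie]:
    """Cookies the browser attaches to a request for request_host. The server
    cannot tell which host set them: the Cookie header carries name=value only."""
    host = request_host.lower()
    sent = []
    for c in jar:
        if c.host_only:
            if host == c.domain:
                sent.append(c)
        elif domain_matches(host, c.domain):
            sent.append(c)
    return sent


def demo() -> List[str]:
    """Constructed scenario with hypothetical hosts: an XSS on forum.example.com
    sets a SESSION cookie scoped to the parent domain. Returns the name=value
    pairs that www.example.com receives on its next request."""
    jar = [
        set_cookie("www.example.com", "SESSION", "legit-session"),                       # host-only
        set_cookie("forum.example.com", "SESSION", "attacker-chosen", "example.com"),    # parent-scoped
        set_cookie("forum.example.com", "forum_pref", "dark"),                           # host-only, stays put
    ]
    return [f"{c.name}={c.value}" for c in cookies_sent_to(jar, "www.example.com")]


if __name__ == "__main__":
    print("www.example.com receives:", demo())
```

The demo ends with www.example.com receiving two SESSION cookies and no way to tell which host set them; which one the application honours depends on its cookie parser, which is what lets a subdomain XSS fix a victim’s session or overwrite a cookie-based CSRF token on the main site. The defences that follow from the model are to avoid a parent Domain attribute unless sharing is really needed, to keep untrusted content off sibling hosts of the main site (a separate registrable domain, not a subdomain), and never to trust a cookie’s origin for anything the server cannot verify itself.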
