Tuesday, April 29, 2008

Kraken, the friendly bot?

Slashdot had another post today, dealing with the Kraken bot. (I'm linking the articles here so I can read them in depth a little later.) It seems the Kraken botnet was infiltrated, and the authors of the papers realized they would be able to re-seed the commands to patch (cleanse?) the infected bots. Slashdot rightly ponders the risks and benefits of a "friendly worm." The articles are:

Owning Kraken Zombies

Kraken Botnet Infiltration

I saw this on Slashdot this morning. It seems Microsoft has collaborated on a device that allows law enforcement to bypass Windows security, including the decryption of passwords. Yes, I know there are other tools that accomplish basically the same thing. None of those other options, as far as I know, were created (even in part) by the operating system's manufacturer.

Friday, April 25, 2008


I'm really starting to study for the exam portion of the SANS SEC 504 course. Posts might not be as prolific as before (if they ever were). I'll try to weigh in on some issues when I can.

Tuesday, April 22, 2008

Foreign Used Gear

Slashdot had an interesting post this morning. In it, they discussed used gear coming into the country from foreign nations, and the security implications of that used gear. One article specifically mentioned the risk of getting gear that may have been "reprogrammed" to do tasks other than those the product was initially intended for; some of those tasks could be nefarious.

A second article displayed the slides (and included a link to the original PowerPoint presentation) showing that the FBI fears foreign hackers may have planted back doors in governmental networks using used gear.

This is something I've always wondered about, but on a more personal level. When I wanted to experiment with Linux on a laptop, I searched eBay for a laptop that was not too pricey (and met my specs), so that I would not have a problem if my experimentation failed or had bad results. However, I knew that once I got Linux up and running, I would be using the laptop quite a bit. I found plenty of laptops. And being a paranoid security professional, I assumed that the hard drives had not been wiped. Most of these laptops (if not all) came preloaded with Windows XP. And, while some of the descriptions said that the computer had been "reformatted, with the operating system reinstalled," what's to say that a small piece of malicious software wasn't also loaded? Maybe that software would phone home with interesting information about the new owner. Yes, I was installing Linux, so I wasn't too worried. (Note: I purchased a new hard drive and swapped out the one that came with the laptop.) But the general public probably doesn't follow that tactic.

I suppose the same thing could be said for phones bought second hand, or for DVRs with malicious software pre-installed. Unfortunately, the drawback is that a fiscally responsible person or corporation gets pushed into only buying new gear. And sometimes that doesn't make sense/cents.

Friday, April 18, 2008

Slashdot security articles

Slashdot has a slew of articles on security for today. I can't get to them all now, so I'm linking to them, and hope to comment later.

Cybersecurity and Piracy on the High Seas

Windows Update Can Hurt Security

Storm Dismantled at USENIX LEET Workshop

The weather has been absolutely gorgeous here, and it's difficult to get the reading done.

Thursday, April 17, 2008

Culture vs. What's Right

Slashdot had an interesting post yesterday that I did not get a chance to comment on. I have seen similar situations, though not directly ethics-related. A company I used to work for refuses to take security seriously because of the amount of extra work it would induce. I left over half a year ago, and I guarantee the workstations have not been patched since I left. As for the servers, I don't think they were ever patched in my three-plus years of working there. I explained, and I preached. But the culture was not to take it seriously. By patching the machines, the company would be filling a big hole. But there are applications that would need testing, and minor issues that would need to be fixed, and the time spent on those activities is not considered time well spent. I know the big fear in patching the servers is that the enterprise applications will fail to work afterward.

I've seen clients that don't want to implement any kind of security, but more out of ignorance than anything else. Typically, I've been to these clients in order to fix a problem; a problem that might not have occurred if basic security practices had been employed.

Fortunately, I haven't had to deal with outright ethics dilemmas. I can only imagine the headaches there.

Wednesday, April 16, 2008

Chamber of Commerce

I joined my local chamber of commerce the other day. It should be interesting, as marketing is not my forte. Yet, if I'm going to run a successful business, I'm going to have to market it effectively. I have a breakfast "networking" meeting coming up where I suppose I'll "press the flesh" and hand out business cards and brochures.

So, I'm in the middle of creating a brochure that conveys the importance of security and what companies should be doing. I don't want to scare and shock potential clients; however, I know a lot of businesses (some that I deal with) don't take their computer security seriously at all.

We'll see.

Monday, April 14, 2008

mini-book review: Incident Response & Computer Forensics (2nd Ed.) by Mandia, Prosise and Pepe

Before I took the SANS 504 course I had picked up the book Incident Response & Computer Forensics (2nd Ed.) by Kevin Mandia, Chris Prosise and Matt Pepe. I was well into the book before the class started, and I'm glad the class began while I was reading the book. The book almost makes a perfect companion for the class, and it helped me reinforce many of the concepts taught in the class.

I'll start out by saying the book is excellent, well written, easy to read, and chock full of sites where you can pick up the tools used in the book's examples. I learned many new tactics that I have already put into practice, and I believe they have made me a better security warrior. Rest assured, the authors are well versed in the field and rely on their vast experience to convey their points. Many chapters contain real-world anecdotes from cases the authors worked on or witnessed, which lend credence to the points being discussed.

The book is divided into four logical sections: an introduction to incident response, collecting data, analyzing data, and an appendix (one chapter of which contains common sample forms). The introductory chapters explain the basics of IR, what to expect, creating a team, and establishing the processes. Specific chapters deal with preparing for incidents and what to do after an incident has been declared. I really liked the chapters on data acquisition, as that applies the most to what I do. Chapters deal with Windows, Unix/Linux, and network data collection, and there is an important chapter on evidence and evidence handling. (The latter chapter is important for everyone, but the authors stress why it matters in a corporate setting.) I especially liked the tools discussed and the scripts that are presented along with the methodology for using them. The next section presents how to analyze the data that has been collected. While there is a heavy emphasis on forensic duplication (and rightly so), there are chapters on Windows analysis, Unix/Linux analysis, and network analysis. From the network analysis chapter, the points on network data capture and reconstruction helped me the most.

My only complaint about the book is no fault of the authors'. The book is copyright 2003, and while the processes and methodologies could be considered timeless, unfortunately the links to some of the software are not. In the five years since, some companies have gone out of business, some have been absorbed by other (larger) companies, and some tools are no longer available. A great benefit of the book is that much of the software is free (and open source). However, there are instances where the software linked to now costs money.

All in all, I highly recommend the book to anyone looking to get into the field, or anyone charged with setting up (or running) an incident handling team in their company. The methodologies and processes should be employed in any company where an incident response team works, so that incidents can be brought to their proper conclusion. Many tools are presented in the chapters along with insights on how to get the most out of them.

Friday, April 11, 2008

SANS: ADSL Router / Cable Modem / Home Wireless AP Hardening in 5 Steps

(This is probably for my own edification, so I don't lose the article, and can easily remember where it can be found.)

SANS has a great, simple article on securing a home access point that everyone with a wireless access point should read. And follow.

Whitepapers on IFRAME attacks

One thing I'm learning in this industry/profession is that there is never-ending research. I'm always learning and reading to learn more. The pile of books next to my bed is constantly getting bigger, faster than I can read them. (And it gets in the way of the pleasure reading sometimes. I guess that's what vacations are for. Vacations?) Fortunately, I like to read, and like to broaden my horizons.

Over the past couple of weeks, I've been reading the various reports (Symantec's is here, in PDF; Panda's is here, in PDF) that have been released on the state of the industry and what to expect for the rest of the year or the short term. Frequently, I have read of IFRAME attacks. I used to be a web application developer, so the term IFRAME was familiar. I had never really used one, so I figured I would learn what they are. A quick Google search turned up a treasure trove of papers; two I'll highlight here.

I believe the two papers belong together, so I'll list them first. These papers are:
All Your IFRAMEs Point to Us
The Ghost In The Browser

I started by reading All Your IFRAMEs Point to us first, but the first citation was to The Ghost In The Browser; so I stopped and read that first. I'm glad I did.

The Ghost In The Browser was a little more technical. While it contained some of the same analysis covered more in depth in the other paper, it laid out definitions and explained the IFRAME attack in detail. Snippets of code were included to show what you could look for in the page source of an attacked site. Various attack vectors were also covered. This was exactly what I was looking for.

The second paper, All Your IFRAMEs Point To Us, seemed higher level to me. While the attack was briefly laid out, the paper discussed the prevalence of IFRAME attacks and how pervasive they are across the internet. If I didn't know better, after reading the article I might never surf the web again. It's not just the "grayer" areas of the internet where these attacks live; ads are just as prevalent. Be advised, there are a couple of sections with a good amount of math.

Taken together, the two articles make things look pretty grim if you are not proactive about protecting your system.

From both articles, it is IMPERATIVE that you keep your systems patched, as the IFRAME attacks probe for multiple vulnerabilities. Second, you must have some sort of anti-virus on your machine. But to those of us in the security field, what I've typed is preaching to the choir.
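As an added illustration (not code from either paper), here is a small scanner for the kind of IFRAME the papers describe: one the user cannot see, yet which pulls content from another host. The size and style heuristics, the sample page and the host names are all constructed for this example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# CSS that keeps a frame out of sight: hidden, or positioned off-screen (assumed heuristics).
HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden|(?:left|top)\s*:\s*-\d", re.I)


def _tiny(value):
    """True for a width/height attribute of 0 or 1 pixel ('0', '1', '0px')."""
    match = re.match(r"\s*(\d+)", value or "")
    return match is not None and int(match.group(1)) <= 1


class IframeFinder(HTMLParser):
    """Collects iframes that a user cannot see; each finding is (src, [reasons])."""

    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {k: (v or "") for k, v in attrs}
        reasons = []
        if _tiny(a.get("width")) and _tiny(a.get("height")):
            reasons.append("zero-size")
        if HIDDEN_STYLE.search(a.get("style", "")):
            reasons.append("hidden-by-css")
        src_host = urlparse(a.get("src", "")).hostname
        if src_host and src_host != self.page_host:
            reasons.append("third-party-src")
        # A visible frame may legitimately embed another site; an invisible one is the signal.
        if "zero-size" in reasons or "hidden-by-css" in reasons:
            self.findings.append((a.get("src", ""), reasons))


def find_hidden_iframes(html, page_host):
    """Scan one page's HTML; page_host is the hostname the page was served from."""
    finder = IframeFinder(page_host)
    finder.feed(html)
    return finder.findings


# Constructed sample: a visible embedded video plus an injected invisible frame.
SAMPLE_PAGE = """<html><body>
<iframe src="http://example.com/video" width="640" height="480"></iframe>
<iframe src="http://third-party.example.net/frame" width="0" height="0"
        style="display:none"></iframe>
</body></html>"""
```

Running `find_hidden_iframes(SAMPLE_PAGE, "example.com")` reports only the second frame, with all three reasons attached; in practice you would diff the findings against a baseline of the page's own legitimate frames.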

Finally, one last point I would like to make. The references section in the paper All Your IFRAMEs Point To Us is phenomenal. Listed are many articles, both in PDF and as web pages, covering all kinds of information. I plan on reading the papers on botnets next.

Wednesday, April 9, 2008

Interviewing for the school district's new admin

I was asked to help interview candidates for our local school system's new administrator. I couldn't make Monday's interview; another member of the Tech Advisory Board attended Monday's interviews.

The interviews were conducted by the Supervisor of Curriculum and Technology, and were attended by one of the principals and the person in charge of the computer classrooms in each school. There was a clear agenda for each candidate and the interviews went smoothly. I was impressed with the precision and efficiency with which the group worked. I only saw a handful of candidates today. Yes, there were people not really qualified (and I'm surprised they were even given an interview), and there were very qualified and talented individuals.

What surprised me (pleasantly) was a question by one of the principals. She asked the first candidate, "How do you feel, and what do you know, about Open Source?" I almost fell out of my chair. Mostly because it is a great question, and I was surprised it came from the principal. (The first candidate couldn't answer the question, the second had heard of it but didn't use it, and the third, well... wasn't even in the right ballpark.)

I'm glad to see the school looking in the Open Source direction. I know that there are state contracts and regulations, but I also know that the school district has monetary constraints. Dropping OpenOffice.org onto desktops is a lot cheaper than spending X number of dollars on MS Office. Getting kids exposed to an alternative environment, I believe, will help them when situations are not ideal or not what they expect.

The next step is to recommend two names to the Board of Ed, and they take it from there. I may have to go to the next round of interviews, just so that there is someone with technology experience there as the interviewers will be the Superintendent, the other principal, and Board of Ed members.

Friday, April 4, 2008

PandaLabs 1st Quarter 2008 report and MBR Trojans

Panda Labs has issued its first-quarter report. You can see it here. Under the first quarter trends, it is noted that Trojans make up the biggest percentage of the malware being distributed. Also noted were new methods for distributing malware through exploits.

To me, one of the biggest announcements in the document is that we are seeing a return of MBR infections, though this time as a rootkit rather than a virus. If I have it right, a rootkit hidden in the MBR will be active every time the system starts up, which would make it tough to detect.
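One way to catch that kind of change is to compare the boot code in the MBR against a hash taken when the machine was known clean. The following is an added example, not anything from the PandaLabs report: it parses the standard 512-byte MBR layout (446 bytes of boot code, four 16-byte partition entries, the 0x55AA signature) and flags a boot-code change while leaving the partition table free to vary. The sample image and the 16 MB of pseudo boot code are constructed.

```python
import hashlib
import struct

BOOT_CODE_LEN = 446          # bytes 0..445: boot code, the part a bootkit rewrites
PART_TABLE_OFF = 446         # four 16-byte partition entries follow
SIGNATURE = b"\x55\xaa"      # bytes 510..511


def parse_mbr(sector):
    """Split a 512-byte sector into boot code and the non-empty partition entries."""
    if len(sector) != 512 or sector[510:] != SIGNATURE:
        raise ValueError("not a valid MBR sector")
    partitions = []
    for i in range(4):
        entry = sector[PART_TABLE_OFF + 16 * i:PART_TABLE_OFF + 16 * (i + 1)]
        # status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sector-count(4)
        status, ptype, lba_start, sectors = struct.unpack("<B3xB3xII", entry)
        if ptype:
            partitions.append({"bootable": status == 0x80, "type": ptype,
                               "lba_start": lba_start, "sectors": sectors})
    return {"boot_code": sector[:BOOT_CODE_LEN], "partitions": partitions}


def boot_code_hash(sector):
    """sha256 of the boot code only; the partition table is allowed to change."""
    return hashlib.sha256(parse_mbr(sector)["boot_code"]).hexdigest()


def check_against_baseline(sector, baseline_hex):
    """'clean' if the boot code still matches the hash taken on a known-good system."""
    return "clean" if boot_code_hash(sector) == baseline_hex else "boot-code-changed"


def build_sample_mbr(tampered=False):
    """Constructed image: pseudo boot code, one bootable Linux partition, valid signature."""
    boot = bytes((i * 7 + 3) & 0xFF for i in range(BOOT_CODE_LEN))
    if tampered:
        boot = b"\xeb\x58" + boot[2:]   # first bytes rewritten, table left intact
    entry = struct.pack("<B3xB3xII", 0x80, 0x83, 2048, 1048576)
    return boot + entry + b"\x00" * 48 + SIGNATURE
```

On a live Linux box the sector comes from `dd if=/dev/sda bs=512 count=1` run as root, and the baseline hash should be recorded while the machine is known clean and kept off the box.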

From the article (p. 19):

"Stealth techniques aimed at carrying out almost-invisible silent infections are evolving."

Other topics discussed in the article are a recap of Storm Worm over the last year, multi-AV scanners, Web 2.0 attacks, and the latest attacks on mobile phones.

The article is definitely a great read. I have already sent it to a couple of sys admins that I know don't take security that seriously.

Thursday, April 3, 2008

Hydan on Ubuntu, part II

Well, I got Hydan running, sort of. I needed to install the following package: libcurl3-openssl-dev. I thought it might be openssl, as that is what the error indicated. However, it looks like Ubuntu comes with openssl installed; the dev library needs to be added. Following installation, Hydan compiles.

So, I've tried working on a file that I know has text hidden in it, and I receive the following error(?):

./hydan-decode [filename]
Password: [entered]
hdn_crypto_decrypt: Error allocating memory for duplicating decryption. Requested -77012715 bytes.

What I'm unsure of is this: is there another problem with Hydan, or is there an issue with running it on Ubuntu?
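The negative byte count in that error is itself a clue. The following added example (not Hydan's code, whose source is not on this page) shows what a 4-byte length field that decodes to -77012715 looks like when the same bytes are read as signed versus unsigned, and a sanity check that rejects such a value before anything is allocated. The size limit and the header bytes are constructed assumptions.

```python
import struct

MAX_HIDDEN_BYTES = 16 * 1024 * 1024   # assumed upper bound on a hidden message

# Constructed 4-byte little-endian field encoding the value from the error message.
SAMPLE_LENGTH_FIELD = struct.pack("<i", -77012715)
# A plausible field for comparison: 512 bytes of hidden text.
SMALL_LENGTH_FIELD = struct.pack("<I", 512)


def length_as_signed(field):
    """The reading a C 'int' gives: sign bit set, so the count comes out negative."""
    return struct.unpack("<i", field[:4])[0]


def length_as_unsigned(field):
    """The same bytes read size_t-style: about 4 GB, equally implausible."""
    return struct.unpack("<I", field[:4])[0]


def length_is_sane(field):
    """A length is acceptable only if it is positive and fits a hidden message."""
    return 0 < length_as_unsigned(field) <= MAX_HIDDEN_BYTES


def allocate_for_decrypt(field):
    """Checked stand-in for 'allocate a buffer to duplicate the decrypted data'."""
    if not length_is_sane(field):
        raise ValueError(
            f"implausible length {length_as_signed(field)}: the decrypted header is "
            "not what was expected (wrong password, or no message in this carrier?)")
    return bytearray(length_as_unsigned(field))
```

A garbage length usually means the decrypted header is not what the tool expected, which points at the input (password or carrier file) rather than at the platform; whether that is the case for this particular run is not something the error alone settles.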