Thursday, December 31, 2009

Looking forward to the new year

I don't usually prognosticate or give thoughts about plans for the new year. I don't make New Years resolutions. However, since I have some time today, I thought I would organize some thoughts for the new year. They're not necessarily in any order, just the order that I thought of them.

1. I'd really like to grow my business. Especially in the forensics arena. It's what I love. I like the IR side, but I want to grow the forensics business.

2. I think I'll be busy with the government side of work. I like it; and I've embraced the DoD, and I think I'm finally figuring out all the DoD regs. Whatever that means, I can count on the regs changing. I have a great boss there, and I work with a great team. But, I'd be lying if I said I wouldn't want to work in a federal capacity doing forensics. Something like the FBI. But, it would take a lot to move me in that direction.

3. I suspect I'm going to have to take the CISSP. I really don't have anything against it, it's just not a cert that I'm really thrilled to get.

4. I don't think the threatscape will change, I suspect it will only get "worse." And in that regard, I suspect that all of us, as IT Security warriors, will stay busy and challenged throughout the year.

Happy New Year!

Tuesday, December 22, 2009

Nostalgic, yet sad

My credit card was caught up in this hack. That was a long time ago, and I think I've since dropped that credit card company. I remember thinking I would never do business with Egghead again. Then, they went under. Now, they're NewEgg. And I've bought items from them recently.

I can't remember how I came across that link, it must have been linked in a story in my news reader. 2000... seems like a long time ago.

Thursday, December 17, 2009

SANS GCFA certified!

I sat for and passed the GCFA exam today! All the studying was worth it, as I passed with an 88%. I was shooting for over a 90, but I'll take it. The exam was definitely challenging, but if you study the books (and know where the information is in the books) you'll do ok. That, and it helps if you are passionate and really like the material.

I'll probably take the rest of this year off from studying, but it will be back to the grind after New Years. It looks like the next cert to go after will be the CISSP.

Friday, December 11, 2009

More required reading...

I'm not currently working in a cubicle, but I've put in my time working in numerous cube farms. (I don't have a problem with cubes, I'm just fortunate to have an office this time around.) But, I have guys in this office that are heavily armed with Nerf guns. While I don't have a Nerf gun at the moment, this book may just help me out. I think it's awesome that the author has cataloged great weapons that can be easily hacked together.

So, I've put this book on the reading list.

Thursday, December 10, 2009


By sheer coincidence, my cell phone plan was up just a couple of weeks ago. I've been using a Motorola Q for the past two years, and it has been "ok." I was never a real fan of the Windows OS, and I saw that Motorola had discontinued the Q line. In looking around, I thought about getting a Motorola Droid. What cinched the deal was the fact that I could get the Motorola Droid and the HTC Eris (for my wife) for only $99. That's both phones for $99. Sweet deal. The only real expense would be in ponying up for two data plans.

So, do I like it? Heck yeah. It's a cool phone that does much. Sure, the keyboard takes some getting used to, but I'm almost there. The screen is awesome, and I don't have it at full brightness. One thing I need to get used to is that I can't have the phone vibrate when I get a text, it has an audible tone. The setting must be there, I just have to find it. I haven't had a chance to fool around with the GPS yet, and I haven't installed anything from the app store yet, either. I'm trying to casually look around so as to query the privacy/security settings on it. Yes, I know it has been rooted already, but I don't think I'm going to take that road yet.

I would definitely recommend the phone. Call clarity has been great, and no dropped calls (not that I really had any with Verizon.) I was never a big fan of the "blackberry-type" phone as I didn't use the phone for business or business apps. And, while the Moto Droid is considered a "smartphone," I consider it more of a social "smartphone." I'll add another post after I've played around with it for a bit.

edit: I found the setting for vibrating on texts. I'm probably going to get in trouble with this phone as it does so much.

Monday, December 7, 2009

Impending System of Fail

I just got word of a system I'm probably going to be testing.

Sun Solaris 2.8
Oracle 9i
Windows 2000 Professional, SP3
IE 5.5
MS SQL Server 7 (With the latest patches) <---their comment
Oracle 8i client
And workstations comprised of NT and Windows 95

Do I really need to go? I could probably start writing this up now.

Saturday, December 5, 2009

At least the incident plan worked....

I was out testing this past week, at a great site. Unfortunately, it was very difficult to work in the office that we were allotted. The building was undergoing massive renovation, and our office seemed like the hub of network activity. When the workers were not stringing CAT 6 cable, there was constant drilling; putting dust everywhere. And, if that wasn't enough, the fire alarm went off in the middle of running some tests. There's nothing like a high ranking officer kicking you out of the building, into the cold, with active tests running.

Moments later, the fire department gave us the all-clear to return.

Friday, November 27, 2009

Microsoft Password Checker

I'm sure there are many password validators or checkers. However, I happened to be reading a pretty good article from Microsoft on their research into passwords when I noticed a link to their page that will evaluate a string to see how strong it would be as a password. Their password checker is located here. While the policies and recommendations that are made should be known in the security field, the page is good for clients (and those needing education) as a way to gauge how good their passwords are.

New Security Magazine

I just saw a link go by in my feed reader for a new free IT security magazine: Security Acts. I downloaded the first issue and will give it a read in a little bit. One of the articles I'm interested in reading is called "How to conduct basic security audits," especially due to the nature of testing I've been doing.

What will be interesting to see is how this magazine fares, with the likes of other free web-zines available:

(IN)SECURE Magazine

Into The Boxes - more of a forensic magazine

Let me know of other free magazines, and I'll update this list.

Wednesday, November 25, 2009

Yearly Family Incident Response Reminder

This is one of my favorite posts from the Internet Storm Center. I didn't see them post it, or something like it, this year. As family and friends gather during the holidays, you will constantly get asked/cajoled/tricked/bribed/blackmailed(?) into working on their computers because, as incident responders, we are the go-to people. Education goes a long way. But, when you have to get down to it, and work on the machines, you need the tools to get the job done.

I've found the tools in the post useful, I've added others, and I've adapted as the malware has evolved. The best-case is when the problem is not too bad, and you can eradicate, recover and move on; usually with stern warnings and helpful words of encouragement. Also, it helps to improve the security posture of the machine you are working on. Worst-case, you're in for a long day/night of work to get the machine back to a usable state.

Here's hoping you have a Happy Thanksgiving (if you celebrate) and that you get a few minutes to relax.

Friday, November 6, 2009

Back from the dead

...Or, at least the wraith-like state I've been in. It's been a quiet Summer and Fall; but I guess it's time to pay for the leisure time I've been afforded. I've just been assigned three testing trips in the next five weeks. Two require air travel. And to bases in Texas no less. I'm not really worried, but the family is mildly concerned; at least in light of recent events.

Not only that, but these projects are going to be for the Air Force; which I've never worked with before. So, it should be a new learning experience as I navigate the differences between the Army- and Air Force-specific requirements.

Current Project: I'm working on scripting the Gold Disk such that it can be run in a mixed domain of XP and Vista computers. The issue I'm having is that GD asks for permission to run on Vista. This becomes an issue when we stick our script in with the other login scripts on the Active Directory Server. We only do this for the big LANs we test; as it makes getting results from many machines much easier.

Thursday, October 8, 2009


It's one of my favorite shows; and I've seen every episode. But, I think the actions of Mr. Nick Stokes and Ray Langston might not hold up in court. Not grabbing volatile memory might be forgiven and certainly isn't a crime. But it certainly might have garnered more evidence. However, actually using the computer while imaging the drive seems to me to be a bit more egregious.

I know, it's just a show. And the plot has to move to fit the hour timeslot. But still. It's a little tough to watch the obvious gaffes. I'm sure the other forensic professionals see the issues particular to their discipline.

Monday, October 5, 2009

Updated post on icat

I just updated the post on file name finding with icat. I'm working on a practical assignment and I went back over my post, and can't figure out what I was writing. So, the post has been updated for clarity.

Tuesday, September 22, 2009

Crawling out from the paperwork to check the air

It's been a busy couple of weeks. I went on a testing trip that I truly consider a boondoggle. I think the company sent us on the trip just to maximize revenue for the overall project. The problem is, I think the client called the company's bluff. As such, they've demanded a ton of documentation; not that we don't have the data, but the client isn't the most helpful. That, and I'm finishing up documentation for a system we tested almost three months ago. But, there's light at the end of the tunnel, I've already got my next project; a nice big, fat juicy LAN to test.

On the forensics front, I'm in the middle of recovering mp3s from a friend's external usb drive that had crashed. I'm using foremost, and getting great results. I'll write that up when I'm finished.

Wednesday, September 9, 2009

Using Sleuthkit tools to recover pictures from a camera's flash card

We finished discussing the Sleuthkit tools in class the other week, and had an exercise to reinforce the concepts. A little while ago, I had a friend ask me if I could recover images from their camera's flash card. After completing the discussion on the Sleuthkit tools, I thought I would give it a whirl.

First, I imaged the card; it was two gigs, and easily fit on my external evidence drive. (My first imaging attempt didn't go so well: I imaged if=/dev/sdf... I should have imaged if=/dev/sdf1. The file system type was unknown until I re-imaged it. The card is using a FAT file system. And by the way, to know that I didn't image properly the first time, I ran fsstat on the image, and fsstat couldn't determine the file system type. I knew I was cooking with gas when I re-imaged properly the second time and fsstat showed FAT, and the pertinent info on the file system.)

After imaging, I ran: sorter -h -s -m K: -d /images/windowsforensics/sorter /mnt/usb/flashcard.img

Bingo! I had about 185 images returned. My friend was only looking for 25 or so, and was thrilled to get them all back.

Tuesday, August 25, 2009

Using strings to find file names

This is just another mental note, detailing a manual process to find a filename when you have a string. It's yet another great process, albeit manual. We've just gotten to Autopsy in the class, and the automatic process of performing the tasks that we've learned about doing manually. I kind of like these manual processes because you really see what's going on at each step. I'm sure I'll change my tune once I have to perform the tasks on a huge hard drive with many many files. Anyway.

For this example, I'm using "MYGROUP" as the string that we're searching for. "sample.img" is the dd image that was created of the filesystem.

  1. First, create a strings file from the .img file (the -t d switch prints each string's decimal byte offset): srch_strings -a -t d sample.img > sample.asc
  2. Now, we can grep for a particular string: grep MYGROUP sample.asc This will return the offset of the string. There could be more than one hit, so you may have to run the process a couple of times; steps 3-7 would be repeated for each offset.
  3. Now we need to find the original_block_number. To do this, we divide the offset from step two by the default blocksize of the filesystem (integer division, dropping the remainder). To find the default blocksize, I run the following command: fsstat sample.img | grep "Block Size:"
  4. Now, I usually check that the block number from step 3 actually has data. I run: blkcat sample.img original_block_number
  5. To find the inode_num that the block number from step 3 points to: ifind -d original_block_number sample.img The result will be the inode_num.
  6. To ensure that the inode number points to blocks: istat sample.img inode_num
  7. Finally, we can use the inode number to pull the file name that we're looking for. Run: ffind sample.img inode_num
These steps will find the file name that contains a particular string that we pulled out of the string file.

edit 10-5-09: I went back through these directions and they were written pretty badly. So, I've updated them for clarity.
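The manual process above, scripted end to end as an added example (not from the original post): one function per step, with the parsing and arithmetic helpers testable without an image. It assumes The Sleuth Kit tools (srch_strings, fsstat, ifind, istat, ffind) are on PATH when find_names_for_string runs, and an ext-style image where fsstat reports "Block Size:" as in the post.

```shell
#!/bin/sh
# Added example, not from the original post: automates steps 1-7 with
# The Sleuth Kit. Assumes srch_strings, fsstat, ifind, istat and ffind are
# on PATH when find_names_for_string is called, and an ext-style image
# where fsstat reports "Block Size:" (as in the post). The helper
# functions are pure shell and can be exercised without an image.

# Step 3: integer block number for a byte offset (remainder dropped).
block_for_offset() {
    # $1 = decimal byte offset (srch_strings -t d), $2 = block size
    echo $(( $1 / $2 ))
}

# Step 2: read srch_strings -t d output ("offset string") on stdin and
# print the offset of every line containing the fixed string $1.
offsets_for_string() {
    grep -F -- "$1" | awk '{ print $1 }'
}

# Read fsstat output on stdin and print the block size (step 3).
blocksize_from_fsstat() {
    awk '/^Block Size:/ { print $3; exit }'
}

# Steps 1-7 end to end, repeating 3-7 for every hit of the string.
find_names_for_string() {
    img=$1; pat=$2
    bs=$(fsstat "$img" | blocksize_from_fsstat)
    [ -n "$bs" ] || { echo "could not read block size from fsstat" >&2; return 1; }
    srch_strings -a -t d "$img" | offsets_for_string "$pat" |
    while read -r off; do
        blk=$(block_for_offset "$off" "$bs")
        # ifind -d maps a data unit to the inode that allocates it; it prints
        # "Inode not found" for unallocated (e.g. deleted) data.
        ino=$(ifind -d "$blk" "$img")
        case $ino in
            ""|*"not found"*) echo "offset $off -> block $blk: no owning inode"; continue ;;
        esac
        # istat should list this block under the inode (step 6); ffind names it.
        istat "$img" "$ino" | grep -qw "$blk" ||
            echo "warning: block $blk not listed by istat for inode $ino" >&2
        echo "offset $off -> block $blk -> inode $ino -> $(ffind "$img" "$ino")"
    done
}

# Constructed sample of srch_strings -t d output, for offline use of the parser.
SAMPLE_STRINGS='   8200 MYGROUP = forensics
  12345 nothing relevant here
  20480 members of MYGROUP'

# Usage: sh find_by_string.sh sample.img MYGROUP
if [ "$#" -ge 2 ]; then
    find_names_for_string "$1" "$2"
fi
```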

Thursday, August 20, 2009

Using icat to recover deleted files

We had a great class the other night, and one topic we discussed really jumped out at me. So, I'm organizing my notes in hopes that a) I don't forget what I learned, and b) these notes can help someone else. We were discussing methodologies to return data from the file system at the logical and physical layers. Here's one set of procedures we followed:
1. Image the hard drive.
2. Create a time line (a two-step process):
a. For unix, run: fls -m / -r /path/to/file.img > /path/to/file.bodyfile
For windows, run: fls -m C: -r /path/to/file.img > /path/to/file.bodyfile
b. run mactime -d -b /path/to/file.bodyfile > /path/to/timeline_name.csv
(I'm partial to the "-d" switch to produce a time line that's in a csv format.)
3. As you search through the time line, you can look for orphaned and deleted files. Note the ones you would like to potentially recover, and be sure to jot down the inodes associated with those files.
4. Run icat, passing the inode number: icat -r /path/to/file.img [inode_number] > unknown_file
5. run: file unknown_file -- this will give the file type (if it is determinable)
6. run: strings unknown_file -- this will show any of the readable strings in the file (send to a file if you need to do further investigation, or there is a lot of data.)

Cool, cool stuff. icat is part of The Sleuthkit.
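The same procedure scripted, as an added example that is not part of the original post: the fls/mactime time line from step 2, then fls -d to list the deleted entries that step 3 has you pick out by hand, and icat -r, file and strings per inode for steps 4-6. It assumes The Sleuth Kit tools are on PATH when the recover_* functions run and that fls prints entries as "type [*] address:<TAB>name" with "*" marking a deleted entry; deleted_entries is a pure parser and runs offline.

```shell
#!/bin/sh
# Added example, not from the original post: scripts the procedure above
# (fls/mactime time line, icat recovery, file, strings). Assumes The Sleuth
# Kit tools are on PATH when the recover_* functions run. The fls output
# format assumed is "type [*] address:<TAB>name", "*" marking a deleted
# entry; deleted_entries is a pure parser and needs no image.

# Step 2: body file plus csv time line (mactime -d), like the post.
make_timeline() {
    img=$1; root=$2; body=$3   # root is "/" for unix, "C:" for windows
    fls -m "$root" -r "$img" > "$body" && mactime -d -b "$body"
}

# Step 3 automated: read fls output on stdin, print "address<TAB>name" for
# deleted entries only. Handles the "+ " nesting from -r, NTFS addresses such
# as 12-128-3, and the "(realloc)" suffix fls adds to re-allocated entries.
deleted_entries() {
    awk '
        BEGIN { FS = "\t" }
        $1 ~ /\*/ {
            n = split($1, f, " ")
            addr = f[n]
            sub(/[(:].*$/, "", addr)      # "61(realloc):" -> "61"
            print addr "\t" $2
        }'
}

# Steps 4-6 for one inode: icat -r, then file, then strings to a side file.
recover_inode() {
    img=$1; ino=$2; dest=$3
    icat -r "$img" "$ino" > "$dest" || return 1
    file "$dest"
    strings "$dest" > "$dest.strings"
}

# Recover every deleted entry fls can still see into outdir.
recover_deleted() {
    img=$1; outdir=$2
    mkdir -p "$outdir"
    tab=$(printf '\t')
    # -r recurse, -p full path, -d deleted entries only
    fls -r -p -d "$img" | deleted_entries |
    while IFS="$tab" read -r ino name; do
        dest="$outdir/inode_${ino}_$(basename "$name")"
        recover_inode "$img" "$ino" "$dest" || echo "icat failed for inode $ino" >&2
    done
}

# Constructed fls listing for trying deleted_entries without an image.
SAMPLE_FLS=$(printf 'r/r 12:\tnotes.txt\nr/r * 47:\tbudget.xls\n+ d/d * 55:\ttmp\n+ r/r * 61(realloc):\told_report.doc\nr/r * 12-128-3:\tpagefile.sys\n')

# Usage: sh recover_deleted.sh image.img /path/to/outdir
if [ "$#" -ge 2 ]; then
    recover_deleted "$1" "$2"
fi
```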

Thursday, August 13, 2009

Windows Vista - and Gold Disks, part 2

Our ACA sent out a note that the Army had pushed forward with Vista. All systems are supposed to upgrade to Vista by December 2009. Any systems that have machines that are not AT LEAST Vista (or do not have a waiver) could be disconnected. Of course, I foresee many systems experiencing problems with the idiosyncrasies of Vista, but that’s another story. Further, any system that has accreditation will not need re-accreditation, according to the ACA.

The latest version of the Gold Disk came out in June. I noticed on my last certification trip that it checked for many many more controls than the prior version of Gold Disk that I used. A little inspection of the documentation revealed that Gold Disk now works on Vista. And, the latest Vista checklist states that the Gold Disk is acceptable to use when testing a Vista machine. So, I plopped it in my laptop to see what would turn up. Note that my laptop is configured to corporate policy, and is not even close to DoD STIGs.

Gold Disk completed its analysis successfully, and I created the XML to take a look at what it found, and what was not reviewed. As expected, there were plenty of findings, along with configurations that were correctly set. I was most interested in what was not reviewed as those tests would be the pain points when out testing other systems; those tests would have to be performed manually. Following are some of the checks that were "Not Reviewed" when I ran the Gold Disk. Where practical, I’ll attempt to list what the Vista Checklist has to say. The checklist is Version 6, Release 1.12, Dated 26 June 2009.

· Physical Security – V0001070 - manual

· Shared Accounts – V0001072 - manual

· System Recovery backups - V0001076 – manual

· Registry Key Auditing - V0001088 – unable to determine why this check was not performed

· Legal Notice is Not Configured – V0001089 – I’m guessing this is because the setting is in the Security Policy > Local Policy, so GD did not pick it up. (We have a banner on our laptops, it may be set by a Group Policy.)

· Security Configuration Tools – V0001128 – Again, I think this has to do with Group Policy.

· Strong Password Filtering – V0001131 – I think GD has not been updated for this check, as it seems like a registry check. (And the checklist still references the fact that GD doesn’t work on Vista.)

· Access To Windows Event Logs – V0001137 – I’m not sure why this is not checked.

· Users With Administrative Privilege – V0001140 – obvious.

· Enable Strong Password Filtering – V0001150 – I think this is like V0001089.

· Service Object Permission – V0002371 – looks manual. I thought it was checked on XP systems, though.

· Disable Reversible Password Encryption – V0002372 – Local security policy

· Unencrypted Remote Access – V0002908 – looks like a manual check

· Anonymous SID/Name Translation – V0003337 – manual security policy check

· Anonymous Access to Named Pipes – V0003338 – manual security policy check. (Though I thought this worked in XP, so it must be a Vista security change.)

· Remotely Accessible Registry Paths – V0003339 – manual registry inspection

· Anonymous Access To Network Shares – V0003340 – manual security policy check.

· Internet Information System (IIS) – V0003347 – manual check

· Security Related Software Patches – V0003828 – manual check

· Remotely Accessible Registry Paths and Sub Paths – V0004443 – manual registry check

· DCOM – Authorization Level – V0006825 – need the command line to check

· DCOM – RunAs Value – V0006830 – manual registry check

· Audit Configuration – V0006850 – manual security policy check

· A boat load of IAVMs

· Backup Administrator’s Account – V0014224 – manual

· Administrator Account Password Changes – V0014225 – policy check

· Hide Computer – V0014231 – I’m not sure why this isn’t checked. I know MSS checks are performed against XP.

· IPSec Exemptions – V0014232 – see above

· A whole bunch of UAC settings – these require a manual security policy check

· There were a bunch of Desktop Application checks – that seem to be related to Vista’s security architecture.

· A bunch of Windows Firewall checks were not reviewed. These look like registry settings. I don’t know if the Gold Disk couldn’t get access to the registry key, or if it is because our laptops use a 3rd party firewall.

· There were some other findings, but as I look at them, I’m not sure if it is Vista, or my specific machine.

As I test more machines, I’ll get a handle on why some of the findings are manual checks.

Wednesday, August 12, 2009

How To Image a hard drive

This is mostly a mental note for myself. Personally, it's one of the questions I was most looking forward to having answered in the SANS 508 class; and it was finally answered. I have other questions, but this one I was most looking forward to.

As I've learned in class, there seem to be three basic scenarios: a drive is handed to you to image (dead acquisition), using Helix (you need to copy a drive from a machine but you can't take the drive), and finally imaging a drive where the machine can not be shut down (live acquisition).

1. When the drive is handed to you:
  • Attach drive to the system. Use SIFT or Helix. Use write-blocker if available.
  • run fdisk -l to see new (acquisition) drive
  • attach external USB drive as target drive
  • run fdisk -l to see usb drive
  • mkdir /mnt/usb
  • mount USB to filesystem (ntfs-3g -o force /dev/"usbdrive" /mnt/usb)
  • dc3dd if=/dev/"acquisition drive" of=/mnt/usb/name.img progress=on hash=md5 hashlog=/mnt/usb/name.md5
2. When the drive is in the machine, but it can't be removed:
  • Know that the system is going to be rebooted and there will be loss of volatile evidence
  • Boot the machine with Helix
  • run fdisk -l to see the acquisition drive
  • attach external USB drive as a target drive
  • run fdisk -l to see the usb drive
  • mkdir /mnt/usb
  • mount USB to filesystem (ntfs-3g -o force /dev/"usbdrive" /mnt/usb)
  • dc3dd if=/dev/"acquisition drive" of=/mnt/usb/name.img progress=on hash=md5 hashlog=/mnt/usb/name.md5
3. Live Acquisition
  • This will be a snapshot of the system, because the system will stay up
  • Will be able to gather volatile evidence first
  • Attach USB to system
  • You will have to have a copy of dc3dd to run (cd, usb)
  • dc3dd if=/dev/"acquisition drive" of=/mnt/usb/name.img progress=on hash=md5 hashlog=/mnt/usb/name.md5
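The dc3dd step from scenarios 1 and 2, wrapped as an added example (not from the original notes) with the check the notes leave implicit: after acquisition, recompute the image's MD5 and compare it with the digest dc3dd wrote to the hashlog. It assumes dc3dd writes the MD5 as a 32-hex-digit word somewhere in the hashlog (no particular line layout), and that dc3dd, md5sum and blockdev are on PATH when acquire is called.

```shell
#!/bin/sh
# Added example, not from the original notes: wraps the dc3dd acquisition
# used in scenarios 1 and 2 above and verifies the resulting image against
# the hash dc3dd logged. Assumes dc3dd puts the MD5 digest in the hashlog
# as a 32-hex-digit word (the exact line layout is not assumed), and that
# dc3dd, md5sum and blockdev are on PATH when acquire is called.

# First 32-hex-digit word in a hashlog, lower-cased.
hash_from_log() {
    grep -o -w -i -E '[0-9a-f]{32}' "$1" | head -n 1 | tr 'A-F' 'a-f'
}

md5_of_file() {
    md5sum "$1" | awk '{ print $1 }'
}

# Succeeds only when a logged hash exists and matches a fresh hash of the image.
verify_image() {
    img=$1; log=$2
    logged=$(hash_from_log "$log")
    actual=$(md5_of_file "$img")
    [ -n "$logged" ] && [ "$logged" = "$actual" ]
}

# dc3dd acquisition (the command from the notes), followed by verification.
acquire() {
    src=$1; name=$2; target=${3:-/mnt/usb}
    # blockdev --getro prints 1 when the kernel sees the device as read-only.
    # A hardware write blocker is invisible here, so only warn.
    if [ "$(blockdev --getro "$src" 2>/dev/null)" != "1" ]; then
        echo "warning: $src is not marked read-only; check the write blocker" >&2
    fi
    dc3dd if="$src" of="$target/$name.img" progress=on hash=md5 \
          hashlog="$target/$name.md5" || return 1
    if verify_image "$target/$name.img" "$target/$name.md5"; then
        echo "verified: $target/$name.img matches $target/$name.md5"
    else
        echo "HASH MISMATCH for $target/$name.img; do not trust this image" >&2
        return 1
    fi
}

# Usage: sh acquire.sh /dev/sdb evidence01 /mnt/usb
if [ "$#" -ge 2 ]; then
    acquire "$1" "$2" "$3"
fi
```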

Acceptable Use Policy and Privacy

We discussed the issue that I've linked to (below) in my 508 class last night. The gist of the story is that a woman is suing her company. As she was about to leave her company, she used her personal web-based email to communicate with her lawyer. The company recovered her emails in a forensic investigation. She claimed that the company's acceptable use policy said that reasonable use of the internet was ok, and as such, she should have been afforded privacy. An appellate court agreed with her.

Here's the story.

I brought this up at the company I'm working at, and the CIO said "no way, couldn't happen." I think companies need to take a hard look at their acceptable use policies if this appellate court decision is going to stand. Further, if it does, look for casual, reasonable use of the internet to disappear; which probably won't sit well with employees.

Monday, July 27, 2009

Getting into a Gold Disk-locked laptop and scanning a laptop not set up with network connectivity

Back from testing. It was a packed couple of days, and we worked in a pretty tough environment. Anyway, we had two sets of laptops that Retina could not scan, as it couldn't connect to the registry; even when we had the correct admin user name and password.

In the first case, we needed to scan two laptops that were not connected to the network. We had crossover cables, and we tried running the scans; each time though, we couldn't connect to the registry. My co-worker came up with a good trick. Because the laptops were in a workgroup, we were able to run the network setup. From there we ran the wizard, picked home network, but didn't actually set up anything. The process installs and starts the "server" service which allows the sharing of the drive. After that, we were able to run our scan and connect to the registry.

The second case presented an interesting problem. Again, we couldn't connect to the registry. However, this time, a little investigating turned up the cause. The client had run Gold Disk on the machine, and immediately clicked "remediate" when Gold Disk was finished. Yep, they locked up the box something good. Logging in to the machine from the network was not possible. To fix this, we went to Control Panel -> Administrative Tools -> Local Policies -> Security Options. From there, allow network login access.

Friday, July 17, 2009

Exchange 2003/2007 benchmark tool?

I've got a testing engagement next week, that covers lots of technologies. One type of server we will be testing that we normally do not test is an Exchange server. As of today, the DISA checklist is in draft. That will help us out. However, while searching for further guidance, I came across CISecurity's benchmark page. They have a page dedicated to Exchange and it appears that they had a tool at one time, but there is no longer a link to the tool.

Does anyone have a tool that will run against an Exchange Server looking at Exchange specific issues? Certainly, the server will have Gold Disk, Oval and Retina run against it looking for vulnerabilities, but I'm looking for something more targeted.

Friday, July 10, 2009

Reading List

I'm just starting the SANS 508 class in the @Home format. That will prevent me from doing as much reading as I would like. And, in the class, we'll be reading File System Forensics (which I can't wait to delve into.)

After that, my list looks like:
Perl Scripting for Windows Security by Harlan Carvey
Windows Forensics Analysis (2nd Edition) by Harlan Carvey
SQL Server Forensic Analysis by Kevvie Fowler
Windows Internals: Including Windows Server 2008 and Windows Vista, Fifth Edition by Mark Russinovich and David A. Solomon
SQL Injection Attacks and Defense by Justin Clarke
The Web Application Hacker's Handbook: Discovering and Exploiting Security Flaws by Dafydd Stuttard and Marcus Pinto
The Seven Deadliest Web Application Attacks by Mike Shema
Hacking Exposed Web Applications (2nd Edition) by Joel Scambray, Mike Shema, and Caleb Sima

edit 7-13-09 to add SQL Server Forensic Analysis
edit 9-1-09 to add Windows Internals
edit 12-5-09 to add SQL Inject Attacks and Defense
edit 1-7-2010 to add The Web Application Hacker's Handbook
edit 3-3-2010 to add the Seven Deadliest Web Application Attacks
edit 3-27-2010 to add Hacking Exposed Web Applications

I'm still alive....

I've been away on a week's vacation. And I've spent this week reconnecting to the real world. So, that's why there have not been any posts for a bit. A couple of odds and ends:

  • The books and materials for the SANS 508 class have been arriving over the last two days. I must say, I feel like it's Christmas time, and I can't wait to tear into them. If you've never taken a SANS class, I highly recommend it. I took 504 with Ed Skoudis, and I'll be taking 508 with author Rob Lee.

  • 363 days (or so) until the next WhatWorks Summit in Forensics and Incident Response. I'm using this year's training budget to take the 508 class. Many of my co-workers are using their training budget by going to Black Hat / Defcon. Next year, my money is going to the Summit. I've missed it the last two years, I don't want to miss it again. I'm already starting to read reports on this year's summit in the blogosphere.

  • With regards to my own company, I'm really pushing to get into the corporate environment. I've done a lot of residential work, and while it pays the bills, it's not where my heart is. First stop is to revamp the website, then jump into the marketing (yuck.) I'm hoping it will pay off.

So, I expect to busy for a bit. I've got a testing trip coming up, and another potential trip in August. I hope to keep making time to write up my thoughts.

Tuesday, June 23, 2009

Closing a port / killing a process using WMIC

This is really just for my memory's sake. I'm writing this up as I've just recently had to perform these steps a couple of times. For 99% of the readers, this is old hat. Here's the situation:

You have a port that's open and you want it closed, or, you have a process running that you can not kill. Here are the steps I've followed:

netstat -naob (use on XP Pro or newer...I don't think the 'b' switch is available in the home edition.)
Find the port that's open or the offending process.

wmic process list brief
This will list the processes and their process IDs.

wmic process [processid] delete ...and it's gone.

WMIC...hugely powerful. I've mentioned it in posts here and here.

Gold Disk and password policies

The other day, a bunch of us were talking about the Gold Disk and how we mitigate for any false positives that are returned. One area that produced some discussion were password policies. Currently, I believe that the Gold Disk looks for 10-character passwords, as per policy. Army policy enforces 14 characters, at a minimum. So, while testing an Army system, Gold Disk could find a 12-character password, and pass the control. Without further review, the auditor would never know that the finding is actually a failure (with regards to the Army.)

That said, I created a little script that I'll try on my next engagement. The script idea came from a posting on the phenomenal Command Line Kung Fu blog. At a prompt:

net accounts > %computername%-AcctSecPolicy.txt

Or, if you want domain-level policy:

net accounts /domain > %computername%-DomAcctSecPolicy.txt

A quick breakdown: net accounts returns the overall general security settings for all accounts. The /domain switch will grab the same information on the domain level. Then, I shoot the output to a file that starts with the name of the computer (that's the %computername% environment variable.) This way, I can grab the results from the computer, along with the Gold Disk data. Later, I'll have the data to analyze along with the Gold Disk data, and I'll know which system it came from.

Sunday, June 21, 2009

Auditing Exchange Server for vulnerabilities?

I have an engagement coming up where we'll have to audit some Exchange servers. Currently, the DISA Exchange checklist is in draft. Yes, we'll be running Gold Disk on the servers, and we'll be running Oval to check the patches. However, is there any other guidance for auditing Exchange?

As I find other options, I'll post them here. And of course, I'll write up our methodology after the trip.

Edit: NSA Exchange guide

Unfortunately, CIS doesn't have a tool for Exchange.

Wednesday, June 10, 2009

Symantec Endpoint Protection shutting down network scans - FIXED

One of my co-workers fixed our issue with Symantec Endpoint Protection shutting down our network vulnerability scanning. To do so, we uninstalled the "Network Threat Protection" feature on the test laptops; leaving the anti virus. Also, the "Application and Device Control" option was removed from the installation as it relies on the "Network Threat Protection" feature.

Here's a write-up from Symantec.

Tuesday, June 9, 2009

U.S. Army servers breached

ZDNet has an article on U.S. Army servers being breached by hackers. I've written before about the project I last worked on; acquiring data in order to certify applications that are moving off an army base. The problem discussed in the article is pervasive, and I think we did a good job of helping the developers and admins find some of these potent vulnerabilities and get them on their road to recovery.

I hope to get up a post on our methodology for completing the task. Hopefully, I can get some positive and negative feedback.

Thursday, June 4, 2009

Symantec Endpoint Protection and network scanning

Two of my co-workers returned from a small engagement this week. We had just upgraded our test laptops with Symantec Endpoint Protection. (Minor back-story: We had been using Symantec Anti-virus. When we updated the Retina definitions, a vulnerability was found in the Symantec reporting agent. We couldn't upgrade the AV because we didn't have licenses. Grrrr. Corporate had to grab SEP licenses.)

Ok, so my co-workers were at a client site; having to scan a small number of workstations. They couldn't get Retina to reach ANY client machine. It seems, SEP was monitoring the NIC and assumed that the test laptops were under attack due to the high volume of packets leaving the machine and the type of traffic that was coming in and out of the laptop. It appears that the IDS shut down the NIC. NMAP was having trouble. Simple pings had problems after the IDS shut the NIC down. The ultimate solution was to uninstall SEP after getting network accreditation to test.

Is this a known issue? Has anyone else experienced this? Fortunately, they did not have to use the web application vulnerability scanner, as I'm sure it would not have worked either.

Emergency Testing Engagement - not so much

Well, I haven't been testing. What was supposedly an emergency is turning into a farce. It turns out that I have no idea when I'll actually test this system, if ever. Our project lead (that we contract for) seems to think the customer is trying to get out of testing. My manager thinks the customer is in denial. I think he's somewhat ignorant, and maybe a little arrogant. Consider:

In going through the Application Security and Development Checklist with him, he proceeded to tell me that they do not have any code, just HTML. "They don't have any code, like C++ or the like." I tried to explain that HTML contains code, but he wouldn't hear of it. I was also told that they do not have incidents, and therefore do not have or need an Incident Response Plan. Some other quotes I received were: they "don't get security flaws" and they've "never seen patches pushed out" for their code hosting tool.

I've been directed to write up a DIACAP based on the interviews we've had, and the results of some of the SRR scripts that they are running. I've asked them to Gold Disk their servers in order to grab the IIS information; and run the MS SQL Server scripts against their database in order to grab database configs. Yeah, I know it's not the most complete, but I don't have much choice. As it is, the answers I've been getting are not that great, so I can't see too favorable an outcome from this.

Wednesday, May 20, 2009

Emergency Testing engagement

So, I walked into work today and found out I have to go out testing next week. We've been in the middle of a huge effort to certify web applications before they move off base. There is one application that is housed at a base in Virginia. Supposedly, one of the other guys was going; but once the date got changed, I was next in line.

The application is a big financial application, and what gets me is they want me to test in production. Which is nuts. The tool we use to find SQLi and XSS vulnerabilities will litter the database with garbage data. So, I have my work cut out for me to figure out how to test this application.

I forgot to post that I've signed up for the SANS 508, Computer Forensics, Investigation and Response; in the @Home format. This is the same format as the 504 class I took. As a bonus, Rob Lee, the course author is teaching the class.

I am thinking about using it at work, maybe opening an IR or a forensics "division."

Forensics, and IR, are probably my favorite disciplines in the security field.

Policies? What Policies?

At the company, we have weekly meetings to hear various tidbits that apply to the whole company: nuances like filling out time sheets, travel requests, and other bits of "administrivia." At this past week's meeting, it was brought up that a "rogue" server was pulled off the network as it was not installed and configured per the "corporate policies." The offending party complained that there ARE NO policies. Certainly, on our intranet page, there is a link to the policies. But, upon clicking the link, there are no actual policies listed. Interesting.

Recently, we've had a new email and records retention policy put in place. This policy was distributed as a .pdf, but is still not linked on the intranet page of policies. I'm certainly not a lawyer, but I would think the company would want to get those policies up in a public place, pronto. It's only a matter of time before the company gets tested on them.

And for the record, I had nothing to do with the server.

Sunday, May 17, 2009

A backup strategy that does not work

I preach to my clients that backing up is crucial. And, they should think out their backup strategy so that there is not one single point of failure. The school system I work with used to round-robin their backups between their servers. They have since moved to a backup vendor that stores their backups off site. Good thing, as problems like the one I've snipped from Slashdot can occur:

"Flight Simulator community website Avsim has experienced a total data loss after both of their online servers were hacked. The site's founder, Tom Allensworth, explained why 13 years of community developed terrains, skins, and mods will not be restored from backups: 'Some have asked whether or not we had back ups. Yes, we dutifully backed up our servers every day. Unfortunately, we backed up the servers between our two servers. The hacker took out both servers, destroying our ability to use one or the other back up to remedy the situation.'"

Sunday, May 10, 2009

Security Content Automation Protocol from NIST

The other day, our ACA sent us an email with directions to start reading up on SCAP from NIST. There was not much guidance, or further recommendations; just that we should start reading up on it. I took a quick gander at it, and I'm not quite sure what it means for me, yet. However, I did find some cool documents to start reading:

  • Cell Phone Forensic Tools: An Overview and Analysis Update
  • Cell Phone Forensic Tools: An Overview and Analysis
  • Forensic Filtering of Cell Phone Protocols
  • Guidelines on Cell Phone Forensics
  • Guide to Integrating Forensic Techniques into Incident Response
  • Guide to Malware Incident Prevention and Handling
  • Computer Security Incident Handling Guide

There were lots of other documents there, I've just linked to the ones that caught my attention and have my interest. Looks like I have some reading to do.

Friday, May 8, 2009

GCFA - thinking about it

I'm pretty sure I want to go for my GCFA. SANS is running a great deal. First, Rob Lee is teaching the class in the @Home format. I took the GCIH with Ed Skoudis in that format. The format is great (@Home is a great learning environment) and I like taking the course taught by the course author. And second, I received a voucher for 25% off. That seems like a great deal, if not a sign I should be taking the class. All that said, computer forensics (and IR) is where my heart lies, in the security field.

I've gotten my manager's approval. It will mean putting off studying for the CISSP, which I don't really have my heart in right now. And, I may need to push for a "career-path" so to speak at the job. Would I do inside incident response and forensics? Or, would the company start exploring IR and forensics for its normal clients?

Either way, it's looking like I'm going to go for it.

Thursday, April 30, 2009

Using AppDetective to audit a MySQL database

I'm still in the middle of a big project testing web applications. Most of the databases have been SQL Server or Oracle. Believe it or not, we've run into some Access databases as well. And I'll admit, I did not know that Access could be used as a back-end to a web application. Yesterday, I had to test a MySQL database. The DoD has not put out a specific checklist for MySQL, and there are not SRR Scripts for MySQL either.

We did have AppDetective, though. We've run into many issues with getting AppDetective to audit Lotus Notes databases, so I was a little worried. But, I'm happy to say that it was pretty straightforward and I got good results back.

To do this:

  • Fire up AppDetective.
  • Add an application:
    • Fill out the DNS Name / IP Address.
    • On the Port tab, pick MySQL (and the correct version). For my test I was able to leave the default port, but you could add the port if it is not on the default.
    • On the Platform tab, select the platform that the application is running on.
    • On the Miscellaneous tab, I added the version of MySQL.
  • Once the application is added to the right pane in AppDetective, expand the + signs until you reach your application.
  • Right-mouse click on the app, pick Audit with..., then choose your audit policy.

(Of course, you could run a Pen Test, or pick any number of audit policies.) I chose Strict.

  • The AppDetectivePro - Run Audit window will pop up.
  • Right-mouse click in the username/password frame. At this point, you can fill in the username and password combination that will grant you the access you need. I always test the DB connection, just to make sure everything connects and works.
  • Click OK.
  • Then, click the Run Audit button to start the test.

If I've left anything out, leave it for me in the comments, and I'll update the post.

Wednesday, April 22, 2009

Information Security Magazine - update

Well, I got an email the other day, to download the latest issue of Information Security magazine. I didn't know it went digital. So, at least I've caught up with the magazine. However, it would have been nice to know that the magazine was moving to a digital format. I never saw anything in print or an email.

Sunday, April 19, 2009

2009 Verizon Data Breach Report

I forgot to write about this. I saw that the 2009 Verizon Data Breach report was out. This is a report I almost always read because it is interesting, concise, and full of validated data. Mainly, the fact that there are hard numbers to back up the real-world claims gives the paper credence. This is not just media spin doctoring. Or biased claims by any one company. Sure, any point could be countered, but with the amount of data collected and the source, there has to be some validity.

I have the paper downloaded, I just need time to spend reading and digesting.

To do, to do....

I haven't written much lately. Partly, I haven't had the time. As I've alluded to, I've been busy on a huge project, working to help certify applications that are moving from the local fort to wherever they are going. It is very time consuming because there just are not enough resources to run the project smoothly. My manager decided to hire a bunch of employees to help with the workload. Not a bad idea, except they are all new to the security field. (One guy has his CISSP, yet has never worked in a security domain, and has ZERO security experience.) I believe it is just a case of the company bidding on a contract that would bring in much revenue without really thinking about how we would accomplish it. (And, one of the tools that is central to our testing is not the best; I'd almost say it's not ready for prime time; and it is not one of ours.)

So, we're continuously behind the proverbial eight-ball. Working long hours. And dealing with clients that are less than enthusiastic to have us there.

But then, I've been thinking of going in a different direction. Forensics has been the siren song in my head for a very long time. It's part of the reason that I left the old company; I wanted to work in computer forensics on my own. (To say nothing of the LACK of security at my old job.) Where I'm at now does not have a forensics group. They don't have an incident response group. Besides the IA we perform, there is a small group that does commercial testing, more of a pen-testing group.

What to do? What to do?

If I move towards forensics I could attempt to push forensics into the company. But, are there DoD engagements where they would need CF? Or, do I push to create a forensics group that would be internal to the company and only serve the company? Is there even a need? (I suspect "yes", but would it get funded? The ultimate question.) Or, do I start casting an eye elsewhere?

And, further at issue, I should really make a push for the CISSP. I'm not really a huge fan of it. Not that it is a bad certification. If I stay in the company I'm at, I'll probably need it sooner or later as the DoD somewhat worships it. But does it align with MY goals? I'm not sure. It certainly wouldn't hurt.

You could say I'm Lost In The Flood. At least Bruce has been putting on some great shows.

Writing is therapeutic. I might scribble some more in order to clearly think about my options, goals, and ambitions.

Cool gadget bag

I saw this post on Gadget Lab. This bag would make an awesome jump bag. The only thing I can't figure out is if a laptop would fit in it. But, boy, you could probably pack a lot of gear in there.

(granted, I don't carry bullets, but still.)

Friday, April 3, 2009

Shhh, Don't tell anyone....

I finally signed up for Facebook. I spent a good hour and a half figuring out the privacy and security settings. I may have been a bit paranoid, and I may have to start relaxing the settings. We'll see.

Conficker Eye Chart

I found a great link to the Conficker Eye Chart, with instructions on how to use it. I would say that it is accurate as of this writing. As we know, Conficker has a new method to update itself, and may mutate to make the Eye Chart worthless. However, for the time being, this seems to work.

Link here.

Saturday, March 28, 2009

SANS Application Security Summit

Since we have a huge contract to certify and accredit a bunch of web applications (like 90) before they move to their new site, I thought this SANS summit might be a good idea. Traditionally, we test tactical systems or networks; but because of this contract we've had to adapt to application security testing.

We're getting a process down, after our first couple of applications. Since we're not too worried about the hardware and operating system (we don't have any control over where they are moving to), we've been concentrating on the databases, the web server (site based), and the Application Development STIGs. We test the actual database with a tool, and we crawl the code with a tool. The deadlines are insane, and the clients are not the most helpful. But I don't have to travel and the work is different.

Thursday, March 26, 2009

Information Security Magazine - What Happened?

Quite a while ago, I subscribed to Information Security Magazine, mostly after hearing that one of my class teachers wrote for the magazine. Then, towards the end of last year, I moved my office. In doing so, I notified the magazine that I was changing my address. Ever since, I have not received a single copy of the magazine. I called after two months and was told I could get one back issue free, and that the magazine would be delivered as normal. Since then, nada. I liked the articles, the authors were great, and I always learned something new.

Has this happened to anyone else? Did the magazine eventually start being delivered? I'm just curious.

Wednesday, March 25, 2009

Facebook Security/Privacy

Ok, so I'm probably the only person on the Earth who has not signed up for Facebook. At least, if you listen to my friends, it would seem that way. I've just been reluctant. I maintain a bunch of other blogs, am starting to study for the CISSP, and am trying to manage my own company. It's not like I have a lot of extra free time. I've heard a bunch about possible security/privacy issues, and it is one less headache I've wanted to mitigate.

Really, I'm not into the applications, the wall, posting pictures, etc., etc. I try to keep as low a profile on the web as possible. However, the ability to connect with some old friends would be great.

So far, I've only found one really good site for Facebook Security:
(edit: found another buried deep in my feed reader)
Are there other good sites?

Wednesday, March 18, 2009

Open Source (or free) Web Application Vulnerability scanners

We're experiencing some issues with our web scanning tool; it seems to be dying on some types of applications. Either that, or it will finish the scan, but not generate the reports. So, a co-worker and I are looking at some Open Source or Free web application vulnerability scanners. If anyone has a comment on any of the products, I'd be interested in hearing them.

  • Wikto
  • Acunetix
  • N-Stalker - it looks like the free version has a limited number of checks and will only scan 100 pages within the target application.
  • Sandcat - it appears that the professional edition includes session resume support, full vulnerability information, report generator, and auto updates.

I wanted to mention Jeremiah's post where he mentions two reviews on App scanners.

Tuesday, March 17, 2009

How Undersea Cables are Repaired

I've mentioned undersea data cables being cut before. Here's an article I found on Slashdot that discusses the repairing of those cables. Pretty neat stuff.

Wednesday, March 11, 2009

Web Application Testing

Swamped. That's what I've been. I can't believe my last post was February; mid to late February at that. I've finished one engagement, and I'm in the process of writing that up. And, I've been thrown onto another engagement. This one's big, and of course has an end date of early May. The funny thing is, once we're done testing the system and writing the documentation, it's a 30-60 day wait for the decision on an ATO. We have almost 100 systems/applications to test. That said, we don't have enough time.

I remember this happening when I was a full-blown project manager working in the private sector. There would be some regulatory announcement that the company would have to adhere to. Instead of figuring out the requirements, figuring out the estimates, and doing the work; we worked backwards. Here's our end date....what are the milestones and when do they have to occur in order to get there. I'm finding the government is worse.

Anyway, I've been getting acquainted with NTOSpider, a web application vulnerability tool. Because of the crush to get this project done, we've already started testing. The PMs just gave us URLs, not system owners. We can't find anyone to own up to the systems, and, when we try, we get our hand slapped by the PMs. Of course, today, an app I was testing was a help-desk type of app. Every submission of one of the forms generated an email. Hundreds of them. Probably more. So, now I'm trying to dig into NTOSpider to see what I can learn in order to fine tune our testing.

Wednesday, February 18, 2009

The Importance of Patching

I listened to my first podcast tonight. Ever. I never really thought I had the time to listen to them. But, the Network Security Podcast had Brian Krebs on, and since I follow Brian's blog, I wanted to hear what he had to say. I'll admit, it took me a bit to figure out how to subscribe, sync, and generally manage the podcasts. However, I got it figured out, and I look forward to listening to future podcasts.

Brian, Rich and Martin got me thinking. Towards the end of the podcast, they were discussing ways to mitigate the current threats, and even what we'll have to do in the future with potentially more determined threats. As an auditor (and an incident responder for my own clients) I think one of the biggest opportunities we have as a security community is to patch, patch and patch. Yes, it's easier said than done in some instances. But look at Conficker. Here's a worm that arrives on a system because a specific patch is not installed. Installing the patch, which was released out of cycle nonetheless, goes a long way to preventing infection. I understand that businesses need to test out patches to ensure that the patch itself will not cause more harm. But certainly, home users should have Microsoft Update actively and automatically fetching these patches and installing them after downloading.

And while we (ourselves) can not physically patch these machines, we can be evangelistic about spreading the message. I know that every time I respond to an incident, one of the big lessons I try to impart to my client is for the client to actively keep the machine patched to the best of their ability. Clients are thankful for ways they can proactively keep their machines safe. And I see in many of these clients pride when they learn that they can do it themselves.

I was glad to listen to the podcast and I look forward to future podcasts. Especially if they will be as engaging and get me to think.

Air Force darkens base

According to this Wired article, the Air Force has cut the internet access to Maxwell Air Force base. The article did not explicitly say what caused the loss of internet access; I'm suspecting there were multiple reasons, and multiple failures from their security vulnerability testing.

Yep, this is what I do. I never really thought I would see this, though. I've been to a few bases where our results indicated that they should be darkened, but I never actually thought it would occur. It's interesting because I remember the Air Force was trying to deploy a "cyber command" or something like that.

Tuesday, February 10, 2009

New Testing Engagement

It appears that at the end of the month I will be going to test a system that was missed by my co-workers. It's all part of a large effort, and these two servers were missed. One server is an Oracle Web Application Server, and one server is a MS SQL Server. I'm not too worried about the SQL Server; however, I've never tested an Oracle Web Application Server. I could not find an SRR that would help, so I read through the Application Server STIG and parsed out the questions. I'm going to have to sit with an SME to guide me through finding the answers. Tedious at best. Of course, I'll also hit the server with nmap, and our new web vulnerability scanner, NTOSpider. I've never used NTOSpider.

So, if you have any pointers on either Oracle Web Application Server or NTOSpider, I would love to hear them.

Security+ certificate arrived

A fear of mine partially came true. All along, I suspected there might be issues with the fact that my initial attempt at the Security+ exam was canceled, and rescheduled for another date. Sure enough, after waiting the requisite five business days, no information was posted to my CompTIA account. I emailed an incident, and was told I had to send proof of my taking the exam (the score sheet).

I got back a response that because my exam attempt was canceled and rescheduled, the results had "gotten lost." However, it was quickly rectified, and my certificate finally arrived.

Which is good, as I can now update the DoD.

Thursday, February 5, 2009

Testing Canceled - and Guard Dogs with Lasers

Testing was just canceled for a trip I had been looking forward to. That, and I was supposed to train a new employee.

In a meeting today with a different client, they proposed a method of meeting physical security requirements:
They proposed getting guard dogs with lasers mounted on their heads.

We actually laughed out loud.

Monday, January 26, 2009

Building a vulnerability scanning laptop with XP

I'm building a new laptop that will be used to conduct vulnerability analysis scanning. Due to the constraints, this will be an XP laptop. I have a laptop in use that runs Linux, so this laptop is meeting a different set of needs. I've been compiling a list of applications to load on the laptop, and this is what I've come up with so far:
  • A network vulnerability scanner - TBD - I'm looking at SAINT, Nessus, and Retina
  • Microsoft Network Monitor - I've never used this, but I could see scenarios where it would be useful.
  • Wireshark - a great open source packet capture and analysis tool
  • OVAL - for host-based vulnerability checking
  • I'll have a couple of SRR scripts on the laptop (Unix, SQL Server, and Oracle)
  • NMAP - for scanning
  • Netcat - because it is the Swiss Army Knife of network tools
  • NetStumbler - for war-walking
  • TrueCrypt - for data-at-rest protection
Yes, you will have noticed that the majority of the applications are open source. The scanner will probably be a commercial application, as I need something to do the heavy lifting.

If you can think of something I'm missing or something that might be useful, let me know.

Friday, January 23, 2009

Send the Interview Questions to the Client, pre-test

I just had a client ask for some clarifying information regarding non-technical controls. It seems that the documentation did not fully enumerate those results. In order to ensure I have that information before leaving the client site, I will ensure the clients have the interview questions before I arrive. I believe it will allow the interview to run quicker in that the client will already know the questions. Also, if they've filled out answers, I'll have a hard copy I can take back to accompany what I've documented myself.

I'll see how this goes shortly, as my next testing engagement is scheduled for a couple of weeks.

Thursday, January 22, 2009

The Hacking of Congress

I had heard this story in the past, the article isn't new. However, it was linked on Slashdot yesterday, and I don't want to lose it.

There are so many points in the article. I think one of the best points was summed up in the summary on Slashdot:

The article notes the difficult work of the House Information Systems Security Office, which must set security policies and then try to enforce them on a population of the equivalent of C-level executives.

Saturday, January 17, 2009

Woohoo!! Passed the Security+


I'll have a post in a few days reviewing the book that I used in preparation for this attempt at the exam. I went into the exam pretty confident, with a goal of acing it. I signed up for the exam during the holiday break. The test center nearest to me had appointments on Monday (MLK Jr. day) and since my office would be closed that day, I figured that would be a good time. It gave me almost three weeks to really prepare for it. Then, yesterday (Friday,) I get a call from Pearson/Vue telling me that the test center was going to be closed for the holiday and how did I want to reschedule my exam.

I thought about the next Saturday, but I didn't want to wait that long. And, I thought about Tuesday, but I really didn't want to take a day off from work. So, I asked if there were any centers that were open on Saturday. There was, and it was a drive, but I figured what the heck. If I passed, I'd have a great weekend. If I didn't.....well, I didn't want to go there. And I was still pretty confident.

But, as confident as I was, and knowing the information, I still thought the exam was pretty hard. There were some questions dealing with technologies that I had never heard of before, and I was pretty surprised. Sure, I know there are questions that they use on the exam that are un-scored. But it was pretty unsettling. There were a couple of times that I had to rally myself, as there were some questions I didn't think were worded well. But to see the "CONGRATULATIONS" on the screen after filling out the survey was absolutely the best feeling. I had to sit in my car for ten minutes before texting home to let them know I was on my way.

So, the exam knocks off a DoD requirement; one less certification to worry about.

Monday, January 12, 2009

Still Alive - Just Studying

I'm still around.
There's been a big push for certifications with the government job. Some of the guys in my group are in a month-long CISSP class. Due to other issues, I wasn't able to take the class. So, I'm pushing myself to pass Security+.

Hopefully, you'll hear from me soon. With positive news.

Friday, January 2, 2009

Vista rant

I have to preface this post with the following fact: for my governmental contracting position, the laptop provisioned to me has Vista Business Ultimate. And it seems to work ok. There are some limitations, but there are enough work-arounds.

However, my consulting business has a machine that runs Vista Home on it. The machine's sole purpose is to run Quickbooks. I'm learning Quickbooks, which is no big deal; but the task is made infinitely harder by Vista. For almost every action I make in Quickbooks, I get a "Server Busy" message and I have to switch tasks. The machine runs Zone Alarm, and I'm constantly getting alerts that Windows Mail is trying to access the trusted zone. Huh? Windows Mail? I'm to the point where I just want to downgrade so that I can run the one application I need to run and get on with it. Because of these issues, I really don't recommend Vista to clients when they ask. I generally recommend XP when asked, or, if I feel they can handle it, Ubuntu.

It's just so mysterious because I'm having a (relatively) good experience (knock on wood) with the laptop provisioned for me for governmental contracting.

There, I feel a little better.