Tuesday, December 15, 2009

Close to home!

Monday, December 14, 2009

Dnsmasq configuration

To make Dnsmasq resolve all queries to one IP address, add

address=/#/127.0.0.1

in dnsmasq.conf

Monday, November 30, 2009

ZoneRanger product

http://www.tavve.com/index.php/products/zoneranger

Need to re-look at this product, been about a year since the last demo.

Friday, November 6, 2009

Symantec

Symantec likes to distinguish itself by saying it’s the world’s largest security software company, but CEO Enrique Salem says more of the company’s solutions will come on purpose-built appliances.

At the Symantec Partner Connect conference in Orlando yesterday, Salem announced that a joint venture with China-based hardware manufacturer Huawei will produce appliance-based versions of many of the company’s security protection products, such as network-based antivirus security, data loss prevention and e-mail security.

Daemonlogger settings

Daemonlogger Soft Tap
1) It sniffs packets and spools them straight to the disk and can daemonize itself for background packet logging. By default the file rolls over when 1 GB of data is logged.

2) It sniffs packets and rewrites them to a second interface, essentially acting as a soft tap. It can also do this in daemon mode.

For ubuntu, installation is simply a matter of

- apt-get install daemonlogger

Config for capturing all packets to log files named with the time and date, for reference:

daemonlogger -i interface_name -l path_to_write_pcaps_to -u user_to_run_as_after_starting -n `date +"%H%M-%d%m%Y"` -S 0 -s 50000000

-S 0 captures all packets

-s 50000000 limits each file written to approx. 50 MB

Windows Security Articles

Tuesday, October 20, 2009

DNS Monitoring Script

Script to monitor DNS requests on an interface; it can sit behind a tap and then forward the result to syslog for collection. The script's a bit dirty and probably not very well constructed, but it appears to do enough.

Main bulk of script unashamedly ripped from

An Ajax-Enhanced Web-Based Ethernet Analyzer


Main Ruby script

dns-watcher.rb

------------------------------------------------------------
#! /usr/bin/ruby -w

# Following packages required on Ubuntu:
#   apt-get install rubygems
#   gem install net-dns  - no longer works as the version was updated to 0.6;
#     use 0.5.2 from http://rubyforge.org/frs/?group_id=721&release_id=35799
#   apt-get install libpcap-ruby*

require 'rubygems'
require 'net/dns/resolver'
require 'net/dns/packet'
require 'syslog'
require 'pcap'

# Sniff on the tap/span interface; the BPF filter hands us only UDP/53 traffic
capture = Pcap::Capture.open_live('bond0', 1500)
capture.setfilter('udp port 53')

# NUMPACKETS = 5000

puts "#{Time.now} - BEGIN run."

# Log to the local1 facility so syslog can forward it to a central collector
$log = Syslog.open('dns_logging', Syslog::LOG_PID, Syslog::LOG_LOCAL1)

capture.loop do |packet|
  begin
    dns_data = Net::DNS::Packet.parse(packet.udp_data)
  rescue StandardError => e
    # A malformed or truncated packet would otherwise kill the whole capture loop
    $log.warning("could not parse DNS packet from #{packet.ip_src}: #{e.message}")
    next
  end

  dns_header = dns_data.header

  # Only queries are of interest, not the answers coming back
  if dns_header.query?
    print "Device #{packet.ip_src} "
    print "(to #{packet.ip_dst}) "
    print "at #{Time.now} looking for "
    # question.inspect renders as "[name. IN A]"; pull the queried name out of it
    question = dns_data.question
    question.inspect =~ /^\[(.+)\s+IN/
    puts $1
    $log.info("dns queried for " + $1) unless $1.nil?

    STDOUT.flush
  end
end

capture.close

puts "#{Time.now} - END run."

---------------------------------------------------------------

Bash wrapper to start the script

dns-watcher

---------------------------------------------------------------

#!/bin/bash

case $1 in
start)
    # Record our PID; exec replaces this shell with ruby, so the PID stays valid
    echo $$ > /var/run/dns-watcher.pid
    # Redirect stdout to the file first, then send stderr to the same place
    exec ruby /home/dns/dns-watcher.rb >/tmp/dns-watcher.out 2>&1
    ;;
stop)
    kill `cat /var/run/dns-watcher.pid` ;;
*)
    echo "usage: dns-watcher {start|stop}" ;;
esac
exit 0

------------------------------------------------------------

Script can be started with

dns-watcher start &

and stopped with

dns-watcher stop &

Sometimes the script stops unexpectedly, and my lack of coding skills stops me from understanding why, so I use Monit to monitor the process and restart it if need be.

Monit config - follow the normal rules for getting Monit to work and then add the lines below specifically for the dns-watcher script

--------------------------------------------------------------

# Monitor Ruby process for dns-watcher
check process dns-watcher with pidfile /var/run/dns-watcher.pid
  start program = "/home/dns/dns-watcher start &"
  stop program = "/home/dns/dns-watcher stop &"

---------------------------------------------------------------

You can use something like phpLogCon to monitor the syslog output.

Wednesday, October 14, 2009

BioMetrics Test Report

It's a bit old but is an interesting read nonetheless

pdf

Wednesday, October 7, 2009

Security policy resource

SANS resource site, covering a wide range of security policies.

http://www.sans.org/security-resources/policies/

Tuesday, October 6, 2009

Database auditing

A series of links, either from securosis.com or pages created by them, on database auditing and what to look for.

http://securosis.com/research/database-security

Events to look for in the following DBs

SQL Server (pdf)
Sybase (pdf)
DB2 (pdf)
Oracle (pdf)


http://securosis.com/research/publication/database-audit-events/

Minimum events to look for

http://www.darkreading.com/blog/archives/2009/10/database_auditi.html

Oracle single sign-on product

http://www.v3.co.uk/v3/news/2250631/oracle-rolls-single-sign

Friday, October 2, 2009

Duplicating keys from pictures

Interesting article and piece of research on the ability to photograph keys and then replicate them without physical access to them.

PDF paper

Thursday, October 1, 2009

sandboxie tool

Interesting tool at http://www.sandboxie.com/

Used to sandbox apps when running them, or to sandbox browsers when surfing.

Thursday, September 24, 2009

Forensically interesting spots in the Windows 7, Vista and XP file system and registry

Taken from http://www.irongeek.com/i.php?page=security/windows-forensics-registry-and-file-system-spots#List%20of%20installed%20USB%20storage%20devices


I'm writing this article for two main reasons. First, I've got an anti-forensics class to teach, so I have to learn it anyway. :) 2nd, while I've known the data is there, I did not know its exact location if someone was to ask me. I've been using tools to recover this information for years, but I wanted to know what the tools were really accessing. For starting this article, I've used Nir's CleanAfterMe tool as sort of a guide, under the assumption that if someone wants to hide an item it must be something a computer forensics investigator would like to know about.

This sort of information should be useful to forensics investigators, folks trying to cover their tracks, folks trying to uncover people's tracks (is my spouse cheating on me?/are my kids looking at porn?) and pen-testers who have physical access to a box. While I'm testing this article on Windows 7, much of it still applies to XP and Vista. This list is NOWHERE NEAR comprehensive. If you have additions, or significant modifications for an entry, I'd be glad to post them and link to your site in the credit info. Please submit your info in a similar format to how I have my entries laid out (that way I can be lazy and just copy and paste).

A few formatting notes before I begin:
1. I'm using "C:\" in the entries for convenience, %SystemRoot% could be located elsewhere, but if you are interested in this material you most likely already know that.
2. For versions of Windows before Vista, try replacing "Users" with "Documents and Settings".
3. I've also used the Vista/Windows 7 version of the "Application Data"/"AppData" folder. You will have to use "Application Data" instead of AppData on Windows XP. For other file system profile mapping changes, check out the Managing Roaming User Data Deployment Guide.
4. To see many of these items, you will have to hit ALT, go to the Tools Menu->Folder options and enable viewing of hidden files and tell Explorer not to hide system files.
5. If you see anything in brackets like "", replace the string with an appropriate value.
6. If something does not show up in AppData\Roaming, try AppData\Local or AppData\LocalLow (and of course, vice versa). Keep in mind, some things will be in Roaming regardless of whether or not you are joined to a domain.

Lots of information on what files and web sites a user has accessed is repeated over and over again. Just because they wiped one way of finding the data, it does not mean they wiped all of the ways a piece of forensic information can be found. That's one reason why, from an anti-forensics standpoint, using full drive encryption or total drive wiping is far better than using a selective privacy tool like CCleaner, CleanAfterMe, Evidence Eliminator, Window Washer or Cyber Scrub. Now let's get started.

Windows Explorer
Recently opened files from Windows Explorer
Network Shortcuts
Items recently run from the "Run" bar
ComDlg32 recently opened/saved files
ComDlg32 recently opened/saved folders
Recent Docs
EXE to main window title cache
User Assist

Windows General
Temp folder
Recycle Bin
Last logged on user
Event logs
Last key edited by RegEdit
List of Installed USB devices, both connected and unconnected
List of installed USB storage devices
SetupAPI Device Log
Windows Prefetch
Internet Explorer
Internet Explorer Temp Folder (IE Cache)
IE Cookies
Internet Explorer History
IE Typed URLs
Internet Explorer Forms AutoComplete
Internet Explorer Password AutoComplete
Printer spool folder

Firefox
Firefox Cached Pages
Firefox Form History File
Firefox Passwords File
Firefox Cookies

Other Apps
Recently Opened Office Docs
Files recently accessed by Windows Media Player
Offline Outlook Mailbox
Temp folder for Outlook attachments
Flash Cookies Location



Windows Explorer

Not to be confused with Internet Explorer, Windows Explorer is the default GUI shell for Windows 7 / Vista / XP. It leaves all sorts of data in the registry and file system for a forensics investigation.

Description: Recently opened files from Windows Explorer
Location: C:\Users\\AppData\Roaming\Microsoft\Windows\Recent
Why you care: It can be quite useful to know what files have been opened recently. Think someone is accessing records of embezzlement? Maybe there is a pointer to the Excel file here that can lead you to where the data has been stored. You may also see links to videos and images in here. I've had this lead to personal embarrassment before while doing a presentation for the ISSA. :)
Entry by: Irongeek, but thanks to Nir.

Description: Network Shortcuts
Location: C:\Users\\AppData\Roaming\Microsoft\Windows\Network Shortcuts
Why you care: This could show an investigator what fileservers the person is accessing, or on a captured laptop a little about the internal network (useful for pen-testing).
Entry by: Irongeek, but thanks to Nir.

Description: Items recently run from the "Run" bar
Location: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU
Why you care: Useful to know what the person is running using the Windows Run bar, but in Vista and Windows 7 lots of folks use "Search programs and files" text box, which does not show up in this registry key.
Entry by: Irongeek, but thanks to Nir.

Description: ComDlg32 recently opened/saved files
Location: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSavePidlMRU
Why you care: This key has sub keys by file extension that can let you know what people have been opening/saving to when the common file save/open dialog comes up. Values are in HEX, but readable if you open them in ASCII view.
Entry by: Irongeek, but thanks to Nir.

Description: ComDlg32 recently opened/saved folders
Location: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedPidlMRU
Why you care: Much like the entry above, but the last folders. Values are in HEX, but readable if you open them in ASCII view.
Entry by: Irongeek, but thanks to Nir.

Description: Recent Docs
Location: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs
Why you care: It can be quite useful to know what files have been opened recently. Got to know where people are sticking their data. :)
Entry by: Irongeek, but thanks to Nir.

Description: EXE to main window title cache
Location: HKEY_CURRENT_USER\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache
Why you care: Once again, it's useful to know what folks are running on a system, and this might give you an idea what an exe is before you run it yourself (in a VM of course).
Entry by: Irongeek, but thanks to Nir.

Description: User Assist
Location: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist
Why you care: This key is supposed to contain information about programs and shortcuts accessed by the Windows GUI, including execution count and the date of last execution, but the way it's stored is less than obvious. Didier Stevens has a tool for parsing the data here:
http://blog.didierstevens.com/programs/userassist/
The version I tested does not seem to work in Windows 7, but Mr. Stevens is on the case.
Entry by: Irongeek, but thanks to Nir and Didier Stevens.

Windows General

Even more Windows Forensics goodness (or badness depending on your perspective).

Description: Temp folder
Location: C:\Users\\AppData\Local\Temp
Why you care: Lots of programs need a safe place, where the user has permissions, to dump temp data. This is the place to look. They may have wiped/shredded the main file, but there could be a version in this directory depending on how the application works.
Entry by: Irongeek, but thanks to Nir.

Description: Recycle Bin
Location: C:\$Recycle.Bin
Why you care: Do I really need to say?
Entry by: Irongeek, but thanks to Nir.

Description: Last logged on user
Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Why you care: Lets you know who logged in last, and may also give you a user name to attack if you're a pen-tester.
Entry by: Irongeek, but thanks to Nir.

Description: Event logs
Location: Should be in C:\Windows\System32\config or C:\Windows\System32\winevt\Logs depending on OS
Why you care: These may be relocated, so do a desktop search for *.evt and *.evtx. They let you know all sorts of things about what is happening on the box.
Entry by: Irongeek.

Description: Last key edited by RegEdit
Location: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Applets\Regedit
Why you care: Can be useful to know if the user was tweaking the registry for some purpose (like writing an article on Forensically interesting spots in the Windows 7 file system and registry).
Entry by: Irongeek, but thanks to Nir.

Description: List of Installed USB devices, both connected and unconnected
Location: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USB
Why you care: It can be useful to know what USB devices have been connected to a box, and even the vendor and serial number of the device in some cases. Think someone copied the data to a thumbdrive? This may help you trace down what thumbdrive. Think how useful it can be to help tie something a user physically possesses to a box.
Entry by: Irongeek.

Description: List of installed USB storage devices
Location: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR
Why you care: Much like the installed USB devices entry, but just for USB storage. Think someone copied the data to a thumbdrive? This may help you trace down what thumbdrive. CleanAfterMe scrubs HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USB but not USBSTOR when I tested last.
Entry by: Irongeek.

Description: SetupAPI Device Log
Location: C:\windows\inf\setupapi.dev.log
Why you care: Log that can help you find out what USB devices have been installed, including thumbdrives. CleanAfterMe scrubs HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USB but not this file when I tested last.
Entry by: Irongeek, but thanks to Nir.

Description: Windows Prefetch
Location: C:\Windows\Prefetch
Why you care: Windows Prefetch is a feature in Windows XP and newer systems (including Windows 7) that is meant to speed up commonly executed application and boot load times by recording what on the system is accessed. Mark McKinnon has a tool you might be interested in for parsing this data. Also, you may want to read the Wikipedia entry: http://en.wikipedia.org/wiki/Prefetcher
Entry by: Irongeek, but thanks to Nir and Mark McKinnon.

Internet Explorer

Description: Internet Explorer Temp Folder (IE Cache)
Location: C:\Users\\AppData\Local\Microsoft\Windows\Temporary Internet Files
Why you care: Look at cached files to see what sort of content people are surfing around for. Also, a great place to start looking if you want to add to your pr0n collection.
Entry by: Irongeek, but thanks to Nir.

Description: IE Cookies
Location: C:\Users\\AppData\Roaming\Microsoft\Windows\Cookies
Why you care: Lets you know where people have been surfing, and possibly a password or at least a session ID to a website they authenticate to.
Entry by: Irongeek, but thanks to Nir.

Description: Internet Explorer History
Location: C:\Users\\AppData\Local\Microsoft\Windows\History
Why you care: Again, useful to know what sites someone has visited, when, and how many times.
Entry by: Irongeek, but thanks to Nir.

Description: IE Typed URLs
Location: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TypedUrls
Why you care: Despite the name, you cannot be 100% sure they were typed into the Internet Explorer URL bar, but this can help you distinguish between sites that were manually entered, and ones accessed via a link. The presumption is that if a URL shows up in the TypedURLs key, the person really meant to go there. This is not necessarily the case, just do a search for what happened to poor Julie Amero.
Entry by: Irongeek, but thanks to Nir.

Description: Internet Explorer Forms AutoComplete
Location: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\IntelliForms\Storage1
Why you care: This registry key stores autocomplete information for IE, but in an obfuscated form. For old versions of IE try Nir's PSPV, for IE 7 and newer try IE PassView to decode this data.
Entry by: Irongeek, but thanks to Nir.

Description: Internet Explorer Password AutoComplete
Location: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\IntelliForms\Storage2
Why you care: This registry key stores autocomplete password information for IE, but in an obfuscated form. For old versions of IE try Nir's PSPV, for IE 7 and newer try IE PassView.
Entry by: Irongeek, but thanks to Nir.


Description: Printer spool folder
Location: C:\Windows\System32\spool\PRINTERS
Why you care: Sometimes a print job will get stuck here, and we all know what useful information people sometimes print. To read these spl files you will need the right PCL/PostScript parser. Try some of the tools listed at the bottom of this page:
http://www.undocprint.org/formats/winspool/spl
I had ok luck with O&K Printer Viewer and LBV SPLViewer.
Entry by: Irongeek.



Firefox

I did these tests in Firefox 3.5 (mostly). Results may vary. Take a look at anything in C:\Users\\AppData\Local\Mozilla\Firefox\Profiles\.default\, but especially *.sqlite files.

Description: Firefox Cached Pages
Location: C:\Users\\AppData\Local\Mozilla\Firefox\Profiles\.default\Cache
Why you care: While IE stored its cache in easy to read file names, Firefox makes it a little harder. You will have to open up these files to look at their headers to see what they are, or use a tool like MozillaCacheViewer. Files with names like _CACHE_001_ are good for looking at the banners of recently accessed sites (so you can see the server type and the like), which will be useful to a pen-tester wanting to fingerprint a system. "_CACHE_MAP_" seems to be an index of items in the cache, but I've not looked into it enough yet myself. Check out http://www.securityfocus.com/infocus/1832 for more info on _CACHE_MAP_. Of course, these _CACHE_ files are also awesome for attaching dates to server access.
Entry by: Irongeek, but thanks to Nir.

Description: Firefox Form History File
Location: C:\Users\\AppData\Roaming\Mozilla\Firefox\Profiles\.default\formhistory.sqlite
Why you care: This file has tons of information about web forms filled out in Firefox, when they were filled out, and what with. This is an SQLite file that contains the browsing history for Firefox/Mozilla. You can use the open source app SQLiteStudio to read the file. For other SQLite tools, check out this site.
Entry by: Irongeek.

Description: Firefox Passwords File
Location: C:\Users\\AppData\Roaming\Mozilla\Firefox\Profiles\.default\signons.sqlite
Why you care: This SQLite file should contain Firefox's stored passwords. Nir has a tool for grabbing Firefox passwords, but it failed on my Firefox 3.5.2 installation (you can still use Firefox itself to see the password, under security options). You can use the SQLiteStudio app to read the file, but the information is obfuscated. For other SQLite tools, check out this site. Even if you can't find the passwords, you can find "Disabled hosts", which may tell you what sites the owner sees as too sensitive to store passwords for.
Entry by: Irongeek.

Description: Firefox Cookies
Location: C:\Users\\AppData\Roaming\Mozilla\Firefox\Profiles\.default\cookies.sqlite
Why you care: Lets you know where people have been surfing, and possibly a password or at least a session ID to a website they authenticate to. You can use SQLiteStudio to read the file, or Nir's cookie viewer.
Entry by: Irongeek, but thanks to Nir.

Other Apps

These are items that may not fit in other categories. Just about anything in "C:\Users\\AppData\" is worth taking a look at.

Description: Recently Opened Office Docs
Location: C:\Users\\AppData\Roaming\Microsoft\Office\Recent
Why you care: Yet another way to see what files someone has been accessing. Notice how it's hard to cover all activity tracks?
Entry by: Irongeek, but thanks to Nir.

Description: Files recently accessed by Windows Media Player
Location: HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Player\RecentFileList
Why you care: I could not get this one to work in Windows 7, maybe it has moved?
Entry by: Irongeek, but thanks to Nir.

Description: Offline Outlook Mailbox
Location: C:\Users\\AppData\Local\Microsoft\Outlook\outlook.ost
Why you care: Here is where your Outlook 2007 mailbox is stored, and email is always a useful source of forensic information. If you find a freeware or open source parser please let me know (my quick search only showed commercial ones). Byte Bucket suggested this http://www.five-ten-sg.com/libpst/ but I have yet to test it.
Entry by: Irongeek.

Description: Temp folder for Outlook attachments
Location: C:\Users\\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\\
Why you care: Here is where Outlook 2007 sometimes puts attachments you directly open from an email. If you are trying to find the exact location of this folder, look in the reg key: HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Outlook\Security
Entry by: Irongeek.

Description: Flash Cookies Location
Location: C:\Users\\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\\
Why you care: So, you deleted all of the cookies your browsers have so folks can't track where you have been, but what about the cookies that Adobe Flash makes at times? Lots of wiping software seems to miss this area, and it's a great way to know where someone has been.
Entry by: Irongeek.

Sunday, September 13, 2009

Network Miner Updated

http://sourceforge.net/projects/networkminer/files/

Autorun update

http://support.microsoft.com/kb/971029

Friday, September 11, 2009

Installing a deb file from the command line

On an Ubuntu system, just use the default option, gdebi. It'll download dependencies (from the Ubuntu archives) for you.

On the command line (on a server, for example), you can say:

gdebi postgresql_7.4.5-3_i386.deb

Friday, September 4, 2009

internet history tool

http://www.jadsoftware.com/home/downloads.htm

Stuff to look at when I get around to it

http://www.addonics.com/products/cipher/default.asp

http://www.computerworld.com/s/article/9062140/Review_A_5x1_eSATA_disk_port_multiplier_for_your_PC?taxonomyId=149&pageNumber=2

http://www.xceedium.com/Products/gatekeeper_overview.php

http://www.windowsecurity.com/articles/Securing-Application-Execution-Microsoft-AppLocker.html

http://www.slashzero.com/2008/10/how-to-thin-provision-an-exsiting-vmware-disk-on-esxi-without-virtual-center/

Monday, August 24, 2009

Forensics recovery tool

http://sourceforge.net/projects/defraser/

Wednesday, August 19, 2009

Cheat Sheets for all

Came across some good cheat sheets

http://packetlife.net/cheatsheets/

https://blogs.sans.org/computer-forensics/files/2009/08/usb_device_forensics_xp_guide.pdf

https://blogs.sans.org/computer-forensics/files/2009/08/usb_device_forensics_vista_win7_guide.pdf

SANS do a bunch of others I recall too

Wednesday, July 29, 2009

ORACLE articles of interest

Rogue DBA's article

Pete Finnigan's website has a collection of papers, including a recent one on securing ORACLE

How to dismantle a nuclear bomb

Link from BBC website on how to dismantle a nuclear bomb without giving away any secrets.

Sunday, July 19, 2009

NetWitness Investigator



NetWitness

Seen this product before, but every time I play with it, it seems to have more and more. Would be a useful product to use for near real time analysis of network traffic. Don't think it has an ability to read traffic from the wire directly, certainly not in the free version. Could use something like Daemonlogger to provide continuous 50 MB pcap files for analysis.

Has a nice interface that seems relatively intuitive to use.

Apparently PhoenixDatacom are the UK suppliers of it, so at least it's easy to get a look at.

Saturday, July 18, 2009

USB Device Forensics

Taken from Windows Incident Response by
I posted to the Win4n6 Yahoo Group on USB removable storage devices and tracking connections, and got some really good confirmation from Rob Lee, so I thought I'd share it here, as well.

So, when I was writing WFA 2/e, I did some testing and found that when connecting a USB removable storage device to a system, beneath the unique instance ID key (under the DeviceClasses key), a Control subkey was created, and when the device was disconnected, the Control subkey was deleted. The creation/deletion of this subkey constitutes a modification to the unique instance ID key, updating the key's LastWrite time and allowing us to track the usage of the device.

However, there appear to have been changes to this functionality since then, and Rob's more expansive testing has confirmed my own. Essentially, if you sit down to a running system (XP SP2 or 3, Vista, Windows 7), and plug in a USB removable storage device (even one that's been previously connected to that system), you'll see the Control subkey created...but when you disconnect the device, the Control subkey will remain until the system is rebooted. Rob has confirmed that this LastWrite time survives logins, as well.

So, now the LastWrite time on the unique instance key refers to the time that the device was last connected to the system, which is an important distinction to make when performing analysis of the usage of these devices. This requires further testing for more complete confirmation, but this is how things appear at this time. Shout outs to Rob Lee for the testing on this!

So this should give us a bit more on when a device was last connected, and I should look to automate it if possible.

Social Media Staff Policies

A good blog to read for social media policies, if for nothing else than the well put together graphics!

Social Media Staff Policies

Tuesday, July 14, 2009

IronKey

New Ironkey launched

https://www.ironkey.com/S200_Launch

Wednesday, June 24, 2009

Free centralised auditing in Windows

http://www.windowsecurity.com/articles/Centralized-Auditing-here-FREE.html

Defeating Authenticode

http://blog.didierstevens.com/2009/06/07/update-disitool-v0-3/

Saturday, June 6, 2009

VMWare exploit

http://www.darkreading.com/securityservices/security/app-security/showArticle.jhtml?articleID=217701908

http://www.security.nnov.ru/news/VMWare/PB.html


http://www.coresecurity.com/content/advisory-vmware

Saturday, May 30, 2009

SLAs and rules of thumb

From The Daily WTF, a story about availability and SLAs that's worth a read, about an impossible availability/SLA conundrum. It's a good lead in to a couple of my rules of thumb.

“If you add a nine to the availability requirement, you’ll add a zero to the price.”

In other words, to go from 99.9% to 99.99% (adding a nine to the availability requirement), you’ll increase the cost of the project by a factor of 10 (adding a zero to the cost).

There is a certain symmetry to this. Assume that it’ll cost 20,000 to build the system to support three nines, then:

99.9 = 20,000
99.99 = 200,000
99.999 = 2,000,000

The other rule of thumb that this brings up is

Each technology in the stack must be designed for one nine more than the overall system availability.

This one is simple in concept. If the whole system must have three nines, then each technology in the stack (DNS, WAN, firewalls, load balancers, switches, routers, servers, databases, storage, power, cooling, etc.) must be designed for four nines. Why? ‘cause your stack has about 10 technologies in a serial dependency chain, and each one of them contributes to the overall MTBF/MTTR. Of course you can over-design some layers of the stack and ‘reserve’ some outage time for other layers of the stack, but in the end, it all has to add up.

Obviously these are really, really, really rough estimates, but for a simple rule of thumb to use to get business units and IT work groups thinking about the cost and complexity of providing high availability, it’s close enough. When it comes time to sign the SLA, you will have to have real numbers.

Via The Networker Blog
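A short derivation, added here and not part of The Networker Blog post, of why the "one more nine per layer" rule follows from a serial chain of about ten technologies. It assumes independent failures and treats each layer's unavailability as small:

```latex
\text{Let each of the } n \text{ serial layers have availability } A_i = 1 - \epsilon_i, \quad \epsilon_i \ll 1.

A_{\text{sys}} = \prod_{i=1}^{n} (1 - \epsilon_i) \;\approx\; 1 - \sum_{i=1}^{n} \epsilon_i
\qquad \text{(the unavailabilities add; this is the outage "budget" shared between layers)}

\text{With } n = 10 \text{ layers each at four nines, } \epsilon_i = 10^{-4}:

A_{\text{sys}} \approx 1 - 10 \cdot 10^{-4} = 0.999 \quad (99.9\%, \text{ three nines})

\text{Exactly: } 0.9999^{10} = 0.99900045\ldots, \text{ so the approximation is good to well under one part in } 10^{6}.
```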

More thoughts on availability, MTTR and MTBF:

Wednesday, May 20, 2009

Spam domain name stats

http://gcn.com/articles/2009/05/18/cybereye-spam-domain-registry.aspx?s=security_180509

What to monitor on a server

- binary md5 sums
- disk usage
- who is logged on
- running processes
- recently altered files
- files without user or group ownership
- files with global write perms or setuid or setgid
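A small baseline checker, added here as an example and not from the original post, covering three items of the list above: binary checksums against a saved baseline, files without a valid owner or group, and world-writable, setuid or setgid files. It assumes a POSIX shell with GNU md5sum and find; every path in it is a placeholder.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes md5sum and find are
# available; the directories and baseline file names are placeholders.

# make_baseline DIR FILE
# Record the md5 of every regular file under DIR into FILE, sorted by path,
# so that two runs can be compared with plain diff.
make_baseline() {
    find "$1" -type f -exec md5sum {} + | sort -k 2 > "$2"
}

# check_baseline DIR FILE
# Recompute the checksums under DIR and compare them with the saved baseline.
# Returns 0 when nothing differs; otherwise prints the differing entries
# ('<' lines are the baseline, '>' lines the current state) and returns 1.
check_baseline() {
    current=$(mktemp) || return 2
    find "$1" -type f -exec md5sum {} + | sort -k 2 > "$current"
    if diff "$2" "$current" > /dev/null; then
        rm -f "$current"
        return 0
    fi
    diff "$2" "$current" | grep '^[<>]'
    rm -f "$current"
    return 1
}

# orphaned_files DIR
# Files whose uid or gid no longer maps to an account: a typical leftover of a
# removed user, or of files dropped in place by an unpacked archive.
orphaned_files() {
    find "$1" \( -nouser -o -nogroup \) 2>/dev/null
}

# risky_perms DIR
# Regular files that are world-writable (o+w), setuid or setgid.
risky_perms() {
    find "$1" -type f \( -perm -0002 -o -perm -4000 -o -perm -2000 \) \
        -print 2>/dev/null
}

# Daily run, e.g. from cron; BASE is a placeholder for where the baseline lives.
# Uncomment to use:
#   BASE=/var/lib/baseline/usr-bin.md5
#   [ -f "$BASE" ] || make_baseline /usr/bin "$BASE"
#   check_baseline /usr/bin "$BASE" || echo "WARNING: binary checksums changed"
#   orphaned_files /
#   risky_perms /
```

The baseline file must live somewhere the monitored host cannot rewrite, or a change to a binary can be hidden by regenerating the baseline alongside it.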


If only...

Tuesday, May 19, 2009

Secured email for Exchange

Boldon James Safemail products

http://www.boldonjames.com/SAFEmail-for-SIE-231

Microsoft S/MIME implementation

http://searchexchange.techtarget.com/generic/0,,sid43_gci1252311,00.html

Security Labels

http://msdn.microsoft.com/en-us/library/aa140148(office.10).aspx



Microsoft Rights Management Solutions for Exchange 2007

http://www.simple-talk.com/exchange/exchange-articles/configuring-exchange-server-2007-to-support-information-rights-management/

Tuesday, May 12, 2009

PXE boot links

Links for PXE boot, especially for Clonezilla

http://clonezilla.org/clonezilla-live/livepxe.php

http://docs.fedoraproject.org/install-guide/f10/en_US/sn-booting-from-pxe.html

http://linux-sxs.org/internet_serving/pxeboot.html

http://myy.helia.fi/~karte/pxe.html

Audit trail of SSH sessions

Record SSH sessions at client and at server

http://www.jms1.net/ssh-record.shtml

Chroot users in shell so that all they can do is SSH onwards

http://olivier.sessink.nl/jailkit/howtos_ssh_only.html

Privileged user product

Product to manage privileged users, their passwords and their accesses

http://www.symark.com/products/padoverview.html

Free online Information Security and computer science courses

http://www.computer-colleges.com/blog/2009/diy-ciss-degree-100-open-courses-on-computer-information-systems-and-security/

Virtual host and DNS names enumeration techniques

http://lab.lonerunners.net/blog/virtual-host-and-dns-names-enumeration-techniques

Tuesday, May 5, 2009

Web application security test check list

taken from http://pajhome.org.uk/security/webchecks.html

Authentication
Logging in with an invalid user name does not reveal whether the user exists
Accounts are locked after a number of failed logins
An attacker cannot reset the lockout (e.g. by removing cookies)
Can't easily lockout an account to cause a denial of service
After login a redirect is issued, to prevent refresh attacks
Both "change password" and "logout" functions are provided
User is informed of last login time
Change password requires provision of old password
Passwords are proactively checked for strength
Password is never revealed (e.g. in the source of change password)

Session Management
Session tokens are at least 128-bit
Session tokens are unpredictable
A new session is allocated at login (i.e. session fixation is prevented)
Logout invalidates the session token on the server
Cookie has "secure" and "httponly" options set and is non-persistent
Sessions have an inactivity timeout
Sessions have an absolute timeout

Injection Attacks
Cross-site scripting
HTTP response splitting
SQL injection
LIKE pattern injection
LDAP injection
XPATH injection
Mail header injection
Directory traversal
Null-byte injection
Shell script / batch injection
Server-side script injection (PHP, Perl, etc.)
XML injection
Try to bypass filters using over-long utf-8 encodings
Try to bypass filters using wide-ascii, or other unicode equivalents

Content Checks
No script tags reference resources on other servers
Use of eval, document.write, innerHTML, etc. does not cause XSS
Comments in files do not reveal sensitive information
Frames/iframes, if used, have frame spoofing protection
autocomplete=off is set on all forms asking for personal information
Private IP addresses

Server Side Script Behaviour
Arbitrary redirection
Arbitrary message inclusion
File upload features restrict uploaded content to prevent compromise
JavaScript Hijacking
Scripts that cause write actions require POST with a CSRF token
Scripts that act as an open proxy or mail relay
Exponential format accepted
Server compromise by uploading XML that sources a stylesheet
Source code disclosure through scripts that allow read access to files

Authorization
All protected resources check for a valid session
All protected resources check for user permissions (forced browsing)
Parameter tampering does not allow access to others' data
Page-to-page flow is correctly enforced where required
Form POST targets perform the same authorization as form views

Miscellaneous
cache-control: private or stronger is used on sensitive pages
All client-side validation is repeated on the server
Site supports HTTPS, and sensitive pages forbid HTTP access
All pages are displayed with status and address bars
All URLs are expected from a customer's point of view
No "Mixture of secure and insecure content" warnings

Server Configuration
There are no "orphaned" files (exist on the web server, but not linked)
No backup versions of files are accessible (may reveal source code)
No common insecure scripts (e.g. snoop servlet) are accessible
Error messages do not provide overly-detailed information

Special Cases
Dynamic login questions: question cannot be changed by the user
Application forms: restarting a transaction doesn't leak information
Smoke & mirrors: generated emails are appropriately protected
Domain auth: domain accounts cannot be locked out from the internet
Forgotten password: understand any information leaked or risks created

SSL Client Certificates
Does login check username matches certificate?
Can you lock out an account without holding the certificate?
Is certificate required for every request?
Does it check the certificate matches the session ID?
Can you login using a self-signed certificate?
Are test/pre-prod certificates separated from live?

Nested Web Service
Is the WSDL file accessible?
Does access to the web service require a web session?
Does it check the web session user matches the WS user?
Also, most of this checklist also applies to the web service.
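As an added example (not part of the checklist's source), here is how the Session Management items translate into code: a small audit of a `Set-Cookie` header for the Secure/HttpOnly/non-persistent requirements and a 128-bit minimum token size, plus a server-side session store that rotates the id at login (session fixation), invalidates on logout, and applies both an inactivity and an absolute timeout. The two sample headers are constructed; the entropy figure is an upper bound that assumes the token is uniformly random, so a passing size check says nothing about predictability.

```python
import math
import re
import secrets
import time


def parse_set_cookie(header):
    """Split 'name=value; Attr; Attr=val' into (name, value, {attr_lower: val})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def token_bits_estimate(value):
    """Upper-bound bits in a token, judged from its encoding (assumes uniform randomness)."""
    if re.fullmatch(r"[0-9a-fA-F]+", value):
        return len(value) * 4                  # hex: 4 bits per character
    if re.fullmatch(r"[A-Za-z0-9+/_-]+=*", value):
        return len(value.rstrip("=")) * 6      # base64 / base64url: 6 bits per character
    alphabet = len(set(value))
    return int(len(value) * math.log2(alphabet)) if alphabet > 1 else 0


def audit_session_cookie(header, min_bits=128):
    """Return a list of findings for one Set-Cookie header; an empty list means it passes."""
    _, value, attrs = parse_set_cookie(header)
    findings = []
    if "secure" not in attrs:
        findings.append("missing Secure flag")
    if "httponly" not in attrs:
        findings.append("missing HttpOnly flag")
    if "expires" in attrs or "max-age" in attrs:
        findings.append("persistent cookie (Expires/Max-Age set)")
    bits = token_bits_estimate(value)
    if bits < min_bits:
        findings.append("token encodes at most %d bits, below %d" % (bits, min_bits))
    return findings


# Constructed sample headers (not captured from any real site).
WEAK_HEADER = "JSESSIONID=1234567890; Path=/; Expires=Wed, 01 Jan 2020 00:00:00 GMT"
GOOD_HEADER = "sid=" + secrets.token_hex(16) + "; Path=/; Secure; HttpOnly"


class SessionStore:
    """Ids are 128-bit random, replaced at login, removed at logout, and time out."""

    def __init__(self, idle_seconds=900, absolute_seconds=8 * 3600, clock=time.time):
        self.idle = idle_seconds
        self.absolute = absolute_seconds
        self.clock = clock                 # injectable so timeouts can be tested
        self._sessions = {}                # sid -> {"user", "created", "last_seen"}

    def _new_sid(self):
        return secrets.token_hex(16)       # 16 bytes = 128 bits from the OS CSPRNG

    def create(self):
        """Anonymous (pre-login) session."""
        sid = self._new_sid()
        now = self.clock()
        self._sessions[sid] = {"user": None, "created": now, "last_seen": now}
        return sid

    def login(self, old_sid, user):
        """Issue a fresh id so a pre-planted old_sid cannot ride the login (fixation)."""
        self._sessions.pop(old_sid, None)
        sid = self._new_sid()
        now = self.clock()
        self._sessions[sid] = {"user": user, "created": now, "last_seen": now}
        return sid

    def logout(self, sid):
        """Invalidate on the server, not merely by clearing the client's cookie."""
        self._sessions.pop(sid, None)

    def user_for(self, sid):
        """User for a live session, or None if the id is unknown or has timed out."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        now = self.clock()
        if now - s["last_seen"] > self.idle or now - s["created"] > self.absolute:
            self._sessions.pop(sid, None)  # expired: drop it so it cannot be revived
            return None
        s["last_seen"] = now
        return s["user"]


if __name__ == "__main__":
    print("weak:", audit_session_cookie(WEAK_HEADER))
    print("good:", audit_session_cookie(GOOD_HEADER))
```

`audit_session_cookie` is the kind of check that fits in an automated scan of every response; the store shows the server-side half that no header inspection can verify, which is why "logout invalidates the session token on the server" has to be tested by replaying the old id after logout.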

Wednesday, April 29, 2009

Hard Drive Destroyer

http://www.garner-products.com/PD-4.htm

Indy arrives but doesn't save the day

The new ankle biter


How to mount an LVM partition on another system

I ran into a Fedora Core 3 box recently which after rebooting was unable to mount the root filesystem. Here's what I did to get this going:

First I booted off the Fedora CD and typed "linux rescue" at the prompt in order to boot into rescue mode. When asked if I would like to enable the network interfaces or mount the filesystems, I said no to both.

If you are running a different Linux distro or don't have the Fedora CD, I'm pretty sure you can use a different Linux bootable CD like Knoppix and then just install the LVM tools (How to install LVM tools on Knoppix) and use that instead.

So, once you're at the command prompt, you need to activate the LVM partitions so they can be used. This can be done using the following command:

lvm vgchange --ignorelockingfailure -P -a y

The -P will make logical volumes which are missing one of their disks available too.

This should create the device entries for these logical volumes. You can find out what the name of the logical volumes are by typing:

lvm lvs

This should give you output showing the name of the Volume Group and the name of the Logical Volume. The device entry should be created in /dev//. So in my case it was created as /dev/VolGroup00/LogVol00.

You can now mount or fsck or whatever you need to do. If you wanted to check/repair the filesystem you could run:

fsck /dev/VolGroup00/LogVol00

If you wanted to mount the filesystem you could run:

mkdir /volmount
mount /dev/VolGroup00/LogVol00 /volmount

And that's it, you now have access to your logical volume on another system. Please leave any comments or corrections using the comment form below.

Wednesday, April 15, 2009

On the Entropy of Fingerprints

http://lukenotricks.blogspot.com/2009/04/on-entropy-of-fingerprints.html

Tuesday, March 31, 2009

WEP Cracking Tutorial

http://blog.durdle.com/archives/2007/03/08/clientless-wep-cracking/

Thursday, March 12, 2009

sneaky wireless APs

For $40, anyone can purchase a cheap wireless AP and plug it into the company network. Often, employees do this simply for the sake of convenience, not realizing that it opens the company to attack. Criminals also deliberately plant wireless access points, which allow them to bypass the pesky firewall and remotely access the network later on. These days, disgruntled employees can easily hide an AP behind the file cabinet before cleaning out their desks, and then access the company network months later from the parking lot.

Many companies conduct regular “war-walking” scans to detect rogue access points (i.e. using Kismet or Netstumbler), or invest in commercial Wireless Intrusion Detection Systems (WIDS). However, there are sneaky ways to bypass traditional war-walking and WIDS systems. Recently, I took Josh Wright’s excellent “Wireless Ethical Hacking” SANS class, and he touched on a number of tricks that attackers can use to foil your company’s rogue WAP detection efforts. Here are a few:

1) Channel 14

In the United States, the FCC has licensed 11 channels for 802.11b/g, which have center frequencies between 2.412 GHz to 2.462 GHz. However, most of Europe allows 13 channels (up to 2.472 GHz), and Japan allows 802.11b all the way up to channel 14, or 2.484 GHz.

Cards manufactured for the United States often don’t support channel 14, since it’s illegal to transmit on that frequency. There’s overlap between the channels, but at 2.484 GHz, channel 14 is far enough away from channel 11 that network cards are unlikely to pick up much signal on channel 11. If an attacker were to configure an AP to illegally transmit on Channel 14 and export data at 2.484 GHz, security teams monitoring US channels would probably never detect it.

2) 802.11n Green Field mode

The IEEE has been hard at work on the 802.11n (“MIMO”-based) specification, which allows much greater throughput than 802.11a/b/g (100Mbps or more). The draft 802.11n standard specifies two modes:

* “Mixed-mode,” which allows it to work with legacy 802.11a/b/g networks;
* “Green Field” or “high-throughput only” mode, which takes full advantage of the enhanced throughput but is not visible to 802.11a/b/g devices. Older devices will see GF-mode traffic only as noise.

Not visible to 802.11a/b/g devices? That means if you’re war-walking with an 802.11a/b/g card, you can’t see 802.11n devices operating in Green Field (GF) mode. The specification hasn’t even been finalized, but 802.11n devices are already available for as little as $50, easy to buy, easy to plug into your company’s network. However, most companies have not yet purchased 802.11n-compatible equipment and hence can’t detect GF-mode 802.11n rogue APs.

Josh published a vulnerability report explaining this, in which he wrote: “With the inability to decode GF mode traffic, an attacker can position a malicious rogue AP on a victim network using the GF mode preamble. This would allow an attacker to evade wireless intrusion detection systems (WIDS) based on non-HT devices. This includes all WIDS devices based on 802.11a/b/g wireless cards.”

3) Bluetooth Access Point

If you’re like me, when you think about Bluetooth you envision your tiny little headset which crackles and hisses every time you walk too far away from your phone. That’s because your Bluetooth headset is designed for a Class 2 Bluetooth network, which is fairly low-power and has a maximum range of ~10M.

However, there’s more to Bluetooth than your rinky-dink headset. Bluetooth Class 1 devices are much more powerful, with ranges similar to 802.11b wireless APs. A Bluetooth Class 1 device can transmit up to 100mW, with a typical range of ~100M (or miles, if the receiver has a directional antenna). You can buy a Class 1 Bluetooth AP for $100-200.

Can you discover Bluetooth APs while war-walking? Not if you’re just using an 802.11 card. Even if you’re using a spectrum analyzer like WiSpy, you may not notice it. Bluetooth uses Frequency Hopping Spread Spectrum, and hops 1600 times a second throughout the 2.402-2.480GHz band. Because it’s spread out across the spectrum, it can be hard to notice and easily mistaken for noise by the untrained eye. Most Wireless IDS systems and security teams simply don’t look for it (yet).

4) Wireless Knocking

This is my favorite. Remember port knocking? Instead of installing a backdoor to listen on a particular port (where it might be noticed), l33t h4×0rs installed rootkits that would wait for a particular sequence of ports to be scanned, at which point the knocker’s IP address would be granted access. “A three-knock simple TCP sequence (e.g. port 1000, 2000, 3000) would require an attacker without prior knowledge of the sequence to test every combination of three ports in the range 1-65535, and then to scan each port in between to see if anything had opened… That equates to approximately 65535^4 packets in order to obtain and detect a single successful opening. That’s approximately 18,445,618,199,572,250,625 or 18 quintillion packets.” (Wikipedia)

With wireless knocking, a rogue AP sits on the network in monitor mode, listening for probe requests. When the rogue AP receives a packet (or sequence of packets) with the preconfigured SSID, it awakens and switches to master mode. The program “WKnock” is designed for this purpose, and it can be installed on any AP supported by the OpenWRT framework. During times when the rogue AP isn’t active, it is silent and can’t be detected using common wireless scanning tools.

Sneaky!

Saturday, February 14, 2009

Tap Choices

http://netoptics.com/products/product_family_details.asp?cid=4&pid=103&Section=products&menuitem=4&tag=NetOptics+aggregation+Taps

Thursday, February 12, 2009

iPhone internet sharing

http://blog.timolthof.com/true-modem-iphone-internet-sharing/

Blogger test from Windows 7

Test

Wednesday, February 11, 2009

more metasploit stuff

http://darkoperator.blogspot.com/

AD stuff for screwturn wiki

http://electricimages.co.nz/UserAuth.ashx

Metasploit Across the Net

metasploit script/modules

Tuesday, February 10, 2009

famous at last

http://www.netvision.com/netvisionsimon.html

Monday, February 2, 2009

Winner in the Authentication/Smart Cards Category of Readers’ Choice Awards: RSA SecureID

http://www.windowsecurity.com/news/WindowSecurity-Readers-Choice-Award-Authentication-Smart-Cards-RSA-SecureID-Dec08.html

Wednesday, January 28, 2009

SNORT on Ubuntu 8.10

http://baronne.mouton.co.uk/snort-on-ubuntu-server-810-intrepid-ibex/

VM Security

Gartner has written a good bit about security in the virtual environment including this quote. "The increasing use of virtualization, particularly in data center environments, will lead to new potential attack paths. To protect critical servers and data in virtualized environments, organizations need to extend their security processes and controls into the virtual environment, including the use of virtual firewalls and IPSs when security separation and protection are needed." Neil MacDonald, VP and Gartner Fellow.

"Virtual Security Tools Fill Gap in Virtual Data Center" (SearchCIO.com)

"Worms Have Become Increasingly Aware of the Virtual Environment" (SC Magazine)

"Seven Things that will Sink Virtualization" (Network World)

Tuesday, January 27, 2009

how to suck at security

http://isc.sans.org/diary.html?storyid=5644

Tuesday, January 20, 2009

exchange certificates

http://www.msexchange.org/articles_tutorials/exchange-server-2007/management-administration/managing-exchange-certificates-part2.html

conficker social engineering

http://isc.sans.org/diary.html?storyid=5695

file sigs website

http://www.garykessler.net/library/file_sigs.html

Monday, January 19, 2009

Intella tool

http://www.vound-software.com/faq.php

Copyright 2009 Security Monkey.