Author: Andrew Hay

Suggested Blog Reading – Tuesday May 22nd, 2007

Short week in the office this week due to a conference I’m presenting at next Monday. Hopefully I’ll have time to prepare the Suggested Blog Reading on Monday morning.

Here’s the list:

Nemesis – Packet Injection Suite – It’s always handy to have packet crafting tools kicking around when testing IDSs or firewall rules. Add this one to your kit.

Nemesis is a command-line network packet crafting and injection utility for UNIX-like and Windows systems. Nemesis is well suited for testing Network Intrusion Detection Systems, firewalls, IP stacks and a variety of other tasks. As a command-line driven utility, Nemesis is perfect for automation and scripting.

Reversing a “ZLib-Obfuscated?” Network Protocol – I don’t even have to say anything…these guys provide great articles 🙂

We just wrapped up a security assessment on a commercial enterprise server/agent security product. I can’t get too specific here, but we did run into an interesting problem that we thought would be worth a post.
The application we were evaluating had a home-grown network protocol doing some interesting things worth investigating.

Analyzing an obfuscated ANI exploit – I wish I could take credit for this but the Andrew in question is someone else.

Some time ago one of our readers, Andrew, submitted an interesting ANI exploit sample. Unless you’ve been under a rock for the last couple of months, you heard about the latest ANI vulnerability.

Most of the exploits we’ve seen so far (and we’ve seen thousands of them) didn’t try to obfuscate the exploit code. The exploit code itself almost always contained a downloader that downloaded the second stage binary from a remote site and executed it on the victim’s machine.

As the exploit wasn’t obfuscated, running a simple strings command was enough to see the URL of the second stage binary.

Securityhacks show off security hacks – Thanks to LonerVamp for introducing me to a new blog to read 🙂

I don’t typically single out new links I add to my menu, but the blog at SecurityHacks has been posting some neat stuff. I still think there is “market bandwidth” for sites that show off tools or “how-to” sorts of postings in our niche blogosphere (although a forum or wiki may be more appropriate long-term information storage). They have gone over creating an SSH tunnel for Windows SMB connections (I think if you’re going to this much trouble, may as well learn SSH transfers or implement a full VPN), SQL Injection scanners, and “recovering” Firefox stored passwords. There’s also mention of pwdumpx (not to be confused with pwdump or even fgdump…

Anti-Splog Evasion – “Splog”? Great…another phrase to confuse my parents.

I know I’m really going to kick myself for this one, as it will no doubt come back to haunt me, but I’ve been thinking about this one for a long time. One of the things that Blackhat SEO types do is they attempt to scrape other people’s sites that have original content (such as mine). Then they post that content on their site as their own, attempting to raise their own page-rank. Because the search engines aren’t smart enough to know who is the original author, the sploggers get higher in the page ranks.

A Practical Application of SIM/SEM/SIEM Automating Threat Identification – from the SANS Information Security Reading Room.

The Case of the Unknown Autostart – Good walk through to determine a problem.

A few weeks ago I installed an update to a popular Internet Explorer media-player ActiveX control on one of my systems. I knew from past experience that the plugin’s updates always configure an autostart (an executable configured to automatically launch during boot, login or with another process) that I don’t believe serves any useful purpose, so as I had in the past, I launched Sysinternals Autoruns, set both Verify Code Signatures and Hide Signed Microsoft Entries in the options menu, pressed Refresh, found the autostart and deleted it. However, as I was about to close the window another entry caught my eye and caused my heart to stop

Paper about In-Place File Carving – I’m always on the look out for new and exciting papers to read 🙂

Golden G. Richard III, Vassil Roussev and Lodovico Marziale describe a file carver that is able to work on local and remote drives. They presented their paper In-Place File Carving at the 3rd annual IFIP WG 11.9 International Conference.

The article explains the whole concept of in-place file carving. The authors give the example of an 8 GB drive. The process of carving came to an abrupt end as the files produced exceeded the storage capacity of the 250 GB target drive. Besides the extra storage capacity, the recreation of carved files takes a significant amount of time.

Courts Cast Wary Eye on Evidence Gleaned From Cell Phones – Good news for criminals…bad news for forensic examiners.

Another problem is that the market is glutted with so many different types of cell phones, so there will always be some models for which no existing forensic tools work. In that case, “Sometimes the best tools are hacker tools, as long as they’ve been thoroughly examined and reverse-engineered,” said Jansen, who helped write NIST’s official recommendations (.pdf) for documenting the chain of evidence and creating tamper-proof files when searching a cell phone.

Even the best forensic practices will face a daunting challenge as more complex mobiles become vulnerable to tampering before they’re seized as evidence. It’s relatively easy for an adversary with a bluetooth device to plant new addresses in a bluetooth-enabled phone’s contact list, or even place bogus calls from the phone. Keith Thomas, a cell-phone forensics expert with First Advantage Litigation-Consulting, said this is where the real problem for investigators will begin — when courts start to realize that evidence from cell phones isn’t any more foolproof than what’s found on computers.

Suggested Blog Reading – Monday May 21st, 2007

Oh how I enjoy holiday Mondays…

Here’s the list:

Argus 3.0: Cisco Netflow – Good intro to using Argus with NetFlow if you’ve never been exposed to either before.

Cisco has improved and added new features to its IOS, and I have found a few new features for Netflow that look pretty interesting to me, where you can capture more useful information. The most commonly used Netflow version is 5. I would like to try out version 9 (shiny? If any of you use version 9, I would like to hear from you); however, argus doesn’t identify Netflow version 9 yet, so I keep using the solid Netflow version 5. So here I start to export Cisco Netflow data to the argus collector (probe).

Hiding Inside a Rainbow, Part 2 – Part Two in the series.

In my previous post about steganography and rainbow tables, I explained a technique to hide data in a rainbow table. The disadvantage of this method is that there is a way, albeit costly, to detect the hidden data. This is because we replace the random bytes that make up the start of the chain with the data we want to hide, thereby breaking the chain. A broken chain can be detected by recalculating the chain and comparing the recalculated hash with the stored hash. If they differ, the chain is broken.
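The detection described in that excerpt, as an added example that is not from the quoted post: a toy rainbow table whose chain start points are overwritten with hidden data, and a checker that recomputes every chain and flags those whose end hash no longer matches. The hash, reduction function, chain length and 4-byte plaintext space are constructed parameters, not the ones the post used.

```python
import hashlib

# Toy rainbow-table parameters (constructed for illustration; real tables use far longer chains).
START_BYTES = 4      # plaintext space: 4-byte values
CHAIN_LEN = 50

def H(p: bytes) -> bytes:
    return hashlib.sha256(p).digest()

def R(h: bytes, step: int) -> bytes:
    # Reduction function: map a hash back into the plaintext space. It depends on the
    # step index so chains that collide at different positions do not merge.
    n = (int.from_bytes(h[:8], "big") + step) % (1 << (8 * START_BYTES))
    return n.to_bytes(START_BYTES, "big")

def chain_end(start: bytes) -> bytes:
    # Walk one chain from its start point and return the end hash the table stores.
    p = start
    for step in range(CHAIN_LEN):
        p = R(H(p), step)
    return H(p)

def build_table(starts):
    # A table is a list of (start point, end hash) pairs.
    return [(s, chain_end(s)) for s in starts]

def hide_data(table, secret: bytes):
    # The hiding technique from the post: overwrite chain start points with chunks of
    # the secret and leave the stored end hashes untouched, so those chains no longer
    # recompute correctly.
    chunks = [secret[i:i + START_BYTES].ljust(START_BYTES, b"\0")
              for i in range(0, len(secret), START_BYTES)]
    hidden = list(table)
    for i, chunk in enumerate(chunks):
        hidden[i] = (chunk, hidden[i][1])
    return hidden

def broken_chains(table):
    # The detection the post describes: recompute every chain from its start point and
    # flag those whose recomputed end hash differs from the stored one. This costs as
    # much as generating the table again, which is why the post calls the check costly.
    return [i for i, (start, end) in enumerate(table) if chain_end(start) != end]

if __name__ == "__main__":
    clean = build_table([bytes([0, 0, 0, i]) for i in range(8)])
    hidden = hide_data(clean, b"hidden!!")  # 8 bytes -> overwrites the first two start points
    print("clean table, broken chains:", broken_chains(clean))    # []
    print("hidden table, broken chains:", broken_chains(hidden))  # [0, 1]
```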

Pre-connect NAC – The first building block of a controlled guarded enterprise LAN – Good overview of “pre-connect” NAC.

For those of you who are confused by the different terms, pre-connect NAC is the phase in which the identity of the device and the identity of its user are to be verified.

Litchfield on Oracle Live Response – I can’t believe I missed this one. Thanks Harlan/Richard!

Thanks to Richard Bejtlich, I learned this morning that David Litchfield, famed security researcher with NGSSoftware, has released a paper entitled Oracle Forensics Part 4: Live Response. In that paper, David starts off by discussing live response in general, which I found to be very interesting, as he addresses some of the questions that we all face when performing live response, particularly those regarding trust and assurance…trusting the operating system, trusting what the tools are telling us, etc.

More Terms from Logging Glossary Published – I can’t wait to see how this list grows.

As I mentioned here, I started publishing the LogLogic Logging Glossary. Here are the terms and definitions published so far:

Alert
Audit Logging
Context Information

Windows Home Server versus Linux or BSD – I don’t think I’ll be up late at night pondering which to choose 😛

Last year whenever people asked me what to use when building a home server, I’d tell them to use Linux or FreeBSD because there was absolutely nothing from Microsoft under a few hundred dollars. There was no way anyone would spend a few hundred dollars on Windows Small Business Server so Linux or FreeBSD was their only choice. With Windows Home Server on the horizon, Microsoft might just steal a piece of the home server appliance market from Linux.

This Old Vulnerability: Sendmail 8.6.9 – I think these articles are a fantastic idea. Simply telling people that sendmail is/was vulnerable just doesn’t cut it. Showing some historic examples will drive the point home. Someone give this guy a laptop 🙂

Today on This Old Vulnerability, we will take a quick tour through a classic metacharacter/delimiter injection attack. Our petri dish will be Sendmail 8.6.9 (and 8.6.10). The vulnerability was caused when sendmail would take input from a remote identd (the username) and blindly write it into a sendmail queue file.
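The injection class that excerpt describes, as an added example that is not from the quoted post and not sendmail's code: a line-oriented record writer that copies an identd-supplied username into the file unchecked, beside a hardened writer that rejects anything outside a strict character set. The "<tag>:<value>" queue format and the sample identd replies are constructed for illustration.

```python
import re

# Constructed line-oriented record format (NOT sendmail's real queue-file layout): one
# record per line, "<tag>:<value>". A reader treats every line as a separate record, so a
# newline smuggled into a value is a delimiter injection.

def ident_username(reply: bytes) -> bytes:
    # Extract the username field from an RFC 1413 reply: "port,port:USERID:OS:username".
    # Everything after the third colon is controlled by the remote identd.
    parts = reply.split(b":", 3)
    if len(parts) < 4:
        raise ValueError("malformed identd reply")
    return parts[3].strip(b" \t")

def queue_record_unsafe(username: bytes) -> bytes:
    # The pattern the post describes: the identd-supplied value is written as-is, so a
    # newline inside it ends the record early and starts a new one.
    return b"U:" + username + b"\n"

USERNAME_OK = re.compile(rb"^[A-Za-z0-9._-]{1,64}$")

def queue_record_safe(username: bytes) -> bytes:
    # Hardened form: only a strict character set is accepted before writing; CR/LF,
    # colons and other control or delimiter bytes are rejected rather than escaped.
    if not USERNAME_OK.fullmatch(username):
        raise ValueError("identd username rejected: %r" % username)
    return b"U:" + username + b"\n"

def record_count(data: bytes) -> int:
    # How many records a line-oriented reader would see in the written bytes.
    return len([line for line in data.split(b"\n") if line])

if __name__ == "__main__":
    good = ident_username(b"6195, 23 : USERID : UNIX : stjohns")              # constructed
    bad = ident_username(b"6195, 23 : USERID : UNIX : alice\nX:injected")     # constructed
    print(record_count(queue_record_unsafe(good)))  # 1
    print(record_count(queue_record_unsafe(bad)))   # 2: one username produced two records
    try:
        queue_record_safe(bad)
    except ValueError as err:
        print("rejected:", err)
```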

Enumerate Windows Users In JS – Creepy-cool!

Sergey Vzloman is at it again… He sent over a really interesting piece of demo code (he tested it in IE6.0 and FF – I was only able to test it in Firefox) that enumerates users on Windows systems. Right now, as the code stands in his demo (with only minor tweaks from me) it only tries four accounts and is intentionally noisy to show what it’s doing, but it works pretty well.

Suggested Blog Reading – Friday May 18th, 2007

Friday already. I have to remember to go to the butcher tomorrow morning to pick up my brisket….mmmm…..brisket. On another note, I’ve noticed a decrease in posting on my RSS feeds today. I suspect that this may be due to everyone getting ready for Interop in Vegas next week.

Here’s the list:

pwdump6 1.5.0 as well as fgdump 1.5.0 Released for Download – New versions of some great tools.

A while ago some updates of pwdump and fgdump were released, namely pwdump6 1.5.0 as well as fgdump 1.5.0.

Version 1.5.0 of both programs takes advantage of some changes which make them less likely to be detected by antivirus, at least as of today. This will be particularly helpful to those of you dealing with recent, more aggressive AV solutions. The README file for pwdump6 has also been updated to give some examples, as it seems some folks were having a hard time figuring out how to get started with it.

Does Using “Certified” Software Products Improve Compliance? – What does “Certified” really mean anyway?

You see software vendors touting that their products have been certified and that they will help companies meet “compliance,” but I have found very little research into what this really means, or if it means anything at all.

Estonian DDoS Attacks – A summary to date – Good analysis of the issues that Estonia was facing.

Largest attacks we measured: 10 attacks measured at 90 Mbps, lasting upwards of 10 hours. All in all, someone is very, very deliberate in putting the hurt on Estonia, and this kind of thing is only going to get more severe in the coming years.

Gone in 120 seconds: cracking Wi-Fi security – Does it scare you? It should.

When WEP was compromised in 2001, the attack needed more than five million packets to succeed. During the summer of 2004, a hacker named KoreK published a new WEP attack (called chopper) that reduced by an order of magnitude the number of packets requested, letting people crack keys with hundreds of thousands of packets, instead of millions.

Last month, three researchers, Erik Tews, Andrei Pychkine and Ralf-Philipp Weinmann, developed a faster attack (based on a cryptanalysis of RC4 by Andreas Klein) that works with ARP packets and just needs 85,000 packets to crack the key with a 95 per cent probability. This means getting the key in less than two minutes.
