
Suggested Blog Reading – Thursday August 16th, 2007

What a crazy, crazy, crazy week.

Here is the list:

XORSearch V1.2.0: XOR & ROL – I look forward to Didier’s upcoming post with further details.

Last week I analyzed a piece of malware that had each byte of its strings ROL 1 (ROtate Left) encoded. I’ll give more details about this trick in an upcoming post.

It prompted me to update my XORSearch tool to deal with ROL encoding. Feeling lazy, I only coded ROL support, not ROR. 😉 Or did I, what do you think?
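To make the ROL trick concrete, here is an added example (my own code, not Didier's XORSearch) that brute-forces XOR keys 0..255 and ROL shifts 1..7 over a byte buffer and reports where a plaintext string turns up. The buffer is constructed in the block itself (no real malware). It also answers the ROR question in the quote: rotating an 8-bit value left by n is the same as rotating it right by 8-n, so trying ROL 1..7 already covers every ROR encoding, and a string that was ROL-1 encoded is found under "ROL 7".

```python
"""Added example: XORSearch-style brute force of XOR and ROL encodings.
Not XORSearch's own code; the sample buffer below is constructed."""


def rol8(b: int, n: int) -> int:
    """Rotate an 8-bit value left by n bits (n is reduced mod 8)."""
    n %= 8
    return ((b << n) | (b >> (8 - n))) & 0xFF


def xor_decode(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def rol_decode(data: bytes, n: int) -> bytes:
    return bytes(rol8(b, n) for b in data)


def search(data: bytes, needle: bytes):
    """Return (encoding, key, offset) tuples for every key under which needle
    appears. XOR key 0 is plaintext. ROL 8 is the identity and ROL by 8-n is
    ROR by n, so shifts 1..7 cover ROR as well."""
    hits = []
    for key in range(256):
        dec = xor_decode(data, key)
        pos = dec.find(needle)
        while pos != -1:
            hits.append(("xor", key, pos))
            pos = dec.find(needle, pos + 1)
    for n in range(1, 8):
        dec = rol_decode(data, n)
        pos = dec.find(needle)
        while pos != -1:
            hits.append(("rol", n, pos))
            pos = dec.find(needle, pos + 1)
    return hits


def build_sample() -> bytes:
    """Constructed buffer: filler, 'cmd.exe' XORed with 0x41 at offset 32,
    filler, then 'http://' with every byte ROL-1 encoded at offset 71."""
    junk = bytes(range(0x10, 0x30))          # 32 bytes of filler
    xor_part = xor_decode(b"cmd.exe", 0x41)  # offset 32
    rol_part = bytes(rol8(b, 1) for b in b"http://")  # offset 32+7+32 = 71
    return junk + xor_part + junk + rol_part + junk


if __name__ == "__main__":
    blob = build_sample()
    for needle in (b"cmd.exe", b"http://"):
        for enc, key, off in search(blob, needle):
            print(f"{needle!r}: {enc} key {key:#04x} at offset {off}")
```

Decoding a ROL-1 string means rotating each byte right by 1, which is why the `http://` hit is reported as ROL 7; the tool never needs a separate ROR mode.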

Is That a Hole in Your Kernel or Are You Just Pleased to See Me? – Interesting article. Pull that cert 🙂

Anyway, before these came another example, though I’ve only just got around to blogging about it. Why is it a good example? Well it was in a common open-source driver which is signed by a third-party and used pretty widely by the technical community. The driver is WinPcap, the packet-sniffing driver used by tools such as Wireshark. The vulnerability is a bug that allowed arbitrary kernel memory to be written to.

An Evening With a Friend – I promised Ron I’d include this in my SBR today. It’s quite a good story (Shimmy agrees) and would serve as a good article to use when speaking to a small business about security (for all you consultants out there).

Several weeks ago, a good friend of my family who is a lawyer for an application hosting company and I were speaking about network security and I brought up Nessus. “Can you scan one of our hosted sites?” he asked. A short while later, especially after asking the right sort of legal questions, we were looking at the results of a non-credentialed Nessus scan for a high traffic web site.

Preventing XSS Using Data Binding – Cool demo.

Stefano Di Paola sent me an interesting email the other day. Honestly, it took me a good hour of playing with it before I finally wrapped my brain around what was going on. Using data binding he can make JavaScript attach user content to the page while validating that it does not contain active content. That is, styles are okay, but JavaScript is not. Very interesting. Here’s the demo (warning, not for the technically faint of heart).

Detecting and Preventing Rogue Devices on the Network from the SANS Information Security Reading Room

U.S. Dept. of Homeland Security Makes 14 Privacy Impact Assessments Available – “Helping corporate America receive an F on their audit since 2007”

I am a huge proponent of privacy impact assessments (PIAs); basically risk assessments for privacy. PIAs can reveal gaps in privacy practices, along with the information security practices used to protect privacy. They are important and effective exercises for all organizations that handle personally identifiable information (PII).

rtpBreak – RTP Analysis & Hacking Tool – Another tool for your belt.

rtpBreak detects, reconstructs and analyzes any RTP [rfc1889] session through heuristics over the UDP network traffic. It works well with SIP, H.323, SCCP and any other signaling protocol. In particular, it doesn’t require the presence of RTCP packets (voipong needs them), which aren’t always transmitted by recent VoIP clients.
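As an added illustration of what "heuristics over the UDP traffic" means in practice, the block below (my own code, not rtpBreak's) parses the RFC 1889 fixed header out of raw UDP payloads and accepts a flow as an RTP session only when several packets share one SSRC and payload type and carry consecutive sequence numbers. The acceptance rule and the sample packets are this example's own construction; rtpBreak's actual heuristics may differ.

```python
"""Added example: signaling-free RTP session detection from UDP payloads.
Not rtpBreak's code. The acceptance heuristic is an assumption made here."""
import struct
from collections import defaultdict

# RFC 1889 fixed header: V/P/X/CC, M/PT, sequence, timestamp, SSRC (12 bytes)
RTP_HEADER = struct.Struct("!BBHII")


def parse_rtp(payload: bytes):
    """Return the parsed fixed header, or None if the bytes cannot be RTP."""
    if len(payload) < RTP_HEADER.size:
        return None
    b0, b1, seq, ts, ssrc = RTP_HEADER.unpack_from(payload)
    if b0 >> 6 != 2:                      # RTP version must be 2
        return None
    cc = b0 & 0x0F                        # number of 32-bit CSRC entries
    if len(payload) < RTP_HEADER.size + 4 * cc:
        return None
    return {"pt": b1 & 0x7F, "marker": bool(b1 & 0x80), "seq": seq,
            "ts": ts, "ssrc": ssrc, "cc": cc,
            "payload_len": len(payload) - RTP_HEADER.size - 4 * cc}


def find_rtp_sessions(packets, min_packets=3):
    """packets: iterable of (src_ip, src_port, dst_ip, dst_port, udp_payload)
    in capture order. A (flow, SSRC) group counts as an RTP session when it has
    at least min_packets packets, a single payload type, and sequence numbers
    that increase by exactly one (mod 2**16). This rule is this example's own;
    it rejects lone packets whose first byte merely looks like version 2."""
    groups = defaultdict(list)
    for src, sport, dst, dport, data in packets:
        hdr = parse_rtp(data)
        if hdr is not None:
            groups[(src, sport, dst, dport, hdr["ssrc"])].append(hdr)

    sessions = []
    for key, hdrs in groups.items():
        if len(hdrs) < min_packets:
            continue
        pts = {h["pt"] for h in hdrs}
        seqs = [h["seq"] for h in hdrs]
        consecutive = all((b - a) % 65536 == 1 for a, b in zip(seqs, seqs[1:]))
        if len(pts) == 1 and consecutive:
            sessions.append({"flow": key[:4], "ssrc": key[4], "pt": pts.pop(),
                             "packets": len(hdrs), "first_seq": seqs[0]})
    return sessions


def make_rtp(pt, seq, ts, ssrc, payload=b"\x00" * 160):
    """Build a version-2 RTP packet with no padding/extension/CSRCs."""
    return RTP_HEADER.pack(0x80, pt, seq, ts, ssrc) + payload


def sample_packets():
    """Constructed traffic: a 4-packet PT 0 stream, one lone RTP-looking
    packet on another flow, and a DNS-style query that is not RTP."""
    flow = ("10.0.0.5", 16384, "10.0.0.9", 20000)
    pkts = [flow + (make_rtp(0, 1000 + i, 160 * i, 0xDEADBEEF),)
            for i in range(4)]
    pkts.append(("10.0.0.7", 5000, "10.0.0.9", 5001,
                 make_rtp(8, 7, 0, 0x01020304)))
    pkts.append(("10.0.0.7", 53000, "10.0.0.1", 53,
                 b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"))
    return pkts


if __name__ == "__main__":
    for s in find_rtp_sessions(sample_packets()):
        print(f"{s['flow']} SSRC {s['ssrc']:#010x} PT {s['pt']} "
              f"{s['packets']} packets from seq {s['first_seq']}")
```

The sequence check wraps correctly at 65535 to 0, which matters on long calls; a production detector would also tolerate small gaps for lost packets rather than demanding strictly consecutive numbers.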

Advance your career – master the fundamentals – Great article for those starting out in security and a refresher for those who have been involved in it for some time.

I’ve been really impressed by the exploration and resulting discussion of the fundamentals taking place in the Security Catalyst Community. Join the discussion: What are your “fundamentals” for security?

My quest for the fundamentals began initially considering the superstars of sports, and watching, then studying their routines. I’ve shared the fundamentals conversations with clients, friends and colleagues – and I love listening to the stories of how this applies to sports, to things like teaching children math and science… all of the different ways we connect, consider and distill. It’s not a surprise to me that we’re collectively struggling to develop a clear list of the fundamental building blocks of information protection.

PCI Poll results – Too complex but equally easy as dirt? I don’t understand the voters.

Now I know that the numbers don’t add up but voters were allowed to select multiple answers and the percentage is based on the total number of voters.

So I guess it goes back to my original thought that the level of difficulty that PCI compliance involves depends on the shape of the network you are working with. Large or small, if it is a poorly designed network you are going to have a struggle. If it is a securely designed network then your job will be much easier. The issue isn’t understanding what is required; it’s putting the requirements into practice.

Virtual Machine Replication & Failover with VMWare Server & Debian Etch (4.0) – Something I’ve always thought about but haven’t investigated further. Good article.

This tutorial provides step-by-step instructions about how to create a highly available VMware Server environment on a Debian Etch system. With this tutorial, you will be able to create Virtual Machines that will be available on multiple systems with failover/failback capabilities.

The system is based on components of “The High Availability Linux Project”, namely “DRBD” and “Heartbeat”.
The free open-source edition of DRBD will only allow a 2-node active/passive environment, so this is not for large businesses! Also, the heartbeat/drbd setup configured in this tutorial uses 2 Ethernet NICs. I recommend that at least the NIC to be used for DRBD replication (eth1 in this tutorial) is 1Gbit or more.

WebCast On Hacking Intranets – “Webcasts….get your webcasts here…..”

If you missed our Blackhat talk the other day and wanted to hear it, Whitehat is sponsoring a webcast this Tuesday. It’s at Tuesday, August 21, 2007 at 11:00 AM PDT (2:00 PM EDT). This is going to be almost a direct repeat of our Blackhat talk, so for those of you who already made it, don’t worry if you miss it.

MPack: Getting More Dangerous – Good follow up article with more information on the latest version of MPack.

In our previous analysis we discussed ‘What is Mpack and how it works’. We had reviewed MPack version 0.84 in our previous blog. This time we will compare it with an updated version, MPack v 0.91.

Suggested Blog Reading – Tuesday August 14th, 2007

Vacation….over 🙂

I was able to get away from the office for an entire week. No phone, internet, computers, email…it was glorious! I highly recommend it as a way to recharge your batteries if you’re feeling a little worn out.

And now back to our regularly scheduled programming:

There were a bunch of SANS Information Security Reading Room papers posted while I was away including:

Two kickass Web security papers recently published – A couple of papers for you to check out.

The first out of the Stanford security lab, Protecting Browsers from DNS Rebinding Attacks by Collin Jackson, Adam Barth, Andrew Bortz, Weidong Shao, and Dan Boneh.

The second paper is from Sensepost, It’s all about the timing…, by Haroon Meer and Marco Slaviero.

So Easy even I could do it – Find it hard to wrap your head around SQL injection attacks in a real world environment? Thanks to Martin McKeay for pointing this podcast out and to Dan Kuykendall for setting this up.

A friend of mine, Dan Kuykendall, recorded a podcast that will walk you through your own attempt at a SQL injection attack. He’s even got a server set up for you to hack, though it’s a bit deceiving in that he’s got a lot of security built into the back end to keep you from getting too evil on the site. Take an hour or so to walk through it and see how easy it is for yourself. And you’ll be wondering why this isn’t happening more often too.

Why virtual honeypots are sweet – Good interview. I’d really like the opportunity to review the Virtual Honeypots book 😉

In an interview with Network World Senior Editor Ellen Messmer, Provos (a senior staff engineer at Google who’s credited with developing the open-source honeypot Honeyd) and Holz (founder of the German Honeynet Project and graduate student at the University of Mannheim’s Laboratory for Dependable Distributed Systems) discuss the latest in tools for building virtual honeypots.

What is Server-side Polymorphism? – Very good post on polymorphism.

server-side polymorphism is a type of polymorphism where the polymorphic engine (the transformation function responsible for producing the malware’s many forms) doesn’t reside within the malware itself…

just as conventional polymorphism was constrained to housing the polymorphic engine within the virus its meant to operate on (because the code doing the copying has to have access to the transformation function), server-side polymorphism requires the polymorphic engine to be part of the system (generally a website) that serves (hands out) copies of the non-replicative malware it’s used on instead of being in the malware itself…

A Parser to Transform Vista Event Log Files into Plain Text – Hey that’s kind of cool. Good work!

I am pleased to announce the release of my parser framework for Vista event log files. It mainly consists of a set of Perl modules that implement the data structures which are known to me at this time. The archive also contains two sample programs that transform the native, binary event log file into textual XML. This release accompanies my talk at the DFRWS 2007 in Pittsburgh.

A few eye bleeders were released as well:

mssql-hax0r v0.9 – Multi-purpose MS-SQL injection script – Another tool to add to your belt.

mssql-hax0r v0.9 is a Multi-purpose MS-SQL injection attack tool for advanced Microsoft SQL Server exploitation. Three modes of operation are currently available: info (Information Gathering), dump (Record Dump), and brute (Brute Force).

You may need to tweak the code a bit to make it fit your needs (i.e. modifying the injection string and/or the language used by the RDBMS).

Free PCI Compliance Book Chapter: On Logging! – Look for my review of this book sometime this week. Very good chapter.

Wow! Syngress/Elsevier has released one chapter from our “PCI Compliance” book: and it is my chapter on logs in PCI! Enjoy!

Suggested Blog Reading – Thursday August 2nd, 2007

I can’t believe it’s August already. This year is just flying by. I think I’ve tentatively decided to try and get to Black Hat next year so I may have to start tucking away money now for airfare. That might be a challenge because it’s also my 5 year anniversary next year. Think my wife would let me combine the two trips? 🙂

Here’s the list:

The Beginning of a Windows Pentest Encounter – Thanks to LonerVamp for pointing this one out.

Here is a quick paper (notes) about pen-testing a Windows Active Directory network. While I do know this paper covers only the lowest-hanging fruit, it seems that all too often, these lowest-hanging fruit are the most common fruit found in the wild.

Insider Threat and Cowboys: The Wall Street Journal Tells Your Personnel How To Get Around Your Security – I hope organizations treat this as a “wake-up call”

Oh, boy, reading this Wall Street Journal story, “Ten Things Your IT Department Won’t Tell You” brought back some memories of personnel who went to great lengths to get around security requirements!

All the networking you could need: Netcat – Good cheat sheet for NetCat commands.

So my SANS course this past week culminated today with a nice game of capture the flag. While not Defcon caliber it ended up being quite a lot of fun, especially for a game that only could last six hours, and did a fantastic job of bringing the course together. We learned a lot of tools during the class and playing scenario based ctf brought it all together as many of them were used during the game. Mostly we focused on the old favorites: NMap, Nessus, John the Ripper; the kinda tools that have been around forever, and for good reason.

We focused mainly on another tool, one I’d known but used little. Called the “network swiss-army knife”, Netcat proved, as we were promised by Ed, the most useful tool of the whole course. Netcat does just about everything. Yes, I know, if you’ve been in networking or security for any amount of time you’re asking how I’d missed that; I hadn’t, but practical use is something else. There’s no doubt it’s one of the most useful tools a network admin, security engineer, or hacker could ever want. So just for general consumption, and for myself, I’m posting the cheat sheet I used during our class CTF competition (my team came in 3rd of around 50 in case you were wondering) just to get any other Netcat neophytes started and possibly remind some old hands of some fun tricks.

Security Freak Video Lectures – Hacking, Programming, Networking & More – Yay videos!!!!

A while back a reader e-mailed us about a new site they have called Security Freak; the site is about information security education and is mostly using video lectures to illustrate and convey the lessons.

Security-Freak.net is an attempt to lower the entry barrier for starting computer security research. The author has noticed during his interactions with security enthusiasts in general and students in particular that many lose interest because of the lack of organized learning resources in this area.

The admissibility vs. weight of digital evidence – Interesting post about a topic that I don’t regularly get to think about.

There is always a lot of conversation about when digital evidence is and is not admissible. Questions like “are proxy logs admissible?” and “what tools generate admissible evidence?” are focused on the concept of evidence admissibility. Some of the responses to these questions are correct, and some not really correct. I think the underlying issue (at least from what I’ve observed) with the incorrect answers stems from a confusion of two similar yet distinct legal concepts: evidence admissibility and the weight of evidence.

s/regex/English/g – I agree with Lori on this. Especially in my line of work there is a need for strong regular expression knowledge when dealing with operating system, application, and device logs.

So if you’re a developer and find yourself in need of a good tutorial, i.e. one that doesn’t tersely indicate you should RTFM(an page), check out this blog post by I’m Mike, appropriately titled “The absolute bare minimum every programmer should know about regular expressions”. Mike also has some more detailed posts about regular expressions and all are a great place to start digging into the craziness that is regex.

When you’ve finished reading if you want to play around with some regular expressions – cause practice makes perfect – check out Regex Designer, a nice little app that not only evaluates regular expressions but lets you visually see how the matches are made. It’s a great tool for learning regular expressions as well as fleshing out more complex expressions before trying it out in a live application. This one is great for beginners or experts.
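Since the point above is that log work lives and dies by regular expressions, here is an added example (my own, not from either linked post) that pulls the fields out of OpenSSH "Failed password" syslog lines with a verbose, named-group pattern and tallies failures per source address. The log lines are constructed for the example, and the exact sshd message wording they follow is an assumption; check it against your own logs before reusing the pattern.

```python
"""Added example: named-group regex over sshd syslog lines.
The sample lines are constructed; the message format is an assumption."""
import re
from collections import Counter

# re.VERBOSE lets the pattern be laid out and commented; literal spaces
# must then be escaped as "\ ".
FAILED_LOGIN = re.compile(r"""
    ^(?P<month>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s+(?P<time>\d{2}:\d{2}:\d{2})\s+
    (?P<host>\S+)\s+sshd\[(?P<pid>\d+)\]:\s+
    Failed\ password\ for\ (?:(?P<invalid>invalid\ user)\ )?(?P<user>\S+)\s+
    from\ (?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+port\ (?P<port>\d+)
""", re.VERBOSE)


def parse_failed_login(line: str):
    """Return a dict of fields for a failed-password line, else None."""
    m = FAILED_LOGIN.search(line)
    if not m:
        return None
    rec = m.groupdict()
    # The optional "invalid user" prefix tells an unknown account from a
    # known one with a bad password; keep it as a boolean.
    rec["invalid_user"] = rec.pop("invalid") is not None
    rec["pid"] = int(rec["pid"])
    rec["port"] = int(rec["port"])
    return rec


def failed_logins_by_ip(lines):
    """Count failed password attempts per source IP across an iterable of lines."""
    counts = Counter()
    for line in lines:
        rec = parse_failed_login(line)
        if rec is not None:
            counts[rec["ip"]] += 1
    return counts


# Constructed sample log (documentation-range addresses).
SAMPLE_LOG = """\
Aug 16 09:12:01 bastion sshd[2143]: Failed password for invalid user admin from 203.0.113.5 port 4422 ssh2
Aug 16 09:12:03 bastion sshd[2143]: Failed password for invalid user oracle from 203.0.113.5 port 4423 ssh2
Aug 16 09:12:09 bastion sshd[2150]: Accepted publickey for deploy from 198.51.100.20 port 50122 ssh2
Aug 16 09:13:44 bastion sshd[2161]: Failed password for root from 198.51.100.77 port 3391 ssh2
""".splitlines()


if __name__ == "__main__":
    for ip, n in failed_logins_by_ip(SAMPLE_LOG).most_common():
        print(f"{ip:16} {n} failed logins")
```

Anchoring the pattern with `^` and using named groups keeps later field access readable (`rec["ip"]` rather than `m.group(7)`), and the optional `invalid user` group is tried before the greedy `\S+` for the username, so "root" and "admin" both land in the right field.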

Upcoming Workshop on Windows Memory Analysis – If you find yourself in Deutschland you may want to check this out.

I’m excited to announce that I will hold a workshop on Windows Memory Analysis on Thursday September 13, 2007 at the IMF Conference in Stuttgart, Germany.

The workshop most likely will be themed around the detection of a trojan horse and a rootkit. During the 90 minutes I will demonstrate the usage of the Microsoft Debugger and some open-source tools.

Worm vs Thief: Take Your Pick – Wow. I would have loved to have been a fly on the wall during that conversation.

At a recent security conference (as many mentioned, presentations are not even half the value of such events!), I had this eye-opening chat with a guy who manages security at a large “natural resource extraction” company (to avoid specifics …). The conversation moved towards “data security” vs “IT infrastructure security,” which I always thought to be a somewhat artificial distinction (they are kinda the same since the sole purpose of IT infrastructure is to process and move data around). However, for this guy the difference was very real; in fact, he said: “I’d rather have all my critical systems fall to a worm than have the details of my mining process stolen and possibly disclosed! We will go out of business the next year.” I argued that surely his company has more assets and “crown jewels” than that, but he explained that there are key pieces that, if purposefully stolen, will cause the worst case scenario to manifest …

Project Lasso 4 Released – Collecting logs from a Windows box is a disgusting endeavor that usually leaves you feeling dirty and shamed. Tools like Lasso help you feel that much cleaner when you’re done 🙂

Project Lasso collects all log data from Windows hosts without the need for any agents or code installed on the remote system – this speeds up deployment and reduces administration, leading to a much higher ROI. Windows DLL files contain critical information relating to the log messages themselves.
