Steve on Security

Ever had your PST file folders grow uncontrollably due to autoarchive? Try this powershell script. Genius. http://www.xipher.dk/WordPress/?p=255

Posted in Uncategorized

https://threatpost.com/en_us/blogs/apple-laptop-batteries-can-be-bricked-firmware-hacked-072211

Posted in Uncategorized

http://www.itexpertseries.com/  come visit.  Great panel.

Posted in Uncategorized

Those who know me know I love the visualization of complex data.  Check out Nathan Yau’s gerat work (and upcoming book Visualize This
The FlowingData Guide to Design, Visualization, and Statistics) at http://flowingdata.com/2011/06/13/largest-data-breaches-of-all-time/

Posted in Uncategorized

http://www.technologyreview.com/computing/37967/?p1=A3&a=f

Posted in Uncategorized

Things they are a changin’.  Looks like a resiliency test for some APT code modules that might be used in the future.  Replace DDoS code with other malware and you have  resistent code base that you can use in future attacks. http://blogs.mcafee.com/wp-content/uploads/2011/07/McAfee-Labs-10-Days-of-Rain-July-2011.pdf

Posted in Uncategorized

http://www.accountkiller.com/en/

Finally a resource to help navigate sites that make it hard to kill your account.

Posted in Uncategorized

Saw this card reader on a Wells Fargo ATM at the Atlanta airport.  Easy and cost-efficient way to stop the installation of skimmers.  The odd shaped card reader interface prevents overlay of a skimmer.  Kudos for keeping it simple.

WF Interface

Posted in Uncategorized

Got this one today.  Interesting bot.  Solicits your email address with a bot, then automagically sends a payload to that email address.  Just complex enough for noobs to think it may be legit.

Facebook Bot

Posted in Uncategorized

I like this one. Quick and dirty ways to turn off UAC, register face signed certs and install unsigned drivers. Sexy.

http://www.securelist.com/en/blog/11266/Rootkit_Banker_now_also_to_64_bit

Posted in Uncategorized

Been on a news hiatus for 8 weeks, but passed a TV with this story playing. No way to make enough money to justify $8.5bn purchase price. Strategy: buy it, charge per user while building demand for unified communications, kill it and take over with LCS.

Posted in Uncategorized

Brilliant.   What if Google and NSA shared information?  Google’s single signon, coupled with the ability to fingerprint emails, blog and other posts, an intel agency has the ability to connect all of those data-points (and signatures)  temporally.   1984

Posted in Uncategorized

I *strongly* recommend this book for entrepreneurs, business people and those with P&L responsibility.   Rework

Posted in Uncategorized

What: A password cracking contest sponsored by KoreLogic.
Where: DEFCON 2011 at the Rio Casino in Las Vegas.
When: Contest takes place during DEFCON and will last 48 hours.
Who: Teams with at least one team member attending the conference.
Why: To help push the envelope of password cracking techniques / methodologies and win a prize while you are at it. Prizes will be awarded for first, second, and third place

http://contest.korelogic.com/wordlists.html

Posted in Uncategorized

Breaks my heart.  M$oft finally used windows update to disable autorun.  Still works for shiny media like CDs and DVDs (and U3 drives  One of my favorite attack vectors.  Do this instead:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf]

set key to @=”@SYS:DoesNotExist”

Posted in Uncategorized

**UPDATE**: M$oft appears to have “fixed” this in a recent update.  Search no longer honors this method.

Nice trick over at Windows Seven Forums that allows you to circumvent Win7 Search’s restriction on searching network shares.  (A marketing feature to force you to buy Windows Server).  Uses Windows Symbolic Links…didn’t unix have those like 35 years ago?

To add a non-indexed UNC as a library to Windows 7 Beta:

1. Create a folder on your hard drive for shares. i.e. c:\share

2. Create another folder in the above share. i.e. c:\share\music
2. Link the Library to this folder.
3. Delete the folder.
4. Use the mklink in an elevated command prompt to make a symbolic link. Name the link the same as the folder you created above.
i.e - mklink /d c:\share\music \\server\music
5. Done. Now you have non-indexed UNC path as a library.

Posted in Uncategorized

Backtrack4-r2 comes with pre-compiled nmap, but the scripts in /usr/share/nmap/scripts have not been compiled into the nmap script database at /usr/share/nmap/scripts/script.db, meaning you can’t execute the little buggers from the CLI. Fix this by executing
nmap –script-updatedb

Posted in Uncategorized
Tags: nmap bt4

Painful little process to uncover.

Not terribly fast, but functional.  Requires Qemu.  Install the QEMU manager which gives you GUI goodness should you want it and a clean install.

These instructions are tailored towards using Windows for the file conversion with qemu. If you’re using Linux you’re probably smart enough to adapt these instructions to your system.

1. Open a command prompt: Start > Run and type “cmd”
2. Use “cd” to go to the directory you download and extracted Qemu.
3. Run: qemu-img.exe convert -f vpc "[vhd file]” -O raw [outfile].bin
4. Wait…(will take a while)
5. Convert and compress the “.bin” file.
   1. VBoxManage convertdd [outfile.bin] [vdifile].vdi
   2. VBoxManage modifyvdi XPIE7.vdi compact
6. Open VirtualBox
7. Click New
8. Go through the wizard
   1. Use the new “.vdi” file as the “Boot Hard Disk”.
   2. Finish wizard and start it!
   3. You may have to turn on ACPI feature if the image was built on VMWare.  It’s slower, but will prevent the windows BSOD

Posted in Uncategorized

Useful pointy-click/draggy-droppy  tool for updating libraries to include network shares and NAS devices without using creepy slutil.exe

Posted in Uncategorized

I hate itunes, but it saves me time prepping for swim/bike/run and podcast management.   see http://www.ilounge.com/index.php/articles/comments/moving-your-itunes-library-to-a-new-hard-drive/

I now have all my music on the 7TB NAS and my itunes library XML up there as well.

Did I mention I hate itunes?

Posted in Uncategorized

I finally upgraded my rig at the house.  No sense in building a custom box for the incremental performance gains I thought, so I bought an HP Z400 with 12G of RAM, Xeon w/8 cores, a trio of 15k SAS drives in a goofy RAID 1E array.  I’ve always been I/O bound because of the workloads I run (fully indexed filesystem, several years at tens-of-gigs of email, multiple VMs, lots of data & database analysis, rainbow table searches, etc.) so I thought I’d try out the RevoDrive 240G.

This thing is spec’d to deliver >500MB read/write performance and has a great cost per GB of about $2.04 when I bought it a couple of weeks ago.  I got this beast installed after a little grinding on the mounts to get it in the chassis, overcame some BIOS memory issues and fired it up.  Windows 7 installed in about 8 minutes, and office 2010 installed in about 3.  This thing is wicked fast, and at this price point it’s worth every penny.  Highly recommended.  And OCZ just released the RevoDrive X2 – double the size (up to 960GB), double the performance (up to 740MB/s write) and marginally more expensive.

Here’s the CrystalMark scores on this drive in my rig:

Performance of the RevoDrive

Just for comparison, I did a CystalMark test on my RAID1E array setup on some 15K SAS drives installed in the rig.  Not even close.

Performance of the SAS 15K RAID volume

Posted in Uncategorized

If you’ve been tracking stuxnet but haven’t taken the time to really dig into the elegance of this piece of malware, the Symantec Dossier is well done and worth a read.  Of particular interest is how the code hooks AV/HIPS products to get trusted access to the system.

Posted in Uncategorized

Mubix has a great video on how to remove SEP silently using metasploit.  Check it

Posted in Uncategorized

No real security use but wicked fun.  http://homokaasu.org/rasterbator/ <- if link is dead, try http://download.freewarefiles.com/files/Rasterbator_Standalone_1.21.zip

Posted in Uncategorized

I’m a big fan of Mark Russinovich’s content – very dense and very useful.  In “The case of the slow project file opens” he does a quick deep dive on debugging a performance problem while poking Symantec AV squarely in the eye.

Posted in Uncategorized

This site has saved me on more than one occasion when trying to use perl code to mangle text files (e.g. dumps) into a MS* database http://www.connectionstrings.com/

Posted in Uncategorized

Here’s a few repositories for password lists I like to use

• SkullSecurity’s archive
• ophcrack
• Shmoo Group
• Rainbow Crack

Posted in Uncategorized

http://www.exploithub.com/

Posted in Uncategorized

Posted in Uncategorized

Sexy….

GEORGIA TECH RESEARCHERS DESIGN SYSTEM TO TRACE CALL PATHS ACROSS MULTIPLE NETWORKS

The tool is called PinDr0p, and works by analysing the various characteristic noise artifacts left in audio by the different types of voice network – cellular, VoIP etc. For instance, packet loss leaves tiny gaps in audio signals, too brief for the human ear to detect, but quite perceptible to the PinDr0p algorithms. Vishers and others wishing to avoid giving away the origin of a call will often route a call through multiple different network types.

 

Posted in Uncategorized

Wicked cool. This software removes objects from streaming video in realtime. Some interesting applications. One I can think of is a nice little thief toolkit that removes the thief from the security camera feeds. Just like something from a sci-fi movie. The link has a video demonstrating the process.
http://www.popsci.com/technology/article/2010-10/video-voodoo-software-removes-objects-live-video

Posted in Uncategorized

Posted in Uncategorized

Great paper on the cryptographic weaknesses resulting from bad nonce generation.  Thanks to my friend Tinkle for pointing this one out.

Abstract. A nonce is a cryptographic input value which must neverrepeat within a given context. Nonces are important for the security ofmany cryptographic building blocks, such as stream ciphers, block ciphermodes of operation, and message authentication codes. Nonetheless, thecorrect generation of nonces is rarely discussed in the cryptographic lit-erature.In this paper, we collect a number of nonce generators and describe theircryptographic properties. In particular, we derive upper bounds on thenonce collision probabilities of nonces that involve a random component,and lower bounds on the resulting nonce lengths.We also discuss an important practical vulnerability of nonce-based sys-tems, namely the nonce reset problem. While ensuring that nonces neverrepeat is trivial in theory, practical systems can suer from accidentalor even malicious resets which can wipe out the nonce generators cur-rent state. After describing this problem, we compare the resistance ofthe nonce generators described to nonce resets by again giving formalbounds on collision probabilities and nonce lengths.The main purpose of this paper is to provide a help for system designerswho have to choose a suitable nonce generator for their application. Thus,we conclude by giving recommendations indicating the most suitablenonce generators for certain applications.

Posted in Uncategorized

http://www.archive.org/details/LouisvilleMetasploitClass

Posted in Uncategorized

Some interesting information to make more efficient bruteforcing attacks - http://www.architectingsecurity.com/2010/09/11/password-patterns/

Posted in Uncategorized

Posted in Uncategorized

Posted in Uncategorized

Rating:   Functionality-7/10            Ease of use:  8/10               Usability: 9/10

This week I’ve been testing Gbridge.  Gbridge is a (currently free) extension to Google’s Gtalk network service for Windows 2000/XP/Vista/7.  Installed as an agent, it will automatically create a VPN tunnel between other computers running Gbridge and logged in under the same gTalk account.   You can also  extend the VPN to Gtalk friends by  invitation. Gbridge also has some nifty features such as folder synchronization, remote desktop share (VNC), automatic backup, live browsing, chat, and tunneling of RDP and other TCP/UDP protocols.  Gbridge also integrates with Google Apps accounts, making it easy to create VPN within organizations that utilize Google Apps.

APPLICATION SUPPORT: I tested several applications over Gbridge such as RDP, NetBIOS shares, FTP and even a little NMAPpery — everything worked like a champ.  Gbridge has built in firewall functionality, allowing you to allow/block traffic to and from other Gbridge clients logged in under your gTalk account as well as specific firewall rules for connections to other gTalk friends’ computers.

THROUGHPUT:  Gbridge will, like many p2p platforms, try to establish direct connections between Gbridge clients, even if behind a NAT device using some UDP NAT traversal tricks.  If for some reason it cannot traverse the NAT device(s), it will use Gbridge servers as a proxy, or you can manually setup port forwarding.  In my testing between my house (7Mb DSL) and the office (10MB fiber) I got a respectable 2.5Mb throughput using CIFS copy and about the same using the built in SecureShare HTTP copy.  Not bad for NAT traversal.

SECURE SHARES: Want to share a folder or group of folders out to your gTalk friends?  Not a problem.  The Gbridge pointy-clicky interface allows you to share a folder with other PCs logged in under your gTalk account; individuals friends accounts; and apply file filtering rules and additional password protection.  Very nifty for a quick file transfer or leeching.

AUTOSYNC and BACKUPS: Quickly becoming one of my favorite functions.  Setup a SecureShare on one or more of your GBridged computers, and you can “AutoSync” it at will.  Great for syncing work/home files or pwning a headless server.  Not as elegant as ncat, but workable and everyone allows access to google servers these days.  Backups work much the same way — a one-way sync of a SecureShare.  Fast and easy DR/COOP.

CAVEATS:  if you have a host firewall or Host-based intrusion prevention service like eEye Blink, be sure you pre-configure rules to allow gBridge to do its thing.  When I was testing the utility, I forgot to disable the firewall service before I left for work and as a result when I tried to connect from the office, the connection failed because Blink was popping up dialogs on my home PC asking if it should allow the inbound connection.

Posted in Uncategorized

The software security space exceeded the $500 million mark in 2009. Software security expert Gary McGraw examines the tools providers and services firms to find out how quickly the market is growing, and which parts of the market are driving growth.

http://www.cigital.com/justiceleague/2010/08/16/software-security-crosses-the-threshold-in-2009/

Posted in Uncategorized

Not sure why I never stepped on this before:  This is a well managed aggregrated news site + original content http://venturebeat.com/

Posted in Uncategorized

Posted in Uncategorized

WeakNet Linux is designed primarily for penetration testing, forensic analysis and other security tasks. WeakNet Linux IV was built from Ubuntu 9.10 which is a Debian based distro. All references to Ubuntu have been removed as the author completely re-compiled the kernel, removed all Ubuntu specific software which would cause the ISO to bloat, and used a non-Ubuntu-traditional Window Manager, with no DM. To start X11 (Fluxbox) simply type “startx” at the command line as root.

Posted in Uncategorized

Well, 2G ATT and TMobile anyway.  Over at Wired

Posted in Uncategorized

Hey, it’s not like you could bring down the grid or anything.  #root #fail  Pop over to SC Magazine

Posted in Uncategorized

One of my new favorite toys.  One use:  pop a client site, take a round of photo’s, show a panorama of pwnage http://research.microsoft.com/en-us/downloads/730cd6bb-6450-4e66-8101-a94e71cb0779/default.aspx

Posted in Uncategorized

I like free.  http://www.gbridge.com/

Gbridge is a free software that lets you remotely control PCs, sync folders, share files, and chat securely and easily. An extension of Google’s gtalk service, Gbridge automatically forms a collaborative, encrypted VPN (Virtual Private Network) that connects your computers and your friends’ computers directly and securely with patented technology. Gbridge has many unique features.

DesktopShare(VNC): Access your computer desktop remotely or share your desktop with your friend from anywhere in the world. Gbridge automatically traverses firewalls and NATting routers without the need for configuration!

SecureShare: Securely share files among your own computers, so you can remotely access your files, e.g. play mp3 , with ultimate privacy.   Securely share files to your designated friend, so the selected friend can instantly view the auto-generated photo thumbnails and slideshow remotely. No web upload/download needed!

AutoSync: Transfer large files and synchronizing folders to and from anywhere has never been easier. AutoSync supports auto-schedule, auto-resume, incremental transfers and no size restrictions!

EasyBackup: Setup an auto-recurring backup of your important folder to a local or remote PC is as easy as 1-2-3!

Posted in Uncategorized

**Remember, these roots  simply give you system file access and the ability to tweak a few other things — NOT install/flash custom roms, kernels, etc.

1. Droid X (Birdman method) - http://alldroid.org/Default.aspx?tabid=62&g=posts&m=6151&#post6151
2. Droid X (1-click) http://alldroid.org/Default.aspx?tabid=40&g=posts&t=553 and download DroidXRoot.zip

Posted in Uncategorized

YMMV. Includes info from the Secret Service and some of their cases.  Not much changed from previous years.

Who is behind Data Breaches?

• 70% resulted from external agents
• 48% caused by insiders
• 11% implicated business partners
• 27% involved multiple parties

How do breaches occur?

• 48% involved privilege misuse
• 40% resulted from hacking
• 38% utilized malware
• 28% involved social tactics
• 15% comprised physical attacks

What commonalities exist?

• 98% of all data breached came from servers
• 85% of attacks were not considered highly difficult
• 61% were discovered by a third party
• 86% of victims had evidence of the breach in their log files
• 96% of breaches were avoidable through simple or intermediate controls
• 79% of victims subject to PCI DSS had not achieved compliance

Jump over to Verizon for the report: http://www.verizonbusiness.com/resources/reports/rp_2010-data-breach-report_en_xg.pdf

Posted in Uncategorized

http://www.plainsight.info/

Posted in Uncategorized