Meanwhile, in security news

Just because Ike rolled in and tossed the upper Texas Gulf Coast like dice in a back-alley craps game, it doesn’t mean that the world of computer security (or insecurity for that matter) has been standing still.

@ Windows Incident Response Blog

Harlan Carvey systems forensics author has been hard at work keeping us informed and updated with a number of great posts over at his Windows Incident Response blog:

PlainSight – Introduces PlainSight which is a Live CD format to boot and collect information by examiners.  It contains a number of basic tools to get forensic beginners on the right path to understanding and using them.

• Rootkit Detection – Points us to a great article on rootkits by Diablo.  For more rootkit tools check out this GSD post: Anti-Rootkit Tools

• Updates - 29 Sept – This post either will point you to some great tools like Key Extraction and Historian as well as some updated forensic tool modules.

• Updates regarding Analysis – The highlight (to me) of the post was a point on how it might be possible to get a screen capture from a memory dump (and other technical details as well).

• SANS Forensic Summit – Harlan justifiably gets to brag a bit on his RegRipper tool presentation at the SANS Forensic Summit.  Good show, mate!

• Hackin9 Registry Analysis Article – And he makes a print appearance as well regarding Registry analysis. Hackin9 which will publish his article actually has some nice documents and whitepapers so if work turns slow, pop over and take a look.

• New Registry Analysis Tools – Finally we get to see the fun and games possible with the Parse::Win32Registry Perl module.

@ SANS ISC Handlers Diary

Never a dull moment or read there.

• Malware Analysis: Tools are only so good – Really well written breakdown of a malware file pick-apart. It’s a reminder that as good as any tool is, the understanding and knowledgebase of the technician/analyst behind it is even more important.

• More on tools/resources/blogs – A small collection of blogs, tools and resources for the incident handler to consider; PyFlag, PacketLife.net, and 0x0e.

• Good reading and a malware challenge – Two gems here, a PDF paper on the fastflux malware and a cheat-sheet on malware reversing.

@ Microsoft Threat Research and Response Blog

Yes. Microsoft does do some good and informative work in malware research.

• Rogue Antivirus - A Closer Look at Win32/Antivirusxp – Shows the distribution and infection method of one of many growing malicious anti-virus applications that trick unsuspecting users with false banners and warnings.

• The Cost of Free $oftware and The Cost of Free $oftware (part 2) – Reminder against fiddling with warez/cracked software. It isn’t worth the cost of “free”.

• Malware Writer Wants an Eye-to-Eye With Us – Curious message in a malware bottle.

@ Wise Words and Counsel

Yeah.  I couldn’t come up something catchier.  But then again, these are not to be passed up.

TinyApps.Org Blog : Free stand-alone antimalware app from Kaspersky – REALLY awesome standalone a/v-antimalware scanner that Miles found.  I’ve got a follow-up post on this getting this one set up to use as well as a couple more tools in this class. Stay tuned to GSD!

Dancho Danchev’s Blog - Mind Streams of Information Security Knowledge: The Commercialization of Anti Debugging Tactics in Malware – Long tile, good post.  Wonderfully well-written post that covers how malware writers are responding to attempts to anti-reverse engineer their malware as well as the business behind those fuzzing efforts.

Helix3 – Live CD used for forensic examinations of systems got a major update last month (Helix 2008R1 (2.0).  Really a neat tool and one I have long-carried in my CD case.  Good whitepapers on their site as well on how to use their tool effectively.  One other things I’ve loved Helix for is that their disk not only has a Live CD boot side, but also a cool Windows “auto-run” menu side with additional tools to use on a running Windows system.  Their “User Manual” runs an astounding 339 pages long in high-detail.  Amazing support for an open-source project.

[IN]Secure Issue 18 – has been released (PDF).  Always a great read for security folks and system administrators.

• Network and information security in Europe today
• Browser security: bolt it on, then build it in
• Passive network security analysis with NetworkMiner
• Lynis - an introduction to UNIX system auditing
• Windows driver vulnerabilities: the METHOD_NEITHER odyssey
• Removing software armoring from executables
• Insecurities in privacy protection software
• Compliance does not equal security but it's a good start
• Secure web application development
• The insider threat
• Web application security: risky business?
• AND MORE!

Forensic Time Dilatation « Didier Stevens – Didier draws our attention to a small problem with getting accurate timestamp data from forensic examinations.  In summary “ if you compile or interpret forensic reports, take particular care to avoid the pitfalls of timestamps. Take into account desynchronized clocks, clock drift, time-zones and time unit resolution.”

Matasano Chargen » Detecting Anonymizing Proxies – Nicely written and illustrated article on methods to attack anonymizing proxies to get information on IP sourcing and potential back-tracking to the “true” IP address.  Links to additional presentations by others on the subject are also included in the post.  While challenging, figuring out who and where someone is who is using an anonymizing proxy isn’t necessarily impossible.

Cheers!

--Claus