Sunday, December 07, 2008

Security and Forensics Roundup: Heavy Version #2

cc image credit: Jeremy Botter, flickr

Standing guard so you can remain alert.

So many, many very good security and forensics related links, my head is spinning from trying to organize them all into a single and coherent post.

To help achieve that, commentary will be kept to a minimum.

Must Reads

  • (IN)SECURE Magazine – Volume 19 was released this week in PDF format.  Always an engaging mix of technical discussions, security concepts, and hidden tools and tricks. Highlight articles (to me) include:

    • The future of AV: looking for the good while stopping the bad
    • Eight holes in Windows login controls
    • Web filtering in a Web 2.0 world
    • The role of password management in compliance with the data protection act,
    • 5 strategies for proactively embracing failure
    • Navigating a sea of fake codecs,
    • Role Based Access Control, and
    • How to build a security strategy to grow your career, success, and results.

  • Secret Geek A-Team Hacks Back, Defends Worldwide Web – Amazing Wired Magazine article covering the incredible discovery by Dan Kaminsky on a critical DNS flaw, and the ensuing damage control.  If you haven’t read this yet, stop and read it now.  There have been lots of follow-on discussions on the web regarding this issue, but this is a foundational read.  Great writing on technical security subject by Joshua Davis.

Password?

  • NirBlog: Saved Password Locations – NirBlog post that provides awesome background information on the locations in the Registry or file system for popular password storage.

Good information for sysadmins and auditors.

All signs point to caution when installing Firefox Add-ons.  Don’t get caught.

Score: ElcomSoft 1 : Adobe 0

Password: Stop the Leak

Fresh on the heels of SynJunkie’s excellent wireless pen-attack story comes a new series on an insider attack and investigation.

Kick back and enjoy…depending on your perspective…

Tools and Tips for Forensic Examiners

  • Basic eBlaster forensic analysis – CFMADI blog.  Great breakdown on eBlaster computer monitoring software detection.

  • Cisco Router Forensics - SANS Computer Forensics, Investigation, and Response.   For a higher audience then the desktop level work I deal with but it was good stuff anyway.

  • Perl and Forensics - SANS Computer Forensics, Investigation, and Response. I’m quickly realizing that it might be a good thing to add “Learn Perl” to my “to-do” list.

Speaking of Forensic Examiners: R U A π?

While new legislative requirements within states for forensics professionals to hold private investigators credentials are not a new subject, they seem to again be popping up and causing some degree of confusion and concern in security circles.

I even recall concern for syadmins and pc-repair tech shops believing that new legislation in Texas would lead them to shut-down until they got proper PI accreditation. (Probably not…yet.)

Thus behind that backdrop, comes even more movement on the PI (get it now? PI, pi, π) certification front in forensics.

On the surface it seems like a very good idea.  I’m all for professional accreditation where it will provide valuable and critical training/knowledge to work done in the field.  If however it provides nothing but a piece of paper on the wall and no true relevant test of demonstrated skill in the forensics field, well, even I can let you show me where a horse has been stabled and I will find evidence of what he ate and call it proof for you.

For a perfect and crystal-clear example of just why real and certifiably proven professional forensics experts are needed (and not just those who are clearly “certifiable”) look no further than this case:

Alex Eckelberry and a team of real-world experts took a look at the official court record of evidence along with a Ghost copy of the hard-drive.

I’ve read the PDF they’ve provided based on their own professional analysis and it is simply frightening.  I don’t know where to begin.  Reading it certainly clears up a number of misconceptions I had.  And it helps me understand the whole problem much more clearly.

It should be a must-read for all forensic folks as well as system administrators/security wonks.  I almost put it in at the top.

I’m wondering if the PI accreditation requirements would have helped changed the prosecution’s "forensic” experts’ evaluation and conclusions.  Somehow I suspect not.

Which comes back to my take. Experience has taught me the following wisdom; experience doesn’t necessarily make you an “expert”, nor does any degree, honor, or accreditation. In the end it is what you do personally with any and none of those things that truly will define if you are an expert in the eyes of the public and your peers.  Enough said.

I see…malware in your future

In high-school I went through a very brief fascination with the Tarot cards.  That lasted until the reading I took regarding a hook-up with a very particular pretty girl in my class fell through.  I decided then and there it was bunk.

However, the dark-arts are alive and well in the world of malware.  And that is a prediction I would put money on to remain true.

  • Malware constructor – Sunbelt Blog highlights a new malware building tool for the masses.  Looks pretty cute and harmless until you come to find out from other links that it also seems to contain a trojan.  No honor among thieves I guess…

  • VirusTotal += Comodo – Yep. Comodo’s earned a major recognition upgrade here by getting its AV scanning engine included in the VirusTotal arsenal.

  • CBS.COM was compromised – Finjan MCRC Blog – Darn it.  And all I wanted to do was get tickets for “The Price is Right”….

  • Microsoft adds malware detection to its Webmaster tools - heise Security UK.  I’ve already signed up and have this blog being monitored by Webmaster Center.  So far so good.  Still need to enroll in Google’s Webmaster Tools which has similar features.  It was very simple and pretty easy to enroll and configure. No pain.

  • Merry Malware - You’d better watch out, you’d better think twice… and O Come All Ye Malware– Microsoft Malware Protection Center blog.  More fun and holiday cheer than a bad company holiday party coupled with rancid eggnog.  Yeah.  That good.

  • VLC Exploit In The Wild – Infosecurity.us – I’ve used and loved a portable version of VLC for quite a while, but Secunia’s PSI tool never has been happy with VLC for some reason. No matter how hard I patch it, it never seems like it was enough.  Now it seems that there are even more problems with it from a vulnerability standpoint.  I only use it with trusted media files, and it has not been set as an associated application. I’m not giving up yet. But you better be careful all the same and stick to trusted media files, from trusted sources.

Rootkits?

Here we go again with software vendors dropping rootkit like stuff into their products.  So it appears folks have already forgotten Sony’s failed foray into this arena?

The Ghost of USB/AutoRun malware past

As I responded at Harlan Carvey’s post in the comments:

Daughter unit (Alvis) needed a USB stick to take to her high school to save work from a computer-lab if her assignment work wasn't completed. She had responsibly asked me a few days in advance and I promptly forgot. We got in the car a few days later and I remembered again and asked her about it. She had the forethought to grab one of our old/small USB sticks (32MB?) and had it with her.

I had to confiscate it with regret.

  1. I didn't know what of our data was still on it and needed to "audit" it and remove anything of importance in case of loss/theft at the school. (update for the curious: Turns out it had two archived KeePass databases from early 2007 (!), numerous jr.high project documents, probably every picture from icanhascheezburger, some Zoo Tycoon save files, mid-2008 dated JSON and OMPL backup files from my Firefox profile, and a PE disk building tutorial from work.  Would have been “ok” but I’ve gone back and (securely) cleaned all the old stuff off anyway.)

  2. I needed to make sure it was "clean" of any thing that might get her into trouble at school for "possessing" (forbidden utilities perhaps such as pentesting tools and other PUPS, etc.).

  3. I have NO idea the condition of the lab-pc's she will be using at school. Don't know how their IT department maintains them, what AV/AM software is used, how often they are scanned/checked for rootkits and other baddies, etc. So cross-infection of our systems could be a real possibility.

  4. Need to figure out a "reasonable" way for daughter-unit to use a USB drive between school/friends houses/systems and our own but that will minimize chance of infecting our own. Going to have to spend time looking at my new AV/AM software to check out automatic detection and scanning/access settings for removable (USB) devices.  (update: from the comments, Steve suggested looking at Didier Stevens’ USBVirusScan which can be configured to launch an AV application when a USB stick gets inserted.  Awesome tip and now added to my Sunday “to do” list! Thanks Steve!)

(Sigh)

It's hard being an IT dude AND a dad these days. Oh to be blissfully unaware....

Harlan encouraged me to start applying the MS patch and registry fix. I’m working my way through our systems this weekend.

Hogfly also chimed in with tips

There are ways to mitigate risk on a usb stick.

1) Buy one with a write block switch. Kanguru sells these.

2) Create a directory(yes a directory) named Autorun.inf. This is known to help mitigate the ability of the malware to write to the drive.

3) Disable Autorun using group policy on your computers and force the following registry change:

REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf]
@="@SYS:DoesNotExist"

These steps work.

So today I bought a 2 GB USB stick with a write-block switch for Alvis and will be keeping an eye on it as well as its contents.  I will also be removing all the U3 preloaded stuff, doing some more of Hogfly’s tips as well as adding a TrueCrypt container and showing her how to use everything. I might even round it out with one of the PortableApps Suites along with some extra apps as well.

Alvis even liked the carabiner clip it came with.  It passed the cool factor.

What a dad.

Software and Tip Roundup

Get along little doggies!

  • FileAlyzer shows you detailed info for any Windows file - Download Squad.  Been using this tool for years.  Easy to use and free.  Great starting point for looking into file specifics when mashing malware. FileAlyzer is developed by the makers of Spybot Search and Destroy malware scanner.  A new 2.0.0.10 version now supports multiple file handling.  By that I mean you can open more than one file and cascade/tile them in the main window (a la Windows Office files) for rapid comparison work.  It performed fast and great in my testing of the newest beta version.

  • PowerShell - Finding New User Accounts – SynJunkie blog. Script to locate all accounts created between two specified dates.

  • Patching offline virtual machines – Security4all. I think I remember forgetting I could do this. Now I am sure to do it.

  • Update: Restoring Safe Mode with a .REG file, and a Live CD - Didier Stevens shows us how to restore Safe Mode’s “SafeBoot” keys to the Registry via a LiveCD when they have been removed by malware attack. Got to add these to my own custom PE 2.0 build disk.

  • Privacy Alert - ISPs putting ad service boxes in the clickstream is bad - Scott Wright’s Security Views. At the risk of veering completely off target, indications are that a new partnership between Phorm and ISP’s could mean a major change in the way ads and your data is parsed through your ISP.  Tinfoil-hat stuff or true security risk?  Minority Report ad-service coming true?

  • Building a Security Tool Chest – InfoSec blog. Stumbled on this series of posts.  The first list is pretty short. The rest build in number of tools and usefulness. They might be a good starting point.  I like scanning these lists to see if I might come across a new tool or two. Your mileage here may vary.

Keep it safe!

--Claus V.

5 comments:

Anonymous said...

Hey Claus,

Yet another great post full of valuable information. Here's my attempt to repay.

For item four of your USB drive segment - specifically "automatic detection and scanning/access settings for removable (USB) devices"- have another look at Didier Stevens' site for USBVirusScan which can start an AV scan when USB devices are inserted.

Cheers,
Steve

Anonymous said...

Thanks for the link to the Security Views article on ISPs using Phorm and other Deep Packet Inspection technologies.

I also encourage people to check out the Honey Stick Project site at http://www.honeystickproject.com where I have an experiment running to see how many people put their computers and networks at risk for viruses, keylogging and becoming slaves to spammers. What percentage of people do you think have inserted a device they found into their computer?

- Scott

Claus said...

@ Steve - Awesome tip on #4 issue. I've updated the post to link-back to Didier's post on USBVirusScan.

I also enjoyed reading through the comment section there and found a hop-link over to Dan McCloy's Autorun Reference Guide and his AutoRunGuard freeware app that works in tandem with Didier's tool.

I'm thinking either/both of these tools would be awesome fits with something from my Portable Anti-Virus/Malware Security Tools: A Primer post of CLI-based av/am scanners.

Looks like I may need to do a follow up post soon!

-Cheers!

Claus said...

@ Scott - You're welcome. Good stuff there. I remember a pen-test some time ago where a bunch of USB drives were dropped around various credit-union/banks which had been pre-seeded with pen-testing "malware". As I recall a number of them got plugged up to company workstations.

Every time a "lost" USB device is found at work and brought to us, I only audit it from a LiveCD (Linux based Helix preferred) booted system that has had the Ethernet connection pulled first. As our production drives are all whole-disk encrypted, there's 99.9% chance against any local write-back while reviewing the contents.

Cheers and thanks for stopping in and leaving a comment!

--Claus V.

Izzy said...

Leave it to you to post about something I've been looking for this weekend...

The PortableApps suite got me to re-enable autoplay/autorun on my computer, which lead me to look for some kind of compromise between security and convenience. And here I find a program that can automatically start an antivirus scanner when it detects a USB drive!

Thanks Steve!