Steve on Security

First linkedIn Nigeria scam spam?

stevegoldsby — Thu, 12 Jan 2012 18:31:23 +0000

Looks like the Nigerian banker scam is ramping back up on LinkedIn.

Script to delete empty folders in outlook

stevegoldsby — Tue, 20 Sep 2011 16:01:22 +0000

Ever had your PST file folders grow uncontrollably due to autoarchive? Try this powershell script. Genius. http://www.xipher.dk/WordPress/?p=255

Apple batteries are brickable by hackers

stevegoldsby — Sat, 23 Jul 2011 01:56:51 +0000

https://threatpost.com/en_us/blogs/apple-laptop-batteries-can-be-bricked-firmware-hacked-072211

Speaking at INetU ITX Data Security Summit 13 July

stevegoldsby — Tue, 12 Jul 2011 22:31:08 +0000

http://www.itexpertseries.com/ come visit. Great panel.

Visualization: Greatest data losses of all times.

stevegoldsby — Wed, 06 Jul 2011 13:51:44 +0000

Those who know me know I love the visualization of complex data. Check out Nathan Yau’s gerat work (and upcoming book Visualize This
The FlowingData Guide to Design, Visualization, and Statistics) at http://flowingdata.com/2011/06/13/largest-data-breaches-of-all-time/

A futures market for information security

stevegoldsby — Tue, 05 Jul 2011 19:14:23 +0000

http://www.technologyreview.com/computing/37967/?p1=A3&a=f

“10 Days of Rain” Korean attack analysis

stevegoldsby — Tue, 05 Jul 2011 18:48:24 +0000

Things they are a changin’. Looks like a resiliency test for some APT code modules that might be used in the future. Replace DDoS code with other malware and you have resistent code base that you can use in future attacks. http://blogs.mcafee.com/wp-content/uploads/2011/07/McAfee-Labs-10-Days-of-Rain-July-2011.pdf

Accountkiller – kill accounts on any site

stevegoldsby — Fri, 17 Jun 2011 16:38:47 +0000

http://www.accountkiller.com/en/

Finally a resource to help navigate sites that make it hard to kill your account.

Innovative and cost efficient way to stop ATM skimming

stevegoldsby — Fri, 17 Jun 2011 15:55:49 +0000

Saw this card reader on a Wells Fargo ATM at the Atlanta airport. Easy and cost-efficient way to stop the installation of skimmers. The odd shaped card reader interface prevents overlay of a skimmer. Kudos for keeping it simple.

WF Interface

New automated multi-stage Facebook email harvester / malware dropper

stevegoldsby — Wed, 08 Jun 2011 14:16:31 +0000

Got this one today. Interesting bot. Solicits your email address with a bot, then automagically sends a payload to that email address. Just complex enough for noobs to think it may be legit.

Facebook Bot

Elegant rootkit Banker

stevegoldsby — Sat, 21 May 2011 14:45:56 +0000

I like this one. Quick and dirty ways to turn off UAC, register face signed certs and install unsigned drivers. Sexy.

http://www.securelist.com/en/blog/11266/Rootkit_Banker_now_also_to_64_bit

Microsoft Buying Skype – to kill it!

stevegoldsby — Wed, 11 May 2011 00:41:17 +0000

Been on a news hiatus for 8 weeks, but passed a TV with this story playing. No way to make enough money to justify $8.5bn purchase price. Strategy: buy it, charge per user while building demand for unified communications, kill it and take over with LCS.

Google voice = Free voiceprint recognition for NSA

stevegoldsby — Mon, 14 Mar 2011 02:40:47 +0000

Brilliant. What if Google and NSA shared information? Google’s single signon, coupled with the ability to fingerprint emails, blog and other posts, an intel agency has the ability to connect all of those data-points (and signatures) temporally. 1984

stevegoldsby — Mon, 07 Mar 2011 22:49:45 +0000

I *strongly* recommend this book for entrepreneurs, business people and those with P&L responsibility. Rework

Defcon 2011 – “Crack me if you can” Password lists

stevegoldsby — Wed, 16 Feb 2011 13:10:51 +0000

What: A password cracking contest sponsored by KoreLogic.
Where: DEFCON 2011 at the Rio Casino in Las Vegas.
When: Contest takes place during DEFCON and will last 48 hours.
Who: Teams with at least one team member attending the conference.
Why: To help push the envelope of password cracking techniques / methodologies and win a prize while you are at it. Prizes will be awarded for first, second, and third place

http://contest.korelogic.com/wordlists.html

Microsoft (doesn’t really) fix Autorun vulnerability

stevegoldsby — Thu, 10 Feb 2011 14:20:45 +0000

Breaks my heart. M$oft finally used windows update to disable autorun. Still works for shiny media like CDs and DVDs (and U3 drives One of my favorite attack vectors. Do this instead:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf]

set key to @=”@SYS:DoesNotExist”

Forcing Win7 Search to index UNC shares

stevegoldsby — Thu, 30 Dec 2010 17:31:56 +0000

**UPDATE**: M$oft appears to have “fixed” this in a recent update. Search no longer honors this method.

Nice trick over at Windows Seven Forums that allows you to circumvent Win7 Search’s restriction on searching network shares. (A marketing feature to force you to buy Windows Server). Uses Windows Symbolic Links…didn’t unix have those like 35 years ago?

To add a non-indexed UNC as a library to Windows 7 Beta:

1. Create a folder on your hard drive for shares. i.e. c:\share

2. Create another folder in the above share. i.e. c:\share\music
2. Link the Library to this folder.
3. Delete the folder.
4. Use the mklink in an elevated command prompt to make a symbolic link. Name the link the same as the folder you created above.
i.e - mklink /d c:\share\music \\server\music
5. Done. Now you have non-indexed UNC path as a library.

Backtrack4 and NMAP Scripts

stevegoldsby — Sat, 25 Dec 2010 14:25:23 +0000

Backtrack4-r2 comes with pre-compiled nmap, but the scripts in /usr/share/nmap/scripts have not been compiled into the nmap script database at /usr/share/nmap/scripts/script.db, meaning you can’t execute the little buggers from the CLI. Fix this by executing
nmap –script-updatedb

Importing VHD files into VirtualBox (windows7)

stevegoldsby — Thu, 23 Dec 2010 23:25:07 +0000

Painful little process to uncover.

Not terribly fast, but functional. Requires Qemu. Install the QEMU manager which gives you GUI goodness should you want it and a clean install.

These instructions are tailored towards using Windows for the file conversion with qemu. If you’re using Linux you’re probably smart enough to adapt these instructions to your system.

Open a command prompt: Start > Run and type “cmd”
Use “cd” to go to the directory you download and extracted Qemu.
Run: qemu-img.exe convert -f vpc "[vhd file]” -O raw [outfile].bin
Wait…(will take a while)
Convert and compress the “.bin” file.
1. VBoxManage convertdd [outfile.bin] [vdifile].vdi
2. VBoxManage modifyvdi XPIE7.vdi compact
Open VirtualBox
Click New
Go through the wizard
1. Use the new “.vdi” file as the “Boot Hard Disk”.
2. Finish wizard and start it!
3. You may have to turn on ACPI feature if the image was built on VMWare. It’s slower, but will prevent the windows BSOD

Win7 Library Tool

stevegoldsby — Thu, 23 Dec 2010 21:15:37 +0000

Useful pointy-click/draggy-droppy tool for updating libraries to include network shares and NAS devices without using creepy slutil.exe

Successfully relocated my 13k iTunes files…

stevegoldsby — Sun, 19 Dec 2010 03:07:33 +0000

I hate itunes, but it saves me time prepping for swim/bike/run and podcast management. see http://www.ilounge.com/index.php/articles/comments/moving-your-itunes-library-to-a-new-hard-drive/

I now have all my music on the 7TB NAS and my itunes library XML up there as well.

Did I mention I hate itunes?

SSD on Steroids – RevoDrive

stevegoldsby — Fri, 17 Dec 2010 22:22:14 +0000

I finally upgraded my rig at the house. No sense in building a custom box for the incremental performance gains I thought, so I bought an HP Z400 with 12G of RAM, Xeon w/8 cores, a trio of 15k SAS drives in a goofy RAID 1E array. I’ve always been I/O bound because of the workloads I run (fully indexed filesystem, several years at tens-of-gigs of email, multiple VMs, lots of data & database analysis, rainbow table searches, etc.) so I thought I’d try out the RevoDrive 240G.

This thing is spec’d to deliver >500MB read/write performance and has a great cost per GB of about $2.04 when I bought it a couple of weeks ago. I got this beast installed after a little grinding on the mounts to get it in the chassis, overcame some BIOS memory issues and fired it up. Windows 7 installed in about 8 minutes, and office 2010 installed in about 3. This thing is wicked fast, and at this price point it’s worth every penny. Highly recommended. And OCZ just released the RevoDrive X2 – double the size (up to 960GB), double the performance (up to 740MB/s write) and marginally more expensive.

Here’s the CrystalMark scores on this drive in my rig:

Performance of the RevoDrive

Just for comparison, I did a CystalMark test on my RAID1E array setup on some 15K SAS drives installed in the rig. Not even close.

Performance of the SAS 15K RAID volume

Stuxnet Dossier

stevegoldsby — Tue, 14 Dec 2010 14:10:30 +0000

If you’ve been tracking stuxnet but haven’t taken the time to really dig into the elegance of this piece of malware, the Symantec Dossier is well done and worth a read. Of particular interest is how the code hooks AV/HIPS products to get trusted access to the system.

Using Metasploit to silently uninstall Symantec Endpoint Proteciton

stevegoldsby — Thu, 09 Dec 2010 19:36:24 +0000

Mubix has a great video on how to remove SEP silently using metasploit. Check it

Rasterbator – make wall-sized posters without losing resolution

stevegoldsby — Thu, 09 Dec 2010 19:14:21 +0000

No real security use but wicked fun. http://homokaasu.org/rasterbator/ <- if link is dead, try http://download.freewarefiles.com/files/Rasterbator_Standalone_1.21.zip

Thread stacks for debugging & troubleshooting

stevegoldsby — Tue, 07 Dec 2010 20:48:53 +0000

I’m a big fan of Mark Russinovich’s content – very dense and very useful. In “The case of the slow project file opens” he does a quick deep dive on debugging a performance problem while poking Symantec AV squarely in the eye.

Connection strings to connect perl to MS* databases

stevegoldsby — Wed, 01 Dec 2010 20:22:58 +0000

This site has saved me on more than one occasion when trying to use perl code to mangle text files (e.g. dumps) into a MS* database http://www.connectionstrings.com/

Comprehensive Password Lists for Brute Forcing

stevegoldsby — Wed, 01 Dec 2010 19:00:04 +0000

Here’s a few repositories for password lists I like to use

ExploitHub: A marketplace for validated, non-zero-day exploits

stevegoldsby — Mon, 08 Nov 2010 15:40:53 +0000

http://www.exploithub.com/

toolsmith: Confessor & Mole for IR & security analysis

stevegoldsby — Wed, 03 Nov 2010 12:55:16 +0000

from - http://holisticinfosec.blogspot.com/2010/11/toolsmith-confessor-mole-for-ir.html from Security Bloggers Network by Russ McRee

As November 2010′s toolsmith kicks off the fifth year of the column for the ISSA Journal, I am proud to use it as an opportunity to announce the official release of Bryan Casper’s Confessor and Kris Thomas’ MOLE.
I discussed these tools at ISSA International in September and again at SecureWorld Expo Seattle, and after a slight delay to clarify licensing (they’re released under the Microsoft Public License (Ms-PL), both tools are available for you on CodePlex.
These tools were born of needing better utilities for incident response and security analysis in complex, massive cloud-like environments.
If you’d like a copy of the above-mentioned presentation, please contact me and I’ll send it to you.

As described in the article, Bryan’s Confessor answers the challenge of collecting system logs and attributes on hundreds or even thousands of systems at the same time, utilizing the same tools as MIR-ROR, but deploying them in an enterprise capable manner.
Note: Since the article’s release Confessor has been updated to pass domain credentials via the UI and process host names as well as IP addresses.

Kris’ MOLE was spawned improve on a method I’d been utilizing to cull malware from malicious URLs sent across Windows Live Messenger. Where I’d been using a specific wget string at the command-line Kris built MOLE (Malicious Online Link Engine) as a wrapper for wget that includes many additionally useful features.

We find these tools incredibly useful and are very pleased to be able to release them for public consumption as freely available and open source.

The article is here, Confessor is here, and MOLE is here.

PinDr0p – analyze phone call audio to determine source & routing

stevegoldsby — Mon, 18 Oct 2010 15:39:15 +0000

Sexy….

GEORGIA TECH RESEARCHERS DESIGN SYSTEM TO TRACE CALL PATHS ACROSS MULTIPLE NETWORKS

The tool is called PinDr0p, and works by analysing the various characteristic noise artifacts left in audio by the different types of voice network – cellular, VoIP etc. For instance, packet loss leaves tiny gaps in audio signals, too brief for the human ear to detect, but quite perceptible to the PinDr0p algorithms. Vishers and others wishing to avoid giving away the origin of a call will often route a call through multiple different network types.

Remove objects from streaming video in realtime!

stevegoldsby — Thu, 14 Oct 2010 04:16:06 +0000

Wicked cool. This software removes objects from streaming video in realtime. Some interesting applications. One I can think of is a nice little thief toolkit that removes the thief from the security camera feeds. Just like something from a sci-fi movie. The link has a video demonstrating the process.
http://www.popsci.com/technology/article/2010-10/video-voodoo-software-removes-objects-live-video

Canon’s printer/photocopier blocks jobs based on keywords

stevegoldsby — Thu, 14 Oct 2010 04:02:06 +0000

http://www.boingboing.net/2010/10/12/canons-printerphotoc.html

Or, of course, you could set it up as part of industrial espionage so that when it detects a keyword, it e-mails the PDF out of the company.” That’s the stuff, right there — forgotten feature in your Canon printer is activated by a rogue employee!

Nonce Generators and the Nonce Reset Problem

stevegoldsby — Wed, 13 Oct 2010 12:49:30 +0000

Great paper on the cryptographic weaknesses resulting from bad nonce generation. Thanks to my friend Tinkle for pointing this one out.

Abstract. A nonce is a cryptographic input value which must neverrepeat within a given context. Nonces are important for the security ofmany cryptographic building blocks, such as stream ciphers, block ciphermodes of operation, and message authentication codes. Nonetheless, thecorrect generation of nonces is rarely discussed in the cryptographic lit-erature.In this paper, we collect a number of nonce generators and describe theircryptographic properties. In particular, we derive upper bounds on thenonce collision probabilities of nonces that involve a random component,and lower bounds on the resulting nonce lengths.We also discuss an important practical vulnerability of nonce-based sys-tems, namely the nonce reset problem. While ensuring that nonces neverrepeat is trivial in theory, practical systems can suer from accidentalor even malicious resets which can wipe out the nonce generators cur-rent state. After describing this problem, we compare the resistance ofthe nonce generators described to nonce resets by again giving formalbounds on collision probabilities and nonce lengths.The main purpose of this paper is to provide a help for system designerswho have to choose a suitable nonce generator for their application. Thus,we conclude by giving recommendations indicating the most suitablenonce generators for certain applications.

Metasploit training content (Irongeek)

stevegoldsby — Tue, 14 Sep 2010 21:21:51 +0000

http://www.archive.org/details/LouisvilleMetasploitClass

Password Patterns

stevegoldsby — Tue, 14 Sep 2010 12:43:03 +0000

Some interesting information to make more efficient bruteforcing attacks - http://www.architectingsecurity.com/2010/09/11/password-patterns/

Microsoft hardening tool with graphical user interface

stevegoldsby — Fri, 03 Sep 2010 19:25:07 +0000

HAKIN9 e-magazine

stevegoldsby — Thu, 02 Sep 2010 13:13:05 +0000

gBridge – poke holes through those firewalls

stevegoldsby — Thu, 26 Aug 2010 13:13:59 +0000

Rating: Functionality-7/10 Ease of use: 8/10 Usability: 9/10

This week I’ve been testing Gbridge. Gbridge is a (currently free) extension to Google’s Gtalk network service for Windows 2000/XP/Vista/7. Installed as an agent, it will automatically create a VPN tunnel between other computers running Gbridge and logged in under the same gTalk account. You can also extend the VPN to Gtalk friends by invitation. Gbridge also has some nifty features such as folder synchronization, remote desktop share (VNC), automatic backup, live browsing, chat, and tunneling of RDP and other TCP/UDP protocols. Gbridge also integrates with Google Apps accounts, making it easy to create VPN within organizations that utilize Google Apps.

APPLICATION SUPPORT: I tested several applications over Gbridge such as RDP, NetBIOS shares, FTP and even a little NMAPpery — everything worked like a champ. Gbridge has built in firewall functionality, allowing you to allow/block traffic to and from other Gbridge clients logged in under your gTalk account as well as specific firewall rules for connections to other gTalk friends’ computers.

THROUGHPUT: Gbridge will, like many p2p platforms, try to establish direct connections between Gbridge clients, even if behind a NAT device using some UDP NAT traversal tricks. If for some reason it cannot traverse the NAT device(s), it will use Gbridge servers as a proxy, or you can manually setup port forwarding. In my testing between my house (7Mb DSL) and the office (10MB fiber) I got a respectable 2.5Mb throughput using CIFS copy and about the same using the built in SecureShare HTTP copy. Not bad for NAT traversal.

SECURE SHARES: Want to share a folder or group of folders out to your gTalk friends? Not a problem. The Gbridge pointy-clicky interface allows you to share a folder with other PCs logged in under your gTalk account; individuals friends accounts; and apply file filtering rules and additional password protection. Very nifty for a quick file transfer or leeching.

AUTOSYNC and BACKUPS: Quickly becoming one of my favorite functions. Setup a SecureShare on one or more of your GBridged computers, and you can “AutoSync” it at will. Great for syncing work/home files or pwning a headless server. Not as elegant as ncat, but workable and everyone allows access to google servers these days. Backups work much the same way — a one-way sync of a SecureShare. Fast and easy DR/COOP.

CAVEATS: if you have a host firewall or Host-based intrusion prevention service like eEye Blink, be sure you pre-configure rules to allow gBridge to do its thing. When I was testing the utility, I forgot to disable the firewall service before I left for work and as a result when I tried to connect from the office, the connection failed because Blink was popping up dialogs on my home PC asking if it should allow the inbound connection.

Software Security space exceeds $500MM

stevegoldsby — Mon, 16 Aug 2010 20:54:25 +0000

The software security space exceeded the $500 million mark in 2009. Software security expert Gary McGraw examines the tools providers and services firms to find out how quickly the market is growing, and which parts of the market are driving growth.

http://www.cigital.com/justiceleague/2010/08/16/software-security-crosses-the-threshold-in-2009/

VentureBeat – a hidden gem of developments in IT

stevegoldsby — Sun, 15 Aug 2010 03:23:58 +0000

Not sure why I never stepped on this before: This is a well managed aggregrated news site + original content http://venturebeat.com/

Metasploit To Get More Powerful Web Attack Features

stevegoldsby — Wed, 04 Aug 2010 02:18:15 +0000

The open-source Metasploit penetration-testing tool currently has exploits for a handful of Web application bugs, as well as a few for generic Web flaws that affect multiple applications, says HD Moore, chief architect of Metasploit and chief security officer at Rapid7. But the goal is to expand Metasploit with more integrated Web flaw detection and attack features. I heart metasploit. Pop on over to the article here

Weaknet linux penetration testing distro

stevegoldsby — Wed, 04 Aug 2010 02:16:38 +0000

WeakNet Linux is designed primarily for penetration testing, forensic analysis and other security tasks. WeakNet Linux IV was built from Ubuntu 9.10 which is a Debian based distro. All references to Ubuntu have been removed as the author completely re-compiled the kernel, removed all Ubuntu specific software which would cause the ISO to bloat, and used a non-Ubuntu-traditional Window Manager, with no DM. To start X11 (Fluxbox) simply type “startx” at the command line as root.

Spoof a cell tower for $1500. Monitor calls.

stevegoldsby — Wed, 04 Aug 2010 01:54:26 +0000

Well, 2G ATT and TMobile anyway. Over at Wired

~40,000 vulnerabilities in SCADA systems

stevegoldsby — Wed, 04 Aug 2010 01:51:43 +0000

Hey, it’s not like you could bring down the grid or anything. #root #fail Pop over to SC Magazine

Microsoft ICE – photo stitcher

stevegoldsby — Tue, 03 Aug 2010 03:02:10 +0000

One of my new favorite toys. One use: pop a client site, take a round of photo’s, show a panorama of pwnage http://research.microsoft.com/en-us/downloads/730cd6bb-6450-4e66-8101-a94e71cb0779/default.aspx

Gbridge – remote desktop share, filesync, etc. over Google Talk

stevegoldsby — Sun, 01 Aug 2010 17:11:10 +0000

I like free. http://www.gbridge.com/

Gbridge is a free software that lets you remotely control PCs, sync folders, share files, and chat securely and easily. An extension of Google’s gtalk service, Gbridge automatically forms a collaborative, encrypted VPN (Virtual Private Network) that connects your computers and your friends’ computers directly and securely with patented technology. Gbridge has many unique features.

DesktopShare(VNC): Access your computer desktop remotely or share your desktop with your friend from anywhere in the world. Gbridge automatically traverses firewalls and NATting routers without the need for configuration!

SecureShare: Securely share files among your own computers, so you can remotely access your files, e.g. play mp3 , with ultimate privacy. Securely share files to your designated friend, so the selected friend can instantly view the auto-generated photo thumbnails and slideshow remotely. No web upload/download needed!

AutoSync: Transfer large files and synchronizing folders to and from anywhere has never been easier. AutoSync supports auto-schedule, auto-resume, incremental transfers and no size restrictions!

EasyBackup: Setup an auto-recurring backup of your important folder to a local or remote PC is as easy as 1-2-3!

Droid Rooting

stevegoldsby — Sat, 31 Jul 2010 16:02:10 +0000

**Remember, these roots simply give you system file access and the ability to tweak a few other things — NOT install/flash custom roms, kernels, etc.

Droid X (Birdman method) - http://alldroid.org/Default.aspx?tabid=62&g=posts&m=6151&#post6151
Droid X (1-click) http://alldroid.org/Default.aspx?tabid=40&g=posts&t=553 and download DroidXRoot.zip

The 2010 Verizon Data Breach Report is Out

stevegoldsby — Thu, 29 Jul 2010 11:51:53 +0000

YMMV. Includes info from the Secret Service and some of their cases. Not much changed from previous years.

Who is behind Data Breaches?

70% resulted from external agents
48% caused by insiders
11% implicated business partners
27% involved multiple parties

How do breaches occur?

48% involved privilege misuse
40% resulted from hacking
38% utilized malware
28% involved social tactics
15% comprised physical attacks

What commonalities exist?

98% of all data breached came from servers
85% of attacks were not considered highly difficult
61% were discovered by a third party
86% of victims had evidence of the breach in their log files
96% of breaches were avoidable through simple or intermediate controls
79% of victims subject to PCI DSS had not achieved compliance

Jump over to Verizon for the report: http://www.verizonbusiness.com/resources/reports/rp_2010-data-breach-report_en_xg.pdf

Plainsight: Open Source Computer Forensics

stevegoldsby — Tue, 27 Jul 2010 02:59:42 +0000

http://www.plainsight.info/