frameloss

Helix forensics is no longer free!

It is always a danger with open-source security tools that are maintained by companies that they will move to a commercial license.  Some have gone the crippled version route (ie OSSIM,) some the exclusive non-free route (Nessus, which honestly wasn’t really commercial quality software anyway–true it was useful, but not polished) and now Helix no longer has a free version available.  And a few, like Snort and Metasploit have stayed true to their roots offering both enhanced and standard free versions.

The pricing isn’t overbearing in comparison to other forensics tools, but those tools are not a collection of open-source software.  All links to the free version have been removed from the website, but you can still find the last free release on SoftPedia.

I haven’t looked at the new version yet–which I assume in all fairness to e-fense has significant new functionality and better integration (I would hope!) And once I have a look I will post back on what is up and hopefully be able to give more useful information, and a better review.  (I have at one point or another used many of the other forensics tools on the market.)  I am not too hopeful though–I have always looked at Helix as a convenient collection of open-source tools freely available elsewhere; even on other bootable Linux distros, and not as a primary tool for doing forensic analysis.

Google Voice + Sipgate + PIAF + Orgasmatron == Free home phone service.

Instructions are at nerdvittles . . .

Ya, it’s been spammed all over the web by now–I know.  But, I actually set it up and have tested it.  The only downsides I have noticed is that call-setup takes more than 15 seconds, I can’t set my outbound caller-id to my “real” number OR use LNP to move my real number over, and there is roughly 500ms of delay (though you probably already have worse on your crappy cellular service and never noticed.)

Of course these are all initial impressions.  In a few weeks I will post back on how I really feel, after the new-geek-toy-smell has worn off.

Defcon is a go!

I will be at defcon again this year.  Be sure to stop by the hackers-for-charity booth in the vendors area!  I will be there tomorrow (Thursday) at 2pm signing autographs and giving out my social security number (no not really, just manning the booth actually.)  I should be pretty easy to spot–I am the white guy wearing a black t-shirt (HA!)  I am donating a few items for the silent auction–an old G4 powerbook, an EDACS capable trunking scanner, and an old PS2-based hardware keylogger, so if you want any of my old crap be sure to drop in and bid on it!  I also decided on Sumatran (espresso roasted,) and Peruvian (medium roast) coffees for Coffeewars X–so if you are a judge just let me know where to wire the money so I can be immortalized in coffedom fame eternally.

Nmap 5.0 released

Nmap 5.0 is out.  Fortunately, after a very preliminary and unscientific test, it appears that the XML output is still compatible with MyNmap.

Apple STILL doesn’t have an APA template for Pages?

I am back in school, and that means research papers, hooray.  I am being smarter about it all these days though–templates and citation management software are definitely the way to go!

It would sure be nice if Apple would include templates for the major paper formats with their word processor.  And all the ones I could find that others had posted were either not really templates, or got the formatting wrong.

So I created one based off of their research paper template that references the latest rules at Perdue.  I couldn’t have done it so quickly if it weren’t for this great tutorial over at the Mac Law Students website, thanks for the handy write-up.

So, if you came here looking for a free APA template for Pages, try this one out and let me know if it works for you: APA template for Pages 09′.

Updated July 17, 2009: Fixed a few annoyances in the template (page titles were not repeating and hyphenation was set for document.)

Electronic Warfare in Iran

A very common military tactic is to damage the communication ability of an enemy before the bullets and bombs start to fly.  Here in the US we couldn’t imagine the government blocking all SSL encrypted traffic on the Internet, or disabling the ability to send SMS on our phones.  In Iran it is a reality.  But it goes much further than that.  Roving groups of militia the “Basij” are raiding dorm rooms and college computer labs to physically destroy computers.  People are being tracked down and detained for using Twitter.  Today the Khameini warned citizens that he is watching their twitter accounts, and they will be held accountable.  The government is even using ECM jamming to prevent reception of foreign television.  The people in power in Iran obviously see the free flow of information as a serious threat to their being able to continue to hold power, why else use military grade tactics on your population?  I fear the worst is yet to come in Iran.

Chilling.

But despite fearing for their lives, people in Iran haven’t stopped sending pictures and video of what is happening in the country.  Video of protesters being shot, students beaten, and smashed computers haunts the Iranian regime.  How is it happening?

One way is the use of “Open” protocols.  Why is it that Twitter, which previously had been most famous for allowing a person to program an arduino processor to automatically post when he used the restroom, become such a great tool of dissent in a place like Iran?  The same thing allowing the preposterous use of the bathroom technology is what makes Twitter hard to stop.  Twitter publishes their API (application programming interface) which allows third parties to plug in directly to their website.  Nothing ground breaking really, but there are so many ways to post, and read tweets that it is difficult to stop.

The next is more intentional and potentially dangerous for the Iranians who use the technology–if they are caught they are certainly in peril, perhaps grave based on the news reports seen to date.  There are groups of people all over the world working to create networks of proxies, onion routing and other tunnels that allow people in Iran to get past the government’s efforts to block communication.  The effort is being coordinated via email, IRC, web forums, and just about any technology you can imagine.  There have been reports of harassment of some people in the USA helping with this effort, but this is unsubstantiated, though certainly plausible.

One problem with this approach is that it is difficult to gauge how effective it works.  And because of the mutually anonymous nature of the endeavor, it would be quite easy for Iranian government agents to infiltrate the network and actually turn the information against the people using it.  If they have a list of the proxies being used, then all they need to do is watch for connections to those proxies, and you know who is bypassing their censorship.  I hope for the sake of the dissidents in Iran, that the people coordinating these and similar efforts implement containment procedures, so that it would be difficult to compromise the entire list of proxies by any one person.  The only comfort is that there are many groups in many countries speaking many languages working on this in an collaborative, yet uncoordinated method–the chaos is perhaps the most valuable aspect.

Which of course leads to the next question, how long before Iran just shuts off their Internet connection?

Making MyNmap more useful: importing scans

Originally MyNmap wasn’t intended to act as a tool to automate scans.  The real goal was to get the grid display with highlighting of what is new.  Looking at tons of Nmap scans makes my head spin, and digesting that information to determine what is new is best left to a computer.

Because of this, you don’t necessarily need to use the scheduling interface to get your nmap scans into MyNmap, furthermore if you have two scans and want to compare differences between the two–you can load them in succession and be able to analyze the differences.

It is quite easy, when you run your scans use the “nmap -oX” flag.  Then copy the XML file into the “/usr/local/mynmap/scans” directory with the file extension “new.xml“.  If you don’t have the “new.xml” at the end of the filename MyNmap will ignore the file (this is to stop it from trying to process files that haven’t been completely written while a scan is in process, sure I could have used another directory for that, but I didn’t.)

I use this at work so that I can visualize scan data from external networks, using cron, a shell script, and SSH allows me to use an external machine to keep an ongoing view of what is in our public accessible network space.

I also use a script that allows me to alert on when new things appear in the DMZ based upon scan results–I will post how that works here soon.

Windows 7 64bit == fail.

Microsoft recently release the release candidate for Windows 7. Unfortunately, they forgot to add standard CDROM drivers (and wonder why people complain about their software.) After booting, it states that it can’t find the CDROM driver (on Vista it uses cdrom.sys, so it isn’t like I am using some sneaky unsupported DVD drive.) Very classy, I am quite impressed! So far I have run half a dozen operating systems on this laptop, and Windows was the first to not be able to use the DVD drive–after booting from it. I was expecting video driver problems, or maybe wireless driver problems, but something as basic as not being able to read the media it just booted off of is impressive!

MyNmap on ESX?

I have received a few requests for an ESX version of the MyNmap virtual appliance.  It turns out that getting it running on ESX is actually pretty simple.  Instead of being redundant, there are great instructions over at Tony Vegue’s website.  Thanks Tony!

2600 Article: Don’t steal music (or how to catch an iPod thief using forensics)

I said I would post this once it was published, and a few days ago I picked up the latest copy.  This article is a bit longer than what 2600 put out, because they were space limited (yes, I tend to be verbose.) So here it is.

Music is important, especially in a noisy office.  There is a girl that sits a few feet away in a cubicle, and she talks to herself all day.  As if it wasn’t bad enough to be stuffed into a cubicle but the constant chatter is maddening.  Honestly there are days that if I didn’t have my headphones on I could quite possibly lose it.  Because of this I am usually very careful to protect my iPod like it is made of gold–and if you look at the RIAA’s assessment (cost estimate of imaginary property? Huh?) of the value of the songs on it, it is worth more than gold!  But that is a different article.

It is a good place to work, they pay people well, and treat employees better than most.  I wasn’t too concerned when on my way home after work when I had realized that I left my iPod plugged into my Apple at work.  Of course, you being an astute reader, already know what happened.  The next morning arriving at work sleepy and slow, I was half way through the first cup of coffee before realizing that my music player was gone!  (Cue dramatic music.)  Of course I am always misplacing things, so I spent the next half hour tearing my cube apart looking for my iPod.  Nothing.  Crap.  Now I am angry.

I work in IT security, so my first reaction is to start putting together a incident timeline.  When did I leave the office, who was still there working as I was leaving.  It didn’t make sense, there was only a couple of folks left when I went home, and I KNOW that they wouldn’t steal from me.  So, maybe it was just a prank–there are a few folks that might find it funny to alarm me (and probably owe me for messing with them in the past.)  Without tact I ask them if they know anything about my iPod and let them know that if it was a prank that it was cool, but I would like my iPod back.  No luck; I believe them when they say they didn’t take it, but would add it to their list of ways to annoy me later.  Everyone I talk to accuses the cleaning crew.  I hate this response, I find it offensive for several reasons.  First, it is racist, even if not overtly.  Most of the cleaning crew are hard-working mexican immigrants that can not risk losing their job, but I know what these guys are thinking as they make the accusation.  Second, it is just too convenient, it is a typical kneejerk reaction–just like blaming every network problem on an IDS or firewall.  People are too quick to place blame and that I find repugnant, especially if they are in a place of power.

Then it strikes me, I have a critical peice of information sitting in my lap and it just might get my iPod back in my hands.  It was plugged into a Mac, not my windows box, woohoo–Unix creates log entries when a hard disk is unplugged!  Sure enough, the /var/log/system.log has a bunch of the following:

Sep 10 22:31:23 computer kernel[0]: disk2s1: media is not present.

So I call up the physical security folks and let them know that there was a theft.  But, that I know what time it happened and because it was at night it should be pretty easy to figure out who did it.  The cleaning crew comes through at 6pm (quite annoying actually) and are usually done by 8pm.  So there should have been no-one in the office around the time my iPod grew legs, if anyone was there: they would look awfully suspicious.  They say they will get back to me, but since I know their manager I give her a call–to ensure that key card access logs get reviewed and that the security camera recordings are preserved.  About half an hour later I get a call saying they know who did it and will handle them later that day when they are scheduled to work.  Sweet.

The next morning the manager of the physical security group stops by and returns my iPod unharmed.  And she explains that it was a member of the cleaning crew that had come back after his shift to steal electronics.  I still feel justified in not having the standard knee-jerk reaction and would give them the benefit of the doubt in the future too!  He was given the opportunity to return the stolen property or we would press charges.  He immediately returned the iPod during the interview.  Of course the guy lost his job.  The moral of the story is that stealing music is wrong ;-)

This wasn’t the first time an iPod had been stolen at the office, and it wasn’t the last either–the things are like little stacks of cash laying around, and to someone desperate for money the temptation is just too much.  Because of that I decided to do a bit more research and look at what it would take to get the same results but from a Windows box.  Unix users have it easy–significant happenings with block devices, such as a hard drive, at the kernel level are logged by default.  For most Unix-like systems you can find these in /var/log/dmesg (or by running the dmesg command.)  But, alas Windows is the dominant OS out there and is likely to remain that way for a while.  The logging on Windows isn’t that great.  Sure it is configurable, but it somehow never seems to have the settings in place beforehand that make this type of work easy.  I found a way to get the same results on Windows XP, under the right circumstances.  Here is what I found under XP Pro SP2, it still seems to work on SP3, but does not work on Vista–sorry, as soon as the iPod is synced the disk is disconnected and you can only get a timestamp of when it was synced, not removed.

A list of forensic evidence retained pertaining to disk removal events in XP Pro, (or catching an iPod thief.)

User was logged in, and the iPod was removed. The system _has_not_ been shut down:

• When iPod was unplugged

• When iPod was last plugged-in

net use \\<hostname>\ipc$ /u:<administrator>

Substitute appropriate values for the <hostname>, and <administrator> account name.
Next you can perform the query:

logparser -i:reg -o:csv “select * from \\<hostname>\HKLM\SYSTEM\CurrentControlSet\ where path like ‘%iPod%’ order by lastwritetime desc” -e:1000 > outfile.csv

You should, once again, substitute an appropriate value for the <hostname> listed above. Also any line breaks should be removed when running the actual command.

Command options explained:

• “-i:reg” instructs “LogParser” to use the system registry as a source.
• “-o:csv” specifies that the output should be comma separated values. This allows for easier analysis within a spreadsheet program.
• “select * from \\<hostname>\HKLM\SYSTEM\CurrentControlSet where path like ‘%iPod%’ order by lastwritetime desc” Is the actual SQL query. It looks at all values in the registry, where the path name (not actual key values) has the text iPod. It then returns it sorted in a list with the most recent entries first.
• The HKLM is shorthand for HkeyLocalMachine.
• To see what other fields can be queried you can run “logparser -i:reg -h”
• There are three subkeys below CurrentControlSet that contain relevant information (Control, ENUM, and Services,) which is why the query is performed at such a high level within the registry.
• The string ‘%iPod%’ can be changed to represent another device, such as a USB thumb drive. You can view the “HKeyLocalMachine\SYSTEM\CurrentControlSet\Enum\USBSTOR\“ area of the registry to see what other removable USB devices (or substitute USBSTOR, with SCSISTOR for SCSI) have been connected, and experiment with the name assigned by the device manufacturer to find the evidence you need. Be sure to encapsulate whatever string you need with a single-quote and percent signs as shown in the above example, surrounding the string “iPod”.
• “-e:1000” instructs “LogParser” to quit after 1000 errors (a number intentionally higher than likely to ever happen in such a restricted query.) If “LogParser” is not given this instruction, errors will not appear in the output, and it is important to see the errors in case you are not seeing all of the necessary data.
• “> outfile.csv” specifies the file name where information will be stored.

Opening the CSV file in your choice of spreadsheat program will allow you to sort the data by access time.  Sort by descending timestamp and you should be able to see when the registry key was last written–this is when the device was unplugged.  I hope you are as lucky as I was and get your iPod back too!

Snort, Barnyard, MySQL and SSL: Very annoying.

So for years I have just Stunnel wrapped my database connections when setting up Snort sensors. (Perhaps you have noticed how most of the howto guides on setting up Snort with Base or ACID or whatever remote console puts so much emphasis on ensuring you have SSL configured for your webserver, but somehow fails to provide instructions on setting up SSL for the database connection? Ya, I noticed that too.)

Stunnel generally works, but I am kinda picky about how I do things and I like tidy configurations. Well I’ll be honest, the last time I built a remote snort sensor was during the Mysql 4.10 days–ya, its been a few years. So this week I am working on doing some cleanup and decided to upgrade to Mysql 5.1, which has some nice features, one of which is native SSL support. So after setting it up and testing it, recompiling everything linked to my old Mysql libraries I manually test and confirm that SSL works. Sweet. Now to test Barnyard . . . nope, no SSL. Bummer, how about Snort’s Mysql capabilities? Nope, that doesn’t work either. So, if you are trying this out and have succeeded drop me a note! Otherwise, well, stick to Stunnel!

Requesting Suggestions for MyNmap Enhancements

I am brainstorming on where the project should go. There are a few bugs that need fixing, the most glaring of these is a race condition where a scan doesn’t complete and the file is perpetually trying to be parsed by the back end loader. I have been toying with the idea of rewriting the PERL code so that the application is entirely written in PHP, I just feel the whole architecture of mixing programming languages is a little ugly. The scheduling interface, while functional, is very clunky. And finally there have been a lot of improvements in Nmap that the tool doesn’t take advantage of, like LUA scripts.

I am open for suggestions and feature requests right now, please comment if you have an idea!

2600 Magazine

I just got confirmation that my second article for 2600 magazine will likely be in next quarter’s issue.  Woohoo!  I will post a copy after publication.  I wonder if this cements my status as a “known associate” of 2600?

By the way, my band Hellbound Billy is playing tonight!  Come out to the 12V Tavern for some Psychobilly Punk!  More info at our website.

RMCUG Blackhat Recap

Tonight (Thursday) a group of folks that were at Blackhat together are presenting summaries of various presentations and tools that were released at the conference for the Rocky Mountain Cisco Users Group.  I am presenting on the tool that Sensepost released, called reDuh and here are my slides.

Introduction to Cross Site Scripting (XSS)

I put together a short (~2 hour) training class on Cross Site Scripting.  Here are the slides: