26 Feb 2010, 3:15pm
Security

Helix forensics is no longer free!

It is always a danger with open-source security tools that are maintained by companies that they will move to a commercial license.  Some have gone the crippled-version route (i.e. OSSIM), some the exclusive non-free route (Nessus, which honestly wasn’t really commercial-quality software anyway–true, it was useful, but not polished), and now Helix no longer has a free version available.  And a few, like Snort and Metasploit, have stayed true to their roots, offering both enhanced and standard free versions.

The pricing isn’t overbearing in comparison to other forensics tools, but those tools are not a collection of open-source software.  All links to the free version have been removed from the website, but you can still find the last free release on SoftPedia.

I haven’t looked at the new version yet–which, in all fairness to e-fense, I assume has significant new functionality and better integration (I would hope!). Once I have a look I will post back on what is up and hopefully be able to give more useful information and a better review.  (I have at one point or another used many of the other forensics tools on the market.)  I am not too hopeful though–I have always looked at Helix as a convenient collection of open-source tools freely available elsewhere, even on other bootable Linux distros, and not as a primary tool for doing forensic analysis.

30 Dec 2009, 11:13pm
Security

Google Voice + Sipgate + PIAF + Orgasmatron == Free home phone service.

Instructions are at nerdvittles . . .

Ya, it’s been spammed all over the web by now–I know.  But I actually set it up and have tested it.  The only downsides I have noticed are that call setup takes more than 15 seconds, I can’t set my outbound caller ID to my “real” number OR use LNP to move my real number over, and there is roughly 500ms of delay (though you probably already have worse on your crappy cellular service and never noticed.)

Of course these are all initial impressions.  In a few weeks I will post back on how I really feel, after the new-geek-toy-smell has worn off.

29 Jul 2009, 1:50pm
Security

Defcon is a go!

I will be at Defcon again this year.  Be sure to stop by the Hackers for Charity booth in the vendor area!  I will be there tomorrow (Thursday) at 2pm signing autographs and giving out my social security number (no, not really, just manning the booth actually.)  I should be pretty easy to spot–I am the white guy wearing a black t-shirt (HA!)  I am donating a few items for the silent auction–an old G4 PowerBook, an EDACS-capable trunking scanner, and an old PS/2-based hardware keylogger, so if you want any of my old crap be sure to drop in and bid on it!  I also decided on Sumatran (espresso roast) and Peruvian (medium roast) coffees for Coffeewars X–so if you are a judge just let me know where to wire the money so I can be immortalized in coffeedom fame eternally.

21 Jul 2009, 11:44am
Security

Nmap 5.0 released

Nmap 5.0 is out.  Fortunately, after a very preliminary and unscientific test, it appears that the XML output is still compatible with MyNmap.

19 Jun 2009, 10:59am
Security

Electronic Warfare in Iran

A very common military tactic is to damage the communication ability of an enemy before the bullets and bombs start to fly.  Here in the US we couldn’t imagine the government blocking all SSL-encrypted traffic on the Internet, or disabling the ability to send SMS on our phones.  In Iran it is a reality.  But it goes much further than that.  Roving groups of militia, the “Basij”, are raiding dorm rooms and college computer labs to physically destroy computers.  People are being tracked down and detained for using Twitter.  Today Khamenei warned citizens that he is watching their Twitter accounts, and that they will be held accountable.  The government is even using ECM jamming to prevent reception of foreign television.  The people in power in Iran obviously see the free flow of information as a serious threat to their being able to continue to hold power; why else use military-grade tactics on your own population?  I fear the worst is yet to come in Iran.

Chilling.

But despite fearing for their lives, people in Iran haven’t stopped sending pictures and video of what is happening in the country.  Video of protesters being shot, students beaten, and smashed computers haunts the Iranian regime.  How is it happening?

One way is the use of “open” protocols.  Why is it that Twitter, which previously had been most famous for allowing a person to program an Arduino to automatically post when he used the restroom, became such a great tool of dissent in a place like Iran?  The same thing that allows the preposterous bathroom technology is what makes Twitter hard to stop.  Twitter publishes its API (application programming interface), which allows third parties to plug in directly to its website.  Nothing ground-breaking really, but there are so many ways to post and read tweets that it is difficult to stop.

The next is more intentional and potentially dangerous for the Iranians who use the technology–if they are caught they are certainly in peril, perhaps grave peril, based on the news reports seen to date.  There are groups of people all over the world working to create networks of proxies, onion routing and other tunnels that allow people in Iran to get past the government’s efforts to block communication.  The effort is being coordinated via email, IRC, web forums, and just about any technology you can imagine.  There have been reports of harassment of some people in the USA helping with this effort; this is unsubstantiated, though certainly plausible.

One problem with this approach is that it is difficult to gauge how effectively it works.  And because of the mutually anonymous nature of the endeavor, it would be quite easy for Iranian government agents to infiltrate the network and actually turn the information against the people using it.  If they have a list of the proxies being used, then all they need to do is watch for connections to those proxies, and they know who is bypassing their censorship.  I hope, for the sake of the dissidents in Iran, that the people coordinating these and similar efforts implement containment procedures, so that it would be difficult for any one person to compromise the entire list of proxies.  The only comfort is that there are many groups in many countries speaking many languages working on this in a collaborative, yet uncoordinated, way–the chaos is perhaps the most valuable aspect.

Which of course leads to the next question: how long before Iran just shuts off its Internet connection?

25 May 2009, 9:17pm
Security

Windows 7 64bit == fail.

Microsoft recently released the release candidate for Windows 7. Unfortunately, they forgot to add standard CD-ROM drivers (and they wonder why people complain about their software.) After booting, it states that it can’t find the CD-ROM driver (on Vista it uses cdrom.sys, so it isn’t like I am using some sneaky unsupported DVD drive.) Very classy, I am quite impressed! So far I have run half a dozen operating systems on this laptop, and Windows was the first not to be able to use the DVD drive–after booting from it. I was expecting video driver problems, or maybe wireless driver problems, but something as basic as not being able to read the media it just booted off of is impressive!

9 May 2009, 1:14am
Security

2600 Article: Don’t steal music (or how to catch an iPod thief using forensics)

I said I would post this once it was published, and a few days ago I picked up the latest copy.  This article is a bit longer than what 2600 put out, because they were space-limited (yes, I tend to be verbose.) So here it is.

Music is important, especially in a noisy office.  There is a girl who sits a few feet away in a cubicle, and she talks to herself all day.  As if it wasn’t bad enough to be stuffed into a cubicle, the constant chatter is maddening.  Honestly, there are days that if I didn’t have my headphones on I could quite possibly lose it.  Because of this I am usually very careful to protect my iPod like it is made of gold–and if you look at the RIAA’s assessment (cost estimate of imaginary property? Huh?) of the value of the songs on it, it is worth more than gold!  But that is a different article.

It is a good place to work; they pay people well and treat employees better than most.  I wasn’t too concerned when, on my way home after work, I realized that I had left my iPod plugged into my Apple at work.  Of course, you, being an astute reader, already know what happened.  The next morning, arriving at work sleepy and slow, I was halfway through the first cup of coffee before realizing that my music player was gone!  (Cue dramatic music.)  Of course I am always misplacing things, so I spent the next half hour tearing my cube apart looking for my iPod.  Nothing.  Crap.  Now I am angry.

I work in IT security, so my first reaction is to start putting together an incident timeline.  When did I leave the office, and who was still there working as I was leaving?  It didn’t make sense; there were only a couple of folks left when I went home, and I KNOW that they wouldn’t steal from me.  So maybe it was just a prank–there are a few folks who might find it funny to alarm me (and probably owe me for messing with them in the past.)  Without tact, I ask them if they know anything about my iPod and let them know that if it was a prank that it was cool, but I would like my iPod back.  No luck; I believe them when they say they didn’t take it, but they would add it to their list of ways to annoy me later.  Everyone I talk to accuses the cleaning crew.  I hate this response; I find it offensive for several reasons.  First, it is racist, even if not overtly.  Most of the cleaning crew are hard-working Mexican immigrants who cannot risk losing their job, but I know what these guys are thinking as they make the accusation.  Second, it is just too convenient; it is a typical knee-jerk reaction–just like blaming every network problem on an IDS or firewall.  People are too quick to place blame, and that I find repugnant, especially if they are in a place of power.

Then it strikes me: I have a critical piece of information sitting in my lap and it just might get my iPod back in my hands.  It was plugged into a Mac, not my Windows box, woohoo–Unix creates log entries when a hard disk is unplugged!  Sure enough, /var/log/system.log has a bunch of the following:

Sep 10 22:31:23 computer kernel[0]: disk2s1: media is not present.

So I call up the physical security folks and let them know that there was a theft.  But I know what time it happened, and because it was at night it should be pretty easy to figure out who did it.  The cleaning crew comes through at 6pm (quite annoying actually) and is usually done by 8pm.  So there should have been no one in the office around the time my iPod grew legs; if anyone was there, they would look awfully suspicious.  They say they will get back to me, but since I know their manager I give her a call–to ensure that key card access logs get reviewed and that the security camera recordings are preserved.  About half an hour later I get a call saying they know who did it and will handle him later that day when he is scheduled to work.  Sweet.

The next morning the manager of the physical security group stops by and returns my iPod unharmed.  And she explains that it was a member of the cleaning crew that had come back after his shift to steal electronics.  I still feel justified in not having the standard knee-jerk reaction and would give them the benefit of the doubt in the future too!  He was given the opportunity to return the stolen property or we would press charges.  He immediately returned the iPod during the interview.  Of course the guy lost his job.  The moral of the story is that stealing music is wrong ;-)

This wasn’t the first time an iPod had been stolen at the office, and it wasn’t the last either–the things are like little stacks of cash lying around, and to someone desperate for money the temptation is just too much.  Because of that I decided to do a bit more research and look at what it would take to get the same results from a Windows box.  Unix users have it easy–significant happenings with block devices, such as a hard drive, at the kernel level are logged by default.  On most Unix-like systems you can find these in /var/log/dmesg (or by running the dmesg command.)  But alas, Windows is the dominant OS out there and is likely to remain that way for a while.  The logging on Windows isn’t that great.  Sure, it is configurable, but it somehow never seems to have the settings in place beforehand that make this type of work easy.  I found a way to get the same results on Windows XP, under the right circumstances.  Here is what I found under XP Pro SP2; it still seems to work on SP3, but does not work on Vista–sorry: as soon as the iPod is synced the disk is disconnected, and you can only get a timestamp of when it was synced, not when it was removed.

A list of forensic evidence retained pertaining to disk removal events in XP Pro (or catching an iPod thief):

User was logged in, and the iPod was removed. The system _has_not_ been shut down:

  • When iPod was unplugged

  • When iPod was last plugged-in

The user was logged-in, the iPod was removed, and the system subsequently _rebooted_.

  • Cannot determine when iPod was unplugged.

  • The “HKLM\SYSTEM\CurrentControlSet\Control\DeviceClasses\” registry tree appears to be dynamically rebuilt each boot.

  • When iPod was last plugged-in

The user was logged-in, logs out, and the iPod subsequently removed.

  • When iPod was unplugged

  • When iPod was last plugged-in

The user was logged-in, logs out, logs back in, and the iPod subsequently removed.

  • When iPod was unplugged

  • When iPod was last plugged-in

So, as long as the system is not shut down we can tell when a device was removed.  Here is how to do that using the LogParser tool from Microsoft.  If you plan on doing the procedure remotely (which will result in fewer overall changes to the system compared to logging in as a user interactively), you will need to run the following command from a CMD.exe shell on another host before performing the query:

net use \\<hostname>\ipc$ /u:<administrator>

Substitute appropriate values for the <hostname>, and <administrator> account name.
Next you can perform the query:

logparser -i:reg -o:csv "select * from \\<hostname>\HKLM\SYSTEM\CurrentControlSet\ where path like '%iPod%' order by lastwritetime desc" -e:1000 > outfile.csv

You should, once again, substitute an appropriate value for the <hostname> listed above. Also any line breaks should be removed when running the actual command.

Command options explained:

  • "-i:reg" instructs LogParser to use the system registry as a source.
  • "-o:csv" specifies that the output should be comma-separated values. This allows for easier analysis within a spreadsheet program.
  • "select * from \\<hostname>\HKLM\SYSTEM\CurrentControlSet where path like '%iPod%' order by lastwritetime desc" is the actual SQL query. It looks at all values in the registry where the path name (not the key's data) contains the text iPod. It then returns them sorted in a list with the most recent entries first.
  • HKLM is shorthand for HKEY_LOCAL_MACHINE.
  • To see what other fields can be queried you can run "logparser -i:reg -h".
  • There are three subkeys below CurrentControlSet that contain relevant information (Control, Enum, and Services), which is why the query is performed at such a high level within the registry.
  • The string '%iPod%' can be changed to represent another device, such as a USB thumb drive. You can view the "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\" area of the registry to see what other removable USB devices have been connected (or substitute SCSISTOR for USBSTOR for SCSI), and experiment with the name assigned by the device manufacturer to find the evidence you need. Be sure to enclose whatever string you need in single quotes and percent signs, as shown in the above example surrounding the string iPod.
  • "-e:1000" instructs LogParser to quit after 1000 errors (a number intentionally higher than is ever likely to occur in such a restricted query.) If LogParser is not given this instruction, errors will not appear in the output, and it is important to see the errors in case you are not seeing all of the necessary data.
  • "> outfile.csv" specifies the file name where the output will be stored.

Opening the CSV file in your choice of spreadsheet program will allow you to sort the data by access time.  Sort by descending timestamp and you should be able to see when the registry key was last written–this is when the device was unplugged.  I hope you are as lucky as I was and get your iPod back too!
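As an added example (not code from the article or its author), the following Python does the two analyses described above offline: it pulls the “media is not present” events out of a macOS system.log excerpt, and it sorts the CSV that the LogParser query produces to estimate the unplug time and show which CurrentControlSet subtree changed last. The syslog and CSV samples are constructed, the serial number and timestamps are invented, and the CSV column names are assumed to match LogParser's REG input fields.

```python
"""Device-removal timeline from the two artifacts the article relies on: the macOS
system.log "media is not present" line and the CSV that LogParser writes for the
registry query. Added example, not the article's code; all sample data is constructed."""
import csv
import io
import re
from datetime import datetime

MONTHS = {m: i for i, m in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), start=1)}

# Matches the kernel line quoted in the article; syslog lines carry no year.
SYSLOG_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"\S+ kernel\[\d+\]: (?P<dev>disk\d+(?:s\d+)?): media is not present\.$")

# Constructed sample of /var/log/system.log (not real evidence).
MAC_SYSLOG = """\
Sep 10 22:29:58 computer kernel[0]: USBF: unrelated chatter
Sep 10 22:31:23 computer kernel[0]: disk2s1: media is not present.
Sep 10 22:31:23 computer kernel[0]: disk2: media is not present.
"""

# Constructed sample of "logparser -i:reg -o:csv" output. Column names are assumed
# to match LogParser's REG input fields; the serial number and times are invented.
REG_CSV = r"""Path,KeyName,ValueName,ValueType,Value,LastWriteTime
\\HOST\HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_Apple&Prod_iPod&Rev_1.62,Disk&Ven_Apple&Prod_iPod&Rev_1.62,,,,2008-09-10 18:02:11
\\HOST\HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_Apple&Prod_iPod&Rev_1.62\SERIAL0001&0,SERIAL0001&0,FriendlyName,REG_SZ,Apple iPod USB Device,2008-09-10 18:02:12
\\HOST\HKLM\SYSTEM\CurrentControlSet\Control\DeviceClasses\{53f56307-b6bf-11d0-94f2-00a0c91efb8b}\##?#USBSTOR#Disk&Ven_Apple&Prod_iPod&Rev_1.62#SERIAL0001&0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b},##?#USBSTOR#Disk&Ven_Apple&Prod_iPod&Rev_1.62#SERIAL0001&0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b},,,,2008-09-10 22:31:20
"""


def parse_mac_syslog(text, year):
    """Return [(datetime, device)] for each 'media is not present' line."""
    events = []
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        hh, mm, ss = (int(x) for x in m["time"].split(":"))
        when = datetime(year, MONTHS[m["mon"]], int(m["day"]), hh, mm, ss)
        events.append((when, m["dev"]))
    return events


def parse_logparser_csv(text):
    """Parse LogParser REG CSV output, turning LastWriteTime into a datetime."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["LastWriteTime"] = datetime.strptime(row["LastWriteTime"], "%Y-%m-%d %H:%M:%S")
        rows.append(row)
    return rows


def subtree(path):
    """Name the CurrentControlSet subtree (Control, Enum, Services) a key lives in."""
    marker = "\\CurrentControlSet\\"
    i = path.find(marker)
    if i < 0:
        return "other"
    return path[i + len(marker):].split("\\", 1)[0]


def matching_rows(rows, needle="iPod"):
    """Same filter as the article's query: the key path contains the device string."""
    return [r for r in rows if needle.lower() in r["Path"].lower()]


def latest_write_by_subtree(rows, needle="iPod"):
    """Most recent LastWriteTime per subtree, to show which area was touched last."""
    latest = {}
    for row in matching_rows(rows, needle):
        name = subtree(row["Path"])
        if name not in latest or row["LastWriteTime"] > latest[name]:
            latest[name] = row["LastWriteTime"]
    return latest


def estimate_windows_removal(rows, needle="iPod"):
    """The article's rule: the newest write to a matching key is the unplug time."""
    hits = matching_rows(rows, needle)
    return max(r["LastWriteTime"] for r in hits) if hits else None


def registry_timeline(rows, needle="iPod"):
    """Matching keys newest first, like the descending spreadsheet sort in the article."""
    hits = matching_rows(rows, needle)
    return sorted(((r["LastWriteTime"], subtree(r["Path"]), r["KeyName"]) for r in hits),
                  reverse=True)


if __name__ == "__main__":
    for when, dev in parse_mac_syslog(MAC_SYSLOG, 2008):
        print(f"macOS  {when}  {dev} removed")
    rows = parse_logparser_csv(REG_CSV)
    for when, area, key in registry_timeline(rows):
        print(f"winreg {when}  {area:8} {key}")
    print("Windows unplug estimate:", estimate_windows_removal(rows))
```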

11 Dec 2008, 4:51pm
Security

Snort, Barnyard, MySQL and SSL: Very annoying.

So for years I have just Stunnel-wrapped my database connections when setting up Snort sensors. (Perhaps you have noticed how most of the howto guides on setting up Snort with BASE or ACID or whatever remote console put so much emphasis on ensuring you have SSL configured for your web server, but somehow fail to provide instructions on setting up SSL for the database connection? Ya, I noticed that too.)

Stunnel generally works, but I am kinda picky about how I do things and I like tidy configurations. Well, I’ll be honest, the last time I built a remote Snort sensor was during the MySQL 4.10 days–ya, it’s been a few years. So this week I am working on doing some cleanup and decided to upgrade to MySQL 5.1, which has some nice features, one of which is native SSL support. So after setting it up and testing it, and recompiling everything linked to my old MySQL libraries, I manually test and confirm that SSL works. Sweet. Now to test Barnyard . . . nope, no SSL. Bummer; how about Snort’s MySQL capabilities? Nope, that doesn’t work either. So, if you are trying this out and have succeeded, drop me a note! Otherwise, well, stick to Stunnel!

24 Oct 2008, 2:15pm
Security

2600 Magazine

I just got confirmation that my second article for 2600 magazine will likely be in next quarter’s issue.  Woohoo!  I will post a copy after publication.  I wonder if this cements my status as a “known associate” of 2600?

By the way, my band Hellbound Billy is playing tonight!  Come out to the 12V Tavern for some Psychobilly Punk!  More info at our website.

11 Sep 2008, 1:14am
Security

RMCUG Blackhat Recap

Tonight (Thursday) a group of folks who were at Blackhat together are presenting summaries of various presentations and tools that were released at the conference for the Rocky Mountain Cisco Users Group.  I am presenting on the tool that SensePost released, called reDuh, and here are my slides.

9 Sep 2008, 12:05am
Security

Introduction to Cross Site Scripting (XSS)

I put together a short (~2 hour) training class on Cross Site Scripting.  Here are the slides:


The document is licensed under a Creative Commons Attribution License, so feel free to use it or parts of it if you think it is useful.

28 Aug 2008, 2:30am
Security

The Illusion of Security: Denver Police Radio Systems

As part of the security procedures for the DNC in Denver, the police department changed their radio system (at what I am guessing was great expense) to use ESK (EDACS System Key). This is a “security” measure that adds encryption to the digital control channel for EDACS systems. It is supposed to prevent eavesdropping and interference. The audio transmissions are still in the clear–all this does is make older trunking scanners less useful (newer models work fine), and how it prevents someone from jamming the data channel or even breaking into a transmission once it is started is a mystery to me!

You can still listen in at ScanAmerica, since they have a newer ESK-capable scanner (I just donated to them–if you use it you should too.) Alternatively, Uniden is releasing an update to their BCD396T scanner that understands ESK. Of course you can still use your old-school scanner to listen too, but it sounds a bit messy, you no longer get the calling station identifier, and it is a lot less likely that you will be able to follow a full conversation if more than one conversation is happening at once.

Update:

It was late last night when I wrote this post, and I have had some time to think.  So, suppose there was a credible threat that someone might want to get on the EDACS system and use misinformation to redirect the police.  The timing for greatest negative impact would have to be during a large, internationally covered event, such as the DNC.  The only protection that changing to ESK buys is a little bit of time.  If an attacker is prepared, has researched the system and planned an attack, he or she would be thwarted for a few days by changing to ESK unexpectedly.  It takes time to get updated hardware–maybe a couple of days for an informed and funded attacker; longer for the less informed and funded.  This change successfully stops the teenager who found a police radio at a garage sale, but is that who we are really worried about?

After thinking about it, the move, while pretty weak as a long-term tactic, is quite smart, because by timing it correctly it maximizes the strategic value of a weak protection when the impact of an event is highest.  It is really easy for many security professionals to get caught up in the black-and-white thinking that pervades the academic side of security.  But in the real world, sometimes you have to settle–this is a good example of how the value of a weak security control can be maximized.  I am not advocating the use of weak controls! I am just saying that sometimes you have to make do with what you have.

17 Aug 2008, 8:12pm
Security

The Rise of the “Traveltop”

A paranoid guide to traveling with a laptop computer.

I don’t travel much for work, but I do get around for vacation or conferences. I have traveled internationally a couple of times in the last year, and around the U.S. several times. This is how I approach laptop security when I am traveling.

A big concern to many people is what you keep on your laptop. My personal laptop has information that I don’t want shared, and my work laptop has information my employer doesn’t want shared. A few concerns when traveling are laptop theft, search and seizure by a friendly three-letter government agency (who, rest assured, have your best interests in mind), evil-twin hotspots, and traffic interception.

There are a few ways to deal with each problem, which are helpful for travelers. The first rule is to anticipate that the worst will happen: your laptop will be stolen, searched, attacked, or sniffed at some point.

The best protection is to use what I like to call a “traveltop”, which is a laptop configured solely for traveling. The key should be that you are willing to walk away from the laptop and not give it a second thought. There are plenty of laptops available for less than $500. I am not talking about something like an Eee PC or watered-down laptop; I picked up a Toshiba Satellite for roughly $450, which has a 64-bit dual-core AMD processor and is sufficiently fast for almost everything I could want to do outside of gaming. My MacBook Pro cost me more than five times as much. Think of it as cheap insurance.

The key for this strategy to be effective is to limit what information you put on the laptop. Don’t use it for creating and editing documents, don’t store email on it, don’t even put your web bookmarks on it. Here are some of the methods I use to keep my traveltop clean, likely to resist attack, and divulge the minimum information to someone who gets their hands on it:

  1. Buy a throwaway. If you are traveling with any frequency it is likely that you make enough money to afford a $450 laptop. If you can’t afford that, maybe you should reconsider taking a computer at all–if you can’t afford to lose your laptop leave it at home and use a phone for checking email.
  2. Use Firefox. Don’t use Internet Explorer. Configure Firefox to delete all cookies, history files–everything–when you close it. You can do this by clicking on Tools -> Options -> Privacy, and checking the box that says “Always clear my private data when I close Firefox.” I realize this doesn’t protect you from a full forensic analysis, but it does help limit your exposure. For example, the TSA will check your Internet history when looking at a suspect laptop.
  3. Install Google Toolbar. I know, it sounds counter-intuitive, but the only thing I use from the Google Toolbar is the feature that allows you to share bookmarks across different systems. Not only is it convenient–it is safer, because your bookmarks are stored online and require authentication to access them. Don’t get a false sense of security though, because Google will leak your session cookie unencrypted, which allows anyone sniffing the network you are on to log in as you while the cookie is valid–this is easily dealt with, and is covered later.
  4. Use webmail. Google is good, hushmail is safer–which ever one you choose don’t store your messages on your traveltop, don’t even print them from the traveltop–in fact I highly suggest not even configuring a printer on the system.
  5. Encrypt the entire hard drive. TrueCrypt is free, faster than most commercial alternatives, easy to install, and runs on most popular operating systems (Windows, Mac, and Linux.) I suggest using a really long password–actually, don’t use a password; instead use a sentence. It will be easier to remember, and will stand up a lot better to automated key guessing. A couple of thoughts about dealing with government agencies (foreign or domestic.) If a border agent demands your password, or requests that you type it–comply. There is no reason to go to jail, and unless you are well funded and plan on taking on the courts (and it would require an incredibly large effort) you will lose. Although TrueCrypt has the ability to have “hidden” partitions with entire operating systems inside of them–with so-called “plausible deniability”–this is in my opinion a bad idea. First, some research has shown that it is possible to detect (under certain circumstances) that this is being used. Second, if you get caught deceiving police, border agents, whatever, you can get into a lot more trouble–it may establish mens rea. But IANAL–don’t trust me for legal advice :)
  6. Don’t save documents locally. If you must carry documents, use an encrypted thumb drive to store them. Send the thumb drive to yourself at your destination using registered mail. Better yet, if you can use a web-based solution such as WebDAV or Google Documents, use that. Another good solution is to use something like a Remote Desktop or Citrix session to access your files–which almost completely eliminates the likelihood that you will inadvertently place something secret on your traveltop.
  7. Use an encrypting proxy for Internet traffic. If someone is going to watch your network traffic it will most likely happen at a wireless hotspot. Many times programs leak information that an attacker can use even if the login is encrypted; a good example of this is Google Mail, which allows cookie theft. One method of dealing with this is to use an encrypted tunnel to a trusted (or more trusted) network. There are free and commercial products for doing this. If you don’t have any technical expertise, one method is to use Anonymizer, a commercial web service that helps Windows users. More technical users may want to use an SSH tunnel or set up a proxy server such as Squid or Apache using SSL and authentication. By verifying the SSL certificate (or SSH host key) you can be sure that no one has performed a man-in-the-middle attack, or is injecting data, as is common in evil-twin attacks.
  8. Clean house frequently. You should use a program that cleans up tracks of web surfing, temporary files, and other day-to-day activities.  Webroot Software makes Window Washer, which works reasonably well, but is a little flaky under UAC on Vista.  Anonymizer makes a competing product that is bundled with their web surfing tool, but they have problems with Firefox 3.  A desirable feature is the ability to “wipe” files and not just delete them (if you can turn this on permanently for your Recycle Bin, even better.)  Wiping the file with random data before renaming it and then removing it makes it effectively impossible for the deleted file to be recovered, even partially.
  9. Use a firewall, anti-virus and anti-spyware software. This is a no-brainer. I am, however, skeptical about expensive programs. Use the free stuff like Avira, and the free Windows anti-spyware stuff. Don’t open strange attachments, don’t run as the administrator user, and don’t use your traveltop to surf pr0n! I know a lot of people say that Vista is not ready for prime time, but for most users it provides protection that XP lacks.
  10. Update your software. Yes, I know, this is another no-brainer. A day or two before you leave for your trip you should use Windows update to get current. Stay on the latest version of your web browser too. Why does this matter? Many evil-twins will attempt to exploit your system by attacking known security weaknesses that have already been fixed. For an example of such a program, check out Hotspotter–it is particularly devious, and having the latest system updates installed really helps protect your system.
  11. Buy a laptop lock, and use it when you leave your laptop alone. Sure a few blows with a hammer will break most laptop locks, and many are easy to pick. What you are trying to stop is crimes of opportunity. If someone is targeting you for theft they are more likely to be successful, but most thefts aren’t planned and most of the lock picking enthusiasts aren’t thieves. So buy a lock and use it.
  12. Use an anonymous recovery service. I put little stickers on all my expensive electronics, that offer a reward through Track it Back, which is a service that offers a reward to people that find your belongings, and arranges to have a courier pick it up and mail it back to you. There are other services out there too. Basically it assumes that many people are honest, and will return something of value that they find. The allure of a reward may be more tempting for a thief that discovers that your laptop won’t boot without a password.
  13. Make your laptop less attractive. I put stickers all over my traveltop–it makes it distinct, harder to claim “Oh, it looks just like mine, sorry”, and destroys the resale value for a thief.

The most important concept is that by not placing valuable information on your laptop you don’t put it at risk. I know it seems obvious, because it is, but how many big corporations have you heard about this year alone that lost something of value?

16 Aug 2008, 12:46pm
Security

DC16

Defcon 16 Badge

I just made it home after going to the annual freakshow that is Blackhat and Defcon. I haven’t been to Defcon since I believe DC9, so it has been 7 years. Overall the conference was pretty much the same; the best part wasn’t the talks but the people you meet. However, the SensePost talk was really cool–every time I come across those guys they really scare me (I first met a few of them back in ’98 at a class.) The part that caught my eye was a tool that they released for tunneling TCP over HTTP. Pretty cool stuff for pen testing, and they have JSP, PHP, and ASP versions of the program.

We weren’t able to see Kaminsky’s talk–there is a moral about hackers and crowd control somewhere in the story, but basically they didn’t have room for all the people that wanted to watch his presentation (whatever, I’ll download the torrent.)

We met some really cool folks while we were out there, if you have never been you should really go! If you don’t know anyone and you plan on going next year give me a shout and we will meet up.