Thursday, December 15, 2005

Meth and ID Theft

I ran into this link over on Sunbelt Blog. It's a story about Meth addicts using ID Theft to fund their addictions.

The article, appearing in USA Today, offers some eye-opening insight as to how this section of the criminal underground operates.

A lot of the initial information gathering by the group was done through dumpster diving and picking through trash (until the group went global) at companies that should know better.

Be diligent when it comes to destroying papers containing your sensitive data. Buy yourself a paper shredder, for starters.

What do you do when companies with your data are lax in their procedures?

Staying familiar with your account and credit card transactions will help you notice anything out of the ordinary.

Friday, December 09, 2005

Regular Tools to Make Your Security Life Easier - II

I ran across VirusTotal.com today. VirusTotal offers the scanning of any file uploaded to their website and does so through the use of multiple A/V products. The site does come with a caveat:
Although the detection rate afforded by the use of multiple antivirus engines is far superior to that offered by just one product, these results DO NOT guarantee the harmlessness of a file.
That should be obvious to anyone in information security, but it's a good reminder nevertheless. This page has a list of the A/V products used to scan the files.

Monday, December 05, 2005

Regular Tools to Make Your Security Life Easier

Today, I ran into a couple of problems switching back and forth between computers. Changing back and forth between keyboards and mice was getting to be a pain.

A coworker pointed me to the following tools:

Synergy was the answer to my problems. Synergy allows you to use two separate monitors attached to two separate machines and share a keyboard, mouse, and clipboard between the two.

In my case, I was switching back and forth between my Windows XP desktop and my PowerBook G4 laptop. Synergy installs on both machines (including Linux).

I chose to run the server on my Windows machine and the client on my OS X laptop. Configuration is self explanatory and can be easily adjusted from the sample .conf file.

Obviously, this would work best if you could actually see both monitors at the same time like a traditional dual monitor setup.

The second application was GeekTool.
GeekTool is a PrefPane (System Preferences module) for Panther or Jaguar to show system logs, unix commands output, or images (i.e. from the internet) on your desktop (or even in front of all windows).
A screenshot of GeekTool in action can be seen here.

Wednesday, November 30, 2005

Forensic Tools: FTK - Part II, Adding Evidence

In the first installment of Forensic Tools: FTK I talked a little bit about what FTK is and does and also about installing the FTK Demo version on a Windows computer. In this installment we'll talk about adding an image as evidence to a case. Screenshots visually describing the process described in this post can be found on the Infosecisms Flickr page.

Important Notice (the first three lines of ABOUT FTK):
FOR TRAINING AND DEMO PURPOSES ONLY. PER THIS PROGRAM'S LICENSE AGREEMENT, COMPUTER FORENSICS INFORMATION GATHERED FROM A NON-LICENSED VERSION OF THE FTK IS NOT ADMISSIBLE IN COURT AS EVIDENCE. (Pic 1)
Ok, now that you have FTK installed (along with KFF), it's time to start adding "evidence" to a case as you would during an investigation. Keep in mind that this is a guide for using FTK and NOT a guide for conducting a forensic investigation.

First, open FTK and you get to see the lovely reminder that the Demo version of FTK can only handle 5,000 files (Pic 2). That's ok because AccessData was nice enough to give us this version for FREE. Besides, if you are serious about using FTK as a professional investigation tool, this version should give you enough information to figure out if you like it. Then, you can pay for it or get your company to pay.

On to the "evidence". First, we need some "evidence" to learn the ins and outs of FTK. A good place for test images is the Digital Forensics Tool Testing Images website which is run by Brian Carrier, who also happens to be the author of Autopsy and The Sleuth Kit. For this exercise, I'll use the Basic Data Carving Test #1 image. Download, save, and unzip the image into a directory of your choosing.

Open FTK and you'll be presented with a dialogue asking you to Start a New Case, Open an existing case, Preview evidence, or Go Directly to using the program. Since we're budding FTK users and forensic investigators, we'll choose "Start a New Case". (Pic 3)

This choice will bring us to the wizard for creating a new case. Enter the appropriate information for yourself (the investigator) and the case and press Next. (Pic 4)

Take the default settings on the next two windows. On "Processes to Perform", check all of the available options. (Pic 5)

When you get to the "Add Evidence to Case" window, click "Add Evidence". (Pic 6)

Choose to add an "Acquired Image of Drive". (Pic 7)

Browse to the image you wish to add and select it. In this case, I chose "12-carve-ext2.dd" and pressed "Open". (Pic 8)

Add any relevant image information on the following screen and click "Ok". When you have added all of the "evidence" that you want to the case, click "Next" on the "Add Evidence to Case" window. Click "Finish" to finish the case setup.

Once the case setup is done, FTK will process the "evidence" (Pic 9) that was added to the case. For larger images this may take some time. However, for our example it shouldn't take very long.

Ok, now we have an image added to a case (Pic 10).

Now what? "What" is the topic for the next installment of Forensic Tools: FTK.

In the meantime, feel free to browse around and figure some things out. After all, while you are still learning is the best time to make mistakes and learn the intricacies of a program. Until next time...

Forensic Tools: Forensic Tool Kit (FTK) from AccessData

Forensic Tool Kit (FTK) from AccessData:
offers law enforcement and corporate security professionals the ability to perform complete and thorough computer forensic examinations. The FTK features powerful file filtering and search functionality. FTK's customizable filters allow you to sort through thousands of files to quickly find the evidence you need. FTK is recognized as the leading forensic tool to perform e-mail analysis.

FTK is a forensic tool for use on Windows. The tool overview page also gives a good description of FTK's other qualities but I'll leave that bit of reading up to you. I have used FTK in a classroom setting, personal use, and recovering data from corrupted disks and files for other people.

I have never used it in an official investigation; however, the professor who taught the forensic class that I took does have extensive law enforcement experience, so that is good enough for me.

First of all we need to download and install FTK. As you will see on the download page, the version of FTK is the Demo Version 1.60.

Be advised that it will only handle 5,000 files or less in any case added to it. Also, you will want to download and install the Known File Filter (KFF).

The KFF is a collection of hash datasets covering standard operating system and program files, known child porn, and other potential evidence files. It lets you flag a file as "known" right away rather than having to chase it down yourself to identify its use or purpose.
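To make the "known file" idea concrete, here is a small shell script (added here as an illustration, not AccessData's code and nothing like the size of the real KFF) that hashes every file under a directory and reports only the files whose hash is not in a known-hash list. The list format (one lowercase SHA-1 per line) and the sample files it builds are constructed for the example; it assumes a Unix box with sha1sum, shasum or openssl on the path.

```shell
#!/bin/sh
# Known-file filtering in the spirit of the KFF: hash every file under a
# directory and print only the ones whose hash is NOT in a list of known
# hashes, so the examiner's attention goes to the unknowns.
# Hash list format and the sample files below are constructed for this
# example; the real KFF is a far larger database.

# Hash one file with SHA-1, using whichever tool this system has.
file_hash() {
    if command -v sha1sum >/dev/null 2>&1; then
        sha1sum "$1" | cut -d' ' -f1
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 1 "$1" | cut -d' ' -f1
    else
        openssl sha1 "$1" | sed 's/.*= //'
    fi
}

# Print the relative paths of files under $1 whose SHA-1 is absent from
# the known-hash list $2 (one lowercase hex hash per line).
unknown_files() {
    dir="$1"; known="$2"
    find "$dir" -type f | sort | while read -r f; do
        h=$(file_hash "$f")
        if ! grep -qx "$h" "$known"; then
            printf '%s\n' "${f#$dir/}"
        fi
    done
}

# Build a small constructed "evidence" tree plus a known list and run the
# filter over it; only the two files not in the known list are printed.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/ev/windows" "$tmp/ev/docs"
    printf 'standard OS file\n' > "$tmp/ev/windows/notepad.exe"
    printf 'meeting notes\n'    > "$tmp/ev/docs/notes.txt"
    printf 'unknown binary\n'   > "$tmp/ev/docs/tool.bin"
    # Pretend the OS file is in the known set; the rest are not.
    file_hash "$tmp/ev/windows/notepad.exe" > "$tmp/known.txt"
    unknown_files "$tmp/ev" "$tmp/known.txt"
    rm -rf "$tmp"
}

# demo    # prints docs/notes.txt and docs/tool.bin
```

The point of the exercise is the same one the KFF makes: with a trustworthy list of known hashes, a 5,000-file image shrinks to the handful of files nobody has seen before.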

FTK download site:
http://www.accessdata.com/Product04_Download.htm

Download and install FTK and the KFF. You can either download it as a whole or in parts, whichever is better for your situation (bandwidth, time, etc). The KFF is quite large at 183MB so you might want to download it overnight or somewhere with a fast connection.

You will need administrator access to your machine to do the installation. Double-clicking on the setup files should take care of everything. I used the default values for the install.

In the next installment, I'll show you how to add an image to a case and we'll start browsing around the application.

Forensic Tools

From time to time I will review digital forensic tools that I run across in my daily use or read about online. Mostly, the tools will be free to use but every once in a while I'll run across a tool that has a free or trial version.

As of now I have plans to review Forensic Tool Kit (FTK) from AccessData, Autopsy and The Sleuth Kit, pstools from sysinternals.com, and netcat. I'll add more to the list as I go and if you have any suggestions leave a comment. Thanks.

Monday, November 28, 2005

Keeping up with the Joneses

With the SANS Top 20 Vulnerabilities list coming out on a yearly basis, information security professionals cannot afford to entirely rely on just one yearly source of information.

That is why security professionals should be subscribed to one or more (preferably more) security mailing lists to stay on top of the latest happenings in information security.

One such list to subscribe to is the @RISK: The Consensus Security Alert:
Delivered every Thursday morning, @RISK first summarizes the three to eight vulnerabilities that matter most, tells what damage they do and how to protect yourself from them, and then adds a unique feature: a summary of the actions 15 giant organizations have taken to protect their users.
Two more great lists are the US-CERT Technical Cyber Security Alerts and Bugtraq.

SANS Top 20 Vulnerabilities

Every year, the SANS Institute releases a Top 20 Internet Security Vulnerabilities list. Originally, the Top 20 list began as a Top 10 list in June of 2001. Each successive list was released with 20 vulnerabilities, 10 centering on Windows and 10 centering on Unix.

This year, SANS made a change to how the list was presented. Windows and Unix vulnerabilities are still represented; however, two other categories of vulnerabilities were added.

SANS chose to list applications and network devices as "areas" in the Top 20 advisory. At first glance, this seems to lead to a broader advisory list with less content.

The broadness is slightly misleading because if you drill down on each vulnerability point, the list includes several advisories that make the case for that specific point being in the Top 20 list.

This format allows for an executive summary (original 20 vulnerability points) for managers and the more technical details (actual advisories and recommendations) for the technical side of IT.

The Top 20 Vulnerabilities list did get off to a rocky start as Richard Bejtlich pointed out but quickly recovered after fixing some confused wording. In my eyes, this shows the professional level at which SANS operates by being able to fix mistakes quickly for the betterment of the information security community.

Wednesday, November 23, 2005

Sniffing on a switched network - Part 2

In the previous post, I discussed sniffing traffic on a switched network using a span or mirrored port on a managed switch or using a network tap using either homegrown, multipurpose hardware or dedicated hardware.

What happens when the person wanting to sniff traffic does not have the ability to place a tap inline or turn on a span port? Would this be something that a person with nefarious intent would like to do? How would that person go about getting around the seeming inability to sniff traffic without being able to place their own device?

Those answers can be found in a couple of places online.

The first is a nice paper entitled Packet Sniffing on Layer 2 Switched Local Area Networks from Ryan Spangler from packetwatch.net. This paper discusses attacks such as ARP cache poisoning, CAM table flooding, and switch port stealing and then provides methods for mitigating the attacks.

The second place I found good information was a tutorial on Antionline.com. This tutorial covers the topics of the first paper but also goes into greater depth, since it discusses VLAN hopping and other more advanced layer 2 attacks.

Sniffing on a switched network

Having recently configured a network monitoring system using sguil, talk of how to capture traffic on a switched network came into play.

If you are fortunate enough to have a managed switch then all that is necessary is to create a mirrored or span port which will replay all switch traffic to the port of your choosing. This enables you to set up a sniffer on that port to monitor and listen to the traffic going across your switch. What if you don't have a managed switch?

Several options exist. One option is to use a network tap such as those offered from Net Optics (no affiliation). What if you do not have the money to spend on a dedicated tap device? Create your own!

If you have not used OpenBSD, now is the time to begin. Creating a bridge (with a span port) with OpenBSD requires three NICs. Use ifconfig to bring up the two NICs that will be used to bridge the connection (since this will be an inline device). Use ifconfig to create the bridgeN device, where N is a number. Use brconfig to add the two bridging network interfaces and the third network interface as a span port. Reboot to make sure your changes stick and you have your own homemade network tap.
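For anyone who wants the actual commands behind that paragraph, here is a short script I'm adding as an example (it is not from the original post and not OpenBSD's own code). The interface names em0, em1 and em2 are assumed; substitute whatever ifconfig shows on your box. It targets OpenBSD releases that ship brconfig(8) as a separate tool, and the hostname.if files it writes follow the format /etc/netstart read in those releases (one brconfig argument line per line in hostname.bridge0). Applying it for real needs root on the OpenBSD box; the functions only print commands or write files, so they can be tried anywhere.

```shell
#!/bin/sh
# Homemade network tap on OpenBSD: two NICs bridged inline, a third NIC
# added as a span port that gets a copy of every frame the bridge forwards.
# Interface names below are assumed for the example; check `ifconfig`.

# Print the commands that set the tap up for the current boot only.
# $1/$2: the inline NICs, $3: the span port the sniffer listens on,
# $4: bridge device name (default bridge0).
tap_commands() {
    in_if="$1"; out_if="$2"; span_if="$3"; bridge="${4:-bridge0}"
    # Bring the NICs up with no IP address: the tap stays invisible at layer 3.
    printf 'ifconfig %s up\n' "$in_if"
    printf 'ifconfig %s up\n' "$out_if"
    printf 'ifconfig %s up\n' "$span_if"
    printf 'ifconfig %s create\n' "$bridge"
    # add: inline members; addspan: the port that receives the copies.
    printf 'brconfig %s add %s add %s addspan %s up\n' \
        "$bridge" "$in_if" "$out_if" "$span_if"
}

# Write hostname.if(5) files so the tap survives a reboot. $1 is the
# directory to write into (/etc on the real box; a scratch dir for testing).
write_tap_config() {
    root="$1"; in_if="$2"; out_if="$3"; span_if="$4"; bridge="${5:-bridge0}"
    # Members come up address-less; "up" is the whole file.
    for i in "$in_if" "$out_if" "$span_if"; do
        printf 'up\n' > "$root/hostname.$i"
    done
    # Each line of hostname.bridge0 is handed to brconfig(8) by /etc/netstart.
    {
        printf 'add %s\n' "$in_if"
        printf 'add %s\n' "$out_if"
        printf 'addspan %s\n' "$span_if"
        printf 'up\n'
    } > "$root/hostname.$bridge"
}

# Example (assumed names): em0 and em1 sit inline, em2 feeds the sniffer.
# tap_commands em0 em1 em2 | sh        # apply now, as root on OpenBSD
# write_tap_config /etc em0 em1 em2    # persist across reboots, then reboot
```

Run your sniffer on the span interface (em2 in the example) and it sees both directions of whatever passes between em0 and em1, which is exactly what the dedicated tap hardware gives you.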

Wednesday, November 16, 2005

Virtual Training Environment

Ran across this in #snort-gui this evening:
The Virtual Training Environment (VTE) is a Web-based knowledge library for Information Assurance, computer forensics and incident response, and other IT-related topics. VTE is produced by the Software Engineering Institute at Carnegie Mellon University.

This site has a lot of walkthrough-video demos on topics in the following areas:
  • Asset and Risk Management
  • IA Policy and Implementation
  • TCP/IP Security
  • Cryptography
  • Host System Hardening
  • Securing Network Infrastructure
  • Firewalls and Networking
  • Intrusion Detection
  • Synchronization and Logging
  • Forensics and Incident Response
The site is very easy to use and offers a ton of information for people new to the IT security field and for those who want a brush up on certain topics. Checking out the documents, demos, lectures, and hands-on labs will keep you busy for quite a while.

Monday, November 14, 2005

Wiping hard drives

With near-commodity hardware, computers are coming and going at a faster rate than ever. For around $300-$400, a new machine can be bought from Dell.

These aren't high end machines but they meet the needs of everyday users. They run office applications, accounting software, email clients, and web browsers with ease.

The machines are also priced and built to become almost disposable in the eyes of the user. What happens to those machines when they are recycled? They go to neighbors, relatives, schools, churches, and other needy groups or they go to the dump.

While recycling and donating older and used computers is a great idea, there is one thing that people forget or do not realize: their data is still on the hard drive and available to anyone who can access the computer!

How does a person avoid leaving all of that personal or business information on the computer's hard drive? Wiping the hard drive with a disk wiping utility.

By wiping the hard drive, a person can remove all traces of the personal information stored on the computer. Wiping, or overwriting, your hard drive enables a person to remove:
  • personal information
  • business information
  • incriminating information? (for all of the bad guys out there)
The topic of favorite drive wiping utilities came up in the #snort-gui IRC channel and I mentioned that I like to use DBAN (Darik's Boot and Nuke). Richard Bejtlich has a nice writeup (as a result of that conversation) at his TaoSecurity Blog and provides some screen shots of DBAN in action.
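Since "wipe" really means "overwrite" (a deleted file still sits in the free space), here is a small shell example, added here and unrelated to DBAN's code, that overwrites a scratch file standing in for a drive and then checks that nothing but zeros remains. The file path and the sample contents are constructed for the demonstration; for a real disk use DBAN as described above and keep the verification idea.

```shell
#!/bin/sh
# Overwrite-then-verify on a scratch file that stands in for a drive.
# Constructed example: the file and its "personal data" are made up here.

# Overwrite every byte of file $1 with zeros, keeping its size.
# bs=1 is slow for big files but portable; a real wipe runs over the whole
# device, which is what DBAN does.
wipe_zero() {
    size=$(wc -c < "$1" | tr -d ' ')
    dd if=/dev/zero of="$1" bs=1 count="$size" conv=notrunc 2>/dev/null
}

# Succeed only if no non-zero byte remains in $1 (the verification step).
# od -An -v -tx1 prints every byte as hex; any digit 1-9 or a-f means
# something survived the wipe.
is_zeroed() {
    ! od -An -v -tx1 "$1" | grep -q '[1-9a-f]'
}

# Succeed if the pattern $2 can still be read back from $1.
still_readable() {
    grep -q "$2" "$1"
}

# Walk through it: plant a secret, confirm it is readable, wipe, confirm gone.
demo() {
    f=$(mktemp)
    printf 'SSN 000-00-0000 account 1234\n' > "$f"
    still_readable "$f" 'SSN' && echo "before wipe: secret readable"
    wipe_zero "$f"
    if is_zeroed "$f" && ! still_readable "$f" 'SSN'; then
        echo "after wipe: all zeros, secret gone"
    fi
    rm -f "$f"
}

# demo
```

The second function is the part people skip: after any wipe, read the media back and confirm the overwrite actually happened before the machine leaves your hands.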

Remember, only wipe your hard drive when you are ready to completely say goodbye to the data on the drive. If there is some information you would like to keep, do not forget to back it up! Happy Wiping!

Thursday, November 10, 2005

Infosecisms

Well, I've finally thrown my hat into the blogging ring. This blog will focus on information security topics. Generally, I will cover articles, guides, books, and things that I read/do in my never-ending quest for greater Infosec knowledge.