Archive for May, 2007

23 May

“Wholesale Rummaging” vs. Electronic Evidence

Michael Overly comments about new developments in the use of electronic evidence in forensics cases.

If the discovery request related to paper documents, the producing party would be able to cull out documents that were irrelevant or that contained attorney-client information or that were subject to some other privilege.  But, if you produce the entire hard drive or permit an image to be created, the producing party would have no ability to narrow the range of information being provided to only the information relevant to the litigation.

[…]

To protect against this “wholesale rummaging,” the court ordered special procedures be used to limit the information disclosed to only information relevant to the litigation.

Read the whole article here.

21 May

Discover Hackistan

Discover the glorious Hackistan.

Hackistan

(Brought to you by Fortify)

17 May

Massive DoS attacks on Estonia

The trouble between the Estonian government and Estonia’s ethnic Russians has taken a new dimension in the online world.

According to Ars Technica:

Cyber-warfare on an unprecedented scale has hammered Estonian web sites for the last two weeks in the aftermath of the government’s controversial decision to relocate a Soviet-era war monument from the center of Tallinn to the suburbs. Two days of rioting by ethnic Russians, who saw this as an attack on their heritage and on minority rights, quickly transitioned from the real to the virtual world, as government web sites came under DDoS attacks so severe that many agencies shut off access to IP addresses outside Estonia for several days.

Since it seems clear that the attacks come from Russia (some allegedly originating from the office of Russia's president, Putin), Estonia is raising the issue with NATO. After all, when a NATO member finds itself under attack, it is NATO's function to get involved and treat the attack as one on the whole alliance.

Estonia

According to The Guardian, “NATO has dispatched some of its top cyber-terrorism experts to Tallinn to investigate and to help the Estonians beef up their electronic defences”.

Updated (May-18): The Arbor Networks blog (“Security to the Core”) has some information about the targets of the attacks and other quantitative data.

09 May

Distributed Open Proxy Honeypot results

The Web Application Security Consortium (WASC) has released an interesting paper with the results of the Distributed Open Proxy Honeypot Project.

The idea of the Distributed Open Proxy Honeypot Project is to place monitored “open proxies” around the world. Open proxies are normally used by attackers to mask their origin when performing attacks, scans, etc., so a monitored one sees that traffic first-hand. According to the authors:

During this timeframe, we had 7 internationally placed honeypot sensors deployed and sending their data back to our central logging host. What did we see? Here are some brief highlights:

  • SQL Injection Attacks
  • Brute Force Attacks
  • OS Command Injection
  • Web Defacement Attempts
  • Google-Abuses (Google-Hacking and Proxying for BannerAd/Click Fraud)
  • Information Leakage

You can download the report here.

08 May

The dangers of forensics

RSnake comments (at Dark Reading) about the perils of home-grown forensics, and how, if you’re not careful, you can end up making a mess of it.

“It’s best to treat a hack event like a fire. Stop, drop, and roll. Once you’ve done that, hopefully you’ll have come to your senses enough to know you need to hire a professional.”

Read it here. It’s good advice.

07 May

(IN)Secure Magazine - Issue 11

(IN)SECURE Magazine - Issue 11

The May 2007 issue of (IN)SECURE Magazine has been released. This issue contains articles about:

  • On the security of e-passports
  • Review: GFI LANguard Network Security Scanner 8
  • Critical steps to secure your virtualized environment
  • Interview with Howard Schmidt, President and CEO R & H Security Consulting
  • Quantitative look at penetration testing
  • Integrating ISO 17799 into your Software Development Lifecycle
  • Public Key Infrastructure (PKI): dead or alive?
  • Interview with Christen Krogh, Opera Software’s Vice President of Engineering
  • Super ninja privacy techniques for web application developers
  • Security economics
  • iptables - an introduction to a robust firewall
  • Black Hat Briefings & Training Europe 2007
  • Enforcing the network security policy with digital certificates

Download the (IN)Secure Magazine Issue 11.

05 May

What you put online, anyone can see

Everybody knows your name - Youtube

Good ad from the National Center for Missing and Exploited Children.

04 May

Two tools to detect rootkits in Linux

Rootkits are toolkits that intruders install after compromising a system. They help the intruder maintain access while hiding the toolkit itself, its processes, open ports, etc. from the system administrator.

There are several interesting tools to scan for rootkit presence on a system. In this post, I’ll look at the two tools I use: Rootkit Hunter, and chkrootkit.

Rootkit Hunter

http://rkhunter.sourceforge.net/

Rootkit Hunter is a scanning tool that looks for rootkits, backdoors and local exploits. It checks MD5 hashes, default files used by rootkits, strange permissions on binaries, suspect strings in modules, hidden files, etc. It works on most flavours of Linux, BSD (OpenBSD, FreeBSD, Mac OS X, but not NetBSD) and some Unix variants (AIX, Solaris, etc.).

Once you download Rootkit Hunter, unpack it and execute the installer.sh script as the root user.

Rootkit Hunter - installing

After installing, just execute it (as root) with one of the following options:

rkhunter -c

- performs a standard check of the system

rkhunter -c --quick

- performs a quick scan

rkhunter -c --check-deleted

- performs a “deleted files” check (processes using deleted files)

rkhunter -c --scan-knownbad-files

- performs a “known-bad files” check

rkhunter --update

- updates the database of rootkits

Rootkit Hunter - scanning

An interesting option is to use a cron job to schedule a periodic update and system check with the following script (add it to the crontab or to the /etc/cron.daily directory).

#!/bin/sh
# Daily rkhunter run: check for a newer rkhunter release, refresh the
# rootkit database, then scan and mail only the warnings to root.
( /usr/local/bin/rkhunter --versioncheck
  /usr/local/bin/rkhunter --update
  /usr/local/bin/rkhunter --cronjob --report-warnings-only
) | /bin/mail -s 'rkhunter Daily Run' root

chkrootkit

http://www.chkrootkit.org/

chkrootkit is another option for our rootkit-detection toolkit. It can be downloaded from: http://www.chkrootkit.org/download/

It doesn’t need to be installed. Just unpack it and run chkrootkit as root. This is useful if you need to run it from read-only media, such as a CD-ROM, to avoid compromise of the rootkit-detection tool itself.

chkrootkit - scanning

chkrootkit has an interesting option that allows you to specify the root directory to be scanned. Although I haven’t tested it yet, it could be used to mount an offline image of a suspect filesystem, as in a typical forensic analysis, and scan it for rootkit infections.
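As an added example (not code from the original post or from the chkrootkit project), here is a wrapper for that offline-image use: it runs chkrootkit against a mounted image via the tool's real -r <dir> option and reduces the report to a single verdict. The mount point, the path of the binary on read-only media and the report path are placeholder assumptions.

```shell
#!/bin/sh
# Added example, not from the original post or the chkrootkit project: scan an
# offline-mounted suspect filesystem with chkrootkit and reduce its output to
# one verdict usable from cron or an incident-response checklist. Assumptions:
# chkrootkit's real "-r <dir>" option (inspect <dir> as the root filesystem);
# the image is mounted read-only at $IMAGE_ROOT; the binary is on read-only
# media at $CHKROOTKIT (all three paths below are placeholders).
set -u

IMAGE_ROOT="${IMAGE_ROOT:-/mnt/suspect}"                       # placeholder
CHKROOTKIT="${CHKROOTKIT:-/media/cdrom/chkrootkit/chkrootkit}" # placeholder
REPORT="${REPORT:-/var/tmp/chkrootkit-image.log}"              # placeholder

# Read chkrootkit output on stdin and print "<infected> <warnings>". The tool
# prints "not infected" for clean binaries and upper-case INFECTED for trojaned
# ones, so the match is deliberately case-sensitive.
summarize_chkrootkit() {
    awk '/INFECTED/ { inf++ }
         /Warning:|Possible/ { warn++ }
         END { printf "%d %d\n", inf + 0, warn + 0 }'
}

# Map the two counts to one verdict word: $1 = infected, $2 = warnings.
verdict() {
    if [ "$1" -gt 0 ]; then echo INFECTED
    elif [ "$2" -gt 0 ]; then echo SUSPICIOUS
    else echo CLEAN
    fi
}

# Scan the image rooted at $1. Exit 0 only when CLEAN, 1 if flagged, 2 on error.
scan_image() {
    root="$1"
    if [ ! -x "$CHKROOTKIT" ]; then
        echo "scan_image: chkrootkit not found at $CHKROOTKIT" >&2; return 2
    fi
    if [ ! -d "$root/bin" ] && [ ! -d "$root/usr/bin" ]; then
        echo "scan_image: $root does not look like a mounted root fs" >&2; return 2
    fi
    # Keep the raw report outside the (read-only) image for later review.
    "$CHKROOTKIT" -r "$root" > "$REPORT" 2>&1
    set -- $(summarize_chkrootkit < "$REPORT")
    v=$(verdict "$1" "$2")
    echo "$root: $v ($1 infected, $2 warnings; full report in $REPORT)"
    [ "$v" = CLEAN ]
}
# Run only when explicitly requested, so the functions are testable without the tool.
if [ "${RUN_SCAN:-}" = 1 ]; then
    scan_image "$IMAGE_ROOT"
fi
```

Invoke it as RUN_SCAN=1 ./scan-image.sh once the image is mounted; a non-zero exit means the report needs a human look.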

04 May

Multi-layer cryptography

Interesting and humorous comment by XKCD on “added layers of security”. How many times have you evaluated a security product and found that some of its claims boil down to this?