
Libyan Money …

To the General Public: Please delete as applicable.

Dear (Sir/Madam/Undecided/Both),

Please let me introduce myself: I am not a former (banker/government official/religious leader) of (Libya/any other nation) where a dubious infrastructure might allow for millions of (pounds/dollars/euros) to become available to me, nor am I the (son/daughter/niece/nephew/2nd cousin twice removed) of an (oil/gas/diamond/other) (millionaire/billionaire/smuggler/other). I am in fact a person who (works for a living/is a security consultant/blogs) and is (honest/trustworthy/not directly after your cash). I am not going to offer you untold riches _but_ I _am_ going to offer you an opportunity to (hold on to what you have/not look like a complete berk/not fund criminals &&|| terrorists).

Listen to me carefully – I realise that this letter may be less believable than the ones you normally receive, partially because the grammar and spelling are close to correct, but also because it doesn’t offer you, someone who has no rhyme or reason to expect it, something for nothing.

I don’t wish to undermine your confidence in any way; however, you haven’t been singled out as an example of upstanding public decency or because of your obvious intelligence – rather because somewhere, at some time, your e-mail address made it onto the public internet. They don’t even know who you are – they have spammed you, along with 100,000,000 other people, in the hope of a 0.1% return on their targets.

If you answer their e-mail, you will be strung along in a classic scam where, over the promise of a large sum of money, they will get you to send them larger and larger (management fees/bribes/charges) until, at last, you have none of your money and they have all of it.

I’ll do you a deal – if it makes you feel better – you can all send me (£10/$10/E10) and I’ll pretend that I’ve got something for you for 10 minutes – I’ll even send you an e-mail with an excuse why it hasn’t been transferred to you immediately – but we’ll call it quits there. I’ll give your money to the NSPCC, and you can keep the rest, and the criminals get none. What do you say ?

I write this now, because, as is the way of the world, when an event happens, the (less ethical/criminals/scum) take advantage of the (more gullible/less savvy/dumb/unfortunate), and I’ve a vain hope that perhaps this might stop just one person falling for it.

The general rule of the world is – “if it sounds too good to be true, it probably is” – if you have any doubt about something why not drop me a line, and I’ll have a look at it for you – if it is true, I’ll ask for my (£10/$10/E10) for the NSPCC and you can keep the rest – if it’s not, which I’m willing to bet on, then you’ve saved yourself a fortune !

Kind Regards,

Si

A few weeks ago I mentioned that I had been asked to perform a review of some Self Study material provided by a company called UCertify. Our relationship started out a little rocky, where they asked me to review a demo version, I refused to review anything except the full thing, and they eventually relented and sent the whole course through, so I at least have full visibility of the whole thing ! There was a choice of courses, but figuring that I’d be better off in my own space, I decided to go for the CEH V7 course – reflecting ( I hope ! ) the changes that have been made to the CEH qualification. Once I had downloaded and installed the program without any issues ( note : Windows only option – a bit of a shame as I would have preferred to run it on my MBP [ while it was still working ] ) I opened it up to have a preliminary wander.

My first impression was that the interface was rather dated – very Windows 3.1, rather than anything else, but, remember that “Content is King” when it comes to training. The interface is laid out with “Practice Tests” and “Study Helper” tabs easily visible, but scrolling further down other features are available, including progress tracking tools and “Articles”. Feature-wise, I would say that the course is no better or worse than any other CBT that I have seen, although the layout isn’t entirely intuitive. The right hand side of the window for example is full of “PrepKit Features” – marketing bumph telling you about the product that you’ve already bought, probably because of the promised features !

Anyway, having made the earlier suggestion that “Content is King” – I suspect that one or two of you might have figured out where I am heading. The course itself is not well structured – it leaps around topics in a nonsensical fashion, it doesn’t deliver on the learning goals highlighted at the beginning of the session and it doesn’t look as if it was written by someone for whom English was their first language – I don’t wish to be negative about this, but it leads to ambiguity in meaning in places, and that – in an educational package – is unacceptable. I also have _grave_ reservations about the accuracy of the content in places – how about this one :

“Microsoft networking uses UDP for logon …”

And that’s only one, in the first lesson …

The test questions, at least initially seemed to be quite promising – although my concerns about the accuracy stand.

For my part, I won’t be sitting the CEH exam on the basis of this course, and I can’t say that I would recommend anyone else to either – the quizzes, if they are accurate, might well be a useful revision tool if you have learnt your information from somewhere else – but I really would suggest that you approach the product with caution, and use it only in conjunction with another resource to ensure that you are going to get the right learning for the exam.

Overall – 1/5

Below I quote a letter from Brian Jenkinson and Tony Sammes regarding the new digital forensics course at De Montfort University. Brian and Tony, formerly of Cranfield, are considered amongst the foremost Digital Forensics practitioners and specialists in the UK. This e-mail is reproduced less contact details to reduce spam / annoyance, but if you are serious, please contact me directly and I’d be happy to pass you on.

Dear Students, Colleagues and Friends,

It is with great pleasure that we can now let you all know that our “new”
MSc has been validated by De Montfort University and we will start teaching
in January 2012.

The MSc will run in a configuration that you will recognise. Many thanks
must be extended to the staff at DMU who have worked long and hard hours
to get the MSc developed and in place in a period of about five months.
It has been a heavy time for all of them and for the two of us. Getting this
done in such a short period must be some kind of record!  We were insistent
on speed so as not to leave any existing students in the lurch, as you know
the move was not of our choosing.

Full details of the Courses will be circulated shortly but to cover some of
the questions we have been asked :

- The MSc is made up of the Courses plus Coursework and Project.
- Three qualifications are available, MSc, PG Dip and PG Cert.
- Short Courses will run together with the MSc residential element.
- Those of you with completed modules “in the bank” can put those towards an
MSc at De Montfort.
- Those of you who have done the residential elements only (without the
coursework) will be able to “top up” with coursework only.
- Costings are not yet settled but we are assured that they will be similar
to or less than those you would expect to pay elsewhere.
- We are not aware that any fee will be charged for transfer of credits (in
their various types) to register completed modules or short course
passes at DMU.

The first course/module will be a Foundations of Forensic Computing in
January 2012.

This is an exciting time for both of us – they are building us a teaching
lab as we write with all new kit and extras. The lab is exclusively for our use so we
can do as we wish without constraints and do not have to share with any
other course, the building is massive and its layout is designed for
teaching and students’ comfort. The atmosphere is friendly and welcoming
and the staff are brilliant “can do, will do” people. There is technical support for us
should there be any glitches and the kit is better than anything we possess.
The MSc is “Forensic Computing for Practitioners” and will focus upon
Forensic stuff to do the job and us teaching Forensics rather than padding out
with non-relevant material. There are shed-loads of new stuff and includes bespoke
scripting, differing operating systems getting past the disk interface and
the like – it feels like we have been released from our leashes and can
run free, it’s great!

In the first instance anyone who wishes to express an interest in transferring to DMU,
starting the MSc (or derivative) at DMU or simply want Short Courses at DMU
should EMail with contact details and a short explanation of their circumstances
to “<on request>” PLEASE use “MScFC4P” as the Subject in the EMail header.

Each person enquiring will then be contacted
personally, initially with some further detail and then to discuss the mechanics for those
requesting a transfer. Please include both EMail and telephone contact details.

Please feel free to contact us at “<on request>” with any queries or
telephone Brian on <on request> if you want a personal discussion.

Further Good News with detail will follow shortly, if you want a Foundation place in
January we suggest you register your interest as soon as possible, we are aware
that interest is already high.

Our very Best Regards to all of you, we hope to see you at F3 in November
or, indeed, at DMU.

Please feel free to circulate the content of this EMail to any person whom you feel may
be interested in its content – we do not have access to a database of students or
organisations at present. It would also be very helpful if you would acknowledge
receipt of this EMail, thanks.

Tony and Brian.

——————————————————–
in cauda venenum
——————————————————–
Brian Jenkinson MSc BSc[hon] BA  FBCS CITP
Forensic Computer Consultant
Visiting Professor to The Faculty of Technology of  De Montfort University, Leicester

Zombiecookies …

It’s the middle of the night, and there is the faint sound of breaking glass from downstairs. The other half, with a sharper than possible elbow, nudges you – “Did you hear that ?” she hisses – “Go have a look.” Snatching for protection the first item that comes to hand, which turns out to be a bound copy of the latest Wikileaks archive1, you edge down the stairs. As you head towards the kitchen, you hear the moans and groans of the undead – there, in the middle of the tiled floor, emerging from a box you thought that you’d thrown out three years ago are crawling, mouldy crumb by decayed choc-chip, are … ZOMBIECOOKIES !

Ok, I’m sorry, I really am. But the image was in my head since I read the term, and I had to either get it out or wake up in a cold sweat tonight. They have nothing to do with actual baked goods, thank goodness, but are about cookies ( those data holding things that websites insert into your browser ) that are a lot more persistent than is good for us – they just won’t die. There is currently a letter going through the US Federal Trade Commission regarding them, and their legality, and they have also been the subject of a number of lawsuits – the argument being that they raise privacy concerns as it isn’t possible for users to have full control over their personal data. I’ve not made an extensive study as of yet, but following through the usual suspects ( The Register, Wikipedia, etc. ) eventually led me to the Evercookie. Like a real zombie, Evercookie isn’t quite immortal (for useful hints and tips on killing real zombies, I’d suggest “Shaun of the Dead“) – but it really is persistent enough to be a pain for the average user. It’s quite an interesting exhibition of resilience that I wish a lot of my other data could follow – Evercookie will replicate itself to various locations, and will rewrite other locations that are cleaned the next time that the browser hits the cookie code. The locations listed are 4:

Clearly this is devious and underhand, it means that unless your cookie cleaner knows all of these storage locations, you aren’t going to get rid of it…

… on the other hand, from a forensic point of view, this could show that a cookie cleaner has been used – if there is a Zombiecookie present, but only in the less obvious places – there is a reasonable conclusion to be drawn that some, but not all, storage areas have been cleaned – you could also infer the time that such a cleaner was run ( after the date of some of the storage ) and that the user hasn’t returned to the source site since the cleaner was run.

As the EU is tightening up on cookies, these “supercookies” should be few and far between in legitimate European business – but then, as the internet is the new “Wild West“, I don’t think that we’ll be seeing the back of such tactics any time soon, and I’m sure, despite best efforts to prevent such things, that new and interesting variations will be forthcoming. If you do know of other methods for persistent cookies that could be shared, please do let me know !


1. Which, let’s face it, is more likely to bore an intruder to death before you thump them with it …2
2. I’d also like to clarify, that, as a signatory of the Official Secrets Act, I have not, nor would I, ever look at the Wikileaks documents that are protectively marked and I have no need to know.3
3. And that has nothing to do with the fact that they are phenomenally dull !
4. Table shamelessly stolen from http://samy.pl/evercookie/

It may be that you need to configure your network interfaces to listen in promiscuous mode – for packet sniffing, IDS etc. A quick and easy configuration on Linux is available through /etc/network/interfaces; adding the following lines will do it, assuming the interface is eth2:

auto eth2
iface eth2 inet manual
up ifconfig $IFACE 0.0.0.0 up
up ip link set $IFACE promisc on
down ip link set $IFACE promisc off
down ifconfig $IFACE down

Just a quick tip ;-)
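As an added example (not part of the original post), the shell functions below confirm that an interface really did end up in promiscuous mode after the interfaces stanza above is brought up, and, turned round, give a cheap sniffer check for interfaces on a host that should never be sniffing. They assume three things Linux exposes: the hex flags word in /sys/class/net/<if>/flags (IFF_PROMISC is bit 0x100), the PROMISC entry in the flag list printed by ip link show, and the kernel log line “device eth2 entered promiscuous mode”. The sample values in the block are constructed, not captured from a real machine, so it runs offline; in real use feed it the live output named in the comments. Note that the /etc/network/interfaces stanza only applies where ifupdown reads that file (Debian and derivatives); on other distributions the same ip link set … promisc on command belongs in whatever hooks your network manager provides.

```shell
#!/bin/sh
# Added example, not from the original post: three ways to confirm (or detect)
# promiscuous mode on a Linux interface, written against captured text so it
# runs offline. In real use feed it:
#   cat /sys/class/net/eth2/flags        -> flags_promisc
#   ip -o link show eth2                 -> iplink_promisc
#   dmesg (or journalctl -k)             -> count_promisc_events
# The same checks, run against interfaces that should *not* be sniffing,
# are a cheap sniffer detector for a host you defend.

# IFF_PROMISC is bit 0x100 of the interface flags word (linux/if.h).
IFF_PROMISC=256

# flags_promisc HEXFLAGS: succeed if the 0x100 bit is set.
# /sys/class/net/<if>/flags prints e.g. 0x1103 = UP|BROADCAST|PROMISC|MULTICAST.
flags_promisc() {
    f=$(printf '%d' "$1")          # "0x1103" -> 4355
    [ $(( f & IFF_PROMISC )) -ne 0 ]
}

# iplink_promisc LINE: succeed if the <...> flag list of an `ip link show`
# line contains PROMISC, e.g. "2: eth2: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 ...".
iplink_promisc() {
    case "$1" in
        *'<'*PROMISC*'>'*) return 0 ;;
        *)                 return 1 ;;
    esac
}

# count_promisc_events TEXT: number of kernel log lines recording a switch
# into promiscuous mode ("device eth2 entered promiscuous mode"). This is
# the line to alert on if a box is not supposed to be running a sniffer.
count_promisc_events() {
    printf '%s\n' "$1" | grep -c 'entered promiscuous mode'
}

# Constructed sample data (not captured from a real machine).
SAMPLE_FLAGS=0x1103
SAMPLE_IPLINK='2: eth2: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000\    link/ether 00:11:22:33:44:55 brd ff:ff:ff:ff:ff:ff'
SAMPLE_KLOG='[   12.345678] e1000e 0000:00:19.0 eth2: renamed from eth0
[  204.110021] device eth2 entered promiscuous mode
[  901.553210] device eth2 left promiscuous mode
[ 1500.000001] device eth2 entered promiscuous mode'

if flags_promisc "$SAMPLE_FLAGS"; then echo "sysfs flags: promiscuous"; fi
if iplink_promisc "$SAMPLE_IPLINK"; then echo "ip link: promiscuous"; fi
echo "kernel log: $(count_promisc_events "$SAMPLE_KLOG") switch(es) into promiscuous mode"
```

The sysfs and ip link checks tell you the state right now; the kernel log count tells you how often it changed, which is the more useful signal for a host that is not meant to be monitoring anything.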

IT Fairy Tales …

For various reasons, some related to having children, over a period of time I have come to be fascinated by Fairy Tales – one of my latest book purchases was The Great Fairy Tale Tradition: From Straparola and Basile to the Brothers Grimm (Norton Critical Editions) – this isn’t your common or garden Disney fairy tale stuff – this is the original, violent, gory, beautifully bizarre stories of the 14th and 15th century. The ones that are not designed just to entertain your kids, but the ones that are there to teach them morals, behaviour and a healthy fear of monsters. Fairy Tales, like parables, are supposed to have a meaning and a purpose ( other than increasing the value of shares for large animation houses ) which has been lost a lot in their sanitisation for modern audiences. This, however, led to my warped mind taking a little wander down a fairy tale lane – what can Fairy Tales teach us about information security ?

Today’s story, children, is Rumplestiltskin … *

Rumplestiltskin


The parts that directly relate to the IT industry come thick and fast in this story:

Story line … IT translation …

- Story: A man, seeking to make himself seem more important than he really is, lies that his daughter can spin straw into gold.
  IT: Don’t trust salesmen who promise that their product can do everything that you want it to.
- Story: The king hears the man’s boasts and demands that they be demonstrated to him three nights in a row, otherwise the girl will be put to death.
  IT: You can guarantee that senior management will believe the salesman, and you will be required to deliver – or pay.
- Story: When all seems lost, an odd, ugly, little man turns up and, in exchange for jewellery, more jewellery, and the girl’s first-born child, spins the straw into gold for her.
  IT: In exchange for cash, more cash and your first-born, you can get an odd, ugly consultant in to make things work.
- Story: The king is so impressed that he marries the girl, and soon they have a child …
  IT: Management are so impressed, they put you in charge of the new system …
- Story: … but the odd, ugly, little man comes back and demands the final part of his payment …
  IT: … but you don’t know how it works and you are indebted to the consultant, who wants more than you can afford …
- Story: … after much pleading, he relents, saying that if she can guess his name in three days, then he’ll lay off.
  IT: … however you realise that if you can guess the root password, you can do all of the work without them.
- Story: After much guessing, the man is overheard saying his name in the woods; it is repeated to him and he disappears, never to return.
  IT: After much guessing, you try the consultant’s name, root is yours and the consultant disappears, never to return.

So what are we left with in the way of real morals ? Well, “don’t trust everything you hear” is a good start, possibly, “if you don’t know whose problem it is, it’s yours” is another, and ultimately, and the one that actually occurred to me first, “obscurity is not the same as security”.

This last one is really important to remember, and it’s a difficult one to really grasp – there is a difference between a secret ( which is something that _only_ you know ) and an obscure thing ( like running SSH on port 222 instead of 22 ) – obscurity might slow people down a little, but ultimately that’s all it is – obfuscation – not prevention of discovery.

*( I must admit that this is one of my favourites anyway … )

Firewalls are good – firewalls that are outside of your control, aren’t. I’ve been working with a client to install a network monitoring device within their network – unfortunately they have no sensible way of giving me access to it through the firewall – no available routable IPs, no port forwarding, nothing useful whatsoever. This has somewhat cramped my style – making it a pain to get to the device in any way other than being in their offices. Well, I had to be there for a few days anyway – but I finally got round to implementing the solution to the problem today. I’ve used SSH tunnels for over 15 years now, originally between university Unix boxes and Linux servers at the ISP that I worked for part-time so that I could do things all round ( Uni work in the office, office work from Uni … both from home via dial-up to work … nothing from the student union because mobile computing hadn’t been invented & the beer was cheap … ) – and every so often I end up revisiting them to either (a) bypass other people’s security controls or (b) tunnel unencrypted protocols over a secure channel. The really nice thing about SSH tunnelling is that it is actually pretty platform agnostic – PuTTY & Cygwin on Windows, Mac OS X, Linux, UNIX and even Android – all have support for it one way or another.

I have always admired the programmer’s virtues, despite not being much of a programmer myself – I feel that they should apply to all who work in IT – laziness, impatience and hubris. And in the spirit of the first, on this occasion, rather than reading the man pages and trying to recall how it all hangs together – I went to the ultimate lazy resource ( Google ) and found this script here:

#!/bin/sh

# $REMOTE_HOST is the name of the remote system
REMOTE_HOST=my.home.system

# $REMOTE_PORT is the remote port number that will be used to tunnel
# back to this system
REMOTE_PORT=5000

# $COMMAND is the command used to create the reverse ssh tunnel.
# -N opens no shell, just the forward; -f puts ssh into the background
# once the connection is up, so a cron run does not sit blocked on it
# (this needs key-based login, otherwise ssh stops to ask for a password).
COMMAND="ssh -q -f -N -R $REMOTE_PORT:localhost:22 $REMOTE_HOST"

# Is the tunnel up? Perform two tests:

# 1. Check for relevant process ($COMMAND); start one if it is missing
pgrep -f -x "$COMMAND" > /dev/null 2>&1 || $COMMAND

# 2. Test tunnel by looking at "netstat" output on $REMOTE_HOST
if ! ssh "$REMOTE_HOST" netstat -an | egrep "tcp.*:$REMOTE_PORT.*LISTEN" \
   > /dev/null 2>&1 ; then
   # process exists but nothing is listening: kill the stale one and restart
   pkill -f -x "$COMMAND"
   $COMMAND
fi

This, coupled with a cron job to run it every five minutes and shared keys, means that my tunnel now remains open on my server, allowing me to get in remotely, fiddle with things, move files etc. etc. etc.

Ironically, though, rather than making my life easier this now means that I can worry about what it is doing at 3am _and find out_ !
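The second test in the script above matches the listener with egrep "tcp.*:$REMOTE_PORT.*LISTEN", which for REMOTE_PORT=5000 also matches anything listening on 50000 to 50009. As an added example (not the script from the post, nor from wherever the post found it), here is a stricter version that anchors the port number and also reports whether the remote end of the tunnel is bound to loopback only. That is what ssh -R gives you unless GatewayPorts is enabled on the server, and it is worth checking, because a tunnel endpoint on 0.0.0.0 is a way into the monitored network for anyone who can reach the server. The functions work on captured text so the block runs offline; the netstat and ss listings inside it are constructed samples, and the layouts they assume are those of netstat -ltn and ss -ltn on Linux.

```shell
#!/bin/sh
# Added example, not the script from the post: a stricter "is the tunnel
# listening?" test than  egrep "tcp.*:$REMOTE_PORT.*LISTEN", which also
# matches ports 50000-50009 when REMOTE_PORT=5000. It also reports whether
# the listener is bound to loopback only, which is what ssh -R gives you
# unless GatewayPorts is enabled on the server.
# Runs on captured text; in real use feed it
#   ssh "$REMOTE_HOST" netstat -ltn     # or: ssh "$REMOTE_HOST" ss -ltn

# listen_lines PORT LISTING: print the LISTEN lines whose local address ends
# in exactly :PORT. Accepts netstat ("tcp 0 0 127.0.0.1:5000 0.0.0.0:* LISTEN")
# and ss ("LISTEN 0 128 127.0.0.1:5000 0.0.0.0:*") layouts.
listen_lines() {
    printf '%s\n' "$2" | grep 'LISTEN' \
        | grep -E "(^|[[:space:]])[^[:space:]]*:$1([[:space:]]|\$)"
}

# tunnel_up PORT LISTING: succeed if something is listening on PORT.
tunnel_up() {
    [ -n "$(listen_lines "$1" "$2")" ]
}

# tunnel_exposed PORT LISTING: succeed if a listener on PORT is bound to
# anything other than 127.0.0.1 / ::1, i.e. reachable from other hosts.
tunnel_exposed() {
    listen_lines "$1" "$2" \
        | grep -E -v "(127\.0\.0\.1|\[::1\]|::1):$1([[:space:]]|\$)" \
        | grep -q .
}

# Constructed sample listings (not captured from a real server).
NETSTAT_SAMPLE='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:5000          0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:50000           0.0.0.0:*               LISTEN
tcp6       0      0 ::1:5000                :::*                    LISTEN'

SS_SAMPLE='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    0.0.0.0:5000        0.0.0.0:*
LISTEN 0      128    [::]:22             [::]:*'

for listing in "$NETSTAT_SAMPLE" "$SS_SAMPLE"; do
    if tunnel_up 5000 "$listing"; then
        if tunnel_exposed 5000 "$listing"; then
            echo "port 5000: up, reachable from other hosts (GatewayPorts?)"
        else
            echo "port 5000: up, loopback only"
        fi
    else
        echo "port 5000: not listening"
    fi
done
```

Dropping this into the script in place of the egrep line is a matter of capturing the remote listing once (LISTING=$(ssh "$REMOTE_HOST" netstat -ltn)) and then calling tunnel_up "$REMOTE_PORT" "$LISTING"; the exposure check is the one to run occasionally by hand, since the tunnel being reachable from outside the server is exactly the situation the client's firewall was there to prevent.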



Any topics of interest ?

I’ve just been reading another blogger who suggests that asking for suggestions about what to write about is a good way to ensure that the blog is meeting audience requirements – any specific Info Sec / Forensics / Computing topics that people want to read about ?

“Good enough” InfoSec

Just to inform that there is a new article on the Forensic Focus site : http://articles.forensicfocus.com/2011/09/19/what-is-good-enough-information-security/

In case anyone was interested ;-)

I’ve been asked by a company to review a self-study course on the new CEH v7, and they have very kindly provided me with a full copy of their material. On a first look, it seems pretty good – I like the way that it is arranged, and it’s easy to use. Installation was no problem, although I have to use my PC rather than my Mac / Linux box, which isn’t exactly ideal ! So far my only issue with it is that there are some minor errors with the peripheral content ( the price of the exam quoted in the material is $250, I’ve not found it less than $300 for the online exam and $500 for the meat-space exam ). These are early days though, and I actually intend to follow the whole thing through and sit the exam – so there will be more detail coming soon.
