<?xml version="1.0" encoding="utf-8"?>
<rss version="2.0" 
    xmlns:dc="http://purl.org/dc/elements/1.1/"
    xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
    xmlns:admin="http://webns.net/mvcb/"
    xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
    xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:itunes="http://www.itunes.com/dtds/podcast-1.0.dtd">
	<channel>
<title>Enclave Forensics RSS Feed</title><link>http://www.enclaveforensics.com/index.html</link><description>Thinking Outside Of The Box</description><dc:language>en</dc:language><dc:creator>dhoelzer@enclaveforensics.com</dc:creator><dc:rights>Copyright 2008 David Hoelzer &#x26; Enclave Forensics&#x2c; all rights reserved</dc:rights><dc:date>2010-02-08T00:16:33-05:00</dc:date><admin:generatorAgent rdf:resource="http://www.realmacsoftware.com/" />
<admin:errorReportsTo rdf:resource="mailto:dhoelzer@enclaveforensics.com" /><sy:updatePeriod>hourly</sy:updatePeriod>
<sy:updateFrequency>1</sy:updateFrequency>
<sy:updateBase>2000-01-01T12:00+00:00</sy:updateBase>
<lastBuildDate>Fri, 30 May 2008 02:34:00 -0400</lastBuildDate><item><title>Snow Leopard &#x26; iLife - This software cannot be installed on this computer</title><dc:creator>dhoelzer@enclaveforensics.com</dc:creator><category>Mac</category><category>OS X</category><category>Snow Leopard</category><category>Leopard</category><category>ILife</category><category>Hack</category><category>How To</category><dc:date>2010-02-08T00:16:33-05:00</dc:date><link>http://www.enclaveforensics.com/Blog/files/a1460ca52bde6147e9b17c8b81a0d908-29.html#unique-entry-id-29</link><guid isPermaLink="true">http://www.enclaveforensics.com/Blog/files/a1460ca52bde6147e9b17c8b81a0d908-29.html#unique-entry-id-29</guid><content:encoded><![CDATA[You can only imagine how disconcerting the message, &ldquo;This software cannot be installed on this computer&rdquo; could be for me after I upgraded all of our Macs to Snow Leopard!


Of course everyone on the support forums treats you like an imbecile and tells you to just use your original Leopard disks.  ...  Here are a few easy-to-follow steps that will allow you to successfully re-install iLife &rsquo;08 onto your clean install of Snow Leopard using your original media.  

...	4	What you&rsquo;ve just done is copied the installation package for the bundled software onto your desktop.  

...	5	In the information window that&rsquo;s presented (pictured above) take special note of the &ldquo;Model Identifier&rdquo; line.    In the sample image above you will see that it has a value of &ldquo;iMac8,1&rdquo;.  

...	6	Next, right click on the &ldquo;Bundled Software.mpkg&rdquo; that&rsquo;s sitting on your desktop and choose &ldquo;Show Package Contents&rdquo;.


...In the file browser that appears, scroll down and select the TextEdit application (or any other text editor you might prefer).


...You will see a list of model identifier strings and you will also notice that your model is missing.  

...	⁃	Right click on the &ldquo;Info.plist&rdquo; file and allow it to open in the Property List editor.  ...  You simply need to locate a model identifier and change it to match the model identifier from your About This Mac research!  

...You can now successfully proceed with a customized installation and select the iLife components that you need!
]]></content:encoded></item><item><title>Metasploit Exploit Creation&#x2c; Step By Step</title><dc:creator>dhoelzer@enclaveforensics.com</dc:creator><category>Security</category><category>buffer overflow</category><category>exploits</category><category>Vulnerability</category><category>Metasploit</category><category>Tutorial</category><dc:date>2010-01-06T18:13:57-05:00</dc:date><link>http://www.enclaveforensics.com/Blog/files/e6fb7327cb615688f90fc07656a3880d-28.html#unique-entry-id-28</link><guid isPermaLink="true">http://www.enclaveforensics.com/Blog/files/e6fb7327cb615688f90fc07656a3880d-28.html#unique-entry-id-28</guid><content:encoded><![CDATA[We were recently engaged by the SANS Institute to write a Secure Coding in C & C++ course to assist programmers in meeting the requirements for the Secure Coding Certification.    Along the way, we created some content to give developers an overview of how vulnerabilities are exploited to illustrate how serious the problems are.


Since the exploit demonstration was already written, we decided to turn it into a teaser tutorial that goes one step further.    Not only does the tutorial explain how overflows happen and how to find flaws, the tutorial then goes on to cover basic shellcode creation, proof of concept exploit testing and, last but not least, converting the exploit into a Metasploit Exploit Module!


Since the video tutorial was posted we&rsquo;ve had several requests for the source code for the vulnerable service that&rsquo;s discussed.  

...		return &(((struct sockaddr_in*)sa)-&gt;sin_addr);


...		if ((sockfd = socket(p-&gt;ai_family, p-&gt;ai_socktype,


...		if (bind(sockfd, p-&gt;ai_addr, p-&gt;ai_addrlen) == -1) {


...		new_fd = accept(sockfd, (struct sockaddr *)&their_addr, &sin_size);


...			if (send(new_fd, out_buffer, strlen(out_buffer), 0) == -1)


...For a comprehensive course on how to identify critical controls, validate that the correct controls are in place and validate processes, consider the SANS 6 day course, &ldquo;Advanced System & Network Auditing&rdquo;. &nbsp;  David Hoelzer is the&nbsp;SANS IT Audit Curriculum Lead and the author of several SANS IT Audit related courses.]]></content:encoded></item><item><title>Keys to Professional Communication</title><dc:creator>dhoelzer@enclaveforensics.com</dc:creator><category>Courses</category><category>Training</category><dc:date>2009-10-29T15:23:12-04:00</dc:date><link>http://www.enclaveforensics.com/Blog/files/3138ff3ea0976ddfb841f8a22ca421df-27.html#unique-entry-id-27</link><guid isPermaLink="true">http://www.enclaveforensics.com/Blog/files/3138ff3ea0976ddfb841f8a22ca421df-27.html#unique-entry-id-27</guid><content:encoded><![CDATA[The top complaint that management has about otherwise very skilled technical employees is that they either can't understand what these technical folks are talking about or the technical folks just don't have the communication skills necessary to stand them up in front of a meeting for a report of any kind.    Whether we are working as a forensic examiner, an expert witness, an IT auditor or any other technical professional, communication is a major key to our success.


Communication is something that most of us do every day, so often we don't feel that we need a lot of training to be able to communicate effectively.    The trouble is that our perspective may be affected by who we talk to.    If we spend our time communicating with peers, communication will often be easy because we all have the same frame of reference.    The problems come in when we start working outside of our peer group.    This is especially important if we are aspiring to advance in our organization because as we advance we are moving from one peer group to another.    Clearly, we need to be able to communicate in an effective way with both our current peers and our potential future peers!


SANS Institute has just recently begun offering an outstanding short course to try to teach some of these critical communication skills.    The course focuses on how to research and write effective whitepapers during the first half and then spends the second half of the course teaching powerful presentation and communication skills.    The capstone of the day is a public speaking and presentation workshop where each student has the opportunity to try out the techniques taught in the course.


If you're someone who needs to communicate or give presentations in your professional career, you need to think about checking out this class!]]></content:encoded></item><item><title>How to Become a Computer Forensics Investigator</title><dc:creator>dhoelzer@enclaveforensics.com</dc:creator><category>Forensics</category><category>How To</category><dc:date>2009-10-12T17:26:37-04:00</dc:date><link>http://www.enclaveforensics.com/Blog/files/2286880e1f7a0bc17f32fd083dc79686-26.html#unique-entry-id-26</link><guid isPermaLink="true">http://www.enclaveforensics.com/Blog/files/2286880e1f7a0bc17f32fd083dc79686-26.html#unique-entry-id-26</guid><content:encoded><![CDATA[It&rsquo;s an interesting field if you&rsquo;re a whiz with computers and have a keen and analytical mind.   While most people in this field are self-taught experts who used their acumen and experience in getting to where they are today, there is a traditional route that you can take to become a computer forensics investigator, one that involves education and relevant experience. 

...	▪	Show an interest in the subject: Besides the education that college can give you, you must have a passion for the subject if you hope to become a decent computer forensics expert.   Books and experimentation will get you further than any college degree will, although a degree is what may open the career doors initially.


...And while any degree will do, it&rsquo;s best to major in computer science, criminal justice, forensic science or law since they are the most relevant subjects to computer forensics.   While an undergraduate degree is enough to get you in the door, you may need a master&rsquo;s degree or doctoral dissertation to help you become an expert and climb up the career ladder. 


	▪	Know the tools of the trade: If you&rsquo;re not comfortable around technology and computers, then this is not the field for you.   To become an expert in the field of computer forensics, you must know your way around computers even if you&rsquo;re blindfolded. 

...You need to constantly update your knowledge and keep up to date with the developments in data storage, backup, retrieval and also with the new techniques that are being used by hackers. 


	▪	Know how the legal system works: You need to understand the law well enough to be able to retrieve and handle evidence correctly so that it is not compromised.   Your investigative talents will also be tested from time to time on difficult cases, so you need to have a sharp mind that can grasp facts and information quickly. 


Being a successful computer forensic analyst is a combination of various factors, and if you&rsquo;re dedicated and determined with a keen investigative and legal mind, you could end up at the top of the career ladder in no time at all. 
]]></content:encoded></item><item><title>ROI in Information Security and Auditing</title><dc:creator>dhoelzer@enclaveforensics.com</dc:creator><category>Auditing</category><category>Security</category><category>Risk Management</category><category>Vulnerability Assessment</category><dc:date>2009-09-15T15:25:42-04:00</dc:date><link>http://www.enclaveforensics.com/Blog/files/b39cf242e6b521c415d64eb5ccb2a9fd-25.html#unique-entry-id-25</link><guid isPermaLink="true">http://www.enclaveforensics.com/Blog/files/b39cf242e6b521c415d64eb5ccb2a9fd-25.html#unique-entry-id-25</guid><content:encoded><![CDATA[SANS recently published a report that has been picked up by syndicated news feeds like this one&nbsp;indicating that in a very large way security and IT audit professionals are putting their emphasis in the wrong place! &nbsp;  To sum it up, information from real world attacks tell us that we're spending the lion's share of our resources and energy patching and validating the Operating System while the majority of attacks are occurring at the application layer, specifically Web applications and the like.


Fortunately, there's help available! &nbsp;  Not only can you point your developers and security people at resources like OWASP, but SANS offers training&nbsp;for IT Audit and Security professionals that will teach you or your staff exactly what to test, why it should be tested and how to perform the validations. &nbsp;  While the course does spend two days on operating systems, the other four days deal with all of the other types of problems with one full day examining application layer problems in the form of Web Applications in tremendous detail! &nbsp;  Check here for a free demo of the class!]]></content:encoded></item><item><title>IT Audit Controls that Matter</title><dc:creator>dhoelzer@enclaveforensics.com</dc:creator><category>Auditing</category><category>Controls</category><category>Compliance</category><category>Security</category><dc:date>2009-09-15T13:54:20-04:00</dc:date><link>http://www.enclaveforensics.com/Blog/files/c37cc86a3982f2c8c80d5104b95f7c11-24.html#unique-entry-id-24</link><guid isPermaLink="true">http://www.enclaveforensics.com/Blog/files/c37cc86a3982f2c8c80d5104b95f7c11-24.html#unique-entry-id-24</guid><content:encoded><![CDATA[For the last ten years or so I&rsquo;ve been standing up in front of hundreds to thousands of auditors each year discussing controls and in that time I&rsquo;ve figured some things out.


One of the first things that I realized is that while there are generally accepted definitions for &ldquo;Controls&rdquo; and &ldquo;Objectives&rdquo;, how any particular auditor or organization uses those terms varies greatly in the specifics. &nbsp;...  In my discussions with classes over the past six years I&rsquo;ve come to what is at least an anecdotal conclusion that this understanding is at least mostly correct.


...In my opinion, the effort to distinguish controls in these ways has been a contributing factor to the overall state of confusion when administrators, auditors and management get together and try to have a conversation!


...After spending years discussing this with management and auditors I&rsquo;ve come to the conclusion that any control that can be defined can be expressed within this single, simple, common framework. &nbsp;

...A set of common accounting rules are defined and must be followed by any publicly traded company. &nbsp;  Each quarter any particular company must publicly state its current financial standing and accounting as reflected by an application of these rules. &nbsp;

...If the organization in question has not properly followed the rules, a diligent auditor should be able to detect the deficiency which indicates that some control somewhere has failed.


...In fact, what experience has shown is that when organizations suffer some loss, compromise or other security breach, the most common problem is that they are missing a control. &nbsp;...  That can&rsquo;t be answered in a general way, but we can say that generally they are lacking either a Preventative, Detective or Reactive control.


Going one step further we can state that if you have a Preventative or Proactive control but lack Detective and/or Reactive controls to supplement it, you have a material weakness. &nbsp;...  Similarly, having detective controls is good, but without a reactive capability or a preventative control (policy, procedure, standard, etc.) with which to enforce some compliance they become worthless. &nbsp;]]></content:encoded></item><item><title>PCI Self Assessment Tools Update&#x21;</title><dc:creator>dhoelzer@enclaveforensics.com</dc:creator><category>PCI/DSS</category><category>Auditing</category><dc:date>2009-05-07T12:46:34-04:00</dc:date><link>http://www.enclaveforensics.com/Blog/files/13c1d8bad2e7c2948cd088f4fab904ea-23.html#unique-entry-id-23</link><guid isPermaLink="true">http://www.enclaveforensics.com/Blog/files/13c1d8bad2e7c2948cd088f4fab904ea-23.html#unique-entry-id-23</guid><content:encoded><![CDATA[Three years ago, Cyber-Defense, the free software arm of Enclave Forensics, released a set of free tools for performing self-assessments for PCI/DSS.    These tools automate the repeatable technical tasks that QSAs and ASVs perform.    The most valuable of these tools is the automated firewall validation scanning tools and analysis script.


We are very happy to announce that these tools have recently been updated to better allow you to define your inbound and outbound requirements when performing a PCI self-assessment of your firewall!    The actual changes were all made to the analysis script.


Please enjoy!
]]></content:encoded></item><item><title>iPhone Programming Tutorial</title><dc:creator>dhoelzer@enclaveforensics.com</dc:creator><category>IPhone</category><category>Programming</category><dc:date>2009-03-31T01:51:47-04:00</dc:date><link>http://www.enclaveforensics.com/Blog/files/2a10563884d3d564cfeade3c35b08c24-22.html#unique-entry-id-22</link><guid isPermaLink="true">http://www.enclaveforensics.com/Blog/files/2a10563884d3d564cfeade3c35b08c24-22.html#unique-entry-id-22</guid><content:encoded><![CDATA[I recently returned from teaching a six day audit class in Phoenix, Arizona.    One evening at the conference I did a quick tutorial on writing iPhone apps.   If you&rsquo;d like to have a look, the screencast is over in our Videos section.


Enjoy!


(Download the source code for these demos here!)]]></content:encoded></item><item><title>Prediction of Compromise Fulfilled&#x21;</title><dc:creator>dhoelzer@enclaveforensics.com</dc:creator><dc:subject>Blog</dc:subject><dc:date>2009-01-20T18:04:47-05:00</dc:date><link>http://www.enclaveforensics.com/Blog/files/1c297703cb06cddea9b71a4b055adf03-21.html#unique-entry-id-21</link><guid isPermaLink="true">http://www.enclaveforensics.com/Blog/files/1c297703cb06cddea9b71a4b055adf03-21.html#unique-entry-id-21</guid><content:encoded><![CDATA[One of those predictions was that sometime in 2009 we would see a major breach of cardholder data (PCI data), larger than that of TJX.    Another aspect of the prediction was that this compromise would occur at an organization that was certified to be fully compliant with the PCI/DSS standard.  

...Earlier today it was announced by Heartland Payment Systems that they experienced a major compromise as a result of an intrusion involving malware spread across their enterprise.  

...Executives may wonder how it can be that malware such as this could go undetected in an enterprise, especially one that strives to be compliant with a security standard like PCI/DSS.  ...  We won&rsquo;t dig into this issue here, but the short answer is that our antivirus tools today almost exclusively use signature matching rather than behavioral detection.    The frightening thing is that, in my experience, most companies when faced with indicators that there may be custom malware in the organization prefer an easy and safer explanation to the scary but more likely explanation.    For example, one client in 2008 who engaged us because they felt that they had been compromised... in fact the FBI told them that they were compromised... steadfastly preferred to imagine that SpySweeper was generating DNS lookups to known malware domains rather than face the truth that they were infected with customized malware that was completely undetected by their corporate solution.


Back to the story at hand, executives also wonder how they can be compliant with PCI/DSS, HIPAA, ISO 27000, etc. yet still be compromised.  

...For instance, in the DEV 536 course that we wrote for SANS, we actually go above and beyond what the PCI/DSS standard requires for secure coding to get at the real root of the security problems, especially when storing sensitive data.    In the two day AUD 521 course we teach you and your people what PCI/DSS is really about and how to effectively maintain compliance while remaining very secure.    Further, in our AUD 507 course we give you tools and techniques that can be used by auditors, system administrators, network administrators, compliance managers and security officers to create ongoing security with continual baseline auditing and security setting enforcement within the enterprise.


When you&rsquo;re ready to get serious about securing your enterprise, whether you&rsquo;re trying to be compliant with a standard like PCI/DSS, implement a standard like ISO 27000 or just have excellent security and audit practice in your IT environment, come to one of our courses offered through SANS.  ]]></content:encoded></item><item><title>Data Recovery from Dead Drives</title><dc:creator>dhoelzer@enclaveforensics.com</dc:creator><category>Forensics</category><category>Security</category><category>Auditing</category><dc:date>2009-01-13T14:44:28-05:00</dc:date><link>http://www.enclaveforensics.com/Blog/files/6c8ff926c4507ba328b1f59fda717de5-20.html#unique-entry-id-20</link><guid isPermaLink="true">http://www.enclaveforensics.com/Blog/files/6c8ff926c4507ba328b1f59fda717de5-20.html#unique-entry-id-20</guid><content:encoded><![CDATA[So there I was, happily working away, when Time Machine pops up and tells me, &ldquo;Time Machine has not successfully completed a backup in 18 days.&rdquo;  

...After poking at this for a couple of minutes I decided to simply reformat the Time Machine partition and be done with it.


...After disassembling the drive array (it&rsquo;s a Western Digital MyBook with dual 500 gig SATA drives inside) I hooked each of the drives up to a Tableau write blocker to see what was what.  

...Everything from the magnetic sucking sound of the voice coil pulling the heads in and shooting them back across the drive in a frantic effort to read your data to the grinding sound of heads crashing into the platter.  

...The data recovery process, at this rate, was looking to be pretty spotty and would likely take more than ten days to complete its run.    Looking at the facts so far, particularly the fact that when the drive was cool I had few read errors and now that it was hot I was having tons of read errors, I decided to stop and restart the process.  ...  This might sound like bad news but it&rsquo;s actually excellent news coupled with the fact that there are no physical sounds of a dying drive.  

...You never know when a drive will come across your desk with serious problems, all of which are related to the controller board.  

...What you really need to do is make sure that whenever a computer system is purchased, especially a widely deployed system, at least one (more is better, of course) spare drive is purchased for that model of system.    For instance, if you decide to push out a stack of Dell PowerEdge servers with terabyte drives then at least one spare drive that matches the model of drive in the server should be purchased and stored as part of a response kit.    Even if you never need them for an actual forensic incident the drives easily pay for themselves when you need to recover data off of a drive that has suddenly become unreadable and was not backed up as it should have been!


Just as a final closing thought, if the drive you are looking at is making evil sounds and you need to get something off of it, you should power the drive off and stop poking at it.  ]]></content:encoded></item><item><title>Trends in Vulnerability Management</title><dc:creator>dhoelzer@enclaveforensics.com</dc:creator><category>Security</category><category>Auditing</category><category>Compliance</category><dc:date>2008-12-18T11:37:11-05:00</dc:date><link>http://www.enclaveforensics.com/Blog/files/2c077ed0fa25189ac72c5d96b622b474-19.html#unique-entry-id-19</link><guid isPermaLink="true">http://www.enclaveforensics.com/Blog/files/2c077ed0fa25189ac72c5d96b622b474-19.html#unique-entry-id-19</guid><content:encoded><![CDATA[There&rsquo;s always a new gadget.    Ten years ago the big thing was Intrusion Detection Systems.    Five years ago everyone wanted an Intrusion Prevention System.    Two to three years ago everyone wanted a SIM/SIEM/SEM.    Last year the new gadget was Log Aggregation and Management.    These days everyone&rsquo;s all a-buzz with Vulnerability Management tools.


If this is a topic that interests you, you may want to have a look at the Webcast Archive over at SANS.    The December 17 Webcast deals with current and future trends in this space in addition to discussing what to look for and what to watch out for when deciding to buy a Vulnerability Management platform!]]></content:encoded></item><item><title>Building an Incident Response/Audit CD</title><dc:creator>dhoelzer@enclaveforensics.com</dc:creator><category>Security</category><category>Forensics</category><category>Incident Response</category><category>Auditing</category><dc:date>2008-12-17T18:58:31-05:00</dc:date><link>http://www.enclaveforensics.com/Blog/files/b85f4d072b82d7183c144ce38d634229-18.html#unique-entry-id-18</link><guid isPermaLink="true">http://www.enclaveforensics.com/Blog/files/b85f4d072b82d7183c144ce38d634229-18.html#unique-entry-id-18</guid><content:encoded><![CDATA[The first thing that you need to do is to create a directory that you'll use to hold all of your security tools while building your CD.    Generally it's easier if you build a directory structure that's familiar, so we'll recommend that you first create a top level folder that will essentially be the root of the security tools CD that you create.  

...lsof - If I had to pick just one tool to bring along for incident response or security analysis of a system it would be lsof.  

...If you think that you might be dealing with a kernel level rootkit these tools will still be fooled, but for a userspace rootkit these tools are invaluable for figuring out what's happening at the network level.


...This allows not only for good reuse of code and smaller disk sizes, it also leads to smaller in-memory sizes since the shared libraries are only loaded one time rather than being duplicated throughout the memory space of the system.    This means that we either need to recompile every tool that we want to put on our CD as a static binary (unpleasant at best) or somehow bring along the dynamic libraries.


As it turns out, there's a really easy-to-use tool that can tell you which libraries any UNIX binary needs:  ldd.  ...  What we need to do is to extract this dynamic library information from all of the security tools that we have in our "bin" folder and copy them into the "lib" folder.  

...At this point you really could just copy this whole bundle into an archive, copy it to your Windows host and unpack it onto a CD that you burn from there.    When dealing with UNIX tools, though, I find that it's often better to actually make the ISO image on the UNIX system too so that you have control over what the file attributes will be, especially the execute bit for your security tools.


This might sound like a hard task but there's actually a great file system tool available on Linux systems in particular but which has been ported to all major UNIX systems:  mkisofs.  "mkisofs" allows you to point it at a directory structure and it will then convert that into an ISO that can be used to burn a CD!  

...Your ISO is actually a disk image, so you can now take this to any platform and use your favorite CD burning tool to burn this image out as a CD.  ]]></content:encoded></item><item><title>SANS CDI East</title><dc:creator>dhoelzer@enclaveforensics.com</dc:creator><category>Conferences</category><category>Auditing</category><dc:date>2008-11-13T13:56:56-05:00</dc:date><link>http://www.enclaveforensics.com/Blog/files/9ac84c43b694739265f519242b1f76d0-17.html#unique-entry-id-17</link><guid isPermaLink="true">http://www.enclaveforensics.com/Blog/files/9ac84c43b694739265f519242b1f76d0-17.html#unique-entry-id-17</guid><content:encoded><![CDATA[One thing that almost every one of them has in common is that they&rsquo;re top notch people trying to help organizations to control risks but they often feel that they are really missing something on the technical end.  

...The entire thrust of this six day hands-on course is to give an auditor the technical know-how that he or she needs to ask the right questions, know what the answers should be and even be in a position to create a world class information assurance and compliance management framework in the enterprise.  

...Day one of the class gives you hands on practical risk assessment strategies that can be applied immediately to your audit practice upon returning to the office.    On this day we also spend time helping to give you the non-technical tools that you need to better communicate your findings.    Perhaps most importantly we spend time assisting you to learn how to better communicate with those being audited and how to effectively convince them to willingly comply with policies and procedures.  

...You will leave the class with tools and techniques that can be immediately applied to your organization the day that you get back to the office.    You will also have performed and know how to perform a technical validation of a firewall or router rulebase, allowing you to provide complete assurance when it comes to the functioning of these systems in your enterprise.    You will also know how to determine whether or not your network is architected to properly support the information security requirements of your organization.


Day four of the class is everything that you need to know to perform technical audits and validations of web applications.    Web applications are one of the most important applications that we have in our organizations when it comes to marketing and visibility, but these are also the number one cause of compromises in our networks and systems today.  

...Day five is spent focused on Windows technologies with special emphasis on XP, 2003 and Vista and how to audit these as stand-alone systems as well as domain level auditing.    Day six is spent doing in depth auditing of UNIX based systems with special emphasis on how to create automated scripts to automatically perform periodic validations and to help administrators to ensure that their systems are remaining secure over time.
]]></content:encoded></item><item><title>Training Videos</title><dc:creator>dhoelzer@enclaveforensics.com</dc:creator><category>Training</category><category>Security</category><category>PCI</category><category>Auditing</category><category>Web Applications</category><category>Videos</category><dc:date>2008-11-12T03:05:17-05:00</dc:date><link>http://www.enclaveforensics.com/Blog/files/75f3fa6c9f170816c24f76504ed86f2b-16.html#unique-entry-id-16</link><guid isPermaLink="true">http://www.enclaveforensics.com/Blog/files/75f3fa6c9f170816c24f76504ed86f2b-16.html#unique-entry-id-16</guid><content:encoded><![CDATA[You may want to start checking back more often!    As you may have noticed over on the right hand side, we&rsquo;ve added a Video section!    In this section we will be hosting a variety of demonstration and training videos created by EnclaveForensics staff.    For instance, our first video went live yesterday, a twenty minute quick introduction to the WebScarab tool with a demonstration of just a few of its functions.


Over the next days and weeks keep your eyes peeled for video tutorials on topics such as iPhone programming, demonstrations of the free/open source DAD log monitoring and alerting tool and more!]]></content:encoded></item><item><title>Attacking Applications</title><dc:creator>dhoelzer@enclaveforensics.com</dc:creator><category>Web Applications</category><category>PCI</category><category>Auditing</category><category>Security</category><category>Penetration Testing</category><dc:date>2008-11-11T17:58:08-05:00</dc:date><link>http://www.enclaveforensics.com/Blog/files/e949ed030395c8a776dab3291361fe1b-15.html#unique-entry-id-15</link><guid isPermaLink="true">http://www.enclaveforensics.com/Blog/files/e949ed030395c8a776dab3291361fe1b-15.html#unique-entry-id-15</guid><content:encoded><![CDATA[I&rsquo;ve been teaching for The SANS Institute for just about ten years now.    In that time I&rsquo;ve seen dramatic changes in the information security industry, some of which have been the direct result of the diligent efforts of SANS and the associated power of the GIAC certification.


Just as the state of information security practice has improved we&rsquo;ve also seen a tremendous leap in sophistication on the part of attackers.    Techniques that used to require you to be &ldquo;in the know&rdquo; and that were only understood by an elite few have been embedded into easy-to-use point-and-click tools today!    For instance, just a few years ago it would have required a significant level of sophistication to effectively perform a blind SQL exploit against a vulnerable application.    Today there are easy-to-use tools with graphical interfaces that will both find the vulnerabilities and exploit them without the user really needing to know what&rsquo;s happening!


One of the things that security practitioners absolutely must be able to do these days is effectively assess the security of a web application.    As you have probably noticed, the number of new vulnerabilities in web applications discovered daily or weekly is astounding, far outstripping the number of problems found in the more traditional places (like operating systems and services!)


To give you a quick idea of what&rsquo;s involved we&rsquo;ve prepared a short demonstration video on the use of WebScarab, a fantastic tool available at no cost from OWASP.    In the video we briefly discuss how to configure the proxy, how the proxy operates, how to do some very basic injection testing and finally a quick demonstration of how to use the Session ID Analysis module.    If you need more information, please feel free to contact us or SANS to investigate the training that your people need to perform effective testing using this and other tools.


<object width="425" height="350"> <param name="movie" value="http://www.youtube.com/v/W5ppj2LnHXM"> </param> <embed src="http://www.youtube.com/v/W5ppj2LnHXM" type="application/x-shockwave-flash" width="425" height="350"> </embed> </object>
]]></content:encoded></item><item><title>PCI Testing Suite</title><dc:creator>dhoelzer@enclaveforensics.com</dc:creator><category>PCI</category><category>Security</category><dc:date>2008-09-12T22:01:09-04:00</dc:date><link>http://www.enclaveforensics.com/Blog/files/1a566ba949d0b0aa60b7f7043356c945-14.html#unique-entry-id-14</link><guid isPermaLink="true">http://www.enclaveforensics.com/Blog/files/1a566ba949d0b0aa60b7f7043356c945-14.html#unique-entry-id-14</guid><content:encoded><![CDATA[Several of our clients are required to be PCI compliant.    The truly frightening thing is that several of these customers have successfully passed the audit requirements conducted by a designated QSA or ASV yet even a cursory look reveals that their systems and environment are clearly non-compliant!


These customers have been left with a false sense of security and, in the end, will be holding the bag when it comes to a damaged reputation and perhaps liability if PCI data is compromised.    What can be done, and what can a QSA do to improve his practice?


From before the time that the original VISA Digital Dozen was shown to us while still in draft form we have had the tools in place to perform the requisite testing.    In fact, the original drafters of the Digital Dozen actually attended one of our courses!    The influence of the course, especially in the area of firewall configuration and security, is quite clear.


To assist in creating a technically repeatable and accurate test for the major technical requirements in the standard we have made available a suite of scripts that can be used in combination with Nmap, Nemesis, Nessus and OpenSSL to automatically score most of the technical controls required by PCI.    The tools are available as a free download at the bottom of this page.


You are welcome to use these scripts at no charge.    If you&rsquo;re looking for a way to really learn what the requirements are, how to implement them and how to effectively use these and other tools for self-assessment we strongly recommend that you have a look at the SANS Institute course that we wrote for this purpose.    You may also be interested in our course for Web Application Developers to satisfy the PCI requirement for &ldquo;evidence of a training program&rdquo; for techniques in secure coding.
]]></content:encoded></item><item><title>Log Aggregation &#x26; Management</title><dc:creator>dhoelzer@enclaveforensics.com</dc:creator><category>Security</category><category>Research</category><category>Compliance</category><dc:date>2008-07-12T22:06:47-04:00</dc:date><link>http://www.enclaveforensics.com/Blog/files/a9b568115051c0c6e6e49a2d9f6e3541-13.html#unique-entry-id-13</link><guid isPermaLink="true">http://www.enclaveforensics.com/Blog/files/a9b568115051c0c6e6e49a2d9f6e3541-13.html#unique-entry-id-13</guid><content:encoded><![CDATA[The reason that everyone&rsquo;s concerned about aggregating logs is that there are suddenly a number of legal and industry requirements that deal with log management and alerting.  

...While this is all true, until the advent of Vista and 2008 there was no easy way to subscribe to or aggregate the events from several systems into one location.    Even if you surmount this problem there are other issues, most notably how to correlate events for users across the enterprise since there is no consistent marker in the events from one machine to another that will distinguish users.  ...  Let&rsquo;s see what we can do about getting the logs into one place and reporting on them.


...The most common comment from people in the trenches who are using these tools, though, is that they all looked good on paper but they don&rsquo;t seem to perform quite as reliably as the salesman said that they would.  ...  We need to be sure that we can never be accused of stealing someone&rsquo;s interface or concept in our tool.


...DAD (Distributed Aggregation for Data analysis) is a free open source solution to this log aggregation and reporting problem.  

...The really beautiful thing about this particular solution is that we have abstracted the data so that we are not concerned about how the events are formatted.    The real power of this is that we can digest absolutely any kind of text based log format including syslog and web logs very easily.  ...  Not only does this give us tremendous speed when searching for events but it also means that we can store far more events than might otherwise be possible because we never duplicate data.


We do encourage you to consider looking at the DAD project as a possible solution but we also want to make sure that you are aware that this product falls somewhere between an Alpha and Beta status.  ...  If you do decide to try it out, please drop us a line and let us know how you like it!]]></content:encoded></item><item><title>Writing Policies</title><dc:creator>dhoelzer@enclaveforensics.com</dc:creator><category>Security</category><dc:date>2008-06-16T15:06:08-04:00</dc:date><link>http://www.enclaveforensics.com/Blog/files/495c84f96e47a834b1ce0d84f2afa968-12.html#unique-entry-id-12</link><guid isPermaLink="true">http://www.enclaveforensics.com/Blog/files/495c84f96e47a834b1ce0d84f2afa968-12.html#unique-entry-id-12</guid><content:encoded><![CDATA[Writing policies really isn&rsquo;t rocket science (or brain science as my brother in law would say), but writing effective policies that people can read, understand and follow is something of an art. 

...One of the big mistakes that we see people make in creating policies is starting out trying to write a policy.  ...  Quite often we get one person or a group of a few people to create a &ldquo;draft&rdquo; policy that then gets reviewed and everyone starts arguing about what it says.    In the end the particularly unpopular pieces of the policy that no one can agree on get killed or the entire policy gets scrapped because no one wants to sign it.


Rather than starting out trying to write sentences and paragraphs begin by working with management to define a bullet point list of control principles that the business would like to apply to situations generally.    It is good to try to connect these principles to the business objectives of the organization and the risks that can affect the ability of the organization to meet those objectives.


Next, create a bullet point list of what the objectives of the policy under consideration are and align these with the principles that you worked with management to create.    I would recommend that you circulate this list to the stakeholders and management to ensure that they agree that the objectives that you are seeking to meet match their view of what is important and how risks should be addressed.


...Next, take both the objective and control bullets that you have come up with to the stakeholders and management for their review.  

...The problem really isn&rsquo;t the wording of the controls but most commonly the problem is the actual underlying objectives and controls and how they align and affect the business.    By starting at the business objectives and working our way down to the policy control bullet points we have proposed controls that align directly with the business and serve to control actual risk!


...At this point, there may be some wordsmithing and wrangling but we will no longer need to rewrite the policy for every objection.]]></content:encoded></item><item><title>Zone Transfer without the AXFR</title><dc:creator>dhoelzer@enclaveforensics.com</dc:creator><category>Security</category><category>Research</category><dc:date>2008-06-02T18:29:59-04:00</dc:date><link>http://www.enclaveforensics.com/Blog/files/26fad96dd08f74bc542b84a8d2011867-11.html#unique-entry-id-11</link><guid isPermaLink="true">http://www.enclaveforensics.com/Blog/files/26fad96dd08f74bc542b84a8d2011867-11.html#unique-entry-id-11</guid><content:encoded><![CDATA[Servers used to willingly tell you who was logged on and from where, everyone had an anonymous FTP server and DNS servers were more than happy to give you a copy of their zone records.


Of course, there are lots of techniques for scanning and fingerprinting hosts and discovering networks, but these are sure to tip off someone who&rsquo;s watching that there&rsquo;s something going on.    This is even more true if you&rsquo;re performing an internal pen-test where, generally speaking, there should be next to no scanning going on.


...Relatively few name servers permit zone transfers anymore and exploiting a well secured DNS server has a good chance of getting someone&rsquo;s attention.  

...Essentially, if you know what you are interested in, you can ask the server directly without requesting an AXFR.    Rather than scanning the network for live hosts, send reverse queries to the name server for each of the public IPs in the networks that you can discover.    Another fantastic trick, provided your target has not deployed a Split DNS arrangement is to set your resolving server to be one of your target&rsquo;s servers and then do a reverse lookup for the .1 address of every private network range.


To help you along your way, we&rsquo;ve included a Perl script here that we use for just this purpose.  

...# techniques that can be used to map out a network, but that it's always best<br>


...# this reason, I recommend that people NOT try to dump a zone from a DNS<br>


...# Especially if the organization does not have a split DNS, this can be<br>


...  print "Usage:  dnsscan a.a.a.a b.b.b.b\n\na.a.a.a and b.b.b.b represent the starting and ending IP addresses to obtain information for.\n\n";<br>
]]></content:encoded></item><item><title>PCI/DSS Section 6</title><dc:creator>dhoelzer@enclaveforensics.com</dc:creator><category>Q &#x26; A</category><category>News</category><dc:date>2008-05-30T18:54:19-04:00</dc:date><link>http://www.enclaveforensics.com/Blog/files/4dff0a6ed58627096c31c37518285ce6-10.html#unique-entry-id-10</link><guid isPermaLink="true">http://www.enclaveforensics.com/Blog/files/4dff0a6ed58627096c31c37518285ce6-10.html#unique-entry-id-10</guid><content:encoded><![CDATA[As the world wide adoption requirements of the PCI/DSS take effect, more and more organizations are becoming concerned about how to meet the requirements in the standard.    As it stands today there are still some disparities between the standard and the audit procedures, not to mention one or two... shall we say misstatements?  

...Auditors are instructed to look for evidence of a training program for secure programming and verification that the web application programmers have been through this training program.  

...Using this portion of the PCI standard, however, we have a fairly good sized lever to cajole the programmers into training with.  

...There are many courses out there that will teach you how to hack web applications, how to do penetration testing, etc.  ...  Fortunately there are a few good options out there that can allow you to satisfy the PCI requirement without having to create your own training program or a secure programming training department (which can be real challenges!)


...There are other week-long training options available out there but in our experience it&rsquo;s almost impossible to get your programmers to go to a week-long training program or to convince everyone that you can afford a week with your programmers unavailable.    The SEC 536 program is a two day bootcamp style workshop where the programmers are introduced to the roots of the problems in web applications, educated about how serious and widespread these are and then taught how to identify problem spots and how to write clean, secure code.


During the workshop, the students have the opportunity to work in a semi-competitive environment using whichever web application development tools or framework they prefer to create a simple web application.    The application that they create forces them to address all of the major secure coding issues that create vulnerabilities in web applications.    By the time they leave each student should be able to understand the principles of secure coding, have experience writing secure code, be able to identify bad coding practice and know how to do quality assurance testing for security issues.


All in all, SANS has created an all in one solution to allow you to easily meet your PCI compliance requirements in short order!]]></content:encoded></item><item><title>Keeping Cool</title><dc:creator>dhoelzer@enclaveforensics.com</dc:creator><category>Security</category><category>Research</category><dc:date>2008-05-28T15:57:46-04:00</dc:date><link>http://www.enclaveforensics.com/Blog/files/82e20ca96857027b26b6bf8c41a9f79b-9.html#unique-entry-id-9</link><guid isPermaLink="true">http://www.enclaveforensics.com/Blog/files/82e20ca96857027b26b6bf8c41a9f79b-9.html#unique-entry-id-9</guid><content:encoded><![CDATA[Electronic memory is essentially a set of tightly packed electronic switches.    In reality, memory is typically comprised of a large number of latches which are formed from transistors, but it&rsquo;s much simpler to imagine something more physical.  

...When you turn on your sprinkler, it takes a few moments for the water pressure in the hose to rise high enough to start spraying water out of the sprinkler head.    Conversely, when you turn the water off, water will continue to flow out of the sprinkler head as the water pressure drops.    In a similar way, the memory latches maintain their state as a result of a charge that is applied to them.    When the power turns off, the &ldquo;pressure&rdquo; source is removed, but it takes varying amounts of time for all of the pressure to go out of the system.    By refrigerating the memory chips, you are actually making them much more efficient, so it takes longer for the remaining power to drain completely.    Even without cooling, however, tests have found that some laptops will actually retain a fairly accurate representation of the RAM for upwards of ten minutes!    Desktop systems, far more power hungry, can only retain memory contents for a few seconds without cooling.


...It means that the rumors are true.    In fact, there was at least one paper regarding this issue written and published back in 2006, but it never really caught anyone&rsquo;s attention.    If you&rsquo;re looking for tools that you can use to test out these theories, have a look at McGrewSecurity, which has released a simple tool with easy to follow directions on how to build a bootable USB key that will allow you to easily dump memory captures to the USB stick.
]]></content:encoded></item><item><title>Magstripe Magic&#x21;</title><dc:creator>dhoelzer@enclaveforensics.com</dc:creator><category>Research</category><category>Security</category><dc:date>2008-05-23T15:53:30-04:00</dc:date><link>http://www.enclaveforensics.com/Blog/files/b278dc6b5c3da4b83c55e31081cc6e49-7.html#unique-entry-id-7</link><guid isPermaLink="true">http://www.enclaveforensics.com/Blog/files/b278dc6b5c3da4b83c55e31081cc6e49-7.html#unique-entry-id-7</guid><content:encoded><![CDATA[While there are probably non-standard items out there (there always are), the standard for magnetic stripe data indicates that the data will be stored on one or more of three distinct stripes.  ...  There are also some differences in how the data itself is recorded (how many bits per character, what the character set is, etc.).


At one point, we were producing a prototype for future miniaturization that would allow Law Enforcement to quickly and easily identify magnetic card data stored on any stripe that actually contained credit card data.  

...We did not select this out of any preference or because it&rsquo;s really awesome at reading card data; it just happened to be what we had handy in enough numbers that if we fried a few it wouldn&rsquo;t matter much.


The other major piece of hardware that is required in order to read a magnetic stripe is some sort of magnetic stripe head.    While you can make your own (we sure don&rsquo;t advise that) and there are lots on the market, we found that the Magtek 21047019 mini magnetic head assembly was perfect for our application.    The especially nice part about using this part is that you don&rsquo;t have to write code to figure out when the card has been inserted and where the stripe began (or which way the card was going).  ...  Once the card has been swiped, you simply (we use that word loosely) need to read the data out of the buffer and interpret it!    The other advantage to this particular part is that it runs at 5 volts DC rather than 3.5 volts, which is pretty common for a card read head.    This simplifies the circuit design since (at least for us) all of the PIC parts we had handy are 5 volts.


...The design is extremely simple and, if you&rsquo;re patient, you can probably reconstruct it from the image or the source code below, but we felt that there should be some hurdle for people who might want to take this and turn it into a card skimmer for nefarious purposes.  ...  In tomorrow&rsquo;s blog post we&rsquo;ll also release and detail the code for the LCD driver in case you have a Hitachi based LCD that you&rsquo;re trying to drive from a PIC.
]]></content:encoded></item><item><title>Driving a Hitachi 4x20 LCD</title><dc:creator>dhoelzer@enclaveforensics.com</dc:creator><category>Research</category><category>Q &#x26; A</category><dc:date>2008-05-20T15:51:38-04:00</dc:date><link>http://www.enclaveforensics.com/Blog/files/c644002894ea4abf30cdebf84c2dc965-6.html#unique-entry-id-6</link><guid isPermaLink="true">http://www.enclaveforensics.com/Blog/files/c644002894ea4abf30cdebf84c2dc965-6.html#unique-entry-id-6</guid><content:encoded><![CDATA[Over the years, we&rsquo;ve put together a number of electronic testing rigs for a variety of purposes and we&rsquo;ve found the four line LCD display invaluable when it comes to quick and dirty output.  

...You can save yourself a lot of pain and effort by installing one on pin 3 (Contrast Adjustment Vee) rather than trying to fiddle around wondering why you&rsquo;re not seeing anything at all.


...For simplicity, we&rsquo;ve included driver code that will work seamlessly with a PIC16F819 and can easily be adapted for a large variety of other PIC processors with little to no effort.    The code that we&rsquo;ve included will expect to drive the display in eight bit mode, which is the easier way to go if you have the datalines to spare.


Other than choosing the width of the data that you will be sending, the two modes that you care most about are whether the display is in command mode or ready to accept and print a character.  ...  In order for the display to operate properly, it&rsquo;s generally a good idea to begin by waiting a few milliseconds after powerup so that things can settle down, then setting the data width and then clearing the display.


...While we&rsquo;re considering an eight bit bus in this example which makes the notion very easy to understand, it actually can be found in virtually all types of digital communications.  ...  Think about it, if the LCD responded to every voltage change on the data pins, we&rsquo;d end up with all kinds of junk since the various bits will often not all change state simultaneously.


The way that we solve this problem is by using a sort of trigger to tell the LCD, &ldquo;Ok, take off your blindfold and see what&rsquo;s on your data pins.&rdquo;  

...Where it requires a bit more thought is in situations where there are only one or two data lines available and we still need to get 8, 16, 32 or any other length data through that single line.  ...  It is quite likely that the reason this confuses most people is that when they see &ldquo;clock&rdquo; they immediately think that they need to hook the system clock or crystal up to drive the input, but as you can imagine that could create all kinds of hassles!    In more advanced applications, though, it can make a lot of sense to drive this bus clock through a divider that is driven directly by the system clock, removing the requirement for you to manage this clock &ldquo;manually&rdquo;.  ]]></content:encoded></item><item><title>The Dangers of Source Routing</title><dc:creator>dhoelzer@enclaveforensics.com</dc:creator><category>Security</category><category>Research</category><dc:date>2008-05-15T15:47:47-04:00</dc:date><link>http://www.enclaveforensics.com/Blog/files/dbe04629c14a2d07495a38bbf2fc98d9-5.html#unique-entry-id-5</link><guid isPermaLink="true">http://www.enclaveforensics.com/Blog/files/dbe04629c14a2d07495a38bbf2fc98d9-5.html#unique-entry-id-5</guid><content:encoded><![CDATA[For our purposes, this could range from a network ACL that prevents anyone from communicating with Alice on a particular port to a full blown trust relationship whereby a user on Bob may access Alice&rsquo;s resources without presenting any credentials.  

...It is pretty clear that if Eddie wishes for his router to be able to communicate outbound to the network, the external address must comply with the networking scheme in the organization.  

...If you note slide #5, Eddie could certainly configure his router so that the external address is assigned by DHCP and at the same time he can configure the internal address of the router to be anything that he wants.    He cannot necessarily expect to receive an answer, but if he were to configure the router and his host as pictured in slide #5, the packets certainly could be expected to route outbound into the network, unless the network has some form of unicast reverse path forwarding enabled or some other network access controls that will detect that the packets are coming from the wrong network.  

...In any event, using this arrangement, if we look at slide #6, we can see Eddie&rsquo;s first attempt to send a packet.    In this case, he has simply reconfigured the internal addresses on his router and host and attempted to send a packet to Alice.    Try as he might, though, he will consistently receive an unreachable message because his router believes that Alice&rsquo;s address is local, but cannot find a reachable host.


If you look at slide #7, it is possible for Eddie to set up a static route to force traffic outbound for Alice to be delivered to Alice, (or to use a different address range and simply spoof Bob&rsquo;s address, which is what is pictured in the slide) but all of her answers will go to the real Bob.  

...Instead, a list of all of the devices through which this packet must pass is included at the end of the IP header.  

...For this attack to work, we need at least one device not on the target network and not the attacker&rsquo;s router to pass packets through.  

...She would like to send her response to Bob directly (the dotted line) but IP requires that if an IP option is enabled when a packet is received, the appropriate option and option list must be enabled in the responses.  ...  What this means is that rather than responding directly to Bob on the local network, Alice forwards her response to Ivan, Ivan then forwards it to Eddie&rsquo;s router and Eddie&rsquo;s router now makes a local delivery to Bob&rsquo;s address.
]]></content:encoded></item><item><title>Networking Basics</title><dc:creator>dhoelzer@enclaveforensics.com</dc:creator><category>Security</category><category>Research</category><category>Q &#x26; A</category><dc:date>2008-05-10T14:27:55-04:00</dc:date><link>http://www.enclaveforensics.com/Blog/files/fedaaf981c2b358f04d3e6d5fbf12cf0-4.html#unique-entry-id-4</link><guid isPermaLink="true">http://www.enclaveforensics.com/Blog/files/fedaaf981c2b358f04d3e6d5fbf12cf0-4.html#unique-entry-id-4</guid><content:encoded><![CDATA[Many people who have transitioned into IT Security, especially in the audit disciplines, discover that they are missing some of the fundamentals.    This presentation and its accompanying notes are designed to get you up to speed on some of the low level basics.


The 100+ page booklet starts out by covering some of the basics of numbering systems used with computers including some of the background theory that connects the dots but that was likely skipped when you were learning math in school.    From there we cover some of the basics of networking protocols and finally how network addressing and masking works.


As frightening as it is, I remember going through a pool of over fifty applicants for a network engineering position.    Of those, quite a few had documented experience managing and designing networks of more than five years.    Even so, out of that entire pool, not a single one of them was able to perform the simple task of taking a network address and subnetting it into two networks.    In the end, I hired the two guys who said, &ldquo;You know what, I&rsquo;m really not sure.    I&rsquo;d have to look it up&rdquo; rather than the forty and more who tried and failed miserably.


Download Book]]></content:encoded></item><item><title>Poor Passwords - The Real Risk&#x21;</title><dc:creator>dhoelzer@enclaveforensics.com</dc:creator><category>Security</category><dc:date>2008-05-06T02:40:12-04:00</dc:date><link>http://www.enclaveforensics.com/Blog/files/214b330638e1a21d1079bece81a50847-1.html#unique-entry-id-1</link><guid isPermaLink="true">http://www.enclaveforensics.com/Blog/files/214b330638e1a21d1079bece81a50847-1.html#unique-entry-id-1</guid><content:encoded><![CDATA[In fact, if there&rsquo;s one policy that your company has in the IT Security arena, it&rsquo;s probably a password policy!&nbsp; ...  You have to pick a password that&rsquo;s at least eight characters long, includes upper and lower case, has at least one number or a special character, etc., etc.&nbsp; ...  What if I told you that there&rsquo;s a trick that I use when performing penetration tests that always recovers at least five percent of the accounts in the domain without requiring that I capture the password hashes and that can be performed without locking out anyone?&nbsp; 

...In fact, most organizations write policy and train users in security awareness about only a part of the authentication equation and this leads to a rather sizable vulnerability that we&rsquo;ve probably ignored.&nbsp; 

...In our policies we tend to put all of our energy, or at least the vast majority, into the selection and protection of a password.&nbsp;   To be frank, whatever policy you create for passwords I can promise you that some user somewhere can select a password that completely adheres to your policy yet is obviously an extremely poor password.&nbsp;   For example, when we require the standard three out of four (upper, lower, number, special), which seems like a great starting point and which is the standard almost everywhere, I guarantee that you will find users selecting &ldquo;Password1&rdquo;, which meets all of the requirements.&nbsp; 

...If I can discover the most complex password ever created but I lack the username for which it is the key, that password has no value.&nbsp; 

...The real answer is that it is equally sensitive, but because we tend to base them on common schemes (first initial last name, first initial middle initial last name, etc.) we don&rsquo;t view them as sensitive even though they are.


...If you&rsquo;re somewhat technical, you can easily discover the password lockout policy by querying your local system or examining the group policies that apply to you.&nbsp; 

...Now we&rsquo;re not going to write the script for you to go and recover accounts with, but how difficult would it be to do something like this in a script and use the exit code to test for success?


...Of course, the real beauty of this type of test (which is an excellent thing to do during a penetration test) is that we never violate the account lockout policy.&nbsp; ]]></content:encoded></item><item><title>About This Blog</title><dc:creator>dhoelzer@enclaveforensics.com</dc:creator><dc:subject>Blog</dc:subject><dc:date>2008-05-02T02:38:36-04:00</dc:date><link>http://www.enclaveforensics.com/Blog/files/e803af55a69b474c859d7e313ccdffb9-0.html#unique-entry-id-0</link><guid isPermaLink="true">http://www.enclaveforensics.com/Blog/files/e803af55a69b474c859d7e313ccdffb9-0.html#unique-entry-id-0</guid><content:encoded><![CDATA[Enclave Forensics personnel have been looked to by industry professionals for security advice and solutions for more than ten years.&nbsp;   This blog is intended to give you a window into our research and current projects, especially those portions that we make freely available for the community.&nbsp;   If you have any thoughts or topics that you&rsquo;d like to see us discuss, please feel free to contact us.]]></content:encoded></item></channel>
</rss>