[SecurityRatty] tag: folder

Use Encryption to Safeguard Your Data

Wed, 12 Nov 2008 21:00:00 +0000

A discreetly tucked-away folder that contains your résumé, your tax returns, and other important files may be convenient for you, but it's also a gold mine for online crooks who steal and sell digital data on a thriving black market.

U.S. Court Rules that Hashing = Searching

Wed, 05 Nov 2008 05:28:17 +0000

Really interesting post by Orin Kerr on whether, by taking hash values of someone's hard drive, the police conducted a "search":

District Court Holds that Running Hash Values on Computer Is A Search: The case is United States v. Crist, 2008 WL 4682806 (M.D.Pa. October 22 2008) (Kane, C.J.). It's a child pornography case involving a warrantless search that raises a very interesting and important question of first impression: Is running a hash a Fourth Amendment search? (For background on what a "hash" is and why it matters, see here).
First, the facts. Crist is behind on his rent payments, and his landlord starts to evict him by hiring Sell to remove Crist's belongings and throw them away. Sell comes a cross Crist's computer, and he hands over the computer to his friend Hipple who he knows is looking for a computer. Hipple starts to look through the files, and he comes across child pornography: Hipple freaks out and calls the police. The police then conduct a warrantless forensic examination of the computer:

In the forensic examination, Agent Buckwash used the following procedure. First, Agent Buckwash created an "MD5 hash value" of Crist's hard drive. An MD5 hash value is a unique alphanumeric representation of the data, a sort of "fingerprint" or "digital DNA." When creating the hash value, Agent Buckwash used a "software write protect" in order to ensure that "nothing can be written to that hard drive." Supp. Tr. 88. Next, he ran a virus scan, during which he identified three relatively innocuous viruses. After that, he created an "image," or exact copy, of all the data on Crist's hard drive.
Agent Buckwash then opened up the image (not the actual hard drive) in a software program called EnCase, which is the principal tool in the analysis. He explained that EnCase does not access the hard drive in the traditional manner, i.e., through the computer's operating system. Rather, EnCase "reads the hard drive itself." Supp. Tr. 102. In other words, it reads every file-bit by bit, cluster by cluster-and creates a index of the files contained on the hard drive. EnCase can, therefore, bypass user-defined passwords, "break down complex file structures for examination," and recover "deleted" files as long as those files have not been written over. Supp. Tr. 102-03.

Once in EnCase, Agent Buckwash ran a "hash value and signature analysis on all of the files on the hard drive." Supp. Tr. 89. In doing so, he was able to "ingerprint" each file in the computer. Once he generated hash values of the files, he compared those hash values to the hash values of files that are known or suspected to contain child pornography. Agent Buckwash discovered five videos containing known child pornography. Attachment 5. He discovered 171 videos containing suspected child pornography.

One of the interesting questions here is whether the search that resulted was within the scope of Hipple's private search; different courts have approached this question differently. But for now the most interesting question is whether running the hash was a Fourth Amendment search. The Court concluded that it was, and that the evidence of child pornography discovered had to be suppressed:

The Government argues that no search occurred in running the EnCase program because the agents "didn't look at any files, they simply accessed the computer." 2d Supp. Tr. 16. The Court rejects this view and finds that the "running of hash values" is a search protected by the Fourth Amendment.
Computers are composed of many compartments, among them a "hard drive," which in turn is composed of many "platters," or disks. To derive the hash values of Crist's computer, the Government physically removed the hard drive from the computer, created a duplicate image of the hard drive without physically invading it, and applied the EnCase program to each compartment, disk, file, folder, and bit.2d Supp. Tr. 18-19. By subjecting the entire computer to a hash value analysis-every file, internet history, picture, and "buddy list" became available for Government review. Such examination constitutes a search.

I think this is generally a correct result: See my article Searches and Seizures in a Digital World, 119 Harv. L. Rev. 531 (2005), for the details. Still, given the lack of analysis here it's somewhat hard to know what to make of the decision. Which stage was the search — the creating the duplicate? The running of the hash? It's not really clear. I don't think it matters very much to this case, because the agent who got the positive hit on the hashes didn't then get a warrant. Instead, he immediately switched over to the EnCase "gallery view" function to see the images, which seems to be to be undoudtedly a search. Still, it's a really interesting question.

Passgen tool from my book

Mon, 29 Sep 2008 16:42:29 +0000

Way back in 2005, Jesper Johannson and I wrote Protect Your Windows Network. It’s still available, and although its product set is now somewhat dated (Windows XP and Server 2003), much of the practical advice about security policies, social engineering, security dependencies, and how to think about security remains relevant. That’s because we strove to write something more lasting than a simple configuration guide.

On the CD-ROM accompanying the book we included a tool called Passgen. In the book, we recommended that you maintain separate passwords on every local administrator and service account in your enterprise. This is, of course, almost impossible to manage without something to automate it for you. That’s what Passgen does. The tool generates unique passwords based on known input (an identifier and passphrase you define), sets those passwords remotely, and allows you to retrieve them later.

For a while Jesper maintained a web site for the book, running on a server in his house. His ISP changed policies and made it impractical to continue running the site. But because the tool is still so useful, I’ve put a copy in my SkyDrive—look in the “Passgen” folder.

Also, note that I’ve put a new section in the right-side column, “Resources for you.” Here’s where I’ll keep links to bits and pieces that many of you will find relevant and interesting.

Hardening OS 10.5 Leapord-Tips from the NSA

Mon, 22 Sep 2008 15:46:48 +0000

The National Security Agency developed a configuration guide for default installations of Leapord.

According to Information Week, it’s not a completely comprehensive guide but it’s a good start — “While the agency’s advice may not be sufficient to stop a government agency like, say, the NSA, from accessing one’s Mac, it should significantly improve one’s security posture against less capable hackers.”

Tips cover user accounts, admin accounts, firewalls, software updates, folder permissions and more. For a few quick tips read the full article – or if you have time, download to the NSA guide.

One More Thing About GOVCERT.NL 2008

Tue, 16 Sep 2008 20:07:00 +0000

This is a post that I forgot to post from my drafts folder...

I am [well, I was :-) when I create it] flying back from GOVCERT.NL 2008 and lemme tell you! I have not ever seen a security conference which were THAT well-organized. Really! Everything just worked. Keynotes (first, second) were - gasp! - fun and useful (take that, RSA! :-))

My presentation was "Logging for Incident Response and Forensics: Key Issues" and I promise to post it online (here). BTW, if you attended the presentation, feel free to send the questions direct to me (since I didn't have time to answer them all at the end)

Can Chrome be read by a Keylogger?

Fri, 05 Sep 2008 11:56:35 +0000

I dont know yet, but Im checking. This is a article that bears reading.

clipped from www.tgdaily.com

Chrome is a security nightmare, indexes your bank accounts

So is this all a big deal?? Well anyone who wants to search your financial information would need local access to your machine and if a person is sitting at your computer, you have a lot more things to worry about than him/her using Chrome’s history search.? Conceivably a hacker could develop an app to pull the cache and index files off your computer and examine them later on another machine – these files reside in the “C:\Documents and Settings\USERNAME\Local Settings\Application Data\Google\Chrome\User Data\Default” folder.

The Neosploit Malware Kit Updated with Snapshot ActiveX Exploit

Tue, 15 Jul 2008 13:18:32 +0000

Raising Symantec's ThreatCon based on a newly introduced exploit within a (random) copy of a popular web malware exploitation kit? Now that's interesting given that there are other modified versions of the publicly available malware kit empowered with exploits as they get released, the single most logical move a administrator of such kit would do is diversity the exploits set as often as possible, keeping it up to date - like they do. ThreatCon is raised already :

"Symantec honeypots have captured further exploitation of the Snapshot Viewer for Microsoft Access ActiveX Control Arbitrary File Download Vulnerability (BID 30114). Before this event, this exploit was known to be used only in isolated attacks. Further analysis of these honeypot compromises has revealed that the exploit has been added to a variant of the neosploit exploit kit, it will very likely reach a larger number of victims. This version will compromise vulnerable English versions of Microsoft Windows by downloading a malicious application into the Windows Startup folder. Computers that have Microsoft Access installed are potentially affected by this vulnerability. Customers are advised to manually set the kill bit on the following CLSIDs until a vendor update is available: F0E42D50-368C-11D0-AD81-00A0C90DC8D9 F0E42D60-368C-11D0-AD81-00A0C90DC8D9 F2175210-368C-11D0-AD81-00A0C90DC8D9"

Why based on a random copy of the kit? Well, the Neosploit malware kit itself is a commodity despite it's publicly announced varying price in the thousands, it leaked for public use just like MPack and Icepack did originally, making statements on the exact type of the vulnerabilities included within a bit pointless, since it will only cover the the exploits included in a particular version only. Web malware exploitation kits are very modular, namely, anyone can introduce new exploits, and tweak them, which is what they've been doing for a while, mostly converging third party traffic management systems with the malware kits in order to improve both, the metrics, and the evasive practices used for making a particular campaign a bit more time consuming to analyze.

Just like the innovations introduced within open source malware, and their localizations to native languages, the open source nature of web malware exploitation kit can result in countless number of variants whose new features make it sometimes difficult to assess whether or not it's a modified kit or an entirely new one - depending on the sophistication of the features of course. The introduction of new exploits within a copy of a particular malware kit should be considered as something logical, and if it's that big a deal, there are many other web malware exploitation kits whose features turn Neosploit into the "outdated choice" for malicious attackers.

Related posts:
The Zeus Crimeware Kit Vulnerable to Remotely Exploitable Flaw
The Small Pack Web Malware Exploitation Kit
Crimeware in the Middle - Zeus
The Nuclear Grabber Kit
The Apophis Kit
The FirePack Exploitation Kit Localized to Chinese
MPack and IcePack Localized to Chinese
The FirePack Exploitation Kit - Part Two
The FirePack Web Malware Exploitation Kit
The WebAttacker in Action
Nuclear Malware Kit
The Random JS Malware Exploitation Kit
Metaphisher Malware Kit Spotted in the Wild
The Black Sun Bot
The Cyber Bot
Google Hacking for MPacks, Zunkers and WebAttackers
The IcePack Malware Kit in Action

P2P-related breach affects high-profile clients from Wagner Resource Group

Mon, 14 Jul 2008 13:08:21 +0000

Technorati Tag: Security Breach

Date Reported:
7/9/08

Organization:
Wagner Resource Group

Contractor/Consultant/Branch:
None

Victims:
Clients*

*Most notably Supreme Court Justice Stephen G. Breyer, which has been well publicized.

Number Affected:
~2,000

Types of Data:
"names, dates of birth and Social Security numbers"

Breach Description:
"The Washington Post today ran a story I wrote on a data breach of a local investment firm that exposed the names, birth dates and Social Security numbers of some of the Washington area's most powerful attorneys, including Supreme Court Justice Stephen Breyer."

Reference URL:
SecurityFix
Washington Post
United Press International
NBC Universal, Inc

Report Credit:
Brian Krebs, Washington Post

Response:
From the online sources cited above:

Sometime late last year, an employee of a McLean investment firm decided to trade some music, or maybe a movie, with like-minded users of the online file-sharing network LimeWire while using a company computer
[Evan] P2P file sharing and other client software use can pose a very significant risk in most companies. It is typically an easy risk to address however. A mixture of any one or more of the following controls can help to mitigate the risk; information security training and awareness, egress traffic monitoring and filtering, intrusion detection/prevention, and hardened workstations (i.e. removal of administrative access) to name a few.

In doing so, he inadvertently opened the private files of his firm, Wagner Resource Group, to the public.
[Evan] This is a common oversight. LimeWire and other P2P file sharing applications are wonderful tools for doing what they are designed to do. Before allowing their use (or any other software), an organization must evaluate the risks in doing so. If you intend to use or allow the use of LimeWire in your organization, understand how the software works and how it is configured. During the install you will be prompted for the "Save Folder and Shared Folders". Be careful what you choose, and be careful about what information you put in these locations in the future. Most organizations that are aware of risks just choose not to allow P2P use.

That exposed the names, dates of birth and Social Security numbers of about 2,000 of the firm's clients, including a number of high-powered lawyers and Supreme Court Justice Stephen G. Breyer.
[Evan] The high-profile nature of this breach is what has grabbed headlines all last week.

Of the 2,000 records from Wagner Resource Group that were found online, 700 included Social Security numbers, names and birth dates, while other records included only one or two of those details.

The breach was not discovered for nearly six months.
[Evan] This is another danger posed by information leaked through P2P. Once information has leaked, how does an organization detect that it has been leaked? There is no longer any control.

A reader of washingtonpost.com's Security Fix blog found the information while searching LimeWire in June.
[Evan] I wonder why the reader did not notify the authorities and/or Wagner at the time of its discovery. Maybe he/she did. I don't know.

Robert Boback, chief executive of Tiversa, the company hired by Wagner to help contain the data breach, said such breaches are hardly rare.

About 40 to 60 percent of all data leaks take place outside of a company's secured network, usually as a result of employees or contractors installing file-sharing software on company computers.
[Evan] Really?! I would have not guessed that the percentage would be so high. Interesting.

"We've seen a lot of instances where a company will be working on a product that's not even released yet, and the diagrams for that product are already out on the Net," Boback said.
[Evan] Very good point. It isn't just personally identifiable information that is leaked, there are plenty of instances where intellectual property (IP) is exposed. I have read estimates that as much as 80% or organizational assets globally are intangible (information, knowledge, etc.).

"This case is unique because of the high profile of the targets. The individuals on this list are at a very high risk, almost imminent, of identity theft."

Tiversa officials found that more than a dozen LimeWire users in places as far away as Sri Lanka and Colombia downloaded the list of personal data from the Wagner network.

"To me, this was devastating," said Phylyp Wagner, founder of the investment firm. "I didn't even know what peer-to-peer was. I do now."
[Evan] This is a big problem! Corporate leaders must be made aware of the risks surrounding the information for which they are ultimately responsible for.

Wagner said his company has contracted with FirstAdvantage of Poway, Calif., which last week sent out letters notifying affected clients of the breach and offering each six months of free credit-report monitoring.

He emphasized that the peer-to-peer disclosure never endangered his clients' financial records, which are stored by a separate company.
[Evan] Maybe not their financial records, but it did affect some people's financial status (at least temporarily).

But that may be small consolation to several lawyers on the list who said they recently experienced unexplained financial activity.

"This may explain why two weeks ago I got a $9,000 cellphone bill from AT&T," said Steven Agresta, a partner with the law firm Alston & Bird.

Someone had opened a phone account using his date of birth and Social Security number, but with a different address.

this morning I heard from reader Christopher Lynt, a patent attorney from Virginia whose personal data was included in the file exposed via P2P.

He told me that last July, an identity thief used his SSN and birth date to have $1,000 wired to Mexico from Lynt's bank and credit accounts.

Commentary:
This certainly isn't the first time we have read about P2P file sharing network exposures. If your organization can find a way to use the technology without posing an unacceptable risk, then fine. If not, then don't allow the technology to be used. Seems pretty plain and simple.

There is much work to be done. At Wagner and elsewhere.

Past Breaches:
Unknown

Malware and Office Documents Joining Forces

Mon, 14 Jul 2008 07:20:34 +0000

Common office files as documents, presentations, spreadsheets and PDF files, are the most widely abused ones in targeted attacks, which when backed up with enough personal information and take into consideration the time of their attack if the social engineering campaign is either going to be based on a current/upcoming event, or on an event anticipated due to information gathered through open source intelligence, often make it through common signature based scanning solutions.

Despite the relatively easy to obtain, point'n'click DIY tools for backdooring common office files are available for the script kiddies to take advantage of, some are naturally remaining proprietary tools, making them harder to analyze unless a copy is obtained. Like this one, generating "undetected" by signatures based scanning, office documents and spreadsheets that would drop the actual malware on the PC.

Automatic translation of its description and core features :

"The program represents a generator OfficeJoiner macros in the language Visual Basic for Application (VBA), for introduction in the document Microsoft Office Word / Microsoft Office Excel executable file (win32 exe), followed by fully automatic recovery and launch, without any additional action by the user. The only requirement that formed in such a way xls / doc files is to support VBA macros on the computer end-user formed file and permission to launch macros.

The program uses NOT a vulnerability (exploit) or macro-virus tools for the introduction, extraction or running embedded files. This means that it has generated macros compatible with ALL versions of Microsoft Office products starting with Microsoft Office 97 package, with any established "patches" and the service pack. Macros generated by this program not detected antivirus, for the simple reason that they are not viruses or macro viruses. The program uses only "established" means products built into Microsoft Excel VBA language to achieve their goals.

- Fully automatic generation of macro for the introduction of documents word / excel any given exe-file with his persistence in the body and subsequent documents automatic recovery and launch, when opening a document word / excel.

- Generated macros are compatible with all versions of ms word / excel since version 97, employments and regardless of the presence / absence of any patches / servicepacs.

- Generated macros are not macro-viruses, exploits do not use and do not contain any malicious code, so do not be detected by any antivirus tools as viruses.

- Conversion body ex-file macro happening in such a way that while in doc / xls file it not detected any antivirus, and can be freely sent by mail safely passed all checks, even if in itself contains viral code defined antivirus.

- Sgenerirovanny and attached to the body of the document macro can be protected with a password or signed certificate, using funds established Microsoft Office, which does not affect him productivity or efficiency (macro, in any case remain fully workable).

- Box macro can be made both in the new document, and in any document containing data and-or other macros. Generated program code is fully compatible with any other embedded in the document macros or entering data, and will not interfere with their work, as well as maintain its efficiency.

- Added auto-finding ways to extract exe-file;

- Added possibility of a macro arbitrary text in the body of the instrument;

- Optimized algorithm macro-generation code;

Enabling this option will lead to the creation macro code, who himself will find a way to unpack and run embedded exe-file. Auto-search finds the current user folder and produces there extraction and launch embedded file. The peculiarity of this method is that this method will work on the computers of users with a limited account, because in its user folder in any case has the right to record / performance. Using this option is justified to improve the "punching" macro on computers with limited account or unknown file structure (let Windows installed on the disk is different from C).

You can specify a name for final file independently, or leave blank, then the name will be generated automatically.

On this possibility has asked for a user program, its essence is that after running a macro, retrieval and downloading exe-file the document with the introduction of exe-file will be withdrawn posed text. Perhaps in this way can improve the application of social engineering, designed to force the user to allow support for macros. For example, in the text of the document indicate:

"This document contains hidden text (password, a system of calculation formulas, interactive components, etc.), Which can be viewed only after the inclusion of support macros. Please enable support for macros and re-opening this document ".

After resolving support macros, and the implementation of embedded exe-file, the document will be withdrawn given a string containing probable "password" or any other textual information. "

Despite that the tool is proprietary, the underground economy's leaks are largely driven by bargain hunters who would exchange proprietary tool, whose often biased exclusiveness may increase the profit margins, for a service or a good that may be worthless for them in general, but impossible to obtain and take advantage of in the present. It will not just leak in one way or another, someone will inevitably backdoor the backdooring tool and trick the novice bargain hunters into running it, by having both their host infected and money taken.

Related posts:
The Underground Economy's Supply of Goods and Services
Yet Another DIY Proprietary Malware Builder
The Small Pack Web Malware Exploitation Kit - Proprietary
DIY Exploit Embedding Tool - A Proprietary Release
Skype Spamming Tool in the Wild - Proprietary Release

Credit Card "Hack Pack" Is Flavour Of The Month With Script Kiddies

Mon, 30 Jun 2008 04:34:20 +0000

There's a collection of credit card hack / generation tools currently in circulation, and apparently quite popular with the script kiddies. With programs seemingly dating back from 1995(!) up until the present day, there's something for everyone in this little bundle of "joy".

Here's what you'll see when the files have been unzipped:

The folders give dates from 2006 to 2008, though the dates of the included programs stretch back quite a way further than that. One of the programs inside the folders is dated as 2001:

As you can see, it's a fairly basic Credit Card generator / validation program. The rest of the programs are something of a mixed bag indeed, some of them don't actually work (not that I'm complaining). For the old school connoisseur, here's an ancient program going back to 1995:

Click to Enlarge

The most notable program included would probably be something called Credit Wizard, which seems to make up the majority of the bundle with updated releases in each folder:

Click to Enlarge

As you can see, it comes with most of the options of the other tools and also comes with an "Info Generator", which allows you to create fake names & addresses at the push of a button. There are a few URLs included in the zip which seem to point to Argentinian hacking sites, but as they all seem to be down, there's no way to verify if they distributed this collection or are just getting shout-outs from their friends. Either way, not the greatest thing to wake up to on a Monday morning...